Windows Analysis Report
Process Monitor.exe

Overview

General Information

Sample Name:Process Monitor.exe
Analysis ID:705045
MD5:3d55e52bf84c8b1cb08cf447e195b006
SHA1:00b090f4713570c100796ba6cbdf3317f6386289
SHA256:a6bdbe803b403dafe01332c3bc9eaff5560481c6215d48e459a63ca7cc0a0e9f
Tags:exe

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May modify the system service descriptor table (often done to hook functions)
Performs DNS TXT record lookups
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
PE / OLE file has an invalid certificate
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Found large amount of non-executed APIs
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • Process Monitor.exe (PID: 5972 cmdline: "C:\Users\user\Desktop\Process Monitor.exe" MD5: 3D55E52BF84C8B1CB08CF447E195B006)
  • cleanup
No configs have been found
Yara matches
Source:00000000.00000002.640850320.0000000020A00000.00000040.00000020.00020000.00000000.sdmp
Rule:Windows_Shellcode_Generic_8c487e57
Description:unknown
Author:unknown
Strings:
  • 0x9c1:$a: FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0
Source:00000000.00000002.640850320.0000000020A00000.00000040.00000020.00020000.00000000.sdmp
Rule:Windows_Trojan_Metasploit_38b8ceec
Description:Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).
Author:unknown
Strings:
  • 0x9c8:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
No Sigma rule has matched
Snort IDS alerts
Timestamp | SID | Source | Destination | Protocol | Classtype
09/18/22-17:07:11.562484 | 2847439 | 192.168.2.3:60582 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:24.194124 | 2847439 | 192.168.2.3:57387 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:29.226053 | 2847439 | 192.168.2.3:54283 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:10.272964 | 2847439 | 192.168.2.3:52387 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:11.170526 | 2847439 | 192.168.2.3:51139 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:24.364057 | 2847439 | 192.168.2.3:50228 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:28.423748 | 2847439 | 192.168.2.3:51592 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:19.758372 | 2847439 | 192.168.2.3:65511 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:27.269341 | 2847439 | 192.168.2.3:64376 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:10.628522 | 2847439 | 192.168.2.3:60625 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:28.603368 | 2847439 | 192.168.2.3:61359 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:21.931334 | 2847439 | 192.168.2.3:65385 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:25.157982 | 2847439 | 192.168.2.3:51105 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:17.807037 | 2809850 | 192.168.2.3:57743 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:26.816961 | 2847439 | 192.168.2.3:58912 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:17.612305 | 2847439 | 192.168.2.3:53466 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:24.831301 | 2847439 | 192.168.2.3:62431 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:10.103736 | 2847439 | 192.168.2.3:57990 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:15.237878 | 2847439 | 192.168.2.3:59433 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:26.665994 | 2847439 | 192.168.2.3:55390 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:28.098121 | 2847439 | 192.168.2.3:60644 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:28.753771 | 2847439 | 192.168.2.3:58480 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:23.846528 | 2847439 | 192.168.2.3:56616 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:22.105508 | 2847439 | 192.168.2.3:54153 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:22.286338 | 2847439 | 192.168.2.3:64602 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:12.851983 | 2847439 | 192.168.2.3:65320 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:24.996996 | 2847439 | 192.168.2.3:64271 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:16.693035 | 2847439 | 192.168.2.3:56949 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:29.076080 | 2847439 | 192.168.2.3:60418 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:20.143048 | 2847439 | 192.168.2.3:64595 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:10.818703 | 2847439 | 192.168.2.3:49302 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:13.048445 | 2847439 | 192.168.2.3:60767 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:27.443917 | 2847439 | 192.168.2.3:52110 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:24.532168 | 2847439 | 192.168.2.3:53269 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:27.119889 | 2847439 | 192.168.2.3:55649 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:25.680782 | 2847439 | 192.168.2.3:64969 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:27.611185 | 2847439 | 192.168.2.3:63687 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:19.922462 | 2847439 | 192.168.2.3:59820 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:26.339688 | 2847439 | 192.168.2.3:62424 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:18.210206 | 2847439 | 192.168.2.3:61416 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:14.203939 | 2847439 | 192.168.2.3:58691 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:22.800242 | 2847439 | 192.168.2.3:64967 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:21.232458 | 2847439 | 192.168.2.3:58301 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:12.315640 | 2847439 | 192.168.2.3:59636 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:19.243261 | 2847439 | 192.168.2.3:60088 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:19.583371 | 2847439 | 192.168.2.3:53428 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:11.737698 | 2847439 | 192.168.2.3:57134 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:11.920045 | 2847439 | 192.168.2.3:62050 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:11.371670 | 2847439 | 192.168.2.3:52955 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:25.831456 | 2847439 | 192.168.2.3:53037 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:16.861417 | 2847439 | 192.168.2.3:52547 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:24.681633 | 2847439 | 192.168.2.3:59827 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:18.633823 | 2847439 | 192.168.2.3:58708 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:21.428506 | 2847439 | 192.168.2.3:63446 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:28.244855 | 2847439 | 192.168.2.3:55951 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:13.704944 | 2847439 | 192.168.2.3:57571 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:17.177911 | 2847439 | 192.168.2.3:53844 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:14.506207 | 2847439 | 192.168.2.3:53305 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:18.446638 | 2847439 | 192.168.2.3:65196 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:21.761569 | 2847439 | 192.168.2.3:65459 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:12.479999 | 2847439 | 192.168.2.3:55638 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:13.253711 | 2847439 | 192.168.2.3:65107 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:10.968952 | 2847439 | 192.168.2.3:53975 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:18.045058 | 2847439 | 192.168.2.3:53623 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:23.679047 | 2847439 | 192.168.2.3:59374 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:12.122666 | 2847439 | 192.168.2.3:56042 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:18.812839 | 2847439 | 192.168.2.3:59581 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:21.060651 | 2847439 | 192.168.2.3:49166 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:10.443975 | 2847439 | 192.168.2.3:56924 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:17.434078 | 2847439 | 192.168.2.3:65017 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:25.337136 | 2847439 | 192.168.2.3:52455 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:26.170261 | 2847439 | 192.168.2.3:60816 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:27.755938 | 2847439 | 192.168.2.3:57824 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:20.522990 | 2847439 | 192.168.2.3:64823 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:19.417113 | 2847439 | 192.168.2.3:63562 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:21.606663 | 2847439 | 192.168.2.3:49874 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:22.645440 | 2847439 | 192.168.2.3:64121 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:26.966706 | 2847439 | 192.168.2.3:50622 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:19.031587 | 2847439 | 192.168.2.3:53049 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:20.884113 | 2847439 | 192.168.2.3:58119 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:23.531670 | 2847439 | 192.168.2.3:60473 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:22.457054 | 2847439 | 192.168.2.3:50784 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:23.351211 | 2847439 | 192.168.2.3:64936 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:13.469060 | 2847439 | 192.168.2.3:53848 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:20.699180 | 2847439 | 192.168.2.3:51992 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:20.352550 | 2847439 | 192.168.2.3:52079 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:27.947161 | 2847439 | 192.168.2.3:52741 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:23.199072 | 2847439 | 192.168.2.3:49201 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:12.662394 | 2847439 | 192.168.2.3:57704 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:15.469676 | 2847439 | 192.168.2.3:60749 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:23.012681 | 2847439 | 192.168.2.3:60825 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:25.529724 | 2847439 | 192.168.2.3:55244 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:26.014383 | 2847439 | 192.168.2.3:55457 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:28.922774 | 2847439 | 192.168.2.3:51889 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:17.807037 | 2847439 | 192.168.2.3:57743 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:24.020425 | 2847439 | 192.168.2.3:61184 | 8.8.8.8:53 | UDP | A Network Trojan was detected
09/18/22-17:07:26.499232 | 2847439 | 192.168.2.3:61126 | 8.8.8.8:53 | UDP | A Network Trojan was detected

AV Detection

Source: Process Monitor.exe | ReversingLabs: Detection: 17%
Source: Process Monitor.exe | Virustotal: Detection: 15%
Source: Process Monitor.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Process Monitor.exe | Window detected: You can also use the /accepteula command-line switch to accept the EULA. | &Agree | &Decline | &Print | SYSINTERNALS SOFTWARE LICENSE TERMS These license terms are an agreement between Sysinternals (a wholly owned subsidiary of Microsoft Corporation) and you. Please read them. They apply to the software you are downloading from Systinternals.com which includes the media on which you received it if any. The terms also apply to any Sysinternals updates, supplements, Internet-based services and support services for this software unless other terms accompany those items. If so those terms apply. BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE. If you comply with these license terms you have the rights below. 1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices. 2.Scope of License. The software is licensed not sold. This agreement only gives you some rights to use the software. Sysinternals reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not: work around any technical limitations in the binary versions of the software; reverse engineer decompile or disassemble the binary versions of the software except and only to the extent that applicable law expressly permits despite this limitation; make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation; publish the software for others to copy; rent lease or lend the software; transfer the software or this agreement to any third party; or use the software for commercial software hosting services. 3.SENSITIVE INFORMATION. Please be aware that similar to other debug tools that capture "process state" information files saved by Sysinternals tools may include personally identifiable or other sensitive information (such as usernames passwords paths to files accessed and paths to registry accessed). By using this software you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Microsoft or any other party through your use of the software.. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes. 6.Export Restrictions. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting <<http://www.microsoft.com/exporting>>. 7.SUPPORT SERVICES. Because this software is "as is
Source: Binary string: C:\Builds\13810\Tools\Procmon_master\bin\x64\Release\ProcMonDriver.pdb source: Process Monitor.exe
Source: Binary string: C:\Builds\13810\Tools\Procmon_master\bin\x64\Release\ProcMonDriver.pdb source: Process Monitor.exe
Source: Binary string: C:\Builds\13810\Tools\Procmon_master\bin\Win32\Release\Procmon.pdb source: Process Monitor.exe
Source: Binary string: C:\Builds\13810\Tools\Procmon_master\bin\x64\Release\Procmon.pdb source: Process Monitor.exe
Source: Binary string: C:\Builds\13810\Tools\Procmon_master\bin\Win32\Release\ProcMonDriver.pdb source: Process Monitor.exe
Source: C:\Users\user\Desktop\Process Monitor.exeCode function: 0_2_0046CD20 GetDlgItemTextW,EndDialog,GetDlgItemTextW,GetDlgItemTextW,MessageBoxW,_wcschr,DialogBoxParamW,GetDlgItem,GetDlgItem,SetEnvironmentVariableW,EndDialog,GetDlgItemTextW,_memset,GetOpenFileNameW,GetDlgItemTextW,GetDlgItemTextW,SetDlgItemTextW,GetDlgItemTextW,FindFirstFileW,GetDlgItem,EnableWindow,FindClose,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetDlgItem,SHAutoComplete,GetDlgItem,SetFocus,0_2_0046CD20
Source: C:\Users\user\Desktop\Process Monitor.exeCode function: 0_2_00467CF0 MessageBoxW,_wcsrchr,_wcsrchr,_wcsrchr,MessageBoxW,FindFirstFileW,FindNextFileW,FindClose,0_2_00467CF0

Networking

Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:57990 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:52387 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:56924 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:60625 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:49302 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:53975 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:51139 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:52955 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:60582 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:57134 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:62050 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:56042 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:59636 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:55638 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:57704 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:65320 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:60767 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:65107 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:53848 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:57571 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:58691 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:53305 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:59433 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:60749 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:56949 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:52547 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:53844 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:65017 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:53466 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:57743 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2809850 ETPRO TROJAN Cobalt Strike Covert DNS CnC Channel TXT Lookup (udp) 192.168.2.3:57743 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:53623 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:61416 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:65196 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:58708 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:59581 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:53049 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:60088 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:63562 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:53428 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:65511 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:59820 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:64595 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:52079 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:64823 -> 8.8.8.8:53
Source: TrafficSnort IDS: 2847439 ETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity 192.168.2.3:51992 -> 8.8.8.8:53
Source: unknown | DNS traffic detected: query: aaa.stage.15550179.developer.cisc0.net replaycode: Name error (3)
Source: Process Monitor.exe | String found in binary or memory: http://www.sysinternals.com
Source: Process Monitor.exe | String found in binary or memory: http://www.sysinternals.comFileVersionLegalCopyright
Source: Process Monitor.exe | String found in binary or memory: https://www.sysinternals.com0
Source: unknown | DNS traffic detected: queries for: aaa.stage.15550179.developer.cisc0.net
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0043B530 WaitForSingleObject,recv,recv
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00404C10 GetDC,SelectObject,GetTextMetricsW,ReleaseDC,GetSystemMetrics,GetWindowRect,SendMessageW,SendMessageW,SendMessageW,SendMessageW,MapWindowPoints,GetScrollInfo,SendMessageW,GetSysColorBrush,FillRect,GetSysColor,CreatePen,SelectObject,SelectObject,SelectObject,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetFocus,GetSysColor,GetSysColor,SetTextColor,GetSysColor,SetTextColor,GetSysColor,GetSysColor,SetTextColor,GetSysColor,SetBkColor,SetBkMode,RectInRegion,CreateRectRgnIndirect,SelectClipRgn,SelectObject,DeleteObject,GetBkColor,CreateSolidBrush,GetBkMode,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,GetSysColorBrush,FillRect,GetSysColor,ImageList_DrawEx,BitBlt,DeleteObject,DeleteDC,DrawTextW,DrawTextW,DrawTextW,OffsetRect,SelectClipRgn,DeleteObject,Polyline,IntersectRect,IntersectRect,IntersectRect,IntersectRect,IntersectRect,FillRect,FillRect,GetSysColorBrush,FillRect,FillRect,DeleteObject,GetSysColorBrush,FillRect,SelectObject,SelectObject,Polyline,SelectObject,SelectObject,SelectObject,SelectObject,DeleteObject,GetSysColorBrush,FillRect
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0042F8B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard

System Summary

barindex
Source: 00000000.00000002.640850320.0000000020A00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Shellcode_Generic_8c487e57 Author: unknown
Source: 00000000.00000002.640850320.0000000020A00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: Process Monitor.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.640850320.0000000020A00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Shellcode_Generic_8c487e57 os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Shellcode.Generic, fingerprint = 834caf96192a513aa93ac48fb8d2f3326bf9f08acaf7a27659f688b26e3e57e4, id = 8c487e57-4b8c-488e-a1d9-786ff935fd2c, last_modified = 2022-07-18
Source: 00000000.00000002.640850320.0000000020A00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00470227
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00418140
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0041E300
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00418740
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0043C8C0
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00418939
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00448AA0
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00406B50
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00468B50
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0047CBE2
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00404C10
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00482CDB
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0044AF50
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0047B0FE
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0042F1F0
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0048324D
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0047B3A0
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0047B516
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0047B5F1
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00421580
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0047B765
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_004837BF
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0047B852
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00401910
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0047BA1C
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00409AE0
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00485CB0
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00479DC4
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: String function: 0046EEB6 appears 37 times
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: String function: 0046A6C0 appears 94 times
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: String function: 0040C980 appears 53 times
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: String function: 0046A530 appears 109 times
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: String function: 00477E90 appears 40 times
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: String function: 0046EB0F appears 62 times
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: String function: 0046EF07 appears 73 times
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0043BCA0 GetModuleHandleW,GetProcAddress,NtOpenSymbolicLinkObject,_memset,NtQuerySymbolicLinkObject,NtClose
Source: Process Monitor.exe | Static PE information: Resource name: BINRES type: PE32 executable (DLL) (native) Intel 80386, for MS Windows
Source: Process Monitor.exe | Static PE information: Resource name: BINRES type: PE32+ executable (GUI) x86-64, for MS Windows
Source: Process Monitor.exe, 00000000.00000000.244188168.00000000004C5000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameProcess MonitorJ vs Process Monitor.exe
Source: Process Monitor.exe, 00000000.00000000.244188168.00000000004C5000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameprocmon.Sys@ vs Process Monitor.exe
Source: Process Monitor.exe | Binary or memory string: OriginalFilenameProcess MonitorJ vs Process Monitor.exe
Source: Process Monitor.exe | Binary or memory string: OriginalFilenameprocmon.Sys@ vs Process Monitor.exe
Source: Process Monitor.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Process Monitor.exe | Static PE information: invalid certificate
Source: Process Monitor.exe | ReversingLabs: Detection: 17%
Source: Process Monitor.exe | Virustotal: Detection: 15%
Source: Process Monitor.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Process Monitor.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0040F360 MessageBoxW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: Process Monitor.exe | Binary string: D:P(A;;GA;;;AU)\device\ProcmonDebugLogger\DosDevices\Global\ProcmonDebugLogger\device\ProcmonExternalLogger\??\ProcmonExternalLoggerEnabled
Source: Process Monitor.exe | Binary string: RtlInitUnicodeStringNtOpenSymbolicLinkObjectNtQuerySymbolicLinkObjectNtClose\??\%c:\Global??\%c:\Sessions\%d\DosDevices\%08x-%08x\%c:\Device\LanmanRedirector\;\Device\LanmanRedirector\;Z:0000000000000000
Source: Process Monitor.exe | Binary string: \Device\Mup\Device\Harddisk?\DR?DEVICE_PATH\Device\LanmanRedirector\\\\Device\Mup\\SystemRoot\SYSTEM\SelectCurrent%03d@\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\SOFTWARE\CLASSES\SYSTEM\ControlSetHKLM\System\CurrentControlSetUSER_CLASSESHKCU\Software\ClassesSelect Remote ComputerSoftware\Classes\shell\open\command"%s" /Run32 /OpenLog "%%1""%s" /OpenLog "%%1"DefaultIcon"%s",0 Mandatory LevelGetNativeSystemInfokernel32.dllUnsupported processor type: %d
Source: Process Monitor.exe | Binary string: J\Device\Mup\Device\Harddisk?\DR?DEVICE_PATH\Device\LanmanRedirector\\\\Device\Mup\\SystemRoot\SYSTEM\SelectCurrent%03d@\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\SOFTWARE\CLASSES\SYSTEM\ControlSetHKLM\System\CurrentControlSetUSER_CLASSESHKCU\Software\ClassesSelect Remote ComputerSoftware\Classes\shell\open\command"%s" /Run32 /OpenLog "%%1""%s" /OpenLog "%%1"DefaultIcon"%s",0 Mandatory LevelGetNativeSystemInfokernel32.dllUnsupported processor type: %d
Source: Process Monitor.exe | Binary string: RtlInitUnicodeStringNtOpenSymbolicLinkObjectNtQuerySymbolicLinkObjectNtClose\??\%c:\Global??\%c:\Sessions\%d\DosDevices\%08x-%08x\%c:\Device\LanmanRedirector\;`$J
Source: classification engine | Classification label: mal76.evad.winEXE@1/0@35/0
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00403970 SysAllocString,CoInitialize,CoCreateInstance,VariantClear,CoSetProxyBlanket,SysFreeString
Source: C:\Users\user\Desktop\Process Monitor.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00435D40 GetLastError,FormatMessageW,GetSystemDirectoryW,LoadLibraryExW,FormatMessageW,LocalFree,FreeLibrary,LocalFree
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0040F560 GetModuleFileNameW,FindResourceW,LoadResource,SizeofResource,LockResource,SetFileAttributesW,SetFileAttributesW,__wfopen_s,SetFileAttributesW
Source: Process Monitor.exe | String found in binary or memory: IAll AccessRead/WriteExecuteQuery ValueSet ValueCreate Sub KeyEnumerate Sub KeysNotifyCreate LinkWOW64_ResWOW64_32KeyWOW64_64KeyGeneric Read/Write/ExecuteGeneric Read/WriteGeneric Read/ExecuteGeneric Write/ExecuteGeneric ReadGeneric WriteGeneric ExecuteRead Data/List DirectoryWrite Data/Add FileAppend Data/Add Subdirectory/Create Pipe InstanceRead EAWrite EAExecute/TraverseDelete ChildRead AttributesWrite AttributesRead ControlWrite DACWrite OwnerSynchronizeAccess System SecurityMaximum AllowedSeShutdownPrivilegeSeChangeNotifyPrivilegeSeUndockPrivilegeSeIncreaseWorkingSetPrivilegeSeTimeZonePrivilege\fltlib.dll%x%lf%s%07d%02u:%02u:%02u.%07u%02u:%02u:%02u%I64d0x%I64x-1%I64u KB MB GBWindows 2000Windows XPWindows XP x64Windows Server 2003Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016Windows %d.%d (build %d.%d)%08x:%08x%02X64-bit32-bit%x:%x:%x:%x:%x:%x:%x:%x%d.%d.%d.%d:%d:None
Source: Process Monitor.exe | String found in binary or memory: /LoadConfig <file>
Source: Process Monitor.exe | String found in binary or memory: All AccessRead/WriteExecuteQuery ValueSet ValueCreate Sub KeyEnumerate Sub KeysNotifyCreate LinkWOW64_ResWOW64_32KeyWOW64_64KeyGeneric Read/Write/ExecuteGeneric Read/WriteGeneric Read/ExecuteGeneric Write/ExecuteGeneric ReadGeneric WriteGeneric ExecuteRead Data/List DirectoryWrite Data/Add FileAppend Data/Add Subdirectory/Create Pipe InstanceRead EAWrite EAExecute/TraverseDelete ChildRead AttributesWrite AttributesRead ControlWrite DACWrite OwnerSynchronizeAccess System SecurityMaximum AllowedSeShutdownPrivilegeSeChangeNotifyPrivilegeSeUndockPrivilegeSeIncreaseWorkingSetPrivilegeSeTimeZonePrivilege"
Source: C:\Users\user\Desktop\Process Monitor.exe | Window found: window name: RICHEDIT
Source: C:\Users\user\Desktop\Process Monitor.exe | File opened: C:\Windows\SysWOW64\Riched32.dll
Source: C:\Users\user\Desktop\Process Monitor.exe | Window detected: You can also use the /accepteula command-line switch to accept the EULA.&Agree&Decline&PrintSYSINTERNALS SOFTWARE LICENSE TERMSThese license terms are an agreement between Sysinternals (a wholly owned subsidiary of Microsoft Corporation) and you. Please read them. They apply to the software you are downloading from Systinternals.com which includes the media on which you received it if any. The terms also apply to any SysinternalsupdatessupplementsInternet-based services and support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.Scope of License. The software is licensed not sold. This agreement only gives you some rights to use the software. Sysinternals reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notwork around any technical limitations in the binary versions of the software;reverse engineer decompile or disassemble the binary versions of the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.SENSITIVE INFORMATION. 
Please be aware that similar to other debug tools that capture "process state" information files saved by Sysinternals tools may include personally identifiable or other sensitive information (such as usernames passwords paths to files accessed and paths to registry accessed). By using this software you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Microsoft or any other party through your use of the software.. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.6.Export Restrictions. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting <<http://www.microsoft.com/exporting>>.7.SUPPORT SERVICES. Because this software is "as is
Source: Process Monitor.exe | Static file information: File size 2134944 > 1048576
Source: Process Monitor.exe | Static PE information: section name: RT_CURSOR
Source: Process Monitor.exe | Static PE information: section name: RT_BITMAP
Source: Process Monitor.exe | Static PE information: section name: RT_ICON
Source: Process Monitor.exe | Static PE information: section name: RT_MENU
Source: Process Monitor.exe | Static PE information: section name: RT_DIALOG
Source: Process Monitor.exe | Static PE information: section name: RT_STRING
Source: Process Monitor.exe | Static PE information: section name: RT_ACCELERATOR
Source: Process Monitor.exe | Static PE information: section name: RT_GROUP_ICON
Source: Process Monitor.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x143400
Source: Process Monitor.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Process Monitor.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Process Monitor.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Process Monitor.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Process Monitor.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Process Monitor.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Process Monitor.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Builds\13810\Tools\Procmon_master\bin\x64\Release\ProcMonDriver.pdb source: Process Monitor.exe
Source: Binary string: C:\Builds\13810\Tools\Procmon_master\bin\x64\Release\ProcMonDriver.pdb source: Process Monitor.exe
Source: Binary string: C:\Builds\13810\Tools\Procmon_master\bin\Win32\Release\Procmon.pdb source: Process Monitor.exe
Source: Binary string: C:\Builds\13810\Tools\Procmon_master\bin\x64\Release\Procmon.pdb source: Process Monitor.exe
Source: Binary string: C:\Builds\13810\Tools\Procmon_master\bin\Win32\Release\ProcMonDriver.pdb source: Process Monitor.exe
Source: Process Monitor.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Process Monitor.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Process Monitor.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Process Monitor.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Process Monitor.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0047413C push ecx; ret 0_2_0047414F
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0045EAC2 __CxxThrowException@8,_memset,GetVersionExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetCommandLineW,CommandLineToArgvW,GetComputerNameW,GetSystemDirectoryW,_wcschr
Source: Process Monitor.exe | Static PE information: real checksum: 0x212811 should be: 0x209d16

Hooking and other Techniques for Hiding and Protection

barindex
Source: Process Monitor.exe, 00000000.00000000.244188168.00000000004C5000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: KeServiceDescriptorTable
Source: Process Monitor.exe | Binary or memory string: KeServiceDescriptorTable
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00470227 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

barindex
Source: Process Monitor.exe | Binary or memory string: $XIIRP_MJ_FASTIO_PROCMON.EXEPROCEXP.EXEAUTORUNS.EXESYSTEMPAGEFILE.SYS$MFT$MFTMIRR$LOGFILE$VOLUME$ATTRDEF$ROOT$BITMAP$BOOT$BADCLUS$SECURE$UPCASE$EXTENDFAST IOINCLUDEEXCLUDE<BAD>OKAY TO OVERWRITE EVENT LOG ''?AN ERROR OCCURRED OPENING THE SNAPSHOT ''APPLYING EVENT FILTEROPERATION CANCELLED: THE LISTVIEW DATA MAY BE INCOMPLETEPROCESS MONITOR CAN OPEN AT MOST BACKING FILES<PAGEFILE>YESNOEVENTPROCESSINDEXSTACKFRAMEDEPTHADDRESS + PATHLOCATIONPROCESSPROCESSIDPARENTPROCESSIDPARENTPROCESSINDEXAUTHENTICATIONIDCREATETIMEFINISHTIMEISVIRTUALIZEDIS64BITINTEGRITYOWNERPROCESSNAMECOMMANDLINECOMPANYNAMEVERSIONDESCRIPTIONMODULELISTMODULETIMESTAMPBASEADDRESSSIZECOMPANYPROCESS MONITOR - EXPORTING EVENT DATAWT, CCS=UTF-8"%S"
Source: Process Monitor.exe | Binary or memory string: IRP_MJ_FASTIO_PROCMON.EXEPROCEXP.EXEAUTORUNS.EXEPROCMON64.EXEPROCEXP64.EXESYSTEMPAGEFILE.SYS$MFT$MFTMIRR$LOGFILE$VOLUME$ATTRDEF$ROOT$BITMAP$BOOT$BADCLUS$SECURE$UPCASE$EXTENDFAST IO"
Source: C:\Users\user\Desktop\Process Monitor.exe TID: 5960 | Thread sleep time: -132496s >= -30000s
Source: C:\Users\user\Desktop\Process Monitor.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Process Monitor.exe | Check user administrative privileges: GetTokenInformation
Source: C:\Users\user\Desktop\Process Monitor.exe | API coverage: 1.9 %
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00437270 LoadLibraryW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,MessageBoxW,GetModuleFileNameW,GetModuleFileNameW,_wcsrchr,ExpandEnvironmentStringsW,_wcsrchr,GetFileAttributesW,_memset,ShellExecuteExW,ShellExecuteExW,GetLastError,GetModuleFileNameW,ShellExecuteExW,WaitForSingleObject,CloseHandle,DeleteFileW
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0046CD20 GetDlgItemTextW,EndDialog,GetDlgItemTextW,GetDlgItemTextW,MessageBoxW,_wcschr,DialogBoxParamW,GetDlgItem,GetDlgItem,SetEnvironmentVariableW,EndDialog,GetDlgItemTextW,_memset,GetOpenFileNameW,GetDlgItemTextW,GetDlgItemTextW,SetDlgItemTextW,GetDlgItemTextW,FindFirstFileW,GetDlgItem,EnableWindow,FindClose,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetDlgItem,SHAutoComplete,GetDlgItem,SetFocus
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00467CF0 MessageBoxW,_wcsrchr,_wcsrchr,_wcsrchr,MessageBoxW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Process Monitor.exe | API call chain: ExitProcess graph end node
Source: Process Monitor.exe, 00000000.00000003.603032420.00000000007D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: Process Monitor.exe, 00000000.00000003.636559400.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, Process Monitor.exe, 00000000.00000002.640723106.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHSzii)
Source: Process Monitor.exe, 00000000.00000003.603227570.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, Process Monitor.exe, 00000000.00000003.625393877.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, Process Monitor.exe, 00000000.00000003.524622404.00000000007D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkk+
Source: Process Monitor.exe, 00000000.00000003.513416118.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, Process Monitor.exe, 00000000.00000003.580897619.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, Process Monitor.exe, 00000000.00000003.580878519.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, Process Monitor.exe, 00000000.00000003.513434546.00000000007D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00474186 _memset,IsDebuggerPresent
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0048083F EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0045EAC2 __CxxThrowException@8,_memset,GetVersionExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetCommandLineW,CommandLineToArgvW,GetComputerNameW,GetSystemDirectoryW,_wcschr
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00478CE2 GetProcessHeap
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00478647 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00478616 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

barindex
Source: Traffic | DNS traffic detected: queries for: aaa.stage.15550179.developer.cisc0.net
Source: TrafficDNS traffic detected: queries for: aaa.stage.15550179.developer.cisc0.net
Source: TrafficDNS traffic detected: queries for: aaa.stage.15550179.developer.cisc0.net
Source: TrafficDNS traffic detected: queries for: aaa.stage.15550179.developer.cisc0.net
Source: TrafficDNS traffic detected: queries for: aaa.stage.15550179.developer.cisc0.net
Source: TrafficDNS traffic detected: queries for: aaa.stage.15550179.developer.cisc0.net
Source: TrafficDNS traffic detected: queries for: aaa.stage.15550179.developer.cisc0.net
Source: TrafficDNS traffic detected: queries for: aaa.stage.15550179.developer.cisc0.net
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00437270 LoadLibraryW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,MessageBoxW,GetModuleFileNameW,GetModuleFileNameW,_wcsrchr,ExpandEnvironmentStringsW,_wcsrchr,GetFileAttributesW,_memset,ShellExecuteExW,ShellExecuteExW,GetLastError,GetModuleFileNameW,ShellExecuteExW,WaitForSingleObject,CloseHandle,DeleteFileW,0_2_00437270
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00436580 GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,GetTokenInformation,GetTokenInformation,_malloc,GetTokenInformation,EqualSid,_free,FreeSid,FindCloseChangeNotification,0_2_00436580
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: GetLocaleInfoW,0_2_00435930
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00435BE0
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,SendMessageW,SendMessageW,SendMessageW,0_2_0042FCF0
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_004743A6 cpuid 0_2_004743A6
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0043A300 MessageBoxW,MessageBoxW,MessageBoxW,MessageBoxW,GetSystemTimeAsFileTime,QueryPerformanceCounter,QueryPerformanceFrequency,FilterSendMessage,0_2_0043A300
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0045EAC2 __CxxThrowException@8,_memset,GetVersionExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetCommandLineW,CommandLineToArgvW,GetComputerNameW,GetSystemDirectoryW,_wcschr,0_2_0045EAC2
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00401500 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,InitializeCriticalSection,CreateSemaphoreW,HeapCreate,0_2_00401500
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0040C7B0 CreateBindCtx,LoadLibraryW,GetProcAddress,ShellExecuteW,0_2_0040C7B0
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00401810 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,InitializeCriticalSection,0_2_00401810
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_0043B830 MessageBoxW,socket,GetComputerNameA,gethostbyname,_memmove,htons,bind,getsockname,listen,accept,closesocket,0_2_0043B830
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00401890 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,InitializeCriticalSection,0_2_00401890
Source: C:\Users\user\Desktop\Process Monitor.exe | Code function: 0_2_00401910 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00401910
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count of matched signatures shown for that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (2); Native API (2); At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Exploitation for Privilege Escalation (1); Access Token Manipulation (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: System Time Discovery (1); Security Software Discovery (131); Virtualization/Sandbox Evasion (1); File and Directory Discovery (2); System Information Discovery (24)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Screen Capture (1); Credential API Hooking (1); Archive Collected Data (1); Clipboard Data (1); Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data
Source | Detection | Scanner | Label | Link
Process Monitor.exe | 18% | ReversingLabs | Win32.Trojan.APost |
Process Monitor.exe | 16% | Virustotal | | Browse
Process Monitor.exe | 22% | Metadefender | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link | Download
0.2.Process Monitor.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1224503 | | Download File
0.0.Process Monitor.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1224503 | | Download File

Source | Detection | Scanner | Label | Link
aaa.stage.15550179.developer.cisc0.net | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
https://www.sysinternals.com0 | 0% | URL Reputation | safe |
http://www.sysinternals.comFileVersionLegalCopyright | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
aaa.stage.15550179.developer.cisc0.net | unknown | unknown | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.sysinternals.com | Process Monitor.exe | false | | high
http://www.sysinternals.comFileVersionLegalCopyright | Process Monitor.exe | false | Avira URL Cloud: safe | unknown
https://www.sysinternals.com0 | Process Monitor.exe | false | URL Reputation: safe | unknown

No contacted IP infos
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 705045
Start date and time: 2022-09-18 17:12:43 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Process Monitor.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.evad.winEXE@1/0@35/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 10% (good quality ratio 9.7%)
• Quality average: 76.6%
• Quality standard deviation: 22.2%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 21
• Number of non-executed functions: 328
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 300000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.277754169335207
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Process Monitor.exe
File size: 2134944
MD5: 3d55e52bf84c8b1cb08cf447e195b006
SHA1: 00b090f4713570c100796ba6cbdf3317f6386289
SHA256: a6bdbe803b403dafe01332c3bc9eaff5560481c6215d48e459a63ca7cc0a0e9f
SHA512: 42d44f8cbae582e7f173aa5ce7c730fd5c1ff9e7b1a955cabadf73437c4d35305e1995f14f3f31a7b67b897ce4d704431f72d2510c9811078caeb0198a38d5e4
SSDEEP: 24576:KF8bvzqxxY1RBv+O3EqokUCdWh4SZ5NQ75olmeu5xU4Cd5IBGxyjsSKR/mjLzKZG:KF8bv/1fv+ZAsZ5NQ75olmrrmdCoTZG
TLSH: 33A56B1263E840AAF1B352719EBD8767E676BC720B31C6CF5694520E1F32EE15E34722
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i.z.-...-...-... ...7... ....... .......k...(...$...)...t.../...$...,...-.......$...6...P...,...P....... ...,...P...,...Rich-..
Icon Hash: 3c2c6468bab6c9e1
Entrypoint: 0x473d54
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x59066E94 [Sun Apr 30 23:09:08 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: ed4c409d538c031bc8ccdfd81f048c9d
Signature Valid: false
Signature Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 9/2/2021 11:32:59 AM 9/1/2022 11:32:59 AM
Subject Chain
• CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: D15B2B9631F8B37BA8D83A5AE528A8BB
Thumbprint SHA-1: 8740DF4ACB749640AD318E4BE842F72EC651AD80
Thumbprint SHA-256: 2EB421FBB33BBF9C8F6B58C754B0405F40E02CB6328936AAE39DB7A24880EA21
Serial: 33000002528B33AAF895F339DB000000000252
Instruction (entrypoint disassembly):
    call 00007F7DF8D06B91h
    jmp 00007F7DF8CFBAD5h
    push 00000014h
    push 004B7A40h
    call 00007F7DF8CFFBFBh
    call 00007F7DF8D00060h
    movzx esi, ax
    push 00000002h
    call 00007F7DF8D06B24h
    pop ecx
    mov eax, 00005A4Dh
    cmp word ptr [00400000h], ax
    je 00007F7DF8CFBAD6h
    xor ebx, ebx
    jmp 00007F7DF8CFBB05h
    mov eax, dword ptr [0040003Ch]
    cmp dword ptr [eax+00400000h], 00004550h
    jne 00007F7DF8CFBABDh
    mov ecx, 0000010Bh
    cmp word ptr [eax+00400018h], cx
    jne 00007F7DF8CFBAAFh
    xor ebx, ebx
    cmp dword ptr [eax+00400074h], 0Eh
    jbe 00007F7DF8CFBADBh
    cmp dword ptr [eax+004000E8h], ebx
    setne bl
    mov dword ptr [ebp-1Ch], ebx
    call 00007F7DF8D009F0h
    test eax, eax
    jne 00007F7DF8CFBADAh
    push 0000001Ch
    call 00007F7DF8CFBBB1h
    pop ecx
    call 00007F7DF8CFCFC2h
    test eax, eax
    jne 00007F7DF8CFBADAh
    push 00000010h
    call 00007F7DF8CFBBA0h
    pop ecx
    call 00007F7DF8CFFDA9h
    and dword ptr [ebp-04h], 00000000h
    call 00007F7DF8D0421Fh
    test eax, eax
    jns 00007F7DF8CFBADAh
    push 0000001Bh
    call 00007F7DF8CFBB86h
    pop ecx
    call dword ptr [0048F2E0h]
    mov dword ptr [004C4724h], eax
    call 00007F7DF8D06B78h
    mov dword ptr [004C2BF8h], eax
    call 00007F7DF8D06775h
    test eax, eax
    jns 00007F7DF8CFBADAh
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [C++] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ C ] VS2013 UPD4 build 31101
• [C++] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7f1c | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc5000 | 0x143228 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x206c00 | 0x27a0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x209000 | 0x8f04 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8f820 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xaebd0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x70c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8d57d | 0x8d600 | False | 0.4879876768346596 | data | 6.535658615397043 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2b38a | 0x2b400 | False | 0.30585598807803466 | data | 4.415495837867061 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbb000 | 0x973c | 0x1a00 | False | 0.33263221153846156 | data | 3.8291327237271515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc5000 | 0x143228 | 0x143400 | False | 0.43051754036156226 | data | 6.100980908224347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x209000 | 0x8f04 | 0x9000 | False | 0.7015787760416666 | data | 6.712610728580015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
BINRES | 0xd72f8 | 0x11b48 | PE32 executable (DLL) (native) Intel 80386, for MS Windows | English | United States
BINRES | 0xe8e40 | 0x11e6a0 | PE32+ executable (GUI) x86-64, for MS Windows | English | United States
RT_CURSOR | 0xd7058 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0xd71a8 | 0x134 | data | English | United States
RT_BITMAP | 0xc68e0 | 0xab8 | data | English | United States
RT_ICON | 0xc7398 | 0xea8 | data | English | United States
RT_ICON | 0xc8240 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xc8ae8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc9050 | 0x25a8 | data | English | United States
RT_ICON | 0xcb5f8 | 0x10a8 | data | English | United States
RT_ICON | 0xcc6a0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xccb68 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xccca8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xccde8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xccf28 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xcd068 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xcd1a8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xcd2e8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xcd428 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xcd990 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xcdae0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xcdc08 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xce198 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xce2d8 | 0x368 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xce658 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xce798 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xce8d8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_MENU | 0xcf478 | 0x4a | data | English | United States
RT_MENU | 0xcf4c8 | 0xdc | data | English | United States
RT_MENU | 0xcea18 | 0x9dc | data | English | United States
RT_MENU | 0xcf3f8 | 0x7a | data | English | United States
RT_DIALOG | 0xcf8d8 | 0x1f8 | data | English | United States
RT_DIALOG | 0xd1200 | 0x444 | data | English | United States
RT_DIALOG | 0xd6da0 | 0x2b8 | data | English | United States
RT_DIALOG | 0xcfad0 | 0x7ce | data | English | United States
RT_DIALOG | 0xd5f98 | 0x204 | data | English | United States
RT_DIALOG | 0xd56c8 | 0x330 | data | English | United States
RT_DIALOG | 0xd6c78 | 0x122 | data | English | United States
RT_DIALOG | 0xd3dc8 | 0x1a2 | data | English | United States
RT_DIALOG | 0xd5f20 | 0x78 | data | English | United States
RT_DIALOG | 0xd02a0 | 0x184 | data | English | United States
RT_DIALOG | 0xd2680 | 0x1ae | data | English | United States
RT_DIALOG | 0xd4e40 | 0x224 | data | English | United States
RT_DIALOG | 0xd2830 | 0x1cc | data | English | United States
RT_DIALOG | 0xd2260 | 0x20c | data | English | United States
RT_DIALOG | 0xd2f18 | 0x278 | data | English | United States
RT_DIALOG | 0xd6ab8 | 0x1ba | data | English | United States
RT_DIALOG | 0xd37d0 | 0x25c | data | English | United States
RT_DIALOG | 0xd32b8 | 0x16e | data | English | United States
RT_DIALOG | 0xd3a30 | 0x394 | data | English | United States
RT_DIALOG | 0xd61a0 | 0x5ec | data | English | United States
RT_DIALOG | 0xd59f8 | 0x528 | data | English | United States
RT_DIALOG | 0xd5408 | 0x2bc | data | English | United States
RT_DIALOG | 0xd36d8 | 0xf6 | data | English | United States
RT_DIALOG | 0xd1b20 | 0x17c | data | English | United States
RT_DIALOG | 0xd3428 | 0x2ac | data | English | United States
RT_DIALOG | 0xd1ca0 | 0x5ba | data | English | United States
RT_DIALOG | 0xd1070 | 0x18a | data | English | United States
RT_DIALOG | 0xd5068 | 0x1be | data | English | United States
RT_DIALOG | 0xd1648 | 0x4d2 | data | English | United States
RT_DIALOG | 0xd3190 | 0x124 | data | English | United States
RT_DIALOG | 0xd2a00 | 0x518 | data | English | United States
RT_DIALOG | 0xd5228 | 0x1de | data | English | United States
RT_DIALOG | 0xd0a80 | 0x5ee | data | English | United States
RT_DIALOG | 0xd07b8 | 0x2c8 | data | English | United States
RT_DIALOG | 0xd0428 | 0x390 | data | English | United States
RT_DIALOG | 0xd6790 | 0x324 | data | English | United States
RT_DIALOG | 0xd2470 | 0x20c | data | English | United States
RT_DIALOG | 0xd3f70 | 0xeca | data | English | United States
RT_STRING | 0x207d18 | 0x70 | data | English | United States
RT_STRING | 0x207c38 | 0xdc | data | English | United States
RT_STRING | 0x207e68 | 0x174 | data | English | United States
RT_STRING | 0x207d88 | 0xdc | data | English | United States
RT_STRING | 0x207fe0 | 0x128 | data | English | United States
RT_STRING | 0x208108 | 0xda | data | English | United States
RT_STRING | 0x2081e8 | 0x3e | data | English | United States
RT_ACCELERATOR | 0xc6800 | 0xe0 | data | English | United States
RT_GROUP_CURSOR | 0xd72e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xd7190 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0xccb08 | 0x5a | data | English | United States
RT_GROUP_ICON | 0xcd050 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xccf10 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xcd190 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xccc90 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xcd410 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xcdab8 | 0x22 | data | English | United States
RT_GROUP_ICON | 0xce2c0 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xce640 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xce780 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xce8c0 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xcea00 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xccdd0 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xcd2d0 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xce170 | 0x22 | data | English | United States
RT_VERSION | 0xcf5a8 | 0x330 | data | English | United States
RT_MANIFEST | 0x2074e0 | 0x757 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
WS2_32.dll | closesocket, listen, recv, bind, accept, getsockname, connect, inet_ntoa, WSASetLastError, getservbyname, getservbyport, gethostbyaddr, htons, inet_addr, htonl, WSAStartup, ntohs, WSAGetLastError, gethostbyname, socket, send
VERSION.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
COMCTL32.dll | ImageList_Create, ImageList_ReplaceIcon, ImageList_SetBkColor, ImageList_Add, ImageList_SetOverlayImage, ImageList_GetIcon, ImageList_GetIconSize, CreateStatusWindowW, ImageList_Destroy, InitCommonControlsEx, ImageList_DrawEx
FLTLIB.DLL | FilterReplyMessage, FilterGetMessage, FilterConnectCommunicationPort, FilterSendMessage
KERNEL32.dll | OpenProcess, CreateProcessW, SetCurrentDirectoryW, GlobalAlloc, GlobalLock, GlobalUnlock, CompareStringW, GetLocaleInfoW, TryEnterCriticalSection, GetFileSize, SetEndOfFile, SetFilePointer, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, CreateFileW, GetVersion, WriteFile, ReadFile, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, FormatMessageW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, HeapCreate, HeapDestroy, HeapAlloc, HeapFree, HeapSize, EnumResourceNamesW, GetCurrentThread, SetThreadPriority, SetEvent, ResetEvent, ReleaseSemaphore, WaitForMultipleObjects, CreateEventW, CreateSemaphoreW, GetComputerNameA, QueryPerformanceCounter, QueryPerformanceFrequency, SetProcessShutdownParameters, GetFileAttributesExW, GetComputerNameW, SetConsoleCtrlHandler, GetCurrentProcessId, OpenThread, GetThreadContext, LoadLibraryA, GetSystemDirectoryA, FindClose, FindFirstFileW, FindNextFileW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsA, IsProcessorFeaturePresent, IsDebuggerPresent, HeapReAlloc, SetConsoleMode, ReadConsoleInputA, GetConsoleMode, GetModuleHandleExW, DecodePointer, EncodePointer, RtlUnwind, RaiseException, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, LoadLibraryExW, GetVersionExW, GetFileAttributesW, GetFullPathNameW, GetSystemInfo, VirtualFree, GlobalMemoryStatusEx, InitializeSRWLock, AcquireSRWLockShared, AcquireSRWLockExclusive, ReleaseSRWLockShared, ReleaseSRWLockExclusive, DeleteFileW, SetFileAttributesW, GetCurrentDirectoryW, GetSystemDirectoryW, FindResourceW, GetCommandLineA, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, ExpandEnvironmentStringsW, SizeofResource, LoadResource, SetLastError, GetLastError, GetCurrentProcess, LockResource, VirtualAlloc, DeleteCriticalSection, InitializeCriticalSection, GetSystemTimeAsFileTime, CloseHandle, Sleep, WaitForSingleObject, LeaveCriticalSection, EnterCriticalSection, CreateThread, GetModuleFileNameW, GetCommandLineW, GetStdHandle, GetFileType, LocalFree, LocalAlloc, GlobalAddAtomW, GetModuleHandleW, LoadLibraryW, GetTickCount, MulDiv, GetProcAddress, FreeLibrary, InterlockedDecrement, InterlockedIncrement, ExitThread, InitializeCriticalSectionAndSpinCount, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetProcessHeap, GetConsoleCP, GetStringTypeW, GetModuleFileNameA, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetFilePointerEx, OutputDebugStringW, WriteConsoleW, SetStdHandle, FlushFileBuffers, ReadConsoleW, ExitProcess, GetCurrentThreadId
USER32.dll | CopyImage, IsDialogMessageW, GetWindowDC, WindowFromPoint, GetMenuItemCount, GetSubMenu, EnableMenuItem, CheckMenuItem, DestroyMenu, CreatePopupMenu, GetMenu, LoadMenuW, TranslateAcceleratorW, LoadAcceleratorsW, IsWindowEnabled, KillTimer, CheckRadioButton, GetDlgItemTextW, GetDlgItemInt, SetDlgItemInt, CreateDialogParamW, IsZoomed, IsWindowVisible, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, FlashWindowEx, RegisterClassW, PostQuitMessage, DispatchMessageW, TranslateMessage, GetMessageW, DrawFrameControl, RegisterWindowMessageW, GetWindow, GetActiveWindow, LoadImageW, ClientToScreen, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, GetWindowThreadProcessId, FindWindowExW, FindWindowW, SetForegroundWindow, IsIconic, WaitForInputIdle, CreateIconFromResourceEx, GetClassNameW, GetMonitorInfoW, MonitorFromPoint, GetIconInfo, DrawIconEx, DestroyIcon, LoadIconW, SetClassLongW, FrameRect, DeleteMenu, IsDlgButtonChecked, CheckDlgButton, PostMessageW, LoadStringW, MessageBoxW, GetAncestor, GetDesktopWindow, EnableWindow, DialogBoxParamW, ChildWindowFromPoint, GetWindowTextW, SetDlgItemTextW, MoveWindow, SetWindowTextW, GetDlgItem, EndDialog, DialogBoxIndirectParamW, GetScrollInfo, SetScrollInfo, LoadCursorW, EnumChildWindows, EqualRect, UnionRect, ScreenToClient, MessageBeep, SetWindowTextA, SetActiveWindow, SetMenuDefaultItem, GetMenuItemInfoW, InsertMenuItemW, SetMenuInfo, GetParent, GetClassLongW, SetWindowLongW, GetWindowLongW, OffsetRect, IntersectRect, InflateRect, FillRect, GetSysColorBrush, GetSysColor, MapWindowPoints, GetCursorPos, SetCursor, GetWindowRect, GetClientRect, GetPropW, SetPropW, ScrollWindowEx, ValidateRect, InvalidateRect, GetUpdateRgn, GetUpdateRect, EndPaint, BeginPaint, ReleaseDC, PtInRect, TrackPopupMenu, GetDC, UpdateWindow, DrawTextW, GetSystemMetrics, SetTimer, ReleaseCapture, SetCapture, GetCapture, GetKeyState, GetFocus, SetFocus, SetWindowPos, ShowWindow, CreateWindowExW, RegisterClassExW, CallWindowProcW, DefWindowProcW, SendMessageW, GetCursor, InsertMenuW, DestroyWindow
GDI32.dll | SetROP2, SaveDC, RestoreDC, Rectangle, Polyline, GdiFlush, SetPixel, GetPixel, CreateFontW, Polygon, MoveToEx, LineTo, GetBitmapBits, GetObjectW, CreateFontIndirectW, EndPage, StartPage, EndDoc, StartDocW, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt, GetTextMetricsW, SetTextColor, SetBkMode, SetBkColor, SelectObject, SelectClipRgn, RectInRegion, GetStockObject, GetDeviceCaps, GetBkMode, GetBkColor, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePen, SetMapMode
COMDLG32.dll | PrintDlgW, GetOpenFileNameW, ChooseColorW, FindTextW, ChooseFontW, GetSaveFileNameW
ADVAPI32.dll | RegOpenKeyExA, RegQueryValueExA, RegEnumValueW, ConvertStringSidToSidW, ConvertSidToStringSidW, RegSetValueW, RegEnumKeyW, RegCreateKeyExW, LookupAccountSidW, MapGenericMask, GetLengthSid, FreeSid, AllocateAndInitializeSid, EqualSid, GetTokenInformation, RegDeleteValueW, RegDeleteKeyW, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken, RegOpenKeyExW, RegOpenKeyW, RegCreateKeyW, RegSetValueExW, RegCloseKey, RegQueryValueExW
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, CommandLineToArgvW, DragQueryFileW, SHChangeNotify, ShellExecuteW, SHGetSpecialFolderLocation, SHGetMalloc, ShellExecuteExW, SHGetFileInfoW
ole32.dll | CoSetProxyBlanket, CoCreateInstance, CreateBindCtx, OleInitialize, RegisterDragDrop, ReleaseStgMedium, CoInitialize
OLEAUT32.dll | SysAllocString, SysFreeString, SysStringLen, SafeArrayDestroy, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayGetElement, VariantInit, VariantClear, VariantChangeType, SysAllocStringByteLen, VariantTimeToSystemTime, SysAllocStringLen
SHLWAPI.dll | SHAutoComplete
Language of compilation system | Country where language is spoken | Map
English | United States |
    TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS


    Target ID:0
    Start time:17:13:36
    Start date:18/09/2022
    Path:C:\Users\user\Desktop\Process Monitor.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\Process Monitor.exe"
    Imagebase:0x400000
    File size:2134944 bytes
    MD5 hash:3D55E52BF84C8B1CB08CF447E195B006
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: Windows_Shellcode_Generic_8c487e57, Description: unknown, Source: 00000000.00000002.640850320.0000000020A00000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000000.00000002.640850320.0000000020A00000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
    Reputation:low


      Execution Graph

      Execution Coverage:1.3%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:15.2%
      Total number of Nodes:571
      Total number of Limit Nodes:37
52842->52843 52844 472ca4 52842->52844 52866 474352 72 API calls __getptd_noexit 52843->52866 52844->52843 52848 472cde 52844->52848 52847 4374e8 52847->52815 52848->52847 52868 474352 72 API calls __getptd_noexit 52848->52868 52850 472cbc 52867 4742e3 9 API calls _wprintf 52850->52867 52852 40f584 52851->52852 52853 40f58b LoadResource SizeofResource LockResource SetFileAttributesW 52851->52853 52852->52821 52869 471ca4 52853->52869 52856 40f5df 52856->52821 52857->52825 52858->52827 52859->52829 52860->52830 52861->52832 52862->52834 52863->52836 52864->52838 52865->52804 52866->52850 52867->52847 52868->52850 52870 471cc2 52869->52870 52871 471caf 52869->52871 52879 471ce9 52870->52879 52899 474352 72 API calls __getptd_noexit 52871->52899 52874 471cb4 52900 4742e3 9 API calls _wprintf 52874->52900 52875 471cd2 52876 40f5cd SetFileAttributesW 52875->52876 52901 474352 72 API calls __getptd_noexit 52875->52901 52876->52856 52881 471cf5 52879->52881 52880 471d08 52924 474352 72 API calls __getptd_noexit 52880->52924 52881->52880 52883 471d39 52881->52883 52902 47afdf 52883->52902 52884 471d0d 52925 4742e3 9 API calls _wprintf 52884->52925 52887 471d3e 52888 471d47 52887->52888 52889 471d54 52887->52889 52926 474352 72 API calls __getptd_noexit 52888->52926 52891 471d7e 52889->52891 52892 471d5e 52889->52892 52917 47b0fe 52891->52917 52927 474352 72 API calls __getptd_noexit 52892->52927 52894 471d18 52894->52875 52896 471d63 52928 47b3a0 HeapCreate __wfsopen 52896->52928 52899->52874 52900->52876 52901->52876 52903 47afeb 52902->52903 52929 4780fd 52903->52929 52905 47b06d 52936 47b0f5 52905->52936 52906 47b074 52942 477dad 52906->52942 52909 47b0ea 52909->52887 52914 47b0a1 EnterCriticalSection 52914->52905 52915 47aff9 52915->52905 52915->52906 52939 478185 72 API calls 8 library calls 52915->52939 52940 478dd6 73 API calls __lock 52915->52940 52941 478e40 LeaveCriticalSection LeaveCriticalSection _doexit 52915->52941 52918 47b11e 52917->52918 52923 47b148 
__wfsopen 52918->52923 52953 474352 72 API calls __getptd_noexit 52918->52953 52920 47b13d 52954 4742e3 9 API calls _wprintf 52920->52954 52922 47b4db HeapCreate 52923->52922 52924->52884 52925->52894 52926->52894 52927->52896 52930 478121 EnterCriticalSection 52929->52930 52931 47810e 52929->52931 52930->52915 52949 478185 72 API calls 8 library calls 52931->52949 52933 478114 52933->52930 52950 470155 72 API calls 3 library calls 52933->52950 52951 478267 LeaveCriticalSection 52936->52951 52938 47b0fc 52938->52909 52939->52915 52940->52915 52941->52915 52945 477dbb 52942->52945 52943 470444 _malloc 72 API calls 52943->52945 52944 477ded 52944->52905 52948 47831d InitializeCriticalSectionAndSpinCount 52944->52948 52945->52943 52945->52944 52947 477dce 52945->52947 52947->52944 52947->52945 52952 478624 Sleep 52947->52952 52948->52914 52949->52933 52951->52938 52952->52947 52953->52920 52954->52923 52955 4013e5 52960 424260 InitializeCriticalSection 52955->52960 52978 424200 52960->52978 52965 419990 72 API calls 52966 42430e 52965->52966 52989 424410 52966->52989 52969 419990 72 API calls 52970 42433b InitializeCriticalSection InitializeCriticalSection 52969->52970 52994 419910 52970->52994 52973 419910 72 API calls 52974 4013ea 52973->52974 52975 46fd29 52974->52975 53008 46fc2d 52975->53008 52977 4013f4 52979 424228 52978->52979 52980 42425c 52978->52980 52981 42423e VirtualAlloc 52979->52981 52982 42422e VirtualFree 52979->52982 52983 419990 52980->52983 52981->52980 52982->52981 52984 46eeb6 72 API calls 52983->52984 52985 41999a 52984->52985 52986 4199a1 52985->52986 53000 46eade RaiseException std::exception::exception __CxxThrowException@8 52985->53000 52986->52965 53001 426c50 52989->53001 52991 42446b 52992 42431d 52991->52992 53006 419c70 185 API calls 2 library calls 52991->53006 52992->52969 52995 46eeb6 72 API calls 52994->52995 52996 41991a 52995->52996 52997 419921 52996->52997 53007 46eade RaiseException std::exception::exception 
__CxxThrowException@8 52996->53007 52997->52973 53002 46eeb6 72 API calls 53001->53002 53003 426c57 std::exception::exception 53002->53003 53003->52991 53004 46f78d __CxxThrowException@8 RaiseException 53003->53004 53005 46eb0e 53004->53005 53006->52992 53009 46fc39 53008->53009 53016 4702b7 53009->53016 53015 46fc60 53015->52977 53017 4780fd __lock 72 API calls 53016->53017 53018 46fc42 53017->53018 53019 46fc71 RtlDecodePointer DecodePointer 53018->53019 53020 46fc4e 53019->53020 53021 46fc9e 53019->53021 53030 46fc6b 53020->53030 53021->53020 53033 477d34 72 API calls 2 library calls 53021->53033 53023 46fd01 EncodePointer EncodePointer 53023->53020 53024 46fcb0 53024->53023 53025 46fcd5 53024->53025 53034 477df4 72 API calls __realloc_crt 53024->53034 53025->53020 53028 46fcef EncodePointer 53025->53028 53035 477df4 72 API calls __realloc_crt 53025->53035 53028->53023 53029 46fce9 53029->53020 53029->53028 53036 4702c0 53030->53036 53033->53024 53034->53025 53035->53029 53039 478267 LeaveCriticalSection 53036->53039 53038 46fc70 53038->53015 53039->53038 53040 401275 53041 46fd29 __cinit 72 API calls 53040->53041 53042 40127a 53041->53042 53046 45eac2 53064 42cd70 53046->53064 53048 45eaca 53049 46f78d __CxxThrowException@8 RaiseException 53048->53049 53050 45ead3 _memset 53049->53050 53051 45eb35 GetVersionExW RegOpenKeyExW 53050->53051 53052 45ebac LoadLibraryW GetProcAddress 53051->53052 53053 45eb6e RegQueryValueExW RegCloseKey 53051->53053 53054 45ebd0 GetModuleHandleW GetProcAddress 53052->53054 53055 45ebc9 53052->53055 53053->53052 53056 45ec1e GetCommandLineW CommandLineToArgvW GetComputerNameW GetSystemDirectoryW 53054->53056 53057 45ebee GetCurrentProcess 53054->53057 53055->53054 53058 45ec72 _wcschr 53056->53058 53059 45ec08 53057->53059 53068 40b8d0 53058->53068 53059->53056 53061 45ec89 53062 46f77e __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 6 API calls 53061->53062 53063 45eca4 53062->53063 53065 42cd7a 53064->53065 53066 42cd90 
Mailbox 53064->53066 53065->53066 53078 42ba00 InterlockedDecrement SysFreeString Mailbox 53065->53078 53066->53048 53069 40b8e6 53068->53069 53070 40b978 53068->53070 53069->53070 53072 40b8f1 53069->53072 53102 40bd00 124 API calls 3 library calls 53070->53102 53076 40b92d 53072->53076 53077 46f283 74 API calls 53072->53077 53073 40b984 53073->53061 53079 40ba20 53076->53079 53077->53072 53078->53065 53080 46f410 __swprintf 84 API calls 53079->53080 53081 40ba53 53080->53081 53082 40bc91 RegCreateKeyW 53081->53082 53103 40b4d0 53081->53103 53083 40bcd5 53082->53083 53084 40bcae RegSetValueExW RegCloseKey 53082->53084 53086 46f77e __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 6 API calls 53083->53086 53084->53083 53088 40b95d 53086->53088 53087 40ba66 53087->53082 53118 40b570 RegOpenKeyW 53087->53118 53088->53061 53091 40ba8a 53133 40b630 RegOpenKeyW 53091->53133 53092 40ba7d 53127 40b990 53092->53127 53096 40ba82 53096->53082 53096->53083 53097 40ba97 GetStdHandle GetFileType 53098 40bcec 53097->53098 53099 40baaf LocalAlloc LoadLibraryW 53097->53099 53100 40baf4 53099->53100 53101 40bc63 DialogBoxIndirectParamW LocalFree 53100->53101 53101->53096 53102->53073 53104 46f410 __swprintf 84 API calls 53103->53104 53105 40b4fd 53104->53105 53138 40b450 RegOpenKeyExW 53105->53138 53108 40b551 53110 46f77e __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 6 API calls 53108->53110 53109 40b450 3 API calls 53111 40b522 53109->53111 53112 40b560 53110->53112 53111->53108 53113 40b529 53111->53113 53112->53087 53114 40b450 3 API calls 53113->53114 53115 40b53a 53114->53115 53116 46f77e __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 6 API calls 53115->53116 53117 40b54d 53116->53117 53117->53087 53119 40b610 53118->53119 53120 40b5bb RegQueryValueExW 53118->53120 53123 46f77e __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 6 API calls 53119->53123 53121 40b604 RegCloseKey 53120->53121 53122 40b5e6 53120->53122 53121->53119 53141 
46f283 74 API calls 3 library calls 53122->53141 53125 40b61d 53123->53125 53125->53091 53125->53092 53126 40b5f7 53126->53121 53142 47059a 53127->53142 53130 4704eb 84 API calls _wprintf 53132 40b9a1 53130->53132 53131 40b9e6 53131->53096 53132->53130 53132->53131 53157 47067d 53132->53157 53134 40b6a2 53133->53134 53135 40b669 RegQueryValueExW 53133->53135 53134->53097 53134->53098 53136 40b688 53135->53136 53137 40b699 RegCloseKey 53135->53137 53136->53137 53137->53134 53139 40b4b1 53138->53139 53140 40b47f RegQueryValueExW RegCloseKey 53138->53140 53139->53108 53139->53109 53140->53139 53141->53126 53143 4705a6 53142->53143 53144 4705b7 53143->53144 53145 4705cc _wprintf 53143->53145 53165 474352 72 API calls __getptd_noexit 53144->53165 53167 478dd6 73 API calls __lock 53145->53167 53147 4705bc 53166 4742e3 9 API calls _wprintf 53147->53166 53150 4705dc _wprintf 53168 478c3c 72 API calls 3 library calls 53150->53168 53151 4705c7 53151->53132 53153 4705ef _wprintf 53169 4754f9 84 API calls 11 library calls 53153->53169 53155 470608 __ftbuf _wprintf 53170 470636 LeaveCriticalSection LeaveCriticalSection _wprintf __getstream 53155->53170 53158 470689 53157->53158 53159 4780fd __lock 72 API calls 53158->53159 53160 470694 53159->53160 53171 4706c3 53160->53171 53164 4706af 53164->53132 53165->53147 53166->53151 53167->53150 53168->53153 53169->53155 53170->53151 53172 4706ee 53171->53172 53178 4706e0 53171->53178 53173 470704 53172->53173 53174 4706f9 53172->53174 53177 47070c GetConsoleMode SetConsoleMode 53173->53177 53173->53178 53188 479aac CreateFileW 53174->53188 53176 46f77e __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 6 API calls 53180 47069e 53176->53180 53184 47072e __getextendedkeycode 53177->53184 53178->53176 53179 4706fe 53179->53173 53185 4706ba 53180->53185 53181 470759 ReadConsoleInputA 53182 47076e 53181->53182 53181->53184 53183 470771 SetConsoleMode 53182->53183 53183->53178 53184->53181 53184->53182 53184->53183 53189 478267 
LeaveCriticalSection 53185->53189 53187 4706c1 53187->53164 53188->53179 53189->53187 53190 473d9d 53191 473d88 53190->53191 53209 478ce2 GetProcessHeap 53191->53209 53193 473dc7 53210 4752c5 53193->53210 53195 473dd8 __RTC_Initialize 53231 47c53c 53195->53231 53197 473df2 GetCommandLineA 53254 47eeb1 GetEnvironmentStringsW 53197->53254 53206 473e3c 53305 47ef3e 53206->53305 53208 473e4d 53209->53193 53311 470227 RtlEncodePointer 53210->53311 53212 4752ca 53317 47822e InitializeCriticalSectionAndSpinCount __getstream 53212->53317 53214 4752cf 53215 4752d3 53214->53215 53319 47827c TlsAlloc 53214->53319 53318 47533b 75 API calls 2 library calls 53215->53318 53218 4752e5 53218->53215 53220 4752f0 53218->53220 53219 4752d8 53219->53195 53320 477d65 53220->53320 53222 4752fd 53223 475332 53222->53223 53326 4782d8 TlsSetValue 53222->53326 53328 47533b 75 API calls 2 library calls 53223->53328 53226 475311 53226->53223 53228 475317 53226->53228 53227 475337 53227->53195 53327 475212 72 API calls 3 library calls 53228->53327 53230 47531f GetCurrentThreadId 53230->53195 53232 47c548 53231->53232 53233 4780fd __lock 72 API calls 53232->53233 53234 47c54f 53233->53234 53235 477d65 __calloc_crt 72 API calls 53234->53235 53236 47c560 53235->53236 53237 47c586 GetStartupInfoW 53236->53237 53238 47c56b 53236->53238 53248 47c5e0 53237->53248 53251 47c70f 53237->53251 53342 47b3a0 HeapCreate __wfsopen 53238->53342 53242 47c7df 53242->53197 53243 47c7d7 53345 47c7e7 LeaveCriticalSection _doexit 53243->53345 53245 477d65 __calloc_crt 72 API calls 53245->53248 53246 47c75c GetStdHandle 53246->53251 53247 47c76f GetFileType 53247->53251 53248->53245 53250 47c62e 53248->53250 53248->53251 53249 47c662 GetFileType 53249->53250 53250->53249 53250->53251 53343 47831d InitializeCriticalSectionAndSpinCount 53250->53343 53251->53243 53251->53246 53251->53247 53344 47831d InitializeCriticalSectionAndSpinCount 53251->53344 53255 47eec4 WideCharToMultiByte 53254->53255 53259 473e0e 53254->53259 
53257 47eef7 53255->53257 53258 47ef2e FreeEnvironmentStringsW 53255->53258 53260 477dad __malloc_crt 72 API calls 53257->53260 53258->53259 53267 47eab8 53259->53267 53261 47eefd 53260->53261 53261->53258 53262 47ef04 WideCharToMultiByte 53261->53262 53263 47ef23 FreeEnvironmentStringsW 53262->53263 53264 47ef1a 53262->53264 53263->53259 53265 47040c _free 72 API calls 53264->53265 53266 47ef20 53265->53266 53266->53263 53268 47eac6 53267->53268 53269 47eacb GetModuleFileNameA 53267->53269 53352 474879 84 API calls __setmbcp 53268->53352 53271 47eaf8 53269->53271 53346 47eb6b 53271->53346 53273 473e18 53278 47ece7 53273->53278 53275 477dad __malloc_crt 72 API calls 53276 47eb31 53275->53276 53276->53273 53277 47eb6b _parse_cmdline 72 API calls 53276->53277 53277->53273 53279 47ecf0 53278->53279 53284 47ecf5 53278->53284 53355 474879 84 API calls __setmbcp 53279->53355 53281 47ed20 53282 477d65 __calloc_crt 72 API calls 53281->53282 53285 47ed2b 53282->53285 53283 47ed10 _strlen 53283->53284 53284->53281 53284->53283 53290 473e29 53284->53290 53286 47ed45 _strlen 53285->53286 53288 477d65 __calloc_crt 72 API calls 53285->53288 53289 47ed7d 53285->53289 53285->53290 53291 47eda4 53285->53291 53294 47edbb 53285->53294 53356 473785 72 API calls 2 library calls 53285->53356 53286->53285 53287 47040c _free 72 API calls 53287->53290 53288->53285 53289->53287 53297 47018f 53290->53297 53292 47040c _free 72 API calls 53291->53292 53292->53290 53357 4742f3 8 API calls 2 library calls 53294->53357 53296 47edc7 53298 47019b __IsNonwritableInCurrentImage 53297->53298 53358 4789c1 53298->53358 53300 4701b9 __initterm_e 53301 46fd29 __cinit 72 API calls 53300->53301 53304 4701e9 __IsNonwritableInCurrentImage 53300->53304 53302 4701d8 53301->53302 53361 47025f 53302->53361 53304->53206 53306 47ef4a 53305->53306 53308 47ef4f 53305->53308 53370 474879 84 API calls __setmbcp 53306->53370 53309 47ef8d 53308->53309 53371 482b86 72 API calls x_ismbbtype_l 53308->53371 53309->53208 
53329 471c97 53311->53329 53313 470238 __init_pointers __initp_misc_winsig 53330 476eeb EncodePointer 53313->53330 53315 470250 __init_pointers 53316 47838b 34 API calls 53315->53316 53316->53212 53317->53214 53318->53219 53319->53218 53323 477d6c 53320->53323 53322 477da7 53322->53222 53323->53322 53325 477d8a 53323->53325 53331 47e695 53323->53331 53325->53322 53325->53323 53339 478624 Sleep 53325->53339 53326->53226 53327->53230 53328->53227 53329->53313 53330->53315 53332 47e6a0 53331->53332 53337 47e6bb 53331->53337 53333 47e6ac 53332->53333 53332->53337 53340 474352 72 API calls __getptd_noexit 53333->53340 53335 47e6cb RtlAllocateHeap 53335->53337 53338 47e6b1 53335->53338 53337->53335 53337->53338 53341 471c71 DecodePointer 53337->53341 53338->53323 53339->53325 53340->53338 53341->53337 53343->53250 53344->53251 53345->53242 53348 47eb8d 53346->53348 53351 47ebf1 53348->53351 53353 482b86 72 API calls x_ismbbtype_l 53348->53353 53349 47eb0e 53349->53273 53349->53275 53351->53349 53354 482b86 72 API calls x_ismbbtype_l 53351->53354 53352->53269 53353->53348 53354->53351 53355->53284 53356->53285 53357->53296 53359 4789c4 EncodePointer 53358->53359 53359->53359 53360 4789de 53359->53360 53360->53300 53362 470290 53361->53362 53363 470280 53361->53363 53362->53304 53363->53362 53365 401500 InitializeCriticalSection CreateSemaphoreW 53363->53365 53366 419990 69 API calls 53365->53366 53367 40156c HeapCreate 53366->53367 53368 46fd29 __cinit 69 API calls 53367->53368 53369 401596 53368->53369 53369->53363 53370->53308 53371->53308

      Control-flow Graph

      (basic-block graph of E00437270, rendered interactively in the original report; the flattened block and edge list is omitted here)
      C-Code - Quality: 87%
      			E00437270(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				long _v8;
      				char _v16;
      				signed int _v20;
      				short _v540;
      				short _v1060;
      				char _v1064;
      				char _v1068;
      				intOrPtr _v1072;
      				char _v1076;
      				char _v1080;
      				intOrPtr _v1084;
      				char _v1088;
      				struct _SHELLEXECUTEINFOW _v1148;
      				struct _SYSTEM_INFO _v1184;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t73;
      				signed int _t74;
      				char _t78;
      				void* _t113;
      				intOrPtr _t123;
      				void* _t127;
      				_Unknown_base(*)()* _t139;
      				signed int _t141;
      				intOrPtr _t149;
      				void* _t151;
      				void* _t171;
      				intOrPtr _t173;
      				void* _t175;
      				signed short _t177;
      				void* _t178;
      				signed int _t180;
      				void* _t181;
      				void* _t182;
      				void* _t183;
      				void* _t185;
      
      				_t171 = __edx;
      				_push(0xffffffff);
      				_push(E00489812);
      				_push( *[fs:0x0]);
      				_t182 = _t181 - 0x490;
      				_t73 =  *0x4bb1dc; // 0x2927074f
      				_t74 = _t73 ^ _t180;
      				_v20 = _t74;
      				_push(_t74);
      				 *[fs:0x0] =  &_v16;
      				_t149 = _a12;
      				_t177 = 0;
      				_t173 = _a8;
      				_v1084 = _a16;
      				if(_t149 == 0) {
      					L9:
      					_t78 = E0046A6C0(_t149, _t173, E0046A530(_t173));
      					_t183 = _t182 + 0xc;
      					_v1064 = _t78;
      					_v8 = 0;
      					if(GetModuleFileNameW(0,  &_v540, 0x103) != 0) {
      						if(_t149 != 0) {
      							_v1076 = E0046A6C0(_t149,  &_v540, E0046A530( &_v540));
      							_v8 = 1;
      							_v1068 = E0046A6C0(_t149, "\"", E0046A530("\""));
      							_v8 = 2;
      							_t123 = E0046A6C0(_t149, L" /originalpath \"", E0046A530(L" /originalpath \""));
      							_t185 = _t183 + 0x24;
      							_v1072 = _t123;
      							_v8 = 3;
      							E0046A230( &_v1080,  &_v1076);
      							_v8 = 4;
      							_t127 = E0046A230( &_v1088,  &_v1068);
      							_v8 = 5;
      							E0046A310( &_v1064, _t127);
      							_t164 = _v1088;
      							_v8 = 4;
      							if(_v1088 != 0) {
      								E0046A700(_t164);
      							}
      							_t165 = _v1080;
      							_v8 = 3;
      							if(_v1080 != 0) {
      								E0046A700(_t165);
      							}
      							_t166 = _v1072;
      							_v8 = 2;
      							if(_v1072 != 0) {
      								E0046A700(_t166);
      							}
      							_t167 = _v1068;
      							_v8 = 1;
      							if(_v1068 != 0) {
      								E0046A700(_t167);
      							}
      							_t168 = _v1076;
      							_v8 = 0;
      							if(_v1076 != 0) {
      								E0046A700(_t168);
      							}
      							 *((short*)(E00471495( &_v540, 0x2e))) = 0; // _wcsrchr: cut the module path at its last '.'
      							E00472C98( &_v540, 0x104, L"64.exe"); // bounded append: <name>.exe becomes <name>64.exe
      							_t183 = _t185 + 0x14;
      						}
      						if(_t177 == 0) {
      							L25:
      							E00470030( &(_v1148.fMask), 0, 0x38); // _memset: zero the SHELLEXECUTEINFOW body after cbSize
      							_v1148.cbSize = 0x3c; // sizeof(SHELLEXECUTEINFOW) on 32-bit
      							_v1148.fMask = 0x40; // SEE_MASK_NOCLOSEPROCESS: hProcess stays open for the wait below
      							_t87 =  ==  ? L"Open" : L"Runas"; // verb selection; the decompiler lost the condition
      							_v1148.hwnd = 0;
      							_v1148.lpVerb =  ==  ? L"Open" : L"Runas"; // "Runas" requests UAC elevation, "Open" a plain launch
      							_v1148.nShow = _a4;
      							_v1148.lpFile =  &_v540; // path prepared above: <name>64.exe (dropped to %TEMP% when _t177 != 0) or this module's own path
      							_v1148.lpParameters = E0046A170( &_v1064); // buffer of the string built above from _a8 and the /originalpath "<module path>" pieces
      							if(ShellExecuteExW( &_v1148) != 0 || GetLastError() != 2) { // launched, or failed with anything but ERROR_FILE_NOT_FOUND
      								L28:
      								WaitForSingleObject(_v1148.hProcess, 0xffffffff); // block until the child exits
      								CloseHandle(_v1148.hProcess);
      								if(_t149 != 0) {
      									DeleteFileW( &_v540); // remove the dropped copy once it has finished
      								}
      							} else {
      								GetModuleFileNameW(0,  &_v540, 0x103); // ERROR_FILE_NOT_FOUND: retry with this module's own path
      								if(ShellExecuteExW( &_v1148) == 0) {
      									goto L31;
      								} else {
      									goto L28;
      								}
      							}
      						} else {
      							ExpandEnvironmentStringsW(L"%TEMP%",  &_v1060, 0x104); // drop directory
      							E00472C98( &_v1060, 0x104, E00471495( &_v540, 0x5c)); // append "\<name>64.exe" (tail of the path after the last '\')
      							E0046EF0C( &_v540, 0x104,  &_v1060); // bounded copy: _v540 now holds %TEMP%\<name>64.exe
      							_t113 = E0040F560(_t171, _t177 & 0x0000ffff,  &_v540); // executed; writes resource BINRES/<_t177> to that file (FindResourceW, LoadResource, LockResource)
      							_t183 = _t183 + 0x28;
      							if(_t113 != 0 || GetFileAttributesW( &_v540) != 0xffffffff) { // a failed write is tolerated if the file already exists
      								goto L25;
      							} else {
      								goto L31;
      							}
      						}
      					}
      					_t152 = _v1064;
      					_v8 = 0xffffffff;
      					if(_v1064 != 0) {
      						E0046A700(_t152);
      					}
      				} else {
      					// Resolve GetNativeSystemInfo at run time (it reports the real CPU architecture even under WOW64)
      					// and fall back to GetSystemInfo where kernel32 lacks the export.
      					_t139 = GetProcAddress(LoadLibraryW(L"kernel32.dll"), "GetNativeSystemInfo");
      					if(_t139 == 0) {
      						GetSystemInfo( &_v1184);
      					} else {
      						 *_t139( &_v1184); // executed
      					}
      					_t141 = _v1184.dwOemId & 0x0000ffff; // low word of the union: wProcessorArchitecture
      					if(_t141 == 6) { // PROCESSOR_ARCHITECTURE_IA64
      						_t177 = 0x51d; // ID of the BINRES resource holding the IA-64 image
      						goto L9;
      					} else {
      						if(_t141 == 9) { // PROCESSOR_ARCHITECTURE_AMD64
      							_t177 = 0x51c; // ID of the BINRES resource holding the x64 image
      							goto L9;
      						} else {
      							L00401F90( &_v540, L"Unsupported processor type: %d\n", _t141); // any other architecture value
      							MessageBoxW(0,  &_v540, L"Process Monitor", 0x10); // MB_ICONERROR
      						}
      					}
      				}
      				 *[fs:0x0] = _v16;
      				_pop(_t175);
      				_pop(_t178);
      				_pop(_t151);
      				return E0046F77E(_t151, _v20 ^ _t180, _t171, _t175, _t178);
      			}
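Added example, not part of the Joe Sandbox report and not code from the analysed sample: the routine above reads a resource of type "BINRES" (ID 0x51C on AMD64, 0x51D on IA64) through E0040F560, writes it to %TEMP%\<name>64.exe, runs that file with ShellExecuteExW and deletes it afterwards, so the dropped second stage is only briefly on disk. The script below pulls the same resources out of the PE statically (standard library only, no pefile), reports size, an MZ check and the SHA-256 of each, and builds its own minimal PE32 fixture for the self-test. The fixture, the file name extract_binres.py and the usage line are assumptions of the example; the "BINRES" type, the two IDs and the resource-tree layout follow the decompiled code and the documented PE format.

```python
# Added example (not from the Joe Sandbox report or the analysed sample): pure-stdlib
# extractor for the BINRES resources E00437270 loads through E0040F560 (FindResourceW).
import hashlib
import struct
import sys

RESOURCE_TYPE = "BINRES"        # named type seen in the FindResourceW call below
X64_ID, IA64_ID = 0x51C, 0x51D  # IDs E00437270 selects for AMD64 (9) and IA64 (6)

def _headers(pe):
    """Return ([(va, vsize, raw_ptr, raw_size)], RVA of the resource directory)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1   # e_lfanew
    if nt < 0 or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)     # NumberOfSections, SizeOfOptionalHeader
    opt = nt + 24
    data_dir = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    rsrc_rva = struct.unpack_from("<I", pe, data_dir + 2 * 8)[0]  # IMAGE_DIRECTORY_ENTRY_RESOURCE
    secs = []
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<8xIIII", pe, opt + opt_size + 40 * i)
        secs.append((va, vsize, rptr, rsize))
    return secs, rsrc_rva

def _rva_to_off(secs, rva):
    for va, vsize, rptr, rsize in secs:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def walk_resources(pe):
    """Yield (path, data) per leaf; path = (type, name, lang), str if named else int ID."""
    secs, rsrc_rva = _headers(pe)
    base = _rva_to_off(secs, rsrc_rva)

    def node_name(raw):              # high bit: IMAGE_RESOURCE_DIR_STRING_U (u16 len + UTF-16)
        if not raw & 0x80000000:
            return raw
        off = base + (raw & 0x7FFFFFFF)
        n = struct.unpack_from("<H", pe, off)[0]
        return pe[off + 2:off + 2 + 2 * n].decode("utf-16-le")

    def walk(off, path):
        named, ids = struct.unpack_from("<HH", pe, off + 12)
        for i in range(named + ids):
            raw, target = struct.unpack_from("<II", pe, off + 16 + 8 * i)
            if target & 0x80000000:  # subdirectory
                yield from walk(base + (target & 0x7FFFFFFF), path + (node_name(raw),))
            else:                    # IMAGE_RESOURCE_DATA_ENTRY: RVA, size, codepage, reserved
                rva, size = struct.unpack_from("<II", pe, base + target)
                start = _rva_to_off(secs, rva)
                yield path + (node_name(raw),), pe[start:start + size]
    yield from walk(base, ())

def find_binres(pe):
    """Triage view of every BINRES/<id> leaf: size, MZ check and SHA-256."""
    report = {}
    for path, data in walk_resources(pe):
        if path[0] == RESOURCE_TYPE:
            report[path[1]] = {"size": len(data), "is_pe": data[:2] == b"MZ",
                               "sha256": hashlib.sha256(data).hexdigest()}
    return report

def build_sample_pe(payloads):
    """Constructed fixture, not a real sample: minimal PE32 whose .rsrc holds
    BINRES/<id>/0x409 per payload; only the fields the parser reads are filled."""
    RSRC_RVA, RSRC_OFF = 0x1000, 0x200

    def directory(entries):          # IMAGE_RESOURCE_DIRECTORY followed by its entries
        named = sum(1 for e, _ in entries if e & 0x80000000)
        head = struct.pack("<IIHHHH", 0, 0, 0, 0, named, len(entries) - named)
        return head + b"".join(struct.pack("<II", e, t) for e, t in entries)

    ids = sorted(payloads)
    type_off = 40                                   # root dir (24 bytes) + name string (16)
    lang_off = type_off + 16 + 8 * len(ids)         # one 24-byte language dir per ID
    data_off = lang_off + 24 * len(ids)             # one 16-byte data entry per ID
    rsrc = directory([(0x80000000 | 24, 0x80000000 | type_off)])
    rsrc += struct.pack("<H", 6) + RESOURCE_TYPE.encode("utf-16-le") + b"\0\0"
    rsrc += directory([(i, 0x80000000 | (lang_off + 24 * k)) for k, i in enumerate(ids)])
    for k in range(len(ids)):
        rsrc += directory([(0x409, data_off + 16 * k)])
    cursor = data_off + 16 * len(ids)
    for i in ids:
        rsrc += struct.pack("<IIII", RSRC_RVA + cursor, len(payloads[i]), 0, 0)
        cursor += len(payloads[i])
    rsrc += b"".join(payloads[i] for i in ids)

    opt = bytearray(224)                            # PE32 optional header: magic + resource dir only
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 2 * 8, RSRC_RVA, len(rsrc))
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = struct.pack("<8sIIII", b".rsrc", len(rsrc), RSRC_RVA, len(rsrc), RSRC_OFF) + bytes(16)
    head = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + bytes(opt) + section
    return head.ljust(RSRC_OFF, b"\0") + rsrc

if __name__ == "__main__":           # usage (assumed file name): python extract_binres.py "Process Monitor.exe"
    for rid, info in sorted(find_binres(open(sys.argv[1], "rb").read()).items()):
        print("%s/%#x size=%d is_pe=%s sha256=%s" % (RESOURCE_TYPE, rid, info["size"], info["is_pe"], info["sha256"]))
```

Run it against the sample and compare the SHA-256 of BINRES/0x51c with the hash of the file that appears in %TEMP% during detonation: a match confirms the dropped file is the embedded image rather than something fetched at run time, and gives a second artefact to scan independently of the 32-bit carrier.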

      APIs
      • LoadLibraryW.KERNEL32(kernel32.dll,GetNativeSystemInfo,2927074F,00000000,00000000,00000000), ref: 004372C1
      • GetProcAddress.KERNEL32(00000000), ref: 004372C8
      • GetNativeSystemInfo.KERNELBASE(?), ref: 004372D9
      • GetSystemInfo.KERNEL32(?), ref: 004372E4
      • MessageBoxW.USER32(00000000,?,Process Monitor,00000010), ref: 00437320
      • GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,00000000,00000000), ref: 0043736A
      • _wcsrchr.LIBCMT ref: 0043748A
      • ExpandEnvironmentStringsW.KERNEL32(%TEMP%,?,00000104), ref: 004374C2
      • _wcsrchr.LIBCMT ref: 004374D1
        • Part of subcall function 0040F560: FindResourceW.KERNEL32(00000000,?,BINRES,74CB4DC0,?), ref: 0040F578
      • GetFileAttributesW.KERNEL32(?), ref: 0043751E
      • _memset.LIBCMT ref: 00437538
      • ShellExecuteExW.SHELL32(0000003C), ref: 004375AB
      • GetLastError.KERNEL32 ref: 004375B1
      • GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 004375CA
      • ShellExecuteExW.SHELL32(0000003C), ref: 004375D3
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004375E1
      • CloseHandle.KERNEL32(?), ref: 004375ED
      • DeleteFileW.KERNEL32(?), ref: 004375FE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: File$ExecuteInfoModuleNameShellSystem_wcsrchr$AddressAttributesCloseDeleteEnvironmentErrorExpandFindHandleLastLibraryLoadMessageNativeObjectProcResourceSingleStringsWait_memset
      • String ID: /originalpath "$%TEMP%$64.exe$<$@$GetNativeSystemInfo$Open$Process Monitor$Runas$Unsupported processor type: %d$kernel32.dll
      • API String ID: 1260156612-3799951361
      • Opcode ID: bc59fb85c6069d7abd654b1f2140fb67dfbec566d84a970c8f06997a89afbf89
      • Instruction ID: 449c25847c7153ef3e1e15aaabe9b45a51533746910648da7d15192563ea11f3
      • Opcode Fuzzy Hash: bc59fb85c6069d7abd654b1f2140fb67dfbec566d84a970c8f06997a89afbf89
      • Instruction Fuzzy Hash: F6A1C8F1945218AADB20DB60CC55BEE77B8AF18304F4001EBF945E3291EB385B44CF59
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 78%
      			E0045EAC2(char __edx, void* __fp0, signed int _a4, char _a12, intOrPtr _a16) {
      				signed int _v8;
      				intOrPtr _v20;
      				struct _MEMORYSTATUSEX _v72;
      				struct _OSVERSIONINFOW _v356;
      				char _v612;
      				char _v1010;
      				char _v1012;
      				int _v1016;
      				char _v1020;
      				char _v1021;
      				char _v1022;
      				int _v1028;
      				char _v1032;
      				char _v1033;
      				char _v1034;
      				char _v1035;
      				char _v1036;
      				char _v1037;
      				void* _v1038;
      				char _v1039;
      				char _v1040;
      				char _v1041;
      				signed int _v1042;
      				char _v1043;
      				long _v1048;
      				char _v1052;
      				void* _v1056;
      				char _v1060;
      				char _v1064;
      				char _v1068;
      				void* _v1072;
      				struct HINSTANCE__* _v1076;
      				struct HWND__* _v1080;
      				char _v1084;
      				struct HWND__* _v1088;
      				struct HWND__* _v1092;
      				char _v1096;
      				int _v1100;
      				struct tagMSG _v1128;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t204;
      				long _t212;
      				_Unknown_base(*)()* _t214;
      				void* _t225;
      				char _t229;
      				char _t231;
      				char _t239;
      				char _t241;
      				char _t247;
      				char _t253;
      				char _t255;
      				char _t257;
      				char _t259;
      				char _t261;
      				char _t263;
      				char _t265;
      				signed int _t267;
      				signed int _t268;
      				char _t270;
      				char _t272;
      				char _t273;
      				char _t275;
      				char _t276;
      				char _t277;
      				char _t286;
      				struct HWND__* _t288;
      				struct HWND__* _t289;
      				char _t304;
      				intOrPtr _t313;
      				short* _t326;
      				void* _t330;
      				WCHAR* _t334;
      				char _t335;
      				intOrPtr _t336;
      				int _t344;
      				int _t347;
      				int _t348;
      				int _t349;
      				int _t350;
      				intOrPtr _t355;
      				int _t356;
      				char _t360;
      				char _t362;
      				char _t365;
      				char _t367;
      				char _t369;
      				char _t381;
      				char _t383;
      				signed int _t385;
      				void* _t412;
      				struct HWND__* _t419;
      				char _t426;
      				char _t435;
      				char _t441;
      				signed char _t442;
      				signed char _t443;
      				signed int _t446;
      				char _t447;
      				struct HWND__* _t449;
      				signed int _t465;
      				signed int _t466;
      				int _t467;
      				long _t468;
      				signed int _t469;
      				void* _t470;
      				void* _t471;
      				struct HWND__* _t472;
      				struct HINSTANCE__* _t473;
      				void* _t474;
      				void* _t475;
      				void* _t477;
      				signed char _t480;
      				char* _t482;
      				struct HWND__* _t503;
      				char _t529;
      				struct HWND__* _t532;
      				void* _t533;
      				void* _t534;
      				char _t535;
      				void* _t536;
      				void* _t537;
      				void* _t539;
      				intOrPtr* _t542;
      				void* _t544;
      				intOrPtr* _t545;
      				void* _t546;
      				struct HWND__* _t548;
      				void* _t549;
      				void* _t550;
      				char _t551;
      				void* _t552;
      				signed int _t554;
      				signed int _t560;
      				void* _t562;
      				void* _t563;
      				void* _t569;
      				intOrPtr* _t570;
      				void* _t576;
      				void* _t580;
      				void* _t581;
      				void* _t583;
      				void* _t600;
      
      				_t600 = __fp0;
      				_t529 = __edx;
      				_t478 = _v20;
      				E0042CD70(_v20);
      				E0046F78D(0, 0);
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				_t554 = _t560;
      				_t204 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t204 ^ _t554;
      				_t465 = _a4;
      				_v1060 = _a12;
      				_v1076 = _t465;
      				_v356.dwMajorVersion = 0;
      				E00470030( &(_v356.dwMinorVersion), 0, 0x114);
      				_t562 = _t560 - 0x464 + 0xc;
      				_v356.dwOSVersionInfoSize = 0x11c;
      				GetVersionExW( &_v356);
      				_t212 = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion", 0, 1,  &_v1072); // executed
      				if(_t212 == 0) {
      					_v1048 = 4;
      					RegQueryValueExW(_v1072, L"UBS", 0,  &_v1028,  &(_v356.dwPlatformId),  &_v1048); // executed
      					RegCloseKey(_v1072); // executed
      				}
      				_t214 = GetProcAddress(LoadLibraryW(L"Kernel32.dll"), "SetDllDirectoryW");
      				if(_t214 != 0) {
      					 *_t214(0x48fc20);
      				}
      				_t542 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "IsWow64Process");
      				if(_t542 != 0) {
      					_v1052 = 0;
      					 *_t542(GetCurrentProcess(),  &_v1052);
      					_t457 =  !=  ? 1 :  *0x4bd0a3 & 0x000000ff;
      					 *0x4bd0a3 =  !=  ? 1 :  *0x4bd0a3 & 0x000000ff;
      				}
      				_t543 = CommandLineToArgvW(GetCommandLineW(),  &_v1016);
      				 *0x4bd2c4 = _t465;
      				_v1048 = 0x104;
      				GetComputerNameW("445817",  &_v1048); // executed
      				GetSystemDirectoryW("C:\Windows", 0x104);
      				_push(0x5c);
      				_push("Windows");
      				 *((short*)(E004713E7(_t478))) = 0;
      				_t225 = E0040B8D0(0, _t219, L"Process Monitor",  &_v1016, _t219); // executed
      				_t563 = _t562 + 0x14;
      				_t480 = 0 | _t225 != 0x00000000;
      				if(_t480 != 0) {
      					_t532 = E0044C640(_t480, L"OpenLog",  &_v1016, _t543, 1);
      					_t229 = E0044C640(_t480, L"Terminate",  &_v1016, _t543, 0);
      					__eflags = _t229;
      					_v1034 = _t229 != 0;
      					_t231 = E0044C640(_t480, L"WaitForIdle",  &_v1016, _t543, 0);
      					__eflags = _t231;
      					_v1040 = _t231 != 0;
      					_v1088 = E0044C640(_t480, L"SaveAs",  &_v1016, _t543, 1);
      					_v1092 = E0044C640(_t480, L"SaveAs1",  &_v1016, _t543, 1);
      					_v1080 = E0044C640(_t480, L"SaveAs2",  &_v1016, _t543, 1);
      					_t239 = E0044C640(_t480, L"SaveApplyFilter",  &_v1016, _t543, 0);
      					__eflags = _t239;
      					_v1022 = _t239 != 0;
      					_t241 = E0044C640(_t480, L"EnableBootLogging",  &_v1016, _t543, 0);
      					__eflags = _t241;
      					_v1037 = _t241 != 0;
      					_v1084 = E0044C640(_t480, L"ConvertBootLog",  &_v1016, _t543, 1);
      					_v1068 = E0044C640(_t480, L"LoadConfig",  &_v1016, _t543, 1);
      					_t247 = E0044C640(_t480, L"NoFilter",  &_v1016, _t543, 0);
      					__eflags = _t247;
      					_v1039 = _t247 != 0;
      					_v1052 = E0044C640(_t480, L"BackingFile",  &_v1016, _t543, 1);
      					_v1096 = E0044C640(_t480, L"OriginalPath",  &_v1016, _t543, 1);
      					_t253 = E0044C640(_t480, L"PagingFile",  &_v1016, _t543, 0);
      					__eflags = _t253;
      					_v1021 = _t253 != 0;
      					_t255 = E0044C640(_t480, L"Profiling",  &_v1016, _t543, 0);
      					__eflags = _t255;
      					_v1041 = _t255 != 0;
      					_t257 = E0044C640(_t480, L"NoConnect",  &_v1016, _t543, 0);
      					__eflags = _t257;
      					_v1036 = _t257 != 0;
      					_t259 = E0044C640(_t480, L"Client",  &_v1016, _t543, 0);
      					__eflags = _t259;
      					_v1043 = _t259 != 0;
      					_t261 = E0044C640(_t480, L"Minimized",  &_v1016, _t543, 0);
      					__eflags = _t261;
      					_v1038 = _t261 != 0;
      					_t263 = E0044C640(_t480, L"Quiet",  &_v1016, _t543, 0);
      					__eflags = _t263;
      					_v1033 = _t263 != 0;
      					_t265 = E0044C640(_t480, "?",  &_v1016, _t543, 0);
      					__eflags = _t265;
      					_t466 = _t465 & 0xffffff00 | _t265 != 0x00000000;
      					_v1042 = _t466;
      					_t267 = E0044C640(_t480, L"HookRegistry",  &_v1016, _t543, 0);
      					_t569 = _t563 + 0x150;
      					__eflags = _t267;
      					_t268 = _t267 & 0xffffff00 | _t267 != 0x00000000;
      					__eflags = _t268;
      					if(_t268 != 0) {
      						 *0x4bb120 =  *0x4bb120 | 0x00000008;
      						__eflags =  *0x4bb120;
      						 *_t529 =  *_t529 | _t480;
      						__eflags =  *_t529;
      					}
      					_t270 = E0044C640(_t480, L"ExternalCapture",  &_v1016, _t543, 0);
      					__eflags = _t270;
      					_v1035 = _t270 != 0;
      					_t272 = E0044C640(_t480, L"Run32",  &_v1016, _t543, 0);
      					_t570 = _t569 + 0x20;
      					__eflags = _t272;
      					_t467 = _t466 & 0xffffff00 | _t272 != 0x00000000;
      					_v1028 = _t467;
      					__eflags = _t532;
      					if(_t532 == 0) {
      						_t449 = E0044C640(_t480, 0x48fc20,  &_v1016, _t543, _t532);
      						_t570 = _t570 + 0x10;
      						_t532 = _t449;
      					}
      					__eflags = _t467;
      					if(_t467 != 0) {
      						L20:
      						_t273 =  *0x4bd0a3; // 0x1
      						goto L21;
      					} else {
      						__eflags = _t532;
      						if(__eflags != 0) {
      							goto L20;
      						} else {
      							_t447 = E00436580(_t529, __eflags); // executed
      							__eflags = _t447;
      							if(_t447 != 0) {
      								goto L20;
      							} else {
      								_t273 =  *0x4bd0a3; // 0x1
      								__eflags = _t273;
      								if(_t273 == 0) {
      									L19:
      									_t468 = 1;
      								} else {
      									__eflags = _t467;
      									if(_t467 != 0) {
      										L21:
      										_t468 = 0;
      										__eflags = 0;
      									} else {
      										goto L19;
      									}
      								}
      							}
      						}
      					}
      					_v1048 = _t468;
      					__eflags = _t273;
      					if(_t273 == 0) {
      						L25:
      						_t469 = 0;
      						__eflags = 0;
      					} else {
      						__eflags = _t468;
      						if(_t468 != 0) {
      							goto L25;
      						} else {
      							_t469 = 1;
      						}
      					}
      					_v1020 = _t469;
      					__eflags = _t532;
      					if(_t532 != 0) {
      						__eflags = _t469;
      						if(__eflags != 0) {
      							_push(0x590);
      							_t441 = E0046EEB6(_t469, _t532, __eflags);
      							_t570 = _t570 + 4;
      							__eflags = _t441;
      							if(__eflags == 0) {
      								_t442 = 0;
      								__eflags = 0;
      							} else {
      								_t442 = E00415A70(_t441, __eflags);
      							}
      							_t480 = _t442;
      							_t443 = E00467B10(_t480, _t532);
      							__eflags = _t443 - 0xffffffff;
      							if(_t443 != 0xffffffff) {
      								asm("sbb al, al");
      								_t446 =  ~(_t443 & 0x00000001) & _t469;
      								__eflags = _t446;
      								_t469 = _t446;
      								_v1020 = _t469;
      							}
      						}
      					}
      					__eflags = _t469;
      					if(_t469 == 0) {
      						L41:
      						__eflags = _t469;
      						if(_t469 != 0) {
      							L149:
      							_t275 =  *(E00403D10(_v1060));
      							__eflags = _t275;
      							if(_t275 == 0) {
      								_t276 = 0;
      								__eflags = 0;
      							} else {
      								_t276 =  *_t275;
      							}
      							_t277 = E00437270(_t529, _a16, _t276, _v1020, _v1048);
      							_t570 = _t570 + 0x10;
      							_t482 =  &_v1060;
      							__eflags = _t277;
      							_t469 = _t469 & 0xffffff00 | _t277 == 0x00000000;
      							E00403A00(_t482);
      							__eflags = _t469;
      							if(_t469 == 0) {
      								goto L74;
      							} else {
      								_push(0);
      								_push(_t482);
      								_t545 = _t570;
      								_push(E0046A530(L"Unable to extract x64 image. Run Process Monitor from a writeable directory."));
      								_push(L"Unable to extract x64 image. Run Process Monitor from a writeable directory.");
      								goto L39;
      							}
      						} else {
      							__eflags = _t469;
      							if(_t469 != 0) {
      								goto L149;
      							} else {
      								_t286 = _v1096;
      								__eflags = _t286;
      								if(_t286 == 0) {
      									GetModuleFileNameW(0, 0x4bd0a8, 0x104);
      								} else {
      									E0046EF0C(0x4bd0a8, 0x104, _t286);
      									_t570 = _t570 + 0xc;
      								}
      								_t288 = _v1080;
      								_v1020 = 0;
      								__eflags = _t288;
      								if(_t288 == 0) {
      									_t289 = _v1092;
      									__eflags = _t289;
      									if(_t289 == 0) {
      										_t472 = _v1088;
      									} else {
      										_v1020 = 1;
      										_t472 = _t289;
      									}
      								} else {
      									_v1020 = 2;
      									_t472 = _t288;
      								}
      								__eflags = _v1042;
      								if(_v1042 != 0) {
      									L148:
      									DialogBoxParamW(_v1076, L"USAGE", 0, E0040C2C0, 0);
      									goto L40;
      								} else {
      									__eflags = _v1016 - 1;
      									if(_v1016 != 1) {
      										L142:
      										_v1032 = E0046A6C0(_t472,  *((intOrPtr*)(_t543 + 4)), E0046A530( *((intOrPtr*)(_t543 + 4))));
      										_v1068 = E0046A6C0(_t472, L"Invalid argument: ", E0046A530(L"Invalid argument: "));
      										E0046A230( &_v1056,  &_v1032);
      										_t488 = _v1068;
      										__eflags = _v1068;
      										if(_v1068 != 0) {
      											E0046A700(_t488);
      										}
      										_t489 = _v1032;
      										__eflags = _v1032;
      										if(_v1032 != 0) {
      											E0046A700(_t489);
      										}
      										MessageBoxW(0, E0046A170( &_v1056), L"Process Monitor", 0x10);
      										_t491 = _v1056;
      										__eflags = _v1056;
      										if(_v1056 != 0) {
      											E0046A700(_t491);
      										}
      										goto L148;
      									} else {
      										__eflags = _v1021;
      										if(_v1021 == 0) {
      											L55:
      											__eflags = _t472;
      											if(_t472 == 0) {
      												L58:
      												_t303 = _v1084;
      												__eflags = _v1084;
      												if(__eflags == 0) {
      													__eflags = _v1022;
      													_t548 = MessageBoxW;
      													if(_v1022 != 0) {
      														__eflags = _t472;
      														if(_t472 == 0) {
      															_t426 = E0046A6C0(_t472, L"The /SaveApplyFilter option is valid only when used with /SaveAs", E0046A530(L"The /SaveApplyFilter option is valid only when used with /SaveAs"));
      															_t570 = _t570 + 0xc;
      															_v1032 = _t426;
      															MessageBoxW(_t472, E0046A170( &_v1032), L"Process Monitor", 0x10);
      															_t524 = _v1032;
      															__eflags = _v1032;
      															if(_v1032 != 0) {
      																E0046A700(_t524);
      															}
      														}
      													}
      													_t304 = E00417660(0x4bca10);
      													__eflags = _t304;
      													if(_t304 != 0) {
      														__eflags = _v1040;
      														if(_v1040 == 0) {
      															__eflags = _v1037;
      															if(_v1037 == 0) {
      																__eflags = _v1034;
      																if(_v1034 == 0) {
      																	E0044D4E0(0x4bdce4, 0x4000000);
      																	_v72.dwLength = 0x40;
      																	_v72.dwMemoryLoad = 0;
      																	E00470030( &(_v72.ullTotalPhys), 0, 0x38);
      																	_t576 = _t570 + 0xc;
      																	GlobalMemoryStatusEx( &_v72);
      																	__eflags = _v356.dwMajorVersion - 6;
      																	asm("sbb eax, eax");
      																	asm("sbb eax, 0x0");
      																	_t313 = E00472240(_v72.ullTotalPhys - ( &_v72 & 0xef4f8a00) + 0x1dcd6500 + _v72.ullTotalPhys - ( &_v72 & 0xef4f8a00) + 0x1dcd6500, (_v72.ullAvailPhys << 0x00000020 | _v72.ullTotalPhys - ( &_v72 & 0xef4f8a00) + 0x1dcd6500) << 1, 3, 0);
      																	 *0x4bd2d8 = _t313;
      																	 *0x4bd2dc = _t529;
      																	__eflags = _t529;
      																	if(__eflags > 0) {
      																		_t313 = 0x3e800000;
      																		_t529 = 0;
      																		__eflags = 0;
      																		 *0x4bd2d8 = _t313;
      																		 *0x4bd2dc = 0;
      																	} else {
      																		if (__eflags < 0) goto L84;
      																		_pop(es);
      																	}
      																	asm("adc edx, 0x0");
      																	 *0x4bd2e0 = _t313 + 0x2000000;
      																	 *0x4bd2e4 = _t529;
      																	E0040F360(L"SeDebugPrivilege");
      																	__imp__OleInitialize(0);
      																	E00434860(_t529, _v1028, L".PML", L"ProcMon.Logfile.1", L"ProcMon Log File", 1);
      																	_v1012 = 0;
      																	E00470030( &_v1010, 0, 0x18e);
      																	__imp__#115(0x202,  &_v1012);
      																	E00471C3C(E00453240);
      																	E0047331B(1);
      																	SetConsoleCtrlHandler(E00446D00, 1);
      																	SetProcessShutdownParameters(0x1ff, 1);
      																	__eflags =  *0x4bd0a3;
      																	_t326 =  ==  ? L"Software\\Sysinternals\\Process Monitor" : L"Software\\Sysinternals\\Process Monitor32";
      																	 *0x4bd2b8 = _t326;
      																	RegCreateKeyExW(0x80000001, _t326, 0, 0, 0, 0xf003f, 0, 0x4bd2b4, 0);
      																	E00464AA0( &_v1064,  *0x4bd2b4);
      																	_t330 = E00465020(_t529, _t600,  &_v1064);
      																	_t580 = _t576 + 0x30;
      																	E00464AC0(_t330);
      																	E004192D0(0x4bca10,  *0x4bd8a0);
      																	__eflags = _v1068;
      																	if(__eflags == 0) {
      																		L94:
      																		__eflags = _v1035;
      																		if(_v1035 != 0) {
      																			 *0x4bb120 =  *0x4bb120 | 0x00000010;
      																			__eflags =  *0x4bb120;
      																		}
      																		__eflags = _v1039;
      																		if(_v1039 != 0) {
      																			L00457F20(_t600, 0);
      																		}
      																		E00436760( *0x4bd2b4, L"DeviceNameMap", "PHx");
      																		_t334 = _v1052;
      																		_t581 = _t580 + 0xc;
      																		__eflags = _t334;
      																		if(_t334 == 0) {
      																			__eflags = _v1021;
      																			if(_v1021 != 0) {
      																				__eflags = 0;
      																				 *0x4bdac0 = 0;
      																			}
      																		} else {
      																			GetFullPathNameW(_t334, 0x104, 0x4bdac0, 0);
      																			_push(L".PML");
      																			E00435A10(0x4bdac0, 0x104);
      																			_t581 = _t581 + 0xc;
      																		}
      																		_t335 = E00436680();
      																		__eflags = _t335;
      																		if(_t335 != 0) {
      																			 *0x4bb120 =  *0x4bb120 | 0x00000040;
      																			__eflags =  *0x4bb120;
      																			 *0x4bd2e9 = 1;
      																		}
      																		_t336 =  *0x4bd89c; // 0x0
      																		__eflags = _v1041;
      																		_t337 =  !=  ? 1 : _t336;
      																		 *0x4bd89c =  !=  ? 1 : _t336;
      																		SetThreadPriority(GetCurrentThread(), 2);
      																		E0046C6B0(1, _t529);
      																		__eflags = _t532;
      																		if(_t532 == 0) {
      																			L115:
      																			__eflags = _v1043;
      																			if(__eflags != 0) {
      																				E0043A130(_t529, _t532, __eflags);
      																				goto L141;
      																			} else {
      																				_t344 = RegisterWindowMessageW(L"commdlg_FindReplace");
      																				_t473 = _v1076;
      																				 *0x4bd2b0 = _t344;
      																				_v1028 = LoadAcceleratorsW(_t473, L"ACCELERATORS");
      																				E0044DC00(_t473);
      																				_t548 = MulDiv;
      																				_t583 = _t581 + 4;
      																				_t347 = MulDiv(0x12c,  *0x4bc898, 0x60);
      																				_t348 = MulDiv(0x1f4,  *0x4bc894, 0x60);
      																				_t349 = MulDiv(0xc8,  *0x4bc898, 0x60);
      																				_t350 = MulDiv(0x64,  *0x4bc894, 0x60);
      																				_t472 = _v1038;
      																				__eflags = _t472;
      																				_t352 =  !=  ? 0x20000000 : 0;
      																				_t353 = ( !=  ? 0x20000000 : 0) | 0x00cf0000;
      																				_t503 = CreateWindowExW(0, L"PROCMON_WINDOW_CLASS", L"Process Monitor - Sysinternals: www.sysinternals.com", ( !=  ? 0x20000000 : 0) | 0x00cf0000, _t350, _t349, _t348, _t347, 0, 0, _t473, 0);
      																				 *0x4bd2c0 = _t503;
      																				__eflags = _t503;
      																				if(_t503 == 0) {
      																					goto L40;
      																				} else {
      																					__eflags = _t472;
      																					if(_t472 == 0) {
      																						_t355 = _a16;
      																						_t529 = 5;
      																						__eflags = _t355 - 1;
      																						_t356 =  ==  ? 5 : _t355;
      																					} else {
      																						_t356 = 2;
      																					}
      																					ShowWindow(_t503, _t356);
      																					UpdateWindow( *0x4bd2c0);
      																					__eflags = E00414130(0x4bca94);
      																					if(__eflags == 0) {
      																						__eflags = _t472;
      																						if(__eflags == 0) {
      																							__eflags = _v1033 - _t472;
      																							if(__eflags == 0) {
      																								DialogBoxParamW( *0x4bd2c4, L"FILTER_INIT",  *0x4bd2c0,  &M0044BE70, 1);
      																							}
      																						}
      																					}
      																					_t360 = L00446DF0(_t529, __eflags,  *0x4bd2c0, 0);
      																					_t581 = _t583 + 8;
      																					__eflags = _t360;
      																					if(__eflags == 0) {
      																						__eflags = _t532;
      																						if(_t532 == 0) {
      																							__eflags = _v1036;
      																							if(_v1036 == 0) {
      																								__eflags =  *0x4bd0a3;
      																								if( *0x4bd0a3 == 0) {
      																									__eflags = _v1052;
      																									_t175 = _v1052 != 0;
      																									__eflags = _t175;
      																									SendMessageW( *0x4bd2c0, 0x111, 0x9c87, 0 | _t175);
      																								}
      																							}
      																						} else {
      																							__eflags =  *0x4bd895;
      																							if( *0x4bd895 != 0) {
      																								SendMessageW( *0x4bd2c0, 0x111, 0x9c53, 0);
      																							}
      																							E00452450(_t529,  *0x4bd2c0, _t532, 0);
      																							_t581 = _t581 + 0xc;
      																						}
      																					} else {
      																						E00418140(0x4bca10, __eflags, 0);
      																					}
      																					_t532 = GetMessageW;
      																					_t362 = GetMessageW( &_v1128, 0, 0, 0);
      																					__eflags = _t362;
      																					if(_t362 != 0) {
      																						_t472 = TranslateMessage;
      																						do {
      																							_t548 = GetActiveWindow();
      																							_t365 = TranslateAcceleratorW(_t548, _v1028,  &_v1128);
      																							__eflags = _t365;
      																							if(_t365 == 0) {
      																								_t369 = IsDialogMessageW(_t548,  &_v1128);
      																								__eflags = _t369;
      																								if(_t369 == 0) {
      																									TranslateMessage( &_v1128);
      																									DispatchMessageW( &_v1128);
      																								}
      																							}
      																							_t367 = GetMessageW( &_v1128, 0, 0, 0);
      																							__eflags = _t367;
      																						} while (_t367 != 0);
      																					}
      																					L141:
      																					E0043A870(_t472, _t529, _t532, _t548, 0);
      																					E004376B0( *0x4bd2b4, L"DeviceNameMap", "PHx");
      																					goto L74;
      																				}
      																			}
      																		} else {
      																			__eflags = _t472;
      																			if(_t472 == 0) {
      																				goto L115;
      																			} else {
      																				_t381 = E00471495(_t472, 0x2e);
      																				__eflags = _t381;
      																				if(_t381 == 0) {
      																					L114:
      																					_t548->i(0, L"Invalid file extension in /SaveAs option", L"Process Monitor", 0x10);
      																					goto L40;
      																				} else {
      																					_t383 = E0044C740(_t381);
      																					_v1028 = _t383;
      																					__eflags = _t383;
      																					if(_t383 < 0) {
      																						goto L114;
      																					} else {
      																						__eflags = E00452450(_t529, 0, _t532, 0);
      																						if(__eflags == 0) {
      																							goto L40;
      																						} else {
      																							_t385 = E00418140(0x4bca10, __eflags, 0);
      																							_v1020 - 2 = _v1020 - 1;
      																							__eflags = _v1022;
      																							_t535 = E00421580(0x4bca10, _t529, 0, _t472, 0 | _v1022 != 0x00000000,  *((intOrPtr*)(0x4a2ce8 + _v1028 * 8)), 1, ((_t385 & 0xffffff00 | _v1020 - 0x00000002 >= 0x00000000) & 0 | _v1022 >= 0x00000000) & 0x000000ff, (_t385 & 0xffffff00 | _v1020 - 0x00000002 >= 0x00000000) & 0x000000ff);
      																							__eflags = _t535;
      																							if(_t535 == 0) {
      																								goto L74;
      																							} else {
      																								_v1020 = E0046A6C0(_t472, L"The file was not saved. ", E0046A530(L"The file was not saved. "));
      																								E0046A310( &_v1020, E00459490(_t472,  &_v1028, _t535));
      																								_t509 = _v1028;
      																								__eflags = _v1028;
      																								if(_v1028 != 0) {
      																									E0046A700(_t509);
      																								}
      																								_t548->i(0, E0046A170( &_v1020), L"Process Monitor", 0x10);
      																								_t511 = _v1020;
      																								__eflags = _v1020;
      																								if(_v1020 != 0) {
      																									E0046A700(_t511);
      																								}
      																								goto L40;
      																							}
      																						}
      																					}
      																				}
      																			}
      																		}
      																	} else {
      																		E00415890( &_v612);
      																		__eflags = E004303A0( &_v612, __eflags, _v1068, 1, 0);
      																		if(__eflags != 0) {
      																			E00464A80( &_v1064,  &_v612);
      																			_t412 = E00465020(_t529, _t600,  &_v1064);
      																			_t580 = _t580 + 4;
      																			E00464AC0(_t412);
      																			E00415CF0(__eflags);
      																			goto L94;
      																		} else {
      																			_t548->i(L"The selected configuration file cannot be opened", L"Process Monitor", 0x10);
      																			E00415CF0(__eflags);
      																			_t536 = 0;
      																			_pop(_t549);
      																			__eflags = _v8 ^ _t554;
      																			_pop(_t474);
      																			return E0046F77E(_t474, _v8 ^ _t554, _t529, _t536, _t549);
      																		}
      																	}
      																} else {
      																	_t419 = FindWindowW(L"PROCMON_WINDOW_CLASS", 0);
      																	__eflags = _t419;
      																	if(_t419 == 0) {
      																		goto L40;
      																	} else {
      																		_push(0);
      																		_push(0);
      																		_push(0x800a);
      																		goto L73;
      																	}
      																}
      															} else {
      																E0040EFC0(_t529, 0, 1, 1);
      																_pop(_t537);
      																_pop(_t550);
      																_pop(_t475);
      																__eflags = _v8 ^ _t554;
      																return E0046F77E(_t475, _v8 ^ _t554, _t529, _t537, _t550);
      															}
      														} else {
      															_t551 = 0;
      															__eflags = 0;
      															while(1) {
      																_t419 = FindWindowW(L"PROCMON_WINDOW_CLASS", 0);
      																__eflags = _t419;
      																if(_t419 != 0) {
      																	break;
      																}
      																Sleep(0x64);
      																_t551 = _t551 + 1;
      																__eflags = _t551 - 0x64;
      																if(_t551 < 0x64) {
      																	continue;
      																} else {
      																	goto L40;
      																}
      																goto L154;
      															}
      															_push(0);
      															_push(0);
      															_push(0x8009);
      															L73:
      															SendMessageW(_t419, ??, ??, ??);
      															goto L74;
      														}
      													} else {
      														_t548->i(0, L"Procmon was unable to allocate sufficient memory to run.\nTry increasing the size of your page file.", L"Process Monitor", 0x10);
      														goto L40;
      													}
      												} else {
      													__eflags = L00446DF0(_t529, __eflags,  *0x4bd2c0, _t303);
      													if(__eflags != 0) {
      														E00418140(0x4bca10, __eflags, 0);
      													}
      													L74:
      													_pop(_t533);
      													_pop(_t544);
      													_pop(_t470);
      													__eflags = _v8 ^ _t554;
      													return E0046F77E(_t470, _v8 ^ _t554, _t529, _t533, _t544);
      												}
      											} else {
      												__eflags = _t532;
      												if(_t532 != 0) {
      													goto L58;
      												} else {
      													MessageBoxW(_t532, L"The /SaveAs option is valid only when used with /OpenLog", L"Process Monitor", 0x10);
      													goto L40;
      												}
      											}
      										} else {
      											__eflags = _v1052;
      											if(_v1052 != 0) {
      												goto L142;
      											} else {
      												goto L55;
      											}
      										}
      									}
      								}
      							}
      						}
      					} else {
      						_v1032 = 0;
      						_t435 = RegOpenKeyW(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",  &_v1056);
      						__eflags = _t435;
      						if(_t435 == 0) {
      							_v1100 = 4;
      							RegQueryValueExW(_v1056, L"EnableLUA", 0, 0,  &_v1032,  &_v1100);
      							RegCloseKey(_v1056);
      						}
      						__eflags = _v356.dwMajorVersion - 6;
      						if(_v356.dwMajorVersion < 6) {
      							L38:
      							_push(0);
      							_push(_t480);
      							_t545 = _t570;
      							_push(E0046A530(L"Process Monitor must be run from an administrator account."));
      							_push(L"Process Monitor must be run from an administrator account.");
      							L39:
      							 *_t545 = E0046A6C0(_t469);
      							E00437AE0(_t469, __eflags);
      							L40:
      							_pop(_t534);
      							_pop(_t546);
      							_pop(_t471);
      							__eflags = _v8 ^ _t554;
      							return E0046F77E(_t471, _v8 ^ _t554, _t529, _t534, _t546);
      						} else {
      							__eflags = _v1032;
      							if(_v1032 != 0) {
      								goto L41;
      							} else {
      								goto L38;
      							}
      						}
      					}
      				} else {
      					_pop(_t539);
      					_pop(_t552);
      					_pop(_t477);
      					return E0046F77E(_t477, _v8 ^ _t554, _t529, _t539, _t552);
      				}
      				L154:
      			}

      APIs
      • __CxxThrowException@8.LIBCMT ref: 0045EACE
        • Part of subcall function 0046F78D: RaiseException.KERNEL32(?,?,000000FF,004B76C4,?,00000000,?,?,?,0046EF06,000000FF,004B76C4,?,00000001), ref: 0046F7E2
      • _memset.LIBCMT ref: 0045EB30
      • GetVersionExW.KERNEL32(0000011C,?,?,00000000), ref: 0045EB49
      • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?,?,?,00000000), ref: 0045EB64
      • RegQueryValueExW.KERNELBASE(?,UBS,00000000,?,?,?), ref: 0045EB9A
      • RegCloseKey.KERNELBASE(?), ref: 0045EBA6
      • LoadLibraryW.KERNEL32(Kernel32.dll,SetDllDirectoryW,?,?,00000000), ref: 0045EBB6
      • GetProcAddress.KERNEL32(00000000), ref: 0045EBC3
      • GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,00000000), ref: 0045EBDA
      • GetProcAddress.KERNEL32(00000000), ref: 0045EBE1
      • GetCurrentProcess.KERNEL32(?), ref: 0045EBFF
      • GetCommandLineW.KERNEL32(?,?,?,00000000), ref: 0045EC25
      • CommandLineToArgvW.SHELL32(00000000,?,?,00000000), ref: 0045EC2C
      • GetComputerNameW.KERNEL32 ref: 0045EC50
      • GetSystemDirectoryW.KERNEL32(C:\Windows,00000104), ref: 0045EC60
      • _wcschr.LIBCMT ref: 0045EC6D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AddressCommandLineProc$ArgvCloseComputerCurrentDirectoryExceptionException@8HandleLibraryLoadModuleNameOpenProcessQueryRaiseSystemThrowValueVersion_memset_wcschr
      • String ID: 445817$C:\Windows$IsWow64Process$Kernel32.dll$PhDiI$Process Monitor$SetDllDirectoryW$Software\Microsoft\Windows NT\CurrentVersion$UBS$kernel32.dll
      • API String ID: 4208679227-1622085573
      • Opcode ID: 47e484b02625e4ba9b5a723fc6b583f464957a7bc9084e6f07a8880a4113da65
      • Instruction ID: 3b5b4484fd8cf13905c49f5b386074b3d037261c84701a17e567e45bab3d2813
      • Opcode Fuzzy Hash: 47e484b02625e4ba9b5a723fc6b583f464957a7bc9084e6f07a8880a4113da65
      • Instruction Fuzzy Hash: 484186B1A4021CAFDB20DFA4DC45BDE77B8EB49705F1404BAFA05E2191D7745A888F6C
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 96%
      			E00436580(void* __edx, void* __eflags) {
      				signed int _v8;
      				short _v12;
      				struct _SID_IDENTIFIER_AUTHORITY _v16;
      				char _v17;
      				void* _v24;
      				void* _v28;
      				long _v32;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t26;
      				int _t38;
      				signed int _t45;
      				void* _t46;
      				void* _t47;
      				void* _t50;
      				long _t52;
      				signed int _t53;
      				void* _t64;
      
      				_t50 = __edx;
      				_t26 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t26 ^ _t53;
      				_v16.Value = 0;
      				_v12 = 0x500;
      				_v28 = 0;
      				_v17 = 0;
      				OpenProcessToken(GetCurrentProcess(), 8,  &_v24);
      				AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v28);
      				_t51 = GetTokenInformation;
      				GetTokenInformation(_v24, 2, 0, 0,  &_v32); // executed
      				_t52 = _v32;
      				_t47 = E00470444(_t46, _t50, GetTokenInformation, _t52);
      				_t38 = GetTokenInformation(_v24, 2, _t47, _t52,  &_v32); // executed
      				if(_t38 != 0) {
      					_t51 = 0;
      					if(0 <  *_t47) {
      						_t52 = _t47 + 8;
      						do {
      							if(EqualSid(_v28,  *(_t52 - 4)) == 0) {
      								goto L6;
      							} else {
      								_t45 =  *_t52;
      								if((_t45 & 0x00000004) == 0 || (_t45 & 0xffffffef) == 0) {
      									goto L6;
      								}
      							}
      							break;
      							L6:
      							_t51 = _t51 + 1;
      							_t52 = _t52 + 8;
      						} while (_t51 <  *_t47);
      						_t64 = _t51 -  *_t47;
      					}
      					_v17 = _t64 != 0;
      				}
      				E0047040C(_t47);
      				FreeSid(_v28);
      				FindCloseChangeNotification(_v24); // executed
      				return E0046F77E(_t47, _v8 ^ _t53, _t50, _t51, _t52);
      			}

      APIs
      • GetCurrentProcess.KERNEL32(00000008,?), ref: 004365B1
      • OpenProcessToken.ADVAPI32(00000000), ref: 004365B8
      • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004365DB
      • GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 004365F4
      • _malloc.LIBCMT ref: 004365FA
        • Part of subcall function 00470444: __FF_MSGBANNER.LIBCMT ref: 0047045B
        • Part of subcall function 00470444: __NMSG_WRITE.LIBCMT ref: 00470462
        • Part of subcall function 00470444: RtlAllocateHeap.NTDLL(?,00000000,00000001,00000000,00000000,00000000,?,00477DC3,00000000,00000000,00000000,00000000,?,004781C7,00000018,004B7CD0), ref: 00470487
      • GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 0043660F
      • EqualSid.ADVAPI32(00000000,?), ref: 00436626
      • _free.LIBCMT ref: 0043664C
      • FreeSid.ADVAPI32(00000000), ref: 00436657
      • FindCloseChangeNotification.KERNELBASE(?), ref: 00436660
      Similarity
      • API ID: Token$AllocateInformationProcess$ChangeCloseCurrentEqualFindFreeHeapInitializeNotificationOpen_free_malloc
      • String ID:
      • API String ID: 2470940866-0
      • Opcode ID: 5f6bb886000188b6119393a3ac11ca75bb3f8770a86f7177d0408e761c73503a
      • Instruction ID: ae26d9bf943b1abace986fa5e78159afa367a3508038e9e6f40e5067bf2b630a
      • Opcode Fuzzy Hash: 5f6bb886000188b6119393a3ac11ca75bb3f8770a86f7177d0408e761c73503a
      • Instruction Fuzzy Hash: 6D31D471A00209BFEF109FA4DC46BAEBB78EF09344F114069EA05B6191C63469068B69
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 75%
      			E0040F560(void* __edx, WCHAR* _a4, WCHAR* _a8) {
      				struct HINSTANCE__* _v8;
      				void* _v12;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t10;
      				void* _t12;
      				struct HINSTANCE__* _t17;
      				long _t24;
      				void* _t27;
      				struct HRSRC__* _t28;
      				WCHAR* _t29;
      
      				_t27 = __edx;
      				_v8 = 0;
      				_t28 = FindResourceW(0, _a4, L"BINRES");
      				if(_t28 != 0) {
      					_t10 = LoadResource(0, _t28);
      					_t24 = SizeofResource(0, _t28);
      					_t12 = LockResource(_t10);
      					_t29 = _a8;
      					_v12 = _t12;
      					SetFileAttributesW(_t29, 0x80); // executed
      					E00471CA4( &_v8, _t29, L"wb"); // executed
      					SetFileAttributesW(_t29, 0x82);
      					_t17 = _v8;
      					__eflags = _t17;
      					if(__eflags != 0) {
      						_push(_t17);
      						_push(_t24);
      						_push(1);
      						_push(_v12);
      						L00471FEF(_t24, _t27, _t29, SetFileAttributesW, __eflags);
      						_push(_v8);
      						L00471E1F(_t24, _t29, SetFileAttributesW, __eflags);
      						return 1;
      					} else {
      						__eflags = 0;
      						return 0;
      					}
      				} else {
      					return 0;
      				}
      			}

      APIs
      • FindResourceW.KERNEL32(00000000,?,BINRES,74CB4DC0,?), ref: 0040F578
      • LoadResource.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040F590
      • SizeofResource.KERNEL32(00000000,00000000), ref: 0040F59B
      • LockResource.KERNEL32(00000000), ref: 0040F5A4
      • SetFileAttributesW.KERNELBASE(?,00000080), ref: 0040F5BC
      • __wfopen_s.LIBCMT ref: 0040F5C8
      • SetFileAttributesW.KERNEL32(?,00000082), ref: 0040F5D6
      Strings
      Similarity
      • API ID: Resource$AttributesFile$FindLoadLockSizeof__wfopen_s
      • String ID: BINRES
      • API String ID: 846097099-3442368034
      • Opcode ID: de48b22cecd1e1033d39c406dbe821c7ce0693dec27db0ef405793a0c20180bf
      • Instruction ID: 610529513d5dcd39ddeea37451d32d84dcb424f8e3e45d89d40c69f4c7fd1de8
      • Opcode Fuzzy Hash: de48b22cecd1e1033d39c406dbe821c7ce0693dec27db0ef405793a0c20180bf
      • Instruction Fuzzy Hash: 9E11C632A4020877DF20ABA9AC0AF9FBB6CDB81761F1040BFFD08A7291D675591597A4
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • InitializeCriticalSection.KERNEL32(004BCE48,2927074F,?,004899CA,000000FF), ref: 00401527
      • CreateSemaphoreW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,004899CA,000000FF), ref: 0040153F
      • HeapCreate.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,004899CA,000000FF), ref: 00401581
      Similarity
      • API ID: Create$CriticalHeapInitializeSectionSemaphore
      • String ID:
      • API String ID: 963375412-0
      • Opcode ID: 6dae58bafbc32e96f46fb737087652720bc611f8e91552037d28b7cf2d1cb6c6
      • Instruction ID: 7aae881674d98e5a4bdc6d9baca91ace215dbb3b3e3dcdae43d8644af2893832
      • Opcode Fuzzy Hash: 6dae58bafbc32e96f46fb737087652720bc611f8e91552037d28b7cf2d1cb6c6
      • Instruction Fuzzy Hash: E40108B1A84344EBE310DF94EC96B5977A4E704B14F20463AE6159A2E0DBB9A404CB5D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • HeapCreate.KERNELBASE(00040000,00000601,0047C57B,004BB1DC,?,000000FE,004B7DD8,00000064,00473DF2,004B7A40,00000014), ref: 0047B4EC
      Strings
      Similarity
      • API ID: CreateHeap
      • String ID:
      • API String ID: 10892065-4008152959
      • Opcode ID: 51e5cc251c1ff3153a8730e8b4f4bcc07931159e952e5f6133785e4c9522d766
      • Instruction ID: b3c5dca9be68f35f3c6168d5fd96845ad7a49b0896dcbfbbc5511612e945f560
      • Opcode Fuzzy Hash: 51e5cc251c1ff3153a8730e8b4f4bcc07931159e952e5f6133785e4c9522d766
      • Instruction Fuzzy Hash: 7EA12533E047344B9768DB7A9D996AB7292EBC4380783923EDC06E7665DF748C4186CC
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 80%
      			E0040BA20(void* __ebx, signed int __edx, void* __edi, void* __esi, long _a4, char _a8) {
      				intOrPtr _v0;
      				signed int _v8;
      				signed int _v12;
      				signed int _v516;
      				signed int _v520;
      				intOrPtr _v524;
      				short _v528;
      				short _v532;
      				signed int _v536;
      				char _v1052;
      				char _v1056;
      				void* _v1060;
      				void* _v1064;
      				void* _v1068;
      				char _v1072;
      				long _v1076;
      				char _v1080;
      				int _v1084;
      				int _v1088;
      				struct HINSTANCE__* _v1580;
      				intOrPtr _v1600;
      				intOrPtr* _v1612;
      				signed int _t219;
      				long _t225;
      				char _t232;
      				void* _t233;
      				signed int _t234;
      				signed int _t236;
      				signed int _t246;
      				signed int _t256;
      				signed int _t258;
      				signed int _t260;
      				signed int _t261;
      				signed int _t262;
      				signed int _t263;
      				intOrPtr* _t265;
      				void* _t266;
      				long _t271;
      				signed int _t275;
      				signed int _t277;
      				signed int _t279;
      				signed int _t280;
      				signed int _t283;
      				signed int _t284;
      				signed int _t287;
      				signed int _t288;
      				signed int _t291;
      				signed int _t292;
      				signed int _t295;
      				signed int _t296;
      				signed int _t297;
      				signed int _t301;
      				signed int _t313;
      				signed int _t319;
      				long _t321;
      				signed int _t329;
      				signed int _t332;
      				signed int _t335;
      				signed int _t338;
      				char _t343;
      				long _t347;
      				void* _t348;
      				signed int _t349;
      				signed int _t350;
      				void* _t351;
      				signed int _t356;
      				signed short* _t357;
      				signed short* _t358;
      				signed short* _t360;
      				signed short* _t362;
      				signed short* _t364;
      				signed short* _t366;
      				signed short* _t368;
      				signed short* _t369;
      				signed int _t378;
      				signed int _t380;
      				signed int _t382;
      				void* _t384;
      				signed int _t386;
      				signed int _t388;
      				signed int _t390;
      				signed int _t393;
      				signed int _t394;
      				void* _t395;
      				void* _t396;
      				intOrPtr* _t397;
      				void* _t399;
      				void* _t400;
      				signed int _t402;
      				long _t403;
      				void* _t404;
      				signed int _t405;
      				void* _t406;
      				long _t407;
      				void* _t408;
      				intOrPtr* _t410;
      				intOrPtr* _t411;
      				intOrPtr* _t412;
      				intOrPtr* _t413;
      				void* _t414;
      				signed int _t415;
      				intOrPtr* _t416;
      				void* _t417;
      				short* _t418;
      				void* _t419;
      				signed int _t422;
      				void* _t423;
      				signed int _t425;
      				void* _t426;
      				signed int _t428;
      				void* _t429;
      				signed int _t431;
      				void* _t432;
      				signed int _t434;
      				void* _t435;
      				void* _t436;
      				signed int _t437;
      				signed int _t438;
      				void* _t440;
      				void* _t441;
      				signed int _t442;
      				void* _t443;
      				void* _t444;
      				void* _t445;
      
      				_t401 = __esi;
      				_t392 = __edi;
      				_t375 = __edx;
      				_t219 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t219 ^ _t437;
      				_push(__ebx);
      				_t347 = _a4;
      				_v532 = 0;
      				E0046F410( &_v528, L"Software\\Sysinternals\\%s", _t347);
      				_t441 = _t440 + 0xc;
      				_t448 = _a8;
      				if(_a8 != 0) {
      					L8:
      					_t225 = RegCreateKeyW(0x80000001,  &_v528,  &_v532); // executed
      					if(_t225 == 0) {
      						RegSetValueExW(_v532, L"EulaAccepted", 0, 4,  &_a8, 4); // executed
      						RegCloseKey(_v532); // executed
      					}
      					goto L10;
      				} else {
      					_t232 = E0040B4D0(_t347, __edx, __edi, __esi, _t448, _t347); // executed
      					_t442 = _t441 + 4;
      					_a8 = _t232;
      					if(_t232 != 0) {
      						goto L8;
      					} else {
      						_t233 = E0040B570(_t347, __edi); // executed
      						if(_t233 == 0) {
      							_t234 = E0040B630(); // executed
      							__eflags = _t234;
      							if(_t234 != 0) {
      								L11:
      								L0040B9F0(_t347, _t375, _t392, _t401);
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								_push(_t437);
      								_t438 = _t442;
      								_t443 = _t442 - 0x438;
      								_t236 =  *0x4bb1dc; // 0x2927074f
      								_v536 = _t236 ^ _t438;
      								_push(_t347);
      								_t349 = _v516;
      								_push(_t401);
      								_push(_t392);
      								_t393 = _v520;
      								_v1600 = _v524;
      								_v1580 = 0;
      								__eflags = _t393;
      								if(_t393 == 0) {
      									L14:
      									_t402 = GetProcAddress(LoadLibraryW(L"Shell32.dll"), "CommandLineToArgvW");
      									__eflags = _t402;
      									if(_t402 != 0) {
      										_t393 = 0x4bc8b0;
      										_t349 =  *_t402(GetCommandLineW(), 0x4bc8b0);
      										goto L16;
      									}
      								} else {
      									__eflags = _t349;
      									if(_t349 != 0) {
      										L16:
      										_t415 = 0;
      										__eflags =  *_t393;
      										if( *_t393 > 0) {
      											__eflags = 0;
      											_v1056 = 0;
      											while(1) {
      												_t313 = E0046F283(_t349, _t393, _t415,  *((intOrPtr*)(_t349 + _t415 * 4)), L"/accepteula");
      												_t443 = _t443 + 8;
      												__eflags = _t313;
      												if(_t313 == 0) {
      													break;
      												}
      												_t319 = E0046F283(_t349, _t393, _t415,  *((intOrPtr*)(_t349 + _t415 * 4)), L"-accepteula");
      												_t443 = _t443 + 8;
      												__eflags = _t319;
      												if(_t319 == 0) {
      													break;
      												} else {
      													_t415 = _t415 + 1;
      													__eflags = _t415 -  *_t393;
      													if(_t415 <  *_t393) {
      														continue;
      													} else {
      													}
      												}
      												goto L25;
      											}
      											_v1056 = 1;
      											__eflags = _t415 -  *_t393 - 1;
      											while(_t415 <  *_t393 - 1) {
      												 *((intOrPtr*)(_t349 + _t415 * 4)) =  *((intOrPtr*)(_t349 + 4 + _t415 * 4));
      												_t415 = _t415 + 1;
      												__eflags = _t415 -  *_t393 - 1;
      											}
      											 *_t393 =  *_t393 - 1;
      											__eflags =  *_t393;
      										}
      									} else {
      										goto L14;
      									}
      								}
      								L25:
      								_t403 = _v1076;
      								_t350 = _v1056;
      								_v1056 = _t350;
      								_v1068 = 0;
      								E0046F410( &_v532, L"Software\\Sysinternals\\%s", _t403);
      								_t444 = _t443 + 0xc;
      								_t394 = 1;
      								__eflags = _v1056;
      								if(_v1056 != 0) {
      									L37:
      									_t246 = RegCreateKeyW(0x80000001,  &_v532,  &_v1068);
      									__eflags = _t246;
      									if(_t246 == 0) {
      										RegSetValueExW(_v1068, L"EulaAccepted", 0, 4,  &_v1056, 4);
      										RegCloseKey(_v1068);
      									}
      									__eflags = _v1056;
      									_t350 =  !=  ? _t394 : _t350;
      									goto L40;
      								} else {
      									_push(_t403);
      									E0046F410( &_v1052, L"%s\\%s", L"Software\\Sysinternals");
      									_t396 = RegOpenKeyExW;
      									_t445 = _t444 + 0x10;
      									_v1064 = 0;
      									_v1080 = 0;
      									_t256 = RegOpenKeyExW(0x80000002, L"Software\\Sysinternals", 0, 0x101,  &_v1064);
      									_t405 = RegQueryValueExW;
      									__eflags = _t256;
      									if(_t256 != 0) {
      										L30:
      										_v1060 = 0;
      										_v1072 = 0;
      										_t258 = RegOpenKeyExW(0x80000001, L"Software\\Sysinternals", 0, 0x101,  &_v1060);
      										__eflags = _t258;
      										if(_t258 != 0) {
      											L34:
      											_t260 = E0040B450(0x80000001,  &_v1052);
      											_t445 = _t445 + 8;
      											__eflags = _t260;
      											if(_t260 == 0) {
      												_t261 = 0;
      												__eflags = 0;
      												goto L42;
      											} else {
      												_v1056 = 1;
      												goto L36;
      											}
      										} else {
      											_v1084 = 4;
      											_t405 = RegQueryValueExW(_v1060, L"EulaAccepted", 0, 0,  &_v1072,  &_v1084);
      											RegCloseKey(_v1060);
      											__eflags = _t405;
      											if(_t405 != 0) {
      												goto L34;
      											} else {
      												__eflags = _v1072 - _t405;
      												if(_v1072 == _t405) {
      													goto L34;
      												} else {
      													goto L33;
      												}
      											}
      										}
      									} else {
      										_v1088 = 4;
      										_t405 = RegQueryValueExW(_v1064, L"EulaAccepted", 0, 0,  &_v1080,  &_v1088);
      										RegCloseKey(_v1064);
      										__eflags = _t405;
      										if(_t405 != 0) {
      											L29:
      											_t405 = RegQueryValueExW;
      											goto L30;
      										} else {
      											__eflags = _v1080 - _t405;
      											if(_v1080 != _t405) {
      												L33:
      												_t261 = 1;
      												L42:
      												_v1056 = _t261;
      												__eflags = _t261;
      												if(_t261 != 0) {
      													L36:
      													_t394 = 1;
      													goto L37;
      												} else {
      													_t262 = E0040B570(_t350, _t396);
      													__eflags = _t262;
      													if(_t262 == 0) {
      														_t263 = E0040B630();
      														__eflags = _t263;
      														if(_t263 != 0) {
      															L66:
      															L0040B9F0(_t350, _t375, _t396, _t405);
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															asm("int3");
      															_push(_t438);
      															_push(_t405);
      															_push(_t396);
      															_t397 = _v1612;
      															_t376 =  *_t397;
      															_t265 =  *_t397;
      															_t406 = _t265 + 1;
      															do {
      																_t356 =  *_t265;
      																_t265 = _t265 + 1;
      																__eflags = _t356;
      															} while (_t356 != 0);
      															_t266 = _t265 - _t406;
      															_t407 = _a4;
      															__eflags = _t407 - _t266;
      															_t408 =  >  ? _t266 : _t407;
      															E00470850(_v0, _t376, _t408);
      															 *_a8 = _t408;
      															 *_t397 =  *_t397 + _t408;
      															__eflags = 0;
      															return 0;
      														} else {
      															_t271 = GetFileType(GetStdHandle(0xfffffff5));
      															__eflags = _t271 - 3;
      															if(_t271 == 3) {
      																goto L66;
      															} else {
      																_t399 = LocalAlloc(0x40, 0x3e8);
      																LoadLibraryW(L"Riched32.dll");
      																 *_t399 = 0x80c808d0;
      																_t357 = L"License Agreement";
      																 *((intOrPtr*)(_t399 + 0xa)) = 0;
      																_t136 = _t399 + 0x16; // 0x16
      																 *((intOrPtr*)(_t399 + 0xe)) = 0xb40138;
      																 *(_t399 + 8) = 0;
      																_t378 = _t136 - _t357;
      																__eflags = _t378;
      																 *((intOrPtr*)(_t399 + 0x12)) = 0;
      																do {
      																	_t275 =  *_t357 & 0x0000ffff;
      																	_t357 =  &(_t357[1]);
      																	 *(_t378 + _t357 - 2) = _t275;
      																	__eflags = _t275;
      																} while (_t275 != 0);
      																_t143 = _t399 + 0x3c; // 0x3c
      																_t358 = L"MS Shell Dlg";
      																 *((short*)(_t399 + 0x3a)) = 8;
      																_t380 = _t143 - _t358;
      																__eflags = _t380;
      																do {
      																	_t277 =  *_t358 & 0x0000ffff;
      																	_t358 =  &(_t358[1]);
      																	 *(_t380 + _t358 - 2) = _t277;
      																	__eflags = _t277;
      																} while (_t277 != 0);
      																_t148 = _t399 + 0x59; // 0x59
      																_t279 = _t148 & 0xfffffffc;
      																_t149 = _t279 + 0x12; // 0x6b
      																_t410 = _t149;
      																_t150 = _t410 + 4; // 0x6f
      																 *((short*)(_t279 + 0x10)) = 0x1f6;
      																_t360 = L"You can also use the /accepteula command-line switch to accept the EULA.";
      																 *((intOrPtr*)(_t279 + 8)) = 0x30007;
      																_t382 = _t150 - _t360;
      																__eflags = _t382;
      																 *((intOrPtr*)(_t279 + 0xc)) = 0xe012a;
      																 *_t279 = 0x50000000;
      																 *_t410 = 0x82ffff;
      																do {
      																	_t280 =  *_t360 & 0x0000ffff;
      																	_t360 =  &(_t360[1]);
      																	 *(_t382 + _t360 - 2) = _t280;
      																	__eflags = _t280;
      																} while (_t280 != 0);
      																 *((short*)(_t410 + 0x96)) = 0;
      																_t158 = _t410 + 0x9b; // 0x106
      																 *(_t399 + 8) =  *(_t399 + 8) + 1;
      																_t283 = _t158 & 0xfffffffc;
      																_t161 = _t283 + 0x12; // 0x118
      																_t411 = _t161;
      																_t162 = _t411 + 4; // 0x11c
      																 *((short*)(_t283 + 0x10)) = 1;
      																_t362 = L"&Agree";
      																 *((intOrPtr*)(_t283 + 8)) = 0x9f00c9;
      																_t384 = _t162 - _t362;
      																 *((intOrPtr*)(_t283 + 0xc)) = 0xe0032;
      																 *_t283 = 0x50010000;
      																 *_t411 = 0x80ffff;
      																do {
      																	_t284 =  *_t362 & 0x0000ffff;
      																	_t362 =  &(_t362[1]);
      																	 *(_t362 + _t384 - 2) = _t284;
      																	__eflags = _t284;
      																} while (_t284 != 0);
      																 *((short*)(_t411 + 0x12)) = 0;
      																_t170 = _t411 + 0x17; // 0x12f
      																 *(_t399 + 8) =  *(_t399 + 8) + 1;
      																_t287 = _t170 & 0xfffffffc;
      																_t173 = _t287 + 0x12; // 0x141
      																_t412 = _t173;
      																_t174 = _t412 + 4; // 0x145
      																 *((short*)(_t287 + 0x10)) = 2;
      																_t364 = L"&Decline";
      																 *((intOrPtr*)(_t287 + 8)) = 0x9f00ff;
      																_t386 = _t174 - _t364;
      																__eflags = _t386;
      																 *((intOrPtr*)(_t287 + 0xc)) = 0xe0032;
      																 *_t287 = 0x50010000;
      																 *_t412 = 0x80ffff;
      																do {
      																	_t288 =  *_t364 & 0x0000ffff;
      																	_t364 =  &(_t364[1]);
      																	 *(_t364 + _t386 - 2) = _t288;
      																	__eflags = _t288;
      																} while (_t288 != 0);
      																 *((short*)(_t412 + 0x16)) = 0;
      																_t182 = _t412 + 0x1b; // 0x15c
      																 *(_t399 + 8) =  *(_t399 + 8) + 1;
      																_t291 = _t182 & 0xfffffffc;
      																_t185 = _t291 + 0x12; // 0x16e
      																_t413 = _t185;
      																_t186 = _t413 + 4; // 0x172
      																 *((short*)(_t291 + 0x10)) = 0x1f5;
      																_t366 = L"&Print";
      																 *((intOrPtr*)(_t291 + 8)) = 0x9f0007;
      																_t388 = _t186 - _t366;
      																__eflags = _t388;
      																 *((intOrPtr*)(_t291 + 0xc)) = 0xe0032;
      																 *_t291 = 0x50010000;
      																 *_t413 = 0x80ffff;
      																do {
      																	_t292 =  *_t366 & 0x0000ffff;
      																	_t366 =  &(_t366[1]);
      																	 *(_t366 + _t388 - 2) = _t292;
      																	__eflags = _t292;
      																} while (_t292 != 0);
      																 *((short*)(_t413 + 0x12)) = 0;
      																_t194 = _t413 + 0x17; // 0x185
      																 *(_t399 + 8) =  *(_t399 + 8) + 1;
      																_t295 = _t194 & 0xfffffffc;
      																_t197 = _t295 + 0x12; // 0x197
      																_t414 = _t197;
      																 *((short*)(_t295 + 0x10)) = 0x1f4;
      																_t368 = L"RICHEDIT";
      																 *((intOrPtr*)(_t295 + 8)) = 0xe0007;
      																 *((intOrPtr*)(_t295 + 0xc)) = 0x8c012a;
      																 *_t295 = 0x50a11844;
      																_t390 = _t414 - _t368;
      																__eflags = _t390;
      																do {
      																	_t296 =  *_t368 & 0x0000ffff;
      																	_t368 =  &(_t368[1]);
      																	 *(_t368 + _t390 - 2) = _t296;
      																	__eflags = _t296;
      																} while (_t296 != 0);
      																_t369 = L"&Decline";
      																_t204 = _t414 + 0x12; // 0x1a9
      																_t375 = _t204 - _t369;
      																__eflags = _t375;
      																do {
      																	_t297 =  *_t369 & 0x0000ffff;
      																	_t369 =  &(_t369[1]);
      																	 *(_t369 + _t375 - 2) = _t297;
      																	__eflags = _t297;
      																} while (_t297 != 0);
      																 *((short*)(_t414 + 0x24)) = 0;
      																_t210 = _t399 + 8;
      																 *_t210 =  *(_t399 + 8) + 1;
      																__eflags =  *_t210;
      																_v1056 = DialogBoxIndirectParamW(0, _t399, 0, E0040B230, _v1076);
      																LocalFree(_t399);
      																_t301 = _v1056;
      																goto L64;
      															}
      														}
      													} else {
      														_t301 = E0040B990(_t396);
      														_v1056 = _t301;
      														L64:
      														__eflags = _t301;
      														if(_t301 != 0) {
      															goto L36;
      														}
      														L40:
      														__eflags = _t350;
      														_pop(_t395);
      														__eflags = _v12 ^ _t438;
      														_pop(_t404);
      														_pop(_t351);
      														return E0046F77E(_t351, _v12 ^ _t438, _t375, _t395, _t404);
      													}
      												}
      											} else {
      												goto L29;
      											}
      										}
      									}
      								}
      							} else {
      								_t321 = GetFileType(GetStdHandle(0xfffffff5));
      								__eflags = _t321 - 3;
      								if(_t321 == 3) {
      									goto L11;
      								} else {
      									_push(__esi);
      									_push(__edi);
      									_t400 = LocalAlloc(0x40, 0x3e8);
      									_t8 = _t400 + 0x12; // 0x12, executed
      									_t416 = _t8;
      									LoadLibraryW(L"Riched32.dll"); // executed
      									 *_t400 = 0x80c808d0;
      									 *((intOrPtr*)(_t400 + 0xa)) = 0;
      									 *((intOrPtr*)(_t400 + 0xe)) = 0xb40138;
      									 *(_t400 + 8) = 0;
      									 *_t416 = 0;
      									_t417 = _t416 + 4;
      									_t418 = _t417 + E0040B1E0(_t417, L"License Agreement") * 2;
      									 *_t418 = 8;
      									_t419 = _t418 + 2;
      									_t422 = _t419 + E0040B1E0(_t419, L"MS Shell Dlg") * 0x00000002 + 0x00000003 & 0xfffffffc;
      									 *((intOrPtr*)(_t422 + 8)) = 0x30007;
      									 *((intOrPtr*)(_t422 + 0xc)) = 0xe012a;
      									 *((intOrPtr*)(_t422 + 0x10)) = 0xffff01f6;
      									 *_t422 = 0x50000000;
      									 *((short*)(_t422 + 0x14)) = 0x82;
      									_t423 = _t422 + 0x16;
      									_t329 = E0040B1E0(_t423, L"You can also use the /accepteula command-line switch to accept the EULA.");
      									 *((short*)(_t423 + _t329 * 2)) = 0;
      									 *(_t400 + 8) =  *(_t400 + 8) + 1;
      									_t26 = _t423 + _t329 * 2 + 5; // 0x5
      									_t425 = _t26 & 0xfffffffc;
      									 *((intOrPtr*)(_t425 + 8)) = 0x9f00c9;
      									 *((intOrPtr*)(_t425 + 0xc)) = 0xe0032;
      									 *((intOrPtr*)(_t425 + 0x10)) = 0xffff0001;
      									 *_t425 = 0x50010000;
      									 *((short*)(_t425 + 0x14)) = 0x80;
      									_t426 = _t425 + 0x16;
      									_t332 = E0040B1E0(_t426, L"&Agree");
      									 *((short*)(_t426 + _t332 * 2)) = 0;
      									 *(_t400 + 8) =  *(_t400 + 8) + 1;
      									_t37 = _t426 + _t332 * 2 + 5; // 0x5
      									_t428 = _t37 & 0xfffffffc;
      									 *((intOrPtr*)(_t428 + 8)) = 0x9f00ff;
      									 *((intOrPtr*)(_t428 + 0xc)) = 0xe0032;
      									 *((intOrPtr*)(_t428 + 0x10)) = 0xffff0002;
      									 *_t428 = 0x50010000;
      									 *((short*)(_t428 + 0x14)) = 0x80;
      									_t429 = _t428 + 0x16;
      									_t335 = E0040B1E0(_t429, L"&Decline");
      									 *((short*)(_t429 + _t335 * 2)) = 0;
      									 *(_t400 + 8) =  *(_t400 + 8) + 1;
      									_t48 = _t429 + _t335 * 2 + 5; // 0x5
      									_t431 = _t48 & 0xfffffffc;
      									 *((intOrPtr*)(_t431 + 8)) = 0x9f0007;
      									 *((intOrPtr*)(_t431 + 0xc)) = 0xe0032;
      									 *((intOrPtr*)(_t431 + 0x10)) = 0xffff01f5;
      									 *_t431 = 0x50010000;
      									 *((short*)(_t431 + 0x14)) = 0x80;
      									_t432 = _t431 + 0x16;
      									_t338 = E0040B1E0(_t432, L"&Print");
      									 *((short*)(_t432 + _t338 * 2)) = 0;
      									 *(_t400 + 8) =  *(_t400 + 8) + 1;
      									_t59 = _t432 + _t338 * 2 + 5; // 0x5
      									_t434 = _t59 & 0xfffffffc;
      									 *((intOrPtr*)(_t434 + 8)) = 0xe0007;
      									 *((intOrPtr*)(_t434 + 0xc)) = 0x8c012a;
      									 *((short*)(_t434 + 0x10)) = 0x1f4;
      									 *_t434 = 0x50a11844;
      									_t435 = _t434 + 0x12;
      									_t436 = _t435 + E0040B1E0(_t435, L"RICHEDIT") * 2;
      									 *((short*)(_t436 + E0040B1E0(_t436, L"&Decline") * 2)) = 0;
      									_t67 = _t400 + 8;
      									 *_t67 =  *(_t400 + 8) + 1;
      									__eflags =  *_t67;
      									_t343 = DialogBoxIndirectParamW(0, _t400, 0, E0040B230, _t347); // executed
      									_a8 = _t343;
      									LocalFree(_t400);
      									_pop(_t392);
      									_pop(_t401);
      									goto L7;
      								}
      							}
      						} else {
      							_a8 = E0040B990(__edi);
      							L7:
      							if(_a8 != 0) {
      								goto L8;
      							}
      							L10:
      							_pop(_t348);
      							return E0046F77E(_t348, _v8 ^ _t437, _t375, _t392, _t401);
      						}
      					}
      				}
      			}

      APIs
      • __swprintf.LIBCMT ref: 0040BA4E
      • GetStdHandle.KERNEL32(000000F5,?,?,?,?), ref: 0040BA99
      • GetFileType.KERNEL32(00000000,?,?,?,?), ref: 0040BAA0
      • LocalAlloc.KERNEL32(00000040,000003E8,76A1E710,76A1E730,?,?,?,?), ref: 0040BAB8
      • LoadLibraryW.KERNELBASE(Riched32.dll,?,?,?,?), ref: 0040BAC8
        • Part of subcall function 0040B990: _wprintf.LIBCMT ref: 0040B99C
        • Part of subcall function 0040B990: _wprintf.LIBCMT ref: 0040B9A9
        • Part of subcall function 0040B990: _wprintf.LIBCMT ref: 0040B9BE
      • RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040BCA4
      • RegSetValueExW.KERNELBASE(00000000,EulaAccepted,00000000,00000004,00000000,00000004,?,?,?), ref: 0040BCC3
      • RegCloseKey.KERNELBASE(00000000,?,?,?), ref: 0040BCCF
        • Part of subcall function 0040B4D0: __swprintf.LIBCMT ref: 0040B4F8
        • Part of subcall function 0040B570: RegOpenKeyW.ADVAPI32(80000002,Software\Microsoft\windows nt\currentversion,?), ref: 0040B5B1
        • Part of subcall function 0040B570: RegQueryValueExW.KERNELBASE(00000000,ProductName,00000000,?,?,00000208), ref: 0040B5DC
        • Part of subcall function 0040B570: RegCloseKey.ADVAPI32(00000000), ref: 0040B60A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _wprintf$CloseValue__swprintf$AllocCreateFileHandleLibraryLoadLocalOpenQueryType
      • String ID: %ls$&Agree$&Decline$&Print$EulaAccepted$License Agreement$MS Shell Dlg$RICHEDIT$Riched32.dll$Software\Sysinternals\%s$This is the first run of this program. You must accept EULA to continue.$Use -accepteula to accept EULA.$You can also use the /accepteula command-line switch to accept the EULA.
      • API String ID: 1104390419-962866876
      • Opcode ID: fd05da4a61552397011a7882c41451e7971522207e2c776a6513022de3b64b78
      • Instruction ID: 916280ef5733c05079ac851bb11173742bde9b2b48e9b4e783f2e1e652e3e3e6
      • Opcode Fuzzy Hash: fd05da4a61552397011a7882c41451e7971522207e2c776a6513022de3b64b78
      • Instruction Fuzzy Hash: 0D710671410715ABC7209F25CC09B5BB7F4FF04314F50893EF8A9A7291DBB9A6498B8C
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 148 45ef04-45ef4b call 44c640 * 2 153 45ef65-45ef67 148->153 154 45ef4d-45ef63 call 44c640 148->154 156 45ef87 153->156 157 45ef69-45ef6b 153->157 154->153 158 45ef8c 156->158 157->156 160 45ef6d call 436580 157->160 162 45ef8e-45ef96 158->162 163 45ef72-45ef74 160->163 164 45efa0 162->164 165 45ef98-45ef9a 162->165 163->156 166 45ef76-45ef7d 163->166 168 45efa2-45efaa 164->168 165->164 167 45ef9c-45ef9e 165->167 169 45ef83-45ef85 166->169 170 45ef7f-45ef81 166->170 167->168 171 45efac-45efae 168->171 172 45efe9-45efeb 168->172 169->162 170->158 170->169 171->172 175 45efb0-45efbf call 46eeb6 171->175 173 45eff1-45f014 RegOpenKeyW 172->173 174 45f0a0-45f128 call 46ef0c 172->174 177 45f016-45f049 RegQueryValueExW RegCloseKey 173->177 178 45f04f-45f056 173->178 204 45f12e-45f135 174->204 205 45fa0b-45fa25 DialogBoxParamW 174->205 184 45efc1-45efc8 call 415a70 175->184 185 45efca 175->185 177->178 181 45f061-45f085 call 46a530 call 46a6c0 call 437ae0 178->181 182 45f058-45f05f 178->182 206 45f088-45f09d call 46f77e 181->206 182->174 182->181 189 45efcc-45efd7 call 467b10 184->189 185->189 189->172 200 45efd9-45efe3 189->200 200->172 207 45f976-45f9cb call 46a530 call 46a6c0 call 46a530 call 46a6c0 call 46a230 204->207 208 45f13b-45f142 204->208 235 45f9d2-45f9da 207->235 236 45f9cd call 46a700 207->236 211 45f144-45f14b 208->211 212 45f151-45f153 208->212 211->207 211->212 215 45f155-45f157 212->215 216 45f171-45f18c call 446df0 212->216 215->216 218 45f159-45f16c MessageBoxW 215->218 225 45f192-45f19e call 418140 216->225 226 45f25f-45f271 call 46f77e 216->226 218->206 225->226 238 45f9e1-45fa04 call 46a170 MessageBoxW 235->238 239 45f9dc call 46a700 235->239 236->235 238->205 243 45fa06 call 46a700 238->243 239->238 243->205
      C-Code - Quality: 82%
      			E0045EF04(void* __eax, signed int __ebx, signed int __ecx, struct HWND__* __edx, struct HWND__* __edi) {
      				void* __esi;
      				void* _t136;
      				char _t137;
      				struct HWND__* _t139;
      				int _t140;
      				struct HWND__* _t141;
      				struct HWND__* _t150;
      				struct HWND__* _t152;
      				struct HWND__* _t153;
      				struct HWND__* _t168;
      				intOrPtr _t177;
      				short* _t190;
      				void* _t194;
      				WCHAR* _t198;
      				struct HWND__* _t199;
      				intOrPtr _t200;
      				int _t208;
      				int _t211;
      				int _t212;
      				int _t213;
      				int _t214;
      				intOrPtr _t219;
      				int _t220;
      				struct HWND__* _t224;
      				struct HWND__* _t226;
      				struct HWND__* _t229;
      				struct HWND__* _t231;
      				struct HWND__* _t233;
      				struct HWND__* _t245;
      				struct HWND__* _t247;
      				signed int _t249;
      				void* _t276;
      				struct HWND__* _t283;
      				char _t290;
      				void* _t305;
      				signed int _t306;
      				signed char _t307;
      				void* _t311;
      				struct HWND__* _t313;
      				struct HACCEL__* _t315;
      				char _t316;
      				signed int _t317;
      				void* _t318;
      				void* _t319;
      				struct HWND__* _t320;
      				struct HINSTANCE__* _t321;
      				void* _t322;
      				void* _t323;
      				signed int _t325;
      				void* _t327;
      				struct HWND__* _t348;
      				struct HWND__* _t372;
      				void* _t374;
      				void* _t375;
      				struct HWND__* _t376;
      				void* _t377;
      				void* _t378;
      				void* _t380;
      				void* _t381;
      				intOrPtr* _t382;
      				void* _t383;
      				struct HWND__* _t385;
      				void* _t386;
      				void* _t387;
      				struct HWND__* _t388;
      				signed int _t389;
      				void* _t394;
      				intOrPtr* _t395;
      				void* _t401;
      				void* _t405;
      				void* _t406;
      				void* _t408;
      				void* _t438;
      
      				_t373 = __edi;
      				_t372 = __edx;
      				_t325 = __ecx;
      				 *__edx =  *__edx | __ecx;
      				 *((char*)(_t389 - 0x407)) = E0044C640(__ecx, L"ExternalCapture", _t389 - 0x3f4, _t380, 0) != 0;
      				_t136 = E0044C640(__ecx, L"Run32", _t389 - 0x3f4, _t380, 0);
      				_t395 = _t394 + 0x20;
      				_t315 = __ebx & 0xffffff00 | _t136 != 0x00000000;
      				 *(_t389 - 0x400) = _t315;
      				if(__edi == 0) {
      					_t313 = E0044C640(__ecx, 0x48fc20, _t389 - 0x3f4, _t380, __edi);
      					_t395 = _t395 + 0x10;
      					_t373 = _t313;
      				}
      				if(_t315 != 0) {
      					L9:
      					_t137 =  *0x4bd0a3; // 0x1
      					goto L10;
      				} else {
      					_t422 = _t373;
      					if(_t373 != 0) {
      						goto L9;
      					} else {
      						_t311 = E00436580(_t372, _t422); // executed
      						if(_t311 != 0) {
      							goto L9;
      						} else {
      							_t137 =  *0x4bd0a3; // 0x1
      							if(_t137 == 0 || _t315 == 0) {
      								_t316 = 1;
      							} else {
      								L10:
      								_t316 = 0;
      								__eflags = 0;
      							}
      						}
      					}
      				}
      				 *((char*)(_t389 - 0x414)) = _t316;
      				if(_t137 == 0 || _t316 != 0) {
      					_t317 = 0;
      					__eflags = 0;
      				} else {
      					_t317 = 1;
      				}
      				 *(_t389 - 0x3f8) = _t317;
      				if(_t373 != 0) {
      					_t429 = _t317;
      					if(_t317 != 0) {
      						_push(0x590);
      						_t305 = E0046EEB6(_t317, _t373, _t429);
      						_t395 = _t395 + 4;
      						_t430 = _t305;
      						if(_t305 == 0) {
      							_t306 = 0;
      							__eflags = 0;
      						} else {
      							_t306 = E00415A70(_t305, _t430);
      						}
      						_t325 = _t306;
      						_t307 = E00467B10(_t325, _t373);
      						if(_t307 != 0xffffffff) {
      							asm("sbb al, al");
      							_t317 =  ~(_t307 & 0x00000001) & _t317;
      							 *(_t389 - 0x3f8) = _t317;
      						}
      					}
      				}
      				if(_t317 == 0) {
      					L30:
      					__eflags = _t317;
      					if(_t317 != 0) {
      						L138:
      						_t139 =  *(E00403D10( *((intOrPtr*)(_t389 - 0x420))));
      						__eflags = _t139;
      						if(_t139 == 0) {
      							_t140 = 0;
      							__eflags = 0;
      						} else {
      							_t140 = _t139->i;
      						}
      						_t141 = E00437270(_t372,  *((intOrPtr*)(_t389 + 0x14)), _t140,  *(_t389 - 0x3f8),  *((intOrPtr*)(_t389 - 0x414)));
      						_t395 = _t395 + 0x10;
      						_t327 = _t389 - 0x420;
      						__eflags = _t141;
      						_t317 = _t317 & 0xffffff00 | _t141 == 0x00000000;
      						E00403A00(_t327);
      						__eflags = _t317;
      						if(_t317 == 0) {
      							goto L63;
      						} else {
      							_push(0);
      							_push(_t327);
      							_t382 = _t395;
      							_push(E0046A530(L"Unable to extract x64 image. Run Process Monitor from a writeable directory."));
      							_push(L"Unable to extract x64 image. Run Process Monitor from a writeable directory.");
      							goto L28;
      						}
      					} else {
      						__eflags = _t317;
      						if(_t317 != 0) {
      							goto L138;
      						} else {
      							_t150 =  *(_t389 - 0x444);
      							__eflags = _t150;
      							if(_t150 == 0) {
      								GetModuleFileNameW(0, 0x4bd0a8, 0x104);
      							} else {
      								E0046EF0C(0x4bd0a8, 0x104, _t150);
      								_t395 = _t395 + 0xc;
      							}
      							_t152 =  *(_t389 - 0x434);
      							 *(_t389 - 0x3f8) = 0;
      							__eflags = _t152;
      							if(_t152 == 0) {
      								_t153 =  *(_t389 - 0x440);
      								__eflags = _t153;
      								if(_t153 == 0) {
      									_t320 =  *(_t389 - 0x43c);
      								} else {
      									 *(_t389 - 0x3f8) = 1;
      									_t320 = _t153;
      								}
      							} else {
      								 *(_t389 - 0x3f8) = 2;
      								_t320 = _t152;
      							}
      							__eflags =  *((char*)(_t389 - 0x40e));
      							if( *((char*)(_t389 - 0x40e)) != 0) {
      								L137:
      								DialogBoxParamW( *(_t389 - 0x430), L"USAGE", 0, E0040C2C0, 0);
      								goto L29;
      							} else {
      								__eflags =  *((intOrPtr*)(_t389 - 0x3f4)) - 1;
      								if( *((intOrPtr*)(_t389 - 0x3f4)) != 1) {
      									L131:
      									 *(_t389 - 0x404) = E0046A6C0(_t320,  *((intOrPtr*)(_t380 + 4)), E0046A530( *((intOrPtr*)(_t380 + 4))));
      									 *(_t389 - 0x428) = E0046A6C0(_t320, L"Invalid argument: ", E0046A530(L"Invalid argument: "));
      									E0046A230(_t389 - 0x41c, _t389 - 0x404);
      									_t333 =  *(_t389 - 0x428);
      									__eflags =  *(_t389 - 0x428);
      									if( *(_t389 - 0x428) != 0) {
      										E0046A700(_t333);
      									}
      									_t334 =  *(_t389 - 0x404);
      									__eflags =  *(_t389 - 0x404);
      									if( *(_t389 - 0x404) != 0) {
      										E0046A700(_t334);
      									}
      									MessageBoxW(0, E0046A170(_t389 - 0x41c), L"Process Monitor", 0x10);
      									_t336 =  *(_t389 - 0x41c);
      									__eflags =  *(_t389 - 0x41c);
      									if( *(_t389 - 0x41c) != 0) {
      										E0046A700(_t336);
      									}
      									goto L137;
      								} else {
      									__eflags =  *((char*)(_t389 - 0x3f9));
      									if( *((char*)(_t389 - 0x3f9)) == 0) {
      										L44:
      										__eflags = _t320;
      										if(_t320 == 0) {
      											L47:
      											_t167 =  *(_t389 - 0x438);
      											__eflags =  *(_t389 - 0x438);
      											if(__eflags == 0) {
      												__eflags =  *(_t389 - 0x3fa);
      												_t385 = MessageBoxW;
      												if( *(_t389 - 0x3fa) != 0) {
      													__eflags = _t320;
      													if(_t320 == 0) {
      														_t290 = E0046A6C0(_t320, L"The /SaveApplyFilter option is valid only when used with /SaveAs", E0046A530(L"The /SaveApplyFilter option is valid only when used with /SaveAs"));
      														_t395 = _t395 + 0xc;
      														 *(_t389 - 0x404) = _t290;
      														MessageBoxW(_t320, E0046A170(_t389 - 0x404), L"Process Monitor", 0x10);
      														_t369 =  *(_t389 - 0x404);
      														__eflags =  *(_t389 - 0x404);
      														if( *(_t389 - 0x404) != 0) {
      															E0046A700(_t369);
      														}
      													}
      												}
      												_t168 = E00417660(0x4bca10);
      												__eflags = _t168;
      												if(_t168 != 0) {
      													__eflags =  *((char*)(_t389 - 0x40c));
      													if( *((char*)(_t389 - 0x40c)) == 0) {
      														__eflags =  *((char*)(_t389 - 0x409));
      														if( *((char*)(_t389 - 0x409)) == 0) {
      															__eflags =  *((char*)(_t389 - 0x406));
      															if( *((char*)(_t389 - 0x406)) == 0) {
      																E0044D4E0(0x4bdce4, 0x4000000);
      																 *(_t389 - 0x44) = 0x40;
      																 *(_t389 - 0x40) = 0;
      																E00470030(_t389 - 0x3c, 0, 0x38);
      																_t401 = _t395 + 0xc;
      																GlobalMemoryStatusEx(_t389 - 0x44);
      																__eflags =  *((intOrPtr*)(_t389 - 0x15c)) - 6;
      																asm("sbb eax, eax");
      																asm("sbb eax, 0x0");
      																_t177 = E00472240( *((intOrPtr*)(_t389 - 0x3c)) - (_t389 - 0x00000044 & 0xef4f8a00) + 0x1dcd6500 +  *((intOrPtr*)(_t389 - 0x3c)) - (_t389 - 0x00000044 & 0xef4f8a00) + 0x1dcd6500, ( *(_t389 - 0x38) << 0x00000020 |  *((intOrPtr*)(_t389 - 0x3c)) - (_t389 - 0x00000044 & 0xef4f8a00) + 0x1dcd6500) << 1, 3, 0);
      																 *0x4bd2d8 = _t177;
      																 *0x4bd2dc = _t372;
      																__eflags = _t372;
      																if(__eflags > 0) {
      																	_t177 = 0x3e800000;
      																	_t372 = 0;
      																	__eflags = 0;
      																	 *0x4bd2d8 = _t177;
      																	 *0x4bd2dc = 0;
      																} else {
      																	if (__eflags < 0) goto L73;
      																	_pop(es);
      																}
      																asm("adc edx, 0x0");
      																 *0x4bd2e0 = _t177 + 0x2000000;
      																 *0x4bd2e4 = _t372;
      																E0040F360(L"SeDebugPrivilege");
      																__imp__OleInitialize(0);
      																E00434860(_t372,  *(_t389 - 0x400), L".PML", L"ProcMon.Logfile.1", L"ProcMon Log File", 1);
      																 *((short*)(_t389 - 0x3f0)) = 0;
      																E00470030(_t389 - 0x3ee, 0, 0x18e);
      																__imp__#115(0x202, _t389 - 0x3f0);
      																E00471C3C(E00453240);
      																E0047331B(1);
      																SetConsoleCtrlHandler(E00446D00, 1);
      																SetProcessShutdownParameters(0x1ff, 1);
      																__eflags =  *0x4bd0a3;
      																_t190 =  ==  ? L"Software\\Sysinternals\\Process Monitor" : L"Software\\Sysinternals\\Process Monitor32";
      																 *0x4bd2b8 = _t190;
      																RegCreateKeyExW(0x80000001, _t190, 0, 0, 0, 0xf003f, 0, 0x4bd2b4, 0);
      																E00464AA0(_t389 - 0x424,  *0x4bd2b4);
      																_t194 = E00465020(_t372, _t438, _t389 - 0x424);
      																_t405 = _t401 + 0x30;
      																E00464AC0(_t194);
      																E004192D0(0x4bca10,  *0x4bd8a0);
      																__eflags =  *(_t389 - 0x428);
      																if(__eflags == 0) {
      																	L83:
      																	__eflags =  *((char*)(_t389 - 0x407));
      																	if( *((char*)(_t389 - 0x407)) != 0) {
      																		 *0x4bb120 =  *0x4bb120 | 0x00000010;
      																		__eflags =  *0x4bb120;
      																	}
      																	__eflags =  *((char*)(_t389 - 0x40b));
      																	if( *((char*)(_t389 - 0x40b)) != 0) {
      																		L00457F20(_t438, 0);
      																	}
      																	E00436760( *0x4bd2b4, L"DeviceNameMap", "PHx");
      																	_t198 =  *(_t389 - 0x418);
      																	_t406 = _t405 + 0xc;
      																	__eflags = _t198;
      																	if(_t198 == 0) {
      																		__eflags =  *((char*)(_t389 - 0x3f9));
      																		if( *((char*)(_t389 - 0x3f9)) != 0) {
      																			__eflags = 0;
      																			 *0x4bdac0 = 0;
      																		}
      																	} else {
      																		GetFullPathNameW(_t198, 0x104, 0x4bdac0, 0);
      																		_push(L".PML");
      																		E00435A10(0x4bdac0, 0x104);
      																		_t406 = _t406 + 0xc;
      																	}
      																	_t199 = E00436680();
      																	__eflags = _t199;
      																	if(_t199 != 0) {
      																		 *0x4bb120 =  *0x4bb120 | 0x00000040;
      																		__eflags =  *0x4bb120;
      																		 *0x4bd2e9 = 1;
      																	}
      																	_t200 =  *0x4bd89c; // 0x0
      																	__eflags =  *((char*)(_t389 - 0x40d));
      																	_t201 =  !=  ? 1 : _t200;
      																	 *0x4bd89c =  !=  ? 1 : _t200;
      																	SetThreadPriority(GetCurrentThread(), 2);
      																	E0046C6B0(1, _t372);
      																	__eflags = _t373;
      																	if(_t373 == 0) {
      																		L104:
      																		__eflags =  *((char*)(_t389 - 0x40f));
      																		if(__eflags != 0) {
      																			E0043A130(_t372, _t373, __eflags);
      																			goto L130;
      																		} else {
      																			_t208 = RegisterWindowMessageW(L"commdlg_FindReplace");
      																			_t321 =  *(_t389 - 0x430);
      																			 *0x4bd2b0 = _t208;
      																			 *(_t389 - 0x400) = LoadAcceleratorsW(_t321, L"ACCELERATORS");
      																			E0044DC00(_t321);
      																			_t385 = MulDiv;
      																			_t408 = _t406 + 4;
      																			_t211 = MulDiv(0x12c,  *0x4bc898, 0x60);
      																			_t212 = MulDiv(0x1f4,  *0x4bc894, 0x60);
      																			_t213 = MulDiv(0xc8,  *0x4bc898, 0x60);
      																			_t214 = MulDiv(0x64,  *0x4bc894, 0x60);
      																			_t320 =  *((intOrPtr*)(_t389 - 0x40a));
      																			__eflags = _t320;
      																			_t216 =  !=  ? 0x20000000 : 0;
      																			_t217 = ( !=  ? 0x20000000 : 0) | 0x00cf0000;
      																			_t348 = CreateWindowExW(0, L"PROCMON_WINDOW_CLASS", L"Process Monitor - Sysinternals: www.sysinternals.com", ( !=  ? 0x20000000 : 0) | 0x00cf0000, _t214, _t213, _t212, _t211, 0, 0, _t321, 0);
      																			 *0x4bd2c0 = _t348;
      																			__eflags = _t348;
      																			if(_t348 == 0) {
      																				goto L29;
      																			} else {
      																				__eflags = _t320;
      																				if(_t320 == 0) {
      																					_t219 =  *((intOrPtr*)(_t389 + 0x14));
      																					_t372 = 5;
      																					__eflags = _t219 - 1;
      																					_t220 =  ==  ? 5 : _t219;
      																				} else {
      																					_t220 = 2;
      																				}
      																				ShowWindow(_t348, _t220);
      																				UpdateWindow( *0x4bd2c0);
      																				__eflags = E00414130(0x4bca94);
      																				if(__eflags == 0) {
      																					__eflags = _t320;
      																					if(__eflags == 0) {
      																						__eflags =  *((intOrPtr*)(_t389 - 0x405)) - _t320;
      																						if(__eflags == 0) {
      																							DialogBoxParamW( *0x4bd2c4, L"FILTER_INIT",  *0x4bd2c0,  &M0044BE70, 1);
      																						}
      																					}
      																				}
      																				_t224 = L00446DF0(_t372, __eflags,  *0x4bd2c0, 0);
      																				_t406 = _t408 + 8;
      																				__eflags = _t224;
      																				if(__eflags == 0) {
      																					__eflags = _t373;
      																					if(_t373 == 0) {
      																						__eflags =  *((char*)(_t389 - 0x408));
      																						if( *((char*)(_t389 - 0x408)) == 0) {
      																							__eflags =  *0x4bd0a3;
      																							if( *0x4bd0a3 == 0) {
      																								__eflags =  *(_t389 - 0x418);
      																								_t104 =  *(_t389 - 0x418) != 0;
      																								__eflags = _t104;
      																								SendMessageW( *0x4bd2c0, 0x111, 0x9c87, 0 | _t104);
      																							}
      																						}
      																					} else {
      																						__eflags =  *0x4bd895;
      																						if( *0x4bd895 != 0) {
      																							SendMessageW( *0x4bd2c0, 0x111, 0x9c53, 0);
      																						}
      																						E00452450(_t372,  *0x4bd2c0, _t373, 0);
      																						_t406 = _t406 + 0xc;
      																					}
      																				} else {
      																					E00418140(0x4bca10, __eflags, 0);
      																				}
      																				_t373 = GetMessageW;
      																				_t226 = GetMessageW(_t389 - 0x464, 0, 0, 0);
      																				__eflags = _t226;
      																				if(_t226 != 0) {
      																					_t320 = TranslateMessage;
      																					do {
      																						_t385 = GetActiveWindow();
      																						_t229 = TranslateAcceleratorW(_t385,  *(_t389 - 0x400), _t389 - 0x464);
      																						__eflags = _t229;
      																						if(_t229 == 0) {
      																							_t233 = IsDialogMessageW(_t385, _t389 - 0x464);
      																							__eflags = _t233;
      																							if(_t233 == 0) {
      																								TranslateMessage(_t389 - 0x464);
      																								DispatchMessageW(_t389 - 0x464);
      																							}
      																						}
      																						_t231 = GetMessageW(_t389 - 0x464, 0, 0, 0);
      																						__eflags = _t231;
      																					} while (_t231 != 0);
      																				}
      																				L130:
      																				E0043A870(_t320, _t372, _t373, _t385, 0);
      																				E004376B0( *0x4bd2b4, L"DeviceNameMap", "PHx");
      																				goto L63;
      																			}
      																		}
      																	} else {
      																		__eflags = _t320;
      																		if(_t320 == 0) {
      																			goto L104;
      																		} else {
      																			_t245 = E00471495(_t320, 0x2e);
      																			__eflags = _t245;
      																			if(_t245 == 0) {
      																				L103:
      																				_t385->i(0, L"Invalid file extension in /SaveAs option", L"Process Monitor", 0x10);
      																				goto L29;
      																			} else {
      																				_t247 = E0044C740(_t245);
      																				 *(_t389 - 0x400) = _t247;
      																				__eflags = _t247;
      																				if(_t247 < 0) {
      																					goto L103;
      																				} else {
      																					__eflags = E00452450(_t372, 0, _t373, 0);
      																					if(__eflags == 0) {
      																						goto L29;
      																					} else {
      																						_t249 = E00418140(0x4bca10, __eflags, 0);
      																						 *(_t389 - 0x3f8) - 2 =  *(_t389 - 0x3f8) - 1;
      																						__eflags =  *(_t389 - 0x3fa);
      																						_t376 = E00421580(0x4bca10, _t372, 0, _t320, 0 |  *(_t389 - 0x3fa) != 0x00000000,  *((intOrPtr*)(0x4a2ce8 +  *(_t389 - 0x400) * 8)), 1, ((_t249 & 0xffffff00 |  *(_t389 - 0x3f8) - 0x00000002 >= 0x00000000) & 0 |  *(_t389 - 0x3fa) >= 0x00000000) & 0x000000ff, (_t249 & 0xffffff00 |  *(_t389 - 0x3f8) - 0x00000002 >= 0x00000000) & 0x000000ff);
      																						__eflags = _t376;
      																						if(_t376 == 0) {
      																							goto L63;
      																						} else {
      																							 *(_t389 - 0x3f8) = E0046A6C0(_t320, L"The file was not saved. ", E0046A530(L"The file was not saved. "));
      																							E0046A310(_t389 - 0x3f8, E00459490(_t320, _t389 - 0x400, _t376));
      																							_t354 =  *(_t389 - 0x400);
      																							__eflags =  *(_t389 - 0x400);
      																							if( *(_t389 - 0x400) != 0) {
      																								E0046A700(_t354);
      																							}
      																							_t385->i(0, E0046A170(_t389 - 0x3f8), L"Process Monitor", 0x10);
      																							_t356 =  *(_t389 - 0x3f8);
      																							__eflags =  *(_t389 - 0x3f8);
      																							if( *(_t389 - 0x3f8) != 0) {
      																								E0046A700(_t356);
      																							}
      																							goto L29;
      																						}
      																					}
      																				}
      																			}
      																		}
      																	}
      																} else {
      																	E00415890(_t389 - 0x260);
      																	__eflags = E004303A0(_t389 - 0x260, __eflags,  *(_t389 - 0x428), 1, 0);
      																	if(__eflags != 0) {
      																		E00464A80(_t389 - 0x424, _t389 - 0x260);
      																		_t276 = E00465020(_t372, _t438, _t389 - 0x424);
      																		_t405 = _t405 + 4;
      																		E00464AC0(_t276);
      																		E00415CF0(__eflags);
      																		goto L83;
      																	} else {
      																		_t385->i(L"The selected configuration file cannot be opened", L"Process Monitor", 0x10);
      																		E00415CF0(__eflags);
      																		_t377 = 0;
      																		_pop(_t386);
      																		__eflags =  *(_t389 - 4) ^ _t389;
      																		_pop(_t322);
      																		return E0046F77E(_t322,  *(_t389 - 4) ^ _t389, _t372, _t377, _t386);
      																	}
      																}
      															} else {
      																_t283 = FindWindowW(L"PROCMON_WINDOW_CLASS", 0);
      																__eflags = _t283;
      																if(_t283 == 0) {
      																	goto L29;
      																} else {
      																	_push(0);
      																	_push(0);
      																	_push(0x800a);
      																	goto L62;
      																}
      															}
      														} else {
      															E0040EFC0(_t372, 0, 1, 1);
      															_pop(_t378);
      															_pop(_t387);
      															_pop(_t323);
      															__eflags =  *(_t389 - 4) ^ _t389;
      															return E0046F77E(_t323,  *(_t389 - 4) ^ _t389, _t372, _t378, _t387);
      														}
      													} else {
      														_t388 = 0;
      														__eflags = 0;
      														while(1) {
      															_t283 = FindWindowW(L"PROCMON_WINDOW_CLASS", 0);
      															__eflags = _t283;
      															if(_t283 != 0) {
      																break;
      															}
      															Sleep(0x64);
      															_t388 =  &(_t388->i);
      															__eflags = _t388 - 0x64;
      															if(_t388 < 0x64) {
      																continue;
      															} else {
      																goto L29;
      															}
      															goto L143;
      														}
      														_push(0);
      														_push(0);
      														_push(0x8009);
      														L62:
      														SendMessageW(_t283, ??, ??, ??);
      														goto L63;
      													}
      												} else {
      													_t385->i(0, L"Procmon was unable to allocate sufficient memory to run.\nTry increasing the size of your page file.", L"Process Monitor", 0x10);
      													goto L29;
      												}
      											} else {
      												__eflags = L00446DF0(_t372, __eflags,  *0x4bd2c0, _t167);
      												if(__eflags != 0) {
      													E00418140(0x4bca10, __eflags, 0);
      												}
      												L63:
      												_pop(_t374);
      												_pop(_t381);
      												_pop(_t318);
      												__eflags =  *(_t389 - 4) ^ _t389;
      												return E0046F77E(_t318,  *(_t389 - 4) ^ _t389, _t372, _t374, _t381);
      											}
      										} else {
      											__eflags = _t373;
      											if(_t373 != 0) {
      												goto L47;
      											} else {
      												MessageBoxW(_t373, L"The /SaveAs option is valid only when used with /OpenLog", L"Process Monitor", 0x10);
      												goto L29;
      											}
      										}
      									} else {
      										__eflags =  *(_t389 - 0x418);
      										if( *(_t389 - 0x418) != 0) {
      											goto L131;
      										} else {
      											goto L44;
      										}
      									}
      								}
      							}
      						}
      					}
      				} else {
      					 *(_t389 - 0x404) = 0;
      					if(RegOpenKeyW(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", _t389 - 0x41c) == 0) {
      						 *(_t389 - 0x448) = 4;
      						RegQueryValueExW( *(_t389 - 0x41c), L"EnableLUA", 0, 0, _t389 - 0x404, _t389 - 0x448);
      						RegCloseKey( *(_t389 - 0x41c));
      					}
      					if( *((intOrPtr*)(_t389 - 0x15c)) < 6) {
      						L27:
      						_push(0);
      						_push(_t325);
      						_t382 = _t395;
      						_push(E0046A530(L"Process Monitor must be run from an administrator account."));
      						_push(L"Process Monitor must be run from an administrator account.");
      						L28:
      						 *_t382 = E0046A6C0(_t317);
      						E00437AE0(_t317, _t436);
      						L29:
      						_pop(_t375);
      						_pop(_t383);
      						_pop(_t319);
      						return E0046F77E(_t319,  *(_t389 - 4) ^ _t389, _t372, _t375, _t383);
      					} else {
      						_t436 =  *(_t389 - 0x404);
      						if( *(_t389 - 0x404) != 0) {
      							goto L30;
      						} else {
      							goto L27;
      						}
      					}
      				}
      				L143:
      			}

      APIs
        • Part of subcall function 0044C640: _memmove.LIBCMT ref: 0044C6A8
        • Part of subcall function 0044C640: __wcsnicmp.LIBCMT ref: 0044C6C1
      • RegOpenKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,?), ref: 0045F00C
      • RegQueryValueExW.ADVAPI32(?,EnableLUA,00000000,00000000,00000000,?), ref: 0045F03D
      • RegCloseKey.ADVAPI32(?), ref: 0045F049
        • Part of subcall function 0044C640: _memmove.LIBCMT ref: 0044C71E
      • MessageBoxW.USER32(00000000,The /SaveAs option is valid only when used with /OpenLog,Process Monitor,00000010), ref: 0045F166
        • Part of subcall function 00418140: LoadCursorW.USER32(00000000,00007F02), ref: 00418177
        • Part of subcall function 00418140: SetCursor.USER32(00000000), ref: 0041817E
        • Part of subcall function 00418140: GetParent.USER32(?), ref: 0041818A
        • Part of subcall function 00418140: EnterCriticalSection.KERNEL32 ref: 004181AD
        • Part of subcall function 00418140: GetTickCount.KERNEL32 ref: 004181C3
        • Part of subcall function 00418140: SendMessageW.USER32(?,00001042,00000000,00000000), ref: 0041821D
        • Part of subcall function 00418140: SendMessageW.USER32(?,00001027,00000000,00000000), ref: 00418264
      • MessageBoxW.USER32(00000000,00000000,Process Monitor,00000010), ref: 0045F9F6
      • DialogBoxParamW.USER32 ref: 0045FA1F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Message$CursorSend_memmove$CloseCountCriticalDialogEnterLoadOpenParamParentQuerySectionTickValue__wcsnicmp
      • String ID: EnableLUA$ExternalCapture$Invalid argument: $Process Monitor$Process Monitor must be run from an administrator account.$Run32$Software\Microsoft\Windows\CurrentVersion\Policies\System$The /SaveAs option is valid only when used with /OpenLog$USAGE$VPh(bJ
      • API String ID: 3933535058-3450932061
      • Opcode ID: 1f509ceaf8170c5934c37ae7b4b6de6173195e5a2965727a50e497ea1343994e
      • Instruction ID: 6aa5e178c562b313862b1d4ed3707864981b5653086e0a5a029b85d1aeabd8fa
      • Opcode Fuzzy Hash: 1f509ceaf8170c5934c37ae7b4b6de6173195e5a2965727a50e497ea1343994e
      • Instruction Fuzzy Hash: 6871FAB1B40214AADF249B619C41BEE73689B51705F1800FFEE45B7283EA7C5E4D8A1F
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 86%
      			E0040B230(void* __ebx, void* __edx, struct HWND__* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
      				signed int _v8;
      				short _v528;
      				struct HWND__* _v532;
      				char _v536;
      				char* _v540;
      				int _v544;
      				void* _v548;
      				void* __edi;
      				void* __esi;
      				signed int _t19;
      				void* _t22;
      				char _t23;
      				struct HWND__* _t29;
      				void* _t37;
      				void* _t40;
      				void* _t42;
      				void* _t55;
      				void* _t62;
      				intOrPtr _t63;
      				struct HWND__* _t64;
      				signed int _t65;
      
      				_t62 = __edx;
      				_t53 = __ebx;
      				_t19 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t19 ^ _t65;
      				_t64 = _a4;
      				_v532 = _t64;
      				_t63 = _a16;
      				_t22 = _a8 - 0x110;
      				if(_t22 == 0) {
      					_push(__ebx); // executed
      					_t23 = E0040B3B0(_t55); // executed
      					_v544 = 0;
      					_v536 = _t23;
      					_v548 =  &_v536;
      					_v540 =  &M0040C280;
      					E0046F410( &_v528, L"%s License Agreement", _t63);
      					SetWindowTextW(_t64,  &_v528); // executed
      					_t63 = GetDlgItem;
      					_t29 = GetDlgItem(_t64, 0x1f4);
      					_t64 = SendMessageW;
      					SendMessageW(_t29, 0x435, 0, 0x100000);
      					SendMessageW(GetDlgItem(_v532, 0x1f4), 0x449, 2,  &_v548); // executed
      					E0047040C(_t23);
      					_pop(_t53);
      					goto L13;
      				} else {
      					_t37 = _t22 - 1;
      					if(_t37 == 0) {
      						_t40 = (_a12 & 0x0000ffff) - 1;
      						if(_t40 == 0) {
      							EndDialog(_t64, 1); // executed
      							goto L13;
      						} else {
      							_t42 = _t40 - 1;
      							if(_t42 == 0) {
      								EndDialog(_t64, 0);
      								goto L13;
      							} else {
      								if(_t42 == 0x1f3) {
      									E0040B6B0(__ebx, _t62, _t63, GetDlgItem(_t64, 0x1f4));
      									L13:
      									return E0046F77E(_t53, _v8 ^ _t65, _t62, _t63, _t64);
      								} else {
      									goto L8;
      								}
      							}
      						}
      					} else {
      						if(_t37 != 0x27 || _t63 != GetDlgItem(_t64, 0x1f4)) {
      							L8:
      							return E0046F77E(_t53, _v8 ^ _t65, _t62, _t63, _t64);
      						} else {
      							GetSysColorBrush(5);
      							return E0046F77E(__ebx, _v8 ^ _t65, _t62, _t63, _t64);
      						}
      					}
      				}
      			}

      Similarity
      • API ID: Item$MessageSend$BrushColorDialogTextWindow__swprintf_free
      • String ID: %s License Agreement
      • API String ID: 3396904878-1285993597
      • Opcode ID: 28b5c2108bdf7902b3ab29d76a5fc9ba73a43d6f3cde637b115daf6160baea94
      • Instruction ID: a6e1adb998326c8b476fc5ccd62ce34c36ffd5037149ad52290828a11526c102
      • Opcode Fuzzy Hash: 28b5c2108bdf7902b3ab29d76a5fc9ba73a43d6f3cde637b115daf6160baea94
      • Instruction Fuzzy Hash: D631A27194021CABD710AF65AC49BEF7768EB14300F1005BBF905F62C1DBB85A448BDD
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 81%
      			E00473D9D(void* __eax, void* __edx, void* __edi, void* __esi) {
      				void* _t12;
      				void* _t13;
      				void* _t15;
      				intOrPtr _t17;
      				void* _t18;
      				void* _t19;
      				void* _t20;
      				intOrPtr _t22;
      				void* _t34;
      				void* _t40;
      				void* _t41;
      				void* _t42;
      				void* _t44;
      
      				_t42 = __esi;
      				_t41 = __edi;
      				_t40 = __edx;
      				if( *((intOrPtr*)(__eax + 0x400018)) == 0x10b) {
      					__ebx = 0;
      					__eflags =  *((intOrPtr*)(__eax + 0x400074)) - 0xe;
      					if( *((intOrPtr*)(__eax + 0x400074)) > 0xe) {
      						__eflags =  *(__eax + 0x4000e8);
      						_t5 =  *(__eax + 0x4000e8) != 0;
      						__eflags = _t5;
      						__ebx = 0 | _t5;
      					}
      				}
      				 *((intOrPtr*)(_t44 - 0x1c)) = 0;
      				_t12 = E00478CE2();
      				_t46 = _t12;
      				if(_t12 == 0) {
      					L00473EAE(0x1c);
      				}
      				_t13 = E004752C5(0, _t41, _t46);
      				_t47 = _t13;
      				if(_t13 == 0) {
      					_t13 = L00473EAE(0x10);
      				}
      				E004780BD(_t13);
      				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
      				_t15 = E0047C53C(0, _t41, _t42, _t47); // executed
      				if(_t15 < 0) {
      					L00473EAE(0x1b);
      				}
      				 *0x4c4724 = GetCommandLineA(); // executed
      				_t17 = E0047EEB1(_t40); // executed
      				 *0x4c2bf8 = _t17;
      				_t18 = E0047EAB8();
      				_t49 = _t18;
      				if(_t18 < 0) {
      					E00470155(0, _t40, _t41, _t42, _t49, 8);
      				}
      				_t19 = E0047ECE7(0, _t40, _t41, _t42);
      				_t50 = _t19;
      				if(_t19 < 0) {
      					E00470155(0, _t40, _t41, _t42, _t50, 9);
      				}
      				_t20 = E0047018F(1); // executed
      				_pop(_t34);
      				_t51 = _t20;
      				if(_t20 != 0) {
      					E00470155(0, _t40, _t41, _t42, _t51, _t20);
      					_pop(_t34);
      				}
      				_t22 = L0045EAF0(_t34, _t40, 0x400000, 0, E0047EF3E(), _t42); // executed
      				_t43 = _t22;
      				 *((intOrPtr*)(_t44 - 0x24)) = _t22;
      				if(0 == 0) {
      					E004703F8(_t43);
      				}
      				E00470180();
      				 *(_t44 - 4) = 0xfffffffe;
      				return L00477ED5(_t43);
      			}

      APIs
      • _fast_error_exit.LIBCMT ref: 00473DCD
        • Part of subcall function 00473EAE: __FF_MSGBANNER.LIBCMT ref: 00473EBA
        • Part of subcall function 00473EAE: __NMSG_WRITE.LIBCMT ref: 00473EC2
        • Part of subcall function 004752C5: __init_pointers.LIBCMT ref: 004752C5
        • Part of subcall function 004752C5: __mtinitlocks.LIBCMT ref: 004752CA
        • Part of subcall function 004752C5: __mtterm.LIBCMT ref: 004752D3
      • _fast_error_exit.LIBCMT ref: 00473DDE
      • __RTC_Initialize.LIBCMT ref: 00473DE4
      • __ioinit.LIBCMT ref: 00473DED
      • _fast_error_exit.LIBCMT ref: 00473DF8
      • GetCommandLineA.KERNEL32(004B7A40,00000014), ref: 00473DFE
      • ___crtGetEnvironmentStringsA.LIBCMT ref: 00473E09
        • Part of subcall function 0047EEB1: GetEnvironmentStringsW.KERNEL32(?,?,?,00473E0E), ref: 0047EEB6
        • Part of subcall function 0047EEB1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00473E0E), ref: 0047EEEA
        • Part of subcall function 0047EEB1: __malloc_crt.LIBCMT ref: 0047EEF8
        • Part of subcall function 0047EEB1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00000000,00000000,?,?,?,?,00473E0E), ref: 0047EF10
        • Part of subcall function 0047EEB1: _free.LIBCMT ref: 0047EF1B
        • Part of subcall function 0047EEB1: FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,00473E0E), ref: 0047EF24
      • __setargv.LIBCMT ref: 00473E13
        • Part of subcall function 0047EAB8: ___initmbctable.LIBCMT ref: 0047EAC6
        • Part of subcall function 0047EAB8: GetModuleFileNameA.KERNEL32(00000000,004C34F8,00000104,?,?,00000000,?,?,?,00473E18), ref: 0047EAE2
        • Part of subcall function 0047EAB8: _parse_cmdline.LIBCMT ref: 0047EB09
        • Part of subcall function 0047EAB8: __malloc_crt.LIBCMT ref: 0047EB2C
        • Part of subcall function 0047EAB8: _parse_cmdline.LIBCMT ref: 0047EB46
      • __setenvp.LIBCMT ref: 00473E24
        • Part of subcall function 00470155: __FF_MSGBANNER.LIBCMT ref: 00470158
        • Part of subcall function 00470155: __NMSG_WRITE.LIBCMT ref: 00470160
      • __cinit.LIBCMT ref: 00473E37
        • Part of subcall function 0047018F: __IsNonwritableInCurrentImage.LIBCMT ref: 004701A0
        • Part of subcall function 0047018F: __initp_misc_cfltcvt_tab.LIBCMT ref: 004701B4
        • Part of subcall function 0047018F: __initterm_e.LIBCMT ref: 004701C3
        • Part of subcall function 0047018F: __IsNonwritableInCurrentImage.LIBCMT ref: 004701F9
      • __wincmdln.LIBCMT ref: 00473E48
        • Part of subcall function 004703F8: _doexit.LIBCMT ref: 00470402
      Similarity
      • API ID: EnvironmentStrings_fast_error_exit$ByteCharCurrentImageMultiNonwritableWide__malloc_crt_parse_cmdline$CommandFileFreeInitializeLineModuleName___crt___initmbctable__cinit__init_pointers__initp_misc_cfltcvt_tab__initterm_e__ioinit__mtinitlocks__mtterm__setargv__setenvp__wincmdln_doexit_free
      • String ID:
      • API String ID: 1716383608-0
      • Opcode ID: 97ab59cf51a4dda304b90e19326d9fb2c24341c196234cb6a821bc47efa529e3
      • Instruction ID: bbf3df1cd4f61a9178cff7e1680ee508cbfbd2bd14bd4877ac38e23bef474127
      • Opcode Fuzzy Hash: 97ab59cf51a4dda304b90e19326d9fb2c24341c196234cb6a821bc47efa529e3
      • Instruction Fuzzy Hash: 3D11B12064131199EB607FB39946BEE2254AF5031EF10C46FF80CAA2C3DFBDCA44625D
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 92%
      			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _t17;
      				void* _t18;
      				void* _t19;
      				void* _t21;
      				intOrPtr _t23;
      				void* _t24;
      				void* _t25;
      				void* _t26;
      				intOrPtr _t28;
      				signed int _t39;
      				void* _t41;
      				void* _t48;
      				signed int _t51;
      				void* _t53;
      				void* _t55;
      
      				_t49 = __edi;
      				_t48 = __edx;
      				E0047EE15();
      				_push(0x14);
      				_push(0x4b7a40);
      				L00477E90(__ebx, __edi, __esi);
      				_t51 = E004782FA() & 0x0000ffff;
      				E0047EDC8(2);
      				_t55 =  *0x400000 - 0x5a4d; // 0x5a4d
      				if(_t55 == 0) {
      					_t17 =  *0x40003c; // 0x110
      					__eflags =  *((intOrPtr*)(_t17 + 0x400000)) - 0x4550;
      					if( *((intOrPtr*)(_t17 + 0x400000)) != 0x4550) {
      						goto L2;
      					} else {
      						__eflags =  *((intOrPtr*)(_t17 + 0x400018)) - 0x10b;
      						if( *((intOrPtr*)(_t17 + 0x400018)) != 0x10b) {
      							goto L2;
      						} else {
      							_t39 = 0;
      							__eflags =  *((intOrPtr*)(_t17 + 0x400074)) - 0xe;
      							if( *((intOrPtr*)(_t17 + 0x400074)) > 0xe) {
      								__eflags =  *(_t17 + 0x4000e8);
      								_t6 =  *(_t17 + 0x4000e8) != 0;
      								__eflags = _t6;
      								_t39 = 0 | _t6;
      							}
      						}
      					}
      				} else {
      					L2:
      					_t39 = 0;
      				}
      				 *(_t53 - 0x1c) = _t39;
      				_t18 = E00478CE2();
      				_t56 = _t18;
      				if(_t18 == 0) {
      					L00473EAE(0x1c);
      				}
      				_t19 = E004752C5(_t39, _t49, _t56);
      				_t57 = _t19;
      				if(_t19 == 0) {
      					_t19 = L00473EAE(0x10);
      				}
      				E004780BD(_t19);
      				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
      				_t21 = E0047C53C(_t39, _t49, _t51, _t57); // executed
      				if(_t21 < 0) {
      					L00473EAE(0x1b);
      				}
      				 *0x4c4724 = GetCommandLineA(); // executed
      				_t23 = E0047EEB1(_t48); // executed
      				 *0x4c2bf8 = _t23;
      				_t24 = E0047EAB8();
      				_t59 = _t24;
      				if(_t24 < 0) {
      					E00470155(_t39, _t48, _t49, _t51, _t59, 8);
      				}
      				_t25 = E0047ECE7(_t39, _t48, _t49, _t51);
      				_t60 = _t25;
      				if(_t25 < 0) {
      					E00470155(_t39, _t48, _t49, _t51, _t60, 9);
      				}
      				_t26 = E0047018F(1); // executed
      				_pop(_t41);
      				_t61 = _t26;
      				if(_t26 != 0) {
      					E00470155(_t39, _t48, _t49, _t51, _t61, _t26);
      					_pop(_t41);
      				}
      				_t28 = L0045EAF0(_t41, _t48, 0x400000, 0, E0047EF3E(), _t51); // executed
      				_t52 = _t28;
      				 *((intOrPtr*)(_t53 - 0x24)) = _t28;
      				if(_t39 == 0) {
      					E004703F8(_t52);
      				}
      				E00470180();
      				 *(_t53 - 4) = 0xfffffffe;
      				return L00477ED5(_t52);
      			}

      APIs
      • ___security_init_cookie.LIBCMT ref: 00473D54
      • ___crtGetShowWindowMode.LIBCMT ref: 00473D6A
        • Part of subcall function 004782FA: GetStartupInfoW.KERNEL32(?), ref: 00478304
        • Part of subcall function 00478CE2: GetProcessHeap.KERNEL32(00473DC7,004B7A40,00000014), ref: 00478CE2
      Similarity
      • API ID: HeapInfoModeProcessShowStartupWindow___crt___security_init_cookie
      • String ID:
      • API String ID: 3192242368-0
      • Opcode ID: fdcb0b9587e68a8b53c8aa25cbf609c4a4467999966b91379e7dc8e30d94c134
      • Instruction ID: 19ab7aa627488bbbe2b16f2f5cc022623f1758f3b57d03447abaae19f2179312
      • Opcode Fuzzy Hash: fdcb0b9587e68a8b53c8aa25cbf609c4a4467999966b91379e7dc8e30d94c134
      • Instruction Fuzzy Hash: 6E01962464031299E7207FB79D07BEA26955F1435EF10C16FF80CD51C3EBBC9900666E
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 94%
      			E0040B570(void* __ebx, void* __edi) {
      				signed int _v8;
      				char _v528;
      				void* _v532;
      				int _v536;
      				int _v540;
      				void* __esi;
      				signed int _t13;
      				long _t16;
      				long _t22;
      				void* _t30;
      				signed int _t33;
      
      				_t31 = __edi;
      				_t26 = __ebx;
      				_t13 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t13 ^ _t33;
      				_v532 = 0;
      				_t32 = 0;
      				_v536 = 0x208;
      				_v540 = 0;
      				_t16 = RegOpenKeyW(0x80000002, L"Software\\Microsoft\\windows nt\\currentversion",  &_v532); // executed
      				if(_t16 == 0) {
      					_t22 = RegQueryValueExW(_v532, L"ProductName", 0,  &_v540,  &_v528,  &_v536); // executed
      					if(_t22 == 0) {
      						E0046F283(__ebx, __edi, 0, L"iotuap",  &_v528);
      						_t32 =  ==  ? 1 : 0;
      					}
      					RegCloseKey(_v532);
      				}
      				return E0046F77E(_t26, _v8 ^ _t33, _t30, _t31, _t32);
      			}

      APIs
      • RegOpenKeyW.ADVAPI32(80000002,Software\Microsoft\windows nt\currentversion,?), ref: 0040B5B1
      • RegQueryValueExW.KERNELBASE(00000000,ProductName,00000000,?,?,00000208), ref: 0040B5DC
      • RegCloseKey.ADVAPI32(00000000), ref: 0040B60A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CloseOpenQueryValue
      • String ID: ProductName$Software\Microsoft\windows nt\currentversion$iotuap
      • API String ID: 3677997916-312185779
      • Opcode ID: f8f9e67cb8810609da29034a24be0017aab272593a8fda4364c918af332e8194
      • Instruction ID: 171293ff41871a35604479344da090e37b3daf4aa335c9b9a263995989b96ff4
      • Opcode Fuzzy Hash: f8f9e67cb8810609da29034a24be0017aab272593a8fda4364c918af332e8194
      • Instruction Fuzzy Hash: 4A115E71A4022C9BDB209F50DC49BEEB77CEB15304F5005BAE809A2251EBB55F888FD9
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 377 40b630-40b667 RegOpenKeyW 378 40b6a2-40b6a8 377->378 379 40b669-40b686 RegQueryValueExW 377->379 380 40b688-40b68c 379->380 381 40b699-40b69c RegCloseKey 379->381 380->381 382 40b68e-40b696 380->382 381->378 382->381
      C-Code - Quality: 100%
      			E0040B630() {
      				void* _v8;
      				int _v12;
      				char _v16;
      				int _v20;
      				long _t14;
      				int* _t22;
      
      				_v8 = 0;
      				_t22 = 0;
      				_v16 = 0;
      				_v20 = 4;
      				_v12 = 0;
      				_t14 = RegOpenKeyW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Server\\ServerLevels",  &_v8); // executed
      				if(_t14 == 0) {
      					if(RegQueryValueExW(_v8, L"NanoServer", 0,  &_v12,  &_v16,  &_v20) == 0 && _v12 == 4) {
      						_t22 =  ==  ? 1 : 0;
      					}
      					RegCloseKey(_v8);
      				}
      				return _t22;
      			}

      APIs
      • RegOpenKeyW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels,0040BFDF), ref: 0040B65F
      • RegQueryValueExW.ADVAPI32(00000000,NanoServer,00000000,?,00000000,00000004), ref: 0040B67E
      • RegCloseKey.ADVAPI32(00000000), ref: 0040B69C
      Strings
      • NanoServer, xrefs: 0040B676
      • Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels, xrefs: 0040B642
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CloseOpenQueryValue
      • String ID: NanoServer$Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels
      • API String ID: 3677997916-218722125
      • Opcode ID: 28af699a9b66ca3d95a565af4ef78dc62d9e366a11124c1267d3e312a1afcc17
      • Instruction ID: 90fc4faf476116a81d45be9c778305d5396e6fc0630cee1ffe40a633eaa074c7
      • Opcode Fuzzy Hash: 28af699a9b66ca3d95a565af4ef78dc62d9e366a11124c1267d3e312a1afcc17
      • Instruction Fuzzy Hash: DE0128B1A00218EBDF10DF90CC09BEEBBBCEB05701F2005BAE901B2180D3795A148B89
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 383 40b450-40b47d RegOpenKeyExW 384 40b4c0-40b4c5 383->384 385 40b47f-40b4af RegQueryValueExW RegCloseKey 383->385 385->384 386 40b4b1-40b4b5 385->386 386->384 387 40b4b7-40b4bf 386->387
      C-Code - Quality: 100%
      			E0040B450(void* _a4, short* _a8) {
      				void* _v8;
      				char _v12;
      				int _v16;
      				long _t13;
      				long _t17;
      
      				_v8 = 0;
      				_v12 = 0;
      				_t13 = RegOpenKeyExW(_a4, _a8, 0, 0x101,  &_v8); // executed
      				if(_t13 != 0) {
      					L4:
      					return 0;
      				} else {
      					_v16 = 4;
      					_t17 = RegQueryValueExW(_v8, L"EulaAccepted", 0, 0,  &_v12,  &_v16); // executed
      					RegCloseKey(_v8); // executed
      					if(_t17 != 0 || _v12 == 0) {
      						goto L4;
      					} else {
      						return 1;
      					}
      				}
      			}

      APIs
      • RegOpenKeyExW.KERNELBASE(00000000,0040BF36,00000000,00000101,?,0040BF36), ref: 0040B475
      • RegQueryValueExW.KERNELBASE(00000000,EulaAccepted,00000000,00000000,00000000,76A1E730), ref: 0040B49B
      • RegCloseKey.KERNELBASE(00000000), ref: 0040B4A6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CloseOpenQueryValue
      • String ID: EulaAccepted
      • API String ID: 3677997916-921354838
      • Opcode ID: 9776d663d8dbdaab9cc45e341d0e77b8a9847b8245df3a653f8ffe150d7d3aef
      • Instruction ID: b36093686f55cb0ffd355769008780c6864a73120f5c43f36a48ecd927c56b10
      • Opcode Fuzzy Hash: 9776d663d8dbdaab9cc45e341d0e77b8a9847b8245df3a653f8ffe150d7d3aef
      • Instruction Fuzzy Hash: 64011D71A4020CFBDF219F90DC05BDEBBB8EB04704F2041B6ED08B6291D3B95B549B88
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 388 401230-40125f CreateCompatibleDC GetDeviceCaps * 2 DeleteDC
      C-Code - Quality: 100%
      			E00401230() {
      				struct HDC__* _t1;
      				int _t4;
      				struct HDC__* _t5;
      
      				_t1 = CreateCompatibleDC(0); // executed
      				_t5 = _t1;
      				 *0x4bc894 = GetDeviceCaps(_t5, 0x58);
      				 *0x4bc898 = GetDeviceCaps(_t5, 0x5a); // executed
      				_t4 = DeleteDC(_t5); // executed
      				return _t4;
      			}

      APIs
      • CreateCompatibleDC.GDI32(00000000), ref: 00401233
      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0040123E
      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040124C
      • DeleteDC.GDI32(00000000), ref: 00401258
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CapsDevice$CompatibleCreateDelete
      • String ID:
      • API String ID: 1745246857-0
      • Opcode ID: 29bf81f99beba7c226d37e6a921d45b3633617d89bf7c552e407a2e6fb2b9c2d
      • Instruction ID: a96abfc68b145d0aa113d18650f4277c1e52402a9dc49a2384b3ab5caa1c10bc
      • Opcode Fuzzy Hash: 29bf81f99beba7c226d37e6a921d45b3633617d89bf7c552e407a2e6fb2b9c2d
      • Instruction Fuzzy Hash: DAD06731540600EBD6506FB5FC8DA2E7BB9EBEAB03F00493DF605D61A0DAB448098B29
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 389 40b4d0-40b511 call 46f410 call 40b450 394 40b551-40b563 call 46f77e 389->394 395 40b513-40b527 call 40b450 389->395 395->394 400 40b529-40b535 call 40b450 395->400 402 40b53a-40b550 call 46f77e 400->402
      C-Code - Quality: 74%
      			E0040B4D0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
      				signed int _v8;
      				char _v528;
      				signed int _t7;
      				void* _t12;
      				void* _t15;
      				signed int _t29;
      
      				_t28 = __esi;
      				_t27 = __edi;
      				_t26 = __edx;
      				_t21 = __ebx;
      				_t7 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t7 ^ _t29;
      				_push(_a4);
      				E0046F410( &_v528, L"%s\\%s", L"Software\\Sysinternals");
      				_t12 = E0040B450(0x80000002, L"Software\\Sysinternals"); // executed
      				if(_t12 != 0) {
      					L3:
      					return E0046F77E(_t21, _v8 ^ _t29, _t26, _t27, _t28);
      				} else {
      					_t15 = E0040B450(0x80000001, L"Software\\Sysinternals"); // executed
      					if(_t15 != 0) {
      						goto L3;
      					} else {
      						E0040B450(0x80000001,  &_v528); // executed
      						asm("sbb eax, eax");
      						return E0046F77E(__ebx, _v8 ^ _t29, __edx, __edi, __esi);
      					}
      				}
      			}

      APIs
      • __swprintf.LIBCMT ref: 0040B4F8
        • Part of subcall function 0040B450: RegOpenKeyExW.KERNELBASE(00000000,0040BF36,00000000,00000101,?,0040BF36), ref: 0040B475
        • Part of subcall function 0040B450: RegQueryValueExW.KERNELBASE(00000000,EulaAccepted,00000000,00000000,00000000,76A1E730), ref: 0040B49B
        • Part of subcall function 0040B450: RegCloseKey.KERNELBASE(00000000), ref: 0040B4A6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CloseOpenQueryValue__swprintf
      • String ID: %s\%s$Software\Sysinternals
      • API String ID: 3293003562-3469826209
      • Opcode ID: 6895b082f8d96b78ba85304278cbfacb0048e65a381c86fcc2f4ff4eeb06c32c
      • Instruction ID: f599e4e09dcea05e070b5d4e24340897c059dde4e78286c2262afdba6fe41772
      • Opcode Fuzzy Hash: 6895b082f8d96b78ba85304278cbfacb0048e65a381c86fcc2f4ff4eeb06c32c
      • Instruction Fuzzy Hash: 0C018B74A4021CAADF10F7A9AC53B797798CB14309F1142BEBC09E2283FA799A1446DD
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(00000000,0000007F), ref: 004013C4
      • LoadIconW.USER32(00000000), ref: 004013CB
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: HandleIconLoadModule
      • String ID:
      • API String ID: 3495291681-0
      • Opcode ID: f3aa58cdb81ecfcd5c11d9434067dc14340594e26c0ce01057738f1684f960be
      • Instruction ID: cab6348a24b322c2b9b7d9aee5c007e44a9704787ef7fdffb26b932e2e92508e
      • Opcode Fuzzy Hash: f3aa58cdb81ecfcd5c11d9434067dc14340594e26c0ce01057738f1684f960be
      • Instruction Fuzzy Hash: E6B092B494A200ABDA001FB4BC4EB1C3AA4A748702F000938B609C91A5CB7420048B18
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualFree.KERNEL32(00000000,00000000,00008000,00000002,list<T> too long,00000000,00000002,?,0042092E,?,?,?,?,00000000), ref: 00424238
      • VirtualAlloc.KERNELBASE(00000000,1E1A3000,00002000,00000004,00000002,list<T> too long,00000000,00000002,?,0042092E,?,?,?,?,00000000), ref: 00424253
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Virtual$AllocFree
      • String ID:
      • API String ID: 2087232378-0
      • Opcode ID: 62e76eb65513b64904d0e23be259d5b803002e0f4a141e0e33a993abe22a44d0
      • Instruction ID: 133caccb5720568a8b501a23747f276ff64c2e06c324a712955fa138ae34d67d
      • Opcode Fuzzy Hash: 62e76eb65513b64904d0e23be259d5b803002e0f4a141e0e33a993abe22a44d0
      • Instruction Fuzzy Hash: 4BF01C70204B10DFE7308F15EC19B47BAF0BB00B15F10896DE6A65A6D0C3F9A488CF98
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _malloc
      • String ID:
      • API String ID: 1579825452-0
      • Opcode ID: f04968ac8513581a0098fb16f04782a478dfa0638ff09286abbb6e2f020c930b
      • Instruction ID: 13e8e649b4596eae026fc14e33ab0ec7eb8553a33075eaf73c47d262094c993c
      • Opcode Fuzzy Hash: f04968ac8513581a0098fb16f04782a478dfa0638ff09286abbb6e2f020c930b
      • Instruction Fuzzy Hash: CC113A31A0551D4BCB11CE18A8603BBB795DFC2708F2941BADC84AB346DB755D0683E8
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 004702B7: __lock.LIBCMT ref: 004702B9
      • __onexit_nolock.LIBCMT ref: 0046FC49
        • Part of subcall function 0046FC71: RtlDecodePointer.NTDLL(?,?,00000000,?,?,0046FC4E,?,004B77B0,0000000C,0046FD34,?,?,004701D8,004780DD,?,00473E3C), ref: 0046FC84
        • Part of subcall function 0046FC71: DecodePointer.KERNEL32(?,?,00000000,?,?,0046FC4E,?,004B77B0,0000000C,0046FD34,?,?,004701D8,004780DD,?,00473E3C), ref: 0046FC8F
        • Part of subcall function 0046FC71: __realloc_crt.LIBCMT ref: 0046FCD0
        • Part of subcall function 0046FC71: __realloc_crt.LIBCMT ref: 0046FCE4
        • Part of subcall function 0046FC71: EncodePointer.KERNEL32(00000000,?,?,00000000,?,?,0046FC4E,?,004B77B0,0000000C,0046FD34,?,?,004701D8,004780DD), ref: 0046FCF6
        • Part of subcall function 0046FC71: EncodePointer.KERNEL32(?,?,?,00000000,?,?,0046FC4E,?,004B77B0,0000000C,0046FD34,?,?,004701D8,004780DD), ref: 0046FD04
        • Part of subcall function 0046FC71: EncodePointer.KERNEL32(00000004,?,?,00000000,?,?,0046FC4E,?,004B77B0,0000000C,0046FD34,?,?,004701D8,004780DD), ref: 0046FD10
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
      • String ID:
      • API String ID: 3536590627-0
      • Opcode ID: 2b9d9d1bbde30ccd476ba19665d5b338b41fe5f2b0f08bcccd330f5c3bdb1745
      • Instruction ID: ecc1b16250c631ba2d85f37c9812de81fef7f368fa3f8e48221f2a46eee8428d
      • Opcode Fuzzy Hash: 2b9d9d1bbde30ccd476ba19665d5b338b41fe5f2b0f08bcccd330f5c3bdb1745
      • Instruction Fuzzy Hash: 14D0C232D04609DACB00BBAA884679C76606F0072AF50C18EF018A61C3CB7C0A028F5E
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • HeapCreate.KERNELBASE(00040000,00000601,0047C57B,004BB1DC,?,000000FE,004B7DD8,00000064,00473DF2,004B7A40,00000014), ref: 0047B4EC
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateHeap
      • String ID:
      • API String ID: 10892065-0
      • Opcode ID: 48cb00946df4c04a5f538434d8088b3aad04a96bbb89e5790b46af1b64047792
      • Instruction ID: 9b0f7b1fa89997b80a71e9b132f05b378ffcef27703e09fd6800e969b7a7baa7
      • Opcode Fuzzy Hash: 48cb00946df4c04a5f538434d8088b3aad04a96bbb89e5790b46af1b64047792
      • Instruction Fuzzy Hash: 4AB01231C803168B87F45B78DA4C08D7550A2C02803511939D483D3111DF31C711C74C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E0044AF50(void* __ebx, void* __edx, void* __fp0, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr* _a16) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				void* _v540;
      				intOrPtr _v552;
      				struct HWND__* _v556;
      				void* _v560;
      				void* _v564;
      				signed int _v568;
      				signed int _v572;
      				int _v576;
      				struct HWND__* _v580;
      				struct _CRITICAL_SECTION _v584;
      				struct _CRITICAL_SECTION* _v588;
      				struct HWND__* __edi;
      				struct _CRITICAL_SECTION* __esi;
      				signed int _t199;
      				signed int _t200;
      				intOrPtr _t202;
      				struct HWND__* _t203;
      				long _t204;
      				struct _CRITICAL_SECTION* _t209;
      				struct HWND__* _t215;
      				struct HWND__* _t221;
      				long _t222;
      				struct HWND__* _t227;
      				int _t231;
      				long _t233;
      				int _t247;
      				signed int _t253;
      				void* _t265;
      				void* _t273;
      				void* _t275;
      				int _t281;
      				long _t282;
      				signed int _t298;
      				long _t301;
      				void* _t304;
      				signed int _t316;
      				int _t320;
      				struct _CRITICAL_SECTION* _t326;
      				struct HWND__* _t333;
      				unsigned int _t336;
      				void* _t342;
      				struct HWND__* _t344;
      				void* _t345;
      				intOrPtr* _t347;
      				struct _CRITICAL_SECTION* _t348;
      				struct _CRITICAL_SECTION* _t354;
      				void* _t359;
      				void* _t368;
      				signed int _t372;
      				void* _t383;
      				void* _t389;
      				void* _t390;
      
      				_t342 = __edx;
      				_t325 = __ebx;
      				_push(0xffffffff);
      				_push(E0048AECA);
      				_push( *[fs:0x0]);
      				_t199 =  *0x4bb1dc; // 0x2927074f
      				_t200 = _t199 ^ _t372;
      				_v20 = _t200;
      				_push(_t200);
      				 *[fs:0x0] =  &_v16;
      				_t202 = _a8;
      				_t347 = _a16;
      				_t344 = _a4;
      				_v568 = _t347;
      				_t383 = _t202 - 0x111;
      				if(_t383 > 0) {
      					_t203 = _t202 - 0x8003;
      					__eflags = _t203;
      					if(__eflags == 0) {
      						_t204 = GetWindowLongW(_t344, 0xffffffeb);
      						_v564 = _t204;
      						_t348 =  *_t204;
      						_v568 = _t348;
      						EnterCriticalSection(_t348);
      						_t326 = _v568;
      						LeaveCriticalSection(_t326);
      						SendMessageW(GetDlgItem(_t344, 0x3f9), 0x102f,  *((intOrPtr*)(_t348 + 0x1c)) -  *((intOrPtr*)(_t326 + 0x18)) >> 5, 2);
      						E0042EE90(_t326, __eflags, GetDlgItem(_t344, 0x3f9), 0xffffffff, 1);
      						_t354 =  *_v564;
      						_v568 = _t354;
      						EnterCriticalSection(_t354);
      						_t209 = _v568;
      						LeaveCriticalSection(_t209);
      						__eflags =  *((intOrPtr*)(_t354 + 0x1c)) -  *((intOrPtr*)(_t209 + 0x18)) >> 5;
      						EnableWindow(GetDlgItem(_t344, 0x400), 0 | __eflags != 0x00000000);
      						_t215 = SendMessageW(GetDlgItem(_t344, 0x3f9), 0x1042, 0, 0);
      						__eflags = _t215;
      						_t195 = _t215 > 0;
      						__eflags = _t195;
      						EnableWindow(GetDlgItem(_t344, 0x3fd), 0 | _t195);
      						SendMessageW(_t344, 0x111, 0x103fb, 0);
      						L88:
      						__eflags = 0;
      						L89:
      						 *[fs:0x0] = _v16;
      						_pop(_t345);
      						_pop(_t359);
      						return E0046F77E(_t325, _v20 ^ _t372, _t342, _t345, _t359);
      					}
      					_t221 = _t203 - 9;
      					__eflags = _t221;
      					if(_t221 == 0) {
      						_t222 = GetWindowLongW(_t344, 0xffffffeb);
      						__eflags =  *((char*)(_t222 + 4));
      						if( *((char*)(_t222 + 4)) == 0) {
      							L86:
      							SetWindowLongW(_t344, 0, 0);
      							goto L89;
      						}
      						_t227 = SendMessageW(GetDlgItem(_t344, 0x3ff), 0xe, 0, 0);
      						__eflags = _t227;
      						if(_t227 <= 0) {
      							goto L86;
      						}
      						SetWindowLongW(_t344, 0, 1);
      						goto L89;
      					}
      					_t231 = _t221 - 1;
      					__eflags = _t231;
      					if(_t231 != 0) {
      						goto L88;
      					}
      					_v564 = _t231;
      					_t233 = SendMessageW(GetDlgItem(_t344, 0x3fb), 0x150, _t231, _t231);
      					__eflags = _t233 - 0xffffffff;
      					if(_t233 == 0xffffffff) {
      						L78:
      						SendMessageW(GetDlgItem(_t344, 0x3fa), 0x14e,  *(_t347 + 4), 0);
      						__eflags =  *(_t347 + 0x18);
      						SendMessageW(GetDlgItem(_t344, 0x3fe), 0x14e, 0 | __eflags == 0x00000000, 0);
      						SendMessageW(_t344, 0x111, 0x103fb, 0);
      						_t333 =  *(_t347 + 8);
      						_v580 = _t333;
      						__eflags = _t333;
      						if(_t333 != 0) {
      							E0046A420(_t333);
      						}
      						_v8 = 1;
      						SetDlgItemTextW(_t344, 0x3ff, E0046A170( &_v580));
      						_t335 = _v580;
      						_v8 = 0xffffffff;
      						__eflags = _v580;
      						if(_v580 != 0) {
      							E0046A700(_t335);
      						}
      						SetFocus(GetDlgItem(_t344, 0x3fa));
      						goto L88;
      					} else {
      						goto L74;
      					}
      					while(1) {
      						L74:
      						__eflags = _t233 -  *_t347;
      						_t247 = _v564;
      						_push(0);
      						if(_t233 ==  *_t347) {
      							break;
      						}
      						_v564 = _t247 + 1;
      						_t233 = SendMessageW(GetDlgItem(_t344, 0x3fb), 0x150, _t250, ??);
      						__eflags = _t233 - 0xffffffff;
      						if(_t233 != 0xffffffff) {
      							continue;
      						}
      						goto L78;
      					}
      					SendMessageW(GetDlgItem(_t344, 0x3fb), 0x14e, _t247, ??);
      					goto L78;
      				}
      				if(_t383 == 0) {
      					_t336 = _a12;
      					_t253 = (_t336 & 0x0000ffff) + 0xfffffc06;
      					__eflags = _t253 - 6;
      					if(_t253 > 6) {
      						goto L88;
      					}
      					switch( *((intOrPtr*)(_t253 * 4 +  &M0044BE50))) {
      						case 0:
      							__ecx = __ecx >> 0x10;
      							__eflags = __ecx - 1;
      							goto L50;
      						case 1:
      							__eflags = _t336 >> 0x10 - 1;
      							if(_t336 >> 0x10 == 1) {
      								_t255 = SendMessageW(GetDlgItem(_t344, 0x3fb), 0x147, 0, 0);
      								_v568 = _t255;
      								__eflags = _t255;
      								if(_t255 >= 0) {
      									_t363 = GetDlgItem(_t344, 0x3ff);
      									_v564 = _t363;
      									_v568 = SendMessageW(GetDlgItem(_t344, 0x3fb), 0x150, _v568, 0);
      									SendMessageW(_t363, 0x14b, 0, 0);
      									_t261 = SetCursor(LoadCursorW(0, 0x7f02));
      									E0041E300(0x4bca10, _t342, _v568, _v564, 0x143, 0x151, 1);
      									SetCursor(_t261);
      									 *((char*)(GetWindowLongW(_t344, 0xffffffeb) + 4)) = 1;
      								}
      							}
      							goto L88;
      						case 2:
      							__eax = GetDlgItem(__edi, 0x3fb);
      							__esi = SendMessageW;
      							__eax = SendMessageW(__eax, 0x147, 0, 0);
      							__eax = GetDlgItem(__edi, 0x3fb);
      							_v576 = __eax;
      							__eax = GetDlgItem(__edi, 0x3fa);
      							_v568 = __eax;
      							__eax =  &_v540;
      							GetDlgItem(__edi, 0x3ff) = SendMessageW(__eax, 0xd, 0x104,  &_v540);
      							__eax = GetDlgItem(__edi, 0x3fe);
      							__esi = __eax;
      							__eax = GetWindowLongW(__edi, 0xffffffeb);
      							__eflags = __esi;
      							_v564 = __eax;
      							__cl & 0x000000ff =  &_v540;
      							__ecx = __eax->i;
      							__eax = E00412AD0(__eax->i, __fp0, _v576, _v568,  &_v540, __cl & 0x000000ff);
      							__ecx = _v564;
      							__ecx =  *_v564;
      							__eax = E00416890(__ecx);
      							__esi = GetDlgItem;
      							GetDlgItem(__edi, 0x3f9) = SendMessageW(__eax, 0x102f, __eax, 2);
      							goto L69;
      						case 3:
      							__eax = GetDlgItem(__edi, 0x3f9);
      							__eax = SendMessageW(__eax, 0x1042, 0, 0);
      							_v568 = __eax;
      							__eflags = __eax;
      							if(__eax < 0) {
      								goto L88;
      							}
      							__eax = GetWindowLongW(__edi, 0xffffffeb);
      							_v564 = __eax;
      							__esi = __eax->i;
      							_v588 = __esi;
      							EnterCriticalSection(__esi);
      							__eax = _v564;
      							_v568 = _v568 << 5;
      							_v8 = 3;
      							__eax =  *_v564;
      							__ecx = (_v568 << 5) +  *((intOrPtr*)( *_v564 + 0x18));
      							__eax = 0;
      							_v572 = (_v568 << 5) +  *((intOrPtr*)( *_v564 + 0x18));
      							_v576 = 0;
      							__eax = GetDlgItem(__edi, 0x3fb);
      							__eax = SendMessageW(__eax, 0x150, 0, 0);
      							__eflags = __eax - 0xffffffff;
      							if(__eax == 0xffffffff) {
      								L63:
      								__eax = _v572;
      								GetDlgItem(__edi, 0x3fa) = SendMessageW(__eax, 0x14e,  *(__eax + 4), 0);
      								__ecx = _v572;
      								__eax = 0;
      								__eflags =  *((intOrPtr*)(_v572 + 0x18)) - __al;
      								__eax = 0 | __eflags == 0x00000000;
      								GetDlgItem(__edi, 0x3fe) = SendMessageW(__eax, 0x14e, __eflags == 0, 0);
      								SendMessageW(__edi, 0x111, 0x103fb, 0) = _v572;
      								__ecx =  *(_v572 + 8);
      								_v584 = __ecx;
      								__eflags = __ecx;
      								if(__ecx != 0) {
      									__eax = E0046A420(__ecx);
      								}
      								__ecx =  &_v584;
      								_v8 = 4;
      								E0046A170( &_v584) = SetDlgItemTextW(__edi, 0x3ff, __eax);
      								__ecx = _v584;
      								_v8 = 3;
      								__eflags = __ecx;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      								_v8 = 0xffffffff;
      								LeaveCriticalSection(__esi);
      								__esi = _v564;
      								__ecx =  *__esi;
      								__eax = E00413A20(_v568);
      								__esi =  *__esi;
      								_v568 = __esi;
      								EnterCriticalSection(__esi);
      								__eax = _v568;
      								__esi =  *(__esi + 0x1c);
      								__esi = __esi >> 5;
      								LeaveCriticalSection(__eax);
      								__esi = GetDlgItem;
      								GetDlgItem(__edi, 0x3f9) = SendMessageW(__eax, 0x102f, GetDlgItem, 2);
      								__eax = GetDlgItem(__edi, 0x3f9);
      								__eax = SendMessageW(__eax, 0x1042, 0, 0);
      								__eflags = __eax;
      								if(__eax < 0) {
      									GetDlgItem(__edi, 0x3fd) = EnableWindow(__eax, 0);
      								}
      								L69:
      								GetDlgItem(__edi, 0x400) = EnableWindow(__eax, 1);
      								__eax = UpdateWindow(__edi);
      								__esi = GetParent;
      								GetParent(__edi) = SendMessageW(__eax, 0x8003, 0, 0);
      								__eax = GetParent(__edi);
      								__eax = EnableWindow(__eax, 1);
      								__eax = GetParent(__edi);
      								__eax = _v564;
      								 *((char*)(_v564 + 4)) = 0;
      								goto L88;
      							}
      							while(1) {
      								__ecx = _v572;
      								_push(0);
      								__eflags = __eax -  *_v572;
      								__eax = _v576;
      								if(__eflags == 0) {
      									break;
      								}
      								_v576 = __eax;
      								__eax = GetDlgItem(__edi, 0x3fb);
      								__eax = SendMessageW(__eax, 0x150, __eax, ??);
      								__eflags = __eax - 0xffffffff;
      								if(__eax != 0xffffffff) {
      									continue;
      								}
      								goto L63;
      							}
      							GetDlgItem(__edi, 0x3fb) = SendMessageW(__eax, 0x14e, __eax, ??);
      							goto L63;
      						case 4:
      							__ecx = __ecx >> 0x10;
      							__eflags = __cx - 1;
      							if(__cx == 1) {
      								L51:
      								 *((char*)(GetWindowLongW(__edi, 0xffffffeb) + 4)) = 1;
      								goto L88;
      							}
      							__eflags = __cx - 5;
      							L50:
      							if(__eflags != 0) {
      								goto L88;
      							}
      							goto L51;
      						case 5:
      							__eax = GetParent(__edi);
      							__esi = SendMessageW;
      							__eax = SendMessageW(__eax, 0x111, 0x400, 0);
      							__eax = GetWindowLongW(__edi, 0xffffffeb);
      							_v568 = __eax;
      							__ecx = __eax->i;
      							__eax = E00416890(__ecx);
      							GetDlgItem(__edi, 0x3f9) = SendMessageW(__eax, 0x102f, __eax, 2);
      							__eax = GetDlgItem(__edi, 0x3fd);
      							__esi = EnableWindow;
      							__eax = EnableWindow(__eax, 0);
      							GetDlgItem(__edi, 0x400) = EnableWindow(__eax, 0);
      							__eax = UpdateWindow(__edi);
      							GetParent(__edi) = SendMessageW(__eax, 0x8003, 0, 0);
      							__eax = GetParent(__edi);
      							__eax = EnableWindow(__eax, 1);
      							__eax = GetParent(__edi);
      							__eax = EnableWindow(__eax, 1);
      							__eax = GetParent(__edi);
      							__eax = _v568;
      							 *((char*)(_v568 + 4)) = 0;
      							goto L88;
      					}
      				}
      				_t265 = _t202 - 2;
      				if(_t265 == 0) {
      					E0042EC40(__eflags, GetDlgItem(_t344, 0x3f9),  *0x4bd2b4, L"FilterControlColumns");
      					ImageList_Destroy(SendMessageW(GetDlgItem(_t344, 0x3f9), 0x1002, 0, 0));
      					E0046EF07(GetWindowLongW(_t344, 0xffffffeb));
      					goto L88;
      				}
      				_t273 = _t265 - 0x4c;
      				if(_t273 == 0) {
      					__eflags = _a12 - 0x3f9;
      					if(_a12 != 0x3f9) {
      						goto L88;
      					}
      					_t275 =  *(_t347 + 8) + 0xb1;
      					__eflags = _t275 - 0xaf;
      					if(__eflags > 0) {
      						goto L88;
      					}
      					switch( *((intOrPtr*)(( *(_t275 + 0x44bda0) & 0x000000ff) * 4 +  &M0044BD80))) {
      						case 0:
      							__eax = GetWindowLongW(__edi, 0xffffffeb);
      							__eflags =  *(__esi + 0xc) & 0x00000001;
      							__edi = __eax;
      							if(( *(__esi + 0xc) & 0x00000001) != 0) {
      								__ecx = __edi->i;
      								 &_v564 = L00413F20(__ebx, __edi->i, __esi,  &_v564,  *(__esi + 0x10),  *(__esi + 0x14));
      								__ecx =  &_v564;
      								_v8 = 2;
      								E0046A170( &_v564) = L0046FDBD( *(__esi + 0x20),  *(__esi + 0x24), __eax, 0xffffffff);
      								__ecx =  *(__esi + 0x24);
      								__edx = 0;
      								__eax =  *(__esi + 0x20);
      								_v8 = 0xffffffff;
      								 *((short*)( *(__esi + 0x20) +  *(__esi + 0x24) * 2 - 2)) = __dx;
      								__ecx = _v564;
      								__eflags = __ecx;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      							}
      							__eax =  *(__esi + 0xc);
      							__eflags = __al & 0x00000002;
      							if((__al & 0x00000002) != 0) {
      								__eax = __edi->i;
      								__edx = 0;
      								__ecx =  *(__esi + 0x10);
      								__ecx =  *(__esi + 0x10) << 5;
      								__eax =  *(__edi->i + 0x18);
      								__eflags =  *((intOrPtr*)( *(__edi->i + 0x18) + __ecx + 0x18)) - __dl;
      								__edx = 0 | __eflags != 0x00000000;
      								__edx = (__eflags != 0) + 3;
      								 *(__esi + 0x28) = __edx;
      								__eax = __edi->i;
      								__eax =  *(__edi->i + 0x18);
      								__eflags =  *((char*)(__eax + __ecx + 0x19));
      								if( *((char*)(__eax + __ecx + 0x19)) == 0) {
      									_t97 = __edx + 2; // -1
      									__eax = _t97;
      									 *(__esi + 0x28) = _t97;
      								}
      								__eax =  *(__esi + 0xc);
      							}
      							__eflags = __al & 0x00000008;
      							if((__al & 0x00000008) != 0) {
      								__eax = __edi->i;
      								 *(__esi + 0x10) =  *(__esi + 0x10) << 5;
      								__eax =  *(__edi->i + 0x18);
      								__al =  *(( *(__esi + 0x10) << 5) +  *(__edi->i + 0x18) + 0x19);
      								__ecx = 0;
      								__eflags =  *(( *(__esi + 0x10) << 5) +  *(__edi->i + 0x18) + 0x19);
      								 *(__esi + 0x1c) = 0xf000;
      								0 | __eflags != 0x00000000 = (__eflags != 0) + 1;
      								__ecx = (__eflags != 0) + 1 << 0xc;
      								 *(__esi + 0x18) = __ecx;
      							}
      							goto L88;
      						case 1:
      							L19:
      							goto L89;
      						case 2:
      							__eax = GetWindowLongW(__edi, 0xffffffeb);
      							__edi = _v568;
      							__esi = __eax;
      							__eax = E0042EE90(__ecx, __eflags, __edi->i,  *((intOrPtr*)(__edi + 0x10)), 1);
      							__ecx =  *__esi;
      							_v568 = __al;
      							E00414500( *((intOrPtr*)(__edi + 0x10)), _v568) = InvalidateRect( *__edi, 0, 0);
      							goto L88;
      						case 3:
      							__eflags =  *(__esi + 0x14) & 0x00000002;
      							if(( *(__esi + 0x14) & 0x00000002) != 0) {
      								GetDlgItem(__edi, 0x3fd) = EnableWindow(__eax, 1);
      							}
      							goto L88;
      						case 4:
      							__eax =  *(__esi + 0xc);
      							__eax =  *(__esi + 0xc) - 1;
      							__eflags = __eax;
      							if(__eax == 0) {
      								SetWindowLongW(__edi, 0, 0x20) = 1;
      								goto L89;
      							}
      							__eax = __eax - 0x10000;
      							__eflags = __eax;
      							if(__eax != 0) {
      								goto L88;
      							}
      							__eax = GetWindowLongW(__edi, 0xffffffeb);
      							__ecx = 0;
      							_v568 = 0x808080;
      							__edx =  *(__eax + 0x18);
      							 *(__esi + 0x24) =  *(__esi + 0x24) << 5;
      							__eflags =  *((intOrPtr*)(( *(__esi + 0x24) << 5) + __edx + 0x19)) - __cl;
      							__ecx =  ==  ? _v568 : 0;
      							 *(__esi + 0x30) = __ecx;
      							SetWindowLongW(__edi, 0, 2) = 1;
      							goto L89;
      						case 5:
      							_t278 = SendMessageW(GetDlgItem(_t344, 0x3f9), 0x1042, 0, 0);
      							__eflags = _t278;
      							if(_t278 >= 0) {
      								SendMessageW(_t344, 0x111, 0x3fd, 0);
      							}
      							goto L88;
      						case 6:
      							__eax =  *(__esi + 0x20);
      							asm("xorps xmm0, xmm0");
      							_v560 =  *(__esi + 0x20);
      							__eax =  *(__esi + 0x24);
      							asm("movdqu [ebp-0x228], xmm0");
      							_v556 =  *(__esi + 0x24);
      							 &_v560 = SendMessageW( *__esi, 0x1012, 0,  &_v560);
      							__eflags = _v552 - 8;
      							if(_v552 == 8) {
      								__eax = GetWindowLongW(__edi, 0xffffffeb);
      								 *(__esi + 0xc) =  *(__esi + 0xc) << 5;
      								__eax = __eax->i;
      								__eax =  *(__eax + 0x18);
      								__ecx = __eax + ( *(__esi + 0xc) << 5);
      								__eflags =  *(__ecx + 0x19);
      								__eax = __eax & 0xffffff00 |  *(__ecx + 0x19) == 0x00000000;
      								 *(__ecx + 0x19) = __al;
      								 *(__esi + 0xc) = SendMessageW( *__esi, 0x1015,  *(__esi + 0xc),  *(__esi + 0xc));
      								__eax = GetParent(__edi);
      								__eax = GetDlgItem(__eax, 0x6a);
      								__esi = EnableWindow;
      								__eax = EnableWindow(__eax, 1);
      								__eax = GetParent(__edi);
      								__eax = EnableWindow(__eax, 1);
      							}
      							goto L88;
      						case 7:
      							goto L88;
      					}
      				}
      				_t386 = _t273 != 0xc2;
      				if(_t273 != 0xc2) {
      					goto L88;
      				} else {
      					_push(0x40);
      					_t281 = E0046EEB6(__ebx, _t344, _t386);
      					_v568 = _t281;
      					_v8 = 0;
      					_t387 = _t281;
      					if(_t281 != 0) {
      						E00445770(_t344);
      					}
      					_push(8);
      					_v8 = 0xffffffff;
      					_t282 = E0046EEB6(_t325, _t344, _t387);
      					_t388 = _t282;
      					if(_t282 == 0) {
      						_t282 = 0;
      						__eflags = 0;
      					} else {
      						 *_t282 = _t347;
      						 *((char*)(_t282 + 4)) = 0;
      					}
      					SetWindowLongW(_t344, 0xffffffeb, _t282);
      					E0042E9F0(_t342, GetDlgItem(_t344, 0x3f9), "\xef\xbf\xbd:J", 4, 0x4
      					E0042EB50(_t388, GetDlgItem(_t344, 0x3f9),  *0x4bd2b4, L"FilterControlColumns");
      					_t368 = SendMessageW(GetDlgItem(_t344, 0x3f9), 0x1002, 1, 0);
      					_v564 = _t368;
      					ImageList_ReplaceIcon(_t368, 0xffffffff, LoadIconW( *0x4bd2c4, 0x78));
      					ImageList_ReplaceIcon(_v564, 0xffffffff, LoadIconW( *0x4bd2c4, 0xcd));
      					L00445FC0(_v564, 3);
      					L00445FC0(_v564, 4);
      					SendMessageW(GetDlgItem(_t344, 0x3f9), 0x100b, 0xf000, 0);
      					_t298 = 0;
      					_v572 = 0;
      					_t389 =  *0x498004 - _t298; // 0x1b
      					if(_t389 <= 0) {
      						L13:
      						SendMessageW(GetDlgItem(_t344, 0x3fb), 0x14e, 0, 0);
      						_t301 =  *0x4bb0d4; // 0x4974f4
      						_v564 = 0;
      						if(_t301 == 0) {
      							L16:
      							SendMessageW(GetDlgItem(_t344, 0x3fa), 0x14e, 0, 0);
      							_t304 = 0;
      							_v564 = 0;
      							goto L17;
      							L17:
      							_t30 = _t304 + 0x4bb128; // 0x497834
      							SendMessageW(GetDlgItem(_t344, 0x3fe), 0x143, 0,  *_t30);
      							_t304 = _v564 + 4;
      							_v564 = _t304;
      							if(_t304 < 8) {
      								goto L17;
      							} else {
      								SendMessageW(GetDlgItem(_t344, 0x3fe), 0x14e, 0, 0);
      								SendMessageW(GetDlgItem(_t344, 0x3f9), 0x30,  *0x4bd708, 0);
      								goto L19;
      							}
      						} else {
      							do {
      								SendMessageW(GetDlgItem(_t344, 0x3fa), 0x143, 0, _t301);
      								_t316 = _v564 + 1;
      								_v564 = _t316;
      								_t301 = 0x4bb0d4[_t316];
      							} while (_t301 != 0);
      							goto L16;
      						}
      					} else {
      						do {
      							LoadStringW( *0x4bd2c4,  *(0x497f98 + _t298 * 4),  &_v540, 0x104);
      							_t320 = SendMessageW(GetDlgItem(_t344, 0x3fb), 0x143, 0,  &_v540);
      							SendMessageW(GetDlgItem(_t344, 0x3fb), 0x151, _t320,  *(0x497f98 + _v572 * 4));
      							_t298 = _v572 + 1;
      							_v572 = _t298;
      							_t390 = _t298 -  *0x498004; // 0x1b
      						} while (_t390 < 0);
      						goto L13;
      					}
      				}
      			}

      [Instruction address column of the report for the decompiled function above (0x0044af50 to 0x0044bd7b); the per-line alignment with the C code was lost in extraction]

      APIs
      • SetWindowLongW.USER32 ref: 0044B000
      • GetDlgItem.USER32 ref: 0044B020
      • GetDlgItem.USER32 ref: 0044B03C
      • GetDlgItem.USER32 ref: 0044B056
      • SendMessageW.USER32(00000000), ref: 0044B059
      • LoadIconW.USER32(00000078), ref: 0044B06F
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 0044B07F
      • LoadIconW.USER32(000000CD), ref: 0044B08C
      • ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 0044B09B
      • GetDlgItem.USER32 ref: 0044B0CE
      • SendMessageW.USER32(00000000), ref: 0044B0D1
      • LoadStringW.USER32(?,00000104), ref: 0044B109
      • GetDlgItem.USER32 ref: 0044B123
      • SendMessageW.USER32(00000000), ref: 0044B126
      • GetDlgItem.USER32 ref: 0044B51A
      • GetDlgItem.USER32 ref: 0044B534
      • SendMessageW.USER32(00000000), ref: 0044B537
      • ImageList_Destroy.COMCTL32(00000000), ref: 0044B53E
      • GetWindowLongW.USER32(?,000000EB), ref: 0044B547
        • Part of subcall function 0046EEB6: _malloc.LIBCMT ref: 0046EECE
      • GetDlgItem.USER32 ref: 0044BB03
      • SendMessageW.USER32(00000000), ref: 0044BB0A
      • GetDlgItem.USER32 ref: 0044BB34
      • SendMessageW.USER32(00000000), ref: 0044BB3B
      • GetDlgItem.USER32 ref: 0044BB71
      • SendMessageW.USER32(00000000), ref: 0044BB78
      • GetDlgItem.USER32 ref: 0044BB94
      • SendMessageW.USER32(00000000), ref: 0044BB9B
      • SendMessageW.USER32(?,00000111,000103FB,00000000), ref: 0044BBAE
      • SetDlgItemTextW.USER32 ref: 0044BBDF
      • GetDlgItem.USER32 ref: 0044BC01
      • SetFocus.USER32(00000000), ref: 0044BC08
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Item$MessageSend$Icon$ImageList_Load$LongReplaceWindow$DestroyFocusStringText_malloc
      • String ID: FilterControlColumns$:J
      • API String ID: 1272631875-1830203383
      • Opcode ID: f3eaee25770c2505c1d05a99ad1c15f734f9b956330462379577db02649bfda1
      • Instruction ID: 7390ce8f09e2bce7a0fb135e1548b2a8f0827de18ac0033b5820b757eacbb511
      • Opcode Fuzzy Hash: f3eaee25770c2505c1d05a99ad1c15f734f9b956330462379577db02649bfda1
      • Instruction Fuzzy Hash: BF82A370A40615BBEB215F749C4DF6E7B78EB08700F0009ADF605EA2E1DBB89945CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E00448AA0(void* __ebx, int __edx, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed int _a12, struct HWND__** _a16) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				short _v120;
      				char _v640;
      				char _v2688;
      				intOrPtr _v2692;
      				char _v2696;
      				int _v2700;
      				void* _v2704;
      				signed int _v2708;
      				signed int _v2712;
      				struct HWND__* _v2716;
      				int _v2720;
      				struct HWND__* _v2724;
      				int _v2728;
      				char _v2732;
      				int _v2736;
      				struct HICON__* _v2740;
      				int _v2744;
      				intOrPtr _v2748;
      				int _v2752;
      				void* _v2756;
      				int _v2760;
      				int _v2764;
      				int _v2768;
      				char _v2772;
      				intOrPtr* _v2776;
      				char _v2780;
      				struct HWND__* _v2784;
      				intOrPtr _v2796;
      				void* _v2808;
      				int _v2812;
      				int _v2820;
      				int _v2824;
      				int _v2828;
      				intOrPtr _v2832;
      				intOrPtr _v2836;
      				intOrPtr _v2840;
      				intOrPtr _v2844;
      				int _v2852;
      				int _v2856;
      				int _v2860;
      				int _v2864;
      				int _v2868;
      				intOrPtr _v2872;
      				intOrPtr _v2876;
      				int _v2884;
      				int _v2888;
      				int _v2892;
      				int _v2896;
      				int _v2900;
      				int _v2904;
      				int _v2908;
      				int _v2912;
      				int _v2916;
      				int _v2920;
      				int _v2924;
      				int _v2928;
      				int _v2932;
      				int _v2936;
      				int _v2940;
      				int _v2944;
      				void* _v2968;
      				char* _v2972;
      				char _v2988;
      				void* _v2992;
      				int _v3012;
      				int _v3020;
      				int _v3024;
      				int _v3028;
      				intOrPtr _v3032;
      				intOrPtr _v3036;
      				intOrPtr _v3040;
      				intOrPtr _v3044;
      				int _v3052;
      				int _v3056;
      				int _v3060;
      				int _v3064;
      				int _v3068;
      				intOrPtr _v3072;
      				intOrPtr _v3076;
      				int _v3084;
      				int _v3092;
      				int _v3120;
      				char* _v3124;
      				intOrPtr _v3128;
      				void* _v3136;
      				void* _v3144;
      				int _v3216;
      				int _v3224;
      				int _v3296;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t634;
      				signed int _t635;
      				intOrPtr _t637;
      				int _t638;
      				int _t639;
      				signed int _t642;
      				struct HINSTANCE__* _t655;
      				struct HWND__* _t657;
      				void* _t658;
      				void* _t660;
      				void* _t672;
      				struct HINSTANCE__* _t674;
      				struct HWND__* _t675;
      				signed int _t691;
      				int _t693;
      				int _t696;
      				int _t703;
      				int _t711;
      				int _t723;
      				struct HICON__* _t731;
      				intOrPtr* _t736;
      				intOrPtr* _t748;
      				intOrPtr* _t752;
      				intOrPtr* _t753;
      				intOrPtr* _t759;
      				intOrPtr* _t778;
      				void* _t817;
      				void* _t822;
      				void* _t827;
      				void* _t832;
      				void* _t837;
      				void* _t842;
      				void* _t847;
      				void* _t852;
      				void* _t857;
      				intOrPtr* _t861;
      				int _t878;
      				int _t879;
      				int _t897;
      				int _t898;
      				intOrPtr _t899;
      				intOrPtr* _t901;
      				intOrPtr* _t902;
      				intOrPtr* _t903;
      				void* _t905;
      				int _t907;
      				void* _t908;
      				int _t910;
      				int _t911;
      				int _t914;
      				int _t924;
      				short* _t941;
      				int _t942;
      				int _t949;
      				int _t951;
      				int _t953;
      				int* _t954;
      				signed int _t956;
      				void* _t957;
      				void* _t960;
      				signed int _t962;
      				intOrPtr _t963;
      				void* _t980;
      				int _t982;
      				int _t983;
      				void* _t984;
      				int _t988;
      				struct HWND__* _t991;
      				signed int _t992;
      				int _t994;
      				void* _t995;
      				void* _t997;
      				int _t998;
      				signed int _t999;
      				int _t1001;
      				void* _t1002;
      				int _t1010;
      				int _t1013;
      				struct HICON__* _t1016;
      				struct HICON__* _t1025;
      				int _t1026;
      				int _t1034;
      				void* _t1041;
      				int _t1094;
      				intOrPtr* _t1137;
      				intOrPtr* _t1138;
      				intOrPtr* _t1139;
      				int _t1144;
      				int _t1154;
      				int _t1162;
      				int _t1190;
      				int _t1211;
      				signed int _t1221;
      				struct HWND__* _t1224;
      				int _t1225;
      				int _t1226;
      				void* _t1227;
      				void* _t1232;
      				int _t1234;
      				intOrPtr* _t1235;
      				intOrPtr _t1236;
      				void* _t1237;
      				int _t1238;
      				void* _t1239;
      				short* _t1242;
      				int _t1243;
      				int _t1244;
      				void* _t1245;
      				void* _t1247;
      				struct HWND__** _t1253;
      				struct HWND__* _t1255;
      				struct HWND__* _t1257;
      				void* _t1258;
      				int _t1263;
      				int _t1264;
      				int _t1265;
      				int _t1266;
      				intOrPtr* _t1267;
      				int _t1268;
      				intOrPtr* _t1269;
      				struct HWND__* _t1270;
      				int _t1271;
      				int _t1273;
      				struct HWND__* _t1274;
      				int _t1279;
      				signed int _t1280;
      				void* _t1281;
      				void* _t1282;
      				void* _t1283;
      				void* _t1284;
      				void* _t1285;
      				void* _t1286;
      				void* _t1293;
      				void* _t1294;
      				void* _t1301;
      				void* _t1302;
      				void* _t1303;
      				void* _t1304;
      				void* _t1305;
      				void* _t1306;
      				void* _t1307;
      				void* _t1308;
      				void* _t1309;
      				void* _t1310;
      				void* _t1311;
      				void* _t1312;
      				void* _t1313;
      				void* _t1322;
      				void* _t1326;
      
      				_t1326 = __fp0;
      				_t1220 = __edx;
      				_t1064 = __ebx;
      				_push(0xffffffff);
      				_push(E0048AD80);
      				_push( *[fs:0x0]);
      				_t1282 = _t1281 - 0xcd0;
      				_t634 =  *0x4bb1dc; // 0x2927074f
      				_t635 = _t634 ^ _t1280;
      				_v20 = _t635;
      				_push(_t635);
      				 *[fs:0x0] =  &_v16;
      				_t637 = _a8;
      				_t1224 = _a4;
      				_t1253 = _a16;
      				_v2716 = _t1224;
      				_v2720 = _t1253;
      				_v2712 = 0;
      				_t1322 = _t637 - 0x4e;
      				if(_t1322 > 0) {
      					_t638 = _t637 - 0x110;
      					__eflags = _t638;
      					if(__eflags == 0) {
      						_push(0x40);
      						_t639 = E0046EEB6(__ebx, _t1224, __eflags);
      						_t1283 = _t1282 + 4;
      						_v2740 = _t639;
      						_v8 = 0;
      						__eflags = _t639;
      						if(__eflags != 0) {
      							E00445770(_t1224);
      						}
      						_push(0x40);
      						_v8 = 0xffffffff;
      						_t1225 = E0046EEB6(_t1064, _t1224, __eflags);
      						_t1284 = _t1283 + 4;
      						_v2740 = _t1225;
      						_v8 = 1;
      						__eflags = _t1225;
      						if(_t1225 != 0) {
      							E00445770(GetDlgItem(_v2716, 0x40e));
      						}
      						_v8 = 0xffffffff;
      						_t1226 = 0;
      						do {
      							_v2808 = 1;
      							_t642 = _t1226 + _t1226 * 2 << 2;
      							asm("xorps xmm0, xmm0");
      							_v2740 = _t642;
      							asm("movdqu [ebp-0xaf0], xmm0");
      							_t609 = 0x4a449c + _t642; // 0x4a44c0
      							_v2796 =  *_t609;
      							asm("movq [ebp-0xae0], xmm0");
      							SendMessageW(GetDlgItem(_v2716, 0x40e), 0x133e, _t1226,  &_v2808);
      							GetClientRect(GetDlgItem(_v2716, 0x40e),  &_v2704);
      							SendMessageW(GetDlgItem(_v2716, 0x40e), 0x1328, 0,  &_v2704);
      							__eflags = _t1226;
      							if(_t1226 != 0) {
      								_t655 = GetModuleHandleW(0);
      								_t657 = E004041E0(GetDlgItem(_v2716, 0x40e), _t655,  *((intOrPtr*)(_v2740 + 0x4a44a4)), 0x40000000,  &_v2704);
      								_t1285 = _t1284 + 0x14;
      								_t1255 = _t657;
      								_push(0xc);
      								__eflags = _t1226 - 1;
      								if(_t1226 != 1) {
      									_push(0x4a43f8);
      									_t658 = E00405D60(_t1255);
      									_t1286 = _t1285 + 4;
      									E004070B0(_t658);
      									_push(L"FileSummaryColumns.ByExtension");
      								} else {
      									_push(0x4a4368);
      									_t672 = E00405D60(_t1255);
      									_t1286 = _t1285 + 4;
      									E004070B0(_t672);
      									_push(L"FileSummaryColumns.ByFolder");
      								}
      								_push( *0x4bd2b4);
      								_t660 = E00405D60(_t1255);
      								_t1284 = _t1286 + 4;
      								E00408DB0(_t660, __eflags);
      							} else {
      								_t674 = GetModuleHandleW(_t1226);
      								_t675 = GetDlgItem(_v2716, 0x40e);
      								_t1220 = _v2700;
      								_t1255 = CreateWindowExW(4,  *0x4a44a0,  *0x4a449c, 0x4031000d, _v2704, _v2700, _v2696 - _v2704, _v2692 - _v2700, _t675, 0x6d, _t674, _t1226);
      								SendMessageW(_t1255, 0x1036, _t1226, 0x4030);
      								E0042E9F0(_v2700, _t1255, 0x4a4210, 0xc, 0x4030, _t1226);
      								E0042EB50(__eflags, _t1255,  *0x4bd2b4, L"FileSummaryColumns");
      								_t1284 = _t1284 + 0x20;
      								ShowWindow(_t1255, 5);
      							}
      							SendMessageW(_t1255, 0x30,  *0x4bd708, 0);
      							_v2784 = _t1255;
      							_v2808 = 8;
      							SendMessageW(GetDlgItem(_v2716, 0x40e), 0x133d, _t1226,  &_v2808);
      							_t1226 = _t1226 + 1;
      							__eflags = _t1226 - 3;
      						} while (_t1226 < 3);
      						_t1257 = _v2716;
      						E004585D0(_t1257,  *0x4bd2b4, L"FileSummaryDialog");
      						SetDlgItemTextW(_t1257, 0x42f, 0x48fc20);
      						UpdateWindow(_t1257);
      						PostMessageW(_t1257, 0x111, 1, 0);
      						L225:
      						 *[fs:0x0] = _v16;
      						_pop(_t1227);
      						_pop(_t1258);
      						return E0046F77E(_t1064, _v20 ^ _t1280, _t1220, _t1227, _t1258);
      					}
      					__eflags = _t638 != 1;
      					if(_t638 != 1) {
      						L211:
      						goto L225;
      					}
      					_t691 = _a12 & 0x0000ffff;
      					__eflags = _t691 - 0x418;
      					if(__eflags > 0) {
      						__eflags = _t691 - 0x449;
      						if(_t691 == 0x449) {
      							_t693 = SendMessageW(GetDlgItem(_t1224, 0x40e), 0x130b, 0, 0);
      							_v2740 = _t693;
      							_v2808 = 8;
      							_v2784 = 0;
      							SendMessageW(GetDlgItem(_v2716, 0x40e), 0x133c, _t693,  &_v2808);
      							_t696 = _v2740;
      							_push(1);
      							_push(_v2784);
      							__eflags = _t696;
      							if(_t696 != 0) {
      								__eflags = _t696 - 1;
      								if(_t696 != 1) {
      									E0042FD90(__ebx, _t1220);
      									goto L211;
      								}
      								 *0x4bd0a0 = _t696;
      								E0042FD90(__ebx, _t1220);
      								 *0x4bd0a0 = 0;
      								goto L225;
      							}
      							E0042F1F0(__ebx, _t1220);
      							goto L225;
      						}
      						__eflags = _t691 - 0x9c68;
      						if(_t691 != 0x9c68) {
      							goto L211;
      						}
      						_t703 = SendMessageW(GetDlgItem(_t1224, 0x40e), 0x130b, 0, 0);
      						_v2808 = 8;
      						_v2784 = 0;
      						SendMessageW(GetDlgItem(_v2716, 0x40e), 0x133c, _t703,  &_v2808);
      						E0042F8B0(_v2784, 1);
      						goto L225;
      					}
      					if(__eflags == 0) {
      						SendMessageW(GetParent(_t1224), 0x111, 0x9c57, 0);
      						goto L225;
      					}
      					_t711 = _t691 - 1;
      					__eflags = _t711;
      					if(_t711 == 0) {
      						_v2808 = 8;
      						_v2784 = 0;
      						SendMessageW(GetDlgItem(_t1224, 0x40e), 0x133c, 0,  &_v2808);
      						_v2724 = _v2784;
      						SendMessageW(GetDlgItem(_t1224, 0x40e), 0x133c, 1,  &_v2808);
      						_v2776 = E00405D60(_v2784);
      						SendMessageW(GetDlgItem(_t1224, 0x40e), 0x133c, 2,  &_v2808);
      						_t723 = E00405D60(_v2784);
      						_t1293 = _t1282 + 8;
      						_t1262 = _t723;
      						_v2736 = _t723;
      						SendMessageW(_v2724, 0x1009, 0, 0);
      						E00404370(__ebx, _v2776, _t1220);
      						E00404370(__ebx, _t723, _t1220);
      						E004454F0( &_v2752);
      						_v8 = 4;
      						__eflags = E0041F1C0(0x4bca10, _t1220, __eflags,  &_v2752);
      						if(__eflags != 0) {
      							_t731 = SetCursor(LoadCursorW(0, 0x7f02));
      							_t1230 = _v2776;
      							_v2740 = _t731;
      							SendMessageW(E004061F0(_v2776), 0xb, 0, 0);
      							_push(E0040CA40);
      							_push(0x445480);
      							_push(0x100);
      							_push(8);
      							_push( &_v2688);
      							E00472105(__ebx, _v2776, _t1262, __eflags);
      							_t736 = _v2752;
      							_v8 = 5;
      							_v2768 = 0;
      							_t1263 =  *_t736;
      							_v2728 = _t1263;
      							__eflags = _t1263 - _t736;
      							if(_t1263 == _t736) {
      								L88:
      								E0041D780( &_v3296);
      								_v8 = 0xa;
      								E00446C60(E004063B0(_t1230),  &_v3296);
      								_t1294 = _t1293 + 8;
      								E00405BE0(_t1064, _t1230, _t1230, _t1263, E004063B0(_t1230), 1);
      								_t1264 = IsWindowVisible(E004061F0(_t1230));
      								SendMessageW(E004061F0(_t1230), 0xb, 1, 0);
      								__eflags = _t1264;
      								if(_t1264 == 0) {
      									ShowWindow(E004061F0(_t1230), _t1264);
      								}
      								E004454F0( &_v2696);
      								_t748 = _v2752;
      								_v8 = 0xb;
      								_t1265 =  *_t748;
      								_v2728 = _t1265;
      								__eflags = _t1265 - _t748;
      								if(_t1265 == _t748) {
      									L101:
      									_t1231 = _v2736;
      									SendMessageW(E004061F0(_v2736), 0xb, 0, 0);
      									_v2764 = 0;
      									_v2760 = 0;
      									_v2764 = E00438EF0();
      									_t752 = _v2696;
      									_v8 = 0x10;
      									_t1266 =  *_t752;
      									_v2728 = _t1266;
      									__eflags = _t1266 - _t752;
      									if(__eflags == 0) {
      										L112:
      										_t753 = _v2752;
      										_t1267 =  *_t753;
      										_v2776 = _t1267;
      										__eflags = _t1267 - _t753;
      										if(_t1267 == _t753) {
      											L143:
      											_t1268 = IsWindowVisible(E004061F0(_t1231));
      											SendMessageW(E004061F0(_t1231), 0xb, 1, 0);
      											__eflags = _t1268;
      											if(_t1268 == 0) {
      												ShowWindow(E004061F0(_t1231), _t1268);
      											}
      											asm("xorps xmm0, xmm0");
      											_v2884 = 0;
      											asm("movlpd [ebp-0xb38], xmm0");
      											_v2868 = 0;
      											_v2864 = 0;
      											_v2860 = 0;
      											_v2856 = 0;
      											_v2852 = 0;
      											asm("movlpd [ebp-0xb18], xmm0");
      											asm("movlpd [ebp-0xb10], xmm0");
      											_v2828 = 0;
      											_v2824 = 0;
      											_v2820 = 0;
      											_v8 = 0x13;
      											E0046A0F0( &_v2884, L"<Total>");
      											_t1220 = _v2752;
      											_t759 =  *_t1220;
      											__eflags = _t759 - _t1220;
      											if(_t759 == _t1220) {
      												L157:
      												_t1094 = _v2884;
      												_v3092 = _t1094;
      												__eflags = _t1094;
      												if(_t1094 != 0) {
      													E0046A420(_t1094);
      													_t1094 = _v2884;
      												}
      												_v8 = 0x14;
      												_v3084 = _t1094;
      												__eflags = _t1094;
      												if(_t1094 != 0) {
      													E0046A420(_t1094);
      												}
      												_v3076 = _v2876;
      												_v3072 = _v2872;
      												_v3068 = _v2868;
      												_v3064 = _v2864;
      												_v3060 = _v2860;
      												_v3056 = _v2856;
      												_v3052 = _v2852;
      												_v3044 = _v2844;
      												_v3040 = _v2840;
      												_v3036 = _v2836;
      												_v3032 = _v2832;
      												_v3028 = _v2828;
      												_v3024 = _v2824;
      												_v3020 = _v2820;
      												_v8 = 0x15;
      												E0041CB60( &_v2752,  &_v2732, 0,  &_v3092,  *0x4bdce3 & 0x000000ff);
      												_t1096 = _v3084;
      												_v8 = 0x16;
      												__eflags = _v3084;
      												if(_v3084 != 0) {
      													E0046A700(_t1096);
      												}
      												_t1097 = _v3092;
      												_v8 = 0x13;
      												__eflags = _v3092;
      												if(_v3092 != 0) {
      													E0046A700(_t1097);
      												}
      												_t778 = _v2752;
      												_t1269 =  *_t778;
      												__eflags = _t1269 - _t778;
      												if(_t1269 == _t778) {
      													L197:
      													asm("xorps xmm0, xmm0");
      													_t1270 = _v2716;
      													_v3136 = _v2724;
      													asm("movdqu [ebp-0xc38], xmm0");
      													asm("movdqu [ebp-0xc28], xmm0");
      													_v3128 = 0xffffff94;
      													asm("movq [ebp-0xc18], xmm0");
      													_v3120 = 1;
      													SendMessageW(_t1270, 0x4e, 0x6d,  &_v3136);
      													E00431870( &_v120, L"%u file paths", _v2748);
      													SetDlgItemTextW(_t1270, 0x42f,  &_v120);
      													SetCursor(_v2740);
      													_t1098 = _v2884;
      													_v8 = 0x10;
      													__eflags = _v2884;
      													if(_v2884 != 0) {
      														E0046A700(_t1098);
      													}
      													_v8 = 0xb;
      													E0040E1E0( &_v2764,  &_v2740,  *_v2764, _v2764);
      													E0046EF07(_v2764);
      													_v8 = 0xa;
      													L0045DE90( &_v2696,  &_v2740,  *_v2696, _v2696);
      													E0046EF07(_v2696);
      													_t1101 = _v3296;
      													_v8 = 5;
      													__eflags = _v3296;
      													if(__eflags != 0) {
      														E0046A700(_t1101);
      													}
      													_push(E0040CA40);
      													_push(0x100);
      													_push(8);
      													_v8 = 4;
      													_push( &_v2688);
      													E00472167(_t1064, _t1231, _t1270, __eflags);
      													_v8 = 0xffffffff;
      													L0045DE90( &_v2752,  &_v2740,  *_v2752, _v2752);
      													E0046EF07(_v2752);
      													goto L225;
      												} else {
      													do {
      														_t1220 =  *(_t1269 + 0x24);
      														_t440 = _t1269 + 0x18; // 0x18
      														_t1231 = _t440;
      														E004711AE(_t778,  *((intOrPtr*)(_t440 + 8)),  *(_t1269 + 0x24));
      														asm("divsd xmm0, [0x4962f8]");
      														asm("movsd [esp], xmm0");
      														_push(L"%.07f");
      														_push( &_v640);
      														L00401F90();
      														E00470030( &_v2988, 0, 0x30);
      														_v2988 = 0x7fffffff;
      														_v2992 = 1;
      														_v2972 =  &_v640;
      														_v2712 = SendMessageW(_v2724, 0x104d, 0,  &_v2992);
      														E00436C80(_t1064,  *(_t1269 + 0x24), _t440,  &_v2708,  *((intOrPtr*)(_t440 + 0x10)), 0, 0);
      														_v8 = 0x17;
      														E00436730(_v2724, _v2712, 1,  &_v2708);
      														_t817 = E00436C80(_t1064,  *(_t1269 + 0x24), _t440,  &_v2924,  *((intOrPtr*)(_t1231 + 0x14)), 0, 0);
      														_t1301 = _t1294 - 8 + 0x4c;
      														_v8 = 0x18;
      														E0046A0B0( &_v2708, _t817);
      														_t1105 = _v2924;
      														_v8 = 0x17;
      														__eflags = _v2924;
      														if(_v2924 != 0) {
      															E0046A700(_t1105);
      														}
      														E00436730(_v2724, _v2712, 2,  &_v2708);
      														_t822 = E00436C80(_t1064, _t1220, _t1231,  &_v2912,  *((intOrPtr*)(_t1231 + 0x18)), 0, 0);
      														_t1302 = _t1301 + 0x20;
      														_v8 = 0x19;
      														E0046A0B0( &_v2708, _t822);
      														_t1107 = _v2912;
      														_v8 = 0x17;
      														__eflags = _v2912;
      														if(_v2912 != 0) {
      															E0046A700(_t1107);
      														}
      														E00436730(_v2724, _v2712, 3,  &_v2708);
      														_t827 = E00436C80(_t1064, _t1220, _t1231,  &_v2928,  *((intOrPtr*)(_t1231 + 0x1c)), 0, 0);
      														_t1303 = _t1302 + 0x20;
      														_v8 = 0x1a;
      														E0046A0B0( &_v2708, _t827);
      														_t1109 = _v2928;
      														_v8 = 0x17;
      														__eflags = _v2928;
      														if(_v2928 != 0) {
      															E0046A700(_t1109);
      														}
      														E00436730(_v2724, _v2712, 4,  &_v2708);
      														_t832 = E00436C80(_t1064, _t1220, _t1231,  &_v2920,  *((intOrPtr*)(_t1231 + 0x20)), 0, 0);
      														_t1304 = _t1303 + 0x20;
      														_v8 = 0x1b;
      														E0046A0B0( &_v2708, _t832);
      														_t1111 = _v2920;
      														_v8 = 0x17;
      														__eflags = _v2920;
      														if(_v2920 != 0) {
      															E0046A700(_t1111);
      														}
      														E00436730(_v2724, _v2712, 5,  &_v2708);
      														_t837 = E00436C80(_t1064, _t1220, _t1231,  &_v2896,  *((intOrPtr*)(_t1231 + 0x28)),  *((intOrPtr*)(_t1231 + 0x2c)), 0);
      														_t1305 = _t1304 + 0x20;
      														_v8 = 0x1c;
      														E0046A0B0( &_v2708, _t837);
      														_t1113 = _v2896;
      														_v8 = 0x17;
      														__eflags = _v2896;
      														if(_v2896 != 0) {
      															E0046A700(_t1113);
      														}
      														E00436730(_v2724, _v2712, 6,  &_v2708);
      														_t842 = E00436C80(_t1064, _t1220, _t1231,  &_v2932,  *((intOrPtr*)(_t1231 + 0x30)),  *((intOrPtr*)(_t1231 + 0x34)), 0);
      														_t1306 = _t1305 + 0x20;
      														_v8 = 0x1d;
      														E0046A0B0( &_v2708, _t842);
      														_t1115 = _v2932;
      														_v8 = 0x17;
      														__eflags = _v2932;
      														if(_v2932 != 0) {
      															E0046A700(_t1115);
      														}
      														E00436730(_v2724, _v2712, 7,  &_v2708);
      														_t847 = E00436C80(_t1064, _t1220, _t1231,  &_v2940,  *((intOrPtr*)(_t1231 + 0x38)), 0, 0);
      														_t1307 = _t1306 + 0x20;
      														_v8 = 0x1e;
      														E0046A0B0( &_v2708, _t847);
      														_t1117 = _v2940;
      														_v8 = 0x17;
      														__eflags = _v2940;
      														if(_v2940 != 0) {
      															E0046A700(_t1117);
      														}
      														E00436730(_v2724, _v2712, 8,  &_v2708);
      														_t852 = E00436C80(_t1064, _t1220, _t1231,  &_v2936,  *((intOrPtr*)(_t1231 + 0x3c)), 0, 0);
      														_t1308 = _t1307 + 0x20;
      														_v8 = 0x1f;
      														E0046A0B0( &_v2708, _t852);
      														_t1119 = _v2936;
      														_v8 = 0x17;
      														__eflags = _v2936;
      														if(_v2936 != 0) {
      															E0046A700(_t1119);
      														}
      														E00436730(_v2724, _v2712, 9,  &_v2708);
      														_t857 = E00436C80(_t1064, _t1220, _t1231,  &_v2908,  *((intOrPtr*)(_t1231 + 0x40)), 0, 0);
      														_t1309 = _t1308 + 0x20;
      														_v8 = 0x20;
      														E0046A0B0( &_v2708, _t857);
      														_t1121 = _v2908;
      														_v8 = 0x17;
      														__eflags = _v2908;
      														if(_v2908 != 0) {
      															E0046A700(_t1121);
      														}
      														E00436730(_v2724, _v2712, 0xa,  &_v2708);
      														_t778 = E00436730(_v2724, _v2712, 0xb, _t1231);
      														_t1122 = _v2708;
      														_t1294 = _t1309 + 0x20;
      														_v8 = 0x13;
      														__eflags = _v2708;
      														if(_v2708 != 0) {
      															_t778 = E0046A700(_t1122);
      														}
      														__eflags =  *((char*)(_t1269 + 0xd));
      														if( *((char*)(_t1269 + 0xd)) == 0) {
      															_t861 =  *((intOrPtr*)(_t1269 + 8));
      															__eflags =  *((char*)(_t861 + 0xd));
      															if( *((char*)(_t861 + 0xd)) != 0) {
      																_t778 =  *((intOrPtr*)(_t1269 + 4));
      																__eflags =  *((char*)(_t778 + 0xd));
      																if( *((char*)(_t778 + 0xd)) != 0) {
      																	L195:
      																	_t1269 = _t778;
      																	goto L196;
      																}
      																while(1) {
      																	__eflags = _t1269 -  *((intOrPtr*)(_t778 + 8));
      																	if(_t1269 !=  *((intOrPtr*)(_t778 + 8))) {
      																		goto L195;
      																	}
      																	_t1269 = _t778;
      																	_t778 =  *((intOrPtr*)(_t778 + 4));
      																	__eflags =  *((char*)(_t778 + 0xd));
      																	if( *((char*)(_t778 + 0xd)) == 0) {
      																		continue;
      																	}
      																	goto L195;
      																}
      																goto L195;
      															}
      															_t1269 = _t861;
      															_t778 =  *_t1269;
      															__eflags =  *((char*)(_t778 + 0xd));
      															if( *((char*)(_t778 + 0xd)) != 0) {
      																goto L196;
      															} else {
      																goto L189;
      															}
      															do {
      																L189:
      																_t1269 = _t778;
      																_t778 =  *_t1269;
      																__eflags =  *((char*)(_t778 + 0xd));
      															} while ( *((char*)(_t778 + 0xd)) == 0);
      														}
      														L196:
      														__eflags = _t1269 - _v2752;
      													} while (_t1269 != _v2752);
      													goto L197;
      												}
      											} else {
      												do {
      													_v2876 = _v2876 +  *((intOrPtr*)(_t759 + 0x20));
      													asm("adc [ebp-0xb34], ecx");
      													_v2868 = _v2868 +  *((intOrPtr*)(_t759 + 0x28));
      													_v2864 = _v2864 +  *((intOrPtr*)(_t759 + 0x2c));
      													_v2860 = _v2860 +  *((intOrPtr*)(_t759 + 0x30));
      													_v2856 = _v2856 +  *((intOrPtr*)(_t759 + 0x34));
      													_v2852 = _v2852 +  *((intOrPtr*)(_t759 + 0x38));
      													_v2844 = _v2844 +  *((intOrPtr*)(_t759 + 0x40));
      													asm("adc [ebp-0xb14], ecx");
      													_v2836 = _v2836 +  *((intOrPtr*)(_t759 + 0x48));
      													asm("adc [ebp-0xb0c], ecx");
      													_v2828 = _v2828 +  *((intOrPtr*)(_t759 + 0x50));
      													_v2824 = _v2824 +  *((intOrPtr*)(_t759 + 0x54));
      													_v2820 = _v2820 +  *((intOrPtr*)(_t759 + 0x58));
      													__eflags =  *((char*)(_t759 + 0xd));
      													if( *((char*)(_t759 + 0xd)) != 0) {
      														goto L156;
      													}
      													_t1137 =  *((intOrPtr*)(_t759 + 8));
      													__eflags =  *((char*)(_t1137 + 0xd));
      													if( *((char*)(_t1137 + 0xd)) != 0) {
      														_t1138 =  *((intOrPtr*)(_t759 + 4));
      														__eflags =  *((char*)(_t1138 + 0xd));
      														if( *((char*)(_t1138 + 0xd)) != 0) {
      															L155:
      															_t759 = _t1138;
      															goto L156;
      														} else {
      															goto L153;
      														}
      														while(1) {
      															L153:
      															__eflags = _t759 -  *((intOrPtr*)(_t1138 + 8));
      															if(_t759 !=  *((intOrPtr*)(_t1138 + 8))) {
      																goto L155;
      															}
      															_t759 = _t1138;
      															_t1138 =  *((intOrPtr*)(_t1138 + 4));
      															__eflags =  *((char*)(_t1138 + 0xd));
      															if( *((char*)(_t1138 + 0xd)) == 0) {
      																continue;
      															}
      															goto L155;
      														}
      														goto L155;
      													}
      													_t759 = _t1137;
      													_t1139 =  *_t759;
      													__eflags =  *((char*)(_t1139 + 0xd));
      													if( *((char*)(_t1139 + 0xd)) != 0) {
      														goto L156;
      													}
      													do {
      														_t759 = _t1139;
      														_t1139 =  *_t759;
      														__eflags =  *((char*)(_t1139 + 0xd));
      													} while ( *((char*)(_t1139 + 0xd)) == 0);
      													L156:
      													__eflags = _t759 - _t1220;
      												} while (_t759 != _t1220);
      												goto L157;
      											}
      										} else {
      											goto L113;
      										}
      										do {
      											L113:
      											_t248 = _t1267 + 0x18; // 0x18
      											_t878 = E00435BA0(E0046A170(_t248));
      											__eflags = _t878;
      											_push(0x58);
      											_t1143 =  !=  ? _t878 : L"<none>";
      											_v2768 =  !=  ? _t878 : L"<none>";
      											_t879 = E0046EEB6(_t1064, _t1231, _t878);
      											_t1144 = _t879;
      											_v2728 = _t879;
      											_t1310 = _t1294 + 8;
      											__eflags = _t1144;
      											if(_t1144 == 0) {
      												_t1144 = 0;
      												__eflags = 0;
      												_v2728 = 0;
      											} else {
      												 *_t1144 = 0x4a41f8;
      												 *(_t1144 + 8) = 0;
      												 *(_t1144 + 0x10) = 0;
      												 *(_t1144 + 0x14) = 0;
      												 *(_t1144 + 0x18) = 0;
      												 *(_t1144 + 0x1c) = 0;
      												 *(_t1144 + 0x20) = 0;
      												 *(_t1144 + 0x24) = 0;
      												 *(_t1144 + 0x28) = 0;
      												 *(_t1144 + 0x30) = 0;
      												 *(_t1144 + 0x34) = 0;
      												 *(_t1144 + 0x38) = 0;
      												 *(_t1144 + 0x3c) = 0;
      												 *(_t1144 + 0x40) = 0;
      												 *(_t1144 + 0x44) = 0;
      												 *(_t1144 + 0x48) = 0;
      												 *(_t1144 + 0x50) = 0;
      											}
      											_t268 = _t1267 + 0x18; // 0x18
      											_t269 = _t1144 + 8; // 0x8
      											_t1232 = _t269;
      											E0046A0B0(_t1232, _t268);
      											 *((intOrPtr*)(_t1232 + 8)) =  *((intOrPtr*)(_t1267 + 0x20));
      											 *((intOrPtr*)(_t1232 + 0xc)) =  *((intOrPtr*)(_t1267 + 0x24));
      											 *((intOrPtr*)(_t1232 + 0x10)) =  *((intOrPtr*)(_t1267 + 0x28));
      											 *((intOrPtr*)(_t1232 + 0x14)) =  *((intOrPtr*)(_t1267 + 0x2c));
      											 *((intOrPtr*)(_t1232 + 0x18)) =  *((intOrPtr*)(_t1267 + 0x30));
      											 *((intOrPtr*)(_t1232 + 0x1c)) =  *((intOrPtr*)(_t1267 + 0x34));
      											 *((intOrPtr*)(_t1232 + 0x20)) =  *((intOrPtr*)(_t1267 + 0x38));
      											 *((intOrPtr*)(_t1232 + 0x28)) =  *((intOrPtr*)(_t1267 + 0x40));
      											 *((intOrPtr*)(_t1232 + 0x2c)) =  *((intOrPtr*)(_t1267 + 0x44));
      											 *((intOrPtr*)(_t1232 + 0x30)) =  *((intOrPtr*)(_t1267 + 0x48));
      											 *((intOrPtr*)(_t1232 + 0x34)) =  *((intOrPtr*)(_t1267 + 0x4c));
      											 *((intOrPtr*)(_t1232 + 0x38)) =  *((intOrPtr*)(_t1267 + 0x50));
      											 *((intOrPtr*)(_t1232 + 0x3c)) =  *((intOrPtr*)(_t1267 + 0x54));
      											 *((intOrPtr*)(_t1232 + 0x40)) =  *((intOrPtr*)(_t1267 + 0x58));
      											_t897 = E0046A6C0(_t1064, _v2768, E0046A530(_v2768));
      											_t1294 = _t1310 + 0xc;
      											_v2812 = _t897;
      											_t898 = _v2764;
      											_v8 = 0x12;
      											_t1234 =  *(_t898 + 4);
      											__eflags =  *((char*)(_t1234 + 0xd));
      											if( *((char*)(_t1234 + 0xd)) != 0) {
      												L125:
      												_v2720 = _t898;
      												_t1235 =  &_v2720;
      												goto L126;
      											} else {
      												_t1271 = _t898;
      												do {
      													_t905 = E0046A170( &_v2812);
      													_t907 = E0046F283(_t1064, _t1234, _t1271, E0046A170(_t1234 + 0x10), _t905);
      													_t1294 = _t1294 + 8;
      													__eflags = _t907;
      													if(_t907 >= 0) {
      														_t1271 = _t1234;
      														_t1234 =  *_t1234;
      													} else {
      														_t1234 =  *(_t1234 + 8);
      													}
      													__eflags =  *((char*)(_t1234 + 0xd));
      												} while ( *((char*)(_t1234 + 0xd)) == 0);
      												_t898 = _v2764;
      												__eflags = _t1271 - _t898;
      												_v2744 = _t1271;
      												_t1267 = _v2776;
      												if(_t1271 == _t898) {
      													goto L125;
      												}
      												_t1237 = _v2744;
      												_t908 = E0046A170(_t1237 + 0x10);
      												_t910 = E0046F283(_t1064, _t1237, _t1267, E0046A170( &_v2812), _t908);
      												_t1294 = _t1294 + 8;
      												__eflags = _t910;
      												_t898 = _v2764;
      												if(_t910 < 0) {
      													goto L125;
      												}
      												_v2756 = _t1237;
      												_t1235 =  &_v2756;
      												L126:
      												_t1146 = _v2812;
      												_t1236 =  *_t1235;
      												_v8 = 0x10;
      												__eflags = _v2812;
      												if(_v2812 != 0) {
      													E0046A700(_t1146);
      													_t898 = _v2764;
      												}
      												__eflags = _t1236 - _t898;
      												if(_t1236 != _t898) {
      													_t899 =  *((intOrPtr*)(_t1236 + 0x14));
      												} else {
      													_t899 = 0;
      												}
      												_t1231 = _v2736;
      												E00407580(_v2736, _t899, _v2728, 0, 0);
      												__eflags =  *((char*)(_t1267 + 0xd));
      												if( *((char*)(_t1267 + 0xd)) == 0) {
      													_t901 =  *((intOrPtr*)(_t1267 + 8));
      													__eflags =  *((char*)(_t901 + 0xd));
      													if( *((char*)(_t901 + 0xd)) != 0) {
      														_t902 =  *((intOrPtr*)(_t1267 + 4));
      														__eflags =  *((char*)(_t902 + 0xd));
      														if( *((char*)(_t902 + 0xd)) != 0) {
      															L141:
      															_t1267 = _t902;
      															_v2776 = _t1267;
      															goto L142;
      														}
      														while(1) {
      															__eflags = _t1267 -  *((intOrPtr*)(_t902 + 8));
      															if(_t1267 !=  *((intOrPtr*)(_t902 + 8))) {
      																goto L141;
      															}
      															_t1267 = _t902;
      															_t902 =  *((intOrPtr*)(_t902 + 4));
      															__eflags =  *((char*)(_t902 + 0xd));
      															if( *((char*)(_t902 + 0xd)) == 0) {
      																continue;
      															}
      															goto L141;
      														}
      														goto L141;
      													}
      													_t1267 = _t901;
      													_v2776 = _t1267;
      													_t903 =  *_t1267;
      													__eflags =  *((char*)(_t903 + 0xd));
      													if( *((char*)(_t903 + 0xd)) != 0) {
      														goto L142;
      													}
      													do {
      														_t1267 = _t903;
      														_v2776 = _t1267;
      														_t903 =  *_t1267;
      														__eflags =  *((char*)(_t903 + 0xd));
      													} while ( *((char*)(_t903 + 0xd)) == 0);
      												}
      											}
      											L142:
      											__eflags = _t1267 - _v2752;
      										} while (_t1267 != _v2752);
      										goto L143;
      									}
      									do {
      										_push(0x58);
      										_t911 = E0046EEB6(_t1064, _t1231, __eflags);
      										_t1294 = _t1294 + 4;
      										_v2768 = _t911;
      										__eflags = _t911;
      										if(_t911 == 0) {
      											_t1238 = 0;
      											__eflags = 0;
      										} else {
      											_t227 = _t911 + 8; // 0x8
      											_t1239 = _t227;
      											 *_t911 = 0x4a41f8;
      											E0041D780(_t1239);
      											 *(_t1239 + 0x48) = 0;
      											_t1238 = _v2768;
      										}
      										_t230 = _t1266 + 0x18; // 0x18
      										_t231 = _t1238 + 8; // 0x8
      										E00445BB0(_t231, _t230);
      										_t914 = E00407580(_v2736, 0, _t1238, 0, 0);
      										_t1154 =  *(_t1266 + 0x18);
      										_t1231 = _t914;
      										_v2904 = _t1154;
      										__eflags = _t1154;
      										if(_t1154 != 0) {
      											E0046A420(_t1154);
      										}
      										_v2900 = _t1231;
      										_v8 = 0x11;
      										E0041C8C0( &_v2764,  &_v2780, 0,  &_v2904,  *0x4bdce3 & 0x000000ff);
      										_t1156 = _v2904;
      										_v8 = 0x10;
      										__eflags = _v2904;
      										if(_v2904 != 0) {
      											E0046A700(_t1156);
      										}
      										E00462600( &_v2728);
      										_t1266 = _v2728;
      										__eflags = _t1266 - _v2696;
      									} while (__eflags != 0);
      									_t1231 = _v2736;
      									goto L112;
      								} else {
      									do {
      										_t194 = _t1265 + 0x18; // 0x18
      										_t924 = E00435BA0(E0046A170(_t194));
      										_t1294 = _t1294 + 4;
      										__eflags = _t924;
      										_t1241 =  !=  ? _t924 : L"<none>";
      										E0041D780( &_v3012);
      										_v8 = 0xc;
      										E0046A0F0( &_v3012,  !=  ? _t924 : L"<none>");
      										_t1162 = _v3012;
      										_v3224 = _t1162;
      										__eflags = _t1162;
      										if(_t1162 != 0) {
      											E0046A420(_t1162);
      										}
      										_v8 = 0xd;
      										E0041D700( &_v3216,  &_v3012);
      										_v8 = 0xe;
      										E0041CB60( &_v2696,  &_v2772, 0,  &_v3224,  *0x4bdce3 & 0x000000ff);
      										_t1165 = _v3216;
      										_v8 = 0xf;
      										__eflags = _v3216;
      										if(_v3216 != 0) {
      											E0046A700(_t1165);
      										}
      										_t1166 = _v3224;
      										_v8 = 0xc;
      										__eflags = _v3224;
      										if(_v3224 != 0) {
      											E0046A700(_t1166);
      										}
      										E00445DD0(_v2772 + 0x18, _t1265 + 0x18);
      										_t1169 = _v3012;
      										_v8 = 0xb;
      										__eflags = _v3012;
      										if(_v3012 != 0) {
      											E0046A700(_t1169);
      										}
      										E00462600( &_v2728);
      										_t1265 = _v2728;
      										__eflags = _t1265 - _v2752;
      									} while (_t1265 != _v2752);
      									goto L101;
      								}
      							}
      							do {
      								_t102 = _t1263 + 0x18; // 0x18
      								_t941 = E0046A170(_t102);
      								_t1173 = 0;
      								__eflags = 0;
      								_v2756 = _t941;
      								_v2708 = 0;
      								while(1) {
      									__eflags =  *_t941 - 0x5c;
      									_t1242 = _t941;
      									if( *_t941 != 0x5c) {
      										goto L54;
      									}
      									L51:
      									_t105 = _t1263 + 0x18; // 0x18
      									_t1173 = _t105;
      									_t984 = E0046A170(_t105);
      									__eflags = _v2756 - _t984;
      									if(_v2756 != _t984) {
      										goto L54;
      									}
      									do {
      										_t1242 = _t1242 + 2;
      										__eflags =  *_t1242 - 0x5c;
      									} while ( *_t1242 == 0x5c);
      									L54:
      									_push(0x5c);
      									_push(_t1242);
      									_t942 = E004713E7(_t1173);
      									_t1243 = _t942;
      									_t1311 = _t1293 + 8;
      									_v2744 = _t1243;
      									__eflags = _t1243;
      									if(_t1243 == 0) {
      										_push(_t942);
      										_push(_v2756);
      										_t983 = E004713E7(_t1173);
      										_t1311 = _t1311 + 8;
      										_v2744 = _t983;
      										_t1243 = _t983;
      									}
      									E00434E40(_v2756,  &_v2720, _v2756, _t1243 - _v2756 >> 1);
      									_t1312 = _t1311 + 0xc;
      									_t948 = _v2708;
      									_v8 = 6;
      									__eflags = _v2708 - _v2768;
      									if(__eflags >= 0) {
      										L58:
      										_push(0x58);
      										_t949 = E0046EEB6(_t1064, _t1243, __eflags);
      										_t1313 = _t1312 + 4;
      										_v2768 = _t949;
      										__eflags = _t949;
      										if(_t949 == 0) {
      											_t1244 = 0;
      											__eflags = 0;
      										} else {
      											_t120 = _t949 + 8; // 0x8
      											_t1245 = _t120;
      											 *_t949 = 0x4a41f8;
      											E0041D780(_t1245);
      											 *(_t1245 + 0x48) = 0;
      											_t1244 = _v2768;
      										}
      										__eflags =  *_v2744;
      										if( *_v2744 == 0) {
      											_t124 = _t1263 + 0x18; // 0x18
      											_t125 = _t1244 + 8; // 0x8
      											E00445BB0(_t125, _t124);
      										}
      										_t951 = E0046A720( &_v2720);
      										__eflags = _t951;
      										if(_t951 == 0) {
      											_t953 = E0046A6C0(_t1064, "\\", E0046A530("\\"));
      											_t1313 = _t1313 + 0xc;
      											_v2892 = _t953;
      											_t134 =  &_v2712;
      											 *_t134 = _v2712 | 0x00000002;
      											__eflags =  *_t134;
      											_t954 =  &_v2892;
      											_v8 = 8;
      										} else {
      											_t1190 = _v2720;
      											_v2888 = _t1190;
      											__eflags = _t1190;
      											if(_t1190 != 0) {
      												E0046A420(_t1190);
      											}
      											_v2712 = _v2712 | 0x00000001;
      											_t954 =  &_v2888;
      											_v8 = 7;
      										}
      										_t138 = _t1244 + 8; // 0x8
      										E0046A0B0(_t138, _t954);
      										_t956 = _v2712;
      										_v8 = 7;
      										__eflags = _t956 & 0x00000002;
      										if((_t956 & 0x00000002) != 0) {
      											_t1189 = _v2892;
      											_t956 = _t956 & 0xfffffffd;
      											_v2712 = _t956;
      											__eflags = _v2892;
      											if(_v2892 != 0) {
      												E0046A700(_t1189);
      												_t956 = _v2712;
      											}
      										}
      										_v8 = 6;
      										__eflags = _t956 & 0x00000001;
      										if((_t956 & 0x00000001) != 0) {
      											_t1188 = _v2888;
      											_v2712 = _t956 & 0xfffffffe;
      											__eflags = _v2888;
      											if(_v2888 != 0) {
      												E0046A700(_t1188);
      											}
      										}
      										_t151 = _t1263 + 0x18; // 0x18
      										_t957 = E0046A170(_t151);
      										_t153 = _t1263 + 0x18; // 0x18
      										_t960 = E00434E40(_t153,  &_v2916, E0046A170(_t153), _v2744 - _t957 >> 1);
      										_t1293 = _t1313 + 0xc;
      										_t155 = _t1244 + 0x50; // 0x50
      										_v8 = 9;
      										E0046A0B0(_t155, _t960);
      										_t1183 = _v2916;
      										_v8 = 6;
      										__eflags = _v2916;
      										if(_v2916 != 0) {
      											E0046A700(_t1183);
      										}
      										_t962 = _v2708;
      										__eflags = _t962;
      										if(_t962 == 0) {
      											_t963 = 0;
      											__eflags = 0;
      										} else {
      											_t963 =  *((intOrPtr*)(_t1280 + _t962 * 8 - 0xa80));
      										}
      										 *((intOrPtr*)(_t1280 + _v2708 * 8 - 0xa78)) = E00407580(_v2776, _t963, _t1244, 0, 0);
      										E0046A0B0( &_v2688 + _v2708 * 8,  &_v2720);
      										_t1221 = _v2708;
      										_t1243 = _v2744;
      										_v2768 = _t1221 + 1;
      										goto L81;
      									} else {
      										_t980 = E0046A170( &_v2688 + _t948 * 8);
      										_t982 = E0046F283(_t1064, _t1243, _t1263, E0046A170( &_v2720), _t980);
      										_t1293 = _t1312 + 8;
      										__eflags = _t982;
      										if(__eflags == 0) {
      											_t1221 = _v2708;
      											L81:
      											__eflags =  *_t1243;
      											_t1173 = _v2720;
      											_v8 = 5;
      											if( *_t1243 == 0) {
      												break;
      											}
      											_t179 = _t1243 + 2; // 0x2
      											_t941 = _t179;
      											_v2756 = _t941;
      											_v2708 = _t1221 + 1;
      											__eflags = _t1173;
      											if(_t1173 != 0) {
      												E0046A700(_t1173);
      												_t941 = _v2756;
      											}
      											__eflags =  *_t941 - 0x5c;
      											_t1242 = _t941;
      											if( *_t941 != 0x5c) {
      												goto L54;
      											}
      											goto L51;
      										}
      										goto L58;
      									}
      								}
      								__eflags = _t1173;
      								if(_t1173 != 0) {
      									E0046A700(_t1173);
      								}
      								E00462600( &_v2728);
      								_t1263 = _v2728;
      								__eflags = _t1263 - _v2752;
      							} while (_t1263 != _v2752);
      							_t1230 = _v2776;
      							goto L88;
      						}
      						SendMessageW(_t1224, 0x10, 0, 0);
      						E004459C0( &_v2752);
      						goto L225;
      					}
      					_t988 = _t711 - 1;
      					__eflags = _t988;
      					if(_t988 != 0) {
      						goto L211;
      					}
      					SendMessageW(_t1224, 0x10, _t988, _t988);
      					goto L225;
      				}
      				if(_t1322 == 0) {
      					_t991 = _t1253[2];
      					__eflags = _t991 - 0xffffff94;
      					if(__eflags > 0) {
      						__eflags = _t991 - 0xfffffffd;
      						if(_t991 != 0xfffffffd) {
      							goto L211;
      						}
      						_t992 = _a12;
      						__eflags = _t992 - 0x6d;
      						if(_t992 == 0x6d) {
      							L20:
      							_t994 = SendMessageW(GetDlgItem(_t1224, 0x40e), 0x130b, 0, 0);
      							_v2728 = _t994;
      							__eflags = _t994;
      							if(_t994 != 0) {
      								_t995 = E00405D60( *_t1253);
      								_t1282 = _t1282 + 4;
      								_t997 = E00406130(E00406630(_t995));
      								__eflags = _v2728 - 1;
      								if(_v2728 != 1) {
      									_t62 = _t997 + 8; // 0x8
      									_t998 = E0046A170(_t62);
      									_v2736 = 5;
      								} else {
      									_t60 = _t997 + 0x50; // 0x50
      									_t998 = E0046A170(_t60);
      									_v2736 = 4;
      								}
      								_t1273 = _t998;
      								__eflags = _t1273;
      								if(_t1273 == 0) {
      									goto L211;
      								} else {
      									L27:
      									_t999 =  *_t1273 & 0x0000ffff;
      									__eflags = _t999;
      									if(_t999 == 0) {
      										goto L211;
      									}
      									__eflags = _t999 - 0x3c;
      									if(_t999 == 0x3c) {
      										goto L211;
      									}
      									_v2740 = 0x4bca10;
      									EnterCriticalSection(0x4bca10);
      									_t1247 = GetPropW;
      									_v8 = 2;
      									__eflags = GetPropW(_v2716, L"PreviousFilterItem");
      									if(__eflags != 0) {
      										E00413AB0(0x4bca94, GetPropW(_v2716, L"PreviousFilterItem"));
      										_t1010 = GetPropW(_v2716, L"PreviousFilterItem");
      										_v2728 = _t1010;
      										__eflags = _t1010;
      										if(__eflags != 0) {
      											_t1204 =  *(_t1010 + 8);
      											__eflags =  *(_t1010 + 8);
      											if( *(_t1010 + 8) != 0) {
      												E0046A700(_t1204);
      												_t1010 = _v2728;
      											}
      											E0046EF07(_t1010);
      											_t1282 = _t1282 + 4;
      										}
      									}
      									_push(0x20);
      									_t1001 = E0046EEB6(_t1064, _t1247, __eflags);
      									_v2728 = _t1001;
      									_v8 = 3;
      									__eflags = _t1001;
      									if(_t1001 == 0) {
      										_t1002 = 0;
      										__eflags = 0;
      									} else {
      										_t1002 = E004129A0(_t1001, _t1326, 0x9c87, _v2736, _t1273, 1);
      									}
      									_t1274 = _v2716;
      									_v8 = 2;
      									SetPropW(_t1274, L"PreviousFilterItem", _t1002);
      									E00412A40(0x4bca94, GetPropW(_t1274, L"PreviousFilterItem"));
      									_push(0);
      									E00418140(0x4bca10, __eflags);
      									LeaveCriticalSection(0x4bca10);
      									goto L225;
      								}
      							}
      							_t1013 = SendMessageW( *_t1253, 0x1042, _t994, _t994);
      							__eflags = _t1013;
      							if(_t1013 < 0) {
      								goto L211;
      							}
      							_v3136 = 0xb;
      							_v640 = 0;
      							_v3124 =  &_v640;
      							_v3120 = 0x104;
      							SendMessageW( *_t1253, 0x1073, _t1013,  &_v3144);
      							_v2736 = 0;
      							_t1273 =  &_v640;
      							goto L27;
      						}
      						__eflags = _t992 - 0x6e;
      						if(_t992 == 0x6e) {
      							goto L20;
      						}
      						__eflags = _t992 - 0x6f;
      						if(_t992 != 0x6f) {
      							goto L211;
      						}
      						goto L20;
      					}
      					if(__eflags == 0) {
      						_t1016 = SetCursor(LoadCursorW(0, 0x7f02));
      						__eflags =  *(_v2720 + 0x10);
      						_v2728 = __eflags == 0;
      						_v2728 = E0042EE90( *(_v2720 + 0x10), __eflags,  *_v2720,  *(_v2720 + 0x10), _v2728);
      						E0042FCF0( *_v2720,  *(_v2720 + 0x10), 0x4a4210, _v2728);
      						SetCursor(_t1016);
      						goto L225;
      					}
      					__eflags = _t991 - 0x7d3;
      					if(_t991 == 0x7d3) {
      						_v2736 = E00405D60( *_t1253);
      						_t1025 = SetCursor(LoadCursorW(0, 0x7f02));
      						_t1211 =  *(_v2720 + 0x14);
      						__eflags = _t1211;
      						_v2728 = __eflags == 0;
      						_push(_v2728);
      						_push(_t1211);
      						_t1026 = E004097C0(_v2736, _t1220, __eflags);
      						_push(1);
      						_v2728 = _t1026;
      						_push(_v2728);
      						E004094D0(_v2736, 0, E004469B0,  *(_v2720 + 0x14), 0);
      						E004087A0(__ebx, _v2736, _t1220, __eflags);
      						SetCursor(_t1025);
      						goto L225;
      					}
      					__eflags = _t991 + 0x228 - 1;
      					if(_t991 + 0x228 > 1) {
      						goto L211;
      					}
      					_t1034 = SendMessageW(GetDlgItem(_t1224, 0x40e), 0x130b, 0, 0);
      					_v2808 = 8;
      					_v2784 = 0;
      					SendMessageW(GetDlgItem(_v2716, 0x40e), 0x133c, _t1034,  &_v2808);
      					_t1220 = 5;
      					__eflags =  *((intOrPtr*)(_v2720 + 8)) - 0xfffffdd9;
      					_t1038 =  ==  ? 5 : 0;
      					ShowWindow(_v2784,  ==  ? 5 : 0);
      					goto L225;
      				}
      				_t1041 = _t637 - 2;
      				if(_t1041 == 0) {
      					E004595D0(_t1224,  *0x4bd2b4, L"FileSummaryDialog");
      					_v2968 = 8;
      					_v2944 = 0;
      					SendMessageW(GetDlgItem(_t1224, 0x40e), 0x133c, 0,  &_v2968);
      					E0042EC40(__eflags, _v2944,  *0x4bd2b4, L"FileSummaryColumns");
      					SendMessageW(GetDlgItem(_v2716, 0x40e), 0x133c, 1,  &_v2968);
      					E00408EC0(E00405D60(_v2944), __eflags,  *0x4bd2b4, L"FileSummaryColumns.ByFolder");
      					SendMessageW(GetDlgItem(_v2716, 0x40e), 0x133c, 2,  &_v2968);
      					E00408EC0(E00405D60(_v2944), __eflags,  *0x4bd2b4, L"FileSummaryColumns.ByExtension");
      					_t1279 = GetPropW(_v2716, L"PreviousFilterItem");
      					__eflags = _t1279;
      					if(_t1279 == 0) {
      						goto L211;
      					} else {
      						_t1219 =  *(_t1279 + 8);
      						__eflags =  *(_t1279 + 8);
      						if( *(_t1279 + 8) != 0) {
      							E0046A700(_t1219);
      						}
      						E0046EF07(_t1279);
      						goto L225;
      					}
      				}
      				if(_t1041 != 0xe) {
      					goto L211;
      				} else {
      					DestroyWindow(_t1224);
      					goto L225;
      				}
      			}
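The `do { ... } while (_t1263 != _v2752)` loop above, the one that fetches each list item's string at `+0x18`, scans it for `0x5c` (a backslash) and allocates 0x58-byte nodes with the vtable `0x4a41f8`, reads like the folder-tree build behind a "by folder" summary view: each path is cut into backslash-separated components, a node is created per component, and a per-depth cache of the previous path's components (`_v2688`/`_v2768`) decides whether an existing node is reused. The Python below is an added example written for this report, not code from the Joe Sandbox output or from Process Monitor, and it encodes assumptions about the renamed helpers that the dump does not confirm: `E0046A170` returns the item's wide-string buffer, `E004713E7` behaves like `wcschr` (searching for NUL when the pushed character is 0), `E0046F283` is a string compare returning 0 on a match (whether it is case-insensitive cannot be told from the dump), and `E0046EEB6`/`E00407580` allocate a node and insert it under a parent. The names `build_tree`, `split_component`, `walk` and the sample paths are constructed for illustration. Reading a flagged function this way is what lets an analyst separate UI bookkeeping like this from the behaviours the signatures in the report actually key on.

```python
# Added example: Python reconstruction of the per-depth folder-tree build in the
# decompiled loop. Not code from the report or from Process Monitor; the helper
# semantics below are assumptions drawn from how the renamed functions are used.
#   E0046A170(item+0x18)      -> the item's wide-string path buffer
#   E004713E7(p, ch)          -> wcschr-like search (NUL when ch == 0)
#   E0046F283(a, b)           -> string compare, 0 on match (case handling unknown)
#   E0046EEB6(0x58)/E00407580 -> allocate a 0x58-byte node / insert it under a parent
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class Node:
    name: str                      # text shown for this level ("\\" when the component is empty)
    prefix: str                    # path from the start of the string up to this component
    parent: Optional[Node]
    is_leaf: bool = False          # set when the component ended the path (the "*pos == 0" branch)
    children: list[Node] = field(default_factory=list)


def split_component(path: str, start: int) -> tuple[str, int]:
    """Return (component, index of the backslash that ends it, or len(path) if none).

    Mirrors the decompiled scan: only when the cursor is still at the very start of
    the string and sits on a backslash is a whole run of backslashes swallowed first,
    so a UNC prefix such as "\\\\server" becomes one component, not two empty ones.
    """
    cur = start
    if cur == 0 and path[cur:cur + 1] == "\\":
        cur += 1
        while path[cur:cur + 1] == "\\":
            cur += 1
    pos = path.find("\\", cur)
    if pos == -1:
        pos = len(path)
    return path[start:pos], pos


def build_tree(paths: list[str]) -> Node:
    """Build a folder tree from a path list, one component per level.

    Only a per-depth cache of the *previous* path is kept (the decompiled code's
    _v2688/_v2768 arrays), so a node is reused only while consecutive paths share
    a prefix; unsorted input therefore yields duplicate folder nodes.
    """
    root = Node("", "", None)
    nodes: list[Node] = []   # node created at each depth for the most recent path
    comps: list[str] = []    # component text at each depth for the most recent path
    depth_valid = 0          # how many cache entries still describe the current path
    for path in paths:
        start, idx = 0, 0
        while True:
            comp, pos = split_component(path, start)
            if idx < depth_valid and comps[idx] == comp:
                node = nodes[idx]                       # same component as last path: reuse
            else:
                parent = root if idx == 0 else nodes[idx - 1]
                node = Node(comp if comp else "\\", path[:pos], parent,
                            is_leaf=(pos == len(path)))
                parent.children.append(node)
                if idx < len(nodes):
                    nodes[idx], comps[idx] = node, comp
                else:
                    nodes.append(node)
                    comps.append(comp)
                depth_valid = idx + 1                   # deeper cache entries are now stale
            if pos == len(path):
                break
            start, idx = pos + 1, idx + 1
    return root


def walk(node: Node, depth: int = 0) -> Iterator[tuple[int, str, str]]:
    """Yield (depth, name, prefix) in display order."""
    for child in node.children:
        yield depth, child.name, child.prefix
        yield from walk(child, depth + 1)


# Constructed sample input, not taken from the report.
SAMPLE_PATHS = [
    "C:\\Windows\\System32\\ntdll.dll",
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Windows\\explorer.exe",
    "\\\\srv\\share\\doc.txt",
]

if __name__ == "__main__":
    for depth, name, prefix in walk(build_tree(SAMPLE_PATHS)):
        print("  " * depth + name, " ->", prefix)
```

The caveat worth checking when reproducing this: because only the previous path's components are cached, `build_tree(["C:\\a\\x", "D:\\y", "C:\\a\\z"])` produces two separate `C:` nodes, while `build_tree(sorted(...))` merges them. The original loop behaves the same way if its input list is not sorted, which is consistent with it being fed from an already ordered summary list rather than raw event order.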

[Per-line instruction addresses for this function (0x00448aa0 through 0x0044a645, with 0x00000000 where a decompiled line maps to no instruction): the instruction, opcode and API/string columns of the listing did not survive extraction, so the 1047-entry address column is not reproduced here.]
      0x00000000
      0x00448dd2
      0x00448dd5
      0x00448dd8
      0x00448de8
      0x00448e04
      0x00448e06
      0x00448e0c
      0x00448e0e
      0x00448e71
      0x00448e76
      0x00448e82
      0x00448e87
      0x00448e8e
      0x00448ea4
      0x00448ea7
      0x00448eac
      0x00448e90
      0x00448e90
      0x00448e93
      0x00448e98
      0x00448e98
      0x00448eb6
      0x00448eb8
      0x00448eba
      0x00000000
      0x00448ec0
      0x00448ec0
      0x00448ec0
      0x00448ec3
      0x00448ec6
      0x00000000
      0x00000000
      0x00448ecc
      0x00448ecf
      0x00000000
      0x00000000
      0x00448eda
      0x00448ee4
      0x00448eea
      0x00448efb
      0x00448f04
      0x00448f06
      0x00448f1b
      0x00448f2b
      0x00448f2d
      0x00448f33
      0x00448f35
      0x00448f37
      0x00448f3a
      0x00448f3c
      0x00448f3e
      0x00448f43
      0x00448f43
      0x00448f4a
      0x00448f4f
      0x00448f4f
      0x00448f35
      0x00448f52
      0x00448f54
      0x00448f5c
      0x00448f62
      0x00448f66
      0x00448f68
      0x00448f81
      0x00448f81
      0x00448f6a
      0x00448f7a
      0x00448f7a
      0x00448f83
      0x00448f90
      0x00448f94
      0x00448fa8
      0x00448fad
      0x00448fb4
      0x00448fbe
      0x00000000
      0x00448fc4
      0x00448eba
      0x00448e19
      0x00448e1b
      0x00448e1d
      0x00000000
      0x00000000
      0x00448e25
      0x00448e2f
      0x00448e3c
      0x00448e51
      0x00448e5b
      0x00448e5d
      0x00448e67
      0x00000000
      0x00448e67
      0x00448dda
      0x00448ddd
      0x00000000
      0x00000000
      0x00448ddf
      0x00448de2
      0x00000000
      0x00000000
      0x00000000
      0x00448de2
      0x00448c3c
      0x00448d77
      0x00448d84
      0x00448d86
      0x00448d9b
      0x00448db7
      0x00448dc0
      0x00000000
      0x00448dc2
      0x00448c42
      0x00448c47
      0x00448ce1
      0x00448cfb
      0x00448d05
      0x00448d08
      0x00448d0a
      0x00448d11
      0x00448d17
      0x00448d1e
      0x00448d29
      0x00448d2b
      0x00448d31
      0x00448d49
      0x00448d54
      0x00448d5a
      0x00000000
      0x00448d5c
      0x00448c52
      0x00448c55
      0x00000000
      0x00000000
      0x00448c79
      0x00448c81
      0x00448c9d
      0x00448caa
      0x00448cb4
      0x00448cb9
      0x00448cc0
      0x00448cca
      0x00000000
      0x00448cd0
      0x00448afb
      0x00448afe
      0x00448b23
      0x00448b2b
      0x00448b3b
      0x00448b62
      0x00448b75
      0x00448b99
      0x00448bb6
      0x00448bd7
      0x00448bf4
      0x00448c0a
      0x00448c0c
      0x00448c0e
      0x00000000
      0x00448c14
      0x00448c14
      0x00448c17
      0x00448c19
      0x00448c1b
      0x00448c1b
      0x00448c21
      0x00000000
      0x00448c29
      0x00448c0e
      0x00448b03
      0x00000000
      0x00448b09
      0x00448b0a
      0x00000000
      0x00448b10

      APIs
      • DestroyWindow.USER32(?,2927074F), ref: 00448B0A
      • GetDlgItem.USER32 ref: 00448B59
      • SendMessageW.USER32(00000000), ref: 00448B62
      • GetDlgItem.USER32 ref: 00448B96
      • SendMessageW.USER32(00000000), ref: 00448B99
      • GetDlgItem.USER32 ref: 00448BD4
      • SendMessageW.USER32(00000000), ref: 00448BD7
      • GetPropW.USER32(?,PreviousFilterItem), ref: 00448C04
      • GetDlgItem.USER32 ref: 00448C70
      • SendMessageW.USER32(00000000), ref: 00448C79
      • GetDlgItem.USER32 ref: 00448CA7
      • SendMessageW.USER32(00000000), ref: 00448CAA
      • ShowWindow.USER32(00000000,00000000), ref: 00448CCA
      • SendMessageW.USER32(?,00000010,?,?), ref: 00449003
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$Item$Window$DestroyPropShow
      • String ID: $%.07f$%u file paths$<Total>$<none>$FileSummaryColumns$FileSummaryColumns.ByExtension$FileSummaryColumns.ByFolder$FileSummaryDialog$PreviousFilterItem
      • API String ID: 1459556695-3159590984
      • Opcode ID: d6414b582c9d057a5c34efcce099d6e6f7388452c97753338588a5dee42b890e
      • Instruction ID: a4b467ffa1ca0b059921bdb5c515e256d4d8a913954e0deb444cf2d52f93f0c1
      • Opcode Fuzzy Hash: d6414b582c9d057a5c34efcce099d6e6f7388452c97753338588a5dee42b890e
      • Instruction Fuzzy Hash: 22F28071A00319AFEB20DF65CC45B9EB7B4AF05308F0440EAE509B7691DB786E85CF5A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00404C10(intOrPtr __ecx, struct HDC__** _a4, struct HRGN__* _a8) {
      				signed int _v8;
      				char _v528;
      				struct tagRECT _v544;
      				signed int _v548;
      				long _v552;
      				struct tagPOINT _v560;
      				struct tagRECT _v576;
      				struct tagRECT _v592;
      				struct tagRECT _v608;
      				struct tagRECT _v624;
      				struct tagRECT _v640;
      				struct tagRECT _v656;
      				struct tagTEXTMETRICW _v716;
      				struct tagRECT _v748;
      				signed int _v752;
      				signed int _v756;
      				struct tagPOINT* _v760;
      				intOrPtr* _v764;
      				signed int _v768;
      				intOrPtr _v772;
      				intOrPtr _v776;
      				intOrPtr* _v780;
      				struct HBRUSH__* _v784;
      				signed int _v788;
      				signed int _v792;
      				struct HRGN__* _v796;
      				void* _v800;
      				signed int _v804;
      				int _v808;
      				void* _v812;
      				signed int _v816;
      				signed int _v820;
      				struct HBITMAP__* _v824;
      				struct HDC__* _v828;
      				int _v832;
      				void* _v836;
      				int _v840;
      				struct HRGN__* _v844;
      				char _v848;
      				void* _v852;
      				long* _v856;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t407;
      				signed int _t428;
      				intOrPtr* _t435;
      				signed int _t437;
      				signed int _t441;
      				signed int _t444;
      				long* _t446;
      				long _t447;
      				void* _t449;
      				void* _t454;
      				long _t455;
      				signed int _t456;
      				void* _t460;
      				long _t475;
      				void* _t476;
      				signed int _t485;
      				long _t486;
      				void* _t501;
      				intOrPtr _t508;
      				struct tagPOINT* _t519;
      				intOrPtr _t520;
      				struct HBRUSH__* _t537;
      				long _t554;
      				int _t560;
      				int _t563;
      				signed int _t570;
      				signed char _t572;
      				long _t583;
      				long _t588;
      				long _t590;
      				long _t593;
      				struct tagPOINT* _t605;
      				intOrPtr _t624;
      				intOrPtr _t628;
      				void* _t629;
      				void* _t631;
      				intOrPtr _t636;
      				intOrPtr _t637;
      				signed int _t642;
      				intOrPtr _t645;
      				signed int _t648;
      				signed int _t649;
      				signed int _t658;
      				signed int _t677;
      				int _t680;
      				int _t682;
      				intOrPtr _t686;
      				long _t687;
      				long _t691;
      				int _t692;
      				long _t695;
      				int _t696;
      				int _t701;
      				signed int _t703;
      				intOrPtr* _t705;
      				intOrPtr _t706;
      				signed int _t707;
      				void* _t709;
      				signed int _t715;
      				signed int _t718;
      				signed int _t722;
      				long* _t725;
      				long _t726;
      				signed int _t727;
      				struct tagPOINT* _t728;
      				long _t729;
      				signed int _t730;
      				long _t731;
      				signed int _t732;
      				struct HDC__* _t735;
      				void* _t737;
      				void* _t739;
      				long _t740;
      				signed int _t741;
      				signed int _t744;
      				void* _t745;
      				signed int _t748;
      				void* _t751;
      				long _t753;
      				signed int _t754;
      				WCHAR* _t755;
      				void* _t756;
      				long _t757;
      				long _t759;
      				struct HBRUSH__* _t761;
      				struct HDC__* _t762;
      				struct HDC__** _t769;
      				void* _t770;
      				void* _t771;
      				signed int _t773;
      				signed int _t776;
      				void* _t787;
      				void* _t795;
      
      				_t773 = _t776;
      				_t407 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t407 ^ _t773;
      				_t769 = _a4;
      				_t628 = __ecx;
      				_v776 = __ecx;
      				_v844 = _a8;
      				_t735 = GetDC( *(__ecx + 8));
      				SelectObject(_t735,  *(_t628 + 0x30));
      				GetTextMetricsW(_t735,  &_v716);
      				_v768 = _v716.tmHeight;
      				ReleaseDC( *(_t628 + 8), _t735);
      				if( *((intOrPtr*)(_t628 + 0x38)) == 0) {
      					_t648 = _v768;
      				} else {
      					_t648 =  <  ? GetSystemMetrics(0x32) : _v768;
      				}
      				_v788 =  *((intOrPtr*)(_t628 + 0x68)) + _t648;
      				GetWindowRect( *(_t628 + 0xc),  &(_v716.tmFirstChar));
      				_t737 = _v716.tmCharSet - _v716.tmDefaultChar;
      				_t22 = SendMessageW( *(_t628 + 0x14), 0x1200, 0, 0) + 1; // 0x1
      				_t649 = _t22;
      				_v752 = _t649;
      				asm("cdq");
      				_v792 = (_t769[3] - _t737) / _v788;
      				asm("cdq");
      				_t715 = (_t769[5] - _t737) / _v788;
      				_v820 = _t715;
      				_t428 =  <  ? 0 : _v792;
      				_v792 = _t428;
      				if(_t649 == 0) {
      					L102:
      					FillRect( *_t769,  &(_t769[2]), GetSysColorBrush(5));
      					_pop(_t739);
      					_pop(_t770);
      					__eflags = _v8 ^ _t773;
      					_pop(_t629);
      					return E0046F77E(_t629, _v8 ^ _t773, _t715, _t739, _t770);
      				} else {
      					_t787 = _t428 - _t715;
      					if(_t787 > 0) {
      						goto L102;
      					} else {
      						_push( ~(0 | _t787 > 0x00000000) | _v752 * 0x00000004);
      						_t435 = E0046EE59(_t628, 0, _t787);
      						_v764 = _t435;
      						 *_t435 = 0;
      						_t51 = _t435 + 4; // 0x4
      						_t740 = _t51;
      						SendMessageW( *(_t628 + 0x14), 0x1211, _v752 - 1, _t740);
      						_t718 = _v752;
      						_t437 = 1;
      						_t658 = _t718 - 1;
      						if(_t718 > 1) {
      							if(_t658 >= 8) {
      								_t707 = _t658 & 0x80000007;
      								if(_t707 < 0) {
      									_t707 = (_t707 - 0x00000001 | 0xfffffff8) + 1;
      								}
      								asm("movdqa xmm1, [0x48fcc0]");
      								_v800 = _t707;
      								_t709 = _t718 - _v800;
      								do {
      									asm("movdqu xmm0, [edi]");
      									_t437 = _t437 + 8;
      									_t740 = _t740 + 0x20;
      									asm("paddd xmm0, xmm1");
      									asm("movdqu [edi-0x20], xmm0");
      									asm("movdqu xmm0, [edi-0x10]");
      									asm("paddd xmm0, xmm1");
      									asm("movdqu [edi-0x10], xmm0");
      								} while (_t437 < _t709);
      							}
      							if(_t437 < _t718) {
      								_t706 = _v764;
      								do {
      									 *((intOrPtr*)(_t706 + _t437 * 4)) =  *((intOrPtr*)(_t706 + _t437 * 4)) + 1;
      									_t437 = _t437 + 1;
      									_t795 = _t437 - _t718;
      								} while (_t795 < 0);
      							}
      						}
      						_push( ~(0 | _t795 > 0x00000000) | _t718 * 0x00000010);
      						_v780 = E0046EE59(_t628, _t740, _t795);
      						_t441 = _v752;
      						_t722 = _t441 * 4 >> 0x20;
      						_push( ~(0 | _t795 > 0x00000000) | _t441 * 0x00000004);
      						_v772 = E0046EE59(_t628, _t740, _t795);
      						_t444 = _v752;
      						_t741 = 0;
      						_v816 = _t444;
      						_v796 = 0;
      						if(_t444 > 0) {
      							do {
      								_t605 = (_t741 << 4) + _v780;
      								_v760 = _t605;
      								_t701 =  *(_v764 + _t741 * 4);
      								_push(_t605);
      								if(_t701 != 0) {
      									SendMessageW( *(_t628 + 0x14), 0x1207, _t701 - 1, ??);
      									MapWindowPoints( *(_t628 + 0x14),  *(_t628 + 8), _v760, 2);
      								} else {
      									SendMessageW( *(_t628 + 0xc), 0x1207, _t701, ??);
      									MapWindowPoints( *(_t628 + 0xc),  *(_t628 + 8), _v760, 2);
      								}
      								if(_t741 == 0 &&  *((char*)(_t628 + 0x9c)) != 0) {
      									_v716.tmOverhang.cbSize = 0x1c;
      									asm("xorps xmm0, xmm0");
      									_v716.tmCharSet = _t741;
      									asm("movdqu [ebp-0x2a0], xmm0");
      									_v716.tmDigitizedAspectX = 4;
      									GetScrollInfo( *(_t628 + 0x20), 2,  &(_v716.tmOverhang));
      									_t705 = _v780;
      									 *_t705 =  *_t705 - _v716.tmItalic;
      									_t624 =  *((intOrPtr*)(_t628 + 0x98)) +  *_t705;
      									if( *((intOrPtr*)(_t705 + 8)) < _t624) {
      										 *((intOrPtr*)(_t705 + 8)) = _t624;
      									}
      								}
      								 *(_v772 + _t741 * 4) =  *(_t628 + 0xa0);
      								if(_t741 != 0) {
      									_v716.tmExternalLeading = 4;
      									SendMessageW( *(_t628 + 0x14), 0x120b,  *(_v764 + _t741 * 4) - 1,  &(_v716.tmExternalLeading));
      									if((_v716.tmDigitizedAspectX & 0x00000001) != 0) {
      										 *(_v772 + _t741 * 4) =  *(_v772 + _t741 * 4) | 0x00000002;
      									}
      								}
      								_t703 = _v816;
      								if(_t703 > _t741) {
      									_t704 =  >  ? _t741 : _t703;
      									_v816 =  >  ? _t741 : _t703;
      								}
      								_t444 = _v752;
      								_t722 =  <  ? _t741 : _v796;
      								_t741 = _t741 + 1;
      								_v796 = _t722;
      							} while (_t741 < _t444);
      						}
      						_t446 = (_t444 << 4) + _v780 + 0xfffffff8;
      						_v856 = _t446;
      						_t447 =  *_t446;
      						if(_t769[4] > _t447) {
      							asm("movdqu xmm0, [esi+0x8]");
      							asm("movdqu [ebp-0x29c], xmm0");
      							_v716.tmFirstChar.x = _t447;
      							FillRect( *_t769,  &(_v716.tmFirstChar), GetSysColorBrush(5));
      						}
      						_t449 = CreatePen(0, 1, GetSysColor(0x15));
      						_v800 = _t449;
      						_v852 = SelectObject( *_t769, _t449);
      						_v836 = SelectObject( *_t769,  *(_t628 + 0x30));
      						_v808 = GetSystemMetrics(0x31);
      						_v832 = GetSystemMetrics(0x32);
      						_t454 = E004096B0(_t628);
      						_t744 = _v792;
      						_t455 = E00407810(_t454, _t744);
      						_v756 = _t455;
      						_v768 = _t744 * _v788;
      						while(_t455 != 0) {
      							if(( *(_t455 + 0x20) & 0x00000001) == 0) {
      								SetTextColor( *_t769, GetSysColor(8));
      								_push(5);
      							} else {
      								if(GetFocus() !=  *(_t628 + 8)) {
      									SetTextColor( *_t769, GetSysColor(8));
      									_push(0xa);
      								} else {
      									SetTextColor( *_t769, GetSysColor(0xe));
      									_push(0xd);
      								}
      							}
      							SetBkColor( *_t769, GetSysColor());
      							SetBkMode( *_t769, 2);
      							_t485 = _v816;
      							_t748 = _t485;
      							_v752 = _t485;
      							if(_t485 <= _v796) {
      								do {
      									_t725 = (_t748 << 4) + _v780;
      									_t680 = _t725[3] + _v768;
      									_t726 = _t725[2];
      									_v576.left =  *_t725;
      									_v576.top = _t680;
      									_v576.right = _t726;
      									_v576.bottom = _v788 + _t680;
      									if(_t748 <= 0 || _t726 >  *(_t628 + 0x90)) {
      										if(RectInRegion(_v844,  &_v576) != 0) {
      											asm("movdqu xmm0, [ebp-0x23c]");
      											_t751 = 0;
      											_v812 = 0;
      											asm("movdqu [ebp-0x21c], xmm0");
      											if(_v752 != 0) {
      												if(__eflags <= 0) {
      													goto L49;
      												} else {
      													_t590 =  *(_t628 + 0x90);
      													__eflags = _v576.left - _t590;
      													if(__eflags >= 0) {
      														goto L49;
      													} else {
      														_v544.left = _t590;
      														goto L45;
      													}
      												}
      											} else {
      												_t593 =  *(_t628 + 0x90);
      												if(_v576.right < _t593) {
      													L49:
      													_push(0);
      												} else {
      													_v544.right = _t593 - 1;
      													L45:
      													_t751 = CreateRectRgnIndirect( &_v544);
      													_v812 = _t751;
      													_push(_t751);
      												}
      											}
      											SelectClipRgn( *_t769, ??);
      											SelectObject( *_t769,  *(_t628 + 0x30));
      											_t727 = _v752 * 4;
      											_v760 = _t727;
      											_t501 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v756 + 4)))) + 0x10))))(_v756,  *_t769,  *((intOrPtr*)(_t727 + _v764)),  *((intOrPtr*)(_v756 + 0x20)),  &_v576);
      											_t628 = _v776;
      											if(_t501 == 0) {
      												_v784 = CreateSolidBrush(GetBkColor( *_t769));
      												GetBkMode( *_t769);
      												_t753 = _v576.left +  *((intOrPtr*)(_t628 + 0x6c));
      												_t728 = _v760;
      												_t682 = _v576.bottom;
      												_v640.top =  *((intOrPtr*)(_t628 + 0x74)) + _v576.top;
      												_t508 = _v576.right -  *((intOrPtr*)(_t628 + 0x6c));
      												_t636 = _v764;
      												_v640.left = _t753;
      												_v640.right = _t508;
      												_v640.bottom = _t682;
      												__eflags =  *(_t728 + _t636);
      												_t637 = _v776;
      												if( *(_t728 + _t636) == 0) {
      													_t692 = _t682 - _v576.top;
      													_t563 = _t508 - _t753;
      													_v748.left = 0;
      													_v748.top = 0;
      													_v748.right = _t563;
      													_v748.bottom = _t692;
      													_v824 = CreateCompatibleBitmap( *_t769, _t563, _t692);
      													_t762 = CreateCompatibleDC( *_t769);
      													_v828 = _t762;
      													SelectObject(_t762, _v824);
      													_t570 = E00404630(FillRect(_t762,  &_v748, GetSysColorBrush(5)), _v756);
      													_t732 = _v756;
      													_t695 = _v748.left + _t570 *  *(_t637 + 0x78);
      													_t572 =  *(_t732 + 0x20);
      													_v748.left = _t695;
      													_v804 = _t572;
      													__eflags = _t572 & 0x00000040;
      													if((_t572 & 0x00000040) != 0) {
      														_t588 = _v748.bottom - _v748.top;
      														__eflags = _t588;
      														return _t588;
      													}
      													_t696 = _t695 + _v808;
      													__eflags =  *(_t637 + 0x38);
      													_v748.left = _t696;
      													if( *(_t637 + 0x38) != 0) {
      														_v804 = 0;
      														_v840 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t732 + 4)))) + 0xc))(_t732,  &_v804);
      														asm("cdq");
      														_t583 = GetSysColor(5);
      														_t645 = _v776;
      														_t762 = _v828;
      														ImageList_DrawEx( *(_t645 + 0x38), _v840, _t762, _v748.left, _v748.top + (_v748.bottom - _v748.top - _v832 - _t732 >> 1), _v808, _v832, _t583, 0xffffffff, _v804 << 8);
      														_t696 = _v748.left +  *((intOrPtr*)(_t645 + 0x6c)) + _v808;
      														__eflags = _t696;
      														_v748.left = _t696;
      													}
      													BitBlt( *_t769, _v640.left, _v576.top, _t696, _v640.bottom, _t762, 0, 0, 0xcc0020);
      													_t266 =  &_v640;
      													 *_t266 = _v640 + _v748;
      													__eflags =  *_t266;
      													DeleteObject(_v824);
      													DeleteDC(_t762);
      													_t728 = _v760;
      												}
      												_t754 = _v756;
      												_v848 = 0x104;
      												_t755 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t754 + 4)))) + 8))(_t754,  *((intOrPtr*)(_t728 + _v764)),  &_v528,  &_v848);
      												DrawTextW( *_t769, _t755, 0xffffffff,  &_v640,  *(_v760 + _v772));
      												asm("movdqu xmm0, [ebp-0x27c]");
      												asm("movdqu [ebp-0x24c], xmm0");
      												DrawTextW( *_t769, _t755, 0xffffffff,  &_v592,  *(_v760 + _v772) | 0x00000400);
      												_t519 = _v760;
      												_t686 = _v772;
      												__eflags =  *(_t519 + _t686) & 0x00000002;
      												if(( *(_t519 + _t686) & 0x00000002) != 0) {
      													_t560 = _v640.right - _v592.right;
      													__eflags = _t560;
      													OffsetRect( &_v592, _t560, 0);
      												}
      												_t756 = _v812;
      												__eflags = _t756;
      												if(_t756 == 0) {
      													_t757 = _v544.left;
      													_t687 = _v592.right;
      													_t729 = _v592.left;
      												} else {
      													SelectClipRgn( *_t769, 0);
      													DeleteObject(_t756);
      													_t691 = _v592.right;
      													__eflags = _t691 - _v544.right;
      													_t731 = _v592.left;
      													_t687 =  >  ? _v544.right : _t691;
      													_t757 = _v544.left;
      													__eflags = _t731 - _t757;
      													_v592.right = _t687;
      													_t729 =  <  ? _t757 : _t731;
      													_v592.left = _t729;
      												}
      												__eflags = _v752;
      												_t520 = _v544.top;
      												_t642 = _v544.bottom;
      												_v608.top = _t520;
      												_v560.y = _t520;
      												_v624.top = _t520;
      												_v608.left = _t757;
      												_v608.right = _t729;
      												_v624.left = _t729;
      												_v656.left = _t729;
      												_t730 = _t642;
      												_v624.bottom = _v592.top;
      												_v608.bottom = _t642;
      												_v552 = _v544.right;
      												_t759 = _v544.left;
      												_v548 = _t642;
      												_t628 = _v776;
      												_v560.x = _t687;
      												_v624.right = _t687;
      												_v656.top = _v592.bottom;
      												_v656.right = _t687;
      												_v656.bottom = _t730;
      												if(_v752 == 0) {
      													_v608.right =  *((intOrPtr*)(_t628 + 0x6c)) + _t759;
      													_t554 =  *(_t628 + 0x90) - 1;
      													__eflags = _t554;
      													_v716.tmDefaultChar = _v544.top;
      													_v716.tmFirstChar.x = _t554;
      													_v716.tmItalic = _t554;
      													_v716.tmCharSet = _t730;
      													Polyline( *_t769,  &(_v716.tmFirstChar), 2);
      												}
      												IntersectRect( &_v624,  &_v624,  &_v544);
      												IntersectRect( &_v656,  &_v656,  &_v544);
      												IntersectRect( &_v608,  &_v608,  &_v544);
      												IntersectRect( &_v560,  &_v560,  &_v544);
      												_t761 = _v784;
      												__eflags = _v624.left - _v624.right;
      												if(_v624.left < _v624.right) {
      													__eflags = _v624.top - _v624.bottom;
      													if(_v624.top < _v624.bottom) {
      														FillRect( *_t769,  &_v624, _t761);
      													}
      												}
      												__eflags = _v656.left - _v656.right;
      												if(_v656.left < _v656.right) {
      													__eflags = _v656.top - _v656.bottom;
      													if(_v656.top < _v656.bottom) {
      														FillRect( *_t769,  &_v656, _t761);
      													}
      												}
      												_t748 = _v752;
      												__eflags = _t748;
      												if(_t748 == 0) {
      													_t537 = GetSysColorBrush(5);
      												} else {
      													_t537 = _v784;
      												}
      												__eflags = _v608.left - _v608.right;
      												if(_v608.left < _v608.right) {
      													__eflags = _v608.top - _v608.bottom;
      													if(_v608.top < _v608.bottom) {
      														FillRect( *_t769,  &_v608, _t537);
      													}
      												}
      												__eflags = _v560.x - _v552;
      												if(__eflags < 0) {
      													__eflags = _v560.y - _v548;
      													if(__eflags < 0) {
      														FillRect( *_t769,  &_v560, _v784);
      													}
      												}
      												DeleteObject(_v784);
      											} else {
      												if(_t751 != 0) {
      													DeleteObject(_t751);
      												}
      												_t748 = _v752;
      											}
      										}
      									}
      									_t748 = _t748 + 1;
      									_v752 = _t748;
      								} while (_t748 <= _v796);
      							}
      							_t722 = _v756;
      							_t677 =  *(_t722 + 0x14);
      							if(_t677 == 0 || ( *(_t722 + 0x20) >> 0x00000004 & 0x00000001) == 0) {
      								_t455 =  *(_t722 + 0x10);
      								__eflags = _t455;
      								if(__eflags == 0) {
      									_t486 =  *(_t722 + 8);
      									__eflags = _t486;
      									if(_t486 == 0) {
      										L92:
      										_t455 = 0;
      										__eflags = 0;
      									} else {
      										while(1) {
      											__eflags =  *(_t486 + 0x10);
      											if(__eflags != 0) {
      												break;
      											}
      											_t486 =  *(_t486 + 8);
      											__eflags = _t486;
      											if(_t486 != 0) {
      												continue;
      											} else {
      												goto L92;
      											}
      											goto L93;
      										}
      										_t455 =  *(_t486 + 0x10);
      									}
      								}
      								L93:
      								_v756 = _t455;
      							} else {
      								_t455 = _t677;
      								_v756 = _t677;
      							}
      							_t744 = _v792 + 1;
      							_v768 = _v768 + _v788;
      							_v792 = _t744;
      							if(_t744 <= _v820) {
      								continue;
      							} else {
      								_t456 = _v820;
      							}
      							L98:
      							_t460 =  *((intOrPtr*)(_v780 + 0xc)) - 1 + (_t456 + 1) * _v788;
      							if(_t769[5] > _t460) {
      								asm("movdqu xmm0, [esi+0x8]");
      								asm("movdqu [ebp-0x22c], xmm0");
      								_v560.y = _t460 + 1;
      								_v552 =  *_v856;
      								FillRect( *_t769,  &_v560, GetSysColorBrush(5));
      								_t475 =  *(_t628 + 0x90) - 1;
      								_v560.x = _t475;
      								_v552 = _t475;
      								_t476 = SelectObject( *_t769, _v800);
      								Polyline( *_t769,  &_v560, 2);
      								SelectObject( *_t769, _t476);
      							}
      							SelectObject( *_t769, _v836);
      							SelectObject( *_t769, _v852);
      							DeleteObject(_v800);
      							L0047002A(_v780);
      							L0047002A(_v764);
      							L0047002A(_v772);
      							_pop(_t745);
      							_pop(_t771);
      							_pop(_t631);
      							return E0046F77E(_t631, _v8 ^ _t773, _t722, _t745, _t771);
      						}
      						_t456 = _t744 - 1;
      						goto L98;
      					}
      				}
      				goto L103;
      			}












































































































































      Instruction addresses (column only): 0x00404c11 to 0x0040597f, interspersed with 0x00000000 entries. The disassembly lines this column indexed are not part of the extracted report, so only the address range is kept here.

      APIs
      • GetDC.USER32(?), ref: 00404C3D
      • SelectObject.GDI32(00000000,?), ref: 00404C49
      • GetTextMetricsW.GDI32(00000000,?), ref: 00404C57
      • ReleaseDC.USER32 ref: 00404C6D
      • GetSystemMetrics.USER32 ref: 00404C7B
      • GetWindowRect.USER32 ref: 00404CA9
      • SendMessageW.USER32(?,00001200,00000000,00000000), ref: 00404CC7
      • SendMessageW.USER32(?,00001211,?,00000004), ref: 00404D5A
      • SendMessageW.USER32(?,00001207,?,?), ref: 00404E68
      • SendMessageW.USER32(?,00001207,?,?), ref: 00404E8A
      • MapWindowPoints.USER32 ref: 00404E9E
      • GetScrollInfo.USER32 ref: 00404EE2
      • SendMessageW.USER32(?,0000120B,?,?), ref: 00404F3D
      • GetSysColorBrush.USER32(00000005), ref: 00404FCE
      • FillRect.USER32 ref: 00404FDE
      • GetSysColor.USER32(00000015), ref: 00404FE6
      • CreatePen.GDI32(00000000,00000001,00000000), ref: 00404FF1
      • SelectObject.GDI32(?,00000000), ref: 00405006
      • SelectObject.GDI32(?,?), ref: 00405013
      • GetSystemMetrics.USER32 ref: 00405023
      • GetSystemMetrics.USER32 ref: 0040502D
      • GetFocus.USER32(?), ref: 0040506E
      • GetSysColor.USER32(0000000E), ref: 00405081
      • SetTextColor.GDI32(?,00000000), ref: 00405086
      • GetSysColor.USER32(00000008), ref: 00405092
      • SetTextColor.GDI32(?,00000000), ref: 00405097
      • GetSysColor.USER32(00000008), ref: 004050A9
      • SetTextColor.GDI32(?,00000000), ref: 004050AE
      • GetSysColor.USER32(00000005), ref: 004050B6
      • SetBkColor.GDI32(?,00000000), ref: 004050BB
      • SetBkMode.GDI32(?,00000002), ref: 004050C5
      • RectInRegion.GDI32(?,?), ref: 0040513B
      • CreateRectRgnIndirect.GDI32(?), ref: 00405187
      • SelectClipRgn.GDI32(?,00000000), ref: 004051B4
      • SelectObject.GDI32(?,?), ref: 004051BF
      • DeleteObject.GDI32(00000000), ref: 00405218
      • GetBkColor.GDI32(?), ref: 00405265
      • CreateSolidBrush.GDI32(00000000), ref: 0040526C
      • GetBkMode.GDI32(?,?,00000001,?), ref: 0040527A
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00405301
      • CreateCompatibleDC.GDI32(?), ref: 0040530F
      • SelectObject.GDI32(00000000,?), ref: 00405324
      • GetSysColorBrush.USER32(00000005), ref: 0040532C
      • FillRect.USER32 ref: 0040533B
      • GetSysColor.USER32(00000005), ref: 00405461
      • ImageList_DrawEx.COMCTL32(00000000,?,?,00000000,00000000,?,?,00000000,?,00000001,?), ref: 00405491
      • BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 004054CD
      • DeleteObject.GDI32(?), ref: 004054E5
      • DeleteDC.GDI32(00000000), ref: 004054EC
      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0040554B
      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0040557E
      • OffsetRect.USER32(?,?,00000000), ref: 004055A8
      • SelectClipRgn.GDI32(?,00000000), ref: 004055BC
      • DeleteObject.GDI32(?), ref: 004055C3
      • Polyline.GDI32(?,?,00000002), ref: 004056DD
      • IntersectRect.USER32 ref: 004056F8
      • IntersectRect.USER32 ref: 00405709
      • IntersectRect.USER32 ref: 0040571A
      • IntersectRect.USER32 ref: 0040572B
      • FillRect.USER32 ref: 00405759
      • FillRect.USER32 ref: 00405785
      • GetSysColorBrush.USER32(00000005), ref: 0040579F
      • FillRect.USER32 ref: 004057CB
      • FillRect.USER32 ref: 004057FC
      • DeleteObject.GDI32(?), ref: 00405808
      • GetSysColorBrush.USER32(00000005), ref: 004058AA
      • FillRect.USER32 ref: 004058BA
      • SelectObject.GDI32(?,?), ref: 004058E1
      • Polyline.GDI32(?,?,00000002), ref: 004058F0
      • SelectObject.GDI32(?,00000000), ref: 004058F9
      • SelectObject.GDI32(?,?), ref: 0040590B
      • SelectObject.GDI32(?,?), ref: 00405915
      • DeleteObject.GDI32(?), ref: 0040591D
      • GetSysColorBrush.USER32(00000005), ref: 0040595C
      • FillRect.USER32 ref: 00405969
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ColorRect$Object$Select$Fill$BrushDeleteText$CreateMessageSend$IntersectMetrics$DrawSystem$ClipCompatibleModePolylineWindow$BitmapFocusImageIndirectInfoList_OffsetPointsRegionReleaseScrollSolid
      • String ID:
      • API String ID: 2022576759-0
      • Opcode ID: 50ea4dbdb215afaabb92f78a6f4f19e10775358f1c725f07d4421219ee735fef
      • Instruction ID: 92bf124efc0d4ac5c6bf8d842824845a615e079119f2925d2cfae6dec9406aac
      • Opcode Fuzzy Hash: 50ea4dbdb215afaabb92f78a6f4f19e10775358f1c725f07d4421219ee735fef
      • Instruction Fuzzy Hash: A69217759012199FDB25DF68CC88BAAB7B9FF48300F1045EAE509A7261DB34AE85CF14
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E0042F1F0(void* __ebx, signed int __edx, struct HWND__* _a4, char _a8) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				char _v538;
      				char _v540;
      				char _v1058;
      				char _v1060;
      				int _v1064;
      				int _v1068;
      				int _v1072;
      				struct HWND__* _v1076;
      				int _v1080;
      				int _v1084;
      				struct HICON__* _v1088;
      				int _v1092;
      				signed int _v1120;
      				int _v1124;
      				intOrPtr _v1136;
      				int _v1140;
      				void* _v1144;
      				int _v1148;
      				intOrPtr _v1160;
      				char* _v1164;
      				intOrPtr _v1172;
      				void* _v1176;
      				char* _v1180;
      				char _v1188;
      				intOrPtr _v1224;
      				intOrPtr _v1244;
      				char* _v1248;
      				WCHAR* _v1264;
      				struct HWND__* _v1272;
      				struct tagOFNA _v1276;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t143;
      				signed int _t144;
      				long _t160;
      				struct HICON__* _t165;
      				int _t166;
      				short* _t174;
      				long _t178;
      				int _t179;
      				int _t182;
      				int _t185;
      				int _t186;
      				int _t187;
      				int _t198;
      				long _t200;
      				int _t211;
      				long _t214;
      				int _t215;
      				int _t216;
      				void* _t230;
      				int _t239;
      				int* _t246;
      				signed int _t249;
      				struct HWND__* _t256;
      				void* _t257;
      				int _t258;
      				struct HWND__* _t259;
      				int _t260;
      				int _t261;
      				int _t262;
      				void* _t265;
      				int _t266;
      				int _t267;
      				int _t268;
      				int* _t269;
      				signed int _t271;
      				void* _t272;
      				void* _t274;
      				void* _t275;
      				void* _t277;
      				void* _t278;
      				void* _t279;
      				void* _t280;
      				void* _t281;
      
      				_t249 = __edx;
      				_t230 = __ebx;
      				_push(0xffffffff);
      				_push(E00488F24);
      				_push( *[fs:0x0]);
      				_t143 =  *0x4bb1dc; // 0x2927074f
      				_t144 = _t143 ^ _t271;
      				_v20 = _t144;
      				_push(_t144);
      				 *[fs:0x0] =  &_v16;
      				_t256 = _a4;
      				_v1076 = _t256;
      				E00470030( &_v1272, 0, 0x54);
      				_v540 = 0;
      				E00470030( &_v538, 0, 0x206);
      				_t274 = _t272 - 0x4ec + 0x18;
      				_v1248 =  &_v540;
      				_v1276 = 0x58;
      				_v1272 = _t256;
      				_v1244 = 0x104;
      				_v1264 = L"Text File (*.CSV)";
      				_v1224 = 8;
      				if(GetSaveFileNameW( &_v1276) == 0) {
      					L7:
      					L8:
      					 *[fs:0x0] = _v16;
      					_pop(_t257);
      					_pop(_t265);
      					return E0046F77E(_t230, _v20 ^ _t271, _t249, _t257, _t265);
      				}
      				while(1) {
      					_push(L".CSV");
      					E00435A10( &_v540, 0x104);
      					_t258 = E00405D60(_t256);
      					_t275 = _t274 + 0x10;
      					_v1084 = _t258;
      					if(_t258 == 0) {
      						_t160 = SendMessageW(SendMessageW(_v1076, 0x101f, 0, 0), 0x1200, 0, 0);
      					} else {
      						_t160 = E00404130(_t258);
      					}
      					_v1080 = _t160;
      					_v1064 = 0;
      					E00471CA4( &_v1064,  &_v540, L"wt");
      					_t274 = _t275 + 0xc;
      					if(_v1064 != 0) {
      						break;
      					}
      					_t256 = _v1076;
      					MessageBoxW(_t256, L"Unable to open file for writing", L"Export Listview", 0x10);
      					_v1276 = 0x58;
      					_v1248 =  &_v540;
      					_v1272 = _t256;
      					_v1244 = 0x104;
      					_v1264 = L"Text File (*.CSV)";
      					_v1224 = 8;
      					if(GetSaveFileNameW( &_v1276) != 0) {
      						continue;
      					}
      					goto L7;
      				}
      				_t165 = SetCursor(LoadCursorW(0, 0x7f02));
      				__eflags = _a8;
      				_v1088 = _t165;
      				if(_a8 == 0) {
      					L37:
      					_t259 = _v1076;
      					_t166 = SendMessageW(_t259, 0x1004, 0, 0);
      					_t266 = 0;
      					_v1084 = _t166;
      					_v1072 = 0;
      					__eflags = _t166;
      					if(__eflags == 0) {
      						L66:
      						_push(_v1064);
      						L00471E1F(_t230, _t259, _t266, __eflags);
      						SetCursor(_v1088);
      						goto L8;
      					}
      					do {
      						E00470030( &_v1140, 0, 0x30);
      						_v1144 = 1;
      						_v1120 = 0x400;
      						_t249 = 0x800 >> 0x20;
      						_push( ~(0 | __eflags > 0x00000000) | 0x800);
      						_t174 = E0046EE59(_t230, _t259, __eflags);
      						_t239 = 0;
      						_v1124 = _t174;
      						_t277 = _t274 + 0x10;
      						_v1068 = 0;
      						__eflags = _v1080;
      						if(__eflags <= 0) {
      							goto L65;
      						}
      						while(1) {
      							 *_t174 = 0;
      							_v1140 = _t266;
      							_v1136 = _t239;
      							_t178 = SendMessageW(_t259, 0x1073, _t266,  &_v1144);
      							_t249 = _v1120;
      							_t94 = _t249 - 1; // 0x3ff
      							_t240 = _t94;
      							__eflags = _t178 - _t94;
      							if(__eflags != 0) {
      								goto L43;
      							}
      							do {
      								L42:
      								_v1120 = _t249 + 0x400;
      								L0047002A(_v1124);
      								_push( ~(0 | __eflags > 0x00000000) | _v1120 * 0x00000002);
      								_t198 = E0046EE59(_t230, _t259, __eflags);
      								_t277 = _t277 + 8;
      								_v1124 = _t198;
      								_t200 = SendMessageW(_t259, 0x1073, _t266,  &_v1144);
      								_t249 = _v1120;
      								_t107 = _t249 - 1; // 0x3ff
      								_t240 = _t107;
      								__eflags = _t200 - _t107;
      							} while (__eflags == 0);
      							L43:
      							_t260 = _v1124;
      							_push(0xc);
      							_t179 = E0046EEB6(_t230, _t260, __eflags);
      							_t267 = _t179;
      							_t278 = _t277 + 4;
      							_v1092 = _t267;
      							_v8 = 1;
      							__eflags = _t267;
      							if(_t267 == 0) {
      								L47:
      								_t267 = 0;
      								__eflags = 0;
      								L48:
      								_v8 = 0xffffffff;
      								_v1092 = _t267;
      								__eflags = _t267;
      								if(_t267 == 0) {
      									L46:
      									E0046E410(0x8007000e);
      									goto L47;
      								}
      								__eflags = _v1068;
      								_v8 = 2;
      								if(__eflags != 0) {
      									_push(_v1064);
      									_push(0x2c);
      									E00472868(_t230, _t260, _t267, __eflags);
      									_t278 = _t278 + 8;
      								}
      								_push(_v1064);
      								_push(0x22);
      								E00472868(_t230, _t260, _t267, __eflags);
      								_t279 = _t278 + 8;
      								__eflags =  *(_t267 + 4);
      								if( *(_t267 + 4) == 0) {
      									 *(_t267 + 4) = E0046E430(_t240,  *_t267);
      								}
      								_t261 =  *(_t267 + 4);
      								_t182 =  *_t261;
      								__eflags = _t182;
      								if(__eflags == 0) {
      									L57:
      									_push(_v1064);
      									_push(0x22);
      									E00472868(_t230, _t261, _t267, __eflags);
      									_t277 = _t279 + 8;
      									_v8 = 0xffffffff;
      									_t127 = _t267 + 8; // 0x8
      									_t185 = InterlockedDecrement(_t127);
      									__eflags = _t185;
      									if(_t185 != 0) {
      										L63:
      										_t266 = _v1072;
      										_t239 = _v1068 + 1;
      										_t259 = _v1076;
      										_v1068 = _t239;
      										__eflags = _t239 - _v1080;
      										if(__eflags >= 0) {
      											break;
      										}
      										_t174 = _v1124;
      										 *_t174 = 0;
      										_v1140 = _t266;
      										_v1136 = _t239;
      										_t178 = SendMessageW(_t259, 0x1073, _t266,  &_v1144);
      										_t249 = _v1120;
      										_t94 = _t249 - 1; // 0x3ff
      										_t240 = _t94;
      										__eflags = _t178 - _t94;
      										if(__eflags != 0) {
      											goto L43;
      										}
      										goto L42;
      									}
      									_t186 =  *_t267;
      									__eflags = _t186;
      									if(_t186 != 0) {
      										__imp__#6(_t186);
      										 *_t267 = 0;
      									}
      									_t187 =  *(_t267 + 4);
      									__eflags = _t187;
      									if(_t187 != 0) {
      										E0046EF07(_t187);
      										_t277 = _t277 + 4;
      										 *(_t267 + 4) = 0;
      									}
      									E0046EF07(_t267);
      									_t277 = _t277 + 4;
      									goto L63;
      								} else {
      									do {
      										__eflags = _t182 - 0x22;
      										if(__eflags == 0) {
      											_push(_v1064);
      											_push(0x22);
      											E00472868(_t230, _t261, _t267, __eflags);
      											_t279 = _t279 + 8;
      										}
      										_push(_v1064);
      										_push( *_t261);
      										E00472868(_t230, _t261, _t267, __eflags);
      										_t182 =  *(_t261 + 1);
      										_t261 = _t261 + 1;
      										_t279 = _t279 + 8;
      										__eflags = _t182;
      									} while (__eflags != 0);
      									goto L57;
      								}
      							}
      							 *(_t267 + 4) = 0;
      							 *(_t267 + 8) = 1;
      							__imp__#2(_t260);
      							 *_t267 = _t179;
      							__eflags = _t179;
      							if(_t179 != 0) {
      								goto L48;
      							}
      							__eflags = _t260;
      							if(_t260 == 0) {
      								goto L48;
      							}
      							goto L46;
      						}
      						L65:
      						_push(_v1064);
      						_push(0xa);
      						E00472868(_t230, _t259, _t266, __eflags);
      						L0047002A(_v1124);
      						_t266 = _t266 + 1;
      						_t274 = _t277 + 0xc;
      						_v1072 = _t266;
      						__eflags = _t266 - _v1084;
      					} while (__eflags < 0);
      					goto L66;
      				}
      				_t268 = 0;
      				_v1068 = 0;
      				__eflags = _v1080;
      				if(__eflags <= 0) {
      					L36:
      					_push(_v1064);
      					_push(0xa);
      					E00472868(_t230, _t258, _t268, __eflags);
      					_t274 = _t274 + 8;
      					goto L37;
      				}
      				do {
      					_v1060 = 0;
      					E00470030( &_v1058, 0, 0x206);
      					_t280 = _t274 + 0xc;
      					asm("xorps xmm0, xmm0");
      					__eflags = _t258;
      					if(_t258 == 0) {
      						asm("movdqu [ebp-0x490], xmm0");
      						_v1164 =  &_v1060;
      						asm("movq [ebp-0x480], xmm0");
      						_v1148 = 0;
      						_v1176 = 4;
      						_v1160 = 0x104;
      						SendMessageW(_v1076, 0x105f, _t268,  &_v1176);
      					} else {
      						asm("movdqu [ebp-0x49c], xmm0");
      						_v1180 =  &_v1060;
      						asm("movq [ebp-0x47c], xmm0");
      						asm("movdqu [ebp-0x48c], xmm0");
      						_v1188 = 2;
      						_v1172 = 0x104;
      						E00406150(_t258, _t268,  &_v1188);
      					}
      					_t246 =  &_v1072;
      					E00402050( &_v1060);
      					_v8 = 0;
      					__eflags = _t268;
      					if(__eflags != 0) {
      						_push(_v1064);
      						_push(0x2c);
      						E00472868(_t230, _t258, _t268, __eflags);
      						_t280 = _t280 + 8;
      					}
      					_push(_v1064);
      					_push(0x22);
      					E00472868(_t230, _t258, _t268, __eflags);
      					_t269 = _v1072;
      					_t281 = _t280 + 8;
      					__eflags = _t269;
      					if(_t269 == 0) {
      						_t262 = 0;
      						__eflags = 0;
      					} else {
      						__eflags = _t269[1];
      						if(_t269[1] == 0) {
      							_t269[1] = E0046E430(_t246,  *_t269);
      						}
      						_t262 = _t269[1];
      					}
      					_t211 =  *_t262;
      					__eflags = _t211;
      					if(__eflags != 0) {
      						do {
      							__eflags = _t211 - 0x22;
      							if(__eflags == 0) {
      								_push(_v1064);
      								_push(0x22);
      								E00472868(_t230, _t262, _t269, __eflags);
      								_t281 = _t281 + 8;
      							}
      							_push(_v1064);
      							_push( *_t262);
      							E00472868(_t230, _t262, _t269, __eflags);
      							_t211 =  *(_t262 + 1);
      							_t262 = _t262 + 1;
      							_t281 = _t281 + 8;
      							__eflags = _t211;
      						} while (__eflags != 0);
      					}
      					_push(_v1064);
      					_push(0x22);
      					E00472868(_t230, _t262, _t269, __eflags);
      					_t274 = _t281 + 8;
      					_v8 = 0xffffffff;
      					__eflags = _t269;
      					if(_t269 != 0) {
      						_t214 = InterlockedDecrement( &(_t269[2]));
      						__eflags = _t214;
      						if(_t214 == 0) {
      							_t215 =  *_t269;
      							__eflags = _t215;
      							if(_t215 != 0) {
      								__imp__#6(_t215);
      								 *_t269 = 0;
      							}
      							_t216 = _t269[1];
      							__eflags = _t216;
      							if(_t216 != 0) {
      								E0046EF07(_t216);
      								_t274 = _t274 + 4;
      								_t269[1] = 0;
      							}
      							E0046EF07(_t269);
      							_t274 = _t274 + 4;
      						}
      						_v1072 = 0;
      					}
      					_t258 = _v1084;
      					_t268 = _v1068 + 1;
      					_v1068 = _t268;
      					__eflags = _t268 - _v1080;
      				} while (__eflags < 0);
      				goto L36;
      			}
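      The function above is the sample's listview-to-CSV export routine. It prompts with GetSaveFileNameW (lStructSize 0x58, filter "Text File (*.CSV)", Flags 8 = OFN_NOCHANGEDIR), hands the chosen path and L".CSV" to E00435A10 (a _wcsrchr-based extension helper), opens the file with mode "wt" and shows the IDC_WAIT cursor (0x7F02) while it works. When its second argument (_a8) is non-zero it first writes a header row built from LVM_GETCOLUMNW (0x105F); it then takes the item count from LVM_GETITEMCOUNT (0x1004) and the column count from the header control (LVM_GETHEADER 0x101F followed by HDM_GETITEMCOUNT 0x1200), fetches each cell with LVM_GETITEMTEXTW (0x1073) into a 0x400-wide-character buffer that it grows by 0x400 and re-queries whenever the returned length equals cchTextMax - 1, and writes every cell through _fputc as a double-quoted field with embedded quotes doubled, cells separated by 0x2C and rows terminated by 0x0A. The SysAllocString/SysFreeString calls with a refcount at offset 8 are the per-cell string wrapper whose narrow copy at offset 4 is what actually gets written.

      The Python below is an added example written for this page, not code from the report or from the analysed sample. It decodes the SendMessageW message IDs in the API list into their documented common-controls names (LVM_FIRST = 0x1000, HDM_FIRST = 0x1200 from commctrl.h) and re-implements the grow-and-retry text fetch and the CSV quoting so an analyst can reproduce the exact file format the routine emits and compare it against a captured export. The function names, the `query` callback standing in for SendMessageW, and the listview rows are assumptions constructed for the example; the sample report lines are copied from the API list of this function.

```python
import re

# Documented common-controls message bases (commctrl.h).
LVM_FIRST = 0x1000
HDM_FIRST = 0x1200

# Message IDs that appear in the SendMessageW entries of this report.
MESSAGE_NAMES = {
    LVM_FIRST + 4:   "LVM_GETITEMCOUNT",
    LVM_FIRST + 31:  "LVM_GETHEADER",
    LVM_FIRST + 95:  "LVM_GETCOLUMNW",
    LVM_FIRST + 115: "LVM_GETITEMTEXTW",
    HDM_FIRST + 0:   "HDM_GETITEMCOUNT",
    HDM_FIRST + 7:   "HDM_GETITEMRECT",
    HDM_FIRST + 11:  "HDM_GETITEMW",
    HDM_FIRST + 17:  "HDM_GETORDERARRAY",
}

# Report lines copied from the API list of E0042F1F0 (constructed sample input).
SAMPLE_API_LINES = [
    "• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042F2F3",
    "• SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0042F303",
    "• SendMessageW.USER32(?,0000105F,00000000,?), ref: 0042F4B5",
    "• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0042F5F3",
    "• SendMessageW.USER32(?,00001073,00000000,00000001), ref: 0042F68F",
    "• __wfopen_s.LIBCMT ref: 0042F32C",
]

# Joe Sandbox API-list layout: Name.Module(args), ref: address
API_LINE = re.compile(
    r"SendMessageW\.USER32\((?P<hwnd>[^,]*),(?P<msg>[0-9A-Fa-f]{8}),"
    r"(?P<wparam>[^,]*),(?P<lparam>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})"
)


def decode_sendmessage(line):
    """Return (ref, msg_id, name) for one SendMessageW report line, else None."""
    m = API_LINE.search(line)
    if not m:
        return None
    msg = int(m.group("msg"), 16)
    return m.group("ref"), msg, MESSAGE_NAMES.get(msg, "unknown")


def decode_report(lines):
    """Annotate every SendMessageW entry in a list of report lines."""
    return [d for d in map(decode_sendmessage, lines) if d is not None]


def get_item_text(query, initial=0x400, step=0x400):
    """Grow-and-retry loop from the decompiled code. LVM_GETITEMTEXTW returns
    the number of characters copied; a result of cchTextMax - 1 means the text
    may have been truncated, so the buffer grows by 0x400 and the message is
    re-sent. query(cch_max) stands in for SendMessageW (hypothetical callback)
    and must return the text truncated to cch_max - 1 characters."""
    cch = initial
    text = query(cch)
    while len(text) == cch - 1:
        cch += step
        text = query(cch)
    return text


def csv_cell(text):
    """Quote one cell exactly as the _fputc loop does: opening 0x22, every
    character with an embedded 0x22 doubled, closing 0x22."""
    out = ['"']
    for ch in text:
        if ch == '"':
            out.append('"')
        out.append(ch)
    out.append('"')
    return "".join(out)


def csv_row(cells):
    """Cells separated by 0x2C, row terminated by 0x0A."""
    return ",".join(csv_cell(c) for c in cells) + "\n"


def export_listview(columns, rows, with_header):
    """File layout produced by E0042F1F0: the header row (column titles from
    LVM_GETCOLUMNW) only when the second argument (_a8) is non-zero, then one
    row per item from LVM_GETITEMCOUNT x LVM_GETITEMTEXTW."""
    body = "".join(csv_row(r) for r in rows)
    return (csv_row(columns) if with_header else "") + body


if __name__ == "__main__":
    for ref, msg, name in decode_report(SAMPLE_API_LINES):
        print(f"{ref}: 0x{msg:04X} {name}")
    # Simulated control holding a 1500-character cell: the first query with
    # cchTextMax=0x400 truncates, the retry with 0x800 returns it whole.
    fake_control = lambda cch: ("A" * 1500)[:cch - 1]
    print(len(get_item_text(fake_control)))
    print(export_listview(["Time", "Process Name"], [["12:00", 'x "y"']], True), end="")
```

      The quoting matches what the _fputc sequence at 0042F4F0 / 0042F52C / 0042F53E / 0042F556 produces, so a file written by the sample and one produced by export_listview from the same cells should be byte-identical apart from the text-mode newline translation that "wt" applies on Windows.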
      Instruction addresses (column only) for E0042F1F0: 0x0042f1f0 to 0x0042f8a1, interspersed with 0x00000000 entries. The disassembly lines this column indexed are not part of the extracted report, so only the address range is kept here.

      APIs
      • _memset.LIBCMT ref: 0042F231
      • _memset.LIBCMT ref: 0042F24C
      • GetSaveFileNameW.COMDLG32(2927074F), ref: 0042F29B
        • Part of subcall function 00435A10: _wcsrchr.LIBCMT ref: 00435A18
        • Part of subcall function 00405D60: GetPropW.USER32(?), ref: 00405D6E
      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042F2F3
      • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0042F303
      • __wfopen_s.LIBCMT ref: 0042F32C
      • MessageBoxW.USER32(?,Unable to open file for writing,Export Listview,00000010), ref: 0042F354
      • GetSaveFileNameW.COMDLG32(00000058), ref: 0042F39B
      • LoadCursorW.USER32(00000000,00007F02), ref: 0042F3C9
      • SetCursor.USER32(00000000), ref: 0042F3D0
      • _memset.LIBCMT ref: 0042F416
      • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0042F4B5
      • _fputc.LIBCMT ref: 0042F4E0
      • _fputc.LIBCMT ref: 0042F4F0
        • Part of subcall function 00404130: SendMessageW.USER32(?,00001200,00000000,00000000), ref: 0040413C
      • _fputc.LIBCMT ref: 0042F52C
      • _fputc.LIBCMT ref: 0042F53E
      • _fputc.LIBCMT ref: 0042F556
      • InterlockedDecrement.KERNEL32(?), ref: 0042F56D
      • SysFreeString.OLEAUT32(00000000), ref: 0042F57E
      • _fputc.LIBCMT ref: 0042F5DB
      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0042F5F3
      • _memset.LIBCMT ref: 0042F61B
      • SendMessageW.USER32(?,00001073,00000000,00000001), ref: 0042F68F
      • SendMessageW.USER32(?,00001073,00000000,00000001), ref: 0042F6EC
      • SysAllocString.OLEAUT32(?), ref: 0042F731
      • _fputc.LIBCMT ref: 0042F776
      • _fputc.LIBCMT ref: 0042F786
      • _fputc.LIBCMT ref: 0042F7B3
      • _fputc.LIBCMT ref: 0042F7C5
      • _fputc.LIBCMT ref: 0042F7DD
      • InterlockedDecrement.KERNEL32(00000008), ref: 0042F7F0
      • SysFreeString.OLEAUT32(00000000), ref: 0042F801
      • _fputc.LIBCMT ref: 0042F861
      • SetCursor.USER32(?), ref: 0042F89B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _fputc$Message$Send$_memset$CursorString$DecrementFileFreeInterlockedNameSave$AllocLoadProp__wfopen_s_wcsrchr
      • String ID: .CSV$Export Listview$Unable to open file for writing$X
      • API String ID: 1506878441-2764136903
      • Opcode ID: 868832f39e00515c6f967f178d0049cd00f349c3038f3400ad0cc0067c8d47e1
      • Instruction ID: 34abd8757648519886daafa4441e68f3a7421f9926db7ef585a16b27765875ea
      • Opcode Fuzzy Hash: 868832f39e00515c6f967f178d0049cd00f349c3038f3400ad0cc0067c8d47e1
      • Instruction Fuzzy Hash: E70284F1E002289BDB209F61DD45BDEB7B4AF44704F8041FAE608A7281E7755A89CF5D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E0046CD20(void* __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				short _v540;
      				short _v1060;
      				struct _WIN32_FIND_DATAW _v1652;
      				int _v1656;
      				int _v1660;
      				int _v1664;
      				intOrPtr _v1684;
      				WCHAR* _v1692;
      				intOrPtr _v1696;
      				intOrPtr _v1700;
      				WCHAR* _v1704;
      				int _v1708;
      				int _v1712;
      				int _v1716;
      				intOrPtr _v1720;
      				WCHAR* _v1724;
      				int _v1728;
      				int _v1732;
      				int _v1736;
      				WCHAR* _v1740;
      				struct HINSTANCE__* _v1744;
      				struct HWND__* _v1748;
      				struct tagOFNA _v1752;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t61;
      				signed int _t62;
      				void* _t65;
      				int _t80;
      				int _t84;
      				int _t90;
      				int _t100;
      				struct HINSTANCE__* _t106;
      				int _t110;
      				void* _t113;
      				int _t119;
      				int _t121;
      				void* _t124;
      				void* _t128;
      				void* _t136;
      				int _t143;
      				int _t146;
      				void* _t149;
      				void* _t150;
      				void* _t151;
      				void* _t166;
      				struct HWND__* _t168;
      				void* _t169;
      				void* _t173;
      				unsigned int _t174;
      				void* _t176;
      				signed int _t177;
      				void* _t178;
      				void* _t179;
      				void* _t183;
      				void* _t184;
      				void* _t191;
      
      				_t166 = __edx;
      				_push(0xffffffff);
      				_push(E0048D5B1);
      				_push( *[fs:0x0]);
      				_t179 = _t178 - 0x6c8;
      				_t61 =  *0x4bb1dc; // 0x2927074f
      				_t62 = _t61 ^ _t177;
      				_v20 = _t62;
      				_push(_t62);
      				 *[fs:0x0] =  &_v16;
      				_t168 = _a4;
      				_t65 = _a8 - 0x110;
      				if(_t65 == 0) {
      					SetDlgItemTextW(_t168, 0x440, 0x4bd8b0);
      					SetDlgItemTextW(_t168, 0x441, E0046A170(0x4bdab8));
      					SetDlgItemTextW(_t168, 0x444, E0046A170(0x4bdabc));
      					SHAutoComplete(GetDlgItem(_t168, 0x440), 1);
      					SetFocus(GetDlgItem(_t168, 0x440));
      					L37:
      					 *[fs:0x0] = _v16;
      					_pop(_t169);
      					_pop(_t173);
      					_pop(_t149);
      					return E0046F77E(_t149, _v20 ^ _t177, _t166, _t169, _t173);
      				}
      				if(_t65 != 1) {
      					L35:
      					goto L37;
      				}
      				_t174 = _a12;
      				_t150 = GetDlgItemTextW;
      				_t191 = _t174 - 0x442;
      				if(_t191 > 0) {
      					_t80 = _t174 - 0x443;
      					__eflags = _t80;
      					if(_t80 == 0) {
      						GetDlgItemTextW(_t168, 0x441,  &_v540, 0x104);
      						_t84 = E0046D1A0(_t168, L"Browse for Symbols Directory",  &_v540);
      						__eflags = _t84;
      						if(_t84 == 0) {
      							L28:
      							if(_t174 >> 0x10 == 0x300) {
      								GetDlgItemTextW(_t168, 0x440,  &_v540, 0x104);
      								_t176 = FindFirstFileW( &_v540,  &_v1652);
      								if(_t176 == 0xffffffff || (_v1652.dwFileAttributes & 0x00000010) != 0) {
      									_t90 = 0;
      									__eflags = 0;
      								} else {
      									_t90 = 1;
      								}
      								EnableWindow(GetDlgItem(_t168, 1), _t90);
      								if(_t176 != 0) {
      									FindClose(_t176);
      								}
      							}
      							goto L35;
      						}
      						_push( &_v540);
      						_push(0x441);
      						L27:
      						SetDlgItemTextW(_t168, ??, ??);
      						goto L28;
      					}
      					__eflags = _t80 != 2;
      					if(_t80 != 2) {
      						goto L28;
      					}
      					GetDlgItemTextW(_t168, 0x444,  &_v540, 0x104);
      					_t100 = E0046D1A0(_t168, L"Browse for Source Directory",  &_v540);
      					__eflags = _t100;
      					if(_t100 == 0) {
      						goto L28;
      					}
      					_push( &_v540);
      					_push(0x444);
      					goto L27;
      				}
      				if(_t191 == 0) {
      					GetDlgItemTextW(_t168, 0x440,  &_v540, 0x104);
      					E00470030( &_v1752, 0, 0x58);
      					_t106 =  *0x4bd2c4; // 0x400000
      					_v1744 = _t106;
      					_v1724 =  &_v540;
      					_v1696 = 0;
      					_v1684 = 0;
      					_v1752 = 0x4c;
      					_v1748 = _t168;
      					_v1736 = 0;
      					_v1732 = 0;
      					_v1728 = 1;
      					_v1720 = 0x100;
      					_v1716 = 0;
      					_v1712 = 0;
      					_v1708 = 0;
      					_v1700 = 0x200000;
      					_v1704 = L"Specify dbghelp.dll...";
      					_v1692 = L"*.dll";
      					_v1740 = L"Dbghelp DLL (dbghelp.dll)";
      					_t110 = GetOpenFileNameW( &_v1752);
      					__eflags = _t110;
      					if(_t110 == 0) {
      						goto L28;
      					}
      					_push( &_v540);
      					_push(0x440);
      					goto L27;
      				}
      				_t113 = _t174 - 1;
      				if(_t113 == 0) {
      					GetDlgItemTextW(_t168, 0x440,  &_v540, 0x104);
      					GetDlgItemTextW(_t168, 0x441,  &_v1060, 0x104);
      					_t119 = E0046D2B0( &_v540);
      					_t183 = _t179 + 4;
      					__eflags = _t119;
      					if(_t119 != 0) {
      						_push(0x2a);
      						_push( &_v1060);
      						_t121 = E004713E7(_t151);
      						_t184 = _t183 + 8;
      						__eflags = _t121;
      						if(__eflags != 0) {
      							_t143 = E0046C2D0(_t168, __eflags,  &_v540);
      							_t184 = _t184 + 4;
      							__eflags = _t143;
      							if(__eflags == 0) {
      								DialogBoxParamW( *0x4bd2c4, L"SYMBOLCONFIGWARNING", _t168, E0046DA50, 0);
      							}
      						}
      						_t124 = L00435E80(_t150, _t151, __eflags,  &_v1664, GetDlgItem(_t168, 0x441));
      						_v8 = 0;
      						E0046A0B0(0x4bdab8, _t124);
      						_t159 = _v1664;
      						_v8 = 0xffffffff;
      						__eflags = _v1664;
      						if(__eflags != 0) {
      							E0046A700(_t159);
      						}
      						_t128 = L00435E80(_t150, _t159, __eflags,  &_v1660, GetDlgItem(_t168, 0x444));
      						_v8 = 1;
      						E0046A0B0(0x4bdabc, _t128);
      						_t161 = _v1660;
      						_v8 = 0xffffffff;
      						__eflags = _v1660;
      						if(_v1660 != 0) {
      							E0046A700(_t161);
      						}
      						E0046EF0C(0x4bd8b0, 0x104,  &_v540);
      						SetEnvironmentVariableW(L"_NT_SYMBOL_PATH", E0046A170(0x4bdab8));
      						_t136 = E00434DD0(_t150, 0x4bdab8, __eflags,  &_v1656, E0046A170(0x4bdab8));
      						_v8 = 2;
      						E0046A0B0(0x4bdcc8, _t136);
      						_t165 = _v1656;
      						_v8 = 0xffffffff;
      						__eflags = _v1656;
      						if(_v1656 != 0) {
      							E0046A700(_t165);
      						}
      						EndDialog(_t168, 0);
      					} else {
      						MessageBoxW(_t168, L"The DLL you specified is not a valid Dbghelp DLL.", L"Process Monitor Error", 0x10);
      					}
      				} else {
      					_t146 = _t113 - 1;
      					if(_t146 == 0) {
      						EndDialog(_t168, _t146);
      					}
      				}
      				goto L28;
      			}

      APIs
      • EndDialog.USER32(?,?), ref: 0046CD8F
      • GetDlgItemTextW.USER32 ref: 0046CDAC
      • GetDlgItemTextW.USER32 ref: 0046CDC0
      • MessageBoxW.USER32(?,The DLL you specified is not a valid Dbghelp DLL.,Process Monitor Error,00000010), ref: 0046CDE2
      • GetDlgItemTextW.USER32 ref: 0046CF47
      • _memset.LIBCMT ref: 0046CF54
      • GetOpenFileNameW.COMDLG32(?), ref: 0046D006
      • GetDlgItemTextW.USER32 ref: 0046D045
      • SetDlgItemTextW.USER32 ref: 0046D0A8
      • GetDlgItemTextW.USER32 ref: 0046D0CB
      • FindFirstFileW.KERNEL32(?,?), ref: 0046D0DB
      • GetDlgItem.USER32 ref: 0046D0FE
      • EnableWindow.USER32(00000000), ref: 0046D105
      • FindClose.KERNEL32(00000000), ref: 0046D110
      • SetDlgItemTextW.USER32 ref: 0046D12B
      • SetDlgItemTextW.USER32 ref: 0046D13E
      • SetDlgItemTextW.USER32 ref: 0046D151
      • GetDlgItem.USER32 ref: 0046D161
      • SHAutoComplete.SHLWAPI(00000000), ref: 0046D164
      • GetDlgItem.USER32 ref: 0046D170
      • SetFocus.USER32(00000000), ref: 0046D173
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Item$Text$FileFind$AutoCloseCompleteDialogEnableFirstFocusMessageNameOpenWindow_memset
      • String ID: Browse for Source Directory$Browse for Symbols Directory$L$Process Monitor Error$SYMBOLCONFIGWARNING$The DLL you specified is not a valid Dbghelp DLL.$_NT_SYMBOL_PATH
      • API String ID: 1920422044-661456046
      • Opcode ID: face3d20b73127b9a85192c3058912434c07d64791689e91627a5a25facc5b22
      • Instruction ID: 5f1416e6a7202308f73ee859261d5e71c06d35e80264ab5cdca119ac3b667a89
      • Opcode Fuzzy Hash: face3d20b73127b9a85192c3058912434c07d64791689e91627a5a25facc5b22
      • Instruction Fuzzy Hash: 30B1E9B1E40218ABEB109F608C85FFE7778EB45704F0001ABF608E62D1EB7959558F5E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E00418140(signed int __ecx, void* __eflags, struct _CRITICAL_SECTION* _a4, char _a7) {
      				RECT* _v8;
      				char _v16;
      				signed int _v17;
      				signed int _v24;
      				struct _CRITICAL_SECTION* _v28;
      				struct _CRITICAL_SECTION* _v32;
      				intOrPtr _v44;
      				char _v52;
      				intOrPtr _v60;
      				intOrPtr _v64;
      				intOrPtr _v68;
      				struct HICON__* _v72;
      				struct _CRITICAL_SECTION* _v80;
      				signed int _v84;
      				signed int _v88;
      				struct _CRITICAL_SECTION* _v92;
      				intOrPtr _v100;
      				intOrPtr _v104;
      				intOrPtr _v108;
      				intOrPtr _v144;
      				char _v148;
      				void* __ebx;
      				void* __esi;
      				signed int _t166;
      				signed int _t179;
      				struct _CRITICAL_SECTION* _t186;
      				intOrPtr* _t189;
      				struct HICON__* _t194;
      				long _t198;
      				struct _CRITICAL_SECTION* _t210;
      				signed int _t211;
      				signed int _t215;
      				void* _t218;
      				signed int _t224;
      				intOrPtr _t228;
      				char _t261;
      				struct _CRITICAL_SECTION* _t262;
      				intOrPtr _t266;
      				signed int _t267;
      				struct _CRITICAL_SECTION* _t272;
      				signed int _t274;
      				intOrPtr _t291;
      				intOrPtr _t304;
      				intOrPtr* _t306;
      				struct _CRITICAL_SECTION* _t309;
      				signed int _t311;
      				long _t313;
      				void* _t314;
      				struct _CRITICAL_SECTION* _t315;
      				intOrPtr* _t319;
      				void* _t321;
      				void* _t324;
      				struct _CRITICAL_SECTION* _t325;
      				signed int _t326;
      				signed int _t327;
      				void* _t328;
      				void* _t330;
      
      				_push(0xffffffff);
      				_push(E00487176);
      				_push( *[fs:0x0]);
      				_t166 =  *0x4bb1dc; // 0x2927074f
      				_push(_t166 ^ _t327);
      				 *[fs:0x0] =  &_v16;
      				_t309 = __ecx;
      				_v24 = __ecx;
      				_v72 = SetCursor(LoadCursorW(0, 0x7f02));
      				E0045C5B0(GetParent( *(_t309 + 0x18)));
      				_t330 = _t328 - 0x84 + 4;
      				_v92 = _t309;
      				asm("xorps xmm0, xmm0");
      				asm("movlpd [ebp-0x54], xmm0");
      				_v80 = 0;
      				_v32 = 0;
      				EnterCriticalSection(_t309);
      				_v8 = 0;
      				E00418740(_t309, 0);
      				GetTickCount();
      				if(( *((intOrPtr*)(_t309 + 0x34)) -  *((intOrPtr*)(_t309 + 0x30)) & 0xfffffffc) != 4) {
      					L6:
      					_t261 = 0;
      					__eflags = 0;
      				} else {
      					_t304 =  *((intOrPtr*)( *((intOrPtr*)(_t309 + 0x30))));
      					if(( *(_t304 + 0x250) |  *(_t304 + 0x254)) == 0) {
      						_t305 =  *((intOrPtr*)(_t304 + 0x570));
      					} else {
      						_t305 =  *((intOrPtr*)(_t304 + 0x23c));
      					}
      					if( *((intOrPtr*)(_t304 + 0x588)) + _t305 <= 0x100000) {
      						goto L6;
      					} else {
      						_t261 = 1;
      					}
      				}
      				_v17 = 0;
      				_t313 = SendMessageW( *(_t309 + 0x18), 0x1042, 0, 0);
      				if(_t313 >= 0) {
      					E0040D160(_t309,  &_v52, _t313);
      					_t305 = _v44;
      					if(_t305 != 0) {
      						_v68 =  *((intOrPtr*)(_t305 + 0x1c));
      						_v64 =  *((intOrPtr*)(_t305 + 0x20));
      						_v60 =  *((intOrPtr*)(_t305 + 0x10));
      						asm("movdqu xmm0, [ebp-0x40]");
      						asm("movdqu [ebp-0x54], xmm0");
      						_v32 = _t313 - SendMessageW( *(_t309 + 0x18), 0x1027, 0, 0);
      					}
      					E0040F960( &_v52, _t313);
      				}
      				_t339 = _a4;
      				if(_a4 == 0) {
      					_t179 =  *(_t309 + 0x2c);
      					__eflags = _t179;
      					if(_t179 == 0) {
      						E0047040C( *(_t309 + 0x20));
      						_t330 = _t330 + 4;
      						 *(_t309 + 0x20) = 0;
      					} else {
      						VirtualFree( *(_t309 + 0x20), _t179 + _t179 * 2 << 3, 0x4000);
      					}
      					 *(_t309 + 0x24) = 0;
      					_t272 = 0;
      					 *(_t309 + 0x28) = 0;
      					_t314 = 0;
      					 *((char*)(_t309 + 0x1c)) = _t261;
      					_t262 = 0;
      					__eflags =  *((intOrPtr*)(_t309 + 0x34)) -  *((intOrPtr*)(_t309 + 0x30)) >> 2;
      					if(__eflags != 0) {
      						_t224 =  *((intOrPtr*)(_t309 + 0x34)) -  *((intOrPtr*)(_t309 + 0x30));
      						__eflags = _t224;
      						_t306 =  *((intOrPtr*)(_t309 + 0x30));
      						_t311 = _t224 >> 2;
      						do {
      							_t291 =  *_t306;
      							__eflags =  *(_t291 + 0x250) |  *(_t291 + 0x254);
      							if(( *(_t291 + 0x250) |  *(_t291 + 0x254)) == 0) {
      								_t228 =  *((intOrPtr*)(_t291 + 0x570));
      							} else {
      								_t228 =  *((intOrPtr*)(_t291 + 0x23c));
      							}
      							_t314 = _t314 + 1;
      							_t262 = _t262 + _t228;
      							_t306 = _t306 + 4;
      							__eflags = _t314 - _t311;
      						} while (_t314 < _t311);
      						_t309 = _v24;
      						_a4 = _t262;
      						_t262 = 0;
      						__eflags = 0;
      						_t272 = _a4;
      					}
      					E0040C870( &_v148, _t305, __eflags,  *(_t309 + 0x18), L"Applying Event Filter", _t272,  &_v17);
      					_t315 = _t309 + 0x84;
      					_v8 = 3;
      					EnterCriticalSection(_t315);
      					_t186 = _t309 + 0x84;
      					LeaveCriticalSection(_t186);
      					__eflags =  *((intOrPtr*)(_t315 + 0x1c)) -  *((intOrPtr*)(_t186 + 0x18)) >> 5;
      					_a7 =  *((intOrPtr*)(_t315 + 0x1c)) -  *((intOrPtr*)(_t186 + 0x18)) >> 5 != 0;
      					_t274 = 0;
      					_v24 = 0;
      					__eflags = _v17;
      					if(_v17 == 0) {
      						while(1) {
      							__eflags = _t274 -  *((intOrPtr*)(_t309 + 0x34)) -  *((intOrPtr*)(_t309 + 0x30)) >> 2;
      							if(_t274 >=  *((intOrPtr*)(_t309 + 0x34)) -  *((intOrPtr*)(_t309 + 0x30)) >> 2) {
      								goto L45;
      							}
      							_t210 =  *((intOrPtr*)( *((intOrPtr*)(_t309 + 0x30)) + _t274 * 4));
      							_v28 = _t210;
      							__imp__AcquireSRWLockShared(_t210);
      							_t324 = 0;
      							_t211 = E004168B0(_v28);
      							__eflags = _t211;
      							if(_t211 != 0) {
      								do {
      									E004677F0(_v28,  &_v52, _t324);
      									__eflags = _a7;
      									_v8 = 4;
      									if(_a7 != 0) {
      										_t215 = E00414070(_t309 + 0x84,  &_v52);
      										__eflags = _t215;
      										if(_t215 != 0) {
      											_t305 = _v44;
      											_v108 =  *((intOrPtr*)(_t305 + 0x1c));
      											_v104 =  *((intOrPtr*)(_t305 + 0x20));
      											_v100 =  *((intOrPtr*)(_t305 + 0x10));
      											asm("movdqu xmm0, [ebp-0x68]");
      											goto L39;
      										}
      									} else {
      										_t305 = _v44;
      										_v68 =  *((intOrPtr*)(_t305 + 0x1c));
      										_v64 =  *((intOrPtr*)(_t305 + 0x20));
      										_v60 =  *((intOrPtr*)(_t305 + 0x10));
      										asm("movdqu xmm0, [ebp-0x40]");
      										L39:
      										_push(0xffffffff);
      										_push(_t324);
      										_push(_v24);
      										_t330 = _t330 - 0x10;
      										asm("movdqu [eax], xmm0");
      										E0040E7C0(_t262, _t309 + 0x1c, _t324);
      									}
      									_t262 = _t262 + 1;
      									_v8 = 3;
      									__eflags = _v17;
      									_v144 = _t262;
      									if(_v17 != 0) {
      										E0040F960( &_v52, _t324);
      									} else {
      										goto L41;
      									}
      									goto L44;
      									L41:
      									E0040F960( &_v52, _t324);
      									_t324 = _t324 + 1;
      									_t218 = E004168B0(_v28);
      									__eflags = _t324 - _t218;
      								} while (_t324 < _t218);
      							}
      							L44:
      							__imp__ReleaseSRWLockShared(_v28);
      							_t274 = _v24 + 1;
      							__eflags = _v17;
      							_v24 = _t274;
      							if(_v17 == 0) {
      								continue;
      							}
      							goto L45;
      						}
      					}
      				} else {
      					_t266 = 0;
      					E0040C870( &_v148, _t305, _t339,  *(_t309 + 0x18), L"Applying Event Filter",  *(_t309 + 0x28),  &_v17);
      					_t325 = 0;
      					_v8 = 1;
      					_v24 = 0;
      					if( *(_t309 + 0x28) > 0) {
      						_v28 = 0;
      						_a4 = 0;
      						while(1) {
      							E0040D160(_t309,  &_v52, _t325);
      							_v8 = 2;
      							if(E00414070(_t309 + 0x84,  &_v52) != 0) {
      								_v24 = _v24 + 1;
      								asm("movdqu xmm0, [eax+ecx]");
      								asm("movdqu [eax+edx], xmm0");
      								asm("movq xmm0, [eax+ecx+0x10]");
      								asm("movq [eax+edx+0x10], xmm0");
      								_t305 = _v28 + 0x18;
      								_v28 = _v28 + 0x18;
      							}
      							_t266 = _t266 + 1;
      							_v8 = 1;
      							_v144 = _t266;
      							if(_v17 != 0) {
      								break;
      							}
      							E0040F960( &_v52, _t325);
      							_a4 = _a4 + 0x18;
      							_t325 = _t325 + 1;
      							if(_t325 <  *(_t309 + 0x28)) {
      								continue;
      							} else {
      							}
      							goto L20;
      						}
      						E0040F960( &_v52, _t325);
      					}
      					L20:
      					_t326 =  *(_t309 + 0x28);
      					_t267 = _v24;
      					E00471540( *(_t309 + 0x20) + (_t267 + _t267 * 2) * 8,  *(_t309 + 0x20) + (_t326 + _t326 * 2) * 8, _t326 - _t326 + (_t326 - _t326) * 2 << 3);
      					_t330 = _t330 + 0xc;
      					 *(_t309 + 0x28) =  *(_t309 + 0x28) + _t267 - _t326;
      				}
      				L45:
      				_t142 =  &_v148; // 0x487176
      				_v8 = 0;
      				E0040C9C0(_t142);
      				if(_v17 != 0) {
      					MessageBoxW( *(_t309 + 0x18), L"Operation cancelled: The listview data may be incomplete", L"Process Monitor", 0x40);
      				}
      				_v8 = 0xffffffff;
      				LeaveCriticalSection(_t309);
      				E00418740(_t309, 0);
      				_t189 =  *((intOrPtr*)(_t309 + 0x6c));
      				_t319 =  *_t189;
      				if(_t319 != _t189) {
      					do {
      						 *((intOrPtr*)( *((intOrPtr*)(_t319 + 8))))(0);
      						_t319 =  *_t319;
      						_t330 = _t330 + 4;
      					} while (_t319 !=  *((intOrPtr*)(_t309 + 0x6c)));
      				}
      				if((_v88 | _v84) != 0) {
      					_a4 = _t309;
      					EnterCriticalSection(_t309);
      					_v8 = 5;
      					_t321 = E0040EA10(_t309 + 0x1c,  &_v88, 1);
      					_v8 = 0xffffffff;
      					LeaveCriticalSection(_t309);
      					E004366B0( *(_t309 + 0x18), _t321, 1);
      					_t198 = SendMessageW( *(_t309 + 0x18), 0x1027, 0, 0);
      					SendMessageW( *(_t309 + 0x18), 0x1014, 0, (SendMessageW( *(_t309 + 0x18), 0x1033, 1, 0) >> 0x10) * (_t321 - _v32 - _t198));
      				}
      				InvalidateRect( *(_t309 + 0x18), 0, 0);
      				E0045C730(_t305);
      				_t194 = SetCursor(_v72);
      				 *[fs:0x0] = _v16;
      				return _t194;
      			}

      APIs
      • LoadCursorW.USER32(00000000,00007F02), ref: 00418177
      • SetCursor.USER32(00000000), ref: 0041817E
      • GetParent.USER32(?), ref: 0041818A
        • Part of subcall function 0045C5B0: GetDlgItem.USER32 ref: 0045C5F7
        • Part of subcall function 0045C5B0: SendMessageW.USER32(00000000), ref: 0045C5FE
      • EnterCriticalSection.KERNEL32 ref: 004181AD
        • Part of subcall function 00418740: SendMessageW.USER32(00000000,00001027,00000000,00000000), ref: 00418788
        • Part of subcall function 00418740: SendMessageW.USER32(00000000,00001028,00000000,00000000), ref: 0041879E
        • Part of subcall function 00418740: EnterCriticalSection.KERNEL32(004BCA10), ref: 004187A8
        • Part of subcall function 00418740: LeaveCriticalSection.KERNEL32(004BCA10), ref: 004187B9
        • Part of subcall function 00418740: EnterCriticalSection.KERNEL32(004BCA10), ref: 004187C8
        • Part of subcall function 00418740: LeaveCriticalSection.KERNEL32(004BCA10), ref: 004187D9
        • Part of subcall function 00418740: EnterCriticalSection.KERNEL32(004BCA10), ref: 004187EE
      • GetTickCount.KERNEL32 ref: 004181C3
      • SendMessageW.USER32(?,00001042,00000000,00000000), ref: 0041821D
      • SendMessageW.USER32(?,00001027,00000000,00000000), ref: 00418264
      • _memmove.LIBCMT ref: 0041834A
      • VirtualFree.KERNEL32(?,?,00004000), ref: 00418372
        • Part of subcall function 00414070: EnterCriticalSection.KERNEL32(004BCA68,2927074F,004BCA94,?,00000000,?,?,-00000001,004BCA10), ref: 004140A1
        • Part of subcall function 00414070: LeaveCriticalSection.KERNEL32(?), ref: 00414110
      • _free.LIBCMT ref: 0041837D
      • EnterCriticalSection.KERNEL32(?,?,Applying Event Filter,00000000,00000000), ref: 00418416
      • LeaveCriticalSection.KERNEL32(?), ref: 0041842C
      • AcquireSRWLockShared.KERNEL32(?,00487176), ref: 00418461
      • ReleaseSRWLockShared.KERNEL32(?), ref: 0041852B
        • Part of subcall function 0040F960: ReleaseSRWLockShared.KERNEL32(?,004C2538,00468906,004C2538,000000FF,?,?,00467152,00000000,004C255C), ref: 0040F971
      • MessageBoxW.USER32(?,Operation cancelled: The listview data may be incomplete,Process Monitor,00000040), ref: 00418566
      • LeaveCriticalSection.KERNEL32(?,00487176), ref: 0041857A
      • EnterCriticalSection.KERNEL32(?,00000000,?,00487176), ref: 004185AD
      • LeaveCriticalSection.KERNEL32(?,?,00000001,?,00000000,?,00487176), ref: 004185D2
      • SendMessageW.USER32(?,00001027,00000000,00000000), ref: 004185F4
      • SendMessageW.USER32(?,00001033,00000001,00000000), ref: 00418607
      • SendMessageW.USER32(?,00001014,00000000,00000000), ref: 0041861A
      • InvalidateRect.USER32(?,00000000,00000000,00000000,?,00487176), ref: 00418623
      • SetCursor.USER32(?,?,00487176), ref: 00418631
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Message$Send$Enter$Leave$CursorLockShared$Release$AcquireCountFreeInvalidateItemLoadParentRectTickVirtual_free_memmove
      • String ID: Applying Event Filter$Operation cancelled: The listview data may be incomplete$Process Monitor$vqH
      • API String ID: 3566328307-1340453759
      • Opcode ID: d881e647be20f37e36617fb630b77507cf47e916648c4e3c9c387589b7e273cd
      • Instruction ID: 4df195615fd793c2c1a20f46447b56a460968df1e26fdaf7818df92683afd225
      • Opcode Fuzzy Hash: d881e647be20f37e36617fb630b77507cf47e916648c4e3c9c387589b7e273cd
      • Instruction Fuzzy Hash: B5F1C27190060AEFDB14DFA8C885BDEBBB4FF44304F14426EE805A7691DB34A995CB98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E00421580(struct _CRITICAL_SECTION* __ecx, void* __edx, int _a4, WCHAR* _a8, long _a12, long _a16, long _a20, intOrPtr _a24, intOrPtr _a28) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				short _v540;
      				char _v541;
      				long _v548;
      				int _v552;
      				int _v556;
      				long _v560;
      				long _v564;
      				WCHAR* _v568;
      				intOrPtr _v580;
      				char _v588;
      				int _v592;
      				int _v596;
      				int _v632;
      				char _v636;
      				long _v640;
      				struct _CRITICAL_SECTION* _v644;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t233;
      				signed int _t234;
      				long _t245;
      				void* _t262;
      				long _t275;
      				long _t283;
      				void* _t287;
      				long _t291;
      				long _t296;
      				void* _t298;
      				long _t306;
      				int _t307;
      				long _t317;
      				void* _t319;
      				void* _t320;
      				long _t324;
      				long _t329;
      				long _t332;
      				long _t340;
      				long _t349;
      				void* _t352;
      				intOrPtr _t353;
      				long _t355;
      				long _t356;
      				long _t361;
      				long _t367;
      				void* _t370;
      				int _t371;
      				long _t381;
      				long _t387;
      				struct _CRITICAL_SECTION* _t392;
      				void* _t393;
      				signed int _t400;
      				signed int _t439;
      				void* _t466;
      				long _t468;
      				long _t469;
      				int _t470;
      				void* _t471;
      				long _t472;
      				struct _CRITICAL_SECTION* _t474;
      				long _t477;
      				long _t478;
      				long _t479;
      				void* _t481;
      				void* _t482;
      				int _t483;
      				int _t485;
      				long _t486;
      				intOrPtr _t487;
      				void* _t488;
      				void* _t489;
      				int _t491;
      				signed int _t495;
      				void* _t496;
      				void* _t497;
      				void* _t498;
      				void* _t500;
      				void* _t503;
      
      				_t466 = __edx;
      				_push(0xffffffff);
      				_push(0x487eb3);
      				_push( *[fs:0x0]);
      				_t497 = _t496 - 0x274;
      				_t233 =  *0x4bb1dc; // 0x2927074f
      				_t234 = _t233 ^ _t495;
      				_v20 = _t234;
      				_push(_t234);
      				 *[fs:0x0] =  &_v16;
      				_t392 = __ecx;
      				_t477 = _a16;
      				_v552 = _a4;
      				_v568 = _a8;
      				_v560 = 0;
      				_v564 = _t477;
      				_v541 = 0;
      				if(( *((intOrPtr*)(__ecx + 0x34)) -  *((intOrPtr*)(__ecx + 0x30)) & 0xfffffffc) != 0) {
      					_t468 = _a12;
      					_t241 = EnterCriticalSection;
      					__eflags = _t468 - 1;
      					if(_t468 == 1) {
      						_t474 = __ecx + 0x84;
      						EnterCriticalSection(_t474);
      						LeaveCriticalSection(_t474);
      						__eflags =  *((intOrPtr*)(_t474 + 0x1c)) -  *((intOrPtr*)(_t474 + 0x18)) >> 5;
      						_t477 = _v564;
      						_t468 =  ==  ? 0 : _a12;
      						_t241 = EnterCriticalSection;
      						_a12 = _t468;
      					}
      					_v644 = _t392;
      					 *_t241(_t392);
      					_v8 = 0;
      					__eflags = _t477;
      					if(__eflags != 0) {
      						_v548 = 0;
      						E00471CA4( &_v548, _v568, L"wt, ccs=utf-8");
      						_t245 = _v548;
      						_t498 = _t497 + 0xc;
      						__eflags = _t245;
      						if(_t245 != 0) {
      							__eflags = _t477 - 1;
      							if(__eflags != 0) {
      								_push(L"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
      								_push(_t245);
      								E00472526(_t392, _t466, _t468, _t477, __eflags);
      								E00438E60(__eflags, _v548, L"procmon", 1);
      								E00438E60(__eflags, _v548, L"processlist", 1);
      								E004229A0(_t392, _t466, _v548);
      								E00438E60(__eflags, _v548, L"processlist", 0);
      								E00438E60(__eflags, _v548, L"eventlist", 1);
      								_t500 = _t498 + 0x38;
      								L61:
      								_v596 = 0;
      								__eflags = _t477 - 1;
      								_v592 = 0;
      								_t253 =  ==  ? E00422030 : E00422120;
      								_v560 =  ==  ? E00422030 : E00422120;
      								_v596 = E00423280();
      								_v8 = 9;
      								_t469 = _t468;
      								__eflags = _t469;
      								if(_t469 == 0) {
      									E0040C870( &_v636, _t466, __eflags, _v552, L"Process Monitor - Exporting event data", E00419550(_t392),  &_v541);
      									_t400 = 0;
      									_t470 = 0;
      									_v8 = 0xa;
      									_v556 = 0;
      									__eflags =  *((intOrPtr*)(_t392 + 0x34)) -  *((intOrPtr*)(_t392 + 0x30)) >> 2;
      									if( *((intOrPtr*)(_t392 + 0x34)) -  *((intOrPtr*)(_t392 + 0x30)) >> 2 == 0) {
      										L69:
      										_v8 = 9;
      										E0040C9C0( &_v636);
      										L70:
      										__eflags = _v564 - 2;
      										if(__eflags == 0) {
      											E00438E60(__eflags, _v548, L"eventlist", 0);
      											E00438E60(__eflags, _v548, L"procmon", 0);
      											_t500 = _t500 + 0x18;
      										}
      										_t478 = 0;
      										__eflags = 0;
      										L73:
      										_push(_v548);
      										_t262 = L00471E1F(_t392, _t470, _t478, __eflags);
      										_v8 = 0;
      										__eflags = _t262 - 0xffffffff;
      										_t479 =  ==  ? 4 : _t478;
      										E004237D0( &_v596,  &_v640,  *_v596, _v596);
      										E0046EF07(_v596);
      										goto L74;
      									} else {
      										goto L88;
      									}
      									do {
      										L88:
      										_t482 = 0;
      										_v552 =  *((intOrPtr*)( *((intOrPtr*)(_t392 + 0x30)) + _t400 * 4));
      										_t275 = E004168B0( *((intOrPtr*)( *((intOrPtr*)(_t392 + 0x30)) + _t400 * 4)));
      										__eflags = _t275;
      										if(_t275 == 0) {
      											goto L93;
      										}
      										while(1) {
      											E004677F0(_v552,  &_v588, _t482);
      											_v8 = 0xb;
      											_t283 = _v560(_v548,  &_v588,  &_v596, _a24, _a28);
      											_t500 = _t500 + 0x14;
      											__eflags = _t283;
      											if(_t283 == 0) {
      												break;
      											}
      											__eflags = _v541;
      											if(_v541 != 0) {
      												break;
      											}
      											_v632 = _t470;
      											_t470 = _t470 + 1;
      											_v8 = 0xa;
      											E0040F960( &_v588, _t482);
      											_t482 = _t482 + 1;
      											_t287 = E004168B0(_v552);
      											__eflags = _t482 - _t287;
      											if(_t482 < _t287) {
      												continue;
      											}
      											goto L93;
      										}
      										_v8 = 0xa;
      										L96:
      										_t478 = 4;
      										E0040F960( &_v588, 4);
      										_v8 = 9;
      										E0040C9C0( &_v636);
      										goto L73;
      										L93:
      										_t400 = _v556 + 1;
      										_v556 = _t400;
      										__eflags = _t400 -  *((intOrPtr*)(_t392 + 0x34)) -  *((intOrPtr*)(_t392 + 0x30)) >> 2;
      									} while (_t400 <  *((intOrPtr*)(_t392 + 0x34)) -  *((intOrPtr*)(_t392 + 0x30)) >> 2);
      									goto L69;
      								}
      								_t470 = _t469 - 1;
      								__eflags = _t470;
      								if(__eflags == 0) {
      									E0040C870( &_v636, _t466, __eflags, _v552, L"Process Monitor - Exporting event data", E00416870(_t392),  &_v541);
      									_v8 = 0xc;
      									_t483 = 0;
      									_t291 = E00416870(_t392);
      									__eflags = _t291;
      									if(_t291 == 0) {
      										goto L69;
      									}
      									_t470 = _v560;
      									while(1) {
      										E0040D160(_t392,  &_v588, _t483);
      										_v8 = 0xd;
      										_t296 =  *_t470(_v548,  &_v588,  &_v596, _a24, _a28);
      										_t500 = _t500 + 0x14;
      										__eflags = _t296;
      										if(_t296 == 0) {
      											break;
      										}
      										__eflags = _v541;
      										if(_v541 != 0) {
      											break;
      										}
      										_v632 = _t483;
      										_v8 = 0xc;
      										E0040F960( &_v588, _t483);
      										_t483 = _t483 + 1;
      										_t298 = E00416870(_t392);
      										__eflags = _t483 - _t298;
      										if(_t483 < _t298) {
      											continue;
      										}
      										goto L69;
      									}
      									_v8 = 0xc;
      									goto L96;
      								}
      								_t470 = _t470 - 1;
      								__eflags = _t470;
      								if(__eflags != 0) {
      									goto L70;
      								}
      								E0040C870( &_v636, _t466, __eflags, _v552, L"Process Monitor - Exporting event data", SendMessageW( *(_t392 + 0x18), 0x1032, _t470, _t470),  &_v541);
      								_v8 = 0xe;
      								_v552 = _t470;
      								_t485 = SendMessageW( *(_t392 + 0x18), 0x100c, 0xffffffff, 2);
      								__eflags = _t485 - 0xffffffff;
      								if(_t485 == 0xffffffff) {
      									goto L69;
      								}
      								_t470 = _v560;
      								while(1) {
      									E0040D160(_t392,  &_v588, _t485);
      									_v8 = 0xf;
      									_t306 =  *_t470(_v548,  &_v588,  &_v596, _a24, _a28);
      									_t500 = _t500 + 0x14;
      									__eflags = _t306;
      									if(_t306 == 0) {
      										break;
      									}
      									__eflags = _v541;
      									if(_v541 != 0) {
      										break;
      									}
      									_t307 = _v552;
      									_v632 = _t307;
      									_v552 = _t307 + 1;
      									_v8 = 0xe;
      									E0040F960( &_v588, _t485);
      									_t485 = SendMessageW( *(_t392 + 0x18), 0x100c, _t485, 2);
      									__eflags = _t485 - 0xffffffff;
      									if(_t485 != 0xffffffff) {
      										continue;
      									}
      									goto L69;
      								}
      								_v8 = 0xe;
      								goto L96;
      							}
      							_t486 = 0;
      							__eflags =  *0x4bd790 - _t486; // 0x0
      							if(__eflags <= 0) {
      								L59:
      								_push("\n");
      								_push(_t245);
      								E00472526(_t392, _t466, _t468, _t486, __eflags);
      								_t477 = _v564;
      								_t500 = _t498 + 8;
      								goto L61;
      							} else {
      								goto L55;
      							}
      							do {
      								L55:
      								LoadStringW( *0x4bd2c4,  *(0x4bd794 + _t486 * 4),  &_v540, 0x104);
      								__eflags = _t486;
      								if(__eflags > 0) {
      									_push(_v548);
      									_push(0x2c);
      									E004724AF(_t392, _t466, _t468, _t486, __eflags);
      									_t498 = _t498 + 8;
      								}
      								_push( &_v540);
      								_push(L"\"%s\"");
      								_push(_v548);
      								E00472526(_t392, _t466, _t468, _t486, __eflags);
      								_t486 = _t486 + 1;
      								_t498 = _t498 + 0xc;
      								__eflags = _t486 -  *0x4bd790; // 0x0
      							} while (__eflags < 0);
      							_t245 = _v548;
      							goto L59;
      						}
      						goto L77;
      					} else {
      						_push(0x590);
      						_t317 = E0046EEB6(_t392, _t468, __eflags);
      						_t503 = _t497 + 4;
      						_v556 = _t317;
      						_v8 = 1;
      						__eflags = _t317;
      						if(__eflags == 0) {
      							_t472 = 0;
      							__eflags = 0;
      							_v548 = 0;
      						} else {
      							_t387 = E00415A70(_t317, __eflags);
      							_t472 = _t387;
      							_v548 = _t387;
      						}
      						_v640 = _t472;
      						__eflags = _t472;
      						if(_t472 != 0) {
      							_t29 = _t472 + 0x578; // 0x578
      							InterlockedIncrement(_t29);
      						}
      						_v8 = 2;
      						_t487 =  *((intOrPtr*)( *((intOrPtr*)(_t392 + 0x34)) - 4));
      						_t33 = _t487 + 0x4ec; // 0x4ee
      						_t319 = E00441C60(_t33);
      						_t34 = _t487 + 0x51c; // 0x51e
      						_t35 = _t487 + 0x4b8; // 0x4ba
      						_t36 = _t472 + 0x51c; // 0x51c
      						_t37 = _t472 + 0x4b8; // 0x4b8
      						_t320 = E00440180(_t319, _t37, _t36, _t35, _t34);
      						_t38 = _t472 + 0x4ec; // 0x4ec
      						E0043F110(_t38, _t320);
      						__eflags = _a20;
      						_t323 =  !=  ? 0 : _a12;
      						_t324 =  !=  ? 0 : _a12;
      						__eflags = _t324;
      						if(_t324 == 0) {
      							E0040C870( &_v636, _t466, __eflags, _v552, L"Process Monitor - Exporting event data", E00419550(_t392),  &_v541);
      							_v8 = 3;
      							_v556 = 0;
      							_t329 = E00467370(_t472, _t466, _v568, E00419550(_t392), _t392);
      							__eflags = _t329;
      							if(_t329 != 0) {
      								goto L14;
      							}
      							_t439 = 0;
      							_v564 = 0;
      							__eflags =  *((intOrPtr*)(_t392 + 0x34)) -  *((intOrPtr*)(_t392 + 0x30)) >> 2;
      							if( *((intOrPtr*)(_t392 + 0x34)) -  *((intOrPtr*)(_t392 + 0x30)) >> 2 == 0) {
      								goto L44;
      							} else {
      								goto L32;
      							}
      							do {
      								L32:
      								_t488 = 0;
      								_t473 =  *((intOrPtr*)( *((intOrPtr*)(_t392 + 0x30)) + _t439 * 4));
      								_t340 = E004168B0( *((intOrPtr*)( *((intOrPtr*)(_t392 + 0x30)) + _t439 * 4)));
      								__eflags = _t340;
      								if(_t340 == 0) {
      									goto L40;
      								}
      								do {
      									E004677F0(_t473,  &_v588, _t488);
      									__eflags = _a12;
      									_v8 = 4;
      									if(_a12 == 0) {
      										L37:
      										_t349 = L00421FA0(_t466, _v548,  &_v588,  &_v636,  &_v556);
      										_t503 = _t503 + 0x10;
      										__eflags = _t349;
      										if(_t349 == 0) {
      											L42:
      											_v560 = 4;
      											_v8 = 3;
      											E0040F960( &_v588, _t488);
      											L43:
      											_t472 = _v548;
      											goto L44;
      										}
      										__eflags = _v541;
      										if(_v541 != 0) {
      											goto L42;
      										}
      										goto L39;
      									}
      									_t353 = _v580;
      									__eflags =  *((short*)(_t353 + 8)) - 4;
      									if( *((short*)(_t353 + 8)) == 4) {
      										goto L37;
      									}
      									_t355 = E00414070(_t392 + 0x84,  &_v588);
      									__eflags = _t355;
      									if(_t355 == 0) {
      										goto L39;
      									}
      									goto L37;
      									L39:
      									_v8 = 3;
      									E0040F960( &_v588, _t488);
      									_t488 = _t488 + 1;
      									_t352 = E004168B0(_t473);
      									__eflags = _t488 - _t352;
      								} while (_t488 < _t352);
      								L40:
      								_t439 = _v564 + 1;
      								_v564 = _t439;
      								__eflags = _t439 -  *((intOrPtr*)(_t392 + 0x34)) -  *((intOrPtr*)(_t392 + 0x30)) >> 2;
      							} while (_t439 <  *((intOrPtr*)(_t392 + 0x34)) -  *((intOrPtr*)(_t392 + 0x30)) >> 2);
      							goto L43;
      						} else {
      							_t356 = _t324 - 1;
      							__eflags = _t356;
      							if(__eflags == 0) {
      								E0040C870( &_v636, _t466, __eflags, _v552, L"Process Monitor - Exporting event data", E00416870(_t392),  &_v541);
      								_v8 = 5;
      								_v556 = 0;
      								_t329 = E00467370(_t472, _t466, _v568, E00416870(_t392), _t392);
      								__eflags = _t329;
      								if(_t329 != 0) {
      									L14:
      									SetLastError(_t329);
      									_v8 = 2;
      									_t479 = 5;
      									E0040C9C0( &_v636);
      									L48:
      									_v8 = 0;
      									__eflags = _t472;
      									if(_t472 != 0) {
      										_t119 = _t472 + 0x578; // 0x578
      										_t332 = InterlockedDecrement(_t119);
      										__eflags = _t332 - 2;
      										if(_t332 < 2) {
      											E00467460(_t472, _t332);
      										}
      									}
      									L74:
      									__eflags = _t479;
      									if(_t479 != 0) {
      										DeleteFileW(_v568);
      									}
      									__eflags = _v541;
      									_t480 =  !=  ? 1 : _t479;
      									L77:
      									LeaveCriticalSection(_t392);
      									goto L78;
      								}
      								_t489 = 0;
      								_t361 = E00416870(_t392);
      								__eflags = _t361;
      								if(_t361 == 0) {
      									L44:
      									_v8 = 2;
      									E0040C9C0( &_v636);
      									_t479 = _v560;
      									__eflags = _t479;
      									if(_t479 != 0) {
      										goto L48;
      									}
      									L47:
      									__eflags = E00466B40(_t472);
      									_t479 =  ==  ? 4 : _t479;
      									goto L48;
      								}
      								while(1) {
      									E0040D160(_t392,  &_v588, _t489);
      									_v8 = 6;
      									_t367 = L00421FA0(_t466, _t472,  &_v588,  &_v636,  &_v556);
      									_t503 = _t503 + 0x10;
      									__eflags = _t367;
      									if(_t367 == 0) {
      										break;
      									}
      									__eflags = _v541;
      									if(_v541 != 0) {
      										break;
      									}
      									_v8 = 5;
      									E0040F960( &_v588, _t489);
      									_t489 = _t489 + 1;
      									_t370 = E00416870(_t392);
      									__eflags = _t489 - _t370;
      									if(_t489 < _t370) {
      										continue;
      									}
      									goto L44;
      								}
      								_v560 = 4;
      								_v8 = 5;
      								E0040F960( &_v588, _t489);
      								goto L44;
      							}
      							_t371 = _t356 - 1;
      							__eflags = _t371;
      							if(__eflags != 0) {
      								_t479 = 0;
      								__eflags = 0;
      								goto L47;
      							}
      							E0040C870( &_v636, _t466, __eflags, _v552, L"Process Monitor - Exporting event data", SendMessageW( *(_t392 + 0x18), 0x1032, _t371, _t371),  &_v541);
      							_v8 = 7;
      							_v556 = 0;
      							_t329 = E00467370(_t472, _t466, _v568, SendMessageW( *(_t392 + 0x18), 0x1032, 0, 0), _t392);
      							__eflags = _t329;
      							if(_t329 == 0) {
      								_t491 = SendMessageW( *(_t392 + 0x18), 0x100c, 0xffffffff, 2);
      								__eflags = _t491 - 0xffffffff;
      								if(_t491 == 0xffffffff) {
      									goto L44;
      								}
      								while(1) {
      									E0040D160(_t392,  &_v588, _t491);
      									_v8 = 8;
      									_t381 = L00421FA0(_t466, _t472,  &_v588,  &_v636,  &_v556);
      									_t503 = _t503 + 0x10;
      									__eflags = _t381;
      									if(_t381 == 0) {
      										break;
      									}
      									__eflags = _v541;
      									if(_v541 != 0) {
      										break;
      									}
      									_v8 = 7;
      									E0040F960( &_v588, _t491);
      									_t491 = SendMessageW( *(_t392 + 0x18), 0x100c, _t491, 2);
      									__eflags = _t491 - 0xffffffff;
      									if(_t491 != 0xffffffff) {
      										continue;
      									}
      									goto L44;
      								}
      								_v560 = 4;
      								_v8 = 7;
      								E0040F960( &_v588, _t491);
      								goto L44;
      							}
      							goto L14;
      						}
      					}
      				} else {
      					L78:
      					 *[fs:0x0] = _v16;
      					_pop(_t471);
      					_pop(_t481);
      					_pop(_t393);
      					return E0046F77E(_t393, _v20 ^ _t495, _t466, _t471, _t481);
      				}
      			}

      0x00421580
      0x00421583
      0x00421585
      0x00421590
      0x00421591
      0x00421597
      0x0042159c
      0x0042159e
      0x004215a4
      0x004215a8
      0x004215ae
      0x004215b3
      0x004215b6
      0x004215bf
      0x004215c7
      0x004215d3
      0x004215d9
      0x004215e5
      0x004215f1
      0x004215f4
      0x004215f9
      0x004215fc
      0x004215fe
      0x00421605
      0x00421611
      0x0042161c
      0x0042161e
      0x00421624
      0x00421627
      0x0042162c
      0x0042162c
      0x00421630
      0x00421636
      0x00421638
      0x0042163f
      0x00421641
      0x00421ab8
      0x00421ac3
      0x00421ac8
      0x00421ace
      0x00421ad1
      0x00421ad3
      0x00421add
      0x00421ae0
      0x00421b62
      0x00421b67
      0x00421b68
      0x00421b7a
      0x00421b8c
      0x00421b9c
      0x00421bae
      0x00421bc0
      0x00421bc5
      0x00421bc8
      0x00421bcd
      0x00421bd7
      0x00421bda
      0x00421be9
      0x00421bf2
      0x00421bfd
      0x00421c03
      0x00421c07
      0x00421c07
      0x00421c0a
      0x00421ea0
      0x00421ea8
      0x00421ead
      0x00421eb2
      0x00421eb6
      0x00421ebc
      0x00421ebe
      0x00421cfc
      0x00421d02
      0x00421d06
      0x00421d0b
      0x00421d0b
      0x00421d12
      0x00421d21
      0x00421d33
      0x00421d38
      0x00421d38
      0x00421d3b
      0x00421d3b
      0x00421d3d
      0x00421d3d
      0x00421d43
      0x00421d4b
      0x00421d4f
      0x00421d5d
      0x00421d70
      0x00421d7b
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00421ec4
      0x00421ec4
      0x00421ec7
      0x00421ece
      0x00421ed4
      0x00421ed9
      0x00421edb
      0x00000000
      0x00000000
      0x00421ee0
      0x00421eee
      0x00421efc
      0x00421f11
      0x00421f17
      0x00421f1a
      0x00421f1c
      0x00000000
      0x00000000
      0x00421f1e
      0x00421f25
      0x00000000
      0x00000000
      0x00421f27
      0x00421f33
      0x00421f34
      0x00421f38
      0x00421f43
      0x00421f44
      0x00421f49
      0x00421f4b
      0x00000000
      0x00000000
      0x00000000
      0x00421f4b
      0x00421f70
      0x00421f74
      0x00421f7a
      0x00421f7f
      0x00421f8a
      0x00421f8e
      0x00000000
      0x00421f4d
      0x00421f59
      0x00421f5d
      0x00421f63
      0x00421f63
      0x00000000
      0x00421f6b
      0x00421c10
      0x00421c10
      0x00421c11
      0x00421df2
      0x00421df9
      0x00421dfd
      0x00421dff
      0x00421e04
      0x00421e06
      0x00000000
      0x00000000
      0x00421e0c
      0x00421e12
      0x00421e1c
      0x00421e2a
      0x00421e3f
      0x00421e41
      0x00421e44
      0x00421e46
      0x00000000
      0x00000000
      0x00421e48
      0x00421e4f
      0x00000000
      0x00000000
      0x00421e57
      0x00421e5d
      0x00421e61
      0x00421e68
      0x00421e69
      0x00421e6e
      0x00421e70
      0x00000000
      0x00000000
      0x00000000
      0x00421e72
      0x00421e77
      0x00000000
      0x00421e77
      0x00421c17
      0x00421c17
      0x00421c18
      0x00000000
      0x00000000
      0x00421c49
      0x00421c5a
      0x00421c5e
      0x00421c66
      0x00421c68
      0x00421c6b
      0x00000000
      0x00000000
      0x00421c71
      0x00421c77
      0x00421c81
      0x00421c8f
      0x00421ca4
      0x00421ca6
      0x00421ca9
      0x00421cab
      0x00000000
      0x00000000
      0x00421cb1
      0x00421cb8
      0x00000000
      0x00000000
      0x00421cbe
      0x00421cca
      0x00421cd1
      0x00421cd7
      0x00421cdb
      0x00421cf1
      0x00421cf3
      0x00421cf6
      0x00000000
      0x00000000
      0x00000000
      0x00421cf6
      0x00421dc9
      0x00000000
      0x00421dc9
      0x00421ae6
      0x00421ae8
      0x00421aee
      0x00421b4c
      0x00421b4c
      0x00421b51
      0x00421b52
      0x00421b57
      0x00421b5d
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00421af0
      0x00421af0
      0x00421b09
      0x00421b0f
      0x00421b11
      0x00421b13
      0x00421b19
      0x00421b1b
      0x00421b20
      0x00421b20
      0x00421b29
      0x00421b2a
      0x00421b2f
      0x00421b35
      0x00421b3a
      0x00421b3b
      0x00421b3e
      0x00421b3e
      0x00421b46
      0x00000000
      0x00421b46
      0x00000000
      0x00421647
      0x00421647
      0x0042164c
      0x00421651
      0x00421654
      0x0042165a
      0x0042165e
      0x00421660
      0x00421673
      0x00421673
      0x00421675
      0x00421662
      0x00421664
      0x00421669
      0x0042166b
      0x0042166b
      0x0042167b
      0x00421681
      0x00421683
      0x00421685
      0x0042168c
      0x0042168c
      0x00421695
      0x00421699
      0x0042169c
      0x004216a2
      0x004216a7
      0x004216ae
      0x004216b5
      0x004216bc
      0x004216c5
      0x004216cb
      0x004216d1
      0x004216db
      0x004216de
      0x004216e1
      0x004216e1
      0x004216e3
      0x0042191c
      0x00421924
      0x00421928
      0x00421940
      0x00421945
      0x00421947
      0x00000000
      0x00000000
      0x00421950
      0x00421958
      0x0042195e
      0x00421960
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00421966
      0x00421966
      0x00421969
      0x0042196b
      0x00421970
      0x00421975
      0x00421977
      0x00000000
      0x00000000
      0x00421980
      0x0042198a
      0x0042198f
      0x00421993
      0x00421997
      0x004219bc
      0x004219d7
      0x004219dc
      0x004219df
      0x004219e1
      0x00421a2b
      0x00421a31
      0x00421a3b
      0x00421a3f
      0x00421a44
      0x00421a44
      0x00000000
      0x00421a44
      0x004219e3
      0x004219ea
      0x00000000
      0x00000000
      0x00000000
      0x004219ea
      0x00421999
      0x0042199f
      0x004219a4
      0x00000000
      0x00000000
      0x004219b3
      0x004219b8
      0x004219ba
      0x00000000
      0x00000000
      0x00000000
      0x004219ec
      0x004219f2
      0x004219f6
      0x004219fd
      0x004219fe
      0x00421a03
      0x00421a03
      0x00421a0b
      0x00421a17
      0x00421a1b

      APIs
      • LeaveCriticalSection.KERNEL32(?), ref: 00421611
      • InterlockedIncrement.KERNEL32(00000578), ref: 0042168C
      • SendMessageW.USER32(?,00001032,?,?), ref: 00421707
      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00421741
      • SetLastError.KERNEL32(00000000,?,00000000,?,?,Process Monitor - Exporting event data,00000000,00000000,00000000,000004B8,0000051C,000004BA,0000051E), ref: 00421757
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$CriticalErrorIncrementInterlockedLastLeaveSection
      • String ID: "%s"$<?xml version="1.0" encoding="UTF-8"?>$Process Monitor - Exporting event data$eventlist$processlist$procmon$wt, ccs=utf-8
      • API String ID: 775730344-1362190896
      • Opcode ID: 550f00768027ec5931c3bbf79827d59e2b99eb524db33f086ce52df2748ebea4
      • Instruction ID: 06bd0df2da25a756c63d621677d09f304a1c12ed958de0ef217827465aacf147
      • Opcode Fuzzy Hash: 550f00768027ec5931c3bbf79827d59e2b99eb524db33f086ce52df2748ebea4
      • Instruction Fuzzy Hash: A5429671A00168ABDF21DF65DC89BDE7775AF14304F4002EAE809B32A1DB789E85CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E0041E300(void* __ecx, void* __edx, struct HWND__* _a4, struct HWND__* _a8, int _a12, int _a16, char _a20) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				char _v540;
      				struct HWND__* _v544;
      				long _v548;
      				long _v552;
      				char _v560;
      				long _v564;
      				int _v576;
      				char _v584;
      				char _v592;
      				void* __ebx;
      				long __edi;
      				struct HWND__* __esi;
      				signed int _t124;
      				signed int _t125;
      				void* _t128;
      				void* _t133;
      				void* _t139;
      				void* _t142;
      				void* _t145;
      				signed int _t146;
      
      				_t139 = __edx;
      				_push(0xffffffff);
      				_push(E004879B7);
      				_push( *[fs:0x0]);
      				_t124 =  *0x4bb1dc; // 0x2927074f
      				_t125 = _t124 ^ _t146;
      				_v20 = _t125;
      				_push(_t125);
      				 *[fs:0x0] =  &_v16;
      				_t128 = _a4 + 0xffff638b;
      				_v544 = _a8;
      				if(_t128 <= 0x23) {
      					switch( *((intOrPtr*)(( *(_t128 + 0x41e8a4) & 0x000000ff) * 4 +  &M0041E854))) {
      						case 0:
      							__eax = E0041FD30(__ecx, __esi, _a12);
      							goto L62;
      						case 1:
      							E0041FC60(__ecx, _t144, _a12);
      							goto L62;
      						case 2:
      							__ebx = SendMessageW;
      							__edi = 0;
      							__eflags =  *0x496b0c - __edi; // 0x496c80
      							if(__eflags != 0) {
      								__eax = 0x496b0c;
      								do {
      									__eflags = __edi;
      									if(__edi != 0) {
      										__eax = SendMessageW(__esi, _a16, __eax, __edi);
      									}
      									__edi = __edi + 1;
      									__eflags =  *(0x496b0c + __edi * 4);
      									__eax = 0x496b0c + __edi * 4;
      								} while ( *(0x496b0c + __edi * 4) != 0);
      							}
      							__ecx =  &_v552;
      							_v552 = 0;
      							_v548 = 0;
      							__eax = E0045CBA0();
      							_v552 = __eax;
      							__eflags =  *0x4bd896;
      							_v8 = 0;
      							__al & 0x000000ff =  &_v552;
      							__eax = E0042B4E0( &_v552, __al & 0x000000ff);
      							__ecx = _v552;
      							__eax =  *__ecx;
      							_v544 = __eax;
      							__eflags = __eax - __ecx;
      							while(__eax != __ecx) {
      								_t36 = __eax + 0x10; // 0x10
      								__ecx = _t36;
      								__eax = E0046A170(_t36);
      								__eax = SendMessageW(__esi, _a16, __eax, __edi);
      								__ecx =  &_v544;
      								__eax = E00462600( &_v544);
      								__eax = _v544;
      								__ecx = _v552;
      								__eflags = __eax - __ecx;
      							}
      							__eax =  &_v544;
      							_v8 = 0xffffffff;
      							__ecx =  &_v552;
      							E0040E1E0( &_v552,  &_v544, _v552,  &_v552) = E0046EF07(_v552);
      							__eax =  *0x496b38; // 0x496e28
      							__edi = 0;
      							__eflags = __eax;
      							while(__eax != 0) {
      								__eax = SendMessageW(__esi, _a16, __eax, __edi);
      								__eax =  *(0x496b3c + __edi * 4);
      								__edi = __edi + 1;
      								__eflags = __eax;
      							}
      							__eax = 1;
      							_v544 = 1;
      							do {
      								__eax =  *(0x496b88 + __eax * 4);
      								__edi = 0;
      								__eflags = __eax;
      								while(__eax != 0) {
      									__eax = _v544;
      									__edi = __edi + 1;
      									__eax = _v544 + __edi * 2;
      									__eax =  *(0x496b88 + (_v544 + __edi * 2) * 4);
      									__eflags = __eax;
      								}
      								__eax = _v544;
      								__eax = _v544 - 1;
      								__eflags = __eax;
      								_v544 = __eax;
      							} while (__eax >= 0);
      							__eax =  *0x496be0; // 0x496db0
      							__edi = 0;
      							__eflags = __eax;
      							while(__eax != 0) {
      								__eax = SendMessageW(__esi, _a16, __eax, __edi);
      								__eax =  *(0x496be4 + __edi * 4);
      								__edi = __edi + 1;
      								__eflags = __eax;
      							}
      							goto L62;
      						case 3:
      							__ebx = SendMessageW;
      							__edi = 0;
      							do {
      								_t85 = __edi + 0x497dcc; // 0x48f8f8
      								__eax = SendMessageW(__esi, _a12, 0,  *_t85);
      								_t87 = __edi + 0x497dc8; // 0xffffffff
      								__eax = SendMessageW(__esi, _a16, __eax,  *_t87);
      								__edi = __edi + 8;
      								__eflags = __edi - 0x10;
      							} while (__edi < 0x10);
      							goto L62;
      						case 4:
      							__eflags = _a20;
      							if(_a20 == 0) {
      								__ecx =  &_v560;
      								__eax = E0041D5F0( &_v560);
      								__ecx = __edi;
      								_v8 = 1;
      								__ebx = 0;
      								__eax = E00416870(__edi);
      								__eflags = __eax;
      								if(__eax != 0) {
      									__esi = _a4;
      									_v548 = __edi;
      									do {
      										EnterCriticalSection(__edi);
      										__eax =  &_v584;
      										_v8 = 2;
      										__ecx = __edi;
      										__eax = E0040D160(__edi,  &_v584, __ebx);
      										__eflags = _v576;
      										_v8 = 3;
      										if(_v576 == 0) {
      											__eax = 0;
      											__eflags = 0;
      											_v540 = __ax;
      										} else {
      											__eax =  &_v540;
      											__ecx =  &_v584;
      											__eax = E004110C0(__edx, __edi, __esi,  &_v540, 0x104);
      										}
      										 &_v540 = E0046A530( &_v540);
      										__eax =  &_v540;
      										_v564 = E0046A6C0(__ebx,  &_v540,  &_v540);
      										__eax =  *0x4bca04 & 0x000000ff;
      										__ecx =  &_v560;
      										__eax =  &_v564;
      										_v8 = 4;
      										 &_v592 = E0041CFD0( &_v560,  &_v592, 0,  &_v564,  *0x4bca04 & 0x000000ff);
      										__ecx = _v564;
      										_v8 = 3;
      										__eflags = __ecx;
      										if(__ecx != 0) {
      											__eax = E0046A700(__ecx);
      										}
      										__ecx =  &_v584;
      										_v8 = 2;
      										__eax = E0040F960( &_v584, __esi);
      										_v8 = 1;
      										LeaveCriticalSection(__edi);
      										__ecx = __edi;
      										__ebx = __ebx + 1;
      										__eax = E00416870(__edi);
      										__eflags = __ebx - __eax;
      									} while (__ebx < __eax);
      									__esi = _v544;
      								}
      								__ecx =  &_v560;
      								E0041E000( &_v560, __esi, _a12) = _v560;
      								__ecx =  &_v560;
      								_v8 = 0xffffffff;
      								 &_v548 = E0040E1E0( &_v560,  &_v548, _v548,  &_v548);
      								__eax = E0046EF07(_v560);
      							}
      							goto L62;
      						case 5:
      							__eax = E0041EBA0(__ecx, __esi, _a12);
      							goto L62;
      						case 6:
      							__eax = E0041F0F0(__ecx, __esi, _a12);
      							goto L62;
      						case 7:
      							__eax = E0041EAD0(__ecx, __esi, _a12);
      							goto L62;
      						case 8:
      							__eax = E00421280(__ecx, __esi, _a12);
      							goto L62;
      						case 9:
      							__eax = E0041F600(__ecx, __esi, _a12);
      							goto L62;
      						case 0xa:
      							__eax = E00420C50(__ecx, __edx, __esi, _a12);
      							goto L62;
      						case 0xb:
      							__eax = E00421350(__ecx, __esi, _a12);
      							goto L62;
      						case 0xc:
      							__edi = 0;
      							__eflags =  *0x496af0 - __edi; // 0x496c08
      							if(__eflags != 0) {
      								__ebx = SendMessageW;
      								__eax = 0x496af0;
      								do {
      									__eflags = __edi;
      									if(__edi != 0) {
      										__eax = SendMessageW(__esi, _a16, __eax, __edi);
      									}
      									__edi = __edi + 1;
      									__eflags =  *(0x496af0 + __edi * 4);
      									__eax = 0x496af0 + __edi * 4;
      								} while ( *(0x496af0 + __edi * 4) != 0);
      							}
      							goto L62;
      						case 0xd:
      							__eax = E0041E090(__ecx, __edx, __esi, _a12);
      							goto L62;
      						case 0xe:
      							__ebx = SendMessageW;
      							__edi = 0;
      							__eflags = 0;
      							do {
      								_t70 = __edi + 0x497db4; // 0xffffffff
      								__eax = E00438B30( *_t70);
      								__eax = SendMessageW(__esi, _a12, 0, __eax);
      								_t72 = __edi + 0x497db4; // 0xffffffff
      								__eax = SendMessageW(__esi, _a16, __eax,  *_t72);
      								__edi = __edi + 4;
      								__eflags = __edi - 0xc;
      							} while (__edi < 0xc);
      							goto L62;
      						case 0xf:
      							__eax = E0041F6D0(__ecx, __esi, _a12);
      							goto L62;
      						case 0x10:
      							__eax =  *0x496bf0;
      							__edi = 0;
      							__eflags = __eax;
      							if(__eax != 0) {
      								__ebx = SendMessageW;
      								do {
      									__eax = SendMessageW(__esi, _a16, __eax, __edi);
      									__eax =  *(0x496bf4 + __edi * 4);
      									__edi = __edi + 1;
      									__eflags = __eax;
      								} while (__eax != 0);
      							}
      							goto L62;
      						case 0x11:
      							__eax = E0041FB90(__ecx, __esi, _a12);
      							goto L62;
      						case 0x12:
      							__ebx = SendMessageW;
      							__edi = 0;
      							__eflags = 0;
      							do {
      								_t74 = __edi + 0x497dc0; // 0x0
      								__eax = E00431C80( *_t74);
      								__eax = SendMessageW(__esi, _a12, 0, __eax);
      								_t76 = __edi + 0x497dc0; // 0x0
      								__eax = SendMessageW(__esi, _a16, __eax,  *_t76);
      								__edi = __edi + 4;
      								__eflags = __edi - 8;
      							} while (__edi < 8);
      							goto L62;
      						case 0x13:
      							goto L62;
      					}
      				}
      				L62:
      				 *[fs:0x0] = _v16;
      				_pop(_t142);
      				_pop(_t145);
      				_pop(_t133);
      				return E0046F77E(_t133, _v20 ^ _t146, _t139, _t142, _t145);
      			}

      APIs
      • SendMessageW.USER32(?,?,00000000,00496AF0), ref: 0041E3C3
      • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0041E3CB
      • SendMessageW.USER32(2927074F,?,00000000,00496B0C), ref: 0041E40C
      • SendMessageW.USER32(2927074F,?,00000000,00000000), ref: 0041E414
      • SendMessageW.USER32(2927074F,00000000,00000000,00000000), ref: 0041E492
      • SendMessageW.USER32(2927074F,?,00000000,00000000), ref: 0041E49A
      • SendMessageW.USER32(2927074F,00496E28,00000000,00496E28), ref: 0041E4F7
      • SendMessageW.USER32(2927074F,?,00000000,00000000), ref: 0041E4FF
      • SendMessageW.USER32(?,?,00000000,0048FC20), ref: 0041E5B7
      • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0041E5BF
      • SendMessageW.USER32(?,?,00000000,00000000), ref: 0041E5F5
      • SendMessageW.USER32(?,FFFFFFFF,00000000,FFFFFFFF), ref: 0041E602
      • SendMessageW.USER32(?,?,00000000,00000000), ref: 0041E635
      • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0041E642
      • SendMessageW.USER32(2927074F,?,00000000,0048F8F8), ref: 0041E6CC
      • SendMessageW.USER32(2927074F,?,00000000,FFFFFFFF), ref: 0041E6D9
      • EnterCriticalSection.KERNEL32(-00000008), ref: 0041E721
      • LeaveCriticalSection.KERNEL32(-00000008), ref: 0041E7DA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$CriticalSection$EnterLeave
      • String ID: (nI
      • API String ID: 4009585992-1029796183
      • Opcode ID: 1eeea129276b0e7d61663d0c1e89d289f8c9056baf9fffb6713ae06253c53d94
      • Instruction ID: f1b5092680802484c42a0c0b85443e9e62e1f961371d8f2719823b686cf60e1b
      • Opcode Fuzzy Hash: 1eeea129276b0e7d61663d0c1e89d289f8c9056baf9fffb6713ae06253c53d94
      • Instruction Fuzzy Hash: A7E1DE35500119EBDB11EF66DC44FEE7779BF09304F0000AAF905A3150EB39AAA2DB6E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E0043C8C0(int _a4, int _a8, intOrPtr _a12, wchar_t* _a16, int _a20) {
      				intOrPtr _v8;
      				char _v16;
      				signed int _v20;
      				signed int _t124;
      				signed int _t127;
      				signed int _t132;
      				intOrPtr _t136;
      				signed int _t146;
      
      				_push(0xffffffff);
      				_push(E0048A918);
      				_push( *[fs:0x0]);
      				_t124 =  *0x4bb1dc; // 0x2927074f
      				_push(_t124 ^ _t146);
      				 *[fs:0x0] =  &_v16;
      				_t136 = _a12;
      				_t132 = _a4;
      				_v20 = _t132;
      				_t127 =  *(_t136 + 8);
      				if(_t127 > 0x1b) {
      					L69:
      					_t132 = _t132 + 4;
      					L70:
      					 *[fs:0x0] = _v16;
      					return _t132 - _v20;
      				}
      				switch( *((intOrPtr*)(_t127 * 4 +  &M0043CD88))) {
      					case 0:
      						_t145 = _a16;
      						_t140 = 0;
      						if( *(_t136 + 0xc) > 0) {
      							do {
      								_t130 =  *_t132;
      								_t132 = _t132 + 1;
      								 *((short*)(_t145 + _t140 * 2)) = _t130;
      								_t140 = _t140 + 1;
      							} while (_t140 <  *(_t136 + 0xc));
      						}
      						goto L5;
      					case 1:
      						__esi = _a16;
      						__edx = 0;
      						__eflags =  *(__ecx + 0xc);
      						if( *(__ecx + 0xc) <= 0) {
      							goto L5;
      						}
      						do {
      							__ax =  *__ebx;
      							__ebx = __ebx + 2;
      							 *(__esi + __edx * 2) = __ax;
      							__edx = __edx + 1;
      							__eflags = __edx -  *(__ecx + 0xc);
      						} while (__edx <  *(__ecx + 0xc));
      						__eax =  *(__ecx + 0xc);
      						__ecx = 0;
      						 *((short*)(__esi + __eax * 2)) = __cx;
      						goto L70;
      					case 2:
      						__esi = _a16;
      						__edx = 0;
      						__eflags =  *(__ecx + 0xc);
      						if( *(__ecx + 0xc) <= 0) {
      							L5:
      							 *((short*)(_t145 +  *(_t136 + 0xc) * 2)) = 0;
      							goto L70;
      						} else {
      							goto L7;
      						}
      						do {
      							L7:
      							__eax =  *__ebx & 0x000000ff;
      							__ebx = __ebx + 1;
      							 *(__esi + __edx * 2) = __ax;
      							__edx = __edx + 1;
      							__eflags = __edx -  *(__ecx + 0xc);
      						} while (__edx <  *(__ecx + 0xc));
      						__eax =  *(__ecx + 0xc);
      						__ecx = 0;
      						 *((short*)(__esi + __eax * 2)) = __cx;
      						goto L70;
      					case 3:
      						 *__ebx = swprintf(_a16, _a20, L"%d",  *__ebx);
      						__ebx = __ebx + 1;
      						goto L70;
      					case 4:
      						__eax =  *__ebx;
      						_push( *__ebx);
      						_push(L"%d");
      						goto L15;
      					case 5:
      						__eax =  *__ebx & 0x0000ffff;
      						_push( *__ebx & 0x0000ffff);
      						_push(L"%u");
      						goto L15;
      					case 6:
      						_push( *__ebx);
      						_push(L"%d");
      						goto L68;
      					case 7:
      						_push( *__ebx);
      						_push("%lu");
      						goto L68;
      					case 8:
      						L19:
      						_push( *__ebx);
      						_push(L"0x%08X");
      						goto L68;
      					case 9:
      						__eax =  *(__ebx + 4);
      						__ecx =  *__ebx;
      						__ebx = __ebx + 8;
      						__eax = swprintf(_a16, _a20, L"%I64d", __ecx, __eax);
      						goto L70;
      					case 0xa:
      						__eax =  *(__ebx + 4);
      						__ecx =  *__ebx;
      						__ebx = __ebx + 8;
      						__eax = swprintf(_a16, _a20, L"%I64u", __ecx, __eax);
      						goto L70;
      					case 0xb:
      						asm("movss xmm0, [ebx]");
      						__ebx = __ebx + 4;
      						asm("cvtps2pd xmm0, xmm0");
      						goto L23;
      					case 0xc:
      						asm("movsd xmm0, [ebx]");
      						__ebx = __ebx + 8;
      						L23:
      						__esp = __esp - 8;
      						asm("movsd [esp], xmm0");
      						__eax = swprintf(_a16, _a20, L"%f");
      						goto L70;
      					case 0xd:
      						__eax = __eax + 0xfffffff3;
      						__eflags = __eax - 9;
      						if(__eax > 9) {
      							goto L41;
      						}
      						_t66 = __eax + 0x43ce08; // 0x33084d8b
      						__eax =  *_t66 & 0x000000ff;
      						switch( *((intOrPtr*)(( *_t66 & 0x000000ff) * 4 +  &M0043CDF8))) {
      							case 0:
      								goto L32;
      							case 1:
      								goto L40;
      							case 2:
      								goto L39;
      							case 3:
      								goto L41;
      						}
      					case 0xe:
      						__ecx = _a8;
      						__eax = __eax + 0xfffffff2;
      						__eflags = __eax - 9;
      						if(__eax > 9) {
      							L55:
      							__edi = _a4;
      							__edx = _a4;
      							__esi = _a4;
      							L56:
      							__ecx = __ecx - __edi;
      							__eax = __edx + __edx;
      							__eflags = __edx + __edx - __ecx;
      							if(__edx + __edx > __ecx) {
      								__edx = __ecx;
      								__edx = __ecx >> 1;
      								__eflags = __edx;
      							}
      							__ecx = _a20;
      							__eax = __ecx - 3;
      							__eflags = __edx - __eax;
      							__eax = swprintf(_a16, __ecx, L"\"%*ws\"", __edx, __ebx);
      							__ebx = __esi;
      							goto L70;
      						}
      						switch( *((intOrPtr*)(__eax * 4 +  &M0043CE14))) {
      							case 0:
      								__edx = __ebx;
      								__edi = __ebx;
      								__esi = __edx + 2;
      								do {
      									__ax =  *__edx;
      									__edx = __edx + 2;
      									__eflags = __ax;
      								} while (__ax != 0);
      								__edx = __edx - __esi;
      								__eflags = __edx;
      								__esi = __ebx + 2;
      								__edx = __edx >> 1;
      								__esi = __ebx + 2 + __edx * 2;
      								if(__eflags == 0) {
      									goto L56;
      								}
      								__eax = __ebx - 2;
      								__eax = __ebx - 2 + __edx * 2;
      								while(1) {
      									__ebx = 0xffff;
      									__eflags =  *__eax - __bx;
      									__ebx = __edi;
      									if( *__eax != __bx) {
      										goto L56;
      									}
      									__eax = __eax - 2;
      									__edx = __edx - 1;
      									__eflags = __edx;
      									if(__edx != 0) {
      										continue;
      									}
      									goto L56;
      								}
      								goto L56;
      							case 1:
      								__edx =  *__ebx & 0x000000ff;
      								__ebx = __ebx + 1;
      								__edi = __ebx;
      								__esi = __edx + __ebx;
      								__edx = __edx >> 1;
      								goto L56;
      							case 2:
      								__edx =  *__ebx & 0x000000ff;
      								__eax =  *(__ebx + 1) & 0x000000ff;
      								__ebx = __ebx + 2;
      								__edx = __edx << 8;
      								__edi = __ebx;
      								__edx = __edx + __eax;
      								__esi = __edx + __ebx;
      								__edx = __edx >> 1;
      								goto L56;
      							case 3:
      								__edx = __ecx;
      								__edi = __ebx;
      								__edx = __ecx - __ebx;
      								__esi = __ecx;
      								__edx = __ecx - __ebx >> 1;
      								goto L56;
      							case 4:
      								goto L55;
      						}
      					case 0xf:
      						__eflags =  *__ebx;
      						if( *__ebx != 0) {
      							__eflags =  *0x4bb11c - 0x40;
      							if( *0x4bb11c != 0x40) {
      								__ebx = __ebx + 8;
      								__eflags = __ebx;
      							} else {
      								__ebx = __ebx + 0x10;
      							}
      							__eax =  *(__ebx + 1) & 0x000000ff;
      							__edi = 8 + ( *(__ebx + 1) & 0x000000ff) * 4;
      							 &_a4 = E00437B60( &_a4, __ebx);
      							__ecx =  &_a4;
      							_v8 = 0;
      							__eax = E0046A170( &_a4);
      							__esi = _a16;
      							__eax = E0046EF0C(__esi, _a20, __eax);
      							__ecx = _a4;
      							__eax = 0;
      							 *__esi = __ax;
      							__ebx = __ebx + 8 + ( *(__ebx + 1) & 0x000000ff) * 4;
      							_v8 = 0xffffffff;
      							__eflags = __ecx;
      							if(__ecx != 0) {
      								__eax = E0046A700(__ecx);
      							}
      						} else {
      							__ebx = __ebx + 4;
      							__eax = swprintf(_a16, _a20, "0");
      						}
      						goto L70;
      					case 0x10:
      						__ecx =  *__ebx;
      						__ecx = __ecx >> 0x18;
      						__ecx = __ecx >> 0x10;
      						__ecx >> 0x00000010 & 0x000000ff = __ecx;
      						__ecx >> 8 = __ecx >> 0x00000008 & 0x000000ff;
      						__cl & 0x000000ff = swprintf(_a16, _a20, L"%03d.%03d.%03d.%03d", __cl & 0x000000ff, __ecx >> 0x00000008 & 0x000000ff, __ecx >> 0x00000010 & 0x000000ff, __ecx >> 0x18);
      						goto L69;
      					case 0x11:
      						__eax =  *__ebx & 0x0000ffff;
      						_push( *__ebx & 0x0000ffff);
      						__imp__#15();
      						__eax = __ax & 0x0000ffff;
      						_push(__ax & 0x0000ffff);
      						_push(L"%u");
      						L15:
      						__eax = swprintf(_a16, _a20);
      						__ebx = __ebx + 2;
      						goto L70;
      					case 0x12:
      						__eflags =  *0x4bb11c - 0x40;
      						if( *0x4bb11c != 0x40) {
      							goto L19;
      						}
      						__eax = swprintf(_a16, _a20, L"0x%X",  *__ebx,  *(__ebx + 4));
      						__ebx = __ebx + 8;
      						goto L70;
      					case 0x13:
      						__eax = E00403920(_a16, _a20, __ebx);
      						__ebx = __ebx + 0x10;
      						goto L70;
      					case 0x14:
      						__eflags =  *__ebx;
      						__eax = L"TRUE";
      						__ecx = L"FALSE";
      						__eax =  ==  ? L"FALSE" : L"TRUE";
      						_push( ==  ? L"FALSE" : L"TRUE");
      						_push(L"%s");
      						L68:
      						__eax = swprintf(_a16, _a20);
      						goto L69;
      					case 0x15:
      						 *(__ebx + 0xf) & 0x000000ff =  *(__ebx + 0xe) & 0x000000ff;
      						 *(__ebx + 0xd) & 0x000000ff =  *(__ebx + 0xc) & 0x000000ff;
      						 *(__ebx + 0xb) & 0x000000ff =  *(__ebx + 0xa) & 0x000000ff;
      						 *(__ebx + 9) & 0x000000ff =  *(__ebx + 8) & 0x000000ff;
      						 *(__ebx + 7) & 0x000000ff =  *(__ebx + 6) & 0x000000ff;
      						 *(__ebx + 5) & 0x000000ff =  *(__ebx + 4) & 0x000000ff;
      						 *(__ebx + 3) & 0x000000ff =  *(__ebx + 2) & 0x000000ff;
      						 *(__ebx + 1) & 0x000000ff =  *__ebx & 0x000000ff;
      						__eax = swprintf(_a16, _a20, L"%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",  *__ebx & 0x000000ff,  *(__ebx + 1) & 0x000000ff,  *(__ebx + 2) & 0x000000ff,  *(__ebx + 3) & 0x000000ff,  *(__ebx + 4) & 0x000000ff,  *(__ebx + 5) & 0x000000ff,  *(__ebx + 6) & 0x000000ff,  *(__ebx + 7) & 0x000000ff,  *(__ebx + 8) & 0x000000ff,  *(__ebx + 9) & 0x000000ff,  *(__ebx + 0xa) & 0x000000ff,  *(__ebx + 0xb) & 0x000000ff,  *(__ebx + 0xc) & 0x000000ff,  *(__ebx + 0xd) & 0x000000ff,  *(__ebx + 0xe) & 0x000000ff,  *(__ebx + 0xf) & 0x000000ff);
      						__ebx = __ebx + 0x10;
      						goto L70;
      					case 0x16:
      						L32:
      						__edx = __ebx;
      						__ecx = __ebx;
      						__esi = __edx + 1;
      						do {
      							__al =  *__edx;
      							__edx = __edx + 1;
      							__eflags = __al;
      						} while (__al != 0);
      						__edx = __edx - __esi;
      						__eflags = __edx;
      						__esi = __ebx + 1;
      						__esi = __ebx + 1 + __edx;
      						if(__edx == 0) {
      							goto L42;
      						}
      						while(1) {
      							__eax =  *((char*)(__ebx + __edx - 1));
      							__eflags =  *((char*)(__ebx + __edx - 1)) - 0xff;
      							if( *((char*)(__ebx + __edx - 1)) != 0xff) {
      								goto L42;
      							}
      							__edx = __edx - 1;
      							__eflags = __edx;
      							if(__edx != 0) {
      								continue;
      							}
      							goto L42;
      						}
      						goto L42;
      					case 0x17:
      						L40:
      						__edx =  *__ebx & 0x000000ff;
      						__ebx = __ebx + 1;
      						__ecx = __ebx;
      						__esi = __edx + __ebx;
      						goto L42;
      					case 0x18:
      						L39:
      						__edx =  *__ebx & 0x000000ff;
      						__eax =  *(__ebx + 1) & 0x000000ff;
      						__edx = ( *__ebx & 0x000000ff) << 8;
      						__edx = (( *__ebx & 0x000000ff) << 8) + ( *(__ebx + 1) & 0x000000ff);
      						__ebx = __ebx + 2;
      						__ecx = __ebx;
      						__esi = __edx + __ebx;
      						goto L42;
      					case 0x19:
      						L41:
      						__ecx = _a4;
      						__edx = _a4;
      						__esi = _a4;
      						L42:
      						__eax = _a8;
      						__eax = _a8 - __ecx;
      						__ecx = _a20;
      						__eflags = __edx - __eax;
      						__edx =  >  ? __eax : __edx;
      						__eax = __ecx - 3;
      						__eflags = __edx - __eax;
      						__eax = swprintf(_a16, __ecx, L"\"%*S\"", __edx, __ebx);
      						__ebx = __esi;
      						goto L70;
      				}
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: swprintf$htons
      • String ID: "%*S"$"%*ws"$%03d.%03d.%03d.%03d$%I64d$%I64u$%lu$0x%08X$0x%X
      • API String ID: 3686976175-3615838498
      • Opcode ID: 1eeffbe5ccbd7fa7f66a1e2265fc261d98aa7d40e256d5891629fa48716e52bf
      • Instruction ID: c409cf546cdd7aae04e3300ae43efa359a38b4145534832eebae438828a4677b
      • Opcode Fuzzy Hash: 1eeffbe5ccbd7fa7f66a1e2265fc261d98aa7d40e256d5891629fa48716e52bf
      • Instruction Fuzzy Hash: 91C15772500111DFCF109F18CCC267A7B62EF5A300F54917BFC45AB256E639AD22DBAA
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E00401910(void* __ebx) {
      				char _v8;
      				char _v16;
      				signed int _t23;
      				intOrPtr _t27;
      				intOrPtr _t29;
      				intOrPtr _t31;
      				intOrPtr _t33;
      				intOrPtr _t35;
      				intOrPtr _t37;
      				intOrPtr _t39;
      				intOrPtr _t41;
      				intOrPtr _t43;
      				intOrPtr _t45;
      				intOrPtr _t47;
      				intOrPtr _t49;
      				intOrPtr _t51;
      				intOrPtr _t53;
      				intOrPtr _t55;
      				intOrPtr _t57;
      				intOrPtr _t59;
      				intOrPtr _t61;
      				intOrPtr _t65;
      				void* _t66;
      				signed int _t73;
      
      				_t67 = __ebx;
      				_push(0xffffffff);
      				_push(E0048C99E);
      				_push( *[fs:0x0]);
      				_t23 =  *0x4bb1dc; // 0x2927074f
      				_push(_t23 ^ _t73);
      				 *[fs:0x0] =  &_v16;
      				_t27 = E0046A6C0(__ebx, L"Columns", E0046A530(L"Columns"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c2588 = _t27;
      				 *0x4c258c = 9;
      				 *0x4c2590 = 0x80;
      				 *0x4c2594 = 0x4bd710;
      				asm("movsd [0x4c2598], xmm0");
      				_v8 = 0;
      				_t29 = E0046A6C0(__ebx, L"ColumnCount", E0046A530(L"ColumnCount"));
      				asm("movsd xmm0, [0x4a6fe8]");
      				 *0x4c25a0 = _t29;
      				 *0x4c25a4 = 0;
      				 *0x4c25a8 = 0;
      				 *0x4c25ac = 0x4bd790;
      				asm("movsd [0x4c25b0], xmm0");
      				_v8 = 1;
      				_t31 = E0046A6C0(__ebx, L"ColumnMap", E0046A530(L"ColumnMap"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c25b8 = _t31;
      				 *0x4c25bc = 6;
      				 *0x4c25c0 = 0x100;
      				 *0x4c25c4 = 0x4bd794;
      				asm("movsd [0x4c25c8], xmm0");
      				_v8 = 2;
      				_t33 = E0046A6C0(__ebx, L"DbgHelpPath", E0046A530(L"DbgHelpPath"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c25d0 = _t33;
      				 *0x4c25d4 = 4;
      				 *0x4c25d8 = 0x208;
      				 *0x4c25dc = 0x4bd8b0;
      				asm("movsd [0x4c25e0], xmm0");
      				_v8 = 3;
      				_t35 = E0046A6C0(_t67, L"Logfile", E0046A530(L"Logfile"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c25e8 = _t35;
      				 *0x4c25ec = 4;
      				 *0x4c25f0 = 0x208;
      				 *0x4c25f4 = 0x4bdac0;
      				asm("movsd [0x4c25f8], xmm0");
      				_v8 = 4;
      				_t37 = E0046A6C0(_t67, L"HighlightFG", E0046A530(L"HighlightFG"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c2600 = _t37;
      				 *0x4c2604 = 0;
      				 *0x4c2608 = 0;
      				 *0x4c260c = 0x4bd8a8;
      				asm("movsd [0x4c2610], xmm0");
      				_v8 = 5;
      				_t39 = E0046A6C0(_t67, L"HighlightBG", E0046A530(L"HighlightBG"));
      				asm("movsd xmm0, [0x4a6ff8]");
      				 *0x4c2618 = _t39;
      				 *0x4c261c = 0;
      				 *0x4c2620 = 0;
      				 *0x4c2624 = 0x4bd8ac;
      				asm("movsd [0x4c2628], xmm0");
      				_v8 = 6;
      				_t41 = E0046A6C0(_t67, L"LogFont", E0046A530(L"LogFont"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c2630 = _t41;
      				 *0x4c2634 = 5;
      				 *0x4c2638 = 4;
      				 *0x4c263c = 0x4bd708;
      				asm("movsd [0x4c2640], xmm0");
      				_v8 = 7;
      				_t43 = E0046A6C0(_t67, L"BoookmarkFont", E0046A530(L"BoookmarkFont"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c2648 = _t43;
      				 *0x4c264c = 5;
      				 *0x4c2650 = 4;
      				 *0x4c2654 = 0x4bd70c;
      				asm("movsd [0x4c2658], xmm0");
      				_v8 = 8;
      				_t45 = E0046A6C0(_t67, L"AdvancedMode", E0046A530(L"AdvancedMode"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c2660 = _t45;
      				 *0x4c2664 = 1;
      				 *0x4c2668 = 1;
      				 *0x4c266c = 0x4bd896;
      				asm("movsd [0x4c2670], xmm0");
      				_v8 = 9;
      				_t47 = E0046A6C0(_t67, L"Autoscroll", E0046A530(L"Autoscroll"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c2678 = _t47;
      				 *0x4c267c = 1;
      				 *0x4c2680 = 1;
      				 *0x4c2684 = 0x4bd895;
      				asm("movsd [0x4c2688], xmm0");
      				_v8 = 0xa;
      				_t49 = E0046A6C0(_t67, L"HistoryDepth", E0046A530(L"HistoryDepth"));
      				asm("movsd xmm0, [0x4a6ff0]");
      				 *0x4c2690 = _t49;
      				 *0x4c2694 = 0;
      				 *0x4c2698 = 4;
      				 *0x4c269c = 0x4bd8a0;
      				asm("movsd [0x4c26a0], xmm0");
      				_v8 = 0xb;
      				_t51 = E0046A6C0(_t67, L"Profiling", E0046A530(L"Profiling"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c26a8 = _t51;
      				 *0x4c26ac = 0;
      				 *0x4c26b0 = 4;
      				 *0x4c26b4 = 0x4bd89c;
      				asm("movsd [0x4c26b8], xmm0");
      				_v8 = 0xc;
      				_t53 = E0046A6C0(_t67, L"DestructiveFilter", E0046A530(L"DestructiveFilter"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c26c0 = _t53;
      				 *0x4c26c4 = 1;
      				 *0x4c26c8 = 1;
      				 *0x4c26cc = 0x4bd8a4;
      				asm("movsd [0x4c26d0], xmm0");
      				_v8 = 0xd;
      				_t55 = E0046A6C0(_t67, L"AlwaysOnTop", E0046A530(L"AlwaysOnTop"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c26d8 = _t55;
      				 *0x4c26dc = 1;
      				 *0x4c26e0 = 1;
      				 *0x4c26e4 = 0x4bd894;
      				asm("movsd [0x4c26e8], xmm0");
      				_v8 = 0xe;
      				_t57 = E0046A6C0(_t67, L"ResolveAddresses", E0046A530(L"ResolveAddresses"));
      				asm("movsd xmm0, [0x4962e0]");
      				 *0x4c26f0 = _t57;
      				 *0x4c26f4 = 1;
      				 *0x4c26f8 = 1;
      				 *0x4c26fc = 0x4bd897;
      				asm("movsd [0x4c2700], xmm0");
      				_v8 = 0xf;
      				_t59 = E0046A6C0(_t67, L"SourcePath", E0046A530(L"SourcePath"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c2708 = _t59;
      				 *0x4c270c = 7;
      				 *0x4c2710 = 0;
      				 *0x4c2714 = 0x4bdabc;
      				asm("movsd [0x4c2718], xmm0");
      				_v8 = 0x10;
      				_t61 = E0046A6C0(_t67, L"SymbolPath", E0046A530(L"SymbolPath"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c2720 = _t61;
      				 *0x4c2724 = 7;
      				 *0x4c2728 = 0;
      				 *0x4c272c = 0x4bdab8;
      				asm("movsd [0x4c2730], xmm0");
      				_v8 = 0x11;
      				 *0x4c2738 = E0046A6C0(_t67, L"FilterRules", E0046A530(L"FilterRules"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c273c = 8;
      				 *0x4c2740 = 0;
      				 *0x4c2744 = 0x4bca94;
      				asm("movsd [0x4c2748], xmm0");
      				_v8 = 0x12;
      				_t65 = E0046A6C0(_t67, L"HighlightRules", E0046A530(L"HighlightRules"));
      				asm("xorps xmm0, xmm0");
      				 *0x4c2750 = _t65;
      				 *0x4c2754 = 8;
      				 *0x4c2758 = 0;
      				 *0x4c275c = 0x4bcac0;
      				asm("movsd [0x4c2760], xmm0");
      				_t66 = E0046FD29(_t23 ^ _t73, E0048E3E0);
      				 *[fs:0x0] = _v16;
      				return _t66;
      			}

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _memmove
      • String ID: 0{x$AdvancedMode$AlwaysOnTop$Autoscroll$BoookmarkFont$ColumnCount$ColumnMap$Columns$DbgHelpPath$DestructiveFilter$FilterRules$HighlightBG$HighlightFG$HighlightRules$HistoryDepth$LogFont$Logfile$Profiling$ResolveAddresses$SourcePath$SymbolPath$X{x$hzx
      • API String ID: 4104443479-3430090256
      • Opcode ID: 008c9533b3d45319db66e13ac0a16f7795c6a4c5f19253d37a051c009063d99f
      • Instruction ID: ee847b18061cd1676089d47e1541f765562c6a8a87f94b527cfe8ae3197387eb
      • Opcode Fuzzy Hash: 008c9533b3d45319db66e13ac0a16f7795c6a4c5f19253d37a051c009063d99f
      • Instruction Fuzzy Hash: FEC163F4A11744AED380DF61EE45F563AA0EB66708F25426FF040662A1FBFD01849F6E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E00418740(signed int __ecx, char _a4) {
      				long _v8;
      				char _v16;
      				signed int _v20;
      				char _v816;
      				long _v820;
      				char _v821;
      				signed int _v828;
      				signed int _v832;
      				signed int _v836;
      				char _v840;
      				signed int _v844;
      				signed int _v852;
      				signed int _v856;
      				signed int _v860;
      				long _v864;
      				char _v868;
      				intOrPtr _v872;
      				char _v876;
      				struct _CRITICAL_SECTION* _v880;
      				intOrPtr* _v884;
      				signed int _v892;
      				intOrPtr _v896;
      				char _v900;
      				char _v904;
      				signed int _v912;
      				intOrPtr _v916;
      				char _v920;
      				char _v928;
      				char _v952;
      				long _v956;
      				intOrPtr _v960;
      				char _v976;
      				intOrPtr _v988;
      				char _v996;
      				intOrPtr _v1008;
      				char _v1016;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t238;
      				signed int _t239;
      				long _t241;
      				long _t242;
      				signed int _t248;
      				signed int _t249;
      				intOrPtr _t251;
      				int _t262;
      				intOrPtr* _t266;
      				intOrPtr* _t267;
      				intOrPtr* _t272;
      				intOrPtr _t295;
      				intOrPtr _t296;
      				intOrPtr _t297;
      				intOrPtr _t309;
      				intOrPtr _t313;
      				signed int _t314;
      				char* _t321;
      				intOrPtr* _t330;
      				struct _CRITICAL_SECTION* _t362;
      				void* _t363;
      				long _t364;
      				signed int _t365;
      				void* _t369;
      				void* _t371;
      				intOrPtr _t375;
      				intOrPtr _t377;
      				intOrPtr _t379;
      				intOrPtr _t394;
      				intOrPtr _t395;
      				intOrPtr _t396;
      				intOrPtr* _t397;
      				intOrPtr* _t399;
      				intOrPtr _t402;
      				unsigned int _t410;
      				signed int _t411;
      				intOrPtr _t414;
      				unsigned int _t416;
      				signed int _t417;
      				intOrPtr _t425;
      				intOrPtr _t426;
      				signed int _t427;
      				signed int _t428;
      				intOrPtr _t429;
      				unsigned int _t430;
      				signed int _t431;
      				intOrPtr _t432;
      				intOrPtr _t434;
      				char _t435;
      				unsigned int _t439;
      				unsigned int _t441;
      				long _t447;
      				char _t448;
      				void* _t450;
      				intOrPtr* _t451;
      				intOrPtr* _t452;
      				char _t453;
      				void* _t456;
      				intOrPtr _t460;
      				long _t462;
      				intOrPtr _t463;
      				signed int _t467;
      				signed int _t471;
      				intOrPtr _t472;
      				int _t473;
      				intOrPtr* _t474;
      				intOrPtr* _t475;
      				void* _t476;
      				intOrPtr* _t478;
      				intOrPtr* _t479;
      				intOrPtr* _t480;
      				signed int _t481;
      				void* _t482;
      				void* _t483;
      				void* _t484;
      
      				_push(0xffffffff);
      				_push(E004871ED);
      				_push( *[fs:0x0]);
      				_t483 = _t482 - 0x3e8;
      				_t238 =  *0x4bb1dc; // 0x2927074f
      				_t239 = _t238 ^ _t481;
      				_v20 = _t239;
      				_push(_t239);
      				 *[fs:0x0] =  &_v16;
      				_t362 = __ecx;
      				_v844 = __ecx;
      				_t4 = _t362 + 0x18; // 0x0
      				_t241 = SendMessageW( *_t4, 0x1027, 0, 0);
      				_t5 = _t362 + 0x18; // 0x0
      				_t462 = _t241;
      				_v864 = _t462;
      				_t242 = SendMessageW( *_t5, 0x1028, 0, 0);
      				_t446 = _t462 + _t242;
      				EnterCriticalSection(0x4bca10);
      				_t463 =  *0x4bca38; // 0x0
      				LeaveCriticalSection(0x4bca10);
      				if(_t462 + _t242 >= _t463) {
      					EnterCriticalSection(0x4bca10);
      					_t460 =  *0x4bca38; // 0x0
      					LeaveCriticalSection(0x4bca10);
      					_t446 = _t460 - 1;
      				}
      				_v821 = 0;
      				_v880 = _t362;
      				EnterCriticalSection(_t362);
      				_v8 = 0;
      				E0040D160(0x4bca10,  &_v996, _v864);
      				_v8 = 1;
      				E0040D160(0x4bca10,  &_v1016, _t446);
      				_t425 = _v988;
      				_v8 = 2;
      				if(_t425 == 0) {
      					asm("xorps xmm0, xmm0");
      					_v912 = 0;
      					_t248 =  &_v920;
      					asm("movlpd [ebp-0x394], xmm0");
      				} else {
      					_v900 =  *((intOrPtr*)(_t425 + 0x1c));
      					_v892 =  *((intOrPtr*)(_t425 + 0x10));
      					_t248 =  &_v900;
      					_v896 =  *((intOrPtr*)(_t425 + 0x20));
      				}
      				asm("movdqu xmm0, [eax]");
      				_t426 = _v1008;
      				asm("movdqu [ebp-0x380], xmm0");
      				if(_t426 == 0) {
      					_t249 = _t248 | 0xffffffff;
      					__eflags = _t249;
      					_v860 = _t249;
      					_v856 = _t249;
      				} else {
      					_t249 =  *(_t426 + 0x10);
      					_v860 =  *((intOrPtr*)(_t426 + 0x1c));
      					_v856 =  *((intOrPtr*)(_t426 + 0x20));
      				}
      				_v852 = _t249;
      				asm("movdqu xmm0, [eax]");
      				_t36 = _t362 + 0xec; // 0x0
      				_t251 =  *_t36;
      				asm("movdqu [ebp-0x358], xmm0");
      				if(_t251 == 0) {
      					L21:
      					_t59 = _t362 + 0xe4; // 0x0
      					_t375 =  *_t59;
      					if(_t375 == 0) {
      						L70:
      						_t447 = 0;
      						_t127 = _t362 + 0xe0; // 0x4bcaf0
      						_v864 = 0;
      						E00419200(_t127);
      						_t129 = _t362 + 0x34; // 0x0
      						_t377 = 0;
      						_t130 = _t362 + 0x30; // 0x0
      						_t467 = ( *_t129 -  *_t130 >> 2) - 1;
      						_v828 = 0;
      						if(_t467 < 0) {
      							L78:
      							_push(_t377);
      							E00415730( &_v840);
      							_v8 = 5;
      							_v820 = 0;
      							E00470030( &_v816, 0, 0x31c);
      							_t154 = _t362 + 0x34; // 0x0
      							_t379 = 0;
      							_t155 = _t362 + 0x30; // 0x0
      							_t484 = _t483 + 0xc;
      							_t427 = _v828;
      							_t448 = _v840;
      							_t471 = ( *_t154 -  *_t155 >> 2) - 1;
      							_v904 = 0;
      							_v844 = _t427;
      							if(_t471 < 0) {
      								L101:
      								_t258 = _v836 - _t448 >> 5;
      								if(_v836 - _t448 >> 5 != 0) {
      									_t197 = _t362 + 0x1c; // 0x4bca2c
      									E0040E660(_t197, _t448, _t258,  &_v820, _t379, 0);
      								}
      								_t198 = _t362 + 0x28; // 0x0
      								_t472 =  *_t198;
      								 *((intOrPtr*)(_t362 + 0x80)) = 0xffffffff;
      								if(_t448 != 0) {
      									E0046EF07(_t448);
      									_t484 = _t484 + 4;
      								}
      								_v8 = 1;
      								E0040F960( &_v1016, _t472);
      								_v8 = 0;
      								E0040F960( &_v996, _t472);
      								LeaveCriticalSection(_t362);
      								_t473 =  >  ? 0x5f5e100 : _t472;
      								_t262 =  *0x4bc8e0; // 0x0
      								if(_t473 != _t262) {
      									_t204 = _t362 + 0x18; // 0x0
      									SendMessageW( *_t204, 0x102f, _t473, 3);
      									_t262 =  *0x4bc8e0; // 0x0
      								}
      								if(_v821 != 0 || _t473 == 0 && _t262 != 0) {
      									_t208 = _t362 + 0x18; // 0x0
      									InvalidateRect( *_t208, 0, 0 | _t473 == 0x00000000);
      									_t262 =  *0x4bc8e0; // 0x0
      								}
      								if(_a4 != 0 && _t473 > _t262) {
      									_t210 = _t473 - 1; // -1
      									_t211 = _t362 + 0x18; // 0x0
      									SendMessageW( *_t211, 0x1013, _t210, 0);
      								}
      								 *0x4bc8e0 = _t473;
      								_v880 = _t362;
      								EnterCriticalSection(_t362);
      								_t213 = _t362 + 0x48; // 0x77cfc8
      								_t266 =  *_t213;
      								_v8 = 6;
      								_t474 =  *_t266;
      								if(_t474 == _t266) {
      									L121:
      									_t223 = _t362 + 0x50; // 0x77d088
      									_t267 =  *_t223;
      									_t475 =  *_t267;
      									if(_t475 == _t267) {
      										L130:
      										LeaveCriticalSection(_t362);
      										 *[fs:0x0] = _v16;
      										_pop(_t450);
      										_pop(_t476);
      										_pop(_t363);
      										return E0046F77E(_t363, _v20 ^ _t481, _t427, _t450, _t476);
      									}
      									do {
      										if( *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) + 0x578)) != 1) {
      											_t475 =  *_t475;
      										} else {
      											_t451 = _t475;
      											_t475 =  *_t475;
      											 *((intOrPtr*)( *((intOrPtr*)(_t451 + 4)))) =  *_t451;
      											 *((intOrPtr*)( *_t451 + 4)) =  *((intOrPtr*)(_t451 + 4));
      											 *((intOrPtr*)(_t362 + 0x54)) =  *((intOrPtr*)(_t362 + 0x54)) - 1;
      											_t272 =  *((intOrPtr*)(_t451 + 8));
      											_v884 = _t272;
      											if(_t272 != 0 && InterlockedDecrement(_t272 + 0x578) < 2) {
      												E00467460(_v884, _t275);
      											}
      											E0046EF07(_t451);
      											_t484 = _t484 + 4;
      										}
      										_t234 = _t362 + 0x50; // 0x77d088
      									} while (_t475 !=  *_t234);
      									goto L130;
      								} else {
      									do {
      										_t389 =  *((intOrPtr*)(_t474 + 8));
      										if( *((intOrPtr*)( *((intOrPtr*)(_t474 + 8)) + 0x578)) != 1) {
      											_t474 =  *_t474;
      										} else {
      											_t452 = _t474;
      											_t474 =  *_t474;
      											if(E00467590(_t389) != 0) {
      												 *((intOrPtr*)( *((intOrPtr*)(_t452 + 4)))) =  *_t452;
      												 *((intOrPtr*)( *_t452 + 4)) =  *((intOrPtr*)(_t452 + 4));
      												 *((intOrPtr*)(_t362 + 0x4c)) =  *((intOrPtr*)(_t362 + 0x4c)) - 1;
      												E0046EF07(_t452);
      												_t484 = _t484 + 4;
      											}
      										}
      										_t222 = _t362 + 0x48; // 0x77cfc8
      									} while (_t474 !=  *_t222);
      									goto L121;
      								}
      							}
      							do {
      								_t160 = _t362 + 0x30; // 0x0
      								_t394 =  *((intOrPtr*)( *_t160 + _t471 * 4));
      								if(_t427 == 0) {
      									goto L99;
      								}
      								_t165 = _t362 + 0x58; // 0x4bca68
      								_t168 = _t362 + 0x84; // 0x4bca94
      								_t295 = E00469000(_t394, _t471, _t168, (_v844 << 5) + _t448,  &_v904, _t165,  &_v876,  &_v920);
      								_v844 = _v844 - _t295;
      								_t395 = _v876;
      								_t428 = _v856;
      								 *((intOrPtr*)(_t481 + _t471 * 4 - 0x330)) = _t295;
      								_t296 = _v872;
      								if(_t395 != _v860) {
      									__eflags = _t296 - _t428;
      									L86:
      									if(__eflags < 0) {
      										L89:
      										_t396 = _v920;
      										_t429 = _v900;
      										_t297 = _v916;
      										if(_t396 != _t429) {
      											__eflags = _t297 - _v896;
      											L94:
      											if(__eflags > 0) {
      												L97:
      												_v821 = 1;
      												L98:
      												_t427 = _v828;
      												goto L99;
      											}
      											if(__eflags < 0) {
      												goto L98;
      											}
      											__eflags = _t396 - _t429;
      											if(_t396 <= _t429) {
      												goto L98;
      											}
      											goto L97;
      										}
      										if(_t297 != _v896) {
      											goto L94;
      										}
      										if((_v892 & 0xffffff00 | _v912 - _v892 > 0x00000000) == 0) {
      											goto L98;
      										}
      										goto L97;
      									}
      									if(__eflags > 0) {
      										goto L98;
      									}
      									__eflags = _t395 - _v860;
      									if(__eflags >= 0) {
      										goto L98;
      									}
      									goto L89;
      								}
      								if(_t296 != _t428) {
      									goto L86;
      								}
      								if((_v852 & 0xffffff00 | _v868 - _v852 > 0x00000000) == 0) {
      									goto L98;
      								}
      								goto L89;
      								L99:
      								_t471 = _t471 - 1;
      							} while (_t471 >= 0);
      							_t379 = _v904;
      							goto L101;
      						}
      						_t132 = _t467 + 1; // 0x0
      						_t430 = _t132;
      						if(_t430 < 2) {
      							L75:
      							if(_t467 >= 0) {
      								_t144 = _t362 + 0x30; // 0x0
      								_t377 =  *((intOrPtr*)( *((intOrPtr*)( *_t144 + _t467 * 4)) + 0x588));
      							}
      							_t377 = _t377 + _v864 + _t447;
      							_v828 = _t377;
      							goto L78;
      						}
      						_t133 = _t362 + 0x30; // 0x0
      						_t431 = _t430 >> 1;
      						_t397 =  *_t133 + _t467 * 4;
      						_t364 = 0;
      						_t467 = _t467 +  ~_t431 * 2;
      						do {
      							_t309 =  *_t397;
      							_t397 = _t397 - 8;
      							_t447 = _t447 +  *((intOrPtr*)(_t309 + 0x588));
      							_t364 = _t364 +  *((intOrPtr*)( *((intOrPtr*)(_t397 + 4)) + 0x588));
      							_t431 = _t431 - 1;
      						} while (_t431 != 0);
      						_v864 = _t364;
      						_t377 = 0;
      						_t362 = _v844;
      						goto L75;
      					}
      					_t453 = 0;
      					_t365 = 0;
      					_v840 = 0;
      					_v836 = 0;
      					_v828 = 0;
      					_v832 = 0;
      					_v8 = 4;
      					if(_t375 != 0) {
      						_t498 = _t375 - 0x7ffffff;
      						if(_t375 > 0x7ffffff) {
      							_push("vector<T> too long");
      							E0046EB0F(_t498);
      						}
      						_push(_t375);
      						E00419BA0( &_v840);
      						_t365 = _v836;
      						_t453 = _v840;
      						_v828 = _v832;
      					}
      					_t478 = _v844 + 0xe0;
      					_v864 = 0;
      					_v884 = _t478;
      					E004152E0(_t478, _v864);
      					_t399 =  *_t478;
      					_t479 =  *_t399;
      					_t432 =  *((intOrPtr*)(_t479 + 8));
      					_t313 =  *((intOrPtr*)(_t479 + 0xc));
      					if(_t432 != _v860) {
      						__eflags = _t313 - _v856;
      						goto L31;
      					} else {
      						if(_t313 != _v856) {
      							L31:
      							if(__eflags < 0) {
      								L34:
      								_t314 =  *(_t399 + 4);
      								_t453 = _v840;
      								_v864 =  *((intOrPtr*)(_t314 + 8));
      								_t434 =  *((intOrPtr*)(_t314 + 0xc));
      								if( *((intOrPtr*)(_t314 + 8)) != _v900) {
      									__eflags = _t434 - _v896;
      									L39:
      									if(__eflags > 0) {
      										L42:
      										_v821 = 1;
      										L43:
      										if(_t479 == _t399) {
      											L68:
      											_t362 = _v844;
      											E0040E660(_t362 + 0x1c, _t453, _t365 - _t453 >> 5, 0, _t365 - _t453 >> 5, 1);
      											_v8 = 2;
      											if(_t453 != 0) {
      												E0046EF07(_t453);
      												_t483 = _t483 + 4;
      											}
      											goto L70;
      										}
      										do {
      											E00417200(_v844,  &_v868, _t479 + 8, 0);
      											asm("movdqu xmm1, [edi]");
      											_t435 = _v840;
      											_v960 = _v868;
      											_v956 = _v864;
      											_t321 =  &_v952;
      											asm("movq xmm0, [ebp-0x3bc]");
      											asm("movq [ebp-0x3a4], xmm0");
      											_v928 = 1;
      											asm("movdqu [ebp-0x394], xmm1");
      											asm("movdqu [ebp-0x3b4], xmm1");
      											if(_t321 >= _t365 || _t435 > _t321) {
      												_t402 = _v828;
      												__eflags = _t365 - _t402;
      												if(_t365 != _t402) {
      													L63:
      													__eflags = _t365;
      													if(_t365 == 0) {
      														goto L66;
      													}
      													asm("movdqu xmm0, [ebp-0x3a4]");
      													asm("movdqu [ebx], xmm1");
      													goto L65;
      												}
      												__eflags = _t402 - _t365 >> 5 - 1;
      												if(_t402 - _t365 >> 5 >= 1) {
      													goto L63;
      												}
      												_t362 = _t365 - _t435 >> 5;
      												__eflags = 0x7ffffff - _t362 - 1;
      												if(__eflags < 0) {
      													goto L11;
      												}
      												_t410 = _t402 - _t435 >> 5;
      												_t369 = _t362 + 1;
      												_t439 = _t410 >> 1;
      												__eflags = 0x7ffffff - _t439 - _t410;
      												if(0x7ffffff - _t439 >= _t410) {
      													_t411 = _t410 + _t439;
      													__eflags = _t411;
      												} else {
      													_t411 = 0;
      												}
      												__eflags = _t411 - _t369;
      												_t412 =  <  ? _t369 : _t411;
      												_push( <  ? _t369 : _t411);
      												E00419BA0( &_v840);
      												_t365 = _v836;
      												asm("movdqu xmm1, [ebp-0x394]");
      												_v828 = _v832;
      												goto L63;
      											} else {
      												_t414 = _v828;
      												if(_t365 != _t414 || _t414 - _t365 >> 5 >= 1) {
      													L54:
      													if(_t365 == 0) {
      														goto L66;
      													}
      													asm("movdqu xmm0, [edi+edx]");
      													asm("movdqu [ebx], xmm0");
      													asm("movdqu xmm0, [edi+edx+0x10]");
      													L65:
      													asm("movdqu [ebx+0x10], xmm0");
      													goto L66;
      												} else {
      													_t362 = _t365 - _t435 >> 5;
      													if(0x7ffffff - _t362 < 1) {
      														goto L11;
      													}
      													_t416 = _t414 - _t435 >> 5;
      													_t371 = _t362 + 1;
      													_t441 = _t416 >> 1;
      													if(0x7ffffff - _t441 >= _t416) {
      														_t417 = _t416 + _t441;
      														__eflags = _t417;
      													} else {
      														_t417 = 0;
      													}
      													_t418 =  <  ? _t371 : _t417;
      													_push( <  ? _t371 : _t417);
      													E00419BA0( &_v840);
      													_t365 = _v836;
      													_v828 = _v832;
      													goto L54;
      												}
      											}
      											L66:
      											_t365 = _t365 + 0x20;
      											_t479 =  *_t479;
      											_v836 = _t365;
      										} while (_t479 !=  *_v884);
      										_t453 = _v840;
      										goto L68;
      									}
      									if(__eflags < 0) {
      										goto L43;
      									}
      									__eflags = _v864 - _v900;
      									if(_v864 <= _v900) {
      										goto L43;
      									}
      									goto L42;
      								}
      								if(_t434 != _v896) {
      									goto L39;
      								}
      								if((_t314 & 0xffffff00 |  *((intOrPtr*)(_t314 + 0x10)) - _v892 > 0x00000000) == 0) {
      									goto L43;
      								}
      								goto L42;
      							}
      							if(__eflags > 0) {
      								goto L43;
      							}
      							__eflags = _t432 - _v860;
      							if(__eflags >= 0) {
      								goto L43;
      							}
      							goto L34;
      						}
      						if((_v852 & 0xffffff00 |  *((intOrPtr*)(_t479 + 0x10)) - _v852 > 0x00000000) == 0) {
      							goto L43;
      						}
      						goto L34;
      					}
      				} else {
      					_t456 = 0;
      					_v840 = 0;
      					_v836 = 0;
      					_v832 = 0;
      					_v8 = 3;
      					if(_t251 == 0) {
      						L13:
      						_v864 = 0;
      						_t44 = _t362 + 0xe8; // 0x4bcaf8
      						E004152E0(_t44, _v864);
      						_t46 = _t362 + 0xe8; // 0x784af0
      						_t330 =  *_t46;
      						_t480 =  *_t330;
      						if(_t480 == _t330) {
      							L17:
      							_t437 = 0x2aaaaaab * (_v836 - _t456) >> 0x20 >> 2;
      							_t335 = (0x2aaaaaab * (_v836 - _t456) >> 0x20 >> 2 >> 0x1f) + _t437;
      							if((0x2aaaaaab * (_v836 - _t456) >> 0x20 >> 2 >> 0x1f) + _t437 != 0) {
      								_t56 = _t362 + 0x1c; // 0x1c
      								_v821 = E0040E8F0(_t56, _t456, _t335);
      							}
      							_v8 = 2;
      							if(_t456 != 0) {
      								E0046EF07(_t456);
      								_t483 = _t483 + 4;
      							}
      							goto L21;
      						} else {
      							do {
      								asm("movdqu xmm0, [esi+0x8]");
      								asm("movdqu [ebp-0x3cc], xmm0");
      								E0041A480( &_v840,  &_v976);
      								_t480 =  *_t480;
      								_t49 = _t362 + 0xe8; // 0x784af0
      							} while (_t480 !=  *_t49);
      							_t456 = _v840;
      							goto L17;
      						}
      					}
      					_t491 = _t251 - 0xaaaaaaa;
      					if(_t251 <= 0xaaaaaaa) {
      						L12:
      						_push(_t251);
      						E00419AB0( &_v840);
      						_t456 = _v840;
      						goto L13;
      					}
      					L11:
      					_push("vector<T> too long");
      					_t251 = E0046EB0F(_t491);
      					goto L12;
      				}
      			}
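Two compiler idioms in the function above let a reviewer recover the element sizes of the `std::vector`s without symbols: the `L17` block divides a byte span with `0x2aaaaaab * (...) >> 0x20 >> 2` plus a sign-bit correction, and the `vector<T> too long` paths compare the requested count against `0xaaaaaaa` and `0x7ffffff`, which are MSVC's `max_size()` (`SIZE_MAX / sizeof(T)` on 32-bit). The following C program is an added example, not code from the report or from the Process Monitor binary: it reproduces the decompiled arithmetic literally (64-bit signed product, arithmetic shift of the high dword by 2, sign-bit add) and shows it equals truncating division by 24, then derives `sizeof(T)` from each bound. The only assumption is that the binary was built with MSVC's standard strength reduction, which is what these constants indicate.

```c
#include <stdint.h>
#include <stdio.h>

/* Literal model of the L17 arithmetic in the listing:
 *   _t437 = 0x2aaaaaab * span >> 0x20 >> 2;
 *   _t335 = (_t437 >> 0x1f) + _t437;
 * In the binary this is imul (64-bit signed product), sar edx,2, shr (sign
 * bit) and add; the final add makes the quotient truncate toward zero like
 * C's '/'. The right shift of a negative int is arithmetic on gcc, clang
 * and MSVC, which is what the original code relies on as well. */
static int32_t decompiled_magic_div(int32_t span) {
    int64_t prod = (int64_t)0x2aaaaaab * span;  /* imul: edx:eax = 64-bit product */
    int32_t hi = (int32_t)(prod >> 32);          /* edx: high dword */
    int32_t q = hi >> 2;                         /* sar edx, 2 */
    uint32_t sign_bit = (uint32_t)q >> 31;       /* shr: 1 if q < 0, else 0 */
    return q + (int32_t)sign_bit;
}

/* Check the decompiled sequence against x / 24 over a range; 1 on full match. */
static int magic_div_is_div24(int32_t lo, int32_t hi) {
    for (int64_t x = lo; x <= hi; x++) {
        if (decompiled_magic_div((int32_t)x) != (int32_t)x / 24) {
            return 0;
        }
    }
    return 1;
}

/* MSVC's std::vector<T>::max_size() on x86 is SIZE_MAX / sizeof(T); the
 * constant checked before throwing "vector<T> too long" is that value, so
 * sizeof(T) = 0xFFFFFFFF / bound. */
static uint32_t elem_size_from_max_size(uint32_t bound) {
    return 0xFFFFFFFFu / bound;
}

int main(void) {
    /* Sample byte spans, constructed for the demo: 72 bytes is three 24-byte
     * elements; -49 only arises if begin > end, but the compiler's sequence
     * must still round toward zero exactly like the '/' operator. */
    printf("72 bytes  -> %d elements\n", decompiled_magic_div(72));
    printf("-49 bytes -> %d elements\n", decompiled_magic_div(-49));
    printf("sequence == x/24 over [-100000, 100000]: %s\n",
           magic_div_is_div24(-100000, 100000) ? "yes" : "no");
    printf("bound 0x%08x -> sizeof(T) = %u\n", 0xaaaaaaau,
           elem_size_from_max_size(0xaaaaaaau));
    printf("bound 0x%08x -> sizeof(T) = %u\n", 0x7ffffffu,
           elem_size_from_max_size(0x7ffffffu));
    return 0;
}
```

The two results agree with the rest of the listing: the vector sized against `0xaaaaaaa` is the one whose elements are counted by the `/24` sequence, and the vector sized against `0x7ffffff` is the one indexed with `>> 5` and copied with two 16-byte `movdqu` moves per element in the `L54`/`L65` paths, i.e. 32-byte elements.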
Instruction addresses for the listing above run from 0x00418743 to 0x00419050 (the decompiler's per-line address column; its alignment to the C lines did not survive extraction).

      APIs
      • SendMessageW.USER32(00000000,00001027,00000000,00000000), ref: 00418788
      • SendMessageW.USER32(00000000,00001028,00000000,00000000), ref: 0041879E
      • EnterCriticalSection.KERNEL32(004BCA10), ref: 004187A8
      • LeaveCriticalSection.KERNEL32(004BCA10), ref: 004187B9
      • EnterCriticalSection.KERNEL32(004BCA10), ref: 004187C8
      • LeaveCriticalSection.KERNEL32(004BCA10), ref: 004187D9
      • EnterCriticalSection.KERNEL32(004BCA10), ref: 004187EE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Enter$LeaveMessageSend
      • String ID: vector<T> too long
      • API String ID: 4252995630-3788999226
      • Opcode ID: 8de749aaa20012b7951fd5ca1fbd32e1d445281e9770647146f525e48afa6f23
      • Instruction ID: a53ade9d2f4d6435273339a012b8b65afff5205543f32eb1616b669dfd463940
      • Opcode Fuzzy Hash: 8de749aaa20012b7951fd5ca1fbd32e1d445281e9770647146f525e48afa6f23
      • Instruction Fuzzy Hash: D8422B71A002199BCB26DF18CD80BEAB7B9AF54304F1445EEE849A7251DB34AFC5CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E0043A300(void* __ecx, void* __edx, void* __edi, struct HWND__* _a4, intOrPtr _a8) {
      				signed int _v8;
      				char _v12;
      				intOrPtr _v16;
      				char _v20;
      				void* __ebx;
      				void* __esi;
      				char* _t14;
      				intOrPtr _t17;
      				char* _t19;
      				signed int _t39;
      				void* _t40;
      				intOrPtr _t41;
      				char* _t44;
      				intOrPtr* _t47;
      
      				_t42 = __edx;
      				_t40 = __ecx;
      				if( *0x4bd0a3 == 0) {
      					_t14 = E00439880(_t39, __edx);
      					__eflags = _t14;
      					if(_t14 == 0) {
      						 *0x4bce38 = 1;
      						GetSystemTimeAsFileTime(0x4bdce8);
      						QueryPerformanceCounter(0x4bdcf0);
      						QueryPerformanceFrequency(0x4bdcf8);
      						_t41 =  *0x4bb114; // 0xffffffff
      						__eflags = _t41 - 0xffffffff;
      						if(_t41 != 0xffffffff) {
      							_t17 =  *0x4bb120; // 0x7
      							_v16 = _t17;
      							_push( &_v12);
      							_push(0);
      							_push(0);
      							_push(8);
      							_t19 =  &_v20;
      							 *0x4bb0d0 = 9;
      							_push(_t19);
      							_push(_t41);
      							_v20 = 0;
      							L0046E3E6();
      							_t44 = _t19;
      							__eflags = _t44;
      							_t39 = _t39 & 0xffffff00 | _t44 == 0x00000000;
      							_v8 = _t39;
      							E0043CF70(_t39, _t42, __edi, _t44, _v8, _a8);
      							_t47 = _t47 + 8;
      							 *0x4bce3c = _t39;
      							__eflags = _t44;
      							if(_t44 == 0) {
      								E0043B6A0(_t41, _t42, 1);
      								return 1;
      							} else {
      								goto L17;
      							}
      						} else {
      							_t44 = 0x80070006;
      							L17:
      							 *_t47 = E0046A6C0(_t39, L"Error enabling capture", E0046A530(L"Error enabling capture"));
      							E00437AE0(_t39, __eflags, _t41, _t44);
      							__eflags = 0;
      							return 0;
      						}
      					} else {
      						__eflags = _t14 - 0x514;
      						if(__eflags > 0) {
      							__eflags = _t14 - 0x522;
      							if(_t14 == 0x522) {
      								goto L8;
      							} else {
      								__eflags = _t14 - 0x801f0011;
      								if(_t14 == 0x801f0011) {
      									MessageBoxW(_a4, L"Another version of the Process Monitor driver is already loaded. A reboot is required to run this version.", L"Process Monitor", 0x10);
      									__eflags = 0;
      									return 0;
      								} else {
      									goto L12;
      								}
      							}
      						} else {
      							if(__eflags == 0) {
      								L8:
      								MessageBoxW(_a4, L"Capture requires Administrators group membership", L"Process Monitor", 0x10);
      								__eflags = 0;
      								return 0;
      							} else {
      								__eflags = _t14 - 4;
      								if(__eflags == 0) {
      									MessageBoxW(_a4, L"Process Monitor is already monitoring this system.", L"Process Monitor", 0x10);
      									__eflags = 0;
      									return 0;
      								} else {
      									if(__eflags <= 0) {
      										L12:
      										 *_t47 = E0046A6C0(_t39, L"Unable to load Process Monitor device driver", E0046A530(L"Unable to load Process Monitor device driver"));
      										E00437AE0(_t39, __eflags, _t40, 0);
      										__eflags = 0;
      										return 0;
      									} else {
      										__eflags = _t14 - 6;
      										if(_t14 > 6) {
      											goto L12;
      										} else {
      											goto L8;
      										}
      									}
      								}
      							}
      						}
      					}
      				} else {
      					MessageBoxW(_a4, L"Capture requires 64-bit mode.", L"Process Monitor", 0x10);
      					return 0;
      				}
      			}
Instruction addresses for E0043A300 run from 0x0043a300 to 0x0043a4af (the decompiler's per-line address column; its alignment to the C lines did not survive extraction).

      APIs
      • MessageBoxW.USER32(?,Capture requires 64-bit mode.,Process Monitor,00000010), ref: 0043A320
      • MessageBoxW.USER32(?,Capture requires Administrators group membership,Process Monitor,00000010), ref: 0043A35F
      Strings
      • Error enabling capture, xrefs: 0043A474, 0043A47F
      • Another version of the Process Monitor driver is already loaded. A reboot is required to run this version., xrefs: 0043A3CE
      • Capture requires Administrators group membership, xrefs: 0043A357
      • Process Monitor, xrefs: 0043A313, 0043A352, 0043A36F, 0043A3C9
      • Capture requires 64-bit mode., xrefs: 0043A318
      • Process Monitor is already monitoring this system., xrefs: 0043A374
      • Unable to load Process Monitor device driver, xrefs: 0043A39D, 0043A3A8
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Message
      • String ID: Another version of the Process Monitor driver is already loaded. A reboot is required to run this version.$Capture requires 64-bit mode.$Capture requires Administrators group membership$Error enabling capture$Process Monitor$Process Monitor is already monitoring this system.$Unable to load Process Monitor device driver
      • API String ID: 2030045667-2387588967
      • Opcode ID: da9f5d35c73fa642d9f4894228906b121a9cde3b6495f9f3b618de350510faff
      • Instruction ID: 9451fb5afb1e069413167b4053b254e2caccf08cd61d81fb904684c1f2c9ad5c
      • Opcode Fuzzy Hash: da9f5d35c73fa642d9f4894228906b121a9cde3b6495f9f3b618de350510faff
      • Instruction Fuzzy Hash: D9417D719C03187BDF106B98BC07BEA7740DB0A759F2401BBFC48A2291E2AA482457DF
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • socket.WS2_32(00000002,00000001,00000000), ref: 0043B858
      • GetComputerNameA.KERNEL32(?,?), ref: 0043B892
      • gethostbyname.WS2_32(?), ref: 0043B89F
      • _memmove.LIBCMT ref: 0043B8CC
      • htons.WS2_32(00005AB3), ref: 0043B8D9
      • bind.WS2_32(00000000,?,00000010), ref: 0043B8F0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ComputerName_memmovebindgethostbynamehtonssocket
      • String ID: Accept failed$Unable to bind socket$Unable to create socket$Unable to query the port
      • API String ID: 3172922981-368204941
      • Opcode ID: fb7e45f168fb5b8ec5abb7bb291ab5f16e653b8fe8639c7db2858f1ddd754672
      • Instruction ID: f9f7b1e660b8aeb61be189fb028d3b60a273849aff4dcd617681a599f2745933
      • Opcode Fuzzy Hash: fb7e45f168fb5b8ec5abb7bb291ab5f16e653b8fe8639c7db2858f1ddd754672
      • Instruction Fuzzy Hash: 38311974640218ABD7109B60DC46FEE73B8DF18700F1046ABF605F61A0F7785A958F9E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 45%
      			E00468B50(void* __ecx, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
      				intOrPtr _v8;
      				char _v16;
      				char _v17;
      				void* _v18;
      				intOrPtr _v24;
      				intOrPtr* _v28;
      				signed int _v32;
      				intOrPtr _v36;
      				signed int _v40;
      				signed int _v48;
      				signed int _v56;
      				intOrPtr _v64;
      				intOrPtr _v68;
      				char _v72;
      				intOrPtr _v76;
      				intOrPtr _v80;
      				char _v84;
      				signed int _t121;
      				signed int _t125;
      				intOrPtr* _t129;
      				signed int _t135;
      				intOrPtr* _t144;
      				signed int _t174;
      				struct _CRITICAL_SECTION* _t175;
      				intOrPtr _t177;
      				signed char _t178;
      				intOrPtr _t183;
      				signed char _t187;
      				intOrPtr* _t188;
      				intOrPtr* _t190;
      				signed int _t193;
      				intOrPtr _t196;
      				void* _t210;
      				intOrPtr _t214;
      				intOrPtr _t217;
      				signed int _t221;
      				intOrPtr _t225;
      				void* _t228;
      				void* _t230;
      				intOrPtr _t236;
      				intOrPtr _t237;
      				signed int _t238;
      				intOrPtr* _t239;
      				intOrPtr _t240;
      				intOrPtr* _t243;
      				intOrPtr _t246;
      				signed int _t247;
      				void* _t248;
      				void* _t249;
      				void* _t251;
      				void* _t256;
      				void* _t267;
      
      				_push(0xffffffff);
      				_push(E0048D048);
      				_push( *[fs:0x0]);
      				_t249 = _t248 - 0x44;
      				_t121 =  *0x4bb1dc; // 0x2927074f
      				_push(_t121 ^ _t247);
      				 *[fs:0x0] =  &_v16;
      				_t230 = __ecx;
      				_t125 =  *(__ecx + 0x250) |  *(__ecx + 0x254);
      				_v17 = 0;
      				if(_t125 != 0) {
      					L41:
      					 *[fs:0x0] = _v16;
      					return _t125;
      				}
      				_t236 = _a4 + _a12;
      				asm("cdq");
      				_t187 = _a8 & 0x000000ff;
      				asm("adc ecx, 0x0");
      				_t210 =  *((intOrPtr*)(__ecx + 0x4b0)) - _a16;
      				asm("sbb eax, 0x0");
      				_t251 = _t187 -  *((intOrPtr*)(__ecx + 0x4b4));
      				if(_t251 > 0 || _t251 >= 0 && _t236 >= _t210) {
      					L13:
      					_t174 =  *((intOrPtr*)(_t230 + 0x570)) - 1;
      					if(_t174 < 0) {
      						L24:
      						_t129 =  *((intOrPtr*)(_t230 + 0x584));
      						_t188 =  *_t129;
      						if(_t188 == _t129) {
      							L34:
      							_t175 = _t230 + 0x490;
      							 *((intOrPtr*)(_t230 + 0x4b0)) =  *((intOrPtr*)(_t230 + 0x4b0)) - _a12 + _a16;
      							_t237 =  *((intOrPtr*)(_t230 + 0x4b0));
      							asm("sbb dword [edi+0x4b4], 0x0");
      							_a12 =  *((intOrPtr*)(_t230 + 0x4b4));
      							EnterCriticalSection(_t175);
      							_t125 = _a12;
      							_t267 = _t125 -  *(_t230 + 0x3cc);
      							if(_t267 <= 0 && (_t267 < 0 || _t237 <=  *((intOrPtr*)(_t230 + 0x3c8))) &&  *((char*)(_t230 + 0x3b4)) == 0) {
      								 *((intOrPtr*)(_t230 + 0x3c8)) = _t237;
      								 *(_t230 + 0x3cc) = _t125;
      							}
      							LeaveCriticalSection(_t175);
      							if(_v17 != 0) {
      								__imp__ReleaseSRWLockExclusive(_t230);
      								__imp__AcquireSRWLockShared(_t230);
      							}
      							goto L41;
      						} else {
      							goto L25;
      						}
      						do {
      							L25:
      							_t177 = _a4;
      							asm("cdq");
      							_t238 = _a8 & 0x000000ff;
      							_t135 =  *(_t188 + 0x1c) & 0x000000ff;
      							asm("cdq");
      							if( *((intOrPtr*)(_t188 + 0x18)) != _t177 || _t135 != _t238) {
      								asm("cdq");
      								_t214 =  *((intOrPtr*)(_t188 + 0x18));
      								__eflags = ( *(_t188 + 0x1c) & 0x000000ff) - _t238;
      								if(__eflags < 0) {
      									L32:
      									_t188 =  *_t188;
      									goto L33;
      								}
      								if(__eflags > 0) {
      									L31:
      									asm("cdq");
      									_t217 =  *((intOrPtr*)(_t188 + 0x18)) - _a12;
      									__eflags = _t217;
      									 *((intOrPtr*)(_t188 + 0x18)) = _t217;
      									asm("sbb eax, 0x0");
      									 *(_t188 + 0x1c) =  *(_t188 + 0x1c) & 0x000000ff;
      									goto L32;
      								}
      								__eflags = _t214 - _t177;
      								if(_t214 <= _t177) {
      									goto L32;
      								}
      								goto L31;
      							} else {
      								_t239 =  *_t188;
      								 *((intOrPtr*)( *((intOrPtr*)(_t188 + 4)))) = _t239;
      								 *((intOrPtr*)( *_t188 + 4)) =  *((intOrPtr*)(_t188 + 4));
      								 *((intOrPtr*)(_t230 + 0x588)) =  *((intOrPtr*)(_t230 + 0x588)) - 1;
      								E0046EF07(_t188);
      								_t249 = _t249 + 4;
      								_t188 = _t239;
      							}
      							L33:
      						} while (_t188 !=  *((intOrPtr*)(_t230 + 0x584)));
      						goto L34;
      					}
      					_t240 = _t174 + _t174 * 4;
      					_v24 = _t240;
      					do {
      						_t190 =  *((intOrPtr*)(_t230 + 0x568)) + _t240;
      						asm("cdq");
      						_v32 = _a8 & 0x000000ff;
      						_v36 = _a4;
      						_v28 = _t190;
      						asm("cdq");
      						_t221 =  *(_t190 + 4) & 0x000000ff;
      						_t144 = _v28;
      						_t193 = _v32;
      						if( *_t144 != _v36 || _t221 != _t193) {
      							asm("cdq");
      							_v40 =  *_v28;
      							_t240 = _v24;
      							__eflags = ( *(_t144 + 4) & 0x000000ff) - _t193;
      							if(__eflags < 0) {
      								goto L23;
      							}
      							if(__eflags > 0) {
      								L22:
      								_t243 = _t240 +  *((intOrPtr*)(_t230 + 0x568));
      								_t196 =  *_t243 - _a12;
      								__eflags = _t196;
      								asm("cdq");
      								asm("sbb eax, 0x0");
      								 *_t243 = _t196;
      								 *(_t243 + 4) =  *(_t243 + 4) & 0x000000ff;
      								_t240 = _v24;
      								goto L23;
      							}
      							__eflags = _v40 - _v36;
      							if(_v40 <= _v36) {
      								goto L23;
      							}
      							goto L22;
      						} else {
      							E00471540( *((intOrPtr*)(_t230 + 0x568)) + _t240,  *((intOrPtr*)(_t230 + 0x568)) + _t240 + 5,  *((intOrPtr*)(_t230 + 0x570)) - _t174 - 1 + ( *((intOrPtr*)(_t230 + 0x570)) - _t174 - 1) * 4);
      							 *((intOrPtr*)(_t230 + 0x570)) =  *((intOrPtr*)(_t230 + 0x570)) - 1;
      							_t249 = _t249 + 0xc;
      							if(_v17 == 0) {
      								goto L24;
      							}
      						}
      						L23:
      						_t240 = _t240 - 5;
      						_t174 = _t174 - 1;
      						_v24 = _t240;
      					} while (_t174 >= 0);
      					goto L24;
      				} else {
      					_t178 = _t187;
      					_v28 = _a4;
      					_v32 = _a8;
      					_v40 = _t187;
      					__imp__ReleaseSRWLockShared(_t230);
      					__imp__AcquireSRWLockExclusive(_t230);
      					_v17 = 1;
      					while(1) {
      						L6:
      						asm("cdq");
      						_t181 =  >  ? 0x10400 :  *((intOrPtr*)(_t230 + 0x4b0)) - _t236;
      						_v24 =  >  ? 0x10400 :  *((intOrPtr*)(_t230 + 0x4b0)) - _t236;
      						_v40 = _t178 & 0x000000ff;
      						_t21 =  &_v84; // 0x4961e8
      						_v36 = _t236;
      						E004180C0(_t230 + 0x3b0, _t21, _t236, _t178 & 0x000000ff,  >  ? 0x10400 :  *((intOrPtr*)(_t230 + 0x4b0)) - _t236, 0);
      						_t183 = _v28;
      						asm("cdq");
      						_v8 = 0;
      						_t29 =  &_v72; // 0x4961e8
      						E004180C0(_t230 + 0x3b0, _t29, _t183, _v32 & 0x000000ff, _v24, 0);
      						E00470850(_v64, _v76, _v24);
      						_t225 = _v24;
      						_t249 = _t249 + 0xc;
      						_v72 = 0x4961e8;
      						_v24 = _t225 + _v36;
      						asm("adc eax, [ebp-0x24]");
      						_v48 = 0;
      						asm("adc ecx, esi");
      						_v18 = 0;
      						_v56 = 0;
      						_t206 = _v68;
      						_v28 = _t225 + _t183;
      						_v32 = 0;
      						if(_v68 != 0) {
      							E00430D60(_t206, 0xffffffff, 0xffffffff);
      						}
      						_t207 = _v80;
      						_v8 = 0xffffffff;
      						_v84 = 0x4961e8;
      						if(_v80 != 0) {
      							E00430D60(_t207, 0xffffffff, 0xffffffff);
      						}
      						_t178 = _v18;
      						_t246 = _v24;
      						asm("cdq");
      						_t228 =  *((intOrPtr*)(_t230 + 0x4b0)) - _a16;
      						asm("sbb ecx, 0x0");
      						_t256 = (_t178 & 0x000000ff) -  *((intOrPtr*)(_t230 + 0x4b4));
      						if(_t256 < 0) {
      							break;
      						}
      						if(_t256 > 0) {
      							goto L13;
      						}
      						_t236 = _v24;
      						if(_t246 < _t228) {
      							continue;
      						}
      						goto L13;
      					}
      					_t236 = _v24;
      					goto L6;
      				}
      			}

      0x00468b53
      0x00468b55
      0x00468b60
      0x00468b61
      0x00468b67
      0x00468b6e
      0x00468b72
      0x00468b78
      0x00468b80
      0x00468b86
      0x00468b8a
      0x00468ebd
      0x00468ec0
      0x00468ece
      0x00468ece
      0x00468b98
      0x00468b9e
      0x00468ba5
      0x00468bad
      0x00468bb0
      0x00468bb3
      0x00468bb6
      0x00468bb8
      0x00468cff
      0x00468d05
      0x00468d06
      0x00468dc3
      0x00468dc3
      0x00468dc9
      0x00468dcd
      0x00468e49
      0x00468e4c
      0x00468e55
      0x00468e5b
      0x00468e61
      0x00468e6f
      0x00468e72
      0x00468e78
      0x00468e7b
      0x00468e81
      0x00468e96
      0x00468e9c
      0x00468e9c
      0x00468ea3
      0x00468ead
      0x00468eb0
      0x00468eb7
      0x00468eb7
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00468dd3
      0x00468dd3
      0x00468dd8
      0x00468dde
      0x00468ddf
      0x00468de1
      0x00468de5
      0x00468ded
      0x00468e19
      0x00468e1c
      0x00468e1f
      0x00468e21
      0x00468e3f
      0x00468e3f
      0x00000000
      0x00468e3f
      0x00468e23
      0x00468e29
      0x00468e2d
      0x00468e33
      0x00468e33
      0x00468e36
      0x00468e39
      0x00468e3c
      0x00000000
      0x00468e3c
      0x00468e25
      0x00468e27
      0x00000000
      0x00000000
      0x00000000
      0x00468df3
      0x00468df6
      0x00468df9
      0x00468e00
      0x00468e03
      0x00468e09
      0x00468e0e
      0x00468e11
      0x00468e11
      0x00468e41
      0x00468e41
      0x00000000
      0x00468dd3
      0x00468d0c
      0x00468d0f
      0x00468d12
      0x00468d1b
      0x00468d20
      0x00468d23
      0x00468d2d
      0x00468d30
      0x00468d35
      0x00468d36
      0x00468d38
      0x00468d40
      0x00468d43
      0x00468d7f
      0x00468d85
      0x00468d88
      0x00468d8b
      0x00468d8d
      0x00000000
      0x00000000
      0x00468d8f
      0x00468d99
      0x00468d99
      0x00468da7
      0x00468da7
      0x00468daa
      0x00468dab
      0x00468dae
      0x00468db0
      0x00468db3
      0x00000000
      0x00468db3
      0x00468d94
      0x00468d97
      0x00000000
      0x00000000
      0x00000000
      0x00468d49
      0x00468d63
      0x00468d68
      0x00468d6e
      0x00468d75
      0x00000000
      0x00000000
      0x00468d77
      0x00468db6
      0x00468db6
      0x00468db9
      0x00468dba
      0x00468dba
      0x00000000
      0x00468bc8
      0x00468bcb
      0x00468bcd
      0x00468bd4
      0x00468bd7
      0x00468bda
      0x00468be1
      0x00468be7
      0x00468bf3
      0x00468bf3
      0x00468c02
      0x00468c10
      0x00468c17
      0x00468c1d
      0x00468c22
      0x00468c25
      0x00468c2f
      0x00468c47
      0x00468c4a
      0x00468c4d
      0x00468c56
      0x00468c5a
      0x00468c68
      0x00468c6d
      0x00468c72
      0x00468c75
      0x00468c81
      0x00468c86
      0x00468c8b
      0x00468c8e
      0x00468c90
      0x00468c95
      0x00468c98
      0x00468c9b
      0x00468c9e
      0x00468ca3
      0x00468ca9
      0x00468ca9
      0x00468cae
      0x00468cb1
      0x00468cb8
      0x00468cc1
      0x00468cc7
      0x00468cc7
      0x00468ccc
      0x00468cd1
      0x00468cdd
      0x00468ce4
      0x00468ce7
      0x00468cea
      0x00468cec
      0x00000000
      0x00000000
      0x00468cf2
      0x00000000
      0x00000000
      0x00468cf6
      0x00468cf9
      0x00000000
      0x00000000
      0x00000000
      0x00468cf9
      0x00468bf0
      0x00000000
      0x00468bf0

      APIs
      • ReleaseSRWLockShared.KERNEL32(?,2927074F,004BCA10,?,0043B0BC), ref: 00468BDA
      • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0048D048,000000FF), ref: 00468BE1
      • _memmove.LIBCMT ref: 00468C68
      • _memmove.LIBCMT ref: 00468D63
      • EnterCriticalSection.KERNEL32(?,2927074F,004BCA10,?,0043B0BC), ref: 00468E72
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0048D048,000000FF), ref: 00468EA3
      • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0048D048,000000FF), ref: 00468EB0
      • AcquireSRWLockShared.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0048D048,000000FF), ref: 00468EB7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared_memmove$EnterLeave
      • String ID: aI$aI
      • API String ID: 1763019936-428213775
      • Opcode ID: a94c0f18542bcff7abf1696129a2965fcf3fc933762d707864bf8baa05284d1a
      • Instruction ID: 0445a7c676c1554787db2cb93264b898fef30cba148bdc388534e7c5e1daed2d
      • Opcode Fuzzy Hash: a94c0f18542bcff7abf1696129a2965fcf3fc933762d707864bf8baa05284d1a
      • Instruction Fuzzy Hash: 53C1A571A002599FCB08CFA9C980AEEFBB5FF48314F10425EE515E7381DB39A915CBA5
      Uniqueness

      Uniqueness Score: -1.00%
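
      The routine above (E00468B50) holds the object's SRW lock in shared mode; when its bounds comparison fails it drops the shared hold and takes the exclusive one (ReleaseSRWLockShared then AcquireSRWLockExclusive at 00468BDA/00468BE1), recomputes the same comparison inside the while loop before touching the buffer, and at the end steps back down (ReleaseSRWLockExclusive, AcquireSRWLockShared). That shape is forced by the primitive: neither SRW locks nor pthread rwlocks can be upgraded atomically, so another writer can run between the release and the acquire, and anything decided under the shared hold is stale by the time the exclusive hold is obtained. The C below is an added example, not code from the analysed sample or from Joe Sandbox, showing why that re-check matters. The lock is a single-threaded bookkeeping model (an assumption standing in for SRWLOCK so the example runs anywhere), the quota struct and its cap of 100 are constructed for the demonstration, and an interleave callback plays the part of the other thread that slips into the gap.

```c
/* Added example (not code from the analysed sample): why a shared->exclusive
 * lock "upgrade" must re-validate its condition after the exclusive acquire.
 * The lock below is a single-threaded ownership model standing in for an
 * SRWLOCK/pthread rwlock; a callback simulates the other thread. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal reader/writer lock model: tracks ownership so misuse is caught. */
struct rwlock_model { int readers; int writer; };

static void rd_lock(struct rwlock_model *l)   { assert(!l->writer); l->readers++; }
static void rd_unlock(struct rwlock_model *l) { assert(l->readers > 0); l->readers--; }
/* Exclusive acquisition is only legal when nobody, including the caller's
 * own shared hold, is inside.  That is exactly why an "upgrade" is a release
 * followed by a fresh acquire, with an unprotected window in between. */
static void wr_lock(struct rwlock_model *l)   { assert(!l->writer && l->readers == 0); l->writer = 1; }
static void wr_unlock(struct rwlock_model *l) { assert(l->writer); l->writer = 0; }

/* Hypothetical bounded counter (constructed for the example):
 * the invariant is that 'used' never exceeds 'cap'. */
struct quota {
    struct rwlock_model lock;
    long used;
    long cap;
};

/* Simulates a writer that runs in the gap between the shared release and
 * the exclusive acquire.  NULL means nobody interferes. */
typedef void (*interleave_fn)(struct quota *q);

/* Try to reserve 'amount'.  Returns 1 on success, 0 if it would exceed cap.
 * recheck=1 re-validates under the exclusive lock (what the decompiled loop
 * does); recheck=0 trusts the read made under the shared lock. */
static int reserve(struct quota *q, long amount, int recheck, interleave_fn other)
{
    rd_lock(&q->lock);
    int fits = q->used + amount <= q->cap;   /* decision taken under shared lock */
    rd_unlock(&q->lock);
    if (!fits)
        return 0;

    if (other)
        other(q);                            /* another thread runs here */

    wr_lock(&q->lock);                       /* the "upgrade" completes */
    if (recheck && q->used + amount > q->cap) {
        wr_unlock(&q->lock);
        return 0;                            /* state changed underneath us: deny */
    }
    q->used += amount;                       /* without recheck this can overshoot */
    wr_unlock(&q->lock);
    return 1;
}

/* Interfering writer: fills the quota to capacity. */
static void fill_to_cap(struct quota *q)
{
    wr_lock(&q->lock);
    q->used = q->cap;
    wr_unlock(&q->lock);
}

/* Runs one scenario; returns the final 'used' value and reports whether the
 * reservation was granted.  Also checks the lock is fully released. */
static long run_scenario(int recheck, interleave_fn other, int *granted)
{
    struct quota q = { {0, 0}, 0, 100 };
    *granted = reserve(&q, 10, recheck, other);
    assert(q.lock.readers == 0 && !q.lock.writer);
    return q.used;
}

static long final_used(int recheck, interleave_fn other)
{
    int g;
    return run_scenario(recheck, other, &g);
}

static int was_granted(int recheck, interleave_fn other)
{
    int g;
    (void)run_scenario(recheck, other, &g);
    return g;
}

int main(void)
{
    long u;
    u = final_used(0, fill_to_cap);
    printf("no recheck: used=%ld cap=100 -> %s\n", u, u > 100 ? "INVARIANT BROKEN" : "ok");
    u = final_used(1, fill_to_cap);
    printf("recheck   : used=%ld cap=100 -> %s\n", u, u > 100 ? "INVARIANT BROKEN" : "ok");
    return 0;
}
```

      The run without the re-check ends with used=110 against a cap of 100; the run with it denies the request and leaves used=100. The same re-validation applies to any code that inspects state under a shared hold and mutates it under an exclusive one, whatever the lock primitive, and its absence is a common root cause of "impossible" state corruption in otherwise locked code.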

      C-Code - Quality: 70%
      			E00418939(struct _CRITICAL_SECTION* __ebx, void* __esi, void* __eflags) {
      				void* _t197;
      				intOrPtr* _t200;
      				int _t216;
      				intOrPtr* _t220;
      				intOrPtr* _t221;
      				intOrPtr _t226;
      				intOrPtr _t249;
      				intOrPtr _t250;
      				intOrPtr _t251;
      				intOrPtr _t263;
      				intOrPtr _t267;
      				signed int _t268;
      				void* _t275;
      				struct _CRITICAL_SECTION* _t306;
      				void* _t307;
      				intOrPtr _t308;
      				intOrPtr _t309;
      				void* _t313;
      				void* _t315;
      				intOrPtr _t320;
      				signed int _t322;
      				intOrPtr _t324;
      				intOrPtr _t339;
      				intOrPtr _t340;
      				intOrPtr _t341;
      				intOrPtr* _t342;
      				intOrPtr* _t344;
      				signed int _t347;
      				unsigned int _t349;
      				intOrPtr _t350;
      				signed int _t353;
      				unsigned int _t355;
      				intOrPtr _t356;
      				signed int _t364;
      				intOrPtr _t365;
      				intOrPtr _t366;
      				unsigned int _t367;
      				signed int _t368;
      				intOrPtr _t369;
      				intOrPtr _t371;
      				intOrPtr _t372;
      				unsigned int _t374;
      				unsigned int _t376;
      				intOrPtr _t379;
      				intOrPtr _t380;
      				intOrPtr _t381;
      				void* _t383;
      				intOrPtr* _t384;
      				intOrPtr* _t385;
      				intOrPtr _t386;
      				intOrPtr* _t393;
      				signed int _t397;
      				signed int _t401;
      				intOrPtr _t402;
      				int _t403;
      				intOrPtr* _t404;
      				intOrPtr* _t405;
      				void* _t406;
      				intOrPtr* _t408;
      				intOrPtr* _t409;
      				signed int _t410;
      				void* _t412;
      				void* _t413;
      				void* _t415;
      
      				_t415 = __eflags;
      				_t306 = __ebx;
      				while(1) {
      					L5:
      					asm("movdqu xmm0, [esi+0x8]");
      					asm("movdqu [ebp-0x3cc], xmm0");
      					E0041A480(_t410 - 0x344, _t410 - 0x3cc);
      					_t393 =  *_t393;
      					_t9 = _t306 + 0xe8; // 0x784af0
      					if(_t393 !=  *_t9) {
      						continue;
      					}
      					L6:
      					_t379 =  *((intOrPtr*)(_t410 - 0x344));
      					while(1) {
      						L7:
      						_t363 = 0x2aaaaaab * ( *((intOrPtr*)(_t410 - 0x340)) - _t379) >> 0x20 >> 2;
      						_t205 = (0x2aaaaaab * ( *((intOrPtr*)(_t410 - 0x340)) - _t379) >> 0x20 >> 2 >> 0x1f) + _t363;
      						if((0x2aaaaaab * ( *((intOrPtr*)(_t410 - 0x340)) - _t379) >> 0x20 >> 2 >> 0x1f) + _t363 != 0) {
      							_t16 = _t306 + 0x1c; // 0x1c
      							 *((char*)(_t410 - 0x331)) = E0040E8F0(_t16, _t379, _t205);
      						}
      						 *((char*)(_t410 - 4)) = 2;
      						if(_t379 != 0) {
      							E0046EF07(_t379);
      							_t412 = _t412 + 4;
      						}
      						_t19 = _t306 + 0xe4; // 0x0
      						_t320 =  *_t19;
      						if(_t320 == 0) {
      							break;
      						}
      						_t386 = 0;
      						_t309 = 0;
      						 *((intOrPtr*)(_t410 - 0x344)) = 0;
      						 *((intOrPtr*)(_t410 - 0x340)) = 0;
      						 *(_t410 - 0x338) = 0;
      						 *(_t410 - 0x33c) = 0;
      						 *((char*)(_t410 - 4)) = 4;
      						if(_t320 != 0) {
      							_t422 = _t320 - 0x7ffffff;
      							if(_t320 > 0x7ffffff) {
      								_push("vector<T> too long");
      								E0046EB0F(_t422);
      							}
      							_push(_t320);
      							E00419BA0(_t410 - 0x344);
      							_t309 =  *((intOrPtr*)(_t410 - 0x340));
      							_t386 =  *((intOrPtr*)(_t410 - 0x344));
      							 *(_t410 - 0x338) =  *(_t410 - 0x33c);
      						}
      						_t408 =  *(_t410 - 0x348) + 0xe0;
      						 *((char*)(_t410 - 0x35c)) = 0;
      						 *((intOrPtr*)(_t410 - 0x370)) = _t408;
      						E004152E0(_t408,  *((intOrPtr*)(_t410 - 0x35c)));
      						_t344 =  *_t408;
      						_t409 =  *_t344;
      						_t369 =  *((intOrPtr*)(_t409 + 8));
      						_t267 =  *((intOrPtr*)(_t409 + 0xc));
      						if(_t369 !=  *((intOrPtr*)(_t410 - 0x358))) {
      							__eflags = _t267 -  *((intOrPtr*)(_t410 - 0x354));
      							goto L21;
      						} else {
      							if(_t267 !=  *((intOrPtr*)(_t410 - 0x354))) {
      								L21:
      								if(__eflags < 0) {
      									goto L24;
      								} else {
      									if(__eflags <= 0) {
      										__eflags = _t369 -  *((intOrPtr*)(_t410 - 0x358));
      										if(__eflags < 0) {
      											goto L24;
      										}
      									}
      								}
      							} else {
      								if(( *(_t410 - 0x350) & 0xffffff00 |  *((intOrPtr*)(_t409 + 0x10)) -  *(_t410 - 0x350) > 0x00000000) != 0) {
      									L24:
      									_t268 =  *(_t344 + 4);
      									_t386 =  *((intOrPtr*)(_t410 - 0x344));
      									 *((intOrPtr*)(_t410 - 0x35c)) =  *((intOrPtr*)(_t268 + 8));
      									_t371 =  *((intOrPtr*)(_t268 + 0xc));
      									if( *((intOrPtr*)(_t268 + 8)) !=  *((intOrPtr*)(_t410 - 0x380))) {
      										__eflags = _t371 -  *((intOrPtr*)(_t410 - 0x37c));
      										goto L29;
      									} else {
      										if(_t371 !=  *((intOrPtr*)(_t410 - 0x37c))) {
      											L29:
      											if(__eflags > 0) {
      												goto L32;
      											} else {
      												if(__eflags >= 0) {
      													__eflags =  *((intOrPtr*)(_t410 - 0x35c)) -  *((intOrPtr*)(_t410 - 0x380));
      													if( *((intOrPtr*)(_t410 - 0x35c)) >  *((intOrPtr*)(_t410 - 0x380))) {
      														goto L32;
      													}
      												}
      											}
      										} else {
      											if((_t268 & 0xffffff00 |  *((intOrPtr*)(_t268 + 0x10)) -  *(_t410 - 0x378) > 0x00000000) != 0) {
      												L32:
      												 *((char*)(_t410 - 0x331)) = 1;
      											}
      										}
      									}
      								}
      							}
      						}
      						if(_t409 == _t344) {
      							L58:
      							_t306 =  *(_t410 - 0x348);
      							E0040E660(_t306 + 0x1c, _t386, _t309 - _t386 >> 5, 0, _t309 - _t386 >> 5, 1);
      							 *((char*)(_t410 - 4)) = 2;
      							if(_t386 != 0) {
      								E0046EF07(_t386);
      								_t412 = _t412 + 4;
      							}
      						} else {
      							do {
      								E00417200( *(_t410 - 0x348), _t410 - 0x360, _t409 + 8, 0);
      								asm("movdqu xmm1, [edi]");
      								_t372 =  *((intOrPtr*)(_t410 - 0x344));
      								 *((intOrPtr*)(_t410 - 0x3bc)) =  *((intOrPtr*)(_t410 - 0x360));
      								 *((intOrPtr*)(_t410 - 0x3b8)) =  *((intOrPtr*)(_t410 - 0x35c));
      								_t275 = _t410 - 0x3b4;
      								asm("movq xmm0, [ebp-0x3bc]");
      								asm("movq [ebp-0x3a4], xmm0");
      								 *((char*)(_t410 - 0x39c)) = 1;
      								asm("movdqu [ebp-0x394], xmm1");
      								asm("movdqu [ebp-0x3b4], xmm1");
      								if(_t275 >= _t309 || _t372 > _t275) {
      									_t347 =  *(_t410 - 0x338);
      									__eflags = _t309 - _t347;
      									if(_t309 != _t347) {
      										L53:
      										__eflags = _t309;
      										if(_t309 != 0) {
      											asm("movdqu xmm0, [ebp-0x3a4]");
      											asm("movdqu [ebx], xmm1");
      											goto L55;
      										}
      										goto L56;
      									} else {
      										__eflags = _t347 - _t309 >> 5 - 1;
      										if(_t347 - _t309 >> 5 >= 1) {
      											goto L53;
      										} else {
      											_t306 = _t309 - _t372 >> 5;
      											__eflags = 0x7ffffff - _t306 - 1;
      											if(__eflags < 0) {
      												goto L1;
      											} else {
      												_t349 = _t347 - _t372 >> 5;
      												_t313 = _t306 + 1;
      												_t374 = _t349 >> 1;
      												__eflags = 0x7ffffff - _t374 - _t349;
      												if(0x7ffffff - _t374 >= _t349) {
      													_t350 = _t349 + _t374;
      													__eflags = _t350;
      												} else {
      													_t350 = 0;
      												}
      												__eflags = _t350 - _t313;
      												_t351 =  <  ? _t313 : _t350;
      												_push( <  ? _t313 : _t350);
      												E00419BA0(_t410 - 0x344);
      												_t309 =  *((intOrPtr*)(_t410 - 0x340));
      												asm("movdqu xmm1, [ebp-0x394]");
      												 *(_t410 - 0x338) =  *(_t410 - 0x33c);
      												goto L53;
      											}
      										}
      									}
      								} else {
      									_t353 =  *(_t410 - 0x338);
      									if(_t309 != _t353 || _t353 - _t309 >> 5 >= 1) {
      										L44:
      										if(_t309 != 0) {
      											asm("movdqu xmm0, [edi+edx]");
      											asm("movdqu [ebx], xmm0");
      											asm("movdqu xmm0, [edi+edx+0x10]");
      											L55:
      											asm("movdqu [ebx+0x10], xmm0");
      										}
      										goto L56;
      									} else {
      										_t306 = _t309 - _t372 >> 5;
      										if(0x7ffffff - _t306 < 1) {
      											L1:
      											_push("vector<T> too long");
      											_t197 = E0046EB0F(_t415);
      											_push(_t197);
      											E00419AB0(_t410 - 0x344);
      											_t379 =  *((intOrPtr*)(_t410 - 0x344));
      											 *((char*)(_t410 - 0x35c)) = 0;
      											_t4 = _t306 + 0xe8; // 0x4bcaf8
      											E004152E0(_t4,  *((intOrPtr*)(_t410 - 0x35c)));
      											_t6 = _t306 + 0xe8; // 0x784af0
      											_t200 =  *_t6;
      											_t393 =  *_t200;
      											if(_t393 != _t200) {
      												do {
      													goto L5;
      												} while (_t393 !=  *_t9);
      												goto L6;
      											}
      											goto L7;
      										} else {
      											_t355 = _t353 - _t372 >> 5;
      											_t315 = _t306 + 1;
      											_t376 = _t355 >> 1;
      											if(0x7ffffff - _t376 >= _t355) {
      												_t356 = _t355 + _t376;
      												__eflags = _t356;
      											} else {
      												_t356 = 0;
      											}
      											_t357 =  <  ? _t315 : _t356;
      											_push( <  ? _t315 : _t356);
      											E00419BA0(_t410 - 0x344);
      											_t309 =  *((intOrPtr*)(_t410 - 0x340));
      											 *(_t410 - 0x338) =  *(_t410 - 0x33c);
      											goto L44;
      										}
      									}
      								}
      								goto L60;
      								L56:
      								_t309 = _t309 + 0x20;
      								_t409 =  *_t409;
      								 *((intOrPtr*)(_t410 - 0x340)) = _t309;
      							} while (_t409 !=  *((intOrPtr*)( *((intOrPtr*)(_t410 - 0x370)))));
      							_t386 =  *((intOrPtr*)(_t410 - 0x344));
      							goto L58;
      						}
      						break;
      					}
      					L60:
      					_t380 = 0;
      					_t87 = _t306 + 0xe0; // 0x4bcaf0
      					 *((intOrPtr*)(_t410 - 0x35c)) = 0;
      					E00419200(_t87);
      					_t89 = _t306 + 0x34; // 0x0
      					_t322 = 0;
      					_t90 = _t306 + 0x30; // 0x0
      					_t397 = ( *_t89 -  *_t90 >> 2) - 1;
      					 *(_t410 - 0x338) = 0;
      					if(_t397 >= 0) {
      						_t92 = _t397 + 1; // 0x0
      						_t367 = _t92;
      						if(_t367 >= 2) {
      							_t93 = _t306 + 0x30; // 0x0
      							_t368 = _t367 >> 1;
      							_t342 =  *_t93 + _t397 * 4;
      							_t308 = 0;
      							_t397 = _t397 +  ~_t368 * 2;
      							do {
      								_t263 =  *_t342;
      								_t342 = _t342 - 8;
      								_t380 = _t380 +  *((intOrPtr*)(_t263 + 0x588));
      								_t308 = _t308 +  *((intOrPtr*)( *((intOrPtr*)(_t342 + 4)) + 0x588));
      								_t368 = _t368 - 1;
      							} while (_t368 != 0);
      							 *((intOrPtr*)(_t410 - 0x35c)) = _t308;
      							_t322 = 0;
      							_t306 =  *(_t410 - 0x348);
      						}
      						if(_t397 >= 0) {
      							_t104 = _t306 + 0x30; // 0x0
      							_t322 =  *( *((intOrPtr*)( *_t104 + _t397 * 4)) + 0x588);
      						}
      						_t322 = _t322 +  *((intOrPtr*)(_t410 - 0x35c)) + _t380;
      						 *(_t410 - 0x338) = _t322;
      					}
      					_push(_t322);
      					E00415730(_t410 - 0x344);
      					 *((char*)(_t410 - 4)) = 5;
      					 *(_t410 - 0x330) = 0;
      					E00470030(_t410 - 0x32c, 0, 0x31c);
      					_t114 = _t306 + 0x34; // 0x0
      					_t324 = 0;
      					_t115 = _t306 + 0x30; // 0x0
      					_t413 = _t412 + 0xc;
      					_t364 =  *(_t410 - 0x338);
      					_t381 =  *((intOrPtr*)(_t410 - 0x344));
      					_t401 = ( *_t114 -  *_t115 >> 2) - 1;
      					 *((intOrPtr*)(_t410 - 0x384)) = 0;
      					 *(_t410 - 0x348) = _t364;
      					if(_t401 >= 0) {
      						do {
      							_t120 = _t306 + 0x30; // 0x0
      							_t339 =  *((intOrPtr*)( *_t120 + _t401 * 4));
      							if(_t364 != 0) {
      								_t125 = _t306 + 0x58; // 0x4bca68
      								_t128 = _t306 + 0x84; // 0x4bca94
      								_t249 = E00469000(_t339, _t401, _t128, ( *(_t410 - 0x348) << 5) + _t381, _t410 - 0x384, _t125, _t410 - 0x368, _t410 - 0x394);
      								 *(_t410 - 0x348) =  *(_t410 - 0x348) - _t249;
      								_t340 =  *((intOrPtr*)(_t410 - 0x368));
      								_t365 =  *((intOrPtr*)(_t410 - 0x354));
      								 *((intOrPtr*)(_t410 + _t401 * 4 - 0x330)) = _t249;
      								_t250 =  *((intOrPtr*)(_t410 - 0x364));
      								if(_t340 !=  *((intOrPtr*)(_t410 - 0x358))) {
      									__eflags = _t250 - _t365;
      									goto L76;
      								} else {
      									if(_t250 != _t365) {
      										L76:
      										if(__eflags < 0) {
      											goto L79;
      										} else {
      											if(__eflags <= 0) {
      												__eflags = _t340 -  *((intOrPtr*)(_t410 - 0x358));
      												if(__eflags < 0) {
      													goto L79;
      												}
      											}
      										}
      									} else {
      										if(( *(_t410 - 0x350) & 0xffffff00 |  *((intOrPtr*)(_t410 - 0x360)) -  *(_t410 - 0x350) > 0x00000000) != 0) {
      											L79:
      											_t341 =  *((intOrPtr*)(_t410 - 0x394));
      											_t366 =  *((intOrPtr*)(_t410 - 0x380));
      											_t251 =  *((intOrPtr*)(_t410 - 0x390));
      											if(_t341 != _t366) {
      												__eflags = _t251 -  *((intOrPtr*)(_t410 - 0x37c));
      												goto L84;
      											} else {
      												if(_t251 !=  *((intOrPtr*)(_t410 - 0x37c))) {
      													L84:
      													if(__eflags > 0) {
      														goto L87;
      													} else {
      														if(__eflags >= 0) {
      															__eflags = _t341 - _t366;
      															if(_t341 > _t366) {
      																goto L87;
      															}
      														}
      													}
      												} else {
      													if(( *(_t410 - 0x378) & 0xffffff00 |  *((intOrPtr*)(_t410 - 0x38c)) -  *(_t410 - 0x378) > 0x00000000) != 0) {
      														L87:
      														 *((char*)(_t410 - 0x331)) = 1;
      													}
      												}
      											}
      										}
      									}
      								}
      								_t364 =  *(_t410 - 0x338);
      							}
      							_t401 = _t401 - 1;
      						} while (_t401 >= 0);
      						_t324 =  *((intOrPtr*)(_t410 - 0x384));
      					}
      					_t212 =  *((intOrPtr*)(_t410 - 0x340)) - _t381 >> 5;
      					if( *((intOrPtr*)(_t410 - 0x340)) - _t381 >> 5 != 0) {
      						_t157 = _t306 + 0x1c; // 0x4bca2c
      						E0040E660(_t157, _t381, _t212, _t410 - 0x330, _t324, 0);
      					}
      					_t158 = _t306 + 0x28; // 0x0
      					_t402 =  *_t158;
      					 *((intOrPtr*)(_t306 + 0x80)) = 0xffffffff;
      					if(_t381 != 0) {
      						E0046EF07(_t381);
      						_t413 = _t413 + 4;
      					}
      					 *((char*)(_t410 - 4)) = 1;
      					E0040F960(_t410 - 0x3f4, _t402);
      					 *((char*)(_t410 - 4)) = 0;
      					E0040F960(_t410 - 0x3e0, _t402);
      					LeaveCriticalSection(_t306);
      					_t403 =  >  ? 0x5f5e100 : _t402;
      					_t216 =  *0x4bc8e0; // 0x0
      					if(_t403 != _t216) {
      						_t164 = _t306 + 0x18; // 0x0
      						SendMessageW( *_t164, 0x102f, _t403, 3);
      						_t216 =  *0x4bc8e0; // 0x0
      					}
      					if( *((char*)(_t410 - 0x331)) != 0 || _t403 == 0 && _t216 != 0) {
      						_t168 = _t306 + 0x18; // 0x0
      						InvalidateRect( *_t168, 0, 0 | _t403 == 0x00000000);
      						_t216 =  *0x4bc8e0; // 0x0
      					}
      					if( *((char*)(_t410 + 8)) != 0 && _t403 > _t216) {
      						_t170 = _t403 - 1; // -1
      						_t171 = _t306 + 0x18; // 0x0
      						SendMessageW( *_t171, 0x1013, _t170, 0);
      					}
      					 *0x4bc8e0 = _t403;
      					 *(_t410 - 0x36c) = _t306;
      					EnterCriticalSection(_t306);
      					_t173 = _t306 + 0x48; // 0x77cfc8
      					_t220 =  *_t173;
      					 *((intOrPtr*)(_t410 - 4)) = 6;
      					_t404 =  *_t220;
      					if(_t404 != _t220) {
      						do {
      							_t334 =  *((intOrPtr*)(_t404 + 8));
      							if( *((intOrPtr*)( *((intOrPtr*)(_t404 + 8)) + 0x578)) != 1) {
      								_t404 =  *_t404;
      							} else {
      								_t385 = _t404;
      								_t404 =  *_t404;
      								if(E00467590(_t334) != 0) {
      									 *((intOrPtr*)( *((intOrPtr*)(_t385 + 4)))) =  *_t385;
      									 *((intOrPtr*)( *_t385 + 4)) =  *((intOrPtr*)(_t385 + 4));
      									 *((intOrPtr*)(_t306 + 0x4c)) =  *((intOrPtr*)(_t306 + 0x4c)) - 1;
      									E0046EF07(_t385);
      									_t413 = _t413 + 4;
      								}
      							}
      							_t182 = _t306 + 0x48; // 0x77cfc8
      						} while (_t404 !=  *_t182);
      					}
      					_t183 = _t306 + 0x50; // 0x77d088
      					_t221 =  *_t183;
      					_t405 =  *_t221;
      					if(_t405 != _t221) {
      						do {
      							if( *((intOrPtr*)( *((intOrPtr*)(_t405 + 8)) + 0x578)) != 1) {
      								_t405 =  *_t405;
      							} else {
      								_t384 = _t405;
      								_t405 =  *_t405;
      								 *((intOrPtr*)( *((intOrPtr*)(_t384 + 4)))) =  *_t384;
      								 *((intOrPtr*)( *_t384 + 4)) =  *((intOrPtr*)(_t384 + 4));
      								 *((intOrPtr*)(_t306 + 0x54)) =  *((intOrPtr*)(_t306 + 0x54)) - 1;
      								_t226 =  *((intOrPtr*)(_t384 + 8));
      								 *((intOrPtr*)(_t410 - 0x370)) = _t226;
      								if(_t226 != 0 && InterlockedDecrement(_t226 + 0x578) < 2) {
      									E00467460( *((intOrPtr*)(_t410 - 0x370)), _t229);
      								}
      								E0046EF07(_t384);
      								_t413 = _t413 + 4;
      							}
      							_t194 = _t306 + 0x50; // 0x77d088
      						} while (_t405 !=  *_t194);
      					}
      					LeaveCriticalSection(_t306);
      					 *[fs:0x0] =  *((intOrPtr*)(_t410 - 0xc));
      					_pop(_t383);
      					_pop(_t406);
      					_pop(_t307);
      					return E0046F77E(_t307,  *(_t410 - 0x10) ^ _t410, _t364, _t383, _t406);
      					L5:
      					asm("movdqu xmm0, [esi+0x8]");
      					asm("movdqu [ebp-0x3cc], xmm0");
      					E0041A480(_t410 - 0x344, _t410 - 0x3cc);
      					_t393 =  *_t393;
      					_t9 = _t306 + 0xe8; // 0x784af0
      				}
      			}

      • Instruction addresses (0x004188f7 to 0x00419050): the per-line address column of the listing above, separated from the code by extraction.

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID:
      • String ID: vector<T> too long
      • API String ID: 0-3788999226
      • Opcode ID: 28dc8a4ac417ea7cae1ba7c349c7e17eebe65844d7bb9b259a6f677a9d7d2589
      • Instruction ID: f882352c51328ba4d513de4d41dae2182c5d3e13f19b01d4aa47dfe492cd0da1
      • Opcode Fuzzy Hash: 28dc8a4ac417ea7cae1ba7c349c7e17eebe65844d7bb9b259a6f677a9d7d2589
      • Instruction Fuzzy Hash: A6124C719002159BCB26DF18C880BEAB7B9BF54304F1441EEE849AB355DB34AF85CF84
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E0040C7B0(void* __ecx, void* _a4, short*** _a8) {
      				void* _v8;
      				char* _t9;
      				short** _t10;
      				short* _t11;
      				_Unknown_base(*)()* _t15;
      				intOrPtr* _t16;
      				short** _t23;
      				short* _t24;
      				void* _t25;
      				short*** _t26;
      				void* _t29;
      				char* _t30;
      
      				_t9 =  &_v8;
      				__imp__CreateBindCtx(0, _t9, _t25, _t29, __ecx);
      				_t26 = _a8;
      				_t30 = _t9;
      				if(_t30 < 0) {
      					L8:
      					_t10 =  *_t26;
      					if(_t10 == 0) {
      						_t11 = 0;
      					} else {
      						_t11 =  *_t10;
      					}
      					// ShellExecuteW reports success with a value greater than 32, so the decompiled
      					// expression reduces to (result - 32 >= 0); 1 is SW_SHOWNORMAL and _t12 is the
      					// decompiler's name for the return value.
      					return ShellExecuteW(_a4, L"open", _t11, 0, 0, 1) & 0xffffff00 | _t12 - 0x00000020 >= 0x00000000;
      				} else {
      					// HlinkSimpleNavigateToString is resolved at run time rather than imported.
      					_t15 = GetProcAddress(LoadLibraryW(L"URLMON.DLL"), "HlinkSimpleNavigateToString");
      					if(_t15 != 0) {
      						_t23 =  *_t26;
      						if(_t23 == 0) {
      							_t24 = 0;
      						} else {
      							_t24 =  *_t23;
      						}
      						// HlinkSimpleNavigateToString(szTarget, NULL, NULL, NULL, pbc, NULL, grfHLNF = 2 (HLNF_OPENINNEWWINDOW), 0);
      						// a failing HRESULT sends execution to the ShellExecuteW fallback at L8.
      						_t30 =  *_t15(_t24, 0, 0, 0, _v8, 0, 2, 0);
      					}
      					// If the export is not found, _t30 still holds the non-negative CreateBindCtx
      					// result, so the function returns 1 below without navigating anywhere.
      					_t16 = _v8;
      					 *((intOrPtr*)( *_t16 + 8))(_t16); // IUnknown::Release on the bind context (vtable slot 2)
      					if(_t30 < 0) {
      						goto L8;
      					} else {
      						return 1;
      					}
      				}
      			}

      • Instruction addresses (0x0040c7b6 to 0x0040c849): the per-line address column of the listing above, separated from the code by extraction.

      APIs
      • CreateBindCtx.OLE32(00000000,?), ref: 0040C7BC
      • LoadLibraryW.KERNEL32(URLMON.DLL,HlinkSimpleNavigateToString,?,?,0040C63B,?,00000010), ref: 0040C7D5
      • GetProcAddress.KERNEL32(00000000), ref: 0040C7DC
      • ShellExecuteW.SHELL32(?,open,00000000,00000000,00000000,00000001), ref: 0040C836
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AddressBindCreateExecuteLibraryLoadProcShell
      • String ID: HlinkSimpleNavigateToString$URLMON.DLL$open
      • API String ID: 3349459919-4128940622
      • Opcode ID: a6e2ebebceed34b1b871db6d7f00c688994da27c6d631a589bf30fdb6d2c94e1
      • Instruction ID: cbd270a9d776dc5ed6e4b6e828af576bd028c7e473a252ef2fea078dbd65ba78
      • Opcode Fuzzy Hash: a6e2ebebceed34b1b871db6d7f00c688994da27c6d631a589bf30fdb6d2c94e1
      • Instruction Fuzzy Hash: CD119472740214ABE7209B58DC86F6A77A8AB04B11F20427AFD05FB2D1D675AC01979C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 81%
      			E0042F8B0(struct HWND__* _a4, char _a8) {
      				intOrPtr _v8;
      				int _v16;
      				signed int _t17;
      				int _t19;
      				void* _t25;
      				signed int _t26;
      				void* _t41;
      				struct HWND__* _t43;
      				signed int _t46;
      
      				_push(0xffffffff);
      				_push(E00488F58);
      				_push( *[fs:0x0]);
      				_t17 =  *0x4bb1dc; // 0x2927074f
      				_push(_t17 ^ _t46);
      				_t19 =  &_v16;
      				 *[fs:0x0] = _t19;
      				_t43 = _a4;
      				if(_t43 != 0) {
      					_t19 = OpenClipboard(_t43);
      					if(_t19 != 0) {
      						E0042F990( &_a4, _t43, _a8);
      						_v8 = 0;
      						// 0x2002 = GMEM_MOVEABLE | GMEM_SHARE; the size is the UTF-16 text plus a terminating NUL.
      						_t41 = GlobalAlloc(0x2002, 2 + E0046A720( &_a4) * 2);
      						_t25 = GlobalLock(_t41);
      						_t26 = E0046A720( &_a4);
      						E00470850(_t25, E0046A170( &_a4), 2 + _t26 * 2);
      						GlobalUnlock(_t41);
      						EmptyClipboard();
      						SetClipboardData(0xd, _t41); // 0xd = CF_UNICODETEXT; the clipboard now owns the global block
      						_t19 = CloseClipboard();
      						_t38 = _a4;
      						_v8 = 0xffffffff;
      						if(_a4 != 0) {
      							_t19 = E0046A700(_t38);
      						}
      					}
      				}
      				 *[fs:0x0] = _v16;
      				return _t19;
      			}

      • Instruction addresses (0x0042f8b3 to 0x0042f98c): the per-line address column of the listing above, separated from the code by extraction.

      APIs
      • OpenClipboard.USER32(?), ref: 0042F8E0
        • Part of subcall function 0042F990: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0042FA10
        • Part of subcall function 0042F990: _memset.LIBCMT ref: 0042FA3E
        • Part of subcall function 0042F990: SendMessageW.USER32(?,0000103B,00000000,00000000), ref: 0042FA98
        • Part of subcall function 0042F990: SendMessageW.USER32(?,0000100C,000000FF,00000000), ref: 0042FAA9
      • GlobalAlloc.KERNEL32(00002002,00000000), ref: 0042F91A
      • GlobalLock.KERNEL32 ref: 0042F923
      • _memmove.LIBCMT ref: 0042F945
      • GlobalUnlock.KERNEL32(00000000), ref: 0042F94E
      • EmptyClipboard.USER32 ref: 0042F954
      • SetClipboardData.USER32 ref: 0042F95D
      • CloseClipboard.USER32 ref: 0042F963
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Clipboard$GlobalMessageSend$AllocCloseDataDecrementEmptyInterlockedLockOpenUnlock_memmove_memset
      • String ID:
      • API String ID: 679696266-0
      • Opcode ID: af11f91b1539b9e158270fe2e9fdcc4c025a4531f1d0a2136ef849ef5c01d601
      • Instruction ID: 0172e94b86604a7c93fe547fbb9d8a73ae7e4a001017e594d1918d6cc683b55b
      • Opcode Fuzzy Hash: af11f91b1539b9e158270fe2e9fdcc4c025a4531f1d0a2136ef849ef5c01d601
      • Instruction Fuzzy Hash: E3219571500618BBDB00AF61EC49BAE7B7CEB45754F40453EFC19D3251EB389908CBA9
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SysAllocString.OLEAUT32(root\wmi), ref: 00403982
      • CoInitialize.OLE32(00000000), ref: 0040398C
      • CoCreateInstance.OLE32(004A925C,00000000,00000001,004A918C,00000000,?,?,00402489,?), ref: 004039A4
      • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000004,00000003,00000000,00000000,?,?,00402489,?), ref: 004039D7
      • SysFreeString.OLEAUT32(00000000), ref: 004039E1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: String$AllocBlanketCreateFreeInitializeInstanceProxy
      • String ID: root\wmi
      • API String ID: 3747975327-922848465
      • Opcode ID: 34f5b0dc52ca0caa4b8222c195d6311b40ccc205da336b04ba399bcc6952798c
      • Instruction ID: eaaada76f8f46dfe6805b7978b872ba1455ccdb7cdf19e3404713896ce573fc4
      • Opcode Fuzzy Hash: 34f5b0dc52ca0caa4b8222c195d6311b40ccc205da336b04ba399bcc6952798c
      • Instruction Fuzzy Hash: 8401ADB2A40214BFEB209B95CC49F6F7BACEB45B91F10016AFD05EB290C6B58D0087A4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E0040F360(WCHAR* _a4) {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				struct _TOKEN_PRIVILEGES _v24;
      				void* _v28;
      				struct _LUID _v36;
      				void* __esi;
      				signed int _t16;
      				void* _t33;
      				void* _t39;
      				void* _t40;
      				WCHAR* _t41;
      				int _t42;
      				signed int _t43;
      
      				_t16 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t16 ^ _t43;
      				_t41 = _a4;
      				// Opens the current process token with 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY.
      				// The call-site snapshot in the APIs list below shows the privilege name argument
      				// is "SeDebugPrivilege": this is the usual enable-one-privilege helper.
      				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
      					if(LookupPrivilegeValueW(0, _t41,  &_v36) == 0) {
      						goto L1;
      					} else {
      						_v24.Privileges = _v36.LowPart;   // TOKEN_PRIVILEGES.Privileges[0].Luid
      						_v16 = _v36.HighPart;
      						_v24.PrivilegeCount = 1;
      						_v12 = 2;                          // Attributes = SE_PRIVILEGE_ENABLED
      						// BufferLength 0x10 = sizeof(TOKEN_PRIVILEGES) holding one LUID_AND_ATTRIBUTES.
      						_t42 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0x10, 0, 0);
      						if(_t42 != 0) {
      							// AdjustTokenPrivileges returns non-zero even when the privilege is not held
      							// and reports that through the last error (ERROR_NOT_ALL_ASSIGNED); the
      							// decompiler dropped the operands of the check below, which inspects it.
      							GetLastError();
      							_t42 =  !=  ? 0 : _t42;
      						}
      						CloseHandle(_v28);
      						return E0046F77E(_t33, _v8 ^ _t43, _t39, _t40, _t42);
      					}
      				} else {
      					L1:
      					return E0046F77E(_t33, _v8 ^ _t43, _t39, _t40, _t41);
      				}
      			}

      • Instruction addresses (0x0040f366 to 0x0040f408): the per-line address column of the listing above, separated from the code by extraction.

      APIs
      • GetCurrentProcess.KERNEL32(00000028,0045F38B,749682C0,?,?,0045F38B,SeDebugPrivilege,?,?,00000003,00000000,?,?,04000000), ref: 0040F37A
      • OpenProcessToken.ADVAPI32(00000000,?,?,0045F38B,SeDebugPrivilege,?,?,00000003,00000000,?,?,04000000), ref: 0040F381
      • LookupPrivilegeValueW.ADVAPI32(00000000,00000003,?), ref: 0040F3A3
      • AdjustTokenPrivileges.ADVAPI32(0045F38B,00000000,?,00000010,00000000,00000000,?,?,0045F38B), ref: 0040F3D6
      • GetLastError.KERNEL32(?,?,0045F38B), ref: 0040F3E2
      • CloseHandle.KERNEL32(0045F38B,?,?,0045F38B), ref: 0040F3F2
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
      • String ID:
      • API String ID: 3398352648-0
      • Opcode ID: 02fcc153d0ac070c9d3f65fb853e4ed8d804d0c68090ac4063405ba9640fd3b1
      • Instruction ID: 1564ffbd2bd35a89f193c793884e4849a633e2e31f8580d7d87f10bcf7e39400
      • Opcode Fuzzy Hash: 02fcc153d0ac070c9d3f65fb853e4ed8d804d0c68090ac4063405ba9640fd3b1
      • Instruction Fuzzy Hash: 18112E71A00219AFDB109FE5DC49BFEBBB8EF08715F00057EED05E7291DA7499088B95
      Uniqueness

      Uniqueness Score: -1.00%
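      The APIs lists in the records above are what an analyst actually triages in a report like this: E0040F360's OpenProcessToken/LookupPrivilegeValueW/AdjustTokenPrivileges sequence with SeDebugPrivilege visible in the stack snapshot, the root\wmi CoCreateInstance/CoSetProxyBlanket record, E0040C7B0's LoadLibraryW/GetProcAddress resolution of HlinkSimpleNavigateToString, and E0042F8B0's clipboard write. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the "• Api.MODULE(args), ref: ADDR" lines, tags a record by the API combination it contains, and decodes the constants that appear in the decompiled calls (the 0x28 token access mask, the 0x2002 GlobalAlloc flags, the three CoSetProxyBlanket security levels). The tag rules, the decoding tables and the record names are this example's own assumptions; the sample lines are copied from the records above.

```python
"""Triage helper for the 'APIs' listings of a Joe Sandbox function record (added example,
not part of the report). Tag rules, constant tables and record names are the example's own."""
import re
from dataclasses import dataclass, field
from typing import Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"            # OpenProcessToken.ADVAPI32
    r"(?:\((?P<args>[^)]*)\))?"                  # argument snapshot, if any
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"   # call-site address
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)
    ref: str = ""
    subcall: Optional[str] = None  # callee address when the call is one level down

def parse_api_lines(text: str) -> list:
    """Return one ApiCall per API line; header and metadata lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["module"], args, m["ref"].upper(), m["sub"]))
    return calls

# API sets that together mark a behaviour worth a second look (this example's rules).
TAG_RULES = {
    "privilege-adjust": {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "dynamic-api-resolution": {"LoadLibraryW", "GetProcAddress"},
    "shell-execute": {"ShellExecuteW"},
    "wmi-com-connect": {"CoCreateInstance", "CoSetProxyBlanket"},
    "clipboard-write": {"OpenClipboard", "SetClipboardData"},
}

def classify(calls: list) -> set:
    """Tag one record from its API names; subcall lines count as the caller's."""
    names = {c.api for c in calls}
    args = [a for c in calls for a in c.args]
    tags = {tag for tag, needed in TAG_RULES.items() if needed <= names}
    if "privilege-adjust" in tags and "SeDebugPrivilege" in args:
        tags.add("SeDebugPrivilege")  # the privilege name is visible in the stack snapshot
    if "wmi-com-connect" in tags:
        tags.update("wmi-namespace:" + a for a in args if a.lower().startswith("root\\"))
    return tags

# Bit table and enumerations for constants used in the decompiled calls above.
TOKEN_ACCESS = {0x1: "TOKEN_ASSIGN_PRIMARY", 0x2: "TOKEN_DUPLICATE", 0x4: "TOKEN_IMPERSONATE", 0x8: "TOKEN_QUERY",
                0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES", 0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT"}
GMEM_FLAGS = {0x2: "GMEM_MOVEABLE", 0x40: "GMEM_ZEROINIT", 0x2000: "GMEM_SHARE"}
AUTHN_SVC = {0: "RPC_C_AUTHN_NONE", 9: "RPC_C_AUTHN_GSS_NEGOTIATE", 10: "RPC_C_AUTHN_WINNT"}
AUTHN_LEVEL = {0: "DEFAULT", 1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
IMP_LEVEL = {0: "DEFAULT", 1: "ANONYMOUS", 2: "IDENTIFY", 3: "IMPERSONATE", 4: "DELEGATE"}

def decode_flags(value: int, table: dict) -> list:
    """Name the set bits of a mask; bits not in the table are kept as one hex value."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    return names + ([hex(unknown)] if unknown else [])

def decode_proxy_blanket(call: ApiCall) -> dict:
    """Read dwAuthnSvc, dwAuthnLevel and dwImpLevel out of a CoSetProxyBlanket snapshot."""
    if call.api != "CoSetProxyBlanket" or len(call.args) < 6:
        raise ValueError("not a CoSetProxyBlanket line with enough arguments")
    svc, level, imp = (int(call.args[i], 16) for i in (1, 4, 5))
    return {"authn_svc": AUTHN_SVC.get(svc, hex(svc)),
            "authn_level": "RPC_C_AUTHN_LEVEL_" + AUTHN_LEVEL.get(level, hex(level)),
            "imp_level": "RPC_C_IMP_LEVEL_" + IMP_LEVEL.get(imp, hex(imp))}

# Constructed input: API lines copied from the E0040F360, root\wmi and E0042F8B0 records.
PRIVILEGE_RECORD = """\
• GetCurrentProcess.KERNEL32(00000028,0045F38B,749682C0,?,?,0045F38B,SeDebugPrivilege,?,?,00000003,00000000,?,?,04000000), ref: 0040F37A
• OpenProcessToken.ADVAPI32(00000000,?,?,0045F38B,SeDebugPrivilege,?,?,00000003,00000000,?,?,04000000), ref: 0040F381
• LookupPrivilegeValueW.ADVAPI32(00000000,00000003,?), ref: 0040F3A3
• AdjustTokenPrivileges.ADVAPI32(0045F38B,00000000,?,00000010,00000000,00000000,?,?,0045F38B), ref: 0040F3D6
"""
WMI_RECORD = """\
• SysAllocString.OLEAUT32(root\\wmi), ref: 00403982
• CoInitialize.OLE32(00000000), ref: 0040398C
• CoCreateInstance.OLE32(004A925C,00000000,00000001,004A918C,00000000,?,?,00402489,?), ref: 004039A4
• CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000004,00000003,00000000,00000000,?,?,00402489,?), ref: 004039D7
• SysFreeString.OLEAUT32(00000000), ref: 004039E1
"""
CLIPBOARD_RECORD = """\
• OpenClipboard.USER32(?), ref: 0042F8E0
  • Part of subcall function 0042F990: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0042FA10
• GlobalAlloc.KERNEL32(00002002,00000000), ref: 0042F91A
• GlobalLock.KERNEL32 ref: 0042F923
• SetClipboardData.USER32 ref: 0042F95D
"""

if __name__ == "__main__":
    print(sorted(classify(parse_api_lines(PRIVILEGE_RECORD))), decode_proxy_blanket(parse_api_lines(WMI_RECORD)[3]))
```

      The argument snapshots in these listings are stack contents at the call site, so positions beyond the callee's real parameter count are noise: the GetCurrentProcess line (a zero-argument API) shows the 0x28 that the following OpenProcessToken pushes, and the privilege name sits several slots deep. Decode positional arguments only where the decompiled call confirms the layout, as the example does for CoSetProxyBlanket, and match API names and string arguments otherwise.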

      C-Code - Quality: 83%
      			E00406B50(void* __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct tagRECT _v40;
      				intOrPtr* _v44;
      				intOrPtr _v48;
      				intOrPtr* _v52;
      				intOrPtr _v56;
      				intOrPtr* _v60;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t60;
      				intOrPtr* _t65;
      				intOrPtr _t66;
      				intOrPtr _t67;
      				intOrPtr _t69;
      				intOrPtr _t73;
      				intOrPtr _t74;
      				void* _t75;
      				signed int _t78;
      				intOrPtr* _t85;
      				intOrPtr* _t86;
      				int _t91;
      				void* _t96;
      				intOrPtr _t104;
      				intOrPtr* _t105;
      				void* _t114;
      				signed int _t119;
      				long _t135;
      				signed int _t144;
      				intOrPtr* _t145;
      				int _t146;
      				void* _t147;
      				intOrPtr* _t149;
      				intOrPtr _t150;
      				signed int _t152;
      
      				_t144 = __edx;
      				_t60 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t60 ^ _t152;
      				_t149 = _a16;
      				_t114 = __ecx;
      				_t145 = _a20;
      				_v52 = _a12;
      				_v44 = _t149;
      				_v60 = _t145;
      				GetClientRect( *(__ecx + 8),  &_v40);
      				_t65 = _v52;
      				if(_t65 != 0) {
      					 *_t65 = 0xffffffff;
      				}
      				if(_t149 != 0) {
      					 *_t149 = 0xffffffff;
      				}
      				if(_t145 != 0) {
      					 *_t145 = 0;
      				}
      				_t66 = _a4;
      				if(_t66 >= _v40.left) {
      					if(_t66 < _v40.right) {
      						_t67 = _a8;
      						if(_t67 >= _v40.top) {
      							if(_t67 < _v40.bottom) {
      								_t146 = 0;
      								_v56 = 0xffffffff;
      								_t69 = SendMessageW( *(_t114 + 0x14), 0x1200, 0, 0) + 1; // 0x1200 = HDM_GETITEMCOUNT on the header control
      								_t150 = 0;
      								_v48 = _t69;
      								if(_t69 > 0) {
      									while(1) {
      										E00406190(_t114, _t150,  &_v24);
      										_t104 = _a4;
      										_t135 = _v24.left;
      										if(_t104 >= _t135 && _t104 < _v24.right) {
      											break;
      										}
      										_t150 = _t150 + 1;
      										if(_t150 < _v48) {
      											continue;
      										} else {
      										}
      										goto L21;
      									}
      									_v56 = _t150;
      									_t105 = _v44;
      									_t146 = _t104 - _t135;
      									if(_t105 != 0) {
      										 *_t105 = _t150;
      									}
      								}
      								L21:
      								GetWindowRect( *(_t114 + 0xc),  &_v24);
      								_t73 = _v24.bottom - _v24.top;
      								_v44 = _t73;
      								if(_a8 >= _t73) {
      									_t74 = E004096B0(_t114);
      									_v48 = _t74;
      									if(_t74 != 0) {
      										_t75 = E00409770(_t114);
      										_t119 = E004078D0(_t114);
      										_t78 = _a8 - _v44;
      										asm("cdq");
      										_t144 = _t78 % _t119;
      										_v44 = _t78 / _t119 + _t75;
      										_t150 = E00407810(_v48, _t78 / _t119 + _t75 - _t75);
      										if(_t150 == 0) {
      											goto L24;
      										} else {
      											_t85 = _v52;
      											if(_t85 != 0) {
      												 *_t85 = _v44;
      											}
      											_t86 = _v60;
      											if(_t86 != 0) {
      												 *_t86 = _t150;
      											}
      											if(_v56 != 0) {
      												L37:
      												goto L38;
      											} else {
      												_t147 = _t146 - E00404630(_t86, _t150) *  *(_t114 + 0x78);
      												if(_t147 >= 0) {
      													_t91 = GetSystemMetrics(0x31); // 0x31 = SM_CXSMICON
      													_t146 = _t147 - _t91;
      													if(_t146 >= 0) {
      														if( *((intOrPtr*)(_t114 + 0x38)) == 0 || _t146 >= 0) {
      															goto L37;
      														}
      														L38:
      														return E0046F77E(_t114, _v8 ^ _t152, _t144, _t146, _t150);
      													} else {
      														_t96 =  !=  ? 0x40 : 0x100;
      														return E0046F77E(_t114, _v8 ^ _t152, _t144, _t146, _t150);
      													}
      												} else {
      													return E0046F77E(_t114, _v8 ^ _t152, _t144, _t147, _t150);
      												}
      											}
      										}
      									} else {
      										L24:
      										return E0046F77E(_t114, _v8 ^ _t152, _t144, _t146, _t150);
      									}
      								} else {
      									return E0046F77E(_t114, _v8 ^ _t152, _t144, _t146, _t150);
      								}
      							} else {
      								return E0046F77E(_t114, _v8 ^ _t152, _t144, _t145, _t149);
      							}
      						} else {
      							return E0046F77E(_t114, _v8 ^ _t152, _t144, _t145, _t149);
      						}
      					} else {
      						return E0046F77E(_t114, _v8 ^ _t152, _t144, _t145, _t149);
      					}
      				} else {
      					return E0046F77E(_t114, _v8 ^ _t152, _t144, _t145, _t149);
      				}
      			}

      • Instruction addresses (0x00406b50 to 0x00406d99): the per-line address column of the listing above, separated from the code by extraction.

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ClientRect
      • String ID:
      • API String ID: 846599473-0
      • Opcode ID: f78ada9f909d14599951c21019694200cb17a05cad3e18ae4dccb754e80deec8
      • Instruction ID: 23ffddc600f17c3beefe7f07710641a2ac964ba845df1c0697073b4aa2ef92be
      • Opcode Fuzzy Hash: f78ada9f909d14599951c21019694200cb17a05cad3e18ae4dccb754e80deec8
      • Instruction Fuzzy Hash: 64717432B001099BDB10DF6DE481AAEB7F4EF48360F11417FE806EB291DA399D55CBA4
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetLocaleInfoW.KERNEL32(00000400,0000000E,004BCBAC,00000005,00000000), ref: 0043596E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: InfoLocale
      • String ID: %.07f
      • API String ID: 2299586839-2673020589
      • Opcode ID: e4abbf2c98e1afc2ed2fe2f27891794566370ab5a2eb0830d8241f6a718943dc
      • Instruction ID: 28ddb292d76bc1a50da75e7158aa2e66a5560ea4d1e38b9a4802be94b49b5144
      • Opcode Fuzzy Hash: e4abbf2c98e1afc2ed2fe2f27891794566370ab5a2eb0830d8241f6a718943dc
      • Instruction Fuzzy Hash: 6E219370900708DBCB24AF64D8467AF73B4EF05714F41542BE445AB290FB789994CB9E
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • InitializeCriticalSection.KERNEL32(004C2538,2927074F,?,0048C62A,000000FF), ref: 00401837
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalInitializeSection
      • String ID: T%L
      • API String ID: 32694325-57508386
      • Opcode ID: baba6f558a8b71bae8b60e0f70e657ec4f3110c2131b16833aafa54112f1bce6
      • Instruction ID: 02543fd216cbfbcabd40ed2397330d76c6c20b52a61db1c077d799789ffb5288
      • Opcode Fuzzy Hash: baba6f558a8b71bae8b60e0f70e657ec4f3110c2131b16833aafa54112f1bce6
      • Instruction Fuzzy Hash: 5EF09AB1904288AFD744DF98EA25F0BB7A4E308714F10463EE80687780EBFD54088B89
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • InitializeCriticalSection.KERNEL32(004C255C,2927074F,?,0048C65A,000000FF), ref: 004018B7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalInitializeSection
      • String ID: pGx
      • API String ID: 32694325-1247187342
      • Opcode ID: d3a75fdc9de355e18a8e42ae418cfaa7f52ab7d78d66a0ff7131755f9b59bad2
      • Instruction ID: f189c038b6ffcc06f91aa34ff34bf2f0b3a1cf124817e33945508ea59337d943
      • Opcode Fuzzy Hash: d3a75fdc9de355e18a8e42ae418cfaa7f52ab7d78d66a0ff7131755f9b59bad2
      • Instruction Fuzzy Hash: 5AF09AB1984348ABD740DFA4EA25B1AB7A4E308B45F104A3EE81687790DBFA54048F8D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00474284,?,?,?,00000000), ref: 0047864C
      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00478655
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID:
      • API String ID: 3192549508-0
      • Opcode ID: a93a1da747ee7ebdfc9d58705ae25981871650e63387c6a83ccae549744eaff2
      • Instruction ID: 727111198f73003d5b9b48d029c2ed0e6d09dea3a5de41bf341f71f8a610aa6f
      • Opcode Fuzzy Hash: a93a1da747ee7ebdfc9d58705ae25981871650e63387c6a83ccae549744eaff2
      • Instruction Fuzzy Hash: 82B0923545420AABCA102B91EC09B8C7F28EB04652F2004B4FA0D440708BA354648B99
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • recv.WS2_32(?,?,00000000,?), ref: 0043B556
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: recv
      • String ID:
      • API String ID: 1507349165-0
      • Opcode ID: 0559cedfc9261952a7cc44b5379e1dc933df91602ccb47f4e3ff73052e75515a
      • Instruction ID: a50f4500a8962a6f2dd0724fab0a3fb178488ba7ee3157647d0bed2886823bd4
      • Opcode Fuzzy Hash: 0559cedfc9261952a7cc44b5379e1dc933df91602ccb47f4e3ff73052e75515a
      • Instruction Fuzzy Hash: 20E0E53324123837DE105A5D6C81B9BB74CDB897B8F141323FA2CD72A0D2229C5282E8
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0047861C
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID:
      • API String ID: 3192549508-0
      • Opcode ID: 215f444f95888d596d2143e790eb61a99434b3b374db90acc48357dd476f6d35
      • Instruction ID: 0ca1449552c6d2cc96847d7d9ade21317b688039f738ab61482a524c055d1657
      • Opcode Fuzzy Hash: 215f444f95888d596d2143e790eb61a99434b3b374db90acc48357dd476f6d35
      • Instruction Fuzzy Hash: A3A0113000020CAB8A002B82EC088C8BF2CEA002A2B2000B0F80C000308B23A8A08A88
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • HeapAlloc.KERNEL32(00000000,00000000,00000601), ref: 0047B682
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AllocHeap
      • String ID:
      • API String ID: 4292702814-0
      • Opcode ID: c54927847d1b3b94469cc99591707ebad64628a4a6adcc92d07ec2570aac64a5
      • Instruction ID: 35426464ed84ed90044d656193da4bf5fa0b562ea9d4d00089dc801c1a46e32e
      • Opcode Fuzzy Hash: c54927847d1b3b94469cc99591707ebad64628a4a6adcc92d07ec2570aac64a5
      • Instruction Fuzzy Hash: 8B410377D103348BC398DF76EE2695A77A2E7C0204743863EE846E3064EB3895068ACD
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • HeapAlloc.KERNEL32(00000000,00000000,00000601), ref: 0047B682
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AllocHeap
      • String ID:
      • API String ID: 4292702814-0
      • Opcode ID: 755a3e1a51cbe4c459810641d549e7a57b9eb4885493c230f898476b2d2bb415
      • Instruction ID: 87911245dcd4c21b42a6d13453d0616a6c3657f640bedeeb11f74279bbc5efeb
      • Opcode Fuzzy Hash: 755a3e1a51cbe4c459810641d549e7a57b9eb4885493c230f898476b2d2bb415
      • Instruction Fuzzy Hash: B82188B7C152258FC7D8DFB5EF2695A7BA2E3C0250343463AE842E7564EB345406CB8C
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcessHeap.KERNEL32(00473DC7,004B7A40,00000014), ref: 00478CE2
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: HeapProcess
      • String ID:
      • API String ID: 54951025-0
      • Opcode ID: 6423722743bb08e0aeaf32a564b4e011e25acc291c4428b51e15f98bfd9b6c28
      • Instruction ID: 235bf6ed9270931fcebb3dd7a2c06b1bf330e5593b8513dcd29d4b174d2b37fa
      • Opcode Fuzzy Hash: 6423722743bb08e0aeaf32a564b4e011e25acc291c4428b51e15f98bfd9b6c28
      • Instruction Fuzzy Hash: 23B012B07012034787094F387CA410D35D45708602310803D7C07C5970DF30C4509B08
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b1475652764a11342d669c49691c513313237eb537ffad06262ea68f6a485676
      • Instruction ID: 0959622b64c2984adf930fc5e79fc775c9d5ad4cbde3b2cde19b90ddb7ef7396
      • Opcode Fuzzy Hash: b1475652764a11342d669c49691c513313237eb537ffad06262ea68f6a485676
      • Instruction Fuzzy Hash: 134103B39413354F87D4DFB9EE6AA5A3AA2F3C0204347433AD806E3964DB3445019BCC
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 10608f7199308a5d8dd595375ea0eec59440269d0084a63bb661f7fa40655c1b
      • Instruction ID: 05d934b954bbaee67cf580396316370f03ac7bd04227ac334a00ec514886975b
      • Opcode Fuzzy Hash: 10608f7199308a5d8dd595375ea0eec59440269d0084a63bb661f7fa40655c1b
      • Instruction Fuzzy Hash: E321AE37E402248BD794DF76AEA996772A3EBC0310743923ADC42EB169CF3558419AC8
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0b4b94f8af13ed7fe19783a3c6a3ea4a1ab1bfd8bdb223d3e984cd941f3e82ef
      • Instruction ID: 5a41a27caa386f42ad875e6eafa69be53571a018042f04b6e53258d1c9c384b2
      • Opcode Fuzzy Hash: 0b4b94f8af13ed7fe19783a3c6a3ea4a1ab1bfd8bdb223d3e984cd941f3e82ef
      • Instruction Fuzzy Hash: 1821FFB29813258F87C8DF7ABE2AA163BE1F3C4214346423ED906C7564DB314542AB8D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E00469510(void* __ebx, void** __ecx, void* __edi, void* __esi, void* _a4) {
      				intOrPtr _v4;
      				void* _t34;
      				signed int _t35;
      				intOrPtr* _t39;
      				intOrPtr _t43;
      				signed int _t51;
      				void* _t57;
      				void* _t69;
      				void* _t73;
      				void* _t77;
      				signed int _t89;
      				void* _t92;
      				void** _t95;
      				void* _t106;
      				void* _t107;
      
      				_t34 = _a4;
      				_t95 = __ecx;
      				 *(__ecx + 8) = _t34;
      				if(_t34 <=  *(__ecx + 4)) {
      					L7:
      					return _t34;
      				} else {
      					_t89 =  *(__ecx + 0xc);
      					_t35 = 0x3e8 + _t34 * 2;
      					 *(__ecx + 4) = _t35;
      					if(_t89 == 0) {
      						_t34 = E00471B84(__ebx, _t92, __edi,  *((intOrPtr*)(__ecx)), _t35 + _t35 * 4);
      						 *_t95 = _t34;
      						goto L7;
      					} else {
      						if(_t35 > _t89) {
      							 *(__ecx + 4) = _t89;
      						}
      						_t34 = VirtualAlloc( *_t95, _t95[1] + _t95[1] * 4, 0x1000, 4);
      						if(_t34 ==  *_t95) {
      							goto L7;
      						} else {
      							_t39 = E00471C2F(_t34);
      							 *_t39(_t95[1] + _t95[1] * 4);
      							_a4 = 8;
      							E0046F78D( &_a4, 0x4affc8);
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							asm("int3");
      							_t43 = _v4;
      							_t106 = _t43 - 0xc0000001;
      							if(_t106 > 0) {
      								__eflags = _t43 - 0xc0000101;
      								if(__eflags > 0) {
      									__eflags = _t43 - 0xc0000203;
      									if(__eflags > 0) {
      										__eflags = _t43 - 0xc0000388;
      										if(__eflags > 0) {
      											__eflags = _t43 - 0xc0190049;
      											if(__eflags > 0) {
      												__eflags = _t43 - 0x103;
      												if(__eflags > 0) {
      													__eflags = _t43 - 0x12a;
      													if(__eflags > 0) {
      														__eflags = _t43 - 0x216;
      														if(__eflags > 0) {
      															__eflags = _t43 - 0x367;
      															if(_t43 == 0x367) {
      																return L"WAIT FOR OPLOCK";
      															} else {
      																__eflags = _t43 - 0x40000016;
      																if(_t43 == 0x40000016) {
      																	return L"PREDEFINED HANDLE";
      																} else {
      																	goto L204;
      																}
      															}
      														} else {
      															if(__eflags == 0) {
      																return L"OPLOCK HANDLE CLOSED";
      															} else {
      																__eflags = _t43 - 0x12b;
      																if(_t43 == 0x12b) {
      																	return L"FILE LOCKED WITH WRITERS";
      																} else {
      																	__eflags = _t43 - 0x215;
      																	if(_t43 != 0x215) {
      																		goto L204;
      																	} else {
      																		return L"OPLOCK SWITCHED TO NEW HANDLE";
      																	}
      																}
      															}
      														}
      													} else {
      														if(__eflags == 0) {
      															return L"FILE LOCKED WITH ONLY READERS";
      														} else {
      															_t51 = _t43 + 0xfffffefc;
      															__eflags = _t51 - 8;
      															if(_t51 > 8) {
      																goto L204;
      															} else {
      																switch( *((intOrPtr*)(_t51 * 4 +  &M00469FDC))) {
      																	case 0:
      																		__eax = L"REPARSE";
      																		return L"REPARSE";
      																		goto L207;
      																	case 1:
      																		__eax = L"MORE ENTRIES";
      																		return L"MORE ENTRIES";
      																		goto L207;
      																	case 2:
      																		goto L204;
      																	case 3:
      																		__eax = L"OPLOCK BREAK IN PROGRESS";
      																		return L"OPLOCK BREAK IN PROGRESS";
      																		goto L207;
      																	case 4:
      																		__eax = L"NOTIFY CLEANUP";
      																		return L"NOTIFY CLEANUP";
      																		goto L207;
      																	case 5:
      																		return L"NOTIFY ENUM DIR";
      																		goto L207;
      																}
      															}
      														}
      													}
      												} else {
      													if(__eflags == 0) {
      														return 0x48fc20;
      													} else {
      														__eflags = _t43 - 0xc01c0004;
      														if(_t43 == 0xc01c0004) {
      															return L"FAST IO DISALLOWED";
      														} else {
      															__eflags = _t43;
      															if(_t43 != 0) {
      																goto L204;
      															} else {
      																return L"SUCCESS";
      															}
      														}
      													}
      												}
      											} else {
      												if(__eflags == 0) {
      													return L"SPARSE NOT ALLOWED IN TRANSACTION";
      												} else {
      													__eflags = _t43 - 0xc000a2a1;
      													if(__eflags > 0) {
      														__eflags = _t43 - 0xc0190001;
      														if(__eflags > 0) {
      															_t57 = _t43 + 0x3fe6fffe;
      															__eflags = _t57 - 0x42;
      															if(_t57 > 0x42) {
      																goto L204;
      															} else {
      																switch( *((intOrPtr*)(( *(_t57 + 0x469f98) & 0x000000ff) * 4 +  &M00469F7C))) {
      																	case 0:
      																		return L"INVALID TRANSACTION";
      																		goto L207;
      																	case 1:
      																		__eax = L"TRANSACTION_NOT_ACTIVE";
      																		return L"TRANSACTION_NOT_ACTIVE";
      																		goto L207;
      																	case 2:
      																		__eax = L"EFS NOT ALLOWED IN TRANSACTION";
      																		return L"EFS NOT ALLOWED IN TRANSACTION";
      																		goto L207;
      																	case 3:
      																		__eax = L"TRANSACTIONAL OPEN NOT ALLOWED";
      																		return L"TRANSACTIONAL OPEN NOT ALLOWED";
      																		goto L207;
      																	case 4:
      																		__eax = L"TRANSACTED MAPPING UNSUPPORTED REMOTE";
      																		return L"TRANSACTED MAPPING UNSUPPORTED REMOTE";
      																		goto L207;
      																	case 5:
      																		__eax = L"CANNOT EXECUTE FILE IN TRANSACTION";
      																		return L"CANNOT EXECUTE FILE IN TRANSACTION";
      																		goto L207;
      																	case 6:
      																		goto L204;
      																}
      															}
      														} else {
      															if(__eflags == 0) {
      																return L"TRANSACTIONAL CONFLICT";
      															} else {
      																__eflags = _t43 - 0xc000a2a2;
      																if(_t43 == 0xc000a2a2) {
      																	return L"STATUS_OFFLOAD_WRITE_FLT_NOT_SUPPORTED ";
      																} else {
      																	__eflags = _t43 - 0xc000a2a3;
      																	if(_t43 == 0xc000a2a3) {
      																		L166:
      																		return L"OFFLOAD READ FILE NOT SUPPORTED";
      																	} else {
      																		__eflags = _t43 - 0xc000a2a4;
      																		if(_t43 != 0xc000a2a4) {
      																			goto L204;
      																		} else {
      																			goto L166;
      																		}
      																	}
      																}
      															}
      														}
      													} else {
      														if(__eflags == 0) {
      															return L"STATUS_OFFLOAD_READ_FLT_NOT_SUPPORTED";
      														} else {
      															__eflags = _t43 - 0xc0000463;
      															if(__eflags > 0) {
      																__eflags = _t43 - 0xc0000909;
      																if(_t43 != 0xc0000909) {
      																	goto L204;
      																} else {
      																	return L"CANNOT BREAK OPLOCK";
      																}
      															} else {
      																if(__eflags == 0) {
      																	return L"DEVICE FEATURE NOT SUPPORTED";
      																} else {
      																	__eflags = _t43 - 0xc0000425;
      																	if(_t43 == 0xc0000425) {
      																		return L"HIVE UNLOADED";
      																	} else {
      																		__eflags = _t43 - 0xc0000427;
      																		if(_t43 != 0xc0000427) {
      																			goto L204;
      																		} else {
      																			return L"FILE SYSTEM LIMITATION";
      																		}
      																	}
      																}
      															}
      														}
      													}
      												}
      											}
      										} else {
      											if(__eflags == 0) {
      												return L"DOWNGRADE DETECTED";
      											} else {
      												_t69 = _t43 + 0x3ffffdfb;
      												__eflags = _t69 - 0xeb;
      												if(_t69 > 0xeb) {
      													goto L204;
      												} else {
      													switch( *((intOrPtr*)(( *(_t69 + 0x469e90) & 0x000000ff) * 4 +  &M00469E5C))) {
      														case 0:
      															return L"INSUFFICIENT SERVER RESOURCES";
      															goto L207;
      														case 1:
      															__eax = L"INVALID ADDRESS COMPONENT";
      															return L"INVALID ADDRESS COMPONENT";
      															goto L207;
      														case 2:
      															__eax = L"DISCONNECTED";
      															return L"DISCONNECTED";
      															goto L207;
      														case 3:
      															__eax = L"NOT FOUND";
      															return L"NOT FOUND";
      															goto L207;
      														case 4:
      															__eax = L"USER MAPPED FILE";
      															return L"USER MAPPED FILE";
      															goto L207;
      														case 5:
      															__eax = L"LOGIN WKSTA RESTRICTION";
      															return L"LOGIN WKSTA RESTRICTION";
      															goto L207;
      														case 6:
      															__eax = L"PATH NOT COVERED";
      															return L"PATH NOT COVERED";
      															goto L207;
      														case 7:
      															__eax = L"DFS UNAVAILABLE";
      															return L"DFS UNAVAILABLE";
      															goto L207;
      														case 8:
      															__eax = L"NO MORE MATCHES";
      															return L"NO MORE MATCHES";
      															goto L207;
      														case 9:
      															__eax = L"NOT REPARSE POINT";
      															return L"NOT REPARSE POINT";
      															goto L207;
      														case 0xa:
      															__eax = L"CANNOT MAKE";
      															return L"CANNOT MAKE";
      															goto L207;
      														case 0xb:
      															__eax = L"OBJECTID NOT FOUND";
      															return L"OBJECTID NOT FOUND";
      															goto L207;
      														case 0xc:
      															goto L204;
      													}
      												}
      											}
      										}
      									} else {
      										if(__eflags == 0) {
      											return L"USER SESSION DELETED";
      										} else {
      											_t73 = _t43 + 0x3ffffefe;
      											__eflags = _t73 - 0x9a;
      											if(_t73 > 0x9a) {
      												goto L204;
      											} else {
      												switch( *((intOrPtr*)(( *(_t73 + 0x469dc0) & 0x000000ff) * 4 +  &M00469D70))) {
      													case 0:
      														__eax = L"FILE CORRUPT";
      														return L"FILE CORRUPT";
      														goto L207;
      													case 1:
      														__eax = L"NOT A DIRECTORY";
      														return L"NOT A DIRECTORY";
      														goto L207;
      													case 2:
      														__eax = L"FILES OPEN";
      														return L"FILES OPEN";
      														goto L207;
      													case 3:
      														__eax = L"CANNOT IMPERSONATE";
      														return L"CANNOT IMPERSONATE";
      														goto L207;
      													case 4:
      														__eax = L"CANCELLED";
      														return L"CANCELLED";
      														goto L207;
      													case 5:
      														__eax = L"CANNOT DELETE";
      														return L"CANNOT DELETE";
      														goto L207;
      													case 6:
      														__eax = L"FILE DELETED";
      														return L"FILE DELETED";
      														goto L207;
      													case 7:
      														__eax = L"FILE CLOSED";
      														return L"FILE CLOSED";
      														goto L207;
      													case 8:
      														return L"THREAD NOT IN PROCESS";
      														goto L207;
      													case 9:
      														__eax = L"INVALID LEVEL";
      														return L"INVALID LEVEL";
      														goto L207;
      													case 0xa:
      														__eax = L"PIPE BROKEN";
      														return L"PIPE BROKEN";
      														goto L207;
      													case 0xb:
      														__eax = L"REGISTRY CORRUPT";
      														return L"REGISTRY CORRUPT";
      														goto L207;
      													case 0xc:
      														__eax = L"IO FAILED";
      														return L"IO FAILED";
      														goto L207;
      													case 0xd:
      														__eax = L"KEY DELETED";
      														return L"KEY DELETED";
      														goto L207;
      													case 0xe:
      														__eax = L"CHILD MUST BE VOLATILE";
      														return L"CHILD MUST BE VOLATILE";
      														goto L207;
      													case 0xf:
      														__eax = L"INVALID DEVICE STATE";
      														return L"INVALID DEVICE STATE";
      														goto L207;
      													case 0x10:
      														__eax = L"IO DEVICE ERROR";
      														return L"IO DEVICE ERROR";
      														goto L207;
      													case 0x11:
      														__eax = L"LOG FILE FULL";
      														return L"LOG FILE FULL";
      														goto L207;
      													case 0x12:
      														__eax = L"FS DRIVER REQUIRED";
      														return L"FS DRIVER REQUIRED";
      														goto L207;
      													case 0x13:
      														goto L204;
      												}
      											}
      										}
      									}
      								} else {
      									if(__eflags == 0) {
      										return L"NOT EMPTY";
      									} else {
      										_t77 = _t43 + 0x3ffffffe;
      										__eflags = _t77 - 0xf9;
      										if(_t77 > 0xf9) {
      											goto L204;
      										} else {
      											switch( *((intOrPtr*)(( *(_t77 + 0x469c74) & 0x000000ff) * 4 +  &M00469B40))) {
      												case 0:
      													__eax = L"NOT IMPLEMENTED";
      													return L"NOT IMPLEMENTED";
      													goto L207;
      												case 1:
      													__eax = L"INVALID INFO CLASS";
      													return L"INVALID INFO CLASS";
      													goto L207;
      												case 2:
      													__eax = L"INFO LENGTH MISMATCH";
      													return L"INFO LENGTH MISMATCH";
      													goto L207;
      												case 3:
      													__eax = L"ACCESS VIOLATION";
      													return L"ACCESS VIOLATION";
      													goto L207;
      												case 4:
      													__eax = L"IN PAGE ERROR";
      													return L"IN PAGE ERROR";
      													goto L207;
      												case 5:
      													__eax = L"INVALID HANDLE";
      													return L"INVALID HANDLE";
      													goto L207;
      												case 6:
      													__eax = L"INVALID PARAMETER";
      													return L"INVALID PARAMETER";
      													goto L207;
      												case 7:
      													__eax = L"NO SUCH DEVICE";
      													return L"NO SUCH DEVICE";
      													goto L207;
      												case 8:
      													__eax = L"NO SUCH FILE";
      													return L"NO SUCH FILE";
      													goto L207;
      												case 9:
      													__eax = L"INVALID DEVICE REQUEST";
      													return L"INVALID DEVICE REQUEST";
      													goto L207;
      												case 0xa:
      													__eax = L"END OF FILE";
      													return L"END OF FILE";
      													goto L207;
      												case 0xb:
      													__eax = L"WRONG VOLUME";
      													return L"WRONG VOLUME";
      													goto L207;
      												case 0xc:
      													__eax = L"NO MEDIA";
      													return L"NO MEDIA";
      													goto L207;
      												case 0xd:
      													__eax = L"NONEXISTENT SECTOR";
      													return L"NONEXISTENT SECTOR";
      													goto L207;
      												case 0xe:
      													__eax = L"NO MEMORY";
      													return L"NO MEMORY";
      													goto L207;
      												case 0xf:
      													__eax = L"ALREADY COMMITTED";
      													return L"ALREADY COMMITTED";
      													goto L207;
      												case 0x10:
      													__eax = L"ACCESS DENIED";
      													return L"ACCESS DENIED";
      													goto L207;
      												case 0x11:
      													__eax = L"BUFFER TOO SMALL";
      													return L"BUFFER TOO SMALL";
      													goto L207;
      												case 0x12:
      													__eax = L"OBJECT TYPE MISMATCH";
      													return L"OBJECT TYPE MISMATCH";
      													goto L207;
      												case 0x13:
      													__eax = L"DISK CORRUPT";
      													return L"DISK CORRUPT";
      													goto L207;
      												case 0x14:
      													__eax = L"NAME INVALID";
      													return L"NAME INVALID";
      													goto L207;
      												case 0x15:
      													__eax = L"NAME NOT FOUND";
      													return L"NAME NOT FOUND";
      													goto L207;
      												case 0x16:
      													__eax = L"NAME COLLISION";
      													return L"NAME COLLISION";
      													goto L207;
      												case 0x17:
      													__eax = L"OBJECT PATH INVALID";
      													return L"OBJECT PATH INVALID";
      													goto L207;
      												case 0x18:
      													__eax = L"PATH NOT FOUND";
      													return L"PATH NOT FOUND";
      													goto L207;
      												case 0x19:
      													__eax = L"PATH SYNTAX BAD";
      													return L"PATH SYNTAX BAD";
      													goto L207;
      												case 0x1a:
      													__eax = L"DATA OVERRUN";
      													return L"DATA OVERRUN";
      													goto L207;
      												case 0x1b:
      													__eax = L"CRC ERROR";
      													return L"CRC ERROR";
      													goto L207;
      												case 0x1c:
      													__eax = L"SHARING VIOLATION";
      													return L"SHARING VIOLATION";
      													goto L207;
      												case 0x1d:
      													__eax = L"QUOTA EXCEEDED";
      													return L"QUOTA EXCEEDED";
      													goto L207;
      												case 0x1e:
      													__eax = L"EAS NOT SUPPORTED";
      													return L"EAS NOT SUPPORTED";
      													goto L207;
      												case 0x1f:
      													__eax = L"EA TOO LARGE";
      													return L"EA TOO LARGE";
      													goto L207;
      												case 0x20:
      													__eax = L"NONEXISTENT EA ENTRY";
      													return L"NONEXISTENT EA ENTRY";
      													goto L207;
      												case 0x21:
      													__eax = L"NO EAS ON FILE";
      													return L"NO EAS ON FILE";
      													goto L207;
      												case 0x22:
      													__eax = L"EA CORRUPT ERROR";
      													return L"EA CORRUPT ERROR";
      													goto L207;
      												case 0x23:
      													__eax = L"FILE LOCK CONFLICT";
      													return L"FILE LOCK CONFLICT";
      													goto L207;
      												case 0x24:
      													__eax = L"NOT GRANTED";
      													return L"NOT GRANTED";
      													goto L207;
      												case 0x25:
      													__eax = L"DELETE PENDING";
      													return L"DELETE PENDING";
      													goto L207;
      												case 0x26:
      													return L"PRIVILEGE NOT HELD";
      													goto L207;
      												case 0x27:
      													__eax = L"LOGON FAILURE";
      													return L"LOGON FAILURE";
      													goto L207;
      												case 0x28:
      													__eax = L"RANGE NOT LOCKED";
      													return L"RANGE NOT LOCKED";
      													goto L207;
      												case 0x29:
      													__eax = L"DISK FULL";
      													return L"DISK FULL";
      													goto L207;
      												case 0x2a:
      													__eax = L"FILE INVALID";
      													return L"FILE INVALID";
      													goto L207;
      												case 0x2b:
      													__eax = L"INSUFFICIENT RESOURCES";
      													return L"INSUFFICIENT RESOURCES";
      													goto L207;
      												case 0x2c:
      													__eax = L"DEVICE DATA ERROR";
      													return L"DEVICE DATA ERROR";
      													goto L207;
      												case 0x2d:
      													__eax = L"DEVICE NOT CONNECTED";
      													return L"DEVICE NOT CONNECTED";
      													goto L207;
      												case 0x2e:
      													__eax = L"MEDIA WRITE PROTECTED";
      													return L"MEDIA WRITE PROTECTED";
      													goto L207;
      												case 0x2f:
      													__eax = L"BAD IMPERSONATION";
      													return L"BAD IMPERSONATION";
      													goto L207;
      												case 0x30:
      													__eax = L"INSTANCE NOT AVAILABLE";
      													return L"INSTANCE NOT AVAILABLE";
      													goto L207;
      												case 0x31:
      													__eax = L"PIPE NOT AVAILABLE";
      													return L"PIPE NOT AVAILABLE";
      													goto L207;
      												case 0x32:
      													__eax = L"INVALID PIPE STATE";
      													return L"INVALID PIPE STATE";
      													goto L207;
      												case 0x33:
      													__eax = L"PIPE BUSY";
      													return L"PIPE BUSY";
      													goto L207;
      												case 0x34:
      													__eax = L"PIPE DISCONNECTED";
      													return L"PIPE DISCONNECTED";
      													goto L207;
      												case 0x35:
      													__eax = L"PIPE CLOSING";
      													return L"PIPE CLOSING";
      													goto L207;
      												case 0x36:
      													__eax = L"PIPE CONNECTED";
      													return L"PIPE CONNECTED";
      													goto L207;
      												case 0x37:
      													__eax = L"PIPE LISTENING";
      													return L"PIPE LISTENING";
      													goto L207;
      												case 0x38:
      													__eax = L"INVALID READ MODE";
      													return L"INVALID READ MODE";
      													goto L207;
      												case 0x39:
      													__eax = L"IO TIMEOUT";
      													return L"IO TIMEOUT";
      													goto L207;
      												case 0x3a:
      													__eax = L"IS DIRECTORY";
      													return L"IS DIRECTORY";
      													goto L207;
      												case 0x3b:
      													__eax = L"NOT SUPPORTED";
      													return L"NOT SUPPORTED";
      													goto L207;
      												case 0x3c:
      													__eax = L"DUPLICATE NAME";
      													return L"DUPLICATE NAME";
      													goto L207;
      												case 0x3d:
      													__eax = L"BAD NETWORK PATH";
      													return L"BAD NETWORK PATH";
      													goto L207;
      												case 0x3e:
      													__eax = L"TOO MANY COMMANDS";
      													return L"TOO MANY COMMANDS";
      													goto L207;
      												case 0x3f:
      													__eax = L"INVALID NETWORK RESPONSE";
      													return L"INVALID NETWORK RESPONSE";
      													goto L207;
      												case 0x40:
      													__eax = L"NETWORK ERROR";
      													return L"NETWORK ERROR";
      													goto L207;
      												case 0x41:
      													__eax = L"BAD NETWORK NAME";
      													return L"BAD NETWORK NAME";
      													goto L207;
      												case 0x42:
      													__eax = L"NOT SAME DEVICE";
      													return L"NOT SAME DEVICE";
      													goto L207;
      												case 0x43:
      													__eax = L"CANT WAIT";
      													return L"CANT WAIT";
      													goto L207;
      												case 0x44:
      													__eax = L"PIPE EMPTY";
      													return L"PIPE EMPTY";
      													goto L207;
      												case 0x45:
      													__eax = L"CSC OBJECT PATH NOT FOUND";
      													return L"CSC OBJECT PATH NOT FOUND";
      													goto L207;
      												case 0x46:
      													__eax = L"OPLOCK NOT GRANTED";
      													return L"OPLOCK NOT GRANTED";
      													goto L207;
      												case 0x47:
      													__eax = L"INVALID PARAMETER 1";
      													return L"INVALID PARAMETER 1";
      													goto L207;
      												case 0x48:
      													__eax = L"INVALID PARAMETER 2";
      													return L"INVALID PARAMETER 2";
      													goto L207;
      												case 0x49:
      													__eax = L"INVALID PARAMETER 3";
      													return L"INVALID PARAMETER 3";
      													goto L207;
      												case 0x4a:
      													__eax = L"INVALID PARAMETER 4";
      													return L"INVALID PARAMETER 4";
      													goto L207;
      												case 0x4b:
      													__eax = L"REDIRECTOR NOT STARTED";
      													return L"REDIRECTOR NOT STARTED";
      													goto L207;
      												case 0x4c:
      													goto L204;
      											}
      										}
      									}
      								}
      							} else {
      								if(_t106 == 0) {
      									return L"UNSUCCESSFUL";
      								} else {
      									_t107 = _t43 - 0x80000015;
      									if(_t107 > 0) {
      										__eflags = _t43 - 0x8000001a;
      										if(_t43 == 0x8000001a) {
      											return L"NO MORE ENTRIES";
      										} else {
      											__eflags = _t43 - 0x80090322;
      											if(_t43 != 0x80090322) {
      												goto L204;
      											} else {
      												return L"E_WRONG_PRINCIPAL";
      											}
      										}
      									} else {
      										if(_t107 == 0) {
      											return L"INVALID EA FLAG";
      										} else {
      											if(_t43 == 0x80000002) {
      												return L"DATATYPE MISALIGNMENT";
      											} else {
      												if(_t43 == 0x80000005) {
      													return L"BUFFER OVERFLOW";
      												} else {
      													if(_t43 != 0x80000006) {
      														L204:
      														__eflags = 0;
      														return 0;
      													} else {
      														return L"NO MORE FILES";
      													}
      												}
      											}
      										}
      									}
      								}
      							}
      						}
      					}
      				}
      				L207:
      			}

      0x00469513
      0x00469517
      0x00469519
      0x0046951f
      0x00469565
      0x00469567
      0x00469521
      0x00469521
      0x00469524
      0x0046952b
      0x00469530
      0x0046955b
      0x00469563
      0x00000000
      0x00469532
      0x00469534
      0x00469536
      0x00469536
      0x00469549
      0x00469551
      0x00000000
      0x00469553
      0x0046956a
      0x00469576
      0x0046957b
      0x0046958b
      0x00469590
      0x00469591
      0x00469592
      0x00469593
      0x00469594
      0x00469595
      0x00469596
      0x00469597
      0x00469598
      0x00469599
      0x0046959a
      0x0046959b
      0x0046959c
      0x0046959d
      0x0046959e
      0x0046959f
      0x004695a3
      0x004695a6
      0x004695ab
      0x00469614
      0x00469619
      0x0046985e
      0x00469863
      0x00469919
      0x0046991e
      0x0046999b
      0x004699a0
      0x00469a82
      0x00469a87
      0x00469aaf
      0x00469ab4
      0x00469af3
      0x00469af8
      0x00469b1f
      0x00469b24
      0x00469b3e
      0x00469b26
      0x00469b26
      0x00469b2b
      0x00469b37
      0x00000000
      0x00000000
      0x00000000
      0x00469b2b
      0x00469afa
      0x00469afa
      0x00469b1e
      0x00469afc
      0x00469afc
      0x00469b01
      0x00469b17
      0x00469b03
      0x00469b03
      0x00469b08
      0x00000000
      0x00469b0a
      0x00469b10
      0x00469b10
      0x00469b08
      0x00469b01
      0x00469afa
      0x00469ab6
      0x00469ab6
      0x00469af2
      0x00469ab8
      0x00469ab8
      0x00469abd
      0x00469ac0
      0x00000000
      0x00469ac2
      0x00469ac2
      0x00000000
      0x00469ade
      0x00469ae4
      0x00000000
      0x00000000
      0x00469ae5
      0x00469aeb
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00469ad7
      0x00469add
      0x00000000
      0x00000000
      0x00469ad0
      0x00469ad6
      0x00000000
      0x00000000
      0x00469acf
      0x00000000
      0x00000000
      0x00469ac2
      0x00469ac0
      0x00469ab6
      0x00469a89
      0x00469a89
      0x00469aae
      0x00469a8b
      0x00469a8b
      0x00469a90
      0x00469aa7
      0x00469a92
      0x00469a92
      0x00469a94
      0x00000000
      0x00469a9a
      0x00469aa0
      0x00469aa0
      0x00469a94
      0x00469a90
      0x00469a89
      0x004699a6
      0x004699a6
      0x00469a81
      0x004699ac
      0x004699ac
      0x004699b1
      0x004699fe
      0x00469a03
      0x00469a35
      0x00469a3a
      0x00469a3d
      0x00000000
      0x00469a43
      0x00469a4a
      0x00000000
      0x00469a57
      0x00000000
      0x00000000
      0x00469a74
      0x00469a7a
      0x00000000
      0x00000000
      0x00469a6d
      0x00469a73
      0x00000000
      0x00000000
      0x00469a66
      0x00469a6c
      0x00000000
      0x00000000
      0x00469a5f
      0x00469a65
      0x00000000
      0x00000000
      0x00469a58
      0x00469a5e
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00469a4a
      0x00469a05
      0x00469a05
      0x00469a34
      0x00469a07
      0x00469a07
      0x00469a0c
      0x00469a2d
      0x00469a0e
      0x00469a0e
      0x00469a13
      0x00469a20
      0x00469a26
      0x00469a15
      0x00469a15
      0x00469a1a
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00469a1a
      0x00469a13
      0x00469a0c
      0x00469a05
      0x004699b3
      0x004699b3
      0x004699fd
      0x004699b5
      0x004699b5
      0x004699ba
      0x004699e5
      0x004699ea
      0x00000000
      0x004699f0
      0x004699f6
      0x004699f6
      0x004699bc
      0x004699bc
      0x004699e4
      0x004699be
      0x004699be
      0x004699c3
      0x004699dd
      0x004699c5
      0x004699c5
      0x004699ca
      0x00000000
      0x004699d0
      0x004699d6
      0x004699d6
      0x004699ca
      0x004699c3
      0x004699bc
      0x004699ba
      0x004699b3
      0x004699b1
      0x004699a6
      0x00469920
      0x00469920
      0x0046999a
      0x00469922
      0x00469922
      0x00469927
      0x0046992c
      0x00000000
      0x00469932
      0x00469939
      0x00000000
      0x00469946
      0x00000000
      0x00000000
      0x00469955
      0x0046995b
      0x00000000
      0x00000000
      0x00469963
      0x00469969
      0x00000000
      0x00000000
      0x00469947
      0x0046994d
      0x00000000
      0x00000000
      0x00469986
      0x0046998c
      0x00000000
      0x00000000
      0x0046998d
      0x00469993
      0x00000000
      0x00000000
      0x0046997f
      0x00469985
      0x00000000
      0x00000000
      0x0046996a
      0x00469970
      0x00000000
      0x00000000
      0x0046994e
      0x00469954
      0x00000000
      0x00000000
      0x00469971
      0x00469977
      0x00000000
      0x00000000
      0x00469978
      0x0046997e
      0x00000000
      0x00000000
      0x0046995c
      0x00469962
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00469939
      0x0046992c
      0x00469920
      0x00469869
      0x00469869
      0x00469918
      0x0046986f
      0x0046986f
      0x00469874
      0x00469879
      0x00000000
      0x0046987f
      0x00469886
      0x00000000
      0x004698b7
      0x004698bd
      0x00000000
      0x00000000
      0x004698d3
      0x004698d9
      0x00000000
      0x00000000
      0x004698b0
      0x004698b6
      0x00000000
      0x00000000
      0x004698c5
      0x004698cb
      0x00000000
      0x00000000
      0x004698cc
      0x004698d2
      0x00000000
      0x00000000
      0x004698e1
      0x004698e7
      0x00000000
      0x00000000
      0x004698a9
      0x004698af
      0x00000000
      0x00000000
      0x004698be
      0x004698c4
      0x00000000
      0x00000000
      0x00469893
      0x00000000
      0x00000000
      0x004698fd
      0x00469903
      0x00000000
      0x00000000
      0x00469904
      0x0046990a
      0x00000000
      0x00000000
      0x004698a2
      0x004698a8
      0x00000000
      0x00000000
      0x0046989b
      0x004698a1
      0x00000000
      0x00000000
      0x00469894
      0x0046989a
      0x00000000
      0x00000000
      0x004698e8
      0x004698ee
      0x00000000
      0x00000000
      0x004698f6
      0x004698fc
      0x00000000
      0x00000000
      0x0046990b
      0x00469911
      0x00000000
      0x00000000
      0x004698ef
      0x004698f5
      0x00000000
      0x00000000
      0x004698da
      0x004698e0
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00469886
      0x00469879
      0x00469869
      0x0046961f
      0x0046961f
      0x0046985d
      0x00469625
      0x00469625
      0x0046962a
      0x0046962f
      0x00000000
      0x00469635
      0x0046963c
      0x00000000
      0x0046967b
      0x00469681
      0x00000000
      0x00000000
      0x004697af
      0x004697b5
      0x00000000
      0x00000000
      0x004696eb
      0x004696f1
      0x00000000
      0x00000000
      0x0046964a
      0x00469650
      0x00000000
      0x00000000
      0x004696f9
      0x004696ff
      0x00000000
      0x00000000
      0x004697b6
      0x004697bc
      0x00000000
      0x00000000
      0x0046977e
      0x00469784
      0x00000000
      0x00000000
      0x00469754
      0x0046975a
      0x00000000
      0x00000000
      0x00469731
      0x00469737
      0x00000000
      0x00000000
      0x004697bd
      0x004697c3
      0x00000000
      0x00000000
      0x0046975b
      0x00469761
      0x00000000
      0x00000000
      0x004697c4
      0x004697ca
      0x00000000
      0x00000000
      0x004697d2
      0x004697d8
      0x00000000
      0x00000000
      0x0046973f
      0x00469745
      0x00000000
      0x00000000
      0x00469658
      0x0046965e
      0x00000000
      0x00000000
      0x004697a8
      0x004697ae
      0x00000000
      0x00000000
      0x00469770
      0x00469776
      0x00000000
      0x00000000
      0x0046971c
      0x00469722
      0x00000000
      0x00000000
      0x00469769
      0x0046976f
      0x00000000
      0x00000000
      0x004696c1
      0x004696c7
      0x00000000
      0x00000000
      0x00469723
      0x00469729
      0x00000000
      0x00000000
      0x0046972a
      0x00469730
      0x00000000
      0x00000000
      0x00469738
      0x0046973e
      0x00000000
      0x00000000
      0x004696e4
      0x004696ea
      0x00000000
      0x00000000
      0x0046974d
      0x00469753
      0x00000000
      0x00000000
      0x0046965f
      0x00469665
      0x00000000
      0x00000000
      0x004696d6
      0x004696dc
      0x00000000
      0x00000000
      0x00469674
      0x0046967a
      0x00000000
      0x00000000
      0x00469777
      0x0046977d
      0x00000000
      0x00000000
      0x0046970e
      0x00469714
      0x00000000
      0x00000000
      0x00469682
      0x00469688
      0x00000000
      0x00000000
      0x0046969e
      0x004696a4
      0x00000000
      0x00000000
      0x004696ac
      0x004696b2
      0x00000000
      0x00000000
      0x00469700
      0x00469706
      0x00000000
      0x00000000
      0x00469707
      0x0046970d
      0x00000000
      0x00000000
      0x0046978c
      0x00469792
      0x00000000
      0x00000000
      0x0046979a
      0x004697a0
      0x00000000
      0x00000000
      0x00469793
      0x00469799
      0x00000000
      0x00000000
      0x00469649
      0x00000000
      0x00000000
      0x004696f2
      0x004696f8
      0x00000000
      0x00000000
      0x004696c8
      0x004696ce
      0x00000000
      0x00000000
      0x004697d9
      0x004697df
      0x00000000
      0x00000000
      0x004696a5
      0x004696ab
      0x00000000
      0x00000000
      0x00469651
      0x00469657
      0x00000000
      0x00000000
      0x0046966d
      0x00469673
      0x00000000
      0x00000000
      0x00469690
      0x00469696
      0x00000000
      0x00000000
      0x004697e0
      0x004697e6
      0x00000000
      0x00000000
      0x00469666
      0x0046966c
      0x00000000
      0x00000000
      0x00469803
      0x00469809
      0x00000000
      0x00000000
      0x0046980a
      0x00469810
      0x00000000
      0x00000000
      0x00469811
      0x00469817
      0x00000000
      0x00000000
      0x00469818
      0x0046981e
      0x00000000
      0x00000000
      0x0046981f
      0x00469825
      0x00000000
      0x00000000
      0x00469826
      0x0046982c
      0x00000000
      0x00000000
      0x0046982d
      0x00469833
      0x00000000
      0x00000000
      0x00469834
      0x0046983a
      0x00000000
      0x00000000
      0x0046983b
      0x00469841
      0x00000000
      0x00000000
      0x00469849
      0x0046984f
      0x00000000
      0x00000000
      0x004697a1
      0x004697a7
      0x00000000
      0x00000000
      0x00469715
      0x0046971b
      0x00000000
      0x00000000
      0x004696cf
      0x004696d5
      0x00000000
      0x00000000
      0x00469746
      0x0046974c
      0x00000000
      0x00000000
      0x00469689
      0x0046968f
      0x00000000
      0x00000000
      0x004696ba
      0x004696c0
      0x00000000
      0x00000000
      0x004697cb
      0x004697d1
      0x00000000
      0x00000000
      0x004696b3
      0x004696b9
      0x00000000
      0x00000000
      0x00469697
      0x0046969d
      0x00000000
      0x00000000
      0x00469850
      0x00469856
      0x00000000
      0x00000000
      0x00469842
      0x00469848
      0x00000000
      0x00000000
      0x00469762
      0x00469768
      0x00000000
      0x00000000
      0x00469785
      0x0046978b
      0x00000000
      0x00000000
      0x004697e7
      0x004697ed
      0x00000000
      0x00000000
      0x004697ee
      0x004697f4
      0x00000000
      0x00000000
      0x004697f5
      0x004697fb
      0x00000000
      0x00000000
      0x004697fc
      0x00469802
      0x00000000
      0x00000000
      0x004696dd
      0x004696e3
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x0046963c
      0x0046962f
      0x0046961f
      0x004695ad
      0x004695ad
      0x00469613
      0x004695af
      0x004695af
      0x004695b4
      0x004695ed
      0x004695f2
      0x0046960c
      0x004695f4
      0x004695f4
      0x004695f9
      0x00000000
      0x004695ff
      0x00469605
      0x00469605
      0x004695f9
      0x004695b6
      0x004695b6
      0x004695ec
      0x004695b8
      0x004695bd
      0x004695e5
      0x004695bf
      0x004695c4
      0x004695de
      0x004695c6
      0x004695cb
      0x00469b2d
      0x00469b2d
      0x00469b30
      0x004695d1
      0x004695d7
      0x004695d7
      0x004695cb
      0x004695c4
      0x004695bd
      0x004695b6
      0x004695b4
      0x004695ad
      0x004695ab
      0x00469551
      0x00469530
      0x00000000

      APIs
      • VirtualAlloc.KERNEL32(00000568,?,00001000,00000004,00000584,?,0046915D,?,?,2927074F,?,-00000001,004BCA10), ref: 00469549
      • __CxxThrowException@8.LIBCMT ref: 0046958B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AllocException@8ThrowVirtual
      • String ID: ACCESS DENIED$ACCESS VIOLATION$ALREADY COMMITTED$BAD IMPERSONATION$BAD NETWORK NAME$BAD NETWORK PATH$BUFFER TOO SMALL$CANCELLED$CANNOT DELETE$CANNOT EXECUTE FILE IN TRANSACTION$CANNOT IMPERSONATE$CANNOT MAKE$CANT WAIT$CHILD MUST BE VOLATILE$CRC ERROR$CSC OBJECT PATH NOT FOUND$DATA OVERRUN$DELETE PENDING$DEVICE DATA ERROR$DEVICE NOT CONNECTED$DFS UNAVAILABLE$DISCONNECTED$DISK CORRUPT$DISK FULL$DUPLICATE NAME$EA CORRUPT ERROR$EA TOO LARGE$EAS NOT SUPPORTED$EFS NOT ALLOWED IN TRANSACTION$END OF FILE$FILE CLOSED$FILE CORRUPT$FILE DELETED$FILE INVALID$FILE LOCK CONFLICT$FILES OPEN$FS DRIVER REQUIRED$IN PAGE ERROR$INFO LENGTH MISMATCH$INSTANCE NOT AVAILABLE$INSUFFICIENT RESOURCES$INSUFFICIENT SERVER RESOURCES$INVALID ADDRESS COMPONENT$INVALID DEVICE REQUEST$INVALID DEVICE STATE$INVALID HANDLE$INVALID INFO CLASS$INVALID LEVEL$INVALID NETWORK RESPONSE$INVALID PARAMETER$INVALID PARAMETER 1$INVALID PARAMETER 2$INVALID PARAMETER 3$INVALID PARAMETER 4$INVALID PIPE STATE$INVALID READ MODE$INVALID TRANSACTION$IO DEVICE ERROR$IO FAILED$IO TIMEOUT$IS DIRECTORY$KEY DELETED$LOG FILE FULL$LOGIN WKSTA RESTRICTION$LOGON FAILURE$MEDIA WRITE PROTECTED$MORE ENTRIES$NAME COLLISION$NAME INVALID$NAME NOT FOUND$NETWORK ERROR$NO EAS ON FILE$NO MEDIA$NO MEMORY$NO MORE MATCHES$NO SUCH DEVICE$NO SUCH FILE$NONEXISTENT EA ENTRY$NONEXISTENT SECTOR$NOT A DIRECTORY$NOT FOUND$NOT GRANTED$NOT IMPLEMENTED$NOT REPARSE POINT$NOT SAME DEVICE$NOT SUPPORTED$NOTIFY CLEANUP$NOTIFY ENUM DIR$OBJECT PATH INVALID$OBJECT TYPE MISMATCH$OBJECTID NOT FOUND$OPLOCK BREAK IN PROGRESS$OPLOCK NOT GRANTED$PATH NOT COVERED$PATH NOT FOUND$PATH SYNTAX BAD$PIPE BROKEN$PIPE BUSY$PIPE CLOSING$PIPE CONNECTED$PIPE DISCONNECTED$PIPE EMPTY$PIPE LISTENING$PIPE NOT AVAILABLE$PRIVILEGE NOT HELD$QUOTA EXCEEDED$RANGE NOT LOCKED$REDIRECTOR NOT STARTED$REGISTRY CORRUPT$REPARSE$SHARING VIOLATION$THREAD NOT IN PROCESS$TOO MANY COMMANDS$TRANSACTED MAPPING UNSUPPORTED REMOTE$TRANSACTIONAL OPEN NOT ALLOWED$TRANSACTION_NOT_ACTIVE$USER MAPPED FILE$WRONG VOLUME
      • API String ID: 276607522-4171771890
      • Opcode ID: e76b99c1938411a675ff80f80ad97e3e7d8391d4251e98b08e80901c4d8c48cf
      • Instruction ID: 77355d466a7fa30f5ea632cf114990a0e50c91429de4c698a40356366c5ccbf3
      • Opcode Fuzzy Hash: e76b99c1938411a675ff80f80ad97e3e7d8391d4251e98b08e80901c4d8c48cf
      • Instruction Fuzzy Hash: 2B01C0B1500209AFC720EF98D880DAA77ECAF04744B10882FF59AC7650EA75E945CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E00458770(void* __ecx, int __edx, struct HWND__* _a4, intOrPtr _a8, signed int _a12) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				short _v540;
      				struct tagOFNA _v544;
      				struct tagOFNA _v548;
      				int _v552;
      				struct tagOFNA _v556;
      				char _v560;
      				struct tagOFNA _v564;
      				char _v568;
      				struct tagOFNA _v572;
      				struct tagOFNA _v576;
      				intOrPtr _v612;
      				long _v632;
      				WCHAR* _v636;
      				WCHAR* _v652;
      				struct HWND__* _v660;
      				struct tagOFNA _v664;
      				struct HWND__* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t92;
      				signed int _t93;
      				intOrPtr _t95;
      				int _t100;
      				signed int _t106;
      				struct tagOFNA _t122;
      				signed int _t124;
      				void* _t125;
      				struct tagOFNA _t130;
      				long _t137;
      				struct tagOFNA _t138;
      				signed int _t139;
      				int _t140;
      				int _t141;
      				int _t145;
      				struct HICON__* _t147;
      				struct tagOFNA _t151;
      				void* _t154;
      				struct tagOFNA _t164;
      				struct tagOFNA _t165;
      				struct tagOFNA _t166;
      				struct tagOFNA _t172;
      				int _t177;
      				struct tagOFNA _t184;
      				struct tagOFNA _t186;
      				int _t193;
      				void* _t196;
      				struct HWND__* _t218;
      				void* _t219;
      				void* _t220;
      				struct tagOFNA _t232;
      				short* _t237;
      				int _t238;
      				void* _t239;
      				void* _t240;
      				struct tagOFNA _t241;
      				void* _t245;
      				void* _t246;
      				struct tagOFNA _t251;
      				struct tagOFNA _t255;
      				signed int _t259;
      				void* _t260;
      				void* _t261;
      				void* _t265;
      				void* _t269;
      				void* _t272;
      				void* _t273;
      
      				_t238 = __edx;
      				_t220 = __ecx;
      				_push(0xffffffff);
      				_push(E0048BBE2);
      				_push( *[fs:0x0]);
      				_t261 = _t260 - 0x288;
      				_t92 =  *0x4bb1dc; // 0x2927074f
      				_t93 = _t92 ^ _t259;
      				_v20 = _t93;
      				_push(_t245);
      				_push(_t239);
      				_push(_t93);
      				 *[fs:0x0] =  &_v16;
      				_t95 = _a8;
      				_t218 = _a4;
      				_t273 = _t95 - 0x111;
      				if(_t273 > 0) {
      					__eflags = _t95 - 0x8000;
      					if(_t95 != 0x8000) {
      						L75:
      						__eflags = 0;
      						L76:
      						 *[fs:0x0] = _v16;
      						_pop(_t240);
      						_pop(_t246);
      						_pop(_t219);
      						return E0046F77E(_t219, _v20 ^ _t259, _t238, _t240, _t246);
      					}
      					GetDlgItemTextW(_t218, 0x403,  &_v540, 0x104);
      					__eflags = _v540;
      					if(_v540 == 0) {
      						goto L75;
      					}
      					_t100 = IsDlgButtonChecked(_t218, 0x436);
      					__eflags = _t100 - 1;
      					if(_t100 != 1) {
      						_t74 = IsDlgButtonChecked(_t218, 0x438) - 1; // -1
      						asm("sbb esi, esi");
      						_t251 = ( ~_t74 & 0xfffffffe) + 2;
      						__eflags = _t251;
      					} else {
      						_t251 = _t100;
      					}
      					_v544 = _t251;
      					_t241 = E00471495( &_v540, 0x2e);
      					__eflags = _t241;
      					if(_t241 == 0) {
      						L68:
      						_push(0);
      						_push( &_v540);
      						_t241 = E004713E7(_t220);
      						goto L69;
      					} else {
      						_t122 = E0044C740(_t241);
      						__eflags = _t122;
      						if(_t122 >= 0) {
      							L69:
      							_t106 = 0;
      							__eflags = 0;
      							while(1) {
      								__eflags =  *((intOrPtr*)(0x4a2ce8 + _t106 * 8)) - _t251;
      								if( *((intOrPtr*)(0x4a2ce8 + _t106 * 8)) == _t251) {
      									break;
      								}
      								_t106 = _t106 + 1;
      								__eflags = _t106 - 3;
      								if(_t106 < 3) {
      									continue;
      								}
      								L74:
      								SetDlgItemTextW(_t218, 0x403,  &_v540);
      								__eflags = _t251 - 2;
      								EnableWindow(GetDlgItem(_t218, 0x463), 0 | __eflags == 0x00000000);
      								__eflags = IsDlgButtonChecked(_t218, 0x463);
      								_t238 = 1;
      								_t226 =  ==  ? 1 : _v544;
      								__eflags = ( ==  ? 1 : _v544) - 2;
      								_t88 = ( ==  ? 1 : _v544) == 2;
      								__eflags = _t88;
      								EnableWindow(GetDlgItem(_t218, 0x464), 0 | _t88);
      								goto L75;
      							}
      							__eflags =  &_v20 - _t241;
      							E0046EF0C(_t241,  &_v20 - _t241 >> 1,  *((intOrPtr*)(0x4a2cec + _t106 * 8)));
      							goto L74;
      						}
      						goto L68;
      					}
      				}
      				if(_t273 == 0) {
      					_t124 = _a12 & 0x0000ffff;
      					__eflags = _t124 - 0x405;
      					if(__eflags > 0) {
      						_t125 = _t124 - 0x40c;
      						__eflags = _t125 - 0x57;
      						if(_t125 > 0x57) {
      							goto L75;
      						}
      						switch( *((intOrPtr*)(( *(_t125 + 0x458e98) & 0x000000ff) * 4 +  &M00458E8C))) {
      							case 0:
      								L59:
      								_t127 = IsDlgButtonChecked(_t218, 0x40c);
      								EnableWindow(GetDlgItem(_t218, 0x465), _t127);
      								goto L75;
      							case 1:
      								SendMessageW(__ebx, 0x8000, 0, 0);
      								goto L75;
      							case 2:
      								goto L75;
      						}
      					}
      					if(__eflags == 0) {
      						goto L59;
      					}
      					_t130 = _t124 - 1;
      					__eflags = _t130;
      					if(_t130 == 0) {
      						SendMessageW(_t218, 0x8000, 0, 0);
      						GetDlgItemTextW(_t218, 0x403,  &_v540, 0x104);
      						__eflags = _v540;
      						if(_v540 != 0) {
      							E0046EF0C(0x4be098, 0x104,  &_v540);
      							_t265 = _t261 + 0xc;
      							_t137 = GetFileAttributesW( &_v540);
      							__eflags = _t137 - 0xffffffff;
      							if(_t137 == 0xffffffff) {
      								L33:
      								_t138 = IsDlgButtonChecked(_t218, 0x405);
      								__eflags = _t138;
      								if(_t138 == 0) {
      									_t139 = IsDlgButtonChecked(_t218, 0x40c);
      									asm("sbb esi, esi");
      									_t255 =  ~_t139 + 2;
      									__eflags = _t255;
      								} else {
      									_t255 = 0;
      								}
      								_v544 = _t255;
      								_t140 = IsDlgButtonChecked(_t218, 0x436);
      								__eflags = _t140 - 1;
      								if(_t140 != 1) {
      									_t141 = IsDlgButtonChecked(_t218, 0x438);
      									asm("sbb eax, eax");
      									_t145 = ( ~(_t141 - 1) & 0xfffffffe) + 2;
      									_v552 = _t145;
      									__eflags = _t145 - 2;
      									if(_t145 != 2) {
      										goto L38;
      									}
      									_t165 = IsDlgButtonChecked(_t218, 0x463);
      									__eflags = _t165;
      									if(_t165 == 0) {
      										goto L38;
      									}
      									_v568 = 1;
      									_t166 = IsDlgButtonChecked(_t218, 0x464);
      									__eflags = _t166;
      									if(_t166 == 0) {
      										goto L39;
      									}
      									_v548 = 1;
      									goto L40;
      								} else {
      									_v552 = _t140;
      									L38:
      									_v568 = 0;
      									L39:
      									_v548 = 0;
      									L40:
      									__eflags = _t255 - 1;
      									if(_t255 != 1) {
      										L42:
      										_v560 = 0;
      										L43:
      										_t147 = SetCursor(LoadCursorW(0, 0x7f02));
      										_v544 = E00421580(0x4bca10, _t238, _t218,  &_v540, _v544, _v552, _v560, _v568, _v548);
      										SetCursor(_t147);
      										_t151 = _v544;
      										__eflags = _t151;
      										if(_t151 == 0) {
      											L56:
      											EndDialog(_t218, 1);
      											goto L75;
      										}
      										__eflags = _t151 - 1;
      										if(_t151 == 1) {
      											goto L56;
      										}
      										_t154 = E00459490(_t218,  &_v576, _t151);
      										_v8 = 5;
      										_v556 = E0046A6C0(_t218, L"Error Saving File", E0046A530(L"Error Saving File"));
      										_v8 = 6;
      										E0046A230( &_v544, _t154);
      										_t229 = _v556;
      										_v8 = 8;
      										__eflags = _v556;
      										if(_v556 != 0) {
      											E0046A700(_t229);
      										}
      										_t230 = _v576;
      										_v8 = 9;
      										__eflags = _v576;
      										if(_v576 != 0) {
      											E0046A700(_t230);
      										}
      										MessageBoxW(_t218, E0046A170( &_v544), L"Process Monitor", 0x10);
      										_t232 = _v544;
      										_v8 = 0xffffffff;
      										L50:
      										__eflags = _t232;
      										if(_t232 != 0) {
      											E0046A700(_t232);
      										}
      										goto L75;
      									}
      									_t164 = IsDlgButtonChecked(_t218, 0x465);
      									_v560 = 1;
      									__eflags = _t164;
      									if(_t164 != 0) {
      										goto L43;
      									}
      									goto L42;
      								}
      							}
      							_v572 = E0046A6C0(_t218, L" already exists.\nDo you want to replace it?", E0046A530(L" already exists.\nDo you want to replace it?"));
      							_v8 = 0;
      							_t172 = E0046A6C0(_t218,  &_v540, E0046A530( &_v540));
      							_t265 = _t265 + 0x18;
      							_v564 = _t172;
      							_v8 = 1;
      							E0046A230( &_v548,  &_v572);
      							_t234 = _v564;
      							_v8 = 3;
      							__eflags = _v564;
      							if(_v564 != 0) {
      								E0046A700(_t234);
      							}
      							_t235 = _v572;
      							_v8 = 4;
      							__eflags = _v572;
      							if(_v572 != 0) {
      								E0046A700(_t235);
      							}
      							_t177 = MessageBoxW(_t218, E0046A170( &_v548), L"Process Monitor", 0x34);
      							_t232 = _v548;
      							_v8 = 0xffffffff;
      							__eflags = _t177 - 6;
      							if(_t177 != 6) {
      								goto L50;
      							} else {
      								__eflags = _t232;
      								if(_t232 != 0) {
      									E0046A700(_t232);
      								}
      								goto L33;
      							}
      						}
      						MessageBoxW(_t218, L"You must supply a path", L"Process Monitor", 0x40);
      						SetFocus(GetDlgItem(_t218, 0x403));
      						goto L75;
      					}
      					_t184 = _t130 - 1;
      					__eflags = _t184;
      					if(_t184 == 0) {
      						EndDialog(_t218, 0);
      					} else {
      						_t186 = _t184 - 0x402;
      						__eflags = _t186;
      						if(_t186 == 0) {
      							_v664 = _t186;
      							E00470030( &_v660, _t186, 0x54);
      							GetDlgItemTextW(_t218, 0x403,  &_v540, 0x104);
      							_v664 = 0x58;
      							_v636 =  &_v540;
      							_v660 = _t218;
      							_v632 = 0x104;
      							_v652 = L"Procmon Log (*.PML)";
      							_v612 = 8;
      							_t193 = GetSaveFileNameW( &_v664);
      							__eflags = _t193;
      							if(_t193 != 0) {
      								SetDlgItemTextW(_t218, 0x403,  &_v540);
      							}
      						}
      					}
      					goto L75;
      				}
      				_t196 = _t95 - 2;
      				if(_t196 == 0) {
      					E004595D0(_t218,  *0x4bd2b4, L"SaveDialog");
      					goto L75;
      				}
      				if(_t196 != 0x10e) {
      					goto L75;
      				} else {
      					E004585D0(_t218,  *0x4bd2b4, L"SaveDialog");
      					_t269 = _t261 + 0xc;
      					if( *0x4be098 == 0) {
      						GetCurrentDirectoryW(0x104, 0x4be098);
      						_push(0);
      						_push(0x4be098);
      						_t237 = E004713E7(_t220);
      						_t272 = _t269 + 8;
      						if(_t237 > 0x4be098 &&  *((short*)(_t237 - 2)) != 0x5c) {
      							 *_t237 = 0x5c;
      							_t237 = _t237 + 2;
      						}
      						E0046EF0C(_t237, 0x4be2a0 - _t237 >> 1, L"Logfile");
      						_t269 = _t272 + 0xc;
      					}
      					SetDlgItemTextW(_t218, 0x403, 0x4be098);
      					if(E00471495(0x4be098, 0x2e) == 0 || E0046F283(_t218, _t239, _t245, _t201, L".CSV") != 0) {
      						_push(1);
      						_push(0x437);
      					} else {
      						_push(1);
      						_push(0x436);
      					}
      					CheckDlgButton(_t218, ??, ??);
      					SHAutoComplete(GetDlgItem(_t218, 0x403), 1);
      					CheckDlgButton(_t218, 0x40c, 1);
      					CheckDlgButton(_t218, 0x465, 1);
      					SendMessageW(_t218, 0x8000, 0, 0);
      					goto L76;
      				}
      			}

      APIs
      • GetCurrentDirectoryW.KERNEL32(00000104,004BE098), ref: 004587F1
      • _wcschr.LIBCMT ref: 004587FE
      • SetDlgItemTextW.USER32 ref: 00458845
      • _wcsrchr.LIBCMT ref: 00458852
      • CheckDlgButton.USER32(?,00000437,00000001), ref: 00458887
      • GetDlgItem.USER32 ref: 00458891
      • SHAutoComplete.SHLWAPI(00000000), ref: 00458898
      • CheckDlgButton.USER32(?,0000040C,00000001), ref: 004588A6
      • CheckDlgButton.USER32(?,00000465,00000001), ref: 004588B0
      • SendMessageW.USER32(?,00008000,00000000,00000000), ref: 004588BC
      • _memset.LIBCMT ref: 00458925
      • GetDlgItemTextW.USER32 ref: 0045893F
      • GetSaveFileNameW.COMDLG32(00000058), ref: 00458986
      • SetDlgItemTextW.USER32 ref: 004589A1
        • Part of subcall function 004585D0: RegQueryValueExW.ADVAPI32(004463F1,?,00000000,00000000,?,?), ref: 00458618
        • Part of subcall function 004585D0: GetWindowLongW.USER32(?,000000F0), ref: 00458635
        • Part of subcall function 004585D0: SetWindowLongW.USER32 ref: 00458666
        • Part of subcall function 004585D0: GetWindowRect.USER32 ref: 00458674
        • Part of subcall function 004585D0: GetSystemMetrics.USER32 ref: 004586C8
        • Part of subcall function 004585D0: GetSystemMetrics.USER32 ref: 004586CF
        • Part of subcall function 004585D0: GetSystemMetrics.USER32 ref: 004586D6
        • Part of subcall function 004585D0: GetSystemMetrics.USER32 ref: 004586DC
        • Part of subcall function 004585D0: GetSystemMetrics.USER32 ref: 004586E2
        • Part of subcall function 004585D0: GetSystemMetrics.USER32 ref: 004586E9
      • EndDialog.USER32(?,00000000), ref: 004589AF
      • SendMessageW.USER32(?,00008000,00000000,00000000), ref: 004589C4
      • GetDlgItemTextW.USER32 ref: 004589DC
      • MessageBoxW.USER32(?,You must supply a path,Process Monitor,00000040), ref: 004589F9
      • GetDlgItem.USER32 ref: 00458A05
      • SetFocus.USER32(00000000), ref: 00458A0C
      • GetFileAttributesW.KERNEL32(00000000), ref: 00458A37
      • MessageBoxW.USER32(?,00000000,Process Monitor,00000034), ref: 00458AE1
      • IsDlgButtonChecked.USER32(?,00000405), ref: 00458B12
      • IsDlgButtonChecked.USER32(?,0000040C), ref: 00458B22
      • IsDlgButtonChecked.USER32(?,00000436), ref: 00458B39
      • IsDlgButtonChecked.USER32(?,00000465), ref: 00458B63
      • LoadCursorW.USER32(00000000,00007F02), ref: 00458B7E
      • SetCursor.USER32(00000000), ref: 00458B8B
      • SetCursor.USER32(00000000), ref: 00458BC6
      • MessageBoxW.USER32(?,00000000,Process Monitor,00000010), ref: 00458C64
        • Part of subcall function 0046A6C0: _memmove.LIBCMT ref: 0046A6ED
        • Part of subcall function 0046A230: InterlockedIncrement.KERNEL32(004373F9), ref: 0046A267
      • IsDlgButtonChecked.USER32(?,00000438), ref: 00458C8F
      • IsDlgButtonChecked.USER32(?,00000463), ref: 00458CB1
      • IsDlgButtonChecked.USER32(?,00000464), ref: 00458CC8
      • EndDialog.USER32(?,00000001), ref: 00458CE1
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • IsDlgButtonChecked.USER32(?,0000040C), ref: 00458D0E
      • GetDlgItem.USER32 ref: 00458D1B
      • EnableWindow.USER32(00000000), ref: 00458D22
      • SendMessageW.USER32(?,00008000,00000000,00000000), ref: 00458D37
      • GetDlgItemTextW.USER32 ref: 00458D5F
      • IsDlgButtonChecked.USER32(?,00000436), ref: 00458D7F
      • _wcsrchr.LIBCMT ref: 00458DAE
      • _wcschr.LIBCMT ref: 00458DD2
      • SetDlgItemTextW.USER32 ref: 00458E16
      • GetDlgItem.USER32 ref: 00458E31
      • EnableWindow.USER32(00000000), ref: 00458E3A
      • IsDlgButtonChecked.USER32(?,00000463), ref: 00458E42
      • GetDlgItem.USER32 ref: 00458E67
      • EnableWindow.USER32(00000000), ref: 00458E6A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Button$Item$Checked$MessageMetricsSystemTextWindow$CheckCursorEnableSend$DialogFileInterlockedLong_wcschr_wcsrchr$AttributesAutoCompleteCurrentDecrementDirectoryFocusIncrementLoadNameQueryRectSaveValue_memmove_memset
      • String ID: already exists.Do you want to replace it?$.CSV$Error Saving File$Logfile$POJ$Process Monitor$SaveDialog$X$You must supply a path
      • API String ID: 467708156-456722815
      • Opcode ID: 117d5b60d122fc7a153a9c0fb1c4218401d66a843fe8d127265dcedd3f1071e5
      • Instruction ID: d8875656da8532b79fa48c32688bbb7a82b928e7032809e3b8a482e232f5451f
      • Opcode Fuzzy Hash: 117d5b60d122fc7a153a9c0fb1c4218401d66a843fe8d127265dcedd3f1071e5
      • Instruction Fuzzy Hash: 3AF11DB1940318BADB20AB709C49F9F767CAB14301F1005AAFA05F61D2DF789A49CF6D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E004462D0(void* __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				char _v80;
      				char _v598;
      				short _v600;
      				short _v1120;
      				signed int _v1148;
      				struct _MEMORYSTATUSEX _v1184;
      				WCHAR* _v1196;
      				struct HWND__* _v1204;
      				struct tagOFNA _v1208;
      				signed char _v1209;
      				struct HWND__* _v1216;
      				short _v1220;
      				short _v1224;
      				short _v1228;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t82;
      				signed int _t83;
      				intOrPtr _t85;
      				short _t86;
      				signed int _t87;
      				short _t91;
      				void* _t112;
      				signed int _t125;
      				short _t131;
      				short _t132;
      				signed int _t133;
      				short _t144;
      				long _t150;
      				short _t152;
      				void* _t153;
      				void* _t176;
      				struct HWND__* _t183;
      				void* _t184;
      				int _t185;
      				intOrPtr _t186;
      				unsigned int _t187;
      				void* _t207;
      				void* _t208;
      				void* _t209;
      				void* _t210;
      				void* _t214;
      				intOrPtr _t215;
      				int _t217;
      				signed int _t222;
      				void* _t239;
      
      				_t207 = __edx;
      				_push(0xffffffff);
      				_push(E0048A8DA);
      				_push( *[fs:0x0]);
      				_t82 =  *0x4bb1dc; // 0x2927074f
      				_t83 = _t82 ^ _t222;
      				_v20 = _t83;
      				_push(_t208);
      				_push(_t83);
      				 *[fs:0x0] =  &_v16;
      				_t85 = _a8;
      				_t183 = _a4;
      				_t186 = _a16;
      				_v1216 = _t183;
      				_t239 = _t85 - 0x110;
      				if(_t239 > 0) {
      					_t86 = _t85 - 0x111;
      					__eflags = _t86;
      					if(_t86 == 0) {
      						_t187 = _a12;
      						_t87 = _t187 & 0x0000ffff;
      						__eflags = _t87 - 0x402;
      						if(_t87 > 0x402) {
      							__eflags = _t87 - 0x404;
      							if(_t87 == 0x404) {
      								E00470030( &_v1204, 0, 0x54);
      								_v1208 = 0x58;
      								_v1204 = _t183;
      								_v1184.dwMemoryLoad = 0x4bdd40;
      								_v1184.ullTotalPhys = 0x104;
      								_v1196 = L"Procmon Log (*.PML)";
      								_v1184.ullAvailVirtual = 0x20008;
      								_t91 = GetSaveFileNameW( &_v1208);
      								__eflags = _t91;
      								if(_t91 != 0) {
      									SetDlgItemTextW(_t183, 0x403, 0x4bdd40);
      								}
      							} else {
      								__eflags = _t87 - 0x9c4c;
      								if(_t87 == 0x9c4c) {
      									_t215 =  *0x4bca44; // 0x0
      									_t210 = GetDlgItem;
      									_t217 = _t215 -  *0x4bca40 >> 2;
      									SendMessageW(GetDlgItem(_t183, 0x3f9), 0x102f, _t217, 2);
      									__eflags = _t217 -  *0x4bdd3c; // 0x0
      									if(__eflags > 0) {
      										_t39 = _t217 - 1; // -4966977
      										SendMessageW(GetDlgItem(_t183, 0x3f9), 0x1013, _t39, 0);
      									}
      									 *0x4bdd3c = _t217;
      									E00436D00(_t183, _t210,  &_v80, 0x1e,  *0x4bd2d0, 0);
      									asm("movsd xmm0, [0x4bd2c8]");
      									_push( &_v80);
      									asm("movsd [esp], xmm0");
      									L00401F90( &_v1120, L"ProcMon load: %.2f%% @ p%d (%s bytes pending)",  *0x4bd2d4);
      									SetDlgItemTextW(_t183, 0x419,  &_v1120);
      									_v1184.dwLength = 0x40;
      									_v1184.dwMemoryLoad = 0;
      									E00470030( &(_v1184.ullTotalPhys), 0, 0x38);
      									GlobalMemoryStatusEx( &_v1184);
      									_v1220 = E0046A6C0(_t183, L"MB available)", E0046A530(L"MB available)"));
      									_v8 = 1;
      									_t112 = E00436C80(_t183, _t207, _t210,  &_v1224, (_v1148 << 0x00000020 | _v1184.ullAvailExtendedVirtual) >> 0x14, _v1148 >> 0x14, 0);
      									_v8 = 2;
      									E0046A190( &_v1228, "(", _t112);
      									_v8 = 3;
      									E0046A230( &_v1216,  &_v1220);
      									_t197 = _v1228;
      									_v8 = 5;
      									__eflags = _v1228;
      									if(_v1228 != 0) {
      										E0046A700(_t197);
      									}
      									_t198 = _v1224;
      									_v8 = 6;
      									__eflags = _v1224;
      									if(_v1224 != 0) {
      										E0046A700(_t198);
      									}
      									_t199 = _v1220;
      									_v8 = 7;
      									__eflags = _v1220;
      									if(_v1220 != 0) {
      										E0046A700(_t199);
      									}
      									SetDlgItemTextW(_t183, 0x459, E0046A170( &_v1216));
      									_t201 = _v1216;
      									_v8 = 0xffffffff;
      									__eflags = _v1216;
      									if(_v1216 != 0) {
      										E0046A700(_t201);
      									}
      								}
      							}
      							goto L45;
      						}
      						__eflags = _t87 - 0x401;
      						if(_t87 >= 0x401) {
      							__eflags = _t187 >> 0x10;
      							if(_t187 >> 0x10 == 0) {
      								_t125 = IsDlgButtonChecked(_t183, 0x401);
      								__eflags = _t125;
      								_t185 = (_t125 & 0xffffff00 | _t125 == 0x00000000) & 0x000000ff;
      								EnableWindow(GetDlgItem(_v1216, 0x403), _t185);
      								EnableWindow(GetDlgItem(_v1216, 0x404), _t185);
      							}
      							goto L45;
      						}
      						_t131 = _t87 - 1;
      						__eflags = _t131;
      						if(_t131 == 0) {
      							_v1209 = 0;
      							_t132 = IsDlgButtonChecked(_t183, 0x401);
      							__eflags = _t132;
      							_t133 = _v1209 & 0x000000ff;
      							if(_t132 == 0) {
      								__eflags =  *0x4bdac0;
      								_t134 =  ==  ? 1 : _t133;
      								_v1216 =  ==  ? 1 : _t133;
      								_v600 = 0;
      								E00470030( &_v598, 0, 0x206);
      								GetDlgItemTextW(_t183, 0x403,  &_v600, 0x104);
      								__eflags = _v600;
      								_push(0);
      								if(_v600 != 0) {
      									GetFullPathNameW( &_v600, 0x104, 0x4bdac0, ??);
      									_push(L".PML");
      									E00435A10(0x4bdac0, 0x104);
      									SetDlgItemTextW(_t183, 0x403, 0x4bdac0);
      									_t144 = _v1216;
      									L26:
      									__eflags = _t144;
      									if(_t144 != 0) {
      										MessageBoxW(_t183, L"Your changes will take affect the next time you begin capturing a new log.", L"Process Monitor", 0);
      									}
      									DestroyWindow(_t183);
      									goto L45;
      								}
      								MessageBoxW(_t183, L"Please provide a path to the backing file.", L"Process Monitor", ??);
      								goto L45;
      							}
      							__eflags =  *0x4bdac0;
      							_t144 =  !=  ? 1 : _t133;
      							 *0x4bdac0 = 0;
      							goto L26;
      						} else {
      							__eflags = _t131 == 1;
      							if(_t131 == 1) {
      								DestroyWindow(_t183);
      							}
      							goto L45;
      						}
      					} else {
      						_t150 = _t86 - 2;
      						__eflags = _t150;
      						if(_t150 == 0) {
      							SendMessageW(_t183, 0x111, 0x9c4c, _t150);
      						}
      						L45:
      						L46:
      						 *[fs:0x0] = _v16;
      						_pop(_t209);
      						_pop(_t214);
      						_pop(_t184);
      						return E0046F77E(_t184, _v20 ^ _t222, _t207, _t209, _t214);
      					}
      				}
      				if(_t239 == 0) {
      					_push(0x40);
      					_t152 = E0046EEB6(_t183, _t208, __eflags);
      					_v1216 = _t152;
      					_v8 = 0;
      					__eflags = _t152;
      					if(_t152 == 0) {
      						_t153 = 0;
      						__eflags = 0;
      					} else {
      						_t153 = E00445770(_t183);
      					}
      					 *((intOrPtr*)(_t153 + 0x2c)) = 0x32;
      					 *((intOrPtr*)(_t153 + 0x30)) = 0x1e;
      					_v8 = 0xffffffff;
      					E004585D0(_t183,  *0x4bd2b4, L"BackingFileDialog");
      					E0042E9F0(_t207, GetDlgItem(_t183, 0x3f9), 0x4a3588, 8, 0x4030, 0);
      					E0042EB50(__eflags, GetDlgItem(_t183, 0x3f9),  *0x4bd2b4, L"BackingFileColumns");
      					SetDlgItemTextW(_t183, 0x403, 0x4bdac0);
      					__eflags =  *0x4bdac0; // 0x0
      					CheckDlgButton(_t183, 0x401, 0 | __eflags == 0x00000000);
      					__eflags =  *0x4bdac0; // 0x0
      					CheckDlgButton(_t183, 0x402, 0 | __eflags != 0x00000000);
      					SendMessageW(_t183, 0x111, 0x401, 0);
      					SendMessageW(_t183, 0x111, 0x9c4c, 0);
      					SetTimer(_t183, 1, 0x3e8, 0);
      					SendMessageW(GetDlgItem(_t183, 0x3f9), 0x30,  *0x4bd708, 0);
      					SendMessageW(GetDlgItem(_t183, 0x3f9), 0x101e, 0, 0xffff);
      					SHAutoComplete(GetDlgItem(_t183, 0x403), 1);
      					goto L46;
      				} else {
      					_t176 = _t85 - 2;
      					if(_t176 == 0) {
      						E004595D0(_t183,  *0x4bd2b4, L"BackingFileDialog");
      						E0042EC40(__eflags, GetDlgItem(_t183, 0x3f9),  *0x4bd2b4, L"BackingFileColumns");
      					} else {
      						if(_t176 == 0x4c && _a12 == 0x3f9 &&  *((intOrPtr*)(_t186 + 8)) == 0xffffff4f && ( *(_t186 + 0xc) & 0x00000001) != 0) {
      							E0041E160(_t183, _t208,  *((intOrPtr*)(_t186 + 0x10)),  *((intOrPtr*)(_t186 + 0x14)),  *((intOrPtr*)(_t186 + 0x20)),  *((intOrPtr*)(_t186 + 0x24)));
      						}
      					}
      					goto L45;
      				}
      			}

      0x004462d0
      0x004462d3
      0x004462d5
      0x004462e0
      0x004462e7
      0x004462ec
      0x004462ee
      0x004462f3
      0x004462f4
      0x004462f8
      0x004462fe
      0x00446301
      0x00446304
      0x00446307
      0x0044630d
      0x00446312
      0x004464f1
      0x004464f1
      0x004464f6
      0x00446518
      0x0044651b
      0x0044651e
      0x00446523
      0x004466a9
      0x004466ae
      0x00446887
      0x0044688f
      0x0044689f
      0x004468a5
      0x004468af
      0x004468ba
      0x004468c4
      0x004468ce
      0x004468d4
      0x004468d6
      0x004468e3
      0x004468e3
      0x004466b4
      0x004466b4
      0x004466b9
      0x004466bf
      0x004466cb
      0x004466d3
      0x004466e5
      0x004466eb
      0x004466f1
      0x004466f5
      0x00446707
      0x00446707
      0x00446718
      0x00446721
      0x00446726
      0x00446734
      0x00446744
      0x0044674f
      0x0044676a
      0x00446774
      0x00446781
      0x0044678b
      0x0044679a
      0x004467b5
      0x004467d8
      0x004467e0
      0x004467ec
      0x004467f6
      0x00446804
      0x00446812
      0x00446817
      0x0044681d
      0x00446821
      0x00446823
      0x00446825
      0x00446825
      0x0044682a
      0x00446830
      0x00446834
      0x00446836
      0x00446838
      0x00446838
      0x0044683d
      0x00446843
      0x00446847
      0x00446849
      0x0044684b
      0x0044684b
      0x00446862
      0x00446864
      0x0044686a
      0x00446871
      0x00446873
      0x00446875
      0x00446875
      0x00446873
      0x004466b9
      0x00000000
      0x004466ae
      0x00446529
      0x0044652e
      0x0044665a
      0x0044665c
      0x00446668
      0x00446674
      0x00446679
      0x00446691
      0x004466a2
      0x004466a2
      0x00000000
      0x0044665c
      0x00446534
      0x00446534
      0x00446535
      0x00446550
      0x00446557
      0x0044655d
      0x00446564
      0x0044656b
      0x00446586
      0x00446593
      0x00446596
      0x0044659f
      0x004465ad
      0x004465c7
      0x004465cd
      0x004465d5
      0x004465d7
      0x00446600
      0x00446606
      0x00446615
      0x00446628
      0x0044662e
      0x00446634
      0x00446634
      0x00446636
      0x00446645
      0x00446645
      0x0044664c
      0x00000000
      0x0044664c
      0x004465e4
      0x00000000
      0x004465e4
      0x0044656d
      0x00446575
      0x0044657a
      0x00000000
      0x00446537
      0x00446537
      0x00446538
      0x0044653f
      0x0044653f
      0x00000000
      0x00446538
      0x004464f8
      0x004464f8
      0x004464f8
      0x004464fb
      0x0044650d
      0x0044650d
      0x004468e9
      0x004468eb
      0x004468ee
      0x004468f6
      0x004468f7
      0x004468f8
      0x00446906
      0x00446906
      0x004464f6
      0x00446318
      0x004463a4
      0x004463a6
      0x004463ae
      0x004463b4
      0x004463bb
      0x004463bd
      0x004463c9
      0x004463c9
      0x004463bf
      0x004463c2
      0x004463c2
      0x004463d0
      0x004463d7
      0x004463e4
      0x004463ec
      0x00446411
      0x0044642d
      0x00446440
      0x0044644e
      0x0044645f
      0x00446463
      0x00446474
      0x00446489
      0x00446498
      0x004464a4
      0x004464bd
      0x004464d4
      0x004464e1
      0x00000000
      0x0044631e
      0x0044631e
      0x00446321
      0x00446377
      0x00446397
      0x00446323
      0x00446326
      0x00446361
      0x00446361
      0x00446326
      0x00000000
      0x00446321

      APIs
      • GetDlgItem.USER32 ref: 00446390
        • Part of subcall function 0041E160: EnterCriticalSection.KERNEL32(?,2927074F,?,?,?,00487960,000000FF), ref: 0041E18A
      • GetDlgItem.USER32 ref: 0044640E
      • GetDlgItem.USER32 ref: 0044642A
      • SetDlgItemTextW.USER32 ref: 00446440
      • CheckDlgButton.USER32(?,00000401,00000000), ref: 0044645F
      • CheckDlgButton.USER32(?,00000402,00000000), ref: 00446474
      • SendMessageW.USER32(?,00000111,00000401,00000000), ref: 00446489
      • SendMessageW.USER32(?,00000111,00009C4C,00000000), ref: 00446498
      • SetTimer.USER32(?,00000001,000003E8,00000000), ref: 004464A4
      • GetDlgItem.USER32 ref: 004464BA
      • SendMessageW.USER32(00000000), ref: 004464BD
      • GetDlgItem.USER32 ref: 004464D1
      • SendMessageW.USER32(00000000), ref: 004464D4
      • GetDlgItem.USER32 ref: 004464DE
      • SHAutoComplete.SHLWAPI(00000000), ref: 004464E1
      • SendMessageW.USER32(?,00000111,00009C4C,?), ref: 0044650D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Item$MessageSend$ButtonCheck$AutoCompleteCriticalEnterSectionTextTimer
      • String ID: .PML$@$BackingFileColumns$BackingFileDialog$MB available)$Please provide a path to the backing file.$ProcMon load: %.2f%% @ p%d (%s bytes pending)$Process Monitor$X$Your changes will take affect the next time you begin capturing a new log.$h7J
      • API String ID: 1235451974-3174516316
      • Opcode ID: c0f5db9f2477f2228c9620f509283e804a975691584656bdca135faf2360e650
      • Instruction ID: d9d91aaf7562d933817448fb18d4aecdd630dbdcfd94fc23b47eba0c9e2cb176
      • Opcode Fuzzy Hash: c0f5db9f2477f2228c9620f509283e804a975691584656bdca135faf2360e650
      • Instruction Fuzzy Hash: D1E1C6F0A40314BBEB10AF60DC46F9A7B6CAB05705F0045AEF606F61D2D7BC9A458B5D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • OleInitialize.OLE32(00000000), ref: 0045F390
      • _memset.LIBCMT ref: 0045F3C8
      • WSAStartup.WS2_32(00000202,?), ref: 0045F3DC
      • SetConsoleCtrlHandler.KERNEL32(00446D00,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,04000000), ref: 0045F3FD
      • SetProcessShutdownParameters.KERNEL32(000001FF,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,04000000), ref: 0045F40A
      • RegCreateKeyExW.ADVAPI32(80000001,Software\Sysinternals\Process Monitor32,00000000,00000000,00000000,000F003F,00000000,004BD2B4,00000000), ref: 0045F443
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ConsoleCreateCtrlHandlerInitializeParametersProcessShutdownStartup_memset
      • String ID: .PML$ACCELERATORS$DeviceNameMap$FILTER_INIT$Invalid file extension in /SaveAs option$PHx$PROCMON_WINDOW_CLASS$ProcMon Log File$ProcMon.Logfile.1$Process Monitor$Process Monitor - Sysinternals: www.sysinternals.com$SeDebugPrivilege$Software\Sysinternals\Process Monitor$Software\Sysinternals\Process Monitor32$The file was not saved. $The selected configuration file cannot be opened$commdlg_FindReplace$h@2E$t,j$FV$LV
      • API String ID: 1199330796-1675621587
      • Opcode ID: 888242bbf260ae7516b312f982ca66783a4525bba2e2e765fa7c48855d8baa6f
      • Instruction ID: dd3de3ed241efc844b7b6ddc1f6364a5231d742c4604e7b448692a38683c79ba
      • Opcode Fuzzy Hash: 888242bbf260ae7516b312f982ca66783a4525bba2e2e765fa7c48855d8baa6f
      • Instruction Fuzzy Hash: 7EE11CB1A403047BEB24AB609C47FAE3768EB54705F1400BBFA05B51D3EBB9594D8B1E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0046D2B0(WCHAR* _a4) {
      				_Unknown_base(*)()* _t25;
      				struct HINSTANCE__* _t34;
      
      				_t34 = LoadLibraryW(_a4);
      				GetModuleHandleW(L"ntdll.dll");
      				 *0x4c2774 = GetProcAddress(_t34, "SymInitialize");
      				 *0x4c27a0 = GetProcAddress(_t34, "EnumerateLoadedModules64");
      				 *0x4c27a8 = GetProcAddress(_t34, "SymRegisterCallback64");
      				 *0x4c279c = GetProcAddress(_t34, "SymGetModuleInfo64");
      				 *0x4c2784 = GetProcAddress(_t34, "SymCleanup");
      				 *0x4c2780 = GetProcAddress(_t34, "SymFromAddrW");
      				 *0x4c277c = GetProcAddress(_t34, "SymGetSymFromName");
      				 *0x4c2788 = GetProcAddress(_t34, "SymSetOptions");
      				 *0x4c27cc = GetProcAddress(_t34, "SymSetHomeDirectoryW");
      				 *0x4c2790 = GetProcAddress(_t34, "SymLoadModuleExW");
      				 *0x4c2794 = GetProcAddress(_t34, "SymLoadModule64");
      				 *0x4c2798 = GetProcAddress(_t34, "SymUnloadModule64");
      				 *0x4c278c = GetProcAddress(_t34, "StackWalk64");
      				 *0x4c27bc = GetProcAddress(_t34, "SymGetLineFromAddrW64");
      				 *0x4c27c0 = GetProcAddress(_t34, "SymGetLinePrevW64");
      				 *0x4c27c4 = GetProcAddress(_t34, "SymGetSourceFileTokenW");
      				 *0x4c27c8 = GetProcAddress(_t34, "SymGetSourceFileW");
      				 *0x4c27ac = GetProcAddress(_t34, "SymGetModuleBase64");
      				 *0x4c2778 = GetProcAddress(_t34, "SymFunctionTableAccess64");
      				_t25 = GetProcAddress(_t34, "SymSrvGetFileIndexesW");
      				_t26 =  ==  ? E0046CC00 : _t25;
      				 *0x4c27b0 =  ==  ? E0046CC00 : _t25;
      				 *0x4c27b4 = GetProcAddress(_t34, "SymFindFileInPathW");
      				 *0x4c27b8 = GetProcAddress(_t34, "SymSetSearchPathW");
      				return SetEnvironmentVariableW(L"_NT_SYMBOL_PATH", E0046A170(0x4bdab8)) & 0xffffff00 |  *0x4c2774 != 0x00000000;
      			}

      0x0046d2c3
      0x0046d2c5
      0x0046d2df
      0x0046d2ec
      0x0046d2f9
      0x0046d306
      0x0046d313
      0x0046d320
      0x0046d32d
      0x0046d33a
      0x0046d347
      0x0046d354
      0x0046d361
      0x0046d36e
      0x0046d37b
      0x0046d388
      0x0046d395
      0x0046d3a2
      0x0046d3af
      0x0046d3b6
      0x0046d3c9
      0x0046d3ce
      0x0046d3dc
      0x0046d3e0
      0x0046d3ed
      0x0046d3f9
      0x0046d41c

      APIs
      • LoadLibraryW.KERNEL32(0046C966,00000000,00000000,?,0046C966,004BD8B0), ref: 0046D2B8
      • GetModuleHandleW.KERNEL32(ntdll.dll,?,0046C966,004BD8B0), ref: 0046D2C5
      • GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 0046D2D7
      • GetProcAddress.KERNEL32(00000000,EnumerateLoadedModules64), ref: 0046D2E4
      • GetProcAddress.KERNEL32(00000000,SymRegisterCallback64), ref: 0046D2F1
      • GetProcAddress.KERNEL32(00000000,SymGetModuleInfo64), ref: 0046D2FE
      • GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 0046D30B
      • GetProcAddress.KERNEL32(00000000,SymFromAddrW), ref: 0046D318
      • GetProcAddress.KERNEL32(00000000,SymGetSymFromName), ref: 0046D325
      • GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 0046D332
      • GetProcAddress.KERNEL32(00000000,SymSetHomeDirectoryW), ref: 0046D33F
      • GetProcAddress.KERNEL32(00000000,SymLoadModuleExW), ref: 0046D34C
      • GetProcAddress.KERNEL32(00000000,SymLoadModule64), ref: 0046D359
      • GetProcAddress.KERNEL32(00000000,SymUnloadModule64), ref: 0046D366
      • GetProcAddress.KERNEL32(00000000,StackWalk64), ref: 0046D373
      • GetProcAddress.KERNEL32(00000000,SymGetLineFromAddrW64), ref: 0046D380
      • GetProcAddress.KERNEL32(00000000,SymGetLinePrevW64), ref: 0046D38D
      • GetProcAddress.KERNEL32(00000000,SymGetSourceFileTokenW), ref: 0046D39A
      • GetProcAddress.KERNEL32(00000000,SymGetSourceFileW), ref: 0046D3A7
      • GetProcAddress.KERNEL32(00000000,SymGetModuleBase64), ref: 0046D3B4
      • GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess64), ref: 0046D3C1
      • GetProcAddress.KERNEL32(00000000,SymSrvGetFileIndexesW), ref: 0046D3CE
      • GetProcAddress.KERNEL32(00000000,SymFindFileInPathW), ref: 0046D3E5
      • GetProcAddress.KERNEL32(00000000,SymSetSearchPathW), ref: 0046D3F2
      • SetEnvironmentVariableW.KERNEL32(_NT_SYMBOL_PATH,00000000,?,0046C966,004BD8B0), ref: 0046D409
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AddressProc$EnvironmentHandleLibraryLoadModuleVariable
      • String ID: EnumerateLoadedModules64$StackWalk64$SymCleanup$SymFindFileInPathW$SymFromAddrW$SymFunctionTableAccess64$SymGetLineFromAddrW64$SymGetLinePrevW64$SymGetModuleBase64$SymGetModuleInfo64$SymGetSourceFileTokenW$SymGetSourceFileW$SymGetSymFromName$SymInitialize$SymLoadModule64$SymLoadModuleExW$SymRegisterCallback64$SymSetHomeDirectoryW$SymSetOptions$SymSetSearchPathW$SymSrvGetFileIndexesW$SymUnloadModule64$_NT_SYMBOL_PATH$ntdll.dll
      • API String ID: 1933961203-2357135374
      • Opcode ID: 3680ad0ecc161f3432a700371ef35f00dee9dff8e7075e63d9cc390330972436
      • Instruction ID: 98751f5dc1f363d8ed587a52521a4292f15c1bb98313c85a9ccd8570de5b5df7
      • Opcode Fuzzy Hash: 3680ad0ecc161f3432a700371ef35f00dee9dff8e7075e63d9cc390330972436
      • Instruction Fuzzy Hash: 34316BB0D41314BAC7946B769D8EE1BBEECEAA6F54350443FB404D2160DEFC54109E5D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E0044D520(int __edx, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				struct tagPOINT _v36;
      				long _v40;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t25;
      				signed int _t26;
      				signed int _t28;
      				intOrPtr _t29;
      				signed int _t30;
      				signed int _t31;
      				signed int _t36;
      				signed int _t40;
      				signed int _t43;
      				int _t54;
      				signed int _t56;
      				char _t66;
      				int _t67;
      				signed int _t69;
      				void* _t93;
      				struct HWND__* _t104;
      				void* _t105;
      				signed int _t106;
      				void* _t124;
      				signed short _t125;
      				void* _t126;
      				signed int _t127;
      				void* _t130;
      				intOrPtr _t132;
      				intOrPtr _t135;
      				void* _t136;
      				intOrPtr _t137;
      				struct HWND__* _t141;
      				signed int _t142;
      				void* _t143;
      				void* _t144;
      				void* _t150;
      				void* _t155;
      
      				_t155 = __fp0;
      				_t123 = __edx;
      				_push(0xffffffff);
      				_push(E0048B073);
      				_push( *[fs:0x0]);
      				_t144 = _t143 - 0x18;
      				_t25 =  *0x4bb1dc; // 0x2927074f
      				_t26 = _t25 ^ _t142;
      				_v20 = _t26;
      				_push(_t124);
      				_push(_t26);
      				 *[fs:0x0] =  &_v16;
      				_t28 =  *0x4bdfa4; // 0x0
      				_t104 = _a4;
      				_v40 = _t104;
      				if((_t28 & 0x00000001) == 0) {
      					 *0x4bdfa4 = _t28 | 0x00000001;
      					InitializeCriticalSection(0x4bdf78);
      					 *0x4bdf90 = 0;
      					 *0x4bdf94 = 0;
      					 *0x4bdf98 = 0;
      					 *0x4bdf9c = 1;
      					 *0x4bdfa0 = 0;
      					E0046FD29(_t28 | 0x00000001, E0048E120);
      					_t144 = _t144 + 4;
      				}
      				_t29 = _a8;
      				_t150 = _t29 - 0x110;
      				if(_t150 > 0) {
      					__eflags = _t29 - 0x111;
      					if(_t29 == 0x111) {
      						_t125 = _a12;
      						_t30 = _t125 & 0x0000ffff;
      						__eflags = _t30 - 0x3fc;
      						if(__eflags > 0) {
      							_t31 = _t30 - 0x3fd;
      							__eflags = _t31;
      							if(_t31 == 0) {
      								_push(0);
      								_push(0x3fd);
      								L48:
      								_push(0x111);
      								_push(GetDlgItem(_t104, 0x418));
      								L49:
      								SendMessageW();
      								L50:
      								__eflags = 0;
      								L51:
      								 *[fs:0x0] = _v16;
      								_pop(_t126);
      								_pop(_t130);
      								_pop(_t105);
      								return E0046F77E(_t105, _v20 ^ _t142, _t123, _t126, _t130);
      							}
      							_t36 = _t31 - 3;
      							__eflags = _t36;
      							if(_t36 == 0) {
      								L00457F20(_t155, 0);
      								goto L50;
      							}
      							__eflags = _t36 != 0x46;
      							if(_t36 != 0x46) {
      								goto L50;
      							}
      							L30:
      							_t40 = SendMessageW(GetDlgItem(_t104, 0x418), 0x800c, 0, 0);
      							__eflags = _t40;
      							if(_t40 == 0) {
      								L34:
      								__eflags = _t125 - 0x3f5;
      								if(_t125 != 0x3f5) {
      									_t43 = IsWindowEnabled(GetDlgItem(_t104, 0x446));
      									__eflags = _t43;
      									if(_t43 != 0) {
      										EnableWindow(GetDlgItem(_t104, 0x446), 0);
      										L00415F80(0x4bdf78);
      										E00418650(0x4bca10);
      									}
      									__eflags = _t125 - 0x3f4;
      									if(_t125 == 0x3f4) {
      										SendMessageW(_t104, 0x10, 0, 0);
      									}
      									goto L50;
      								}
      								L00415F80(0x4bdf78);
      								EnterCriticalSection(0x4bcac0);
      								_t132 =  *0x4bcadc; // 0x0
      								LeaveCriticalSection(0x4bcac0);
      								__eflags = _t132 -  *0x4bcad8 >> 5;
      								if(__eflags == 0) {
      									L41:
      									_push(0);
      									E00418140(0x4bca10, __eflags);
      									_push(0);
      									_push(0);
      									_push(0x800b);
      									_push(_t104);
      									goto L49;
      								}
      								_t127 = 0;
      								_t106 = 0;
      								__eflags = 0;
      								do {
      									_t135 =  *0x4bcad8; // 0x0
      									_t136 = _t135 + _t127;
      									__eflags =  *((char*)(_t136 + 0x19));
      									if( *((char*)(_t136 + 0x19)) != 0) {
      										E00412A40(0x4bca94, _t136);
      										E00413AB0(0x4bcac0, _t136);
      										_t106 = _t106 - 1;
      										_t127 = _t127 - 0x20;
      										__eflags = _t127;
      									}
      									_t106 = _t106 + 1;
      									_t127 = _t127 + 0x20;
      									EnterCriticalSection(0x4bcac0);
      									_t137 =  *0x4bcadc; // 0x0
      									LeaveCriticalSection(0x4bcac0);
      									__eflags = _t106 - _t137 -  *0x4bcad8 >> 5;
      								} while (__eflags < 0);
      								_t104 = _v40;
      								goto L41;
      							}
      							_t54 = MessageBoxW(_t104, L"You did not add the item you were editing. Add it now?", L"Process Monitor", 3);
      							__eflags = _t54 - 6;
      							if(_t54 != 6) {
      								__eflags = _t54 - 7;
      								if(_t54 != 7) {
      									goto L50;
      								}
      								goto L34;
      							}
      							SendMessageW(_t104, 0x111, 0x3fc, 0);
      							goto L34;
      						}
      						if(__eflags == 0) {
      							L26:
      							_push(0);
      							_push(0x3fc);
      							goto L48;
      						}
      						__eflags = _t30 - 0x6a;
      						if(__eflags > 0) {
      							__eflags = _t30 - 0x3f4;
      							if(_t30 < 0x3f4) {
      								goto L50;
      							}
      							__eflags = _t30 - 0x3f5;
      							if(_t30 <= 0x3f5) {
      								goto L30;
      							}
      							goto L50;
      						}
      						if(__eflags == 0) {
      							L22:
      							_push(0);
      							_push(0);
      							_push(0x10);
      							_push(_t104);
      							goto L49;
      						}
      						_t56 = _t30 - 1;
      						__eflags = _t56;
      						if(_t56 == 0) {
      							goto L26;
      						}
      						__eflags = _t56 != 1;
      						if(_t56 != 1) {
      							goto L50;
      						}
      						goto L22;
      					}
      					__eflags = _t29 - 0x800b;
      					if(_t29 == 0x800b) {
      						L00415F80(0x4bcac0);
      						SendMessageW(GetDlgItem(_t104, 0x418), 0x8003, 0, 0);
      						EnableWindow(GetDlgItem(_t104, 0x446), 0);
      						SetFocus(GetDlgItem(_t104, 0x3f4));
      					}
      					goto L50;
      				}
      				if(_t150 == 0) {
      					_v40 = 0x4bdf78;
      					EnterCriticalSection(0x4bdf78);
      					_push(0x4bcad8);
      					_v8 = 0;
      					L00415E40(0x4bdf90);
      					_t66 =  *0x4bcae4; // 0x0
      					 *0x4bdf9c = _t66;
      					_t67 =  *0x4bcae8; // 0x0
      					 *0x4bdfa0 = _t67;
      					E004145C0();
      					_v8 = 0xffffffff;
      					LeaveCriticalSection(0x4bdf78);
      					_push(0x40);
      					_t69 = E0046EEB6(_t104, _t124, __eflags);
      					_v40 = _t69;
      					_v8 = 1;
      					__eflags = _t69;
      					if(_t69 != 0) {
      						E00445770(_t104);
      					}
      					_t141 = CreateDialogParamW(GetModuleHandleW(0), L"FILTER_CONTROL", _t104, E0044AF50, 0x4bdf78);
      					GetWindowRect(GetDlgItem(_t104, 0x418),  &_v36);
      					MapWindowPoints(0, _t104,  &_v36, 2);
      					_t123 = _v36.y;
      					MoveWindow(_t141, _v36.x, _v36.y, _v28 - _v36.x, _v24 - _v36.y, 0);
      					DestroyWindow(GetDlgItem(_t104, 0x418));
      					SetWindowLongW(_t141, 0xfffffff4, 0x418);
      					E004585D0(_t104,  *0x4bd2b4, L"HighlightDialog");
      					EnableWindow(GetDlgItem(_t104, 0x446), 0);
      					SetFocus(GetDlgItem(_t104, 0x3f4));
      					SendMessageW(_t104, 0x800b, 0, 0);
      					goto L51;
      				}
      				_t93 = _t29 - 2;
      				if(_t93 == 0) {
      					E004595D0(_t104,  *0x4bd2b4, L"HighlightDialog");
      					goto L50;
      				}
      				if(_t93 != 0xe) {
      					goto L50;
      				} else {
      					if(GetWindowLongW(_t104, 0xffffffeb) == 0) {
      						DestroyWindow(_t104);
      						 *0x4bd2f0 = 0;
      					} else {
      						EndDialog(_t104, 0);
      					}
      					goto L51;
      				}
      			}

      0x0044d520
      0x0044d520
      0x0044d523
      0x0044d525
      0x0044d530
      0x0044d531
      0x0044d534
      0x0044d539
      0x0044d53b
      0x0044d540
      0x0044d541
      0x0044d545
      0x0044d54b
      0x0044d550
      0x0044d553
      0x0044d558
      0x0044d562
      0x0044d567
      0x0044d572
      0x0044d57c
      0x0044d586
      0x0044d590
      0x0044d597
      0x0044d5a1
      0x0044d5a6
      0x0044d5a6
      0x0044d5a9
      0x0044d5ac
      0x0044d5b1
      0x0044d764
      0x0044d769
      0x0044d7c8
      0x0044d7cb
      0x0044d7ce
      0x0044d7d3
      0x0044d817
      0x0044d817
      0x0044d81c
      0x0044d9ad
      0x0044d9af
      0x0044d9b4
      0x0044d9b4
      0x0044d9c5
      0x0044d9c6
      0x0044d9c6
      0x0044d9cc
      0x0044d9cc
      0x0044d9ce
      0x0044d9d1
      0x0044d9d9
      0x0044d9da
      0x0044d9db
      0x0044d9e9
      0x0044d9e9
      0x0044d822
      0x0044d822
      0x0044d825
      0x0044d9a6
      0x00000000
      0x0044d9a6
      0x0044d82b
      0x0044d82e
      0x00000000
      0x00000000
      0x0044d834
      0x0044d850
      0x0044d852
      0x0044d854
      0x0044d888
      0x0044d88d
      0x0044d890
      0x0044d952
      0x0044d958
      0x0044d95a
      0x0044d96b
      0x0044d97b
      0x0044d985
      0x0044d985
      0x0044d98f
      0x0044d992
      0x0044d99b
      0x0044d99b
      0x00000000
      0x0044d992
      0x0044d8a0
      0x0044d8aa
      0x0044d8b0
      0x0044d8c4
      0x0044d8ca
      0x0044d8cc
      0x0044d92a
      0x0044d92a
      0x0044d931
      0x0044d936
      0x0044d938
      0x0044d93a
      0x0044d93f
      0x00000000
      0x0044d93f
      0x0044d8ce
      0x0044d8d0
      0x0044d8d0
      0x0044d8d2
      0x0044d8d2
      0x0044d8d8
      0x0044d8da
      0x0044d8de
      0x0044d8e6
      0x0044d8f1
      0x0044d8f6
      0x0044d8f7
      0x0044d8f7
      0x0044d8f7
      0x0044d8ff
      0x0044d900
      0x0044d903
      0x0044d909
      0x0044d91d
      0x0044d923
      0x0044d923
      0x0044d927
      0x00000000
      0x0044d927
      0x0044d863
      0x0044d869
      0x0044d86c
      0x0044d87f
      0x0044d882
      0x00000000
      0x00000000
      0x00000000
      0x0044d882
      0x0044d87b
      0x00000000
      0x0044d87b
      0x0044d7d5
      0x0044d80b
      0x0044d80b
      0x0044d80d
      0x00000000
      0x0044d80d
      0x0044d7d7
      0x0044d7da
      0x0044d7f4
      0x0044d7f9
      0x00000000
      0x00000000
      0x0044d7ff
      0x0044d804
      0x00000000
      0x00000000
      0x00000000
      0x0044d806
      0x0044d7dc
      0x0044d7e8
      0x0044d7e8
      0x0044d7ea
      0x0044d7ec
      0x0044d7ee
      0x00000000
      0x0044d7ee
      0x0044d7de
      0x0044d7de
      0x0044d7df
      0x00000000
      0x00000000
      0x0044d7e1
      0x0044d7e2
      0x00000000
      0x00000000
      0x00000000
      0x0044d7e2
      0x0044d76b
      0x0044d770
      0x0044d780
      0x0044d79d
      0x0044d7ae
      0x0044d7bd
      0x0044d7bd
      0x00000000
      0x0044d770
      0x0044d5b7
      0x0044d620
      0x0044d627
      0x0044d62d
      0x0044d637
      0x0044d63e
      0x0044d643
      0x0044d64d
      0x0044d652
      0x0044d657
      0x0044d65c
      0x0044d666
      0x0044d66d
      0x0044d673
      0x0044d675
      0x0044d67d
      0x0044d680
      0x0044d687
      0x0044d689
      0x0044d68e
      0x0044d68e
      0x0044d6b8
      0x0044d6c7
      0x0044d6d6
      0x0044d6df
      0x0044d6f3
      0x0044d702
      0x0044d710
      0x0044d722
      0x0044d735
      0x0044d744
      0x0044d754
      0x00000000
      0x0044d75a
      0x0044d5b9
      0x0044d5bc
      0x0044d60e
      0x00000000
      0x0044d613
      0x0044d5c1
      0x00000000
      0x0044d5c7
      0x0044d5d2
      0x0044d5e8
      0x0044d5ee
      0x0044d5d4
      0x0044d5d7
      0x0044d5dd
      0x00000000
      0x0044d5d2

      APIs
      • InitializeCriticalSection.KERNEL32(004BDF78,2927074F), ref: 0044D567
      • GetWindowLongW.USER32(?,000000EB), ref: 0044D5CA
      • EndDialog.USER32(?,00000000), ref: 0044D5D7
      • DestroyWindow.USER32(?), ref: 0044D5E8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$CriticalDestroyDialogInitializeLongSection
      • String ID: FILTER_CONTROL$HighlightDialog$Process Monitor$You did not add the item you were editing. Add it now?
      • API String ID: 3429590198-3729010341
      • Opcode ID: 3f99d47a430bc0406ced345ed56069cce30b90f072c44527d6d048e8acabf26b
      • Instruction ID: 98b89503464b980baae35b01523fccce54995c4edb2cd67c493b7a319dd098ff
      • Opcode Fuzzy Hash: 3f99d47a430bc0406ced345ed56069cce30b90f072c44527d6d048e8acabf26b
      • Instruction Fuzzy Hash: E2B18BB1E84305BBF710AB649C4AFAF3A68E708705F14493AF602F62D1DBBC9505876D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E00424EF0(void* __ebx, void* __eflags, intOrPtr _a4) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				short _v8212;
      				char _v8452;
      				void* _v8468;
      				struct tagRECT _v8484;
      				intOrPtr _v8488;
      				intOrPtr _v8492;
      				intOrPtr _v8496;
      				int _v8500;
      				struct tagRECT _v8516;
      				char _v8517;
      				void* _v8524;
      				signed int _v8528;
      				intOrPtr _v8532;
      				void* _v8536;
      				int _v8540;
      				struct HWND__* _v8548;
      				int _v8552;
      				int _v8556;
      				int _v8560;
      				struct HWND__* _v8564;
      				int _v8568;
      				int _v8572;
      				int _v8576;
      				intOrPtr _v8588;
      				char _v8596;
      				struct _CRITICAL_SECTION* _v8600;
      				int _v8624;
      				signed int _v8628;
      				void* _v8632;
      				int _v8676;
      				int _v8680;
      				void* _v8684;
      				intOrPtr _v8712;
      				WCHAR* _v8716;
      				signed int _v8728;
      				void* _v8736;
      				void* __edi;
      				void* __esi;
      				signed int _t166;
      				signed int _t167;
      				signed int _t177;
      				long _t182;
      				long _t184;
      				void* _t187;
      				void* _t195;
      				intOrPtr _t217;
      				void* _t223;
      				intOrPtr _t230;
      				int _t235;
      				int _t237;
      				void* _t262;
      				void* _t263;
      				signed int _t271;
      				struct tagRECT _t272;
      				void* _t276;
      				int _t277;
      				signed int _t282;
      				int _t286;
      				int _t287;
      				char* _t292;
      				intOrPtr _t294;
      				void* _t295;
      				void* _t296;
      				struct HDC__* _t297;
      				void* _t298;
      				struct HWND__* _t300;
      				void* _t301;
      				long _t303;
      				int _t305;
      				void* _t306;
      				intOrPtr _t307;
      				void* _t308;
      				void* _t309;
      				signed int _t310;
      				signed int _t311;
      				void* _t327;
      				void* _t331;
      
      				_t263 = __ebx;
      				_push(0xffffffff);
      				_push(E00488326);
      				_push( *[fs:0x0]);
      				E00472600(0x2210);
      				_t166 =  *0x4bb1dc; // 0x2927074f
      				_t167 = _t166 ^ _t311;
      				_v20 = _t167;
      				_push(_t167);
      				 *[fs:0x0] =  &_v16;
      				_t294 = _a4;
      				_v8532 = _t294;
      				_v8600 = 0x4bca10;
      				_t300 =  *(_t294 + 0x14);
      				_v8548 = _t300;
      				EnterCriticalSection(0x4bca10);
      				_v8 = 0;
      				E0040D160(0x4bca10,  &_v8596,  *(_t294 + 8));
      				_v8 = 1;
      				if(_v8588 == 0) {
      					L53:
      					_v8 = 0;
      					E0040F960( &_v8596, _t300);
      					LeaveCriticalSection(0x4bca10);
      					 *[fs:0x0] = _v16;
      					_pop(_t295);
      					_pop(_t301);
      					return E0046F77E(_t263, _v20 ^ _t311, _t286, _t295, _t301);
      				}
      				_v8680 =  *(_t294 + 8);
      				_v8684 = 0xa;
      				_v8676 = 0;
      				SendMessageW(_t300, 0x104b, 0,  &_v8684);
      				_t177 = SendMessageW(_t300, 0x103b,  *0x4bd790,  &_v8468);
      				if(_t177 != 0) {
      					L12:
      					if(E004255A0(0x4bcac0) == 0) {
      						L14:
      						_v8517 = 0;
      						L15:
      						_v8536 = 0;
      						if(( *(_v8588 + 0xa) & 0x00000001) != 0) {
      							_v8536 = SelectObject( *(_t294 + 0x18),  *0x4bd70c);
      						}
      						if(( *(_t294 + 0x10) & 0x00000001) == 0) {
      							if(_v8517 == 0) {
      								_t182 = GetSysColor(8);
      								_push(5);
      								goto L24;
      							}
      							_t184 =  *0x4bd8a8; // 0x0
      							_t303 =  *0x4bd8ac; // 0x0
      							goto L25;
      						} else {
      							if(GetFocus() != _v8548) {
      								_t182 = GetSysColor(0x12);
      								_push(0xf);
      							} else {
      								_t182 = GetSysColor(0xe);
      								_push(0xd);
      							}
      							L24:
      							_v8524 = _t182;
      							_t303 = GetSysColor(??);
      							_t184 = _v8524;
      							L25:
      							SetTextColor( *(_t294 + 0x18), _t184);
      							SetBkColor( *(_t294 + 0x18), _t303);
      							_t271 = 0;
      							_t300 = 0;
      							_v8564 = 0;
      							_v8528 = 0;
      							_t327 =  *0x4bd790 - _t271; // 0x0
      							if(_t327 <= 0) {
      								L46:
      								if(_v8517 == 0) {
      									if(( *(_t294 + 0x10) & 0x00000001) == 0) {
      										L51:
      										_t187 = _v8536;
      										if(_t187 != 0) {
      											SelectObject( *(_t294 + 0x18), _t187);
      										}
      										goto L53;
      									}
      									L50:
      									_t300 = GetSysColor;
      									SetTextColor( *(_t294 + 0x18), GetSysColor(8));
      									SetBkColor( *(_t294 + 0x18), GetSysColor(5));
      									goto L51;
      								}
      								if(( *(_t294 + 0x10) & 0x00000001) != 0) {
      									FrameRect( *(_t294 + 0x18), _t294 + 0x1c, GetSysColorBrush(5));
      									_t195 = CreateSolidBrush( *0x4bd8ac);
      									asm("movdqu xmm0, [esi]");
      									_t296 = _t195;
      									asm("movdqu [ebp-0x2120], xmm0");
      									InflateRect( &_v8484, 0xffffffff, 0xffffffff);
      									FrameRect( *(_v8532 + 0x18),  &_v8484, _t296);
      									DeleteObject(_t296);
      									_t294 = _v8532;
      								}
      								goto L50;
      							}
      							while(_t300 <  *((intOrPtr*)(_t294 + 0x24)) -  *(_t294 + 0x1c)) {
      								_v8632 = 3;
      								SendMessageW(_v8548, 0x105f,  *(_t311 + _t271 * 4 - 0x2110),  &_v8632);
      								_t272 =  *(_t294 + 0x1c);
      								_t286 = _v8624;
      								_v8572 = _t286;
      								_v8712 = 0x1000;
      								_v8500 = _t300 + _t272;
      								_v8496 =  *((intOrPtr*)(_t294 + 0x20));
      								_v8488 =  *((intOrPtr*)(_t294 + 0x28));
      								_v8492 = _t272 + _t286 + _t300;
      								_v8728 =  *(_t311 + _v8528 * 4 - 0x2110);
      								_v8716 =  &_v8212;
      								SendMessageW(_v8548, 0x1073,  *(_t294 + 8),  &_v8736);
      								_t217 =  *((intOrPtr*)(0x4bd794 +  *(_t311 + _v8528 * 4 - 0x2110) * 4));
      								if(_t217 == 0x9c75 || _t217 == 0x9c77) {
      									_t305 = GetSystemMetrics(0x31);
      									_v8552 = _t305;
      									_v8540 = GetSystemMetrics(0x32);
      									if( *((intOrPtr*)(0x4bd794 +  *(_t311 + _v8528 * 4 - 0x2110) * 4)) != 0x9c75) {
      										_t223 = ( *(_v8588 + 8) & 0x0000ffff) - 1;
      										if(_t223 > 4) {
      											L41:
      											asm("movdqu xmm0, [ebp-0x2130]");
      											asm("movd eax, xmm0");
      											asm("movdqu [ebp-0x2120], xmm0");
      											_v8484.right = _t223 + _t305;
      											_t306 = CreateSolidBrush(GetBkColor( *(_t294 + 0x18)));
      											FillRect( *(_t294 + 0x18),  &_v8484, _t306);
      											DeleteObject(_t306);
      											_t230 = _v8488;
      											_t307 = _v8496;
      											_t276 = _t230 - _t307;
      											_t287 = _v8552;
      											_t288 =  <  ? _t276 : _t287;
      											_v8560 =  <  ? _t276 : _t287;
      											_t286 =  <  ? _t276 : _v8540;
      											_t277 = _v8500;
      											_v8556 = _t286;
      											_v8576 = _t277;
      											asm("cdq");
      											_t235 = (_t230 - _t286 - _t307 - _t286 >> 1) + _t307;
      											_v8568 = _t235;
      											if(( *(_t294 + 0x10) & 0x00000001) == 0) {
      												DrawIconEx( *(_t294 + 0x18), _t277, _t235, _v8524, _v8560, _v8556, 0, 0, 3);
      											} else {
      												_t309 = ImageList_Create(_v8552, _v8540, 0xfe, 1, 1);
      												ImageList_SetBkColor(_t309, GetSysColor(5));
      												ImageList_DrawEx(_t309, ImageList_ReplaceIcon(_t309, 0xffffffff, _v8524),  *(_t294 + 0x18), _v8576, _v8568, _v8560, _v8556, 0xff000000, 0xff000000, 4);
      												ImageList_Destroy(_t309);
      											}
      											asm("movdqu xmm0, [ebp-0x2130]");
      											asm("movdqu [ebp-0x2120], xmm0");
      											_t237 = GetSystemMetrics(0x31);
      											_t297 =  *(_t294 + 0x18);
      											_v8484.left = _v8484.left + _t237;
      											_t308 = CreateSolidBrush(GetBkColor(_t297));
      											FillRect(_t297,  &_v8484, _t308);
      											DeleteObject(_t308);
      											SetBkMode(_t297, 2);
      											asm("movdqu xmm0, [ebp-0x2120]");
      											asm("movdqu [ebp-0x2140], xmm0");
      											DrawTextW(_t297,  &_v8212, 0xffffffff,  &_v8516, 0x40824);
      											_t294 = _v8532;
      											_t300 = _v8564;
      											goto L45;
      										}
      										switch( *((intOrPtr*)(_t223 * 4 +  &M00425584))) {
      											case 0:
      												_t223 =  *0x4bcb28;
      												goto L40;
      											case 1:
      												__eax =  *0x4bcb20;
      												goto L40;
      											case 2:
      												__eax =  *0x4bcb24;
      												goto L40;
      											case 3:
      												__eax =  *0x4bcb2c;
      												goto L40;
      											case 4:
      												__eax =  *0x4bcb30;
      												L40:
      												_v8524 = _t223;
      												goto L41;
      										}
      									}
      									_t223 = E004119A0( &_v8596, _t286, 0x10);
      									goto L40;
      								} else {
      									E00424E50( *(_t294 + 0x18),  &_v8212,  &_v8500, _v8628 & 1);
      									L45:
      									_t300 = _t300 + _v8572;
      									_t271 = _v8528 + 1;
      									_v8564 = _t300;
      									_v8528 = _t271;
      									_t331 = _t271 -  *0x4bd790; // 0x0
      									if(_t331 < 0) {
      										continue;
      									}
      									goto L46;
      								}
      							}
      							goto L46;
      						}
      					}
      					_t262 = E00414070(0x4bcac0,  &_v8596);
      					_v8517 = 1;
      					if(_t262 != 0) {
      						goto L15;
      					}
      					goto L14;
      				}
      				_t310 =  *0x4bd790; // 0x0
      				if(_t310 <= 0) {
      					goto L12;
      				}
      				if(_t310 < 8) {
      					L9:
      					if(_t177 >= _t310) {
      						goto L12;
      					}
      					do {
      						 *(_t311 + _t177 * 4 - 0x2110) = _t177;
      						_t177 = _t177 + 1;
      					} while (_t177 < _t310);
      					goto L12;
      				} else {
      					asm("movdqa xmm1, [0x498050]");
      					_t282 = _t310 & 0x80000007;
      					if(_t282 < 0) {
      						_t282 = (_t282 - 0x00000001 | 0xfffffff8) + 1;
      					}
      					_v8536 = _t310 - _t282;
      					_t292 =  &_v8452;
      					_t298 = _v8536;
      					do {
      						asm("movd xmm0, eax");
      						asm("pshufd xmm0, xmm0, 0x0");
      						_t292 = _t292 + 0x20;
      						asm("paddd xmm0, xmm1");
      						_t177 = _t177 + 8;
      						asm("movdqu [edx-0x30], xmm0");
      						asm("movd xmm0, ecx");
      						asm("pshufd xmm0, xmm0, 0x0");
      						asm("paddd xmm0, xmm1");
      						asm("movdqu [edx-0x20], xmm0");
      					} while (_t177 < _t298);
      					_t294 = _v8532;
      					goto L9;
      				}
      			}


      APIs
      • EnterCriticalSection.KERNEL32 ref: 00424F42
      • SendMessageW.USER32 ref: 00424FA0
      • SendMessageW.USER32(?,0000103B,?), ref: 00424FB9
      • SelectObject.GDI32(?), ref: 004250AD
      • GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004250C5
      • GetSysColor.USER32(0000000E), ref: 004250D5
      • GetSysColor.USER32(00000012), ref: 004250DD
      • GetSysColor.USER32(00000005), ref: 00425105
      • SetTextColor.GDI32(?,?), ref: 00425113
      • SetBkColor.GDI32(?,00000000), ref: 0042511D
      • SendMessageW.USER32(?,0000105F,?,?), ref: 00425171
      • SendMessageW.USER32(?,00001073,?,?), ref: 004251EA
      • GetSystemMetrics.USER32 ref: 0042523B
      • GetSystemMetrics.USER32 ref: 0042524B
      • GetBkColor.GDI32(?), ref: 004252DD
      • CreateSolidBrush.GDI32(00000000), ref: 004252E4
      • FillRect.USER32 ref: 004252F7
      • DeleteObject.GDI32(00000000), ref: 004252FE
      • ImageList_Create.COMCTL32(?,?,000000FE,00000001,00000001), ref: 0042536E
      • GetSysColor.USER32(00000005), ref: 00425378
      • ImageList_SetBkColor.COMCTL32(00000000,00000000), ref: 00425380
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?), ref: 0042538F
      • ImageList_DrawEx.COMCTL32(00000000,00000000,?,?,?,?,?,FF000000,FF000000,00000004), ref: 004253BE
      • ImageList_Destroy.COMCTL32(00000000), ref: 004253C5
      • GetSysColorBrush.USER32(00000005), ref: 004254B1
      • FrameRect.USER32 ref: 004254BC
      • CreateSolidBrush.GDI32 ref: 004254C8
      • InflateRect.USER32(?,000000FF,000000FF), ref: 004254E7
      • FrameRect.USER32 ref: 004254FE
      • DeleteObject.GDI32(00000000), ref: 00425505
      • GetSysColor.USER32(00000008), ref: 00425521
      • SetTextColor.GDI32(?,00000000), ref: 00425527
      • GetSysColor.USER32(00000005), ref: 0042552F
      • SetBkColor.GDI32(?,00000000), ref: 00425535
      • SelectObject.GDI32(?,00000000), ref: 00425549
      • LeaveCriticalSection.KERNEL32(004BCA10,?,?), ref: 00425563
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Color$ImageList_$MessageObjectRectSend$BrushCreate$CriticalDeleteFrameMetricsSectionSelectSolidSystemText$DestroyDrawEnterFillFocusIconInflateLeaveReplace
      • String ID:
      • API String ID: 3633396157-0
      • Opcode ID: 130fd42d45b46b1964072588689bc31a97385c7b6a3aee58863ddd4583cfac56
      • Instruction ID: 8b1023dffd639966a88090638eff1b3f80ddbe5355c3b4c444af244342eb1876
      • Opcode Fuzzy Hash: 130fd42d45b46b1964072588689bc31a97385c7b6a3aee58863ddd4583cfac56
      • Instruction Fuzzy Hash: 89026231900628EFDB219F64DC4CAEDBBB4FB19300F5046EAE649A2290D7745ED5CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E0040EFC0(char* __edx, struct HWND__* _a4, intOrPtr _a8, char _a12) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				intOrPtr _v24;
      				char _v72;
      				void* _v76;
      				void* _v80;
      				char** _v84;
      				char _v88;
      				char _v92;
      				char _v96;
      				char _v100;
      				WCHAR** _v104;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t77;
      				signed int _t78;
      				void* _t88;
      				WCHAR** _t95;
      				WCHAR* _t96;
      				WCHAR* _t99;
      				char _t101;
      				intOrPtr _t108;
      				void* _t116;
      				char** _t120;
      				WCHAR** _t135;
      				WCHAR* _t136;
      				void* _t147;
      				char** _t166;
      				signed int _t169;
      				char* _t170;
      				struct HWND__* _t177;
      				void* _t178;
      				void* _t181;
      				WCHAR** _t182;
      				signed int _t184;
      				void* _t185;
      				void* _t186;
      				void* _t187;
      
      				_t174 = __edx;
      				_push(0xffffffff);
      				_push(E004863F0);
      				_push( *[fs:0x0]);
      				_t186 = _t185 - 0x58;
      				_t77 =  *0x4bb1dc; // 0x2927074f
      				_t78 = _t77 ^ _t184;
      				_v20 = _t78;
      				_push(_t78);
      				 *[fs:0x0] =  &_v16;
      				_t146 = _a8;
      				_t177 = _a4;
      				if(_a8 == 0) {
      					E0040EE70(_t146, __edx, _t177);
      					goto L40;
      				} else {
      					E0040F410(_t146, __edx, _t177,  &_v104, 1);
      					_t187 = _t186 + 8;
      					_t182 = _v104;
      					_v8 = 0;
      					if(_t182 == 0) {
      						L33:
      						if(_a12 == 0) {
      							E00402050(L".\n\nMake sure that you have permission to\nwrite to the %%SystemRoot%%\\System32\\Drivers directory.");
      							_v8 = 1;
      							_t88 = E00402050(L"PROCMON23.SYS");
      							_v8 = 2;
      							E0040EC80(_t146,  &_v96, L"Unable to write ", _t88);
      							_v8 = 3;
      							E0040ECF0( &_v84,  &_v80);
      							E00403A00( &_v96);
      							E00403A00( &_v100);
      							E00403A00( &_v80);
      							_t95 = _v84;
      							if(_t95 == 0) {
      								_t96 = 0;
      							} else {
      								_t96 =  *_t95;
      							}
      							MessageBoxW(_t177, _t96, L"Process Monitor", 0x10);
      							E00403A00( &_v84);
      						}
      						E00403A00( &_v104);
      					} else {
      						_t99 =  *_t182;
      						if(_t99 == 0) {
      							goto L33;
      						} else {
      							__imp__#7(_t99);
      							if(_t99 == 0) {
      								goto L33;
      							} else {
      								_t101 = RegCreateKeyW(0x80000002, L"System\\CurrentControlSet\\Services\\PROCMON23",  &_v76);
      								if(_t101 != 0) {
      									DeleteFileW( *_t182);
      									if(_a12 == 0) {
      										MessageBoxW(_t177, L"Error configuring boot logging", L"Process Monitor", 0x10);
      									}
      									_t146 = 0;
      									E00403A00( &_v104);
      									goto L40;
      								} else {
      									_v88 = _t101;
      									if( *0x4bd2e9 == _t101) {
      										E0040ED60(_t146, _t174, _t177,  &_v92);
      										_t187 = _t187 + 4;
      										_v8 = 4;
      										if(_a12 == 0) {
      											E00402050(L"Process Monitor is configured to log activity during the next boot.");
      											_t135 = _v80;
      											if(_t135 == 0) {
      												_t136 = 0;
      											} else {
      												_t136 =  *_t135;
      											}
      											MessageBoxW(_t177, _t136, L"Process Monitor", 0x40);
      											E00403A00( &_v80);
      										}
      										_v8 = 0;
      										E00403A00( &_v92);
      										goto L15;
      									} else {
      										if(_a12 != _t101 || DialogBoxParamW( *0x4bd2c4, L"BOOTLOG_OPTIONS", _t177, E004569B0,  &_v88) != 0) {
      											L15:
      											asm("movdqu xmm0, [0x496a10]");
      											_t108 =  *0x496a40; // 0x72
      											asm("movdqu [ebp-0x44], xmm0");
      											_v24 = _t108;
      											asm("movdqu xmm0, [0x496a20]");
      											_v100 = 0;
      											_v96 = 1;
      											asm("movdqu [ebp-0x34], xmm0");
      											asm("movdqu xmm0, [0x496a30]");
      											asm("movdqu [ebp-0x24], xmm0");
      											RegDeleteValueW(_v76, L"DeleteFlag");
      											RegSetValueExW(_v76, L"Start", 0, 4,  &_v100, 4);
      											RegSetValueExW(_v76, L"Group", 0, 1,  &_v72, 0x34);
      											RegSetValueExW(_v76, L"Type", 0, 4,  &_v96, 4);
      											_t116 = E00402050(L"PROCMON23.SYS");
      											_v8 = 5;
      											E0040EC80(_t146,  &_v84, L"System32\\Drivers\\", _t116);
      											E00403A00( &_v92);
      											_t120 = _v84;
      											if(_t120 == 0) {
      												_t166 = 0;
      												goto L22;
      											} else {
      												_t170 =  *_t120;
      												if(_t170 == 0) {
      													_t166 = 0;
      												} else {
      													__imp__#7(_t170);
      													_t166 = _t120;
      													_t120 = _v84;
      												}
      												if(_t120 == 0) {
      													L22:
      													_t174 = 0;
      												} else {
      													_t174 =  *_t120;
      												}
      											}
      											RegSetValueExW(_v76, L"ImagePath", 0, 2, _t174, _t166 + _t166);
      											if(_v88 != 0 && RegCreateKeyW(_v76, L"Parameters",  &_v80) == 0) {
      												_t169 = _v88;
      												if(_t169 == 0) {
      													_v88 = 0;
      												} else {
      													_t174 = 0x989680 % _t169;
      													_v88 = 0x989680 / _t169;
      												}
      												RegSetValueExW(_v80, L"ThreadProfiling", 0, 4,  &_v88, 4);
      												RegCloseKey(_v80);
      											}
      											E0040EDC0(_v76);
      											RegCloseKey(_v76);
      											E00403A00( &_v84);
      											E00403A00( &_v104);
      											L40:
      										} else {
      											RegDeleteKeyW(0x80000002, L"System\\CurrentControlSet\\Services\\PROCMON23");
      											RegCloseKey(_v76);
      											E00403A00( &_v104);
      										}
      									}
      								}
      							}
      						}
      					}
      				}
      				 *[fs:0x0] = _v16;
      				_pop(_t178);
      				_pop(_t181);
      				_pop(_t147);
      				return E0046F77E(_t147, _v20 ^ _t184, _t174, _t178, _t181);
      			}


      APIs
        • Part of subcall function 0040F410: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040F43D
        • Part of subcall function 0040F410: GetLastError.KERNEL32 ref: 0040F47C
      • SysStringLen.OLEAUT32(00000000), ref: 0040F024
      • RegCreateKeyW.ADVAPI32(80000002,System\CurrentControlSet\Services\PROCMON23,?), ref: 0040F040
      • DialogBoxParamW.USER32 ref: 0040F077
      • RegDeleteKeyW.ADVAPI32(80000002,System\CurrentControlSet\Services\PROCMON23), ref: 0040F08B
      • RegCloseKey.ADVAPI32(?), ref: 0040F094
        • Part of subcall function 00403A00: InterlockedDecrement.KERNEL32(00000008), ref: 00403A0E
        • Part of subcall function 00403A00: SysFreeString.OLEAUT32(00000000), ref: 00403A23
      • MessageBoxW.USER32(?,00000000,Process Monitor,00000040), ref: 0040F0E2
      • RegDeleteValueW.ADVAPI32(?,DeleteFlag), ref: 0040F141
      • RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,00000000,00000004), ref: 0040F15F
      • RegSetValueExW.ADVAPI32(?,Group,00000000,00000001,?,00000034), ref: 0040F173
      • RegSetValueExW.ADVAPI32(?,Type,00000000,00000004,00000001,00000004), ref: 0040F187
      • SysStringLen.OLEAUT32 ref: 0040F1C2
      • RegSetValueExW.ADVAPI32(?,ImagePath,00000000,00000002,00000000,?,?,?,PROCMON23.SYS), ref: 0040F1EE
      • RegCreateKeyW.ADVAPI32(?,Parameters,?), ref: 0040F208
      • RegSetValueExW.ADVAPI32(?,ThreadProfiling,00000000,00000004,00000000,00000004,?,?,PROCMON23.SYS), ref: 0040F240
      • RegCloseKey.ADVAPI32(?,?,?,PROCMON23.SYS), ref: 0040F245
      • RegCloseKey.ADVAPI32(?,?,?,?,PROCMON23.SYS), ref: 0040F255
      • DeleteFileW.KERNEL32(?), ref: 0040F26E
      • MessageBoxW.USER32(?,Error configuring boot logging,Process Monitor,00000010), ref: 0040F287
      • MessageBoxW.USER32(?,00000000,Process Monitor,00000010), ref: 0040F31B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Value$CloseDeleteMessageString$Create$DecrementDialogDirectoryErrorFileFreeInterlockedLastParamSystem
      • String ID: .Make sure that you have permission towrite to the %%SystemRoot%%\System32\Drivers directory.$BOOTLOG_OPTIONS$DeleteFlag$Error configuring boot logging$Group$ImagePath$PROCMON23.SYS$Parameters$Process Monitor$Process Monitor is configured to log activity during the next boot.$Start$System32\Drivers\$System\CurrentControlSet\Services\PROCMON23$ThreadProfiling$Type$Unable to write
      • API String ID: 549132588-3812335773
      • Opcode ID: fa95f904be404fcefbb01468c0b218a78bb1e20d6fe0cabc22ed7addea8f9b10
      • Instruction ID: 81bbb34337947f2be7a5b300104f3d735f17205cdf7c7418dc66a6a69db975b8
      • Opcode Fuzzy Hash: fa95f904be404fcefbb01468c0b218a78bb1e20d6fe0cabc22ed7addea8f9b10
      • Instruction Fuzzy Hash: EAA15F70A40248AAEF20DFA1DC46FAE7F78AF15704F14443EE902B65D1DBB95A09CB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E004229A0(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
      				char _v8;
      				char _v16;
      				intOrPtr* _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				char _v40;
      				char _v44;
      				char _v48;
      				char _v52;
      				char _v56;
      				char _v60;
      				char _v64;
      				char _v68;
      				struct _CRITICAL_SECTION* _v72;
      				intOrPtr _v76;
      				char _v80;
      				void* _v84;
      				char _v96;
      				void* __ebx;
      				void* __edi;
      				signed int _t121;
      				intOrPtr _t126;
      				void* _t128;
      				void* _t134;
      				void* _t138;
      				void* _t142;
      				void* _t146;
      				void* _t151;
      				void* _t155;
      				void* _t159;
      				void* _t163;
      				void* _t167;
      				intOrPtr* _t191;
      				intOrPtr* _t196;
      				void* _t208;
      				void* _t213;
      				void* _t218;
      				intOrPtr _t249;
      				intOrPtr* _t284;
      				void* _t298;
      				intOrPtr* _t300;
      				intOrPtr _t302;
      				struct _CRITICAL_SECTION* _t305;
      				intOrPtr* _t306;
      				intOrPtr* _t307;
      				intOrPtr* _t308;
      				signed int _t309;
      				void* _t310;
      				void* _t311;
      				void* _t314;
      				void* _t316;
      				void* _t318;
      				void* _t320;
      				void* _t322;
      				void* _t324;
      				void* _t326;
      				void* _t328;
      				void* _t330;
      				void* _t338;
      				void* _t339;
      				void* _t342;
      				void* _t344;
      				void* _t346;
      
      				_t298 = __edx;
      				_push(0xffffffff);
      				_push(E00488060);
      				_push( *[fs:0x0]);
      				_t311 = _t310 - 0x50;
      				_t121 =  *0x4bb1dc; // 0x2927074f
      				_push(_t121 ^ _t309);
      				 *[fs:0x0] =  &_v16;
      				_v76 = __ecx;
      				_t300 =  *((intOrPtr*)(__ecx + 0x30));
      				_v20 = _t300;
      				if(_t300 !=  *((intOrPtr*)(__ecx + 0x34))) {
      					_t249 = _a4;
      					do {
      						_t126 =  *_t300;
      						_a4 = _t126;
      						_t305 = _t126 + 0x4ec;
      						_v72 = _t305;
      						EnterCriticalSection(_t305);
      						_v8 = 0;
      						E0043EDC0( &_v96, _t305);
      						_t128 = E0043F020( &_v96);
      						_t351 = _t128;
      						if(_t128 != 0) {
      							_t302 = _a4;
      							do {
      								E00438E60(_t351, _t249, L"process", 1);
      								E00472329(_t298, 0xa, _t249);
      								_t306 = E0043F020( &_v96);
      								_t134 = E00436170(_t249, _t298, _t302, _t351,  &_v24,  *_t306, 0);
      								_v8 = 1;
      								E00438C20(_t351, _t249, L"ProcessIndex", E0046A170(_t134));
      								_t257 = _v24;
      								_t314 = _t311 + 0x2c;
      								_v8 = 0;
      								_t352 = _v24;
      								if(_v24 != 0) {
      									E0046A700(_t257);
      								}
      								_t138 = E00436170(_t249, _t298, _t302, _t352,  &_v28,  *((intOrPtr*)(_t306 + 4)), 0);
      								_v8 = 2;
      								E00438C20(_t352, _t249, L"ProcessId", E0046A170(_t138));
      								_t259 = _v28;
      								_t316 = _t314 + 0x18;
      								_v8 = 0;
      								_t353 = _v28;
      								if(_v28 != 0) {
      									E0046A700(_t259);
      								}
      								_t142 = E00436170(_t249, _t298, _t302, _t353,  &_v32,  *((intOrPtr*)(_t306 + 8)), 0);
      								_v8 = 3;
      								E00438C20(_t353, _t249, L"ParentProcessId", E0046A170(_t142));
      								_t261 = _v32;
      								_t318 = _t316 + 0x18;
      								_v8 = 0;
      								_t354 = _v32;
      								if(_v32 != 0) {
      									E0046A700(_t261);
      								}
      								_t146 = E00436170(_t249, _t298, _t302, _t354,  &_v36,  *((intOrPtr*)(_t306 + 0xc)), 0);
      								_v8 = 4;
      								E00438C20(_t354, _t249, L"ParentProcessIndex", E0046A170(_t146));
      								_t263 = _v36;
      								_t320 = _t318 + 0x18;
      								_v8 = 0;
      								_t355 = _v36;
      								if(_v36 != 0) {
      									E0046A700(_t263);
      								}
      								_t34 = _t306 + 0x10; // 0x10
      								_t151 = E00431CA0(_t249, _t298, _t302, _t355,  &_v40, _t34);
      								_v8 = 5;
      								E00438C20(_t355, _t249, L"AuthenticationId", E0046A170(_t151));
      								_t265 = _v40;
      								_t322 = _t320 + 0x14;
      								_v8 = 0;
      								_t356 = _v40;
      								if(_v40 != 0) {
      									E0046A700(_t265);
      								}
      								_t155 = E00436170(_t249, _t298, _t302, _t356,  &_v44,  *((intOrPtr*)(_t306 + 0x20)),  *((intOrPtr*)(_t306 + 0x24)));
      								_v8 = 6;
      								E00438C20(_t356, _t249, L"CreateTime", E0046A170(_t155));
      								_t267 = _v44;
      								_t324 = _t322 + 0x18;
      								_v8 = 0;
      								_t357 = _v44;
      								if(_v44 != 0) {
      									E0046A700(_t267);
      								}
      								_t159 = E00436170(_t249, _t298, _t302, _t357,  &_v48,  *((intOrPtr*)(_t306 + 0x28)),  *((intOrPtr*)(_t306 + 0x2c)));
      								_v8 = 7;
      								E00438C20(_t357, _t249, L"FinishTime", E0046A170(_t159));
      								_t269 = _v48;
      								_t326 = _t324 + 0x18;
      								_v8 = 0;
      								_t358 = _v48;
      								if(_v48 != 0) {
      									E0046A700(_t269);
      								}
      								_t163 = E00436170(_t249, _t298, _t302, _t358,  &_v52,  *((intOrPtr*)(_t306 + 0x30)), 0);
      								_v8 = 8;
      								E00438C20(_t358, _t249, L"IsVirtualized", E0046A170(_t163));
      								_t271 = _v52;
      								_t328 = _t326 + 0x18;
      								_v8 = 0;
      								_t359 = _v52;
      								if(_v52 != 0) {
      									E0046A700(_t271);
      								}
      								_t167 = E00436170(_t249, _t298, _t302, _t359,  &_v56,  *((intOrPtr*)(_t306 + 0x34)), 0);
      								_v8 = 9;
      								E00438C20(_t359, _t249, L"Is64bit", E0046A170(_t167));
      								_t273 = _v56;
      								_t330 = _t328 + 0x18;
      								_v8 = 0;
      								_t360 = _v56;
      								if(_v56 != 0) {
      									E0046A700(_t273);
      								}
      								E00438C20(_t360, _t249, L"Integrity", E00467450(_t302,  *((intOrPtr*)(_t306 + 0x38))));
      								E00438C20(_t360, _t249, L"Owner", E00467450(_t302,  *((intOrPtr*)(_t306 + 0x3c))));
      								E00438C20(_t360, _t249, L"ProcessName", E00467450(_t302,  *((intOrPtr*)(_t306 + 0x40))));
      								E00438C20(_t360, _t249, L"ImagePath", E00467450(_t302,  *((intOrPtr*)(_t306 + 0x44))));
      								E00438C20(_t360, _t249, L"CommandLine", E00467450(_t302,  *((intOrPtr*)(_t306 + 0x48))));
      								E00438C20(_t360, _t249, L"CompanyName", E00467450(_t302,  *((intOrPtr*)(_t306 + 0x4c))));
      								E00438C20(_t360, _t249, L"Version", E00467450(_t302,  *((intOrPtr*)(_t306 + 0x50))));
      								E00438C20(_t360, _t249, L"Description", E00467450(_t302,  *((intOrPtr*)(_t306 + 0x54))));
      								E00438E60(_t360, _t249, L"modulelist", 1);
      								E00472329(_t298, 0xa, _t249);
      								_t338 = _t330 + 0x74;
      								_v84 = 0;
      								_v80 = 0;
      								_v84 = E00419990(0, 0);
      								_v8 = 0xa;
      								E00441040(_t306, 0xffffffff, 0xffffffff,  &_v84);
      								_t191 = _v84;
      								_t307 =  *_t191;
      								_t361 = _t307 - _t191;
      								if(_t307 != _t191) {
      									do {
      										_a4 =  *((intOrPtr*)(_t307 + 8));
      										E00438E60(_t361, _t249, L"module", 1);
      										E00472329(_t298, 0xa, _t249);
      										_t208 = E00436170(_t249, _t298, _t302, _t361,  &_v60, E00442D80(_a4), _t298);
      										_v8 = 0xb;
      										E00438C20(_t361, _t249, L"Timestamp", E0046A170(_t208));
      										_t289 = _v60;
      										_t342 = _t338 + 0x2c;
      										_v8 = 0xa;
      										_t362 = _v60;
      										if(_v60 != 0) {
      											E0046A700(_t289);
      										}
      										_t84 = _a4 + 4; // 0xff00497d
      										_t213 = E00436110(_t249, _t298, _t302, _t362,  &_v64,  *_t84, 0);
      										_v8 = 0xc;
      										E00438C20(_t362, _t249, L"BaseAddress", E0046A170(_t213));
      										_t291 = _v64;
      										_t344 = _t342 + 0x18;
      										_v8 = 0xa;
      										_t363 = _v64;
      										if(_v64 != 0) {
      											E0046A700(_t291);
      										}
      										_t90 = _a4 + 8; // 0xfffde0b5
      										_t218 = E00436170(_t249, _t298, _t302, _t363,  &_v68,  *_t90, 0);
      										_v8 = 0xd;
      										E00438C20(_t363, _t249, L"Size", E0046A170(_t218));
      										_t293 = _v68;
      										_t346 = _t344 + 0x18;
      										_v8 = 0xa;
      										_t364 = _v68;
      										if(_v68 != 0) {
      											E0046A700(_t293);
      										}
      										_t96 = _a4 + 0xc; // 0x72ade8ff
      										E00438C20(_t364, _t249, L"Path", E00467450(_t302,  *_t96));
      										_t98 = _a4 + 0x10; // 0x16a0001
      										E00438C20(_t364, _t249, L"Version", E00467450(_t302,  *_t98));
      										_t100 = _a4 + 0x14; // 0x497da068
      										E00438C20(_t364, _t249, L"Company", E00467450(_t302,  *_t100));
      										_t102 = _a4 + 0x18; // 0xe0b5ff00
      										E00438C20(_t364, _t249, L"Description", E00467450(_t302,  *_t102));
      										E00438E60(_t364, _t249, L"module", 0);
      										E00472329(_t298, 0xa, _t249);
      										_t307 =  *_t307;
      										_t338 = _t346 + 0x44;
      										_t365 = _t307 - _v84;
      									} while (_t307 != _v84);
      								}
      								E00438E60(_t365, _t249, L"modulelist", 0);
      								E00472329(_t298, 0xa, _t249);
      								E00438E60(_t365, _t249, L"process", 0);
      								E00472329(_t298, 0xa, _t249);
      								_t196 = _v84;
      								_t339 = _t338 + 0x28;
      								_v8 = 0;
      								_t284 =  *_t196;
      								 *_t196 = _t196;
      								 *((intOrPtr*)(_v84 + 4)) = _v84;
      								_t198 = _v84;
      								_v80 = 0;
      								if(_t284 != _v84) {
      									do {
      										_t308 =  *_t284;
      										E0046EF07(_t284);
      										_t198 = _v84;
      										_t339 = _t339 + 4;
      										_t284 = _t308;
      									} while (_t308 != _v84);
      								}
      								E0046EF07(_t198);
      								_t311 = _t339 + 4;
      								E0043F050( &_v96);
      							} while (E0043F020( &_v96) != 0);
      							_t300 = _v20;
      							_t305 = _v72;
      						}
      						_v8 = 0xffffffff;
      						LeaveCriticalSection(_t305);
      						_t300 = _t300 + 4;
      						_v20 = _t300;
      					} while (_t300 !=  *((intOrPtr*)(_v76 + 0x34)));
      				}
      				 *[fs:0x0] = _v16;
      				return 1;
      			}
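The function above walks the process table under each per-process critical section and serialises every process (ProcessIndex, ProcessId, ParentProcessIndex, AuthenticationId, CreateTime, Integrity, Owner, ImagePath, CommandLine, ...) followed by a modulelist of module elements (Timestamp, BaseAddress, Size, Path, Version, Company, Description). The element names are the literal wide strings passed to the tag-writing helpers (E00438E60 opens or closes a tag, E00438C20 writes a tag with a value). The reader below is an added example, not code from the report or from Sysinternals: it parses output in that layout, rebuilds the process tree on ParentProcessIndex (the stable key; PIDs are reused) and flags modules mapped from user-writable directories. The outer `<procmon><processlist>` wrapper in the constructed sample is an assumption, since this function only writes the per-process elements and its caller supplies the root.

```python
"""Reader for the process/module XML layout emitted by E004229A0 (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input, not taken from the report. The <procmon><processlist>
# root is assumed; only the <process>/<modulelist>/<module> layout comes from the
# decompiled function.
SAMPLE_XML = r"""<procmon><processlist>
<process>
<ProcessIndex>1</ProcessIndex><ProcessId>4</ProcessId>
<ParentProcessId>0</ParentProcessId><ParentProcessIndex>0</ParentProcessIndex>
<AuthenticationId>00000000:000003e7</AuthenticationId>
<CreateTime>132950000000000000</CreateTime><FinishTime>0</FinishTime>
<IsVirtualized>0</IsVirtualized><Is64bit>1</Is64bit>
<Integrity>System</Integrity><Owner>NT AUTHORITY\SYSTEM</Owner>
<ProcessName>System</ProcessName><ImagePath>System</ImagePath>
<CommandLine></CommandLine><CompanyName></CompanyName>
<Version></Version><Description></Description>
<modulelist></modulelist>
</process>
<process>
<ProcessIndex>7</ProcessIndex><ProcessId>4120</ProcessId>
<ParentProcessId>4</ParentProcessId><ParentProcessIndex>1</ParentProcessIndex>
<AuthenticationId>00000000:0001b2f4</AuthenticationId>
<CreateTime>132950000123456789</CreateTime><FinishTime>0</FinishTime>
<IsVirtualized>0</IsVirtualized><Is64bit>0</Is64bit>
<Integrity>High</Integrity><Owner>DESKTOP-1\user</Owner>
<ProcessName>Process Monitor.exe</ProcessName>
<ImagePath>C:\Users\user\Desktop\Process Monitor.exe</ImagePath>
<CommandLine>"C:\Users\user\Desktop\Process Monitor.exe"</CommandLine>
<CompanyName>Sysinternals</CompanyName><Version>3.93</Version>
<Description>Process Monitor</Description>
<modulelist>
<module><Timestamp>132950000123456789</Timestamp>
<BaseAddress>0x400000</BaseAddress><Size>0xc6000</Size>
<Path>C:\Users\user\Desktop\Process Monitor.exe</Path>
<Version>3.93</Version><Company>Sysinternals</Company>
<Description>Process Monitor</Description></module>
<module><Timestamp>132950000123456790</Timestamp>
<BaseAddress>0x77000000</BaseAddress><Size>0x1a0000</Size>
<Path>C:\Windows\SysWOW64\ntdll.dll</Path>
<Version>10.0.19041.1</Version><Company>Microsoft Corporation</Company>
<Description>NT Layer DLL</Description></module>
<module><Timestamp>132950000123456791</Timestamp>
<BaseAddress>0x10000000</BaseAddress><Size>0x8000</Size>
<Path>C:\Users\user\AppData\Local\Temp\helper.dll</Path>
<Version></Version><Company></Company><Description></Description></module>
</modulelist>
</process>
</processlist></procmon>
"""

# Field order as written by E004229A0 (process block, then each module).
PROCESS_FIELDS = ("ProcessIndex", "ProcessId", "ParentProcessId", "ParentProcessIndex",
                  "AuthenticationId", "CreateTime", "FinishTime", "IsVirtualized",
                  "Is64bit", "Integrity", "Owner", "ProcessName", "ImagePath",
                  "CommandLine", "CompanyName", "Version", "Description")
MODULE_FIELDS = ("Timestamp", "BaseAddress", "Size", "Path", "Version", "Company", "Description")


def _text(elem, tag):
    """Text of a child element, or '' when the element is absent or empty."""
    child = elem.find(tag)
    return (child.text or "") if child is not None else ""


def parse_processes(xml_text):
    """Return {ProcessIndex: {field: value, 'modules': [module dicts]}} for every <process>."""
    root = ET.fromstring(xml_text)
    procs = {}
    for p in root.iter("process"):
        rec = {f: _text(p, f) for f in PROCESS_FIELDS}
        rec["modules"] = [{f: _text(m, f) for f in MODULE_FIELDS}
                          for m in p.findall("modulelist/module")]
        procs[int(rec["ProcessIndex"])] = rec
    return procs


def process_tree(procs):
    """Children keyed by parent ProcessIndex; index, not PID, is the stable link."""
    tree = defaultdict(list)
    for idx, rec in procs.items():
        tree[int(rec["ParentProcessIndex"])].append(idx)
    return dict(tree)


def render_tree(procs, tree, idx=0, depth=0, out=None):
    """Indented 'pid name [Integrity, bitness]' lines, depth-first below index `idx`."""
    out = [] if out is None else out
    for child in sorted(tree.get(idx, [])):
        r = procs[child]
        bits = "64-bit" if r["Is64bit"] == "1" else "32-bit"
        out.append(f"{'  ' * depth}{r['ProcessId']} {r['ProcessName']} [{r['Integrity']}, {bits}]")
        render_tree(procs, tree, child, depth + 1, out)
    return out


# Path fragments (lower-cased) that a standard user can write to; an assumption for triage.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")


def suspicious_modules(procs, markers=USER_WRITABLE):
    """(pid, module path) for every module mapped from a user-writable location."""
    hits = []
    for rec in procs.values():
        pid = int(rec["ProcessId"])
        for m in rec["modules"]:
            if any(marker in m["Path"].lower() for marker in markers):
                hits.append((pid, m["Path"]))
    return hits


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_XML)
    print("\n".join(render_tree(procs, process_tree(procs))))
    for pid, path in suspicious_modules(procs):
        print(f"pid {pid}: module loaded from user-writable path: {path}")
```

Keying on ProcessIndex rather than ProcessId matters for long captures: a PID that exits and is reused shows up as two distinct indexes with different CreateTime values, and the module list belongs to the index, not the PID.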

      0x004229a0
      0x004229a3
      0x004229a5
      0x004229b0
      0x004229b1
      0x004229b7
      0x004229be
      0x004229c2
      0x004229ca
      0x004229cd
      0x004229d0
      0x004229d6
      0x004229dc
      0x004229e0
      0x004229e0
      0x004229e2
      0x004229e5
      0x004229ec
      0x004229ef
      0x004229f9
      0x00422a00
      0x00422a08
      0x00422a0d
      0x00422a0f
      0x00422a15
      0x00422a18
      0x00422a20
      0x00422a28
      0x00422a38
      0x00422a42
      0x00422a4c
      0x00422a5c
      0x00422a61
      0x00422a64
      0x00422a67
      0x00422a6b
      0x00422a6d
      0x00422a6f
      0x00422a6f
      0x00422a7d
      0x00422a87
      0x00422a97
      0x00422a9c
      0x00422a9f
      0x00422aa2
      0x00422aa6
      0x00422aa8
      0x00422aaa
      0x00422aaa
      0x00422ab8
      0x00422ac2
      0x00422ad2
      0x00422ad7
      0x00422ada
      0x00422add
      0x00422ae1
      0x00422ae3
      0x00422ae5
      0x00422ae5
      0x00422af3
      0x00422afd
      0x00422b0d
      0x00422b12
      0x00422b15
      0x00422b18
      0x00422b1c
      0x00422b1e
      0x00422b20
      0x00422b20
      0x00422b25
      0x00422b2d
      0x00422b37
      0x00422b47
      0x00422b4c
      0x00422b4f
      0x00422b52
      0x00422b56
      0x00422b58
      0x00422b5a
      0x00422b5a
      0x00422b69
      0x00422b73
      0x00422b83
      0x00422b88
      0x00422b8b
      0x00422b8e
      0x00422b92
      0x00422b94
      0x00422b96
      0x00422b96
      0x00422ba5
      0x00422baf
      0x00422bbf
      0x00422bc4
      0x00422bc7
      0x00422bca
      0x00422bce
      0x00422bd0
      0x00422bd2
      0x00422bd2
      0x00422be0
      0x00422bea
      0x00422bfa
      0x00422bff
      0x00422c02
      0x00422c05
      0x00422c09
      0x00422c0b
      0x00422c0d
      0x00422c0d
      0x00422c1b
      0x00422c25
      0x00422c35
      0x00422c3a
      0x00422c3d
      0x00422c40
      0x00422c44
      0x00422c46
      0x00422c48
      0x00422c48
      0x00422c5e
      0x00422c77
      0x00422c90
      0x00422ca9
      0x00422cc2
      0x00422cdb
      0x00422cf4
      0x00422d0d
      0x00422d1a
      0x00422d22
      0x00422d27
      0x00422d2a
      0x00422d34
      0x00422d44
      0x00422d47
      0x00422d55
      0x00422d5a
      0x00422d5d
      0x00422d5f
      0x00422d61
      0x00422d70
      0x00422d7b
      0x00422d7e
      0x00422d86
      0x00422d9c
      0x00422da6
      0x00422db6
      0x00422dbb
      0x00422dbe
      0x00422dc1
      0x00422dc5
      0x00422dc7
      0x00422dc9
      0x00422dc9
      0x00422dd3
      0x00422dda
      0x00422de4
      0x00422df4
      0x00422df9
      0x00422dfc
      0x00422dff
      0x00422e03
      0x00422e05
      0x00422e07
      0x00422e07
      0x00422e11
      0x00422e18
      0x00422e22
      0x00422e32
      0x00422e37
      0x00422e3a
      0x00422e3d
      0x00422e41
      0x00422e43
      0x00422e45
      0x00422e45
      0x00422e4f
      0x00422e5e
      0x00422e6b
      0x00422e7a
      0x00422e87
      0x00422e96
      0x00422ea3
      0x00422eb2
      0x00422ebf
      0x00422ec7
      0x00422ecc
      0x00422ece
      0x00422ed1
      0x00422ed1
      0x00422d70
      0x00422ee2
      0x00422eea
      0x00422ef7
      0x00422eff
      0x00422f04
      0x00422f07
      0x00422f0a
      0x00422f0e
      0x00422f10
      0x00422f15
      0x00422f18
      0x00422f1b
      0x00422f24
      0x00422f26
      0x00422f26
      0x00422f29
      0x00422f2e
      0x00422f31
      0x00422f34
      0x00422f36
      0x00422f26
      0x00422f3b
      0x00422f40
      0x00422f46
      0x00422f53
      0x00422f5b
      0x00422f5e
      0x00422f5e
      0x00422f62
      0x00422f69
      0x00422f72
      0x00422f75
      0x00422f78
      0x004229e0
      0x00422f86
      0x00422f94

      APIs
      • EnterCriticalSection.KERNEL32(?,2927074F,?,?), ref: 004229EF
      • LeaveCriticalSection.KERNEL32(?,?), ref: 00422F69
        • Part of subcall function 00438E60: __fputwc_nolock.LIBCMT ref: 00438E6B
        • Part of subcall function 00438E60: __fputwc_nolock.LIBCMT ref: 00438E7C
        • Part of subcall function 00438E60: __fputwc_nolock.LIBCMT ref: 00438E92
        • Part of subcall function 00438E60: __fputwc_nolock.LIBCMT ref: 00438EA9
      • __fputwc_nolock.LIBCMT ref: 00422A28
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 0047234A
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 0047235B
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 00472367
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 00472372
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 00472398
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723A4
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723B0
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 004723BB
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723E1
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723ED
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723F9
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 00472404
        • Part of subcall function 00472329: __cftof.LIBCMT ref: 0047242D
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438C2C
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438C43
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438C5A
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438CA9
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438DB1
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438DB9
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438DD2
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438DE9
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438DF1
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438CD3
      • __fputwc_nolock.LIBCMT ref: 00422D22
      • __fputwc_nolock.LIBCMT ref: 00422D86
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438D02
      • __fputwc_nolock.LIBCMT ref: 00422EC7
      • __fputwc_nolock.LIBCMT ref: 00422EEA
      • __fputwc_nolock.LIBCMT ref: 00422EFF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: __fputwc_nolock$CreateHeap$CriticalSection$DecrementEnterInterlockedLeave__cftof
      • String ID: AuthenticationId$BaseAddress$CommandLine$Company$CompanyName$CreateTime$Description$FinishTime$ImagePath$Integrity$Is64bit$IsVirtualized$Owner$ParentProcessId$ParentProcessIndex$Path$ProcessId$ProcessIndex$ProcessName$Size$Timestamp$Version$module$modulelist$process
      • API String ID: 721800305-19602617
      • Opcode ID: 25db340e35ac09f811456d4c84457a6ce3c002d6ae76a8b2680ec6e5358b040a
      • Instruction ID: 742685f71ac532d6b61e36e940e874e634b612b4dcdf18c3260b7480a146e0b9
      • Opcode Fuzzy Hash: 25db340e35ac09f811456d4c84457a6ce3c002d6ae76a8b2680ec6e5358b040a
      • Instruction Fuzzy Hash: 2BF1A570A00304BADF11BBB5DD42FAEBB699F4430CF14542EF505B7282EA7DA914876E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 69%
      			E00424910(struct HWND__* _a4, struct HWND__* _a8, struct HWND__* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, struct HMENU__* _a28) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct tagRECT _v40;
      				struct HWND__* _v52;
      				struct HWND__* _v76;
      				struct HWND__* _v80;
      				intOrPtr _v84;
      				void* _v88;
      				struct HWND__* _v92;
      				intOrPtr _v96;
      				intOrPtr _v100;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t38;
      				struct HWND__* _t72;
      				void* _t83;
      				struct HWND__* _t84;
      				void* _t85;
      				struct HWND__* _t88;
      				void* _t89;
      				int _t91;
      				void* _t96;
      				void* _t97;
      				void* _t99;
      				void* _t102;
      				void* _t103;
      				struct HWND__* _t105;
      				void* _t106;
      				long _t107;
      				struct HICON__* _t108;
      				void* _t109;
      				signed int _t110;
      
      				_t38 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t38 ^ _t110;
      				asm("xorps xmm0, xmm0");
      				_t84 = _a4;
      				_v92 = _a12;
      				_v96 = _a16;
      				_v100 = _a20;
      				asm("movdqu [ebp-0x24], xmm0");
      				__imp__#17(_t97, _t103, _t83);
      				GetClientRect(_t84,  &_v40);
      				GetWindowRect(_a8,  &_v24);
      				_t91 = _v40.bottom + _v24.top - _v24.bottom;
      				_v40.bottom = _t91;
      				_t105 = CreateWindowExW(0, L"SysListView32", 0x48fc20, _v92, _v40, _v40.top, _v40.right, _t91, _t84, _a28,  *0x4bd2c4, 0);
      				_v92 = _t105;
      				if(_t105 == 0) {
      					L3:
      					_pop(_t99);
      					_pop(_t106);
      					_pop(_t85);
      					return E0046F77E(_t85, _v8 ^ _t110, _t96, _t99, _t106);
      				} else {
      					if(E00426A50(_t96, _t105, _v96, _v100, _a24) != 0) {
      						SetClassLongW(_t105, 0xfffffff6, GetSysColorBrush(5));
      						 *0x4bcb3c = SetWindowLongW(_t105, 0xfffffffc, E004263B0);
      						SendMessageW(_t105, 0x1036, 0x430, 0x30);
      						SendMessageW(_t105, 0x104a, 0, 0);
      						SendMessageW(_t105, 0x30,  *0x4bd708, 0);
      						_t107 = ImageList_Create(0x10, 0x10, 1, 0x100, 0x100);
      						ImageList_ReplaceIcon(_t107, 0xffffffff, LoadIconW( *0x4bd2c4, 0xcb));
      						ImageList_ReplaceIcon(_t107, 0xffffffff, LoadIconW( *0x4bd2c4, 0x71));
      						SetWindowLongW(_v92, 0xfffffff0, GetWindowLongW(_v92, 0xfffffff0) | 0x00000040);
      						SendMessageW(_v92, 0x1003, 1, _t107);
      						_t108 = LoadIconW(0, 0x7f00);
      						 *0x4bcb38 = ImageList_ReplaceIcon(SendMessageW(_v92, 0x1002, 1, 0), 0xffffffff, _t108);
      						DestroyIcon(_t108);
      						_t88 = _v92;
      						_t72 = CreateWindowExW(0, L"tooltips_class32", 0, 0x80000033, 0, 0, 0, 0, _t88, 0,  *0x4bd2c4, 0);
      						 *0x4bcb44 = _t72;
      						 *0x4bcb40 = SetWindowLongW(_t72, 0xfffffffc, E00426BF0);
      						 *0x4bcb58 = _t88;
      						SetWindowPos( *0x4bcb44, 0xffffffff, 0, 0, 0, 0, 0x13);
      						_v88 = 0x30;
      						asm("xorps xmm0, xmm0");
      						_v84 = 0x101;
      						asm("movdqu [ebp-0x4c], xmm0");
      						_v80 = _t88;
      						asm("movdqu [ebp-0x3c], xmm0");
      						_v76 = _t88;
      						asm("movq [ebp-0x2c], xmm0");
      						_v52 = 0xffffffff;
      						SendMessageW( *0x4bcb44, 0x432, 0,  &_v88);
      						SendMessageW( *0x4bcb44, 0x403, 3, 0);
      						SendMessageW( *0x4bcb44, 0x403, 2, 0xf4240);
      						SendMessageW( *0x4bcb44, 0x30,  *0x4bd708, 0);
      						_pop(_t102);
      						_pop(_t109);
      						_pop(_t89);
      						return E0046F77E(_t89, _v8 ^ _t110, _t96, _t102, _t109);
      					} else {
      						DestroyWindow(_t105);
      						goto L3;
      					}
      				}
      			}

      0x00424916
      0x0042491d
      0x00424923
      0x00424927
      0x0042492a
      0x00424934
      0x0042493e
      0x00424941
      0x00424946
      0x00424951
      0x0042495c
      0x00424973
      0x0042497b
      0x00424999
      0x0042499b
      0x004249a0
      0x004249bc
      0x004249bc
      0x004249bd
      0x004249c0
      0x004249ce
      0x004249a2
      0x004249b3
      0x004249db
      0x00424a02
      0x00424a07
      0x00424a13
      0x00424a20
      0x00424a3e
      0x00424a57
      0x00424a67
      0x00424a7d
      0x00424a8e
      0x00424aa3
      0x00424aba
      0x00424abf
      0x00424acd
      0x00424ae9
      0x00424af7
      0x00424b14
      0x00424b19
      0x00424b1f
      0x00424b28
      0x00424b32
      0x00424b35
      0x00424b47
      0x00424b4c
      0x00424b4f
      0x00424b54
      0x00424b57
      0x00424b5c
      0x00424b63
      0x00424b74
      0x00424b88
      0x00424b9a
      0x00424ba1
      0x00424ba2
      0x00424ba5
      0x00424bae
      0x004249b5
      0x004249b6
      0x00000000
      0x004249b6
      0x004249b3

      APIs
      • #17.COMCTL32 ref: 00424946
      • GetClientRect.USER32 ref: 00424951
      • GetWindowRect.USER32 ref: 0042495C
      • CreateWindowExW.USER32 ref: 00424993
        • Part of subcall function 00426A50: SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00426ABA
        • Part of subcall function 00426A50: LoadStringW.USER32(?,?,00000104), ref: 00426AFC
        • Part of subcall function 00426A50: SendMessageW.USER32(?,00001061,00000000,0000000F), ref: 00426B5C
        • Part of subcall function 00426A50: SendMessageW.USER32(?,0000105F,00000000,0000000F), ref: 00426B9A
        • Part of subcall function 00426A50: SendMessageW.USER32(?,00001060,00000000,00000001), ref: 00426BBC
      • DestroyWindow.USER32(00000000,00000000,?,?,?), ref: 004249B6
      • GetSysColorBrush.USER32(00000005), ref: 004249D1
      • SetClassLongW.USER32(00000000,000000F6,00000000), ref: 004249DB
      • SetWindowLongW.USER32 ref: 004249E9
      • SendMessageW.USER32(00000000,00001036,00000430,00000030), ref: 00424A07
      • SendMessageW.USER32(00000000,0000104A,00000000,00000000), ref: 00424A13
      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00424A20
      • ImageList_Create.COMCTL32(00000010,00000010,00000001,00000100,00000100), ref: 00424A32
      • LoadIconW.USER32(000000CB), ref: 00424A4B
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 00424A57
      • LoadIconW.USER32(00000071), ref: 00424A61
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 00424A67
      • GetWindowLongW.USER32(?,000000F0), ref: 00424A6E
      • SetWindowLongW.USER32 ref: 00424A7D
      • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 00424A8E
      • LoadIconW.USER32(00000000,00007F00), ref: 00424A9B
      • SendMessageW.USER32(?,00001002,00000001,00000000), ref: 00424AB4
      • ImageList_ReplaceIcon.COMCTL32(00000000), ref: 00424AB7
      • DestroyIcon.USER32(00000000), ref: 00424ABF
      • CreateWindowExW.USER32 ref: 00424AE9
      • SetWindowLongW.USER32 ref: 00424AFC
      • SetWindowPos.USER32(000000FF,00000000,00000000,00000000,00000000,00000013), ref: 00424B1F
      • SendMessageW.USER32(00000432,00000000,?), ref: 00424B63
      • SendMessageW.USER32(00000403,00000003,00000000), ref: 00424B74
      • SendMessageW.USER32(00000403,00000002,000F4240), ref: 00424B88
      • SendMessageW.USER32(00000030,00000000), ref: 00424B9A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$Window$Icon$Long$ImageList_Load$CreateReplace$DestroyRect$BrushClassClientColorString
      • String ID: 0$SysListView32$tooltips_class32
      • API String ID: 1169339700-823657299
      • Opcode ID: 2f503924162e5d9f2bafbc5a72153d096e94f945d5a293c47d661c66b18103aa
      • Instruction ID: 89fe0cd3f29996c0b5bd1a5c9f7dbf3903cafb10067a6219c46fada373a3e089
      • Opcode Fuzzy Hash: 2f503924162e5d9f2bafbc5a72153d096e94f945d5a293c47d661c66b18103aa
      • Instruction Fuzzy Hash: 12719271A44359BFEB119FA4EC86F9E7B74FB09710F200329FA10BA1E0D7B569418B58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E0040F670(void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
      				signed int _v8;
      				char _v528;
      				void* _v532;
      				char _v536;
      				WCHAR* _v540;
      				char _v544;
      				void* __ebx;
      				void* __edi;
      				signed int _t31;
      				intOrPtr _t45;
      				_Unknown_base(*)()* _t51;
      				_Unknown_base(*)()* _t62;
      				void* _t65;
      				intOrPtr _t69;
      				void* _t70;
      				void* _t71;
      				intOrPtr* _t74;
      				void* _t81;
      				intOrPtr _t83;
      				void* _t84;
      				void* _t85;
      				void* _t86;
      				signed int _t94;
      
      				_t87 = __esi;
      				_t92 = _t94;
      				_t31 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t31 ^ _t94;
      				_t69 = _a8;
      				_t83 = _a4;
      				E0040F360(L"SeLoadDriverPrivilege");
      				if(RegCreateKeyW(0x80000002, L"System\\CurrentControlSet\\Services\\PROCMON23",  &_v532) != 0) {
      					L10:
      					_pop(_t84);
      					_pop(_t70);
      					return E0046F77E(_t70, _v8 ^ _t92, _t81, _t84, _t87);
      				} else {
      					_push(__esi);
      					_v536 = 2;
      					RegSetValueExW(_v532, L"Type", 0, 4,  &_v536, 4);
      					_v536 = 1;
      					RegSetValueExW(_v532, L"ErrorControl", 0, 4,  &_v536, 4);
      					_v536 = 3;
      					RegSetValueExW(_v532, L"Start", 0, 4,  &_v536, 4);
      					L00401F90( &_v528, L"\\??\\%s", _t83);
      					_t74 =  &_v528;
      					_t81 = _t74 + 2;
      					do {
      						_t45 =  *_t74;
      						_t74 = _t74 + 2;
      					} while (_t45 != 0);
      					RegSetValueExW(_v532, L"ImagePath", 0, 1,  &_v528, (_t74 - _t81 >> 1) + (_t74 - _t81 >> 1));
      					E0040EDC0(_v532);
      					_t51 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtLoadDriver");
      					_v540 = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\PROCMON23";
      					_v544 = 0x7a;
      					_t85 =  *_t51( &_v544);
      					RegDeleteKeyW(0x80000002, L"System\\CurrentControlSet\\Services\\PROCMON23\\Enum");
      					RegDeleteKeyW(0x80000002, L"System\\CurrentControlSet\\Services\\PROCMON23\\Security");
      					RegDeleteKeyW(0x80000002, L"System\\CurrentControlSet\\Services\\PROCMON23\\Parameters");
      					RegDeleteValueW(_v532, L"Type");
      					RegDeleteValueW(_v532, L"ErrorControl");
      					RegDeleteValueW(_v532, L"Start");
      					RegDeleteValueW(_v532, L"ImagePath");
      					RegCloseKey(_v532);
      					_pop(_t87);
      					if(_t85 == 0 || _t85 == 0xc000010e) {
      						E0040F8A0(_t69, 0);
      						goto L10;
      					} else {
      						_t62 =  *0x4bc8d8; // 0x0
      						if(_t62 == 0) {
      							_t62 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlNtStatusToDosError");
      							 *0x4bc8d8 = _t62;
      						}
      						SetLastError( *_t62());
      						GetLastError();
      						_t86 = _t85;
      						_pop(_t71);
      						_t65 = E0046F77E(_t71, _v8 ^ _t92, _t81, _t86, _t87);
      						return _t65 + 0x5de58b00;
      					}
      				}
      			}
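E0040F670 is the driver loader: it enables SeLoadDriverPrivilege (the SeDebugPrivilege string in the trace lines for subcall 0040F360 comes from a different call site of the same helper), creates HKLM\System\CurrentControlSet\Services\PROCMON23 with Type, ErrorControl, Start and an ImagePath of `\??\<path>`, resolves NtLoadDriver from ntdll and passes it a UNICODE_STRING whose Length is hard-coded as 0x7a for the `\Registry\Machine\...\Services\PROCMON23` path, then deletes the Enum, Security and Parameters subkeys and the four values again. Success means NTSTATUS 0 or 0xC000010E (STATUS_IMAGE_ALREADY_LOADED); any other status is converted with RtlNtStatusToDosError into a Win32 last error. Because the service key is torn down immediately after the load, no service is left for a later service enumeration to show; that transient key is the shape a detection should key on, and it is the same sequence a bring-your-own-vulnerable-driver loader produces. The block below is an added example, not code from the report or from Sysinternals: it reproduces the UNICODE_STRING length the function hard-codes, mirrors its status check, and runs a correlation rule over constructed registry and driver-load events (the event tuple layout is an assumption, loosely modelled on Sysmon-style registry and driver-load records).

```python
"""UNICODE_STRING check and transient-service-key detection for the NtLoadDriver
sequence in E0040F670 (added example)."""
import struct
from collections import defaultdict

SERVICE_REG_PATH = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\PROCMON23"

STATUS_SUCCESS = 0x00000000
STATUS_IMAGE_ALREADY_LOADED = 0xC000010E   # second status the function treats as success


def unicode_string(path):
    """Return the 32-bit UNICODE_STRING header {Length, MaximumLength, Buffer} for `path`
    and its Length. Length is the UTF-16LE byte count without the terminator, which is
    the value (0x7a for SERVICE_REG_PATH) the decompiled code stores in _v544."""
    buf = path.encode("utf-16-le")
    length = len(buf)
    header = struct.pack("<HHI", length, length + 2, 0)   # Buffer pointer is a placeholder
    return header, length


def load_status_ok(status):
    """Mirror of the function's success test on the NtLoadDriver return value."""
    return status in (STATUS_SUCCESS, STATUS_IMAGE_ALREADY_LOADED)


# Constructed telemetry, not from the report: (time_seconds, event, service_name, detail).
# Event names are an assumption; map them onto whatever your sensor emits.
SAMPLE_EVENTS = [
    (10.000, "RegCreateKey",   "PROCMON23", ""),
    (10.001, "RegSetValue",    "PROCMON23", "ImagePath=\\??\\C:\\Windows\\System32\\Drivers\\PROCMON23.SYS"),
    (10.004, "DriverLoad",     "PROCMON23", "C:\\Windows\\System32\\Drivers\\PROCMON23.SYS"),
    (10.006, "RegDeleteValue", "PROCMON23", "ImagePath"),
    (30.000, "RegCreateKey",   "mydriver",  ""),
    (30.001, "RegSetValue",    "mydriver",  "ImagePath=system32\\drivers\\mydriver.sys"),
    (30.500, "DriverLoad",     "mydriver",  "C:\\Windows\\System32\\drivers\\mydriver.sys"),
]


def transient_driver_services(events, window_s=5.0):
    """Flag services whose ImagePath was set, a driver loaded while it was set, and the
    value deleted again within `window_s` seconds. Returns (service, image, lifetime_s).
    A normal driver install leaves the key in place, so it never matches."""
    by_service = defaultdict(list)
    for ev in events:
        by_service[ev[2]].append(ev)
    hits = []
    for svc, evs in by_service.items():
        set_t = next((t for t, e, _, d in evs
                      if e == "RegSetValue" and d.startswith("ImagePath=")), None)
        load = next(((t, d) for t, e, _, d in evs if e == "DriverLoad"), None)
        del_t = next((t for t, e, _, d in evs
                      if e == "RegDeleteValue" and d == "ImagePath"), None)
        if set_t is None or load is None or del_t is None:
            continue
        if set_t <= load[0] <= del_t and del_t - set_t <= window_s:
            hits.append((svc, load[1], round(del_t - set_t, 3)))
    return hits


if __name__ == "__main__":
    header, length = unicode_string(SERVICE_REG_PATH)
    print(f"UNICODE_STRING.Length = {length:#x}, header bytes = {header.hex()}")
    for svc, image, lifetime in transient_driver_services(SAMPLE_EVENTS):
        print(f"transient driver service {svc}: loaded {image}, key lived {lifetime}s")
```

The rule deliberately ignores the Start/Type values: E0040F670 writes Start=3 (demand start) and never calls the service control manager, so StartService-based detections do not fire on this path; the registry set/delete pair around the driver-load event is the only consistent signal.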

      0x0040f670
      0x0040f671
      0x0040f679
      0x0040f680
      0x0040f684
      0x0040f688
      0x0040f690
      0x0040f6b1
      0x0040f88e
      0x0040f891
      0x0040f894
      0x0040f89d
      0x0040f6b7
      0x0040f6b7
      0x0040f6d6
      0x0040f6e0
      0x0040f6ea
      0x0040f704
      0x0040f70e
      0x0040f728
      0x0040f737
      0x0040f73c
      0x0040f745
      0x0040f750
      0x0040f750
      0x0040f753
      0x0040f756
      0x0040f779
      0x0040f781
      0x0040f79a
      0x0040f7a5
      0x0040f7af
      0x0040f7c5
      0x0040f7d1
      0x0040f7dd
      0x0040f7e9
      0x0040f7fc
      0x0040f809
      0x0040f816
      0x0040f823
      0x0040f82b
      0x0040f831
      0x0040f834
      0x0040f886
      0x00000000
      0x0040f83e
      0x0040f83e
      0x0040f845
      0x0040f858
      0x0040f85e
      0x0040f85e
      0x0040f867
      0x0040f86d
      0x0040f873
      0x0040f874
      0x0040f87a
      0x0040f882
      0x0040f882
      0x0040f834

      APIs
        • Part of subcall function 0040F360: GetCurrentProcess.KERNEL32(00000028,0045F38B,749682C0,?,?,0045F38B,SeDebugPrivilege,?,?,00000003,00000000,?,?,04000000), ref: 0040F37A
        • Part of subcall function 0040F360: OpenProcessToken.ADVAPI32(00000000,?,?,0045F38B,SeDebugPrivilege,?,?,00000003,00000000,?,?,04000000), ref: 0040F381
      • RegCreateKeyW.ADVAPI32(80000002,System\CurrentControlSet\Services\PROCMON23,?), ref: 0040F6A9
      • RegSetValueExW.ADVAPI32(?,Type,00000000,00000004,?,00000004,74CB4C30), ref: 0040F6E0
      • RegSetValueExW.ADVAPI32(?,ErrorControl,00000000,00000004,00000002,00000004), ref: 0040F704
      • RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,00000001,00000004), ref: 0040F728
        • Part of subcall function 00401F90: vswprintf.LIBCMT ref: 00401FA2
      • RegSetValueExW.ADVAPI32(?,ImagePath,00000000,00000001,?,00000000), ref: 0040F779
      • GetModuleHandleW.KERNEL32(ntdll.dll,NtLoadDriver), ref: 0040F793
      • GetProcAddress.KERNEL32(00000000), ref: 0040F79A
      • RegDeleteKeyW.ADVAPI32(80000002,System\CurrentControlSet\Services\PROCMON23\Enum), ref: 0040F7D1
      • RegDeleteKeyW.ADVAPI32(80000002,System\CurrentControlSet\Services\PROCMON23\Security), ref: 0040F7DD
      • RegDeleteKeyW.ADVAPI32(80000002,System\CurrentControlSet\Services\PROCMON23\Parameters), ref: 0040F7E9
      • RegDeleteValueW.ADVAPI32(?,Type), ref: 0040F7FC
      • RegDeleteValueW.ADVAPI32(?,ErrorControl), ref: 0040F809
      • RegDeleteValueW.ADVAPI32(?,Start), ref: 0040F816
      • RegDeleteValueW.ADVAPI32(?,ImagePath), ref: 0040F823
      • RegCloseKey.ADVAPI32(?), ref: 0040F82B
      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlNtStatusToDosError), ref: 0040F851
      • GetProcAddress.KERNEL32(00000000), ref: 0040F858
      • SetLastError.KERNEL32(00000000), ref: 0040F867
      • GetLastError.KERNEL32 ref: 0040F86D
        • Part of subcall function 0040F8A0: FilterConnectCommunicationPort.FLTLIB(\ProcessMonitor23Port,00000000,000000FF,00000004,00000000,?,?,004398BB,004BB114,00000000,?,00000000,004899F8,000000FF,?,0043A210), ref: 0040F8B5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Value$Delete$AddressErrorHandleLastModuleProcProcess$CloseCommunicationConnectCreateCurrentFilterOpenPortTokenvswprintf
      • String ID: (fI$ErrorControl$ImagePath$NtLoadDriver$RtlNtStatusToDosError$SeLoadDriverPrivilege$Start$System\CurrentControlSet\Services\PROCMON23$System\CurrentControlSet\Services\PROCMON23\Enum$System\CurrentControlSet\Services\PROCMON23\Parameters$System\CurrentControlSet\Services\PROCMON23\Security$Type$\??\%s$ntdll.dll
      • API String ID: 1337259551-2372326339
      • Opcode ID: 363e423b4988f85b84d28789c6bfeb7a4befb13fd5fd698aef18ce88b330b875
      • Instruction ID: 4ad328a35374ac0bfb104866307218be8b547612176afd3dd3510e5e011d88b6
      • Opcode Fuzzy Hash: 363e423b4988f85b84d28789c6bfeb7a4befb13fd5fd698aef18ce88b330b875
      • Instruction Fuzzy Hash: 6E51A47198021CBBDF20AB60EC4AFED7F78EB14754F1104BAB908B2191D6B95A488F59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0046D420(void* __edx, struct HWND__* _a4, intOrPtr _a8) {
      				int _v8;
      				char _v16;
      				long _v20;
      				WCHAR* _v24;
      				int _v28;
      				int _v32;
      				char _v36;
      				intOrPtr _v40;
      				long _v44;
      				long _v48;
      				intOrPtr _v52;
      				char _v56;
      				intOrPtr* _v60;
      				char _v64;
      				char _v68;
      				char _v72;
      				char _v76;
      				char _v80;
      				char _v84;
      				intOrPtr _v88;
      				char _v92;
      				intOrPtr _v112;
      				intOrPtr _v116;
      				intOrPtr _v124;
      				int _v128;
      				int _v132;
      				int _v136;
      				intOrPtr _v140;
      				void* _v144;
      				intOrPtr _v148;
      				void* __ebx;
      				void* __edi;
      				signed int _t155;
      				long _t161;
      				long _t162;
      				void* _t195;
      				intOrPtr _t199;
      				void* _t203;
      				intOrPtr _t205;
      				void* _t215;
      				void* _t227;
      				void* _t233;
      				intOrPtr _t235;
      				void* _t239;
      				intOrPtr _t245;
      				int _t248;
      				struct HWND__* _t263;
      				intOrPtr* _t266;
      				void* _t267;
      				struct HICON__* _t268;
      				intOrPtr _t276;
      				intOrPtr _t282;
      				void* _t301;
      				long _t302;
      				intOrPtr _t305;
      				void* _t309;
      				struct HICON__* _t311;
      				long _t315;
      				intOrPtr _t317;
      				signed int _t324;
      				void* _t325;
      				void* _t326;
      				void* _t327;
      				void* _t329;
      				void* _t330;
      				void* _t331;
      				void* _t332;
      				void* _t333;
      				void* _t334;
      				void* _t335;
      				intOrPtr _t346;
      
      				_t301 = __edx;
      				_push(0xffffffff);
      				_push(E0048D638);
      				_push( *[fs:0x0]);
      				_t326 = _t325 - 0x88;
      				_t155 =  *0x4bb1dc; // 0x2927074f
      				_push(_t155 ^ _t324);
      				 *[fs:0x0] =  &_v16;
      				_t263 = _a4;
      				if(_t263 == 0) {
      					L45:
      					__eflags = 0;
      					 *[fs:0x0] = _v16;
      					return 0;
      				} else {
      					_t305 = _a8;
      					if( *((intOrPtr*)(_t305 + 8)) == 0) {
      						goto L45;
      					} else {
      						SetDlgItemTextW(GetParent(_t263), 0x42f, L"Resolving symbols...");
      						_t161 = SendMessageW(_t263, 0x1002, 1, 0);
      						_t338 = _t161;
      						if(_t161 == 0) {
      							E0042E9F0(_t301, _t263, 0x4a8c18, 5, 0x30, 1);
      							_t326 = _t326 + 0x14;
      							SendMessageW(_t263, 0x1036, 0x10, 0x10);
      							_t248 = GetSystemMetrics(0x32);
      							_t267 = ImageList_Create(GetSystemMetrics(0x31), _t248, 0xfe, 2, 0xa);
      							_v20 = _t267;
      							ImageList_SetBkColor(_t267, GetSysColor(5));
      							_t268 = LoadImageW(GetModuleHandleW(0), 0x6b, 1, 0x10, 0x10, 0);
      							_t311 = LoadImageW(GetModuleHandleW(0), 0x6a, 1, 0x10, 0x10, 0);
      							ImageList_ReplaceIcon(_v20, 0xffffffff, _t268);
      							ImageList_ReplaceIcon(_v20, 0xffffffff, _t311);
      							SendMessageW(_a4, 0x1003, 1, _v20);
      							DestroyIcon(_t268);
      							DestroyIcon(_t311);
      							_t263 = _a4;
      							_t305 = _a8;
      						}
      						_push(0x24);
      						_t162 = E0046EEB6(_t263, _t305, _t338);
      						_t315 = _t162;
      						_v48 = _t162;
      						_t327 = _t326 + 4;
      						if(_t315 == 0) {
      							_t315 = 0;
      							__eflags = 0;
      							_v48 = 0;
      						} else {
      							 *(_t315 + 8) = 0;
      							 *(_t315 + 0xc) = 0;
      							 *(_t315 + 0x10) = 0;
      						}
      						 *((intOrPtr*)(_t315 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t305 + 8))));
      						 *_t315 = _t263;
      						 *((char*)(_t315 + 0x14)) = 0;
      						 *(_t315 + 0x18) = 0;
      						 *((intOrPtr*)(_t315 + 0x1c)) = GetWindowLongW(_t263, 0xffffffeb);
      						 *(_t315 + 0x20) = 2;
      						SetWindowLongW(_t263, 0xffffffeb, _t315);
      						_v88 = E00441C60( *((intOrPtr*)(_t305 + 0xc)) + 0x4ec);
      						_t27 = _t315 + 8; // 0x8
      						_v60 = _t27;
      						_push( *( *((intOrPtr*)(_t305 + 8)) + 0x28) & 0x0000ffff);
      						E0046DDE0(_t27);
      						_t276 =  *((intOrPtr*)(_t305 + 8));
      						_t302 = 0;
      						_v20 = 0;
      						_v36 = 0;
      						if(0 < ( *(_t276 + 0x28) & 0x0000ffff)) {
      							_v44 = 0;
      							do {
      								if(_t302 < ( *(_t276 + 0x28) & 0x0000ffff)) {
      									_t317 =  *((intOrPtr*)(_t276 + 0x34 + _t302 * 4));
      									_v40 = _t317;
      									_t342 = _t317;
      									if(_t317 != 0) {
      										_v28 = 0;
      										_v8 = 0;
      										_v32 = 0;
      										_push(0x48);
      										_v8 = 1;
      										_t309 =  *_v60 + _v44;
      										_t266 = E0046EEB6(_t263, _t309, _t342);
      										_t329 = _t327 + 4;
      										if(_t266 == 0) {
      											_t266 = 0;
      											__eflags = 0;
      										} else {
      											 *(_t266 + 4) = 0;
      											 *(_t266 + 0x38) = 0;
      											 *(_t266 + 0x3c) = 0;
      											 *(_t266 + 0x40) = 0;
      											 *(_t266 + 0x44) = 0;
      										}
      										_t51 = _t266 + 0x2c; // 0x2c
      										L0046BEE0(_v88, _a8, _t317, _t309, _t51);
      										asm("movdqu xmm0, [edi+0x8]");
      										_t330 = _t329 + 0x14;
      										_t54 = _t266 + 4; // 0x4
      										asm("movdqu [ebx+0xc], xmm0");
      										asm("movq xmm0, [edi+0x18]");
      										asm("movq [ebx+0x1c], xmm0");
      										E0046A0B0(_t54, _t309);
      										 *((intOrPtr*)(_t266 + 8)) =  *((intOrPtr*)(_t309 + 4));
      										 *((intOrPtr*)(_t266 + 0x24)) =  *((intOrPtr*)(_t309 + 0x20));
      										 *((intOrPtr*)(_t266 + 0x28)) =  *((intOrPtr*)(_t309 + 0x24));
      										 *_t266 =  *((intOrPtr*)(_v48 + 4));
      										if(E0046A720(_t309) == 0) {
      											_v24 = L"<unknown>";
      											_t195 = E00436110(_t266, _t302, _t309, __eflags,  &_v64, _v40, 0);
      											_t331 = _t330 + 0xc;
      											_v8 = 7;
      											E0046A0B0( &_v32, _t195);
      											_t282 = _v64;
      										} else {
      											_v24 = E0046A170(_t309);
      											_t227 = E00471495(_t226, 0x5c);
      											_t335 = _t330 + 8;
      											if(_t227 != 0) {
      												_t245 = _t227 + 2;
      												_t346 = _t245;
      												_v24 = _t245;
      											}
      											_v56 = E0046A6C0(_t266, L" + ", E0046A530(L" + "));
      											_v8 = 2;
      											_t233 = E00436110(_t266, _t302, _t309, _t346,  &_v80, _v40 -  *((intOrPtr*)(_t309 + 0x24)), 0);
      											_v8 = 3;
      											_t235 = E0046A6C0(_t266, _v24, E0046A530(_v24));
      											_t331 = _t335 + 0x24;
      											_v52 = _t235;
      											_v8 = 4;
      											E0046A230( &_v84,  &_v56);
      											_v8 = 5;
      											_t239 = E0046A230( &_v72, _t233);
      											_v8 = 6;
      											E0046A0B0( &_v32, _t239);
      											_t297 = _v72;
      											_v8 = 5;
      											if(_v72 != 0) {
      												E0046A700(_t297);
      											}
      											_t298 = _v84;
      											_v8 = 4;
      											if(_v84 != 0) {
      												E0046A700(_t298);
      											}
      											_t299 = _v52;
      											_v8 = 3;
      											if(_v52 != 0) {
      												E0046A700(_t299);
      											}
      											_t300 = _v80;
      											_v8 = 2;
      											if(_v80 != 0) {
      												E0046A700(_t300);
      											}
      											_t282 = _v56;
      										}
      										_v8 = 1;
      										if(_t282 != 0) {
      											E0046A700(_t282);
      										}
      										_v144 = 7;
      										_v140 = 0x7fffffff;
      										_v136 = 0;
      										_t199 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0xc)) + 0x274));
      										_v148 = _t199;
      										asm("sbb eax, eax");
      										_v112 = _t266;
      										_v128 = 0;
      										_v116 = _t199 + 1;
      										asm("cdq");
      										_v132 = 0;
      										_t203 = E00436170(_t266, _t302, _t309, _v40 -  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0xc)) + 0x270)),  &_v68, _v20, _t302);
      										_t332 = _t331 + 0xc;
      										_v8 = 8;
      										E0046A0B0( &_v28, _t203);
      										_t285 = _v68;
      										_v8 = 1;
      										if(_v68 != 0) {
      											E0046A700(_t285);
      										}
      										_t205 = E0046A170( &_v28);
      										_t263 = _a4;
      										_v124 = _t205;
      										_t318 = SendMessageW(_t263, 0x104d, 0,  &_v144);
      										_v36 = E0046A6C0(_t263, _v24, E0046A530(_v24));
      										_v8 = 9;
      										E00436730(_t263, _t207, 1,  &_v36);
      										_t287 = _v36;
      										_t333 = _t332 + 0x1c;
      										_v8 = 1;
      										_t354 = _v36;
      										if(_v36 != 0) {
      											E0046A700(_t287);
      										}
      										E00436730(_t263, _t318, 2,  &_v32);
      										_t215 = E00436110(_t263, _t302, _t309, _t354,  &_v76,  *((intOrPtr*)(_t309 + 0x20)), 0);
      										_t334 = _t333 + 0x1c;
      										_v8 = 0xa;
      										E0046A0B0( &_v28, _t215);
      										_t289 = _v76;
      										_v8 = 1;
      										if(_v76 != 0) {
      											E0046A700(_t289);
      										}
      										E00436730(_t263, _t318, 3,  &_v28);
      										E00436730(_t263, _t318, 4, _t309);
      										_t290 = _v32;
      										_t327 = _t334 + 0x20;
      										_v8 = 0;
      										if(_v32 != 0) {
      											E0046A700(_t290);
      										}
      										_t291 = _v28;
      										_v8 = 0xffffffff;
      										if(_v28 != 0) {
      											E0046A700(_t291);
      										}
      										_t305 = _a8;
      										_t302 = _v20;
      									}
      								}
      								_t276 =  *((intOrPtr*)(_t305 + 8));
      								_t302 = _t302 + 1;
      								_v44 = _v44 + 0x28;
      								_v20 = _t302;
      							} while (_t302 < ( *(_t276 + 0x28) & 0x0000ffff));
      							_t315 = _v48;
      						}
      						if( *( *((intOrPtr*)(_t305 + 8)) + 0x28) != 0) {
      							SendMessageW(_t263, 0x101e, 1, 0xffff);
      							SendMessageW(_t263, 0x101e, 2, 0xffff);
      							SendMessageW(_t263, 0x101e, 3, 0xffff);
      							SendMessageW(_t263, 0x101e, 4, 0xffff);
      						}
      						UpdateWindow(GetParent(_t263));
      						 *(_t315 + 0x18) = E00472D60(0, 0, E0046CBC0, _t315, 0,  &_v92);
      						 *[fs:0x0] = _v16;
      						return 1;
      					}
      				}
      			}

      APIs
      • GetParent.USER32(?), ref: 0046D46E
      • SetDlgItemTextW.USER32 ref: 0046D475
      • SendMessageW.USER32(?,00001002,00000001,00000000), ref: 0046D48B
      • SendMessageW.USER32(?,00001036,00000010,00000010), ref: 0046D4B3
      • GetSystemMetrics.USER32 ref: 0046D4C6
      • GetSystemMetrics.USER32 ref: 0046D4CB
      • ImageList_Create.COMCTL32(00000000), ref: 0046D4CE
      • GetSysColor.USER32(00000005), ref: 0046D4DB
      • ImageList_SetBkColor.COMCTL32(00000000,00000000), ref: 0046D4E3
      • GetModuleHandleW.KERNEL32(00000000,0000006B,00000001,00000010,00000010,00000000), ref: 0046D4FB
      • LoadImageW.USER32 ref: 0046D504
      • GetModuleHandleW.KERNEL32(00000000,0000006A,00000001,00000010,00000010,00000000), ref: 0046D514
      • LoadImageW.USER32 ref: 0046D517
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 0046D527
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 0046D52F
      • SendMessageW.USER32(00000000,00001003,00000001,00000000), ref: 0046D53E
      • DestroyIcon.USER32(00000000), ref: 0046D54B
      • DestroyIcon.USER32(00000000), ref: 0046D54E
      • GetWindowLongW.USER32(?,000000EB), ref: 0046D59D
      • SetWindowLongW.USER32 ref: 0046D5B1
        • Part of subcall function 0042E9F0: SendMessageW.USER32(?,00001036,?,?), ref: 0042EA17
        • Part of subcall function 0042E9F0: GetModuleHandleW.KERNEL32(00000000,?,?,00000104), ref: 0042EA53
        • Part of subcall function 0042E9F0: LoadStringW.USER32(00000000), ref: 0042EA5A
        • Part of subcall function 0042E9F0: MulDiv.KERNEL32(?,00000060), ref: 0042EAB8
        • Part of subcall function 0042E9F0: SendMessageW.USER32(?,00001061,00000000,00000006), ref: 0042EAD2
        • Part of subcall function 0042E9F0: SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0042EAFF
        • Part of subcall function 0042E9F0: GetWindowLongW.USER32(?,000000F0), ref: 0042EB0C
        • Part of subcall function 0042E9F0: SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042EB23
        • Part of subcall function 0042E9F0: SendMessageW.USER32(00000000,00001208,00000000,00000000), ref: 0042EB35
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$Image$IconList_$HandleLoadLongModuleWindow$ColorDestroyMetricsReplaceSystem$CreateItemParentStringText
      • String ID: + $($<unknown>$Resolving symbols...
      • API String ID: 3983729390-1478535649
      • Opcode ID: 8afb38ae1285cd0ee1fef0e9105680525a86a88da9e24ee418687fbed0472e55
      • Instruction ID: f44063d9d98cdf096e86a05c327154673b3cdc0063d4f5a51bd1ba6f78e1d27d
      • Opcode Fuzzy Hash: 8afb38ae1285cd0ee1fef0e9105680525a86a88da9e24ee418687fbed0472e55
      • Instruction Fuzzy Hash: AC02A6B0E00305ABDB10DFA5CD45BAEBBB8AF04314F14456EF905B72C2E7799944CBA6
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VariantInit.OLEAUT32(?), ref: 0040245F
      • VariantInit.OLEAUT32(?), ref: 00402468
      • VariantInit.OLEAUT32(?), ref: 00402471
      • swprintf.LIBCMT ref: 004024DF
      • SysAllocString.OLEAUT32(EventTrace), ref: 004024EC
      • SysAllocString.OLEAUT32(__CLASS), ref: 004024F9
      • SysAllocString.OLEAUT32(Guid), ref: 0040250A
      • SysAllocString.OLEAUT32(EventVersion), ref: 0040251B
      • SysFreeString.OLEAUT32(00000000), ref: 0040254B
      • SysAllocString.OLEAUT32(?), ref: 004025D1
      • SysFreeString.OLEAUT32(00000000), ref: 00402601
        • Part of subcall function 00403970: SysAllocString.OLEAUT32(root\wmi), ref: 00403982
        • Part of subcall function 00403970: CoInitialize.OLE32(00000000), ref: 0040398C
        • Part of subcall function 00403970: CoCreateInstance.OLE32(004A925C,00000000,00000001,004A918C,00000000,?,?,00402489,?), ref: 004039A4
        • Part of subcall function 00403970: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000004,00000003,00000000,00000000,?,?,00402489,?), ref: 004039D7
        • Part of subcall function 00403970: SysFreeString.OLEAUT32(00000000), ref: 004039E1
      • VariantClear.OLEAUT32(?), ref: 0040260E
      • VariantClear.OLEAUT32(?), ref: 0040269F
      • VariantClear.OLEAUT32(?), ref: 00402718
      • _wcsstr.LIBCMT ref: 00402726
      • VariantChangeType.OLEAUT32(?,?,00000000,00000002), ref: 0040278D
      • VariantClear.OLEAUT32(?), ref: 004027A1
      • VariantClear.OLEAUT32(?), ref: 00402840
      • VariantClear.OLEAUT32(?), ref: 00402849
      • SysFreeString.OLEAUT32(?), ref: 00402857
      • SysFreeString.OLEAUT32(?), ref: 0040285A
      • SysFreeString.OLEAUT32(?), ref: 00402862
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: String$Variant$AllocClearFree$Init$BlanketChangeCreateInitializeInstanceProxyType_wcsstrswprintf
      • String ID: EventTrace$EventVersion$Guid$__CLASS${%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}${%s}
      • API String ID: 3666647165-1511013516
      • Opcode ID: 5ee1bf12eeaac4a9b51b84a541af93c34f4bda04f0a033846df2246319e53283
      • Instruction ID: db6fcdb54e2a0f759f77fc0778511a5ef43644451ee3c12c252b9ce79e6ef373
      • Opcode Fuzzy Hash: 5ee1bf12eeaac4a9b51b84a541af93c34f4bda04f0a033846df2246319e53283
      • Instruction Fuzzy Hash: 22E130B5A002289FDB20DF64CC88B9AB7B8AF48304F1445E9F609E7291D7759E85CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E004377C0(void* __edx, struct HWND__* _a4, intOrPtr* _a8) {
      				signed int _v8;
      				char _v528;
      				void* _v532;
      				int _v536;
      				struct HWND__* _v540;
      				intOrPtr* _v544;
      				struct _PROCESS_INFORMATION _v560;
      				struct _STARTUPINFOW _v628;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t54;
      				short* _t61;
      				intOrPtr _t67;
      				intOrPtr _t68;
      				struct HWND__* _t72;
      				void* _t112;
      				int _t114;
      				intOrPtr* _t117;
      				signed int _t119;
      				void* _t123;
      				void* _t124;
      				intOrPtr* _t125;
      				void* _t128;
      				void* _t129;
      				WCHAR* _t130;
      				short* _t131;
      				intOrPtr* _t132;
      				signed int _t137;
      				void* _t138;
      				void* _t139;
      
      				_t123 = __edx;
      				_t54 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t54 ^ _t137;
      				_v540 = _a4;
      				_v544 = _a8;
      				_v628.cb = 0x44;
      				_v628.lpReserved = 0;
      				E00470030( &(_v628.lpDesktop), 0, 0x3c);
      				_t128 = RegOpenKeyExW;
      				_t139 = _t138 + 0xc;
      				_t61 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice", 0, 0x20019,  &_v532);
      				_t112 = RegQueryValueExW;
      				_t131 = _t61;
      				if(_t131 != 0) {
      					L4:
      					if(RegOpenKeyExW(0x80000000, L"http\\shell\\open\\command", 0, 0x20019,  &_v532) == 0) {
      						_v536 = 0x104;
      						_t131 = RegQueryValueExW(_v532, 0, 0, 0,  &_v528,  &_v536);
      						RegCloseKey(_v532);
      					}
      					if(_t131 != 0) {
      						MessageBoxW(_v540, L"No web browser is configured.", L"Process Monitor Error", 0x10);
      						return E0046F77E(_t112, _v8 ^ _t137, _t123, _t128, _t131);
      					} else {
      						goto L7;
      					}
      				} else {
      					_v536 = 0x104;
      					_t131 = RegQueryValueExW(_v532, L"ProgId", 0, 0,  &_v528,  &_v536);
      					RegCloseKey(_v532);
      					if(_t131 != 0) {
      						goto L4;
      					} else {
      						E00472C98( &_v528, 0x104, L"\\shell\\open\\command");
      						_t139 = _t139 + 0xc;
      						if(RegOpenKeyExW(0x80000000,  &_v528, _t131, 0x20019,  &_v532) != 0) {
      							L7:
      							_t117 =  &_v528;
      							_t124 = _t117 + 2;
      							do {
      								_t67 =  *_t117;
      								_t117 = _t117 + 2;
      							} while (_t67 != 0);
      							_t132 = _v544;
      							_t125 = _t132;
      							_t119 = _t117 - _t124 >> 1;
      							_t129 = _t125 + 2;
      							do {
      								_t68 =  *_t125;
      								_t125 = _t125 + 2;
      							} while (_t68 != 0);
      							_t127 = _t125 - _t129 >> 1;
      							_t114 = _t119 + 6 + (_t125 - _t129 >> 1);
      							_t130 = E00470444(_t114, _t125 - _t129 >> 1, _t129, _t114 + _t114);
      							_push(L"\"%1\"");
      							_push( &_v528);
      							_t72 = E0046EF68(_t119);
      							_v540 = _t72;
      							if(_t72 == 0) {
      								swprintf(_t130, _t114, L"%s \"? %s\"",  &_v528, _t132);
      							} else {
      								_t136 = _t72 -  &_v528 >> 1;
      								_t38 = _t136 + 1; // 0x1
      								L0046FDBD(_t130, _t114,  &_v528, _t38);
      								_t39 = _t136 + 1; // 0x1
      								E0046EF0C( &(_t130[_t39]), _t114 - (_t72 -  &_v528 >> 1) - 1, L"? ");
      								E00472C98(_t130, _t114, _v544);
      								E00472C98(_t130, _t114, _v540 + 6);
      							}
      							_v560.hThread = 0;
      							_v560.hProcess = 0;
      							CreateProcessW(0, _t130, 0, 0, 0, 0, 0, 0,  &_v628,  &_v560);
      							CloseHandle(_v560.hThread);
      							CloseHandle(_v560);
      							E0047040C(_t130);
      							return E0046F77E(_t114, _v8 ^ _t137, _t127, _t130, CloseHandle);
      						} else {
      							_v536 = 0x104;
      							_t131 = RegQueryValueExW(_v532, _t131, _t131, _t131,  &_v528,  &_v536);
      							RegCloseKey(_v532);
      							if(_t131 == 0) {
      								goto L7;
      							} else {
      								goto L4;
      							}
      						}
      					}
      				}
      			}

      APIs
      • _memset.LIBCMT ref: 00437807
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice,00000000,00020019,?), ref: 0043782D
      • RegQueryValueExW.ADVAPI32(?,ProgId,00000000,00000000,?,?), ref: 00437866
      • RegCloseKey.ADVAPI32(?), ref: 00437870
      • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 004378AC
      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000104), ref: 004378D7
      • RegCloseKey.ADVAPI32(?), ref: 004378E1
      • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,?), ref: 00437903
      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0043792D
      • RegCloseKey.ADVAPI32(?), ref: 00437937
      • _malloc.LIBCMT ref: 00437988
      • _wcsstr.LIBCMT ref: 0043799B
      • swprintf.LIBCMT ref: 00437A0E
      • CreateProcessW.KERNEL32 ref: 00437A47
      • CloseHandle.KERNEL32(00000000), ref: 00437A59
      • CloseHandle.KERNEL32(00000000), ref: 00437A61
      • _free.LIBCMT ref: 00437A64
      • MessageBoxW.USER32(?,No web browser is configured.,Process Monitor Error,00000010), ref: 00437A91
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Close$OpenQueryValue$Handle$CreateMessageProcess_free_malloc_memset_wcsstrswprintf
      • String ID: "%1"$%s "? %s"$D$No web browser is configured.$Process Monitor Error$ProgId$Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice$\shell\open\command$http\shell\open\command
      • API String ID: 2812589176-1130325665
      • Opcode ID: 4ebbf84c3906e5ac4341c241af994a6b853dd90065c29d3cb6c0a5cb8fb3fad4
      • Instruction ID: e652c7419c87808a1e1d88c2bb6855ee7a0443e5f453c2adbf0db8555522305a
      • Opcode Fuzzy Hash: 4ebbf84c3906e5ac4341c241af994a6b853dd90065c29d3cb6c0a5cb8fb3fad4
      • Instruction Fuzzy Hash: EE7194B594122CABDB30DB64DC89FEEB778EF14744F1001E6E908B7251D6749E448FA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E00404650(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, struct HDC__* _a8) {
      				signed int _v8;
      				struct tagRECT _v560;
      				struct tagRECT _v588;
      				struct tagTEXTMETRICW _v648;
      				long _v652;
      				intOrPtr _v660;
      				struct HDC__* _v672;
      				signed int _t21;
      				long _t31;
      				struct HDC__* _t39;
      				long _t40;
      				void* _t41;
      				void* _t46;
      				struct HDC__* _t48;
      				void* _t50;
      				void* _t52;
      				void* _t53;
      				signed int _t57;
      
      				_t55 = _t57;
      				_t21 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t21 ^ _t57;
      				asm("movdqu xmm0, [ebp+0x10]");
      				_push(__ebx);
      				_t39 = _a8;
      				_push(__esi);
      				_t52 = __ecx;
      				_v660 = _a4;
      				_push(__edi);
      				_v672 = _t39;
      				asm("movdqu [ebp-0x248], xmm0");
      				_t48 = GetDC( *(__ecx + 8));
      				SelectObject(_t48,  *(_t52 + 0x30));
      				GetTextMetricsW(_t48,  &_v648);
      				ReleaseDC( *(_t52 + 8), _t48);
      				if( *((intOrPtr*)(_t52 + 0x38)) != 0) {
      					GetSystemMetrics(0x32);
      				}
      				GetWindowRect( *(_t52 + 0xc),  &_v560);
      				if(_v660 ==  *(_t52 + 0xc)) {
      					_t40 = 1;
      					_v652 = 1;
      					L7:
      					return _t40;
      				}
      				_t31 = SendMessageW( *(_t52 + 0x14), 0x1200, 0, 0);
      				_v652 = _t31;
      				if(_t31 != 0) {
      					_t40 = _v652;
      					goto L7;
      				}
      				FillRect(_t39,  &_v588, GetSysColorBrush(5));
      				_pop(_t50);
      				_pop(_t53);
      				_pop(_t41);
      				return E0046F77E(_t41, _v8 ^ _t55, _t46, _t50, _t53);
      			}

      APIs
      • GetDC.USER32(?), ref: 0040468A
      • SelectObject.GDI32(00000000,?), ref: 00404696
      • GetTextMetricsW.GDI32(00000000,?), ref: 004046A4
      • ReleaseDC.USER32 ref: 004046AE
      • GetSystemMetrics.USER32 ref: 004046BC
      • GetWindowRect.USER32 ref: 004046CC
      • SendMessageW.USER32(?,00001200,00000000,00000000), ref: 004046F6
      • GetSysColorBrush.USER32(00000005), ref: 00404708
      • FillRect.USER32 ref: 00404717
      • SendMessageW.USER32(?,00001211,?,00000000), ref: 0040476E
      • SendMessageW.USER32(?,00001207,?,?), ref: 004047F6
      • InflateRect.USER32(?,000000FE,000000FE), ref: 00404806
      • GetScrollInfo.USER32 ref: 00404855
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageRectSend$Metrics$BrushColorFillInflateInfoObjectReleaseScrollSelectSystemTextWindow
      • String ID:
      • API String ID: 2260952835-0
      • Opcode ID: 02925a90457306cac3cc9cbf1bb25bd695b42b8d01c9b2c88e9e80dd2abd7b11
      • Instruction ID: ddfdc8a4a82af02964eccb4319ba60dde5d73bb1790eb8de4b15fafd9a301817
      • Opcode Fuzzy Hash: 02925a90457306cac3cc9cbf1bb25bd695b42b8d01c9b2c88e9e80dd2abd7b11
      • Instruction Fuzzy Hash: 0AE13A75901218AFDB61DF64CC88BAEB7B5FF49300F1046EAE549E2260DB35AE85CF14
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 69%
      			E00407150(void* __ecx, void* __edx) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct HINSTANCE__* _v28;
      				intOrPtr _v32;
      				char _v36;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t49;
      				RECT* _t55;
      				intOrPtr* _t56;
      				struct HWND__* _t57;
      				struct HWND__* _t60;
      				struct HWND__* _t68;
      				void* _t86;
      				void* _t87;
      				void* _t99;
      				void* _t103;
      				struct HWND__* _t105;
      				struct HINSTANCE__* _t107;
      				void* _t108;
      				signed int _t112;
      
      				_t99 = __edx;
      				_t110 = _t112;
      				_t49 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t49 ^ _t112;
      				_t86 = __ecx;
      				_v28 = GetModuleHandleW(0);
      				GetClientRect( *(_t86 + 8),  &_v24);
      				SetPropW( *(_t86 + 8),  *0x4bc8a0 & 0x0000ffff, _t86);
      				_t55 =  *(_t86 + 4);
      				_t105 =  *(_t86 + 8);
      				if(_t55 != 0) {
      					 *0x4bc890(_t55);
      				}
      				 *(_t86 + 4) = 0;
      				_t56 =  *0x4bc884; // 0x73c34310
      				if(_t56 != 0 &&  *_t56() != 0) {
      					 *(_t86 + 4) =  *0x4bc888(_t105,  *( *_t86)());
      				}
      				_t57 = CreateWindowExW(0, L"SysHeader32", 0x48fc20, 0x44000082, 0, 0, 0, 0,  *(_t86 + 8), 0x451, _v28, 0);
      				 *(_t86 + 0xc) = _t57;
      				SetPropW(_t57,  *0x4bc8a0 & 0x0000ffff, _t86);
      				 *((intOrPtr*)(_t86 + 0xc8)) = SetWindowLongW( *(_t86 + 0xc), 0xfffffffc, E004095B0);
      				_t60 = CreateWindowExW(0, L"SysHeader32", 0x48fc20, 0x440000c2, 0, 0, 0, 0,  *(_t86 + 8), 0x452, _v28, 0);
      				 *(_t86 + 0x14) = _t60;
      				SetPropW(_t60,  *0x4bc8a0 & 0x0000ffff, _t86);
      				SetWindowLongW( *(_t86 + 0x14), 0xfffffffc, E004095B0);
      				 *((intOrPtr*)(_t86 + 0x1c)) = CreateWindowExW(0, L"ScrollBar", 0x48fc20, 0x44000005, 0, 0, 0, 0,  *(_t86 + 8), 0x453, _v28, 0);
      				 *((intOrPtr*)(_t86 + 0x20)) = CreateWindowExW(0, L"ScrollBar", 0x48fc20, 0x44000004, 0, 0, 0, 0,  *(_t86 + 8), 0x454, _v28, 0);
      				 *((intOrPtr*)(_t86 + 0x24)) = CreateWindowExW(0, L"ScrollBar", 0x48fc20, 0x44000004, 0, 0, 0, 0,  *(_t86 + 8), 0x455, _v28, 0);
      				 *((intOrPtr*)(_t86 + 0x28)) = CreateWindowExW(0, L"Static", 0x48fc20, 0x44000000, 0, 0, 0, 0,  *(_t86 + 8), 0x456, _v28, 0);
      				_v36 = 8;
      				_v32 = 4;
      				__imp__InitCommonControlsEx( &_v36);
      				_t107 = _v28;
      				_t68 = E00404260(_t107,  *(_t86 + 8));
      				 *(_t86 + 0x2c) = _t68;
      				SetPropW(_t68,  *0x4bc8a0 & 0x0000ffff, _t86);
      				 *((intOrPtr*)(_t86 + 0xb0)) = SetWindowLongW( *(_t86 + 0x2c), 0xfffffffc, E00409600);
      				SetTimer( *(_t86 + 8), 0x64, 0x1f4, 0);
      				 *((intOrPtr*)(_t86 + 0x10)) = E00404260(_t107,  *(_t86 + 0xc));
      				 *((intOrPtr*)(_t86 + 0x18)) = E00404260(_t107,  *(_t86 + 0x14));
      				SendMessageW( *(_t86 + 8), 0x30, GetStockObject(0x11), 0);
      				 *((intOrPtr*)(_t86 + 0x34)) = LoadCursorW(_t107, L"SPLITTER_CURSOR");
      				 *((intOrPtr*)(_t86 + 0x60)) = 0x10;
      				InvalidateRect( *(_t86 + 8), 0, 1);
      				_pop(_t103);
      				_pop(_t108);
      				_pop(_t87);
      				return E0046F77E(_t87, _v8 ^ _t110, _t99, _t103, _t108);
      			}

      APIs
      • GetModuleHandleW.KERNEL32(00000000), ref: 00407167
      • GetClientRect.USER32 ref: 00407177
      • SetPropW.USER32 ref: 0040718F
      • CreateWindowExW.USER32 ref: 004071F5
      • SetPropW.USER32 ref: 00407204
      • SetWindowLongW.USER32 ref: 00407216
      • CreateWindowExW.USER32 ref: 00407244
      • SetPropW.USER32 ref: 00407253
      • SetWindowLongW.USER32 ref: 00407263
      • CreateWindowExW.USER32 ref: 0040728B
      • CreateWindowExW.USER32 ref: 004072B6
      • CreateWindowExW.USER32 ref: 004072E1
      • CreateWindowExW.USER32 ref: 0040730C
      • InitCommonControlsEx.COMCTL32(?,?,00000000,?,00000000,?,00000000), ref: 00407323
        • Part of subcall function 00404260: CreateWindowExW.USER32 ref: 00404294
        • Part of subcall function 00404260: GetClientRect.USER32 ref: 004042CB
        • Part of subcall function 00404260: SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004042DD
      • SetPropW.USER32 ref: 00407344
      • SetWindowLongW.USER32 ref: 00407354
      • SetTimer.USER32(?,00000064,000001F4,00000000), ref: 00407368
      • GetStockObject.GDI32(00000011), ref: 0040738E
      • SendMessageW.USER32(?,00000030,00000000), ref: 0040739A
      • LoadCursorW.USER32(?,SPLITTER_CURSOR), ref: 004073A6
      • InvalidateRect.USER32(?), ref: 004073BD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$Create$Prop$LongRect$ClientMessageSend$CommonControlsCursorHandleInitInvalidateLoadModuleObjectStockTimer
      • String ID: SPLITTER_CURSOR$ScrollBar$Static$SysHeader32
      • API String ID: 25741240-124383379
      • Opcode ID: 6d7fcc4b96650de7e8756c2c15d20878eb24e8a7c914069a19a72263be31060e
      • Instruction ID: 5de49bb53ec6c2ba600d481ac11772cf783b4e2ed5052d8c7891bf65bd61fe04
      • Opcode Fuzzy Hash: 6d7fcc4b96650de7e8756c2c15d20878eb24e8a7c914069a19a72263be31060e
      • Instruction Fuzzy Hash: 82714170680304BBEB106FA0DC86F6A7A64FB48B11F24457AFB04BE1D5D7B4A954CB6C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E0040B6B0(void* __ebx, void* __edx, void* __edi, struct HWND__* _a4) {
      				signed int _v8;
      				intOrPtr _v12;
      				int _v16;
      				signed int _v20;
      				signed int _v24;
      				int _v28;
      				int _v32;
      				struct tagRECT _v48;
      				int _v52;
      				void* _v56;
      				long _v60;
      				struct HICON__* _v64;
      				struct HWND__* _v68;
      				struct HINSTANCE__* _v102;
      				intOrPtr _v116;
      				struct HDC__* _v120;
      				char _v132;
      				struct tagPD _v136;
      				struct _DOCINFOW _v156;
      				void* __esi;
      				signed int _t59;
      				signed int _t69;
      				signed int _t71;
      				int _t75;
      				signed int _t79;
      				signed int _t102;
      				struct HWND__* _t103;
      				void* _t104;
      				void* _t109;
      				signed int _t111;
      				void* _t115;
      				struct HWND__* _t116;
      				int _t119;
      				signed int _t120;
      
      				_t109 = __edx;
      				_t59 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t59 ^ _t120;
      				_t116 = _a4;
      				_v68 = _t116;
      				E00470030( &_v132, 0, 0x3e);
      				_v136 = 0x42;
      				_v132 = _t116;
      				_v102 = GetModuleHandleW(0);
      				_v116 = 0x14c;
      				if(PrintDlgW( &_v136) != 0) {
      					_push(__ebx);
      					_push(__edi);
      					_v64 = SetCursor(LoadCursorW(0, 0x7f02));
      					_v60 = GetDeviceCaps(_v120, 8);
      					_t69 = GetDeviceCaps(_v120, 0xa);
      					_t102 = GetDeviceCaps(_v120, 0x58);
      					_t71 = GetDeviceCaps(_v120, 0x5a);
      					_v56 = 0;
      					E00470030( &_v52, 0, 0x2c);
      					_v156.cbSize = 0;
      					asm("xorps xmm0, xmm0");
      					asm("movdqu [ebp-0x94], xmm0");
      					SetMapMode(_v120, 1);
      					_t75 = _v120;
      					_v56 = _t75;
      					_v52 = _t75;
      					asm("cdq");
      					_v28 = 0;
      					_v32 = 0;
      					_v20 = _t69 / _t71 * 0x5a0;
      					_t79 = _v60;
      					asm("cdq");
      					_t111 = _t79 % _t102;
      					_v24 = _t79 / _t102 * 0x5a0;
      					asm("movdqu xmm0, [ebp-0x1c]");
      					asm("movdqu [ebp-0x2c], xmm0");
      					InflateRect( &_v48, 0xfffffa60, 0xfffffa60);
      					_v16 = 0;
      					_v12 = 0xffffffff;
      					_v156.cbSize = 0x14;
      					_v156.lpszDocName = L"Sysinternals License";
      					StartDocW(_v120,  &_v156);
      					_t103 = _v68;
      					_v60 = SendMessageW(_t103, 0xe, 0, 0);
      					StartPage(_v120);
      					_t119 = SendMessageW(_t103, 0x439, 1,  &_v56);
      					EndPage(_v120);
      					while(_t119 < _v60) {
      						_v16 = _t119;
      						_v12 = 0xffffffff;
      						StartPage(_v120);
      						_t119 = SendMessageW(_t103, 0x439, 1,  &_v56);
      						EndPage(_v120);
      					}
      					SendMessageW(_t103, 0x439, 0, 0);
      					EndDoc(_v120);
      					SetCursor(_v64);
      					_pop(_t115);
      					_pop(_t104);
      					return E0046F77E(_t104, _v8 ^ _t120, _t111, _t115, _t119);
      				} else {
      					return E0046F77E(__ebx, _v8 ^ _t120, _t109, __edi, _t116);
      				}
      			}

      APIs
      • _memset.LIBCMT ref: 0040B6D2
      • GetModuleHandleW.KERNEL32(00000000,?,?,?), ref: 0040B6E9
      • PrintDlgW.COMDLG32(00000042,?,?,?), ref: 0040B700
      • LoadCursorW.USER32(00000000,00007F02), ref: 0040B722
      • SetCursor.USER32(00000000,?,?,?,?), ref: 0040B729
      • GetDeviceCaps.GDI32(?,00000008), ref: 0040B73D
      • GetDeviceCaps.GDI32(?,0000000A), ref: 0040B747
      • GetDeviceCaps.GDI32(?,00000058), ref: 0040B750
      • GetDeviceCaps.GDI32(?,0000005A), ref: 0040B759
      • _memset.LIBCMT ref: 0040B76C
      • SetMapMode.GDI32(?,00000001), ref: 0040B78E
      • InflateRect.USER32(?,FFFFFA60,FFFFFA60), ref: 0040B7E0
      • StartDocW.GDI32(?,00000000), ref: 0040B812
      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0040B828
      • StartPage.GDI32(?), ref: 0040B830
      • SendMessageW.USER32(?,00000439,00000001,00000000), ref: 0040B842
      • EndPage.GDI32(?), ref: 0040B849
      • StartPage.GDI32(?), ref: 0040B86D
      • SendMessageW.USER32(?,00000439,00000001,00000000), ref: 0040B87F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CapsDevice$MessagePageSendStart$Cursor_memset$HandleInflateLoadModeModulePrintRect
      • String ID: B$t\I
      • API String ID: 228724135-2176315325
      • Opcode ID: 27b0562df59f84c4d8b2aef1e67f3b19e601e94fdb1ad84d0a296872b9728428
      • Instruction ID: fb0fd05d664f02e5cf25002725c51c134e0c9a0a2b6d11269fb4695dafefc526
      • Opcode Fuzzy Hash: 27b0562df59f84c4d8b2aef1e67f3b19e601e94fdb1ad84d0a296872b9728428
      • Instruction Fuzzy Hash: 86513871E00218EBDF209FA5EC4AB9DBBB5FB48710F20466AF504B7291DB745A448F98
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VariantClear.OLEAUT32(?), ref: 0040330B
      • VariantClear.OLEAUT32(?), ref: 00403357
      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004033A1
      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004033B5
      • SafeArrayAccessData.OLEAUT32(?,?), ref: 004033D7
      • SafeArrayGetLBound.OLEAUT32(00000000,00000001,?), ref: 004033EB
      • SafeArrayGetUBound.OLEAUT32(00000000,00000001,?), ref: 004033FF
      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00403421
        • Part of subcall function 0046EEB6: _malloc.LIBCMT ref: 0046EECE
      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00403521
      • SafeArrayDestroy.OLEAUT32(?), ref: 0040352A
      • VariantInit.OLEAUT32(00002000), ref: 00403533
      • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00403542
      • SafeArrayDestroy.OLEAUT32(00000000), ref: 00403545
      • VariantInit.OLEAUT32(?), ref: 0040354E
      • VariantClear.OLEAUT32(?), ref: 0040366B
      • SafeArrayGetLBound.OLEAUT32(00000000,00000001,?), ref: 004036CF
      • SafeArrayGetUBound.OLEAUT32(00000000,00000001,?), ref: 004036EC
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ArraySafe$Bound$Variant$Data$Clear$AccessDestroyInitUnaccess$_malloc
      • String ID:
      • API String ID: 1879989983-0
      • Opcode ID: 2b4c453a24769a6261ba542e561bcd568e2fd7672ff8866be32a2f34f1d313d9
      • Instruction ID: 89e210f1d8eb1d1ae695f9a9d912778a9cb6a0e622c181b5568f69ad4fd146d3
      • Opcode Fuzzy Hash: 2b4c453a24769a6261ba542e561bcd568e2fd7672ff8866be32a2f34f1d313d9
      • Instruction Fuzzy Hash: 19F10CB1A002299BDF209F61CC84B9EB7BDEF44705F0044EAE609A7291D7759F85CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E0046C6B0(void* __ecx, void* __edx) {
      				signed char _v8;
      				char _v16;
      				char _v20;
      				signed char _v24;
      				char _v28;
      				char _v32;
      				int _v36;
      				void* _v40;
      				char _v44;
      				char _v48;
      				void* __ebx;
      				signed int _t48;
      				intOrPtr* _t57;
      				void* _t63;
      				intOrPtr _t69;
      				void* _t95;
      				signed char _t96;
      				void* _t98;
      				char _t99;
      				struct HINSTANCE__* _t117;
      				char _t121;
      				signed int _t123;
      				void* _t124;
      				void* _t125;
      
      				_t98 = __ecx;
      				_push(0xffffffff);
      				_push(E0048D4FA);
      				_push( *[fs:0x0]);
      				_t125 = _t124 - 0x20;
      				_push(_t95);
      				_t48 =  *0x4bb1dc; // 0x2927074f
      				_push(_t48 ^ _t123);
      				 *[fs:0x0] =  &_v16;
      				_v24 = 0;
      				_t117 = LoadLibraryW(0x4bd8b0);
      				if(_t117 == 0) {
      					if(RegOpenKeyW(0x80000001, L"Software\\Microsoft\\DebuggingTools",  &_v40) != 0) {
      						ExpandEnvironmentStringsW(L"%ProgramFiles%\\Debugging Tools for Windows (x86)\\dbghelp.dll", 0x4bd8b0, 0x104);
      					} else {
      						_v36 = 0x208;
      						RegQueryValueExW(_v40, L"Windbg", _t117, _t117, 0x4bd8b0,  &_v36);
      						E00472C98(0x4bd8b0, 0x104, L"DbgHelp.dll");
      						_t125 = _t125 + 0xc;
      					}
      					_t117 = LoadLibraryW(0x4bd8b0);
      					if(_t117 == 0) {
      						E0046EF0C(0x4bd8b0, 0x104, L"C:\\Debuggers\\dbghelp.dll");
      						_t125 = _t125 + 0xc;
      						_t117 = LoadLibraryW(0x4bd8b0);
      						if(_t117 == 0) {
      							GetCurrentDirectoryW(0x104, 0x4bd8b0);
      							E00472C98(0x4bd8b0, 0x104, L"\\dbghelp.dll");
      							_t125 = _t125 + 0xc;
      							_t117 = LoadLibraryW(0x4bd8b0);
      							if(_t117 == 0) {
      								_t117 = LoadLibraryW(L"dbghelp.dll");
      								_t135 = _t117;
      								if(_t117 == 0) {
      									_t117 = LoadLibraryW(L"imagehlp.dll");
      								}
      							}
      						}
      					}
      				}
      				E00434DD0(_t95, _t98, _t135,  &_v20, L"%PATH%");
      				_v8 = 0;
      				if(E00471495(0x4bd8b0, 0x5c) == 0) {
      					_t121 = E0046A6C0(_t95, 0x4bd8b0, E0046A530(0x4bd8b0));
      					_v28 = _t121;
      					_t57 =  &_v28;
      					_v8 = 2;
      					_t96 = 2;
      				} else {
      					_t57 = E00434E40(_t98,  &_v44, 0x4bd8b0, _t54 - 0x4bd8b0 >> 1);
      					_t121 = _v28;
      					_t96 = 1;
      					_v8 = 1;
      				}
      				_t99 =  *_t57;
      				_v24 = _t96;
      				_v32 = _t99;
      				if(_t99 != 0) {
      					E0046A420(_t99);
      				}
      				_v8 = 4;
      				if((_t96 & 0x00000002) != 0) {
      					_t96 = _t96 & 0xfffffffd;
      					_v24 = _t96;
      					if(_t121 != 0) {
      						E0046A700(_t121);
      					}
      				}
      				_v8 = 5;
      				if((_t96 & 0x00000001) != 0) {
      					_t113 = _v44;
      					if(_v44 != 0) {
      						E0046A700(_t113);
      					}
      				}
      				_v28 = E0046A6C0(_t96, ";", E0046A530(";"));
      				_v8 = 6;
      				E0046A230( &_v48,  &_v28);
      				_v8 = 7;
      				_t63 = E0046A230( &_v24,  &_v32);
      				_v8 = 8;
      				E0046A0B0( &_v20, _t63);
      				_t105 = _v24;
      				_v8 = 7;
      				if(_v24 != 0) {
      					E0046A700(_t105);
      				}
      				_t106 = _v48;
      				_v8 = 6;
      				if(_v48 != 0) {
      					E0046A700(_t106);
      				}
      				_t107 = _v28;
      				_v8 = 5;
      				if(_v28 != 0) {
      					E0046A700(_t107);
      				}
      				SetEnvironmentVariableW(L"PATH", E0046A170( &_v20));
      				_t109 = _v32;
      				_v8 = 0;
      				if(_v32 != 0) {
      					E0046A700(_t109);
      				}
      				_t110 = _v20;
      				_v8 = 0xffffffff;
      				if(_v20 != 0) {
      					E0046A700(_t110);
      				}
      				GetModuleFileNameW(_t117, 0x4bd8b0, 0x104);
      				E0046D2B0(0x4bd8b0);
      				_t69 =  *0x4c27b0; // 0x0
      				 *0x4c27e0 = _t69;
      				 *[fs:0x0] = _v16;
      				return _t69;
      			}

      APIs
      • LoadLibraryW.KERNEL32(004BD8B0,2927074F,00000000,749682C0,?), ref: 0046C6EA
      • RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\DebuggingTools,?), ref: 0046C704
      • RegQueryValueExW.ADVAPI32(?,Windbg,00000000,00000000,004BD8B0,?), ref: 0046C728
      • ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%\Debugging Tools for Windows (x86)\dbghelp.dll,004BD8B0,00000104), ref: 0046C756
      • LoadLibraryW.KERNEL32(004BD8B0), ref: 0046C761
      • LoadLibraryW.KERNEL32(004BD8B0), ref: 0046C785
      • GetCurrentDirectoryW.KERNEL32(00000104,004BD8B0), ref: 0046C797
      • LoadLibraryW.KERNEL32(004BD8B0), ref: 0046C7B9
      • LoadLibraryW.KERNEL32(dbghelp.dll), ref: 0046C7C6
      • LoadLibraryW.KERNEL32(imagehlp.dll), ref: 0046C7D3
      • _wcsrchr.LIBCMT ref: 0046C7F3
      • SetEnvironmentVariableW.KERNEL32(PATH,00000000,00000000,00000000,?,?,?), ref: 0046C922
      • GetModuleFileNameW.KERNEL32(00000000,004BD8B0,00000104), ref: 0046C956
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: LibraryLoad$Environment$CurrentDirectoryExpandFileModuleNameOpenQueryStringsValueVariable_wcsrchr
      • String ID: %PATH%$%ProgramFiles%\Debugging Tools for Windows (x86)\dbghelp.dll$C:\Debuggers\dbghelp.dll$DbgHelp.dll$PATH$Software\Microsoft\DebuggingTools$Windbg$\dbghelp.dll$dbghelp.dll$imagehlp.dll
      • API String ID: 2370551187-2329811820
      • Opcode ID: 7740e1855f937938a7f56cb3d81a940eab260001eaf995eef14403a06f329164
      • Instruction ID: 29374899ab90ca08df99ef6eb4b546d37866c19bf248538228c78558bf90fead
      • Opcode Fuzzy Hash: 7740e1855f937938a7f56cb3d81a940eab260001eaf995eef14403a06f329164
      • Instruction Fuzzy Hash: 9F71B2B1E40205AADB00EBA58C82BFF7664AF55715F24006FE951B3281FBBD59048A6F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 66%
      			E0044E2D6(void* __ebx, void* __edx, int __edi) {
      				void* __esi;
      				struct HINSTANCE__* _t45;
      				intOrPtr* _t48;
      				void* _t74;
      				int _t80;
      				void* _t86;
      				int _t87;
      				void* _t89;
      				struct HWND__* _t90;
      				void* _t91;
      				signed int _t92;
      				void* _t94;
      				intOrPtr _t102;
      
      				_t87 = __edi;
      				_t86 = __edx;
      				_t74 = __ebx;
      				do {
      					if( *(0x4a5658 + _t87 * 4) < 0) {
      						InsertMenuW( *0x4c22b4, _t87, 0xc00, 0, 0);
      						InsertMenuW( *0x4c22b8, _t87, 0xc00, 0, 0);
      						_push(0);
      						_push(0);
      						_push(0xc00);
      					} else {
      						asm("movdqu xmm0, [0x4a56e4]");
      						asm("movdqu [ebp-0x288], xmm0");
      						asm("movq xmm0, [0x4a56f4]");
      						asm("movq [ebp-0x278], xmm0");
      						E00470030(_t92 - 0x270, 0, 0x1f0);
      						_t94 = _t94 + 0xc;
      						LoadStringW(GetModuleHandleW(0),  *(0x4a5658 + _t87 * 4), _t92 - 0x288, 0x104);
      						InsertMenuW( *0x4c22b4, _t87, 0x400, 0xffffffff, _t92 - 0x288);
      						InsertMenuW( *0x4c22b8, _t87, 0x400, 0xffffffff, _t92 - 0x288);
      						_push(_t92 - 0x288);
      						_push(0xffffffff);
      						_push(0x400);
      					}
      					InsertMenuW( *0x4c22bc, _t87, ??, ??, ??);
      					_t87 = _t87 + 1;
      				} while (_t87 < 0x15);
      				E0044DDD0(0x4bdd00, _t86,  *0x4bd2b4);
      				E0044AEF0(0x4bdd00,  *0x4c22c0);
      				L00437FA0(_t90,  *0x4bd894 & 0x000000ff);
      				E0045CA50(_t90, 0x9cb4, 0,  *0x4bd894 & 0x000000ff);
      				E0045CA50(_t90, 0x9c53, 3,  *0x4bd895 & 0x000000ff);
      				_t102 =  *0x4bd896; // 0x0
      				_t40 =  !=  ? 8 : 0;
      				CheckMenuItem(GetMenu(_t90), 0x9c7f,  !=  ? 8 : 0);
      				E0045C5B0(_t90);
      				 *0x4bb130 = RegisterWindowMessageW(L"commdlg_FindReplace");
      				_t45 =  *0x4bd2c4; // 0x400000
      				 *0x4bb138 = _t90;
      				 *0x4bb140 = 1;
      				 *0x4bb13c = _t45;
      				 *0x4bb144 = 0x4c22d0;
      				 *0x4bb148 = 0;
      				 *0x4bb14c = 0x104;
      				E0044DBB0(0x4bdd08, _t90,  *0x4be2a4, 0x9c6f, LoadCursorW(_t45, 0x79));
      				_push(0xc);
      				_t48 = E0046EEB6(_t74, 8, _t102);
      				if(_t48 == 0) {
      					_t48 = 0;
      					__eflags = 0;
      				} else {
      					 *_t48 = 0x4a3178;
      					 *((intOrPtr*)(_t48 + 4)) = 1;
      					 *(_t48 + 8) = 0;
      				}
      				__imp__RegisterDragDrop(_t90, _t48);
      				_t80 =  !=  ? 8 : 0;
      				CheckMenuItem(GetMenu(_t90), 0x9cb0, _t80);
      				_t53 =  !=  ? 8 : 0;
      				CheckMenuItem(GetMenu(_t90), 0x9cc0,  !=  ? 8 : 0);
      				_t57 =  !=  ? 8 : 0;
      				CheckMenuItem(GetMenu(_t90), 0x9ce6,  !=  ? 8 : 0);
      				_t61 =  !=  ? 8 : 0;
      				CheckMenuItem(GetMenu(_t90), 0x9ce7,  !=  ? 8 : 0);
      				 *0x4bd0a1 = _t80 & 0xffffff00 | E0040F610() == 0x00000000;
      				_t66 =  !=  ? 8 : 0;
      				CheckMenuItem(GetMenu(_t90), 0x9c8c,  !=  ? 8 : 0);
      				if( *0x4bd0a1 == 0) {
      					E0040EE70(_t74, _t86, 8);
      				}
      				E0045C360(_t90);
      				E0045C730(_t86);
      				 *[fs:0x0] =  *((intOrPtr*)(_t92 - 0xc));
      				_pop(_t89);
      				_pop(_t91);
      				return E0046F77E(_t74,  *(_t92 - 0x10) ^ _t92, _t86, _t89, _t91);
      			}

      APIs
      • _memset.LIBCMT ref: 0044E31C
      • GetModuleHandleW.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000,00000000), ref: 0044E339
      • LoadStringW.USER32(00000000), ref: 0044E340
      • InsertMenuW.USER32(00000000,00000400,000000FF,?), ref: 0044E35B
      • InsertMenuW.USER32(00000000,00000400,000000FF,?), ref: 0044E376
      • InsertMenuW.USER32(00000000,00000C00,00000000,00000000), ref: 0044E39C
      • InsertMenuW.USER32(00000000,00000C00,00000000,00000000), ref: 0044E3B2
      • InsertMenuW.USER32(00000000,00000C00,00000000,00000000), ref: 0044E3C8
      • GetMenu.USER32 ref: 0044E44A
      • CheckMenuItem.USER32(00000000,?,00009C7F), ref: 0044E451
      • RegisterWindowMessageW.USER32(commdlg_FindReplace,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0044E465
      • LoadCursorW.USER32(00400000,00000079), ref: 0044E4AD
      • RegisterDragDrop.OLE32(?,00000000), ref: 0044E4F2
      • GetMenu.USER32 ref: 0044E510
      • CheckMenuItem.USER32(00000000,?,00009CB0), ref: 0044E517
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Menu$Insert$CheckItemLoadRegister$CursorDragDropHandleMessageModuleStringWindow_memset
      • String ID: commdlg_FindReplace$pHx
      • API String ID: 3329817966-956448493
      • Opcode ID: 49efa27d3e8ae608c4c15cd9a04baf532608e4a761b9f6eeaa7d8597cf56801e
      • Instruction ID: de118f04ebc9d1bbb4bb391b54f9eef4da68ca7f3c301f014e863ed6aada5e85
      • Opcode Fuzzy Hash: 49efa27d3e8ae608c4c15cd9a04baf532608e4a761b9f6eeaa7d8597cf56801e
      • Instruction Fuzzy Hash: 3B6104B0900644BFFB006B71AC09F6F3BA8EB45705F14067AF645D60E2EBB84549CB6D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E004569B0(struct HWND__* _a4, intOrPtr _a8, signed int _a12, int* _a16) {
      				signed int _v8;
      				int _v12;
      				int _v48;
      				char _v52;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t15;
      				void* _t18;
      				signed int _t20;
      				void* _t25;
      				int _t30;
      				void* _t38;
      				int _t39;
      				int _t40;
      				int* _t41;
      				int* _t46;
      				void* _t48;
      				int _t51;
      				struct HWND__* _t52;
      				struct HWND__* _t56;
      				struct HWND__* _t60;
      				int* _t61;
      				void* _t66;
      				void* _t67;
      				void* _t68;
      				signed int _t69;
      
      				_t15 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t15 ^ _t69;
      				_t61 = _a16;
      				_t60 = _a4;
      				_t18 = _a8 - 2;
      				if(_t18 == 0) {
      					_t68 =  *0x4bd2b4; // 0x0
      					asm("xorps xmm0, xmm0");
      					_v52 = 0x2c;
      					_v48 = 0;
      					asm("movdqu [ebp-0x28], xmm0");
      					_v12 = 0;
      					asm("movdqu [ebp-0x18], xmm0");
      					_t20 = GetWindowPlacement(_t60,  &_v52);
      					__eflags = _t20;
      					if(_t20 != 0) {
      						RegSetValueExW(_t68, L"ProfilingDialog", 0, 3,  &_v52, 0x2c);
      					}
      					goto L32;
      				} else {
      					_t25 = _t18 - 0x10e;
      					if(_t25 == 0) {
      						 *0x4bdd28 = _t61;
      						E004585D0(_t60,  *0x4bd2b4, L"ProfilingDialog");
      						__eflags =  *0x4bd89c; // 0x0
      						CheckDlgButton(_t60, 0x44d, 0 | __eflags != 0x00000000);
      						_t30 =  *0x4bd89c; // 0x0
      						__eflags = _t30 - 1;
      						if(_t30 <= 1) {
      							_push(0x44e);
      							goto L28;
      						} else {
      							__eflags = _t30 - 0xa;
      							if(_t30 == 0xa) {
      								_push(0x44f);
      								L28:
      								CheckRadioButton(_t60, 0x44e, 0x44f, ??);
      							}
      						}
      						SendMessageW(_t60, 0x111, 0x44d, 0);
      						__eflags = _v8 ^ _t69;
      						return E0046F77E(_t60, _v8 ^ _t69, _t66, _t67, _t68);
      					} else {
      						if(_t25 == 1) {
      							_t38 = (_a12 & 0x0000ffff) - 1;
      							if(_t38 == 0) {
      								_t68 = IsDlgButtonChecked;
      								_t39 = IsDlgButtonChecked(_t60, 0x44d);
      								__eflags = _t39;
      								if(_t39 != 0) {
      									_t40 = IsDlgButtonChecked(_t60, 0x44e);
      									__eflags = _t40;
      									_t41 =  *0x4bdd28; // 0x0
      									if(_t40 == 0) {
      										__eflags = _t41;
      										if(_t41 == 0) {
      											 *0x4bd89c = 0xa;
      											goto L21;
      										} else {
      											 *_t41 = 0xa;
      											EndDialog(_t60, 1);
      										}
      									} else {
      										__eflags = _t41;
      										if(_t41 == 0) {
      											 *0x4bd89c = 1;
      											goto L21;
      										} else {
      											 *_t41 = 1;
      											EndDialog(_t60, 1);
      										}
      									}
      								} else {
      									_t46 =  *0x4bdd28; // 0x0
      									__eflags = _t46;
      									if(_t46 == 0) {
      										 *0x4bd89c = 0;
      										L21:
      										__eflags =  *0x4bd2e9;
      										if( *0x4bd2e9 != 0) {
      											E0043ACF0(_t66);
      										}
      										EndDialog(_t60, 1);
      									} else {
      										 *_t46 = 0;
      										EndDialog(_t60, 1);
      									}
      								}
      							} else {
      								_t48 = _t38 - 1;
      								if(_t48 == 0) {
      									EndDialog(_t60, 0);
      								} else {
      									if(_t48 == 0x44b) {
      										_t51 = IsDlgButtonChecked(_t60, 0x44d);
      										_t67 = GetDlgItem;
      										if(_t51 == 0) {
      											_t52 = GetDlgItem(_t60, 0x44e);
      											_t68 = EnableWindow;
      											EnableWindow(_t52, 0);
      											EnableWindow(GetDlgItem(_t60, 0x44f), 0);
      										} else {
      											_t56 = GetDlgItem(_t60, 0x44e);
      											_t68 = EnableWindow;
      											EnableWindow(_t56, 1);
      											EnableWindow(GetDlgItem(_t60, 0x44f), 1);
      										}
      									}
      								}
      							}
      						}
      						L32:
      						return E0046F77E(_t60, _v8 ^ _t69, _t66, _t67, _t68);
      					}
      				}
      			}


      APIs
      • IsDlgButtonChecked.USER32(?,0000044D), ref: 00456A04
      • GetDlgItem.USER32 ref: 00456A1C
      • EnableWindow.USER32(00000000), ref: 00456A25
      • GetDlgItem.USER32 ref: 00456A2F
      • EnableWindow.USER32(00000000), ref: 00456A32
      • GetDlgItem.USER32 ref: 00456A41
      • EnableWindow.USER32(00000000), ref: 00456A4A
      • GetDlgItem.USER32 ref: 00456A54
      • EnableWindow.USER32(00000000), ref: 00456A57
      • EndDialog.USER32(?,00000000), ref: 00456A61
      • IsDlgButtonChecked.USER32(?,0000044D), ref: 00456A78
      • EndDialog.USER32(?,00000001), ref: 00456A90
      • CheckDlgButton.USER32(?,0000044D,00000000), ref: 00456B46
      • CheckRadioButton.USER32 ref: 00456B72
      • SendMessageW.USER32(?,00000111,0000044D,00000000), ref: 00456B85
      • GetWindowPlacement.USER32(?,?), ref: 00456BD0
      • RegSetValueExW.ADVAPI32(00000000,ProfilingDialog,00000000,00000003,0000002C,0000002C), ref: 00456BEA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$ButtonEnableItem$CheckCheckedDialog$MessagePlacementRadioSendValue
      • String ID: ,$ProfilingDialog
      • API String ID: 883324546-3000176156
      • Opcode ID: c14a886d604e2115b14c52f241415bc59201f6ed9a2d0636c055858849ee37ce
      • Instruction ID: 0d97ad7ded59bef08075e9771ce4672c43f31e45935ba231df78bc88a4e58059
      • Opcode Fuzzy Hash: c14a886d604e2115b14c52f241415bc59201f6ed9a2d0636c055858849ee37ce
      • Instruction Fuzzy Hash: 9F51A3B0A40319BBE7109F359C45F6B7768EB04702F41443AFA05E71E2DAB8E8488B6D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E0046B7A0(void* __ebx, void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, signed int _a16, struct HWND__* _a20, signed int _a24) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				long _v80;
      				char _v1020;
      				intOrPtr _v1024;
      				char _v1104;
      				signed int _v1108;
      				signed int _v1112;
      				signed int _v1116;
      				signed int _v1120;
      				signed int _v1124;
      				signed int _v1128;
      				signed int _v1132;
      				signed int _v1136;
      				intOrPtr _v1140;
      				signed int _v1144;
      				signed int _v1148;
      				signed int _v1160;
      				signed int _v1164;
      				intOrPtr _v1168;
      				char _v1172;
      				char _v1176;
      				char _v1180;
      				void* __edi;
      				void* __esi;
      				signed int _t166;
      				signed int _t167;
      				signed int _t171;
      				signed int _t177;
      				void* _t192;
      				signed int _t201;
      				signed int _t281;
      				void* _t282;
      				signed int _t298;
      				void* _t334;
      				signed int* _t336;
      				void* _t337;
      				struct HWND__* _t339;
      				void* _t340;
      				signed int _t342;
      				void* _t343;
      				void* _t344;
      				void* _t346;
      
      				_t334 = __edx;
      				_t282 = __ebx;
      				_push(0xffffffff);
      				_push(E0048D3E7);
      				_push( *[fs:0x0]);
      				_t344 = _t343 - 0x48c;
      				_t166 =  *0x4bb1dc; // 0x2927074f
      				_t167 = _t166 ^ _t342;
      				_v20 = _t167;
      				_push(_t167);
      				 *[fs:0x0] =  &_v16;
      				_t336 = _a4;
      				_t339 = _a20;
      				_v1116 = _a8;
      				_t170 = _a12;
      				_v1128 = _a16;
      				_v1140 = _a12;
      				_v1136 = _a24;
      				_v1180 = 0;
      				if( *0x4c2780 != 0) {
      					_t171 = E0046A720(_t170);
      					__eflags = _t171;
      					if(_t171 == 0) {
      						goto L1;
      					} else {
      						_v1124 = E0046A170(_v1140);
      						_t177 = E00471495(_t176, 0x5c);
      						_t346 = _t344 + 8;
      						__eflags = _t177;
      						if(_t177 != 0) {
      							_t281 = _t177 + 2;
      							__eflags = _t281;
      							_v1124 = _t281;
      						}
      						__eflags = _t339;
      						if(_t339 == 0) {
      							L14:
      							E0046C340(_t334, _v1116, _v1140, _v1128);
      							_t344 = _t346 + 0xc;
      							_v1172 = 0x18;
      							_v1168 = 0;
      							asm("xorps xmm0, xmm0");
      							_v1104 = 0x58;
      							_v1024 = 0x1d4;
      							asm("movdqu [ebp-0x488], xmm0");
      							__eflags = _t339;
      							if(_t339 != 0) {
      								_v1112 = E0046A6C0(_t282, L"...", E0046A530(L"..."));
      								_v8 = 7;
      								_v1108 = E0046A6C0(_t282, _v1124, E0046A530(_v1124));
      								_v8 = 8;
      								E0046A190( &_v1128, L"Loading symbols for ",  &_v1108);
      								_t344 = _t344 + 0x24;
      								_v8 = 9;
      								E0046A230( &_v1120,  &_v1112);
      								_t321 = _v1128;
      								_v8 = 0xb;
      								__eflags = _v1128;
      								if(_v1128 != 0) {
      									E0046A700(_t321);
      								}
      								_t322 = _v1108;
      								_v8 = 0xc;
      								__eflags = _v1108;
      								if(_v1108 != 0) {
      									E0046A700(_t322);
      								}
      								_t323 = _v1112;
      								_v8 = 0xd;
      								__eflags = _v1112;
      								if(_v1112 != 0) {
      									E0046A700(_t323);
      								}
      								SetWindowTextW(_t339, E0046A170( &_v1120));
      								_t325 = _v1120;
      								_v8 = 0xffffffff;
      								__eflags = _v1120;
      								if(_v1120 != 0) {
      									E0046A700(_t325);
      								}
      							}
      							EnterCriticalSection(0x4c27e4);
      							asm("cdq");
      							_v1132 =  *0x4c2780(_v1116,  *((intOrPtr*)(_v1140 + 0x20)), _t334,  &_v1148,  &_v1104);
      							LeaveCriticalSection(0x4c27e4);
      							__eflags = _v1132;
      							if(_v1132 != 0) {
      								__eflags = _t339;
      								if(_t339 != 0) {
      									_v1112 = E0046A6C0(_t282, L"...", E0046A530(L"..."));
      									_v8 = 0xe;
      									_v1108 = E0046A6C0(_t282, _v1124, E0046A530(_v1124));
      									_v8 = 0xf;
      									E0046A190( &_v1128, L"Retrieving function names for ",  &_v1108);
      									_t344 = _t344 + 0x24;
      									_v8 = 0x10;
      									E0046A230( &_v1120,  &_v1112);
      									_t313 = _v1128;
      									_v8 = 0x12;
      									__eflags = _v1128;
      									if(_v1128 != 0) {
      										E0046A700(_t313);
      									}
      									_t314 = _v1108;
      									_v8 = 0x13;
      									__eflags = _v1108;
      									if(_v1108 != 0) {
      										E0046A700(_t314);
      									}
      									_t315 = _v1112;
      									_v8 = 0x14;
      									__eflags = _v1112;
      									if(_v1112 != 0) {
      										E0046A700(_t315);
      									}
      									SetWindowTextW(_t339, E0046A170( &_v1120));
      									_t317 = _v1120;
      									_v8 = 0xffffffff;
      									__eflags = _v1120;
      									if(_v1120 != 0) {
      										E0046A700(_t317);
      									}
      								}
      								EnterCriticalSection(0x4c27e4);
      								asm("cdq");
      								 *0x4c27bc(_v1116,  *((intOrPtr*)(_v1140 + 0x20)), _t334,  &_v1176,  &_v1172);
      								 *0x4c27c0(_v1116,  &_v1172);
      								LeaveCriticalSection(0x4c27e4);
      							}
      							__eflags = _v1136;
      							if(_v1136 != 0) {
      								__eflags = _v1160;
      								if(_v1160 != 0) {
      									__eflags = _t339;
      									if(_t339 != 0) {
      										_v1112 = E0046A6C0(_t282, L"...", E0046A530(L"..."));
      										_v8 = 0x15;
      										_v1108 = E0046A6C0(_t282, _v1124, E0046A530(_v1124));
      										_v8 = 0x16;
      										E0046A190( &_v1128, L"Retrieving source path for ",  &_v1108);
      										_t344 = _t344 + 0x24;
      										_v8 = 0x17;
      										E0046A230( &_v1120,  &_v1112);
      										_t305 = _v1128;
      										_v8 = 0x19;
      										__eflags = _v1128;
      										if(_v1128 != 0) {
      											E0046A700(_t305);
      										}
      										_t306 = _v1108;
      										_v8 = 0x1a;
      										__eflags = _v1108;
      										if(_v1108 != 0) {
      											E0046A700(_t306);
      										}
      										_t307 = _v1112;
      										_v8 = 0x1b;
      										__eflags = _v1112;
      										if(_v1112 != 0) {
      											E0046A700(_t307);
      										}
      										SetWindowTextW(_t339, E0046A170( &_v1120));
      										_t309 = _v1120;
      										_v8 = 0xffffffff;
      										__eflags = _v1120;
      										if(_v1120 != 0) {
      											E0046A700(_t309);
      										}
      									}
      									EnterCriticalSection(0x4c27e4);
      									asm("cdq");
      									 *0x4c27c8(_v1116,  *((intOrPtr*)(_v1140 + 0x24)), _t334, 0, _v1160, _v1136, 0x104);
      									GetLastError();
      									LeaveCriticalSection(0x4c27e4);
      								}
      							}
      							__eflags = _v1132;
      							if(_v1132 == 0) {
      								goto L1;
      							} else {
      								__eflags = _v1148 | _v1144;
      								if((_v1148 | _v1144) == 0) {
      									_push(E0046A530( &_v1020));
      									_push( &_v1020);
      									L63:
      									 *_t336 = E0046A6C0(_t282);
      									L64:
      									 *[fs:0x0] = _v16;
      									_pop(_t337);
      									_pop(_t340);
      									return E0046F77E(_t282, _v20 ^ _t342, _t334, _t337, _t340);
      								}
      								_v1136 = E0046A6C0(_t282, L" + ", E0046A530(L" + "));
      								_v8 = 0x1c;
      								_t192 = E00436110(_t282, _t334, _t336, __eflags,  &_v1108, _v1148, _v1144);
      								_v8 = 0x1d;
      								_v1132 = E0046A6C0(_t282,  &_v1020, E0046A530( &_v1020));
      								_v8 = 0x1e;
      								E0046A230( &_v1128,  &_v1136);
      								_v8 = 0x1f;
      								E0046A230( &_v1116, _t192);
      								_t294 = _v1128;
      								_v8 = 0x21;
      								__eflags = _v1128;
      								if(_v1128 != 0) {
      									E0046A700(_t294);
      								}
      								_t295 = _v1132;
      								_v8 = 0x22;
      								__eflags = _v1132;
      								if(_v1132 != 0) {
      									E0046A700(_t295);
      								}
      								_t296 = _v1108;
      								_v8 = 0x23;
      								__eflags = _v1108;
      								if(_v1108 != 0) {
      									E0046A700(_t296);
      								}
      								_t297 = _v1136;
      								_v8 = 0x24;
      								__eflags = _v1136;
      								if(_v1136 != 0) {
      									E0046A700(_t297);
      								}
      								_t201 = _v1164;
      								__eflags = _t201;
      								if(_t201 != 0) {
      									swprintf( &_v80, 0x1e, L"(%d)", _t201);
      									E0046A390( &_v1116, L", ");
      									E0046A390( &_v1116, _v1160);
      									E0046A390( &_v1116,  &_v80);
      								}
      								_t298 = _v1116;
      								 *_t336 = _t298;
      								__eflags = _t298;
      								if(_t298 != 0) {
      									E0046A420(_t298);
      									_t298 = _v1116;
      								}
      								_v8 = 0xffffffff;
      								__eflags = _t298;
      								if(_t298 != 0) {
      									E0046A700(_t298);
      								}
      								goto L64;
      							}
      						} else {
      							_v1112 = E0046A6C0(_t282, L"...", E0046A530(L"..."));
      							_v8 = 0;
      							_v1120 = E0046A6C0(_t282, _v1124, E0046A530(_v1124));
      							_v8 = 1;
      							E0046A190( &_v1132, L"Loading symbol module for ",  &_v1120);
      							_t346 = _t346 + 0x24;
      							_v8 = 2;
      							E0046A230( &_v1108,  &_v1112);
      							_t329 = _v1132;
      							_v8 = 4;
      							__eflags = _v1132;
      							if(_v1132 != 0) {
      								E0046A700(_t329);
      							}
      							_t330 = _v1120;
      							_v8 = 5;
      							__eflags = _v1120;
      							if(_v1120 != 0) {
      								E0046A700(_t330);
      							}
      							_t331 = _v1112;
      							_v8 = 6;
      							__eflags = _v1112;
      							if(_v1112 != 0) {
      								E0046A700(_t331);
      							}
      							SetWindowTextW(_t339, E0046A170( &_v1108));
      							_t333 = _v1108;
      							_v8 = 0xffffffff;
      							__eflags = _v1108;
      							if(_v1108 != 0) {
      								E0046A700(_t333);
      							}
      							goto L14;
      						}
      					}
      				}
      				L1:
      				_push(E0046A530(0x48fc20));
      				_push(0x48fc20);
      				goto L63;
      			}

      0x0046b8f3
      0x0046b8f8
      0x0046b8fe
      0x0046b902
      0x0046b904
      0x0046b906
      0x0046b906
      0x0046b918
      0x0046b91e
      0x0046b924
      0x0046b92b
      0x0046b92d
      0x0046b92f
      0x0046b92f
      0x00000000
      0x0046b92d
      0x0046b855
      0x0046b828
      0x0046b80a
      0x0046b814
      0x0046b815
      0x00000000

      APIs
      • _wcsrchr.LIBCMT ref: 0046B83E
      • SetWindowTextW.USER32(80000001,00000000), ref: 0046B918
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: TextWindow_wcsrchr
      • String ID: + $$$(%d)$...$Loading symbol module for $Loading symbols for $Retrieving function names for $Retrieving source path for $X
      • API String ID: 204472955-3192370048
      • Opcode ID: 7f950ea037a940d47596d4c85c1d6ec7207fb1d7f1dcdbc046b88c3d29923eab
      • Instruction ID: 82ac33aa1d38c48f170a6f4b19f64904ddc255a9bfc5f6e5d1c46a4a73e57e59
      • Opcode Fuzzy Hash: 7f950ea037a940d47596d4c85c1d6ec7207fb1d7f1dcdbc046b88c3d29923eab
      • Instruction Fuzzy Hash: 9C124EB49016189BDB25DBA1CD45BEEB778AF05305F1000DEA905B3242EB785E94CF6F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 76%
      			E0040A140(void* __ebx, struct HDC__* __edx, intOrPtr* __edi, intOrPtr* __esi) {
      				intOrPtr _t151;
      				struct HDC__* _t158;
      				struct HDC__* _t159;
      				struct HDC__* _t160;
      				signed char* _t167;
      				int _t177;
      				signed char _t183;
      				int _t204;
      				int _t210;
      				struct HDC__* _t216;
      				void* _t218;
      				intOrPtr _t219;
      				struct tagRECT _t230;
      				struct HDC__* _t240;
      				intOrPtr* _t241;
      				void* _t242;
      				intOrPtr _t243;
      				struct HDC__* _t244;
      				intOrPtr _t246;
      				intOrPtr* _t247;
      				void* _t248;
      				signed int _t249;
      
      				_t247 = __esi;
      				_t241 = __edi;
      				_t240 = __edx;
      				_t218 = __ebx;
      				if( *__edi !=  *((intOrPtr*)(__esi + 0x2c))) {
      					L11:
      					_t219 =  *_t241;
      					_t240 =  *(_t247 + 0xc);
      					__eflags = _t219 - _t240;
      					if(_t219 == _t240) {
      						L13:
      						_t151 =  *((intOrPtr*)(_t241 + 8));
      						__eflags = _t151 - 0xfffffec0;
      						if(__eflags > 0) {
      							__eflags = _t151 - 0xfffffec9;
      							if(_t151 == 0xfffffec9) {
      								InvalidateRect( *(_t247 + 8), 0, 0);
      								goto L33;
      							}
      							__eflags = _t151 - 0xfffffffb;
      							if(_t151 != 0xfffffffb) {
      								L25:
      								__eflags =  *((intOrPtr*)(_t249 + 0xc)) - 0x31a;
      								if( *((intOrPtr*)(_t249 + 0xc)) == 0x31a) {
      									_t158 =  *(_t247 + 4);
      									__eflags = _t158;
      									if(_t158 != 0) {
      										 *0x4bc890(_t158);
      									}
      									 *(_t247 + 4) = 0;
      									_t159 =  *0x4bc884; // 0x73c34310
      									__eflags = _t159;
      									if(_t159 != 0) {
      										_t160 = _t159->i();
      										__eflags = _t160;
      										if(_t160 != 0) {
      											 *(_t247 + 4) =  *0x4bc888( *((intOrPtr*)(_t249 - 0x2a0)),  *((intOrPtr*)( *((intOrPtr*)( *_t247))))());
      										}
      									}
      								}
      								_t243 =  *((intOrPtr*)(_t249 - 0x2b4));
      								 *((intOrPtr*)( *((intOrPtr*)( *_t247 + 4))))( *((intOrPtr*)(_t249 - 0x2a0)),  *((intOrPtr*)(_t249 + 0xc)),  *((intOrPtr*)(_t249 - 0x29c)), _t243);
      								goto L33;
      							}
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(_t151);
      							_push(_t219);
      							L24:
      							E00404B90(_t247);
      							goto L25;
      						}
      						if(__eflags == 0) {
      							_t167 =  *(_t241 + 0x14);
      							__eflags =  *_t167 & 0x00000001;
      							if(( *_t167 & 0x00000001) == 0) {
      								goto L25;
      							}
      							_t240 =  *(_t241 + 0xc);
      							__eflags = _t240;
      							if(_t240 != 0) {
      								L44:
      								__eflags = _t219 -  *(_t247 + 0x14);
      								 *(_t249 - 0x2b8) = _t240 + (_t219 ==  *(_t247 + 0x14));
      								E00406190(_t247, _t240 + (_t219 ==  *(_t247 + 0x14)), _t249 - 0x278);
      								GetClientRect( *(_t247 + 8), _t249 - 0x238);
      								_t230 =  *(_t249 - 0x270);
      								_t177 = ( *(_t241 + 0x14))[4] - _t230 +  *(_t249 - 0x278);
      								__eflags = _t177;
      								 *(_t249 - 0x298) = _t177;
      								if(_t177 == 0) {
      									goto L58;
      								}
      								_t244 =  *(_t249 - 0x2b8);
      								 *((intOrPtr*)(_t249 - 0x290)) =  *((intOrPtr*)(_t249 - 0x26c));
      								 *(_t249 - 0x28c) =  *(_t249 - 0x230);
      								 *(_t249 - 0x294) = _t230;
      								 *((intOrPtr*)(_t249 - 0x288)) =  *((intOrPtr*)(_t249 - 0x22c));
      								__eflags = _t244;
      								if(_t244 == 0) {
      									 *(_t249 - 0x294) = _t230 - 1;
      								}
      								_t183 = GetWindowLongW( *(_t247 + 0x1c), 0xfffffff0) >> 0x1c;
      								__eflags = _t183 & 0x00000001;
      								if((_t183 & 0x00000001) != 0) {
      									_t204 = GetSystemMetrics(2);
      									_t127 = _t249 - 0x28c;
      									 *_t127 =  *(_t249 - 0x28c) - _t204;
      									__eflags =  *_t127;
      								}
      								ScrollWindowEx( *(_t247 + 8),  *(_t249 - 0x298), 0, _t249 - 0x294, 0, 0, 0, 2);
      								__eflags = _t244;
      								if(_t244 != 0) {
      									L51:
      									 *(_t249 - 0x228) =  *(_t249 - 0x278);
      									 *((intOrPtr*)(_t249 - 0x224)) =  *((intOrPtr*)(_t249 - 0x26c));
      									 *(_t249 - 0x220) =  *(_t249 - 0x270);
      									 *((intOrPtr*)(_t249 - 0x21c)) =  *((intOrPtr*)(_t249 - 0x22c));
      									InvalidateRect( *(_t247 + 8), _t249 - 0x228, 0);
      									__eflags = _t244;
      									if(__eflags != 0) {
      										E00408C20(_t247, _t240, _t244, __eflags);
      										UpdateWindow( *(_t247 + 0x24));
      										goto L33;
      									}
      									goto L52;
      								} else {
      									__eflags =  *((char*)(_t247 + 0x9c));
      									if( *((char*)(_t247 + 0x9c)) != 0) {
      										L52:
      										E00408A90(_t247,  *(_t249 - 0x270) +  *(_t249 - 0x298));
      										E00408C20(_t247, _t240, _t244, __eflags);
      										E00408CF0(_t247, _t240);
      										UpdateWindow( *(_t247 + 0x14));
      										UpdateWindow( *(_t247 + 0x20));
      										UpdateWindow( *(_t247 + 0x24));
      										goto L33;
      									}
      									goto L51;
      								}
      							}
      							__eflags = _t167[4] -  *((intOrPtr*)(_t247 + 0x94));
      							if(_t167[4] <  *((intOrPtr*)(_t247 + 0x94))) {
      								goto L1;
      							}
      							goto L44;
      						}
      						__eflags = _t151 - 0xfffffebb;
      						if(_t151 == 0xfffffebb) {
      							__eflags = _t219 -  *(_t247 + 0x14);
      							_t210 =  *(_t241 + 0xc) + (0 | _t219 ==  *(_t247 + 0x14));
      							__eflags = _t210;
      							 *(_t249 - 0x298) = _t210;
      							if(_t210 != 0) {
      								L37:
      								_t246 = E00405D80(_t247, _t210);
      								_t210 =  *(_t249 - 0x298);
      								L38:
      								E00409060(_t247, _t210, _t246);
      								__eflags =  *(_t249 - 0x298);
      								if(__eflags == 0) {
      									E00408A90(_t247, _t246);
      								}
      								E00408C20(_t247, _t240, _t246, __eflags);
      								goto L25;
      							}
      							__eflags =  *((char*)(_t247 + 0x9c));
      							if( *((char*)(_t247 + 0x9c)) == 0) {
      								goto L37;
      							}
      							_t246 =  *((intOrPtr*)(_t247 + 0x98));
      							goto L38;
      						}
      						__eflags = _t151 - 0xfffffebe;
      						if(_t151 == 0xfffffebe) {
      							__eflags = _t219 - _t240;
      							if(_t219 != _t240) {
      								_t216 =  &( *(_t241 + 0xc)->i);
      								__eflags = _t216;
      							} else {
      								_t216 = 0;
      							}
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(_t216);
      							_push(0x7d3);
      							_push( *(_t247 + 8));
      							goto L24;
      						}
      						__eflags = _t151 - 0xfffffebf;
      						if(__eflags == 0) {
      							E00408C20(_t247, _t240, _t241, __eflags);
      						}
      						goto L25;
      					}
      					__eflags = _t219 -  *(_t247 + 0x14);
      					if(_t219 !=  *(_t247 + 0x14)) {
      						goto L25;
      					}
      					goto L13;
      				} else {
      					__eax =  *(__edi + 8);
      					__eflags = __eax - 0xfffffdee;
      					if(__eax == 0xfffffdee) {
      						__eflags =  *(__esi + 0xac);
      						if( *(__esi + 0xac) == 0) {
      							 *(__edi + 0xc) = 0x48fc20;
      							goto L11;
      						}
      						__eax = __edi + 0xc;
      						__ecx = __edi + 0x10;
      						 *(__ebp - 0x2a8) = __eax;
      						__eax->i = __ecx;
      						 *(__ebp - 0x298) = __ecx;
      						__ecx = __esi;
      						__eax = E00404B90(__ecx,  *(__esi + 8), 0x7d4,  *((intOrPtr*)(__esi + 0xa4)),  *(__esi + 0xac), 0, __eax);
      						__eflags = __eax;
      						if(__eax != 0) {
      							L58:
      							L33:
      							 *[fs:0x0] =  *((intOrPtr*)(_t249 - 0xc));
      							_pop(_t242);
      							_pop(_t248);
      							return E0046F77E(_t218,  *(_t249 - 0x10) ^ _t249, _t240, _t242, _t248);
      						}
      						__eax =  *(__esi + 0xac);
      						__edi = __ebp - 0x2b8;
      						 *(__ebp - 0x2b8) = 0x50;
      						__ecx =  *(__eax + 4);
      						__edx =  *( *(__eax + 4));
      						 *(__edx + 8) =  *( *(__edx + 8))(__eax,  *((intOrPtr*)(__esi + 0xa4)),  *(__ebp - 0x298), __edi);
      						 *(__ebp - 0x2b0) =  *(__edx + 8);
      						 *(__ebp - 0x278) = 0;
      						 *(__ebp - 0x274) = 0;
      						__eax = GetSystemMetrics(0x4e);
      						__ecx = __esi;
      						 *(__ebp - 0x270) = __eax;
      						 *((intOrPtr*)(__ebp - 0x26c)) = E004078D0(__esi);
      						__ecx = __esi;
      						__ebp - 0x294 = L00405F10(__ecx,  *((intOrPtr*)(__esi + 0xa8)),  *((intOrPtr*)(__esi + 0xa4)), 1, 1,  *(__esi + 0xac), __ebp - 0x294);
      						__eax = __ebp - 0x244;
      						 *(__ebp - 0x244) = 0x1c;
      						asm("xorps xmm0, xmm0");
      						 *(__ebp - 0x22c) = 0;
      						asm("movdqu [ebp-0x23c], xmm0");
      						 *((intOrPtr*)(__ebp - 0x240)) = 4;
      						GetScrollInfo( *(__esi + 0x24), 2, __ebp - 0x244) =  *((intOrPtr*)(__ebp - 0x294));
      						__eflags =  *((intOrPtr*)(__ebp - 0x294)) -  *((intOrPtr*)(__esi + 0x90));
      						if( *((intOrPtr*)(__ebp - 0x294)) !=  *((intOrPtr*)(__esi + 0x90))) {
      							L9:
      							 *(__esi + 0xa0) =  *(__esi + 0xa0) & 0xfffb3fff;
      							__eax =  *(__esi + 0xa0) & 0xfffb3fff | 0x00000400;
      							 *(__ebp - 0x2a4) =  *(__esi + 0xa0) & 0xfffb3fff | 0x00000400;
      							__eax = GetDC( *(__esi + 8));
      							 *(__ebp - 0x298) = __eax;
      							__edi = __eax;
      							__ebp - 0x278 = DrawTextW( *(__ebp - 0x298),  *(__ebp - 0x2b0), 0xffffffff, __ebp - 0x278,  *(__ebp - 0x2a4));
      							__edi =  *(__ebp - 0x298);
      							SelectObject(__edi, __edi) = ReleaseDC( *(__esi + 8), __edi);
      							__edx =  *(__ebp - 0x28c);
      							__ecx = 0x48fc20;
      							 *(__ebp - 0x270) =  *(__ebp - 0x270) -  *(__ebp - 0x278);
      							__edx =  *(__ebp - 0x28c) -  *((intOrPtr*)(__ebp - 0x294));
      							__edi =  *(__ebp - 0x2b4);
      							__eflags =  *(__ebp - 0x270) -  *(__ebp - 0x278) - __edx;
      							__eax =  *(__ebp - 0x2a8);
      							__ecx =  >  ?  *(__ebp - 0x2b0) : 0x48fc20;
      							 *( *(__ebp - 0x2a8)) = __ecx;
      							goto L11;
      						}
      						__eflags =  *(__ebp - 0x230);
      						if( *(__ebp - 0x230) != 0) {
      							goto L58;
      						}
      						goto L9;
      					}
      					__eflags = __eax - 0xfffffdf7;
      					if(__eax != 0xfffffdf7) {
      						goto L11;
      					}
      					__eax = __ebp - 0x278;
      					__ecx = __esi;
      					__eax = L00405F10(__esi,  *((intOrPtr*)(__esi + 0xa8)),  *((intOrPtr*)(__esi + 0xa4)), 0, 1,  *(__esi + 0xac), __ebp - 0x278);
      					__edi = SendMessageW;
      					__ebp - 0x278 = SendMessageW( *(__esi + 0x2c), 0x41f, 1, __ebp - 0x278);
      					__ebp - 0x278 = MapWindowPoints( *(__esi + 8), 0, __ebp - 0x278, 2);
      					SetWindowPos( *(__esi + 0x2c), 0,  *(__ebp - 0x278),  *(__ebp - 0x274), 0, 0, 0x15) = SendMessageW( *(__esi + 0x2c), 0x30,  *(__esi + 0x30), 0);
      					__ecx = __esi;
      					E00404B90(__ecx,  *(__esi + 0x2c), 0x7d5,  *((intOrPtr*)(__esi + 0xa4)),  *(__esi + 0xac), 0, 0) = 1;
      					goto L33;
      				}
      				L1:
      				goto L33;
      			}

      APIs
      • SendMessageW.USER32(?,0000041F,00000001,?), ref: 0040A19F
      • MapWindowPoints.USER32 ref: 0040A1AF
      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015), ref: 0040A1CC
      • SendMessageW.USER32(?,00000030,?,00000000), ref: 0040A1DC
        • Part of subcall function 00404B90: GetWindowLongW.USER32(?,000000F4), ref: 00404BA8
        • Part of subcall function 00404B90: GetParent.USER32(00000000), ref: 00404BD9
      • GetSystemMetrics.USER32 ref: 0040A298
      • GetScrollInfo.USER32 ref: 0040A30A
      • GetDC.USER32(?), ref: 0040A344
      • SelectObject.GDI32(00000000,?), ref: 0040A354
      • DrawTextW.USER32(?,?,000000FF,00000000,?), ref: 0040A377
      • SelectObject.GDI32(?,00000000), ref: 0040A385
      • ReleaseDC.USER32 ref: 0040A38F
      • GetClientRect.USER32 ref: 0040A55F
      • GetWindowLongW.USER32(?,000000F0), ref: 0040A5C7
      • GetSystemMetrics.USER32 ref: 0040A5D6
      • ScrollWindowEx.USER32 ref: 0040A5FC
        • Part of subcall function 00405F10: SendMessageW.USER32(?,00001207,00000000,?), ref: 00405F40
        • Part of subcall function 00405F10: MapWindowPoints.USER32 ref: 00405F4F
        • Part of subcall function 00405F10: GetScrollInfo.USER32 ref: 00405F7B
        • Part of subcall function 00405F10: GetScrollInfo.USER32 ref: 00405FCC
        • Part of subcall function 00405F10: GetDC.USER32(?), ref: 00405FD1
        • Part of subcall function 00405F10: SelectObject.GDI32(00000000,?), ref: 00405FDD
        • Part of subcall function 00405F10: GetTextMetricsW.GDI32(00000000,?), ref: 00405FE8
        • Part of subcall function 00405F10: ReleaseDC.USER32 ref: 00405FF8
        • Part of subcall function 00405F10: GetSystemMetrics.USER32 ref: 00406006
        • Part of subcall function 00405F10: GetWindowRect.USER32 ref: 00406025
      • InvalidateRect.USER32(?,?,00000000), ref: 0040A64B
      • UpdateWindow.USER32(?), ref: 0040A680
      • UpdateWindow.USER32(?), ref: 0040A685
      • UpdateWindow.USER32(?), ref: 0040A68A
      • UpdateWindow.USER32(?), ref: 0040A69D
      • InvalidateRect.USER32(?,00000000,00000000), ref: 0040A6D0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$MetricsRectScrollUpdate$InfoMessageObjectSelectSendSystem$InvalidateLongPointsReleaseText$ClientDrawParent
      • String ID: P
      • API String ID: 2828796626-3110715001
      • Opcode ID: ae345a3230084c47e8905826ea97763d6d36e241128ef3a0f299bf6305401cbd
      • Instruction ID: 0ad10d375b56bfcb15c17de5ead97339049c988d5eedf7839255ffa6617b47e7
      • Opcode Fuzzy Hash: ae345a3230084c47e8905826ea97763d6d36e241128ef3a0f299bf6305401cbd
      • Instruction Fuzzy Hash: DDF17C31A00714AFDB31DF24CC49BAAB7B5FF48700F1046AAE55AA62E0DB74AD91CF15
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E00448530(signed int __edx, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				short _v540;
      				int _v544;
      				void* _v548;
      				intOrPtr _v552;
      				int _v556;
      				signed int _v560;
      				char _v564;
      				char _v568;
      				char _v572;
      				struct _CRITICAL_SECTION* _v576;
      				char _v580;
      				char _v584;
      				char _v588;
      				char _v608;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t110;
      				signed int _t111;
      				void* _t115;
      				int _t116;
      				void* _t117;
      				int _t119;
      				void* _t128;
      				int _t130;
      				int _t142;
      				signed int _t147;
      				long _t149;
      				int _t154;
      				int _t158;
      				intOrPtr _t178;
      				char _t182;
      				void* _t187;
      				void* _t193;
      				void* _t205;
      				int _t221;
      				signed int _t248;
      				void* _t252;
      				int _t253;
      				int _t254;
      				signed short _t256;
      				void* _t258;
      				void* _t259;
      				void* _t261;
      				short* _t262;
      				signed int _t263;
      				void* _t264;
      				void* _t265;
      				void* _t269;
      
      				_t248 = __edx;
      				_push(0xffffffff);
      				_push(E0048AB99);
      				_push( *[fs:0x0]);
      				_t265 = _t264 - 0x250;
      				_t110 =  *0x4bb1dc; // 0x2927074f
      				_t111 = _t110 ^ _t263;
      				_v20 = _t111;
      				_push(_t111);
      				 *[fs:0x0] =  &_v16;
      				_t204 = 0;
      				_t251 = _a4;
      				_t256 = _a12;
      				_v552 = _a16;
      				_v548 = _t251;
      				_v560 = 0;
      				_t115 = _a8 - 0x110;
      				if(_t115 == 0) {
      					_push(0x40);
      					_t116 = E0046EEB6(0, _t251, __eflags);
      					_v576 = _t116;
      					_v8 = 0;
      					__eflags = _t116;
      					if(_t116 == 0) {
      						_t117 = 0;
      						__eflags = 0;
      					} else {
      						_t117 = E00445770(_t251);
      					}
      					_v8 = 0xffffffff;
      					 *((intOrPtr*)(_t117 + 0x2c)) = 0x32;
      					 *((intOrPtr*)(_t117 + 0x30)) = 0x5a;
      					_t119 = GetProcAddress(GetModuleHandleW(L"uxtheme.dll"), "EnableThemeDialogTexture");
      					__eflags = _t119;
      					if(_t119 != 0) {
      						 *_t119(_t251, 6);
      					}
      					_v548 = 0x82;
      					SendMessageW(GetDlgItem(_t251, 0x3f9), 0xcb, 1,  &_v548);
      					SendMessageW(_t251, 0x8003,  *(_v552 + 0x1c), 0);
      					L50:
      					 *[fs:0x0] = _v16;
      					_pop(_t252);
      					_pop(_t258);
      					_pop(_t205);
      					return E0046F77E(_t205, _v20 ^ _t263, _t248, _t252, _t258);
      				}
      				_t128 = _t115 - 1;
      				if(_t128 == 0) {
      					_t130 = (_t256 & 0x0000ffff) - 0x45e;
      					__eflags = _t130;
      					if(_t130 == 0) {
      						_v544 = 0;
      						_t259 = 0;
      						__eflags = 0;
      						_v8 = 0xd;
      						do {
      							_t77 = _t259 + 0x4a3894; // 0x9c46
      							LoadStringW( *0x4bd2c4,  *_t77,  &_v540, 0x104);
      							E0046A390( &_v544,  &_v540);
      							E0046A390( &_v544, 0x4a38c8);
      							_t82 = _t259 + 0x4a3890; // 0x410
      							GetDlgItemTextW(_t251,  *_t82,  &_v540, 0x104);
      							E0046A390( &_v544,  &_v540);
      							E0046A390( &_v544, L"\r\n");
      							_t259 = _t259 + 8;
      							__eflags = _t259 - 0x38;
      						} while (_t259 < 0x38);
      						_t142 = SendMessageW(GetDlgItem(_t251, 0x3f9), 0xe, 0, 0);
      						__eflags = _t142;
      						if(__eflags != 0) {
      							_t86 = _t142 + 1; // 0x1
      							_t253 = _t86;
      							_t147 = _t253;
      							_t248 = _t147 * 2 >> 0x20;
      							_t221 =  ~(0 | __eflags > 0x00000000) | _t147 * 0x00000002;
      							__eflags = _t221;
      							_push(_t221);
      							_t149 = E0046EE59(GetDlgItem, _t253, _t221);
      							_t260 = _t149;
      							_t251 = _v548;
      							SendMessageW(GetDlgItem(_v548, 0x3f9), 0xd, _t253, _t149);
      							E0046A390( &_v544, _t149);
      							L0047002A(_t260);
      							_t265 = _t265 + 8;
      						}
      						E00433D80(_t251,  &_v544);
      						_t217 = _v544;
      						_v8 = 0xffffffff;
      						__eflags = _v544;
      						if(_v544 != 0) {
      							E0046A700(_t217);
      						}
      						L43:
      						goto L50;
      					}
      					_t154 = _t130 - 0x980a;
      					__eflags = _t154;
      					if(_t154 == 0) {
      						SendMessageW(GetFocus(), 0x301, 0, 0);
      						goto L50;
      					}
      					_t158 = _t154 - 0x43;
      					__eflags = _t158;
      					if(_t158 != 0) {
      						goto L43;
      					}
      					SendMessageW(GetFocus(), 0xb1, _t158, 0xffffffff);
      					goto L50;
      				}
      				if(_t128 != 0x7ef2) {
      					goto L43;
      				} else {
      					_v576 = 0x4bca10;
      					EnterCriticalSection(0x4bca10);
      					_v8 = 1;
      					E0040D160(0x4bca10,  &_v608, _t256);
      					_v8 = 2;
      					_t261 = 0;
      					do {
      						_t15 = _t261 + 0x4a3894; // 0x9c46
      						E004110C0(_t248, _t251,  *_t15,  &_v540, 0x104);
      						_t18 = _t261 + 0x4a3890; // 0x410
      						SetDlgItemTextW(_t251,  *_t18,  &_v540);
      						_t261 = _t261 + 8;
      					} while (_t261 < 0x38);
      					_v556 = 0;
      					_t254 = 0;
      					_v544 = 0;
      					_v8 = 4;
      					_t262 = E00410F20(0,  &_v608, 0, _t261, 0,  &_v544);
      					if(_t262 == 0) {
      						L27:
      						_t226 = _v544;
      						_v8 = 3;
      						if(_v544 != 0) {
      							E0046A700(_t226);
      						}
      						SetDlgItemTextW(_v548, 0x3f9, E0046A170( &_v556));
      						_t228 = _v556;
      						_v8 = 2;
      						if(_v556 != 0) {
      							E0046A700(_t228);
      						}
      						_v8 = 1;
      						E0040F960( &_v608, _t262);
      						LeaveCriticalSection(0x4bca10);
      						goto L50;
      					}
      					do {
      						_t276 =  *_t262;
      						if( *_t262 == 0) {
      							asm("cdq");
      							_t193 = E00436170(_t204, _t248, _t254, _t276,  &_v584, _t254, _t248);
      							_t265 = _t265 + 0xc;
      							_t204 = _t204 | 0x00000001;
      							_v8 = 5;
      							_v560 = _t204;
      							_t262 = E0046A170(_t193);
      						}
      						_t178 = E0046A6C0(_t204, _t262, E0046A530(_t262));
      						_t269 = _t265 + 0xc;
      						_v552 = _t178;
      						_v8 = 7;
      						if((_t204 & 0x00000001) != 0) {
      							_t246 = _v584;
      							_t204 = _t204 & 0xfffffffe;
      							_v560 = _t204;
      							if(_v584 != 0) {
      								E0046A700(_t246);
      							}
      						}
      						_v564 = E0046A6C0(_t204, L"\r\n", E0046A530(L"\r\n"));
      						_v8 = 8;
      						_t182 = E0046A6C0(_t204, 0x4a38c8, E0046A530(0x4a38c8));
      						_t265 = _t269 + 0x18;
      						_v568 = _t182;
      						_v8 = 9;
      						E0046A230( &_v588,  &_v568);
      						_v8 = 0xa;
      						E0046A230( &_v580,  &_v544);
      						_v8 = 0xb;
      						_t187 = E0046A230( &_v572,  &_v564);
      						_v8 = 0xc;
      						E0046A310( &_v556, _t187);
      						_t238 = _v572;
      						_v8 = 0xb;
      						if(_v572 != 0) {
      							E0046A700(_t238);
      						}
      						_t239 = _v580;
      						_v8 = 0xa;
      						if(_v580 != 0) {
      							E0046A700(_t239);
      						}
      						_t240 = _v588;
      						_v8 = 9;
      						if(_v588 != 0) {
      							E0046A700(_t240);
      						}
      						_t241 = _v568;
      						_v8 = 8;
      						if(_v568 != 0) {
      							E0046A700(_t241);
      						}
      						_t242 = _v564;
      						_v8 = 7;
      						if(_v564 != 0) {
      							E0046A700(_t242);
      						}
      						_t243 = _v552;
      						_v8 = 4;
      						if(_v552 != 0) {
      							E0046A700(_t243);
      						}
      						_t244 = _v544;
      						_v8 = 3;
      						if(_v544 != 0) {
      							E0046A700(_t244);
      						}
      						_t254 = _t254 + 1;
      						_v544 = 0;
      						_v8 = 4;
      						_t262 = E00410F20(_t204,  &_v608, _t254, _t262, _t254,  &_v544);
      					} while (_t262 != 0);
      					goto L27;
      				}
      			}

      0x00448530
      0x00448533
      0x00448535
      0x00448540
      0x00448541
      0x00448547
      0x0044854c
      0x0044854e
      0x00448554
      0x00448558
      0x00448561
      0x00448563
      0x00448566
      0x00448569
      0x00448572
      0x00448578
      0x0044857e
      0x00448583
      0x004489dc
      0x004489de
      0x004489e6
      0x004489ec
      0x004489f3
      0x004489f5
      0x00448a01
      0x00448a01
      0x004489f7
      0x004489fa
      0x004489fa
      0x00448a0d
      0x00448a14
      0x00448a1b
      0x00448a29
      0x00448a2f
      0x00448a31
      0x00448a36
      0x00448a36
      0x00448a3e
      0x00448a63
      0x00448a76
      0x00448a7d
      0x00448a80
      0x00448a88
      0x00448a89
      0x00448a8a
      0x00448a98
      0x00448a98
      0x00448589
      0x0044858a
      0x0044885e
      0x0044885e
      0x00448863
      0x004488ae
      0x004488ba
      0x004488ba
      0x004488bc
      0x004488c3
      0x004488cf
      0x004488db
      0x004488ea
      0x004488fa
      0x0044890b
      0x00448912
      0x00448925
      0x00448935
      0x0044893a
      0x0044893d
      0x0044893d
      0x00448957
      0x0044895d
      0x0044895f
      0x00448961
      0x00448961
      0x00448966
      0x0044896d
      0x00448974
      0x00448974
      0x00448976
      0x00448977
      0x0044897f
      0x00448983
      0x00448994
      0x004489a1
      0x004489a7
      0x004489ac
      0x004489ac
      0x004489b7
      0x004489bc
      0x004489c5
      0x004489cc
      0x004489ce
      0x004489d0
      0x004489d0
      0x004489d5
      0x00000000
      0x004489d5
      0x00448865
      0x00448865
      0x0044886a
      0x004488a1
      0x00000000
      0x004488a7
      0x0044886c
      0x0044886c
      0x0044886f
      0x00000000
      0x00000000
      0x00448884
      0x00000000
      0x0044888a
      0x00448595
      0x00000000
      0x0044859b
      0x004485a0
      0x004485aa
      0x004485b7
      0x004485c4
      0x004485c9
      0x004485cd
      0x004485d0
      0x004485dc
      0x004485e8
      0x004485f4
      0x004485fb
      0x00448601
      0x00448604
      0x00448609
      0x00448613
      0x00448615
      0x00448621
      0x00448632
      0x00448636
      0x004487f7
      0x004487f7
      0x004487fd
      0x00448803
      0x00448805
      0x00448805
      0x00448821
      0x00448827
      0x0044882d
      0x00448833
      0x00448835
      0x00448835
      0x00448840
      0x00448844
      0x0044884e
      0x00000000
      0x00448854
      0x00448640
      0x00448640
      0x00448644
      0x00448648
      0x00448652
      0x00448657
      0x0044865a
      0x0044865d
      0x00448663
      0x0044866e
      0x0044866e
      0x00448678
      0x0044867d
      0x00448680
      0x00448686
      0x00448690
      0x00448692
      0x00448698
      0x0044869b
      0x004486a3
      0x004486a5
      0x004486a5
      0x004486a3
      0x004486bf
      0x004486ca
      0x004486d9
      0x004486de
      0x004486e1
      0x004486ed
      0x004486ff
      0x0044870a
      0x00448718
      0x00448723
      0x00448731
      0x0044873d
      0x00448741
      0x00448746
      0x0044874c
      0x00448752
      0x00448754
      0x00448754
      0x00448759
      0x0044875f
      0x00448765
      0x00448767
      0x00448767
      0x0044876c
      0x00448772
      0x00448778
      0x0044877a
      0x0044877a
      0x0044877f
      0x00448785
      0x0044878b
      0x0044878d
      0x0044878d
      0x00448792
      0x00448798
      0x0044879e
      0x004487a0
      0x004487a0
      0x004487a5
      0x004487ab
      0x004487b1
      0x004487b3
      0x004487b3
      0x004487b8
      0x004487be
      0x004487c4
      0x004487c6
      0x004487c6
      0x004487cb
      0x004487cc
      0x004487dc
      0x004487ed
      0x004487ef
      0x00000000
      0x00448640

      APIs
      • EnterCriticalSection.KERNEL32(004BCA10,2927074F), ref: 004485AA
      • SetDlgItemTextW.USER32 ref: 004485FB
      • SetDlgItemTextW.USER32 ref: 00448821
      • GetFocus.USER32(00000301,00000000,00000000,2927074F), ref: 0044889A
      • SendMessageW.USER32(00000000), ref: 004488A1
      • LeaveCriticalSection.KERNEL32(004BCA10), ref: 0044884E
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • GetFocus.USER32(000000B1,?,000000FF,2927074F), ref: 0044887D
      • SendMessageW.USER32(00000000), ref: 00448884
      • GetModuleHandleW.KERNEL32(uxtheme.dll,EnableThemeDialogTexture), ref: 00448A22
      • GetProcAddress.KERNEL32(00000000), ref: 00448A29
      • GetDlgItem.USER32 ref: 00448A56
      • SendMessageW.USER32(00000000), ref: 00448A63
      • SendMessageW.USER32(?,00008003,?,00000000), ref: 00448A76
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$Item$CriticalFocusSectionText$AddressDecrementEnterHandleInterlockedLeaveModuleProc
      • String ID: EnableThemeDialogTexture$uxtheme.dll
      • API String ID: 1632629279-3124852905
      • Opcode ID: f5ce0dd829a20382e285dde4a469983028221bdcb1089e921779b418afe0e9c1
      • Instruction ID: a8a176c411a545a74b578f2a9e177c4c1b82c1d0160a7071cdfb72c421f99033
      • Opcode Fuzzy Hash: f5ce0dd829a20382e285dde4a469983028221bdcb1089e921779b418afe0e9c1
      • Instruction Fuzzy Hash: 64E1D870941218AAEB20EFA5DC49BEE77B4AF15304F1001AEF405B3291EB785F44CF6A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00434860(void* __edx, char _a4, short* _a8, short* _a12, short* _a16, char _a20) {
      				int* _v8;
      				char _v16;
      				signed int _v20;
      				char _v538;
      				char _v540;
      				short _v1580;
      				void* _v1584;
      				int* _v1588;
      				int _v1592;
      				void* _v1596;
      				char _v1600;
      				int _v1604;
      				short* _v1608;
      				char _v1612;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t115;
      				signed int _t116;
      				void* _t125;
      				void* _t145;
      				short* _t149;
      				short _t151;
      				void* _t159;
      				short _t166;
      				short* _t172;
      				intOrPtr _t174;
      				intOrPtr _t184;
      				signed int _t199;
      				void* _t201;
      				void* _t204;
      				void* _t205;
      				short* _t222;
      				short* _t230;
      				intOrPtr* _t233;
      				intOrPtr* _t236;
      				void* _t240;
      				short* _t241;
      				short* _t243;
      				void* _t244;
      				void* _t245;
      				short* _t246;
      				short* _t249;
      				void* _t250;
      				short* _t251;
      				signed int _t253;
      				void* _t254;
      				void* _t255;
      				void* _t259;
      				void* _t260;
      
      				_t240 = __edx;
      				_push(0xffffffff);
      				_push(E00489393);
      				_push( *[fs:0x0]);
      				_t255 = _t254 - 0x63c;
      				_t115 =  *0x4bb1dc; // 0x2927074f
      				_t116 = _t115 ^ _t253;
      				_v20 = _t116;
      				_push(_t204);
      				_push(_t116);
      				 *[fs:0x0] =  &_v16;
      				_t243 = _a8;
      				_t249 = _a12;
      				_v1608 = _a16;
      				if( *_t243 != 0x2e) {
      					L9:
      					L46:
      					 *[fs:0x0] = _v16;
      					_pop(_t244);
      					_pop(_t250);
      					_pop(_t205);
      					return E0046F77E(_t205, _v20 ^ _t253, _t240, _t244, _t250);
      				}
      				_v1588 = 0;
      				_v8 = 0;
      				_push(_t243);
      				if(_a20 == 0) {
      					_v1592 = E0046A6C0(_t204, _t243, E0046A530());
      					_v8 = 5;
      					_t125 = E0046A190( &_v1608, L"Software\\Classes\\",  &_v1592);
      					_v8 = 6;
      					E0046A0B0( &_v1588, _t125);
      					_t212 = _v1608;
      					_v8 = 5;
      					if(_v1608 != 0) {
      						E0046A700(_t212);
      					}
      					_t213 = _v1592;
      					_v8 = 0;
      					if(_v1592 != 0) {
      						E0046A700(_t213);
      					}
      					E00434180(_t240, 0x80000001, E0046A170( &_v1588));
      					_v1600 = E0046A6C0(_t204, _t249, E0046A530(_t249));
      					_v8 = 7;
      					E0046A190( &_v1612, L"Software\\Classes\\",  &_v1600);
      					_t215 = _v1600;
      					_v8 = 9;
      					if(_v1600 != 0) {
      						E0046A700(_t215);
      					}
      					E00434180(_t240, 0x80000001, _t249);
      					_t216 = _v1612;
      					_v8 = 0;
      					if(_v1612 != 0) {
      						E0046A700(_t216);
      					}
      					L43:
      					SHChangeNotify(0x8000000, 0, 0, 0);
      					_t217 = _v1588;
      					_v8 = 0xffffffff;
      					if(_v1588 != 0) {
      						E0046A700(_t217);
      					}
      					goto L46;
      				}
      				_v1596 = 0;
      				_v1584 = 0;
      				_v1592 = E0046A6C0(_t204, _t243, E0046A530());
      				_v8 = 1;
      				_t145 = E0046A190( &_v1600, L"Software\\Classes\\",  &_v1592);
      				_t259 = _t255 + 0x18;
      				_v8 = 2;
      				E0046A0B0( &_v1588, _t145);
      				_t219 = _v1600;
      				_v8 = 1;
      				if(_v1600 != 0) {
      					E0046A700(_t219);
      				}
      				_t220 = _v1592;
      				_v8 = 0;
      				if(_v1592 != 0) {
      					E0046A700(_t220);
      				}
      				_t149 = E0046A170( &_v1588);
      				_t206 = RegCreateKeyExW;
      				RegCreateKeyExW(0x80000001, _t149, 0, 0, 0, 0xf003f, 0,  &_v1584,  &_v1604);
      				_t245 = _v1584;
      				if(_t245 != 0) {
      					if(_v1604 != 2) {
      						L15:
      						_t222 = _t249;
      						_t241 =  &(_t222[1]);
      						do {
      							_t151 =  *_t222;
      							_t222 =  &(_t222[1]);
      						} while (_t151 != 0);
      						RegSetValueW(_t245, 0x48fc20, 1, _t249, 2 + (_t222 - _t241 >> 1) * 2);
      						RegCloseKey(_v1584);
      						_v1596 = 0;
      						_v1592 = E0046A6C0(_t206, _t249, E0046A530(_t249));
      						_v8 = 3;
      						_t159 = E0046A190( &_v1600, L"Software\\Classes\\",  &_v1592);
      						_t260 = _t259 + 0x18;
      						_v8 = 4;
      						E0046A0B0( &_v1588, _t159);
      						_t226 = _v1600;
      						_v8 = 3;
      						if(_v1600 != 0) {
      							E0046A700(_t226);
      						}
      						_t227 = _v1592;
      						_v8 = 0;
      						if(_v1592 != 0) {
      							E0046A700(_t227);
      						}
      						RegCreateKeyExW(0x80000001, E0046A170( &_v1588), 0, 0, 0, 0xf003f, 0,  &_v1596,  &_v1604);
      						_t240 = _v1596;
      						if(_t240 == 0) {
      							goto L7;
      						} else {
      							_t251 = _v1608;
      							_t230 = _t251;
      							_t60 =  &(_t230[1]); // 0x749682c2
      							_t246 = _t60;
      							do {
      								_t166 =  *_t230;
      								_t230 =  &(_t230[1]);
      							} while (_t166 != 0);
      							RegSetValueW(_t240, 0x48fc20, 1, _t251, 2 + (_t230 - _t246 >> 1) * 2);
      							_v1584 = 0;
      							RegCreateKeyExW(_v1596, L"shell\\open\\command", 0, 0, 0, 0xf003f, 0,  &_v1584,  &_v1604);
      							if(_v1584 == 0) {
      								goto L7;
      							}
      							_t172 =  &_v1580;
      							_push(0x4bd0a8);
      							if(_a4 == 0) {
      								L28:
      								_push(L"\"%s\" /OpenLog \"%%1\"");
      								L29:
      								_push(_t172);
      								E00431850();
      								_t233 =  &_v1580;
      								_t240 = _t233 + 2;
      								do {
      									_t174 =  *_t233;
      									_t233 = _t233 + 2;
      								} while (_t174 != 0);
      								RegSetValueW(_v1584, 0x48fc20, 1,  &_v1580, 2 + (_t233 - _t240 >> 1) * 2);
      								RegCloseKey(_v1584);
      								_v1584 = 0;
      								RegCreateKeyExW(_v1596, L"DefaultIcon", 0, 0, 0, 0xf003f, 0,  &_v1584,  &_v1604);
      								if(_v1584 == 0) {
      									goto L7;
      								}
      								E00431850( &_v1580, L"\"%s\",0", 0x4bd0a8);
      								_t236 =  &_v1580;
      								_t240 = _t236 + 2;
      								do {
      									_t184 =  *_t236;
      									_t236 = _t236 + 2;
      								} while (_t184 != 0);
      								RegSetValueW(_v1584, 0x48fc20, 1,  &_v1580, 2 + (_t236 - _t240 >> 1) * 2);
      								RegCloseKey(_v1584);
      								RegCloseKey(_v1596);
      								goto L43;
      							}
      							_push(L"\"%s\" /Run32 /OpenLog \"%%1\"");
      							goto L29;
      						}
      					}
      					_v540 = 0;
      					E00470030( &_v538, 0, 0x206);
      					_t260 = _t259 + 0xc;
      					_v1592 = 0x206;
      					RegQueryValueExW(_t245, 0x48fc20, 0, 0,  &_v540,  &_v1592);
      					_t199 = _v1592 & 0xfffffffe;
      					if(_t199 >= 0x208) {
      						_t172 = E00472AA1();
      						goto L28;
      					}
      					 *((short*)(_t253 + _t199 - 0x218)) = 0;
      					if(_v540 == 0) {
      						L14:
      						_t245 = _v1584;
      						goto L15;
      					}
      					_t201 = E0046F283(RegCreateKeyExW, _t245, _t249,  &_v540, _t249);
      					_t259 = _t260 + 8;
      					if(_t201 != 0) {
      						goto L7;
      					}
      					goto L14;
      				} else {
      					L7:
      					_t229 = _v1588;
      					_v8 = 0xffffffff;
      					if(_v1588 != 0) {
      						E0046A700(_t229);
      					}
      					goto L9;
      				}
      			}

      0x00434860
      0x00434863
      0x00434865
      0x00434870
      0x00434871
      0x00434877
      0x0043487c
      0x0043487e
      0x00434881
      0x00434884
      0x00434888
      0x0043488e
      0x00434894
      0x00434897
      0x004348a1
      0x00434992
      0x00434dae
      0x00434db1
      0x00434db9
      0x00434dba
      0x00434dbb
      0x00434dc9
      0x00434dc9
      0x004348a7
      0x004348b5
      0x004348bc
      0x004348bd
      0x00434cae
      0x00434cba
      0x00434ccb
      0x00434cda
      0x00434cde
      0x00434ce3
      0x00434ce9
      0x00434cef
      0x00434cf1
      0x00434cf1
      0x00434cf6
      0x00434cfc
      0x00434d02
      0x00434d04
      0x00434d04
      0x00434d1a
      0x00434d2c
      0x00434d38
      0x00434d49
      0x00434d51
      0x00434d57
      0x00434d5d
      0x00434d5f
      0x00434d5f
      0x00434d6a
      0x00434d6f
      0x00434d78
      0x00434d7e
      0x00434d80
      0x00434d80
      0x00434d85
      0x00434d90
      0x00434d96
      0x00434d9c
      0x00434da5
      0x00434da7
      0x00434da7
      0x00000000
      0x00434dac
      0x004348c3
      0x004348cd
      0x004348e3
      0x004348ef
      0x00434900
      0x00434905
      0x0043490f
      0x00434913
      0x00434918
      0x0043491e
      0x00434924
      0x00434926
      0x00434926
      0x0043492b
      0x00434931
      0x00434937
      0x00434939
      0x00434939
      0x0043495f
      0x00434964
      0x00434970
      0x00434972
      0x0043497a
      0x004349a0
      0x00434a31
      0x00434a31
      0x00434a33
      0x00434a36
      0x00434a36
      0x00434a39
      0x00434a3c
      0x00434a56
      0x00434a62
      0x00434a69
      0x00434a7f
      0x00434a8b
      0x00434a9c
      0x00434aa1
      0x00434aab
      0x00434aaf
      0x00434ab4
      0x00434aba
      0x00434ac0
      0x00434ac2
      0x00434ac2
      0x00434ac7
      0x00434acd
      0x00434ad3
      0x00434ad5
      0x00434ad5
      0x00434b06
      0x00434b08
      0x00434b10
      0x00000000
      0x00434b16
      0x00434b16
      0x00434b1c
      0x00434b1e
      0x00434b1e
      0x00434b21
      0x00434b21
      0x00434b24
      0x00434b27
      0x00434b47
      0x00434b4f
      0x00434b79
      0x00434b82
      0x00000000
      0x00000000
      0x00434b8c
      0x00434b92
      0x00434b97
      0x00434ba5
      0x00434ba5
      0x00434baa
      0x00434baa
      0x00434bab
      0x00434bb0
      0x00434bb9
      0x00434bc0
      0x00434bc0
      0x00434bc3
      0x00434bc6
      0x00434beb
      0x00434bf9
      0x00434c01
      0x00434c2b
      0x00434c34
      0x00000000
      0x00000000
      0x00434c4b
      0x00434c50
      0x00434c59
      0x00434c60
      0x00434c60
      0x00434c63
      0x00434c66
      0x00434c8b
      0x00434c93
      0x00434c9b
      0x00000000
      0x00434c9b
      0x00434b99
      0x00000000
      0x00434b99
      0x00434b10
      0x004349ae
      0x004349bc
      0x004349c1
      0x004349c4
      0x004349e6
      0x004349f2
      0x004349fa
      0x00434ba0
      0x00000000
      0x00434ba0
      0x00434a02
      0x00434a11
      0x00434a2b
      0x00434a2b
      0x00000000
      0x00434a2b
      0x00434a1b
      0x00434a20
      0x00434a25
      0x00000000
      0x00000000
      0x00000000
      0x0043497c
      0x0043497c
      0x0043497c
      0x00434982
      0x0043498b
      0x0043498d
      0x0043498d
      0x00000000
      0x0043498b

      APIs
      • RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,00000000,?,00000000,?,?,2927074F,00000000,749682C0,?), ref: 00434970
      • _memset.LIBCMT ref: 004349BC
      • RegQueryValueExW.ADVAPI32(00000000,0048FC20,00000000,00000000,?,00000206,?,?,?,?,?,2927074F,00000000,749682C0), ref: 004349E6
      • RegSetValueW.ADVAPI32(00000000,0048FC20,00000001,?,00000000), ref: 00434A56
      • RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,00000000,00000002,00000000), ref: 00434B06
      • RegSetValueW.ADVAPI32(00000000,0048FC20,00000001,749682C0,00000000), ref: 00434B47
      • RegCreateKeyExW.ADVAPI32(00000000,shell\open\command,00000000,00000000,00000000,000F003F,00000000,00000000,00000002), ref: 00434B79
      • RegSetValueW.ADVAPI32(00000000,0048FC20,00000001,?,00000000), ref: 00434BEB
      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,2927074F,00000000,749682C0), ref: 00434BF9
      • RegCreateKeyExW.ADVAPI32(00000000,DefaultIcon,00000000,00000000,00000000,000F003F,00000000,00000000,00000002), ref: 00434C2B
        • Part of subcall function 00472AA1: ___report_securityfailure.LIBCMT ref: 00472AA6
        • Part of subcall function 00431850: vswprintf.LIBCMT ref: 00431862
      • RegSetValueW.ADVAPI32(00000000,0048FC20,00000001,?,00000000), ref: 00434C8B
      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,2927074F), ref: 00434C93
      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,2927074F), ref: 00434C9B
      • RegCloseKey.ADVAPI32(00000000,?,?,2927074F,00000000,749682C0), ref: 00434A62
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00434D90
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Value$CloseCreate$DecrementInterlocked$ChangeNotifyQuery___report_securityfailure_memsetvswprintf
      • String ID: "%s" /OpenLog "%%1"$"%s" /Run32 /OpenLog "%%1"$"%s",0$DefaultIcon$Software\Classes\$shell\open\command
      • API String ID: 1268116332-2163412305
      • Opcode ID: 74c36b143cf1ec28f1e0f489d9efd427600d9565a76312fa7f068bbe31073db6
      • Instruction ID: 4847aeda66f0ec8d6adb58e8e37e53047bebc3ccf8b335cfedd2a9fd79fa0601
      • Opcode Fuzzy Hash: 74c36b143cf1ec28f1e0f489d9efd427600d9565a76312fa7f068bbe31073db6
      • Instruction Fuzzy Hash: 5AE1DA74901218AADB20EB60CC45BEEB779AF98314F1001DAF90577281EB796B64CF99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 66%
      			E0045B880(struct HWND__* _a4, int _a8, int _a12, long _a16) {
      				signed int _v8;
      				struct tagRECT _v24;
      				long _v28;
      				struct HDC__* _v32;
      				struct HWND__* __ebx;
      				unsigned int __edi;
      				struct HDC__* __esi;
      				signed int _t68;
      				void* _t70;
      				int _t71;
      				intOrPtr _t75;
      				intOrPtr* _t76;
      				struct HWND__* _t86;
      				void* _t87;
      				int _t95;
      				void* _t96;
      				long _t97;
      				signed int _t98;
      
      				_t68 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t68 ^ _t98;
      				_t86 = _a4;
      				_t97 = _a16;
      				_v28 = _t97;
      				_t70 = GetPropW(_t86, L"ResizerClass");
      				_t95 = _a12;
      				_t96 = _t70;
      				_t71 = _a8;
      				_t87 = _t71 - 2;
      				if(_t87 > 0x82) {
      					L9:
      					if(_t71 == 0x31a) {
      						_t75 =  *((intOrPtr*)(_t96 + 4));
      						if(_t75 != 0) {
      							 *0x4bc890(_t75);
      						}
      						 *((intOrPtr*)(_t96 + 4)) = 0;
      						_t76 =  *0x4bc884; // 0x73c34310
      						if(_t76 != 0 &&  *_t76() != 0) {
      							 *((intOrPtr*)(_t96 + 4)) =  *0x4bc888(_t86,  *( *_t96)());
      						}
      					}
      					 *((intOrPtr*)( *_t96 + 4))(_a8, _a12, _t97);
      					return E0046F77E(_t86, _v8 ^ _t98, _t95, _t96, _t97, _t86);
      				} else {
      					switch( *((intOrPtr*)(( *(_t87 + 0x45bb28) & 0x000000ff) * 4 +  &M0045BB10))) {
      						case 0:
      							__esi =  *(__edi + 8);
      							__eax = SetWindowLongW(__ebx, 0xfffffffc, __esi);
      							__ecx = __edi;
      							E00445A00(__edi) = E0046EF07(__edi);
      							_v28 = CallWindowProcW(__esi, __ebx, _a8, _a12, _v28);
      							__ecx = _v8;
      							__ecx = _v8 ^ __ebp;
      							return E0046F77E(__ebx, _v8 ^ __ebp, __edx, __edi, __esi);
      							goto L28;
      						case 1:
      							if( *((char*)(__edi + 0x34)) != 0 && (__edx == 2 || __edx == 0)) {
      								__eax =  &_v24;
      								if(GetWindowRect(__ebx,  &_v24) != 0) {
      									_v24.right = _v24.right - _v24.left;
      									_v24.bottom.x = _v24.bottom.x - _v24.top.x;
      									__edx =  <  ?  *(__edi + 0x10) : _v24.right - _v24.left;
      									 *((intOrPtr*)(__edi + 0x20)) =  <  ?  *(__edi + 0x10) : _v24.right - _v24.left;
      									__ecx =  <  ?  *((void*)(__edi + 0x14)) : _v24.bottom.x - _v24.top.x;
      									 *((intOrPtr*)(__edi + 0x24)) =  <  ?  *((void*)(__edi + 0x14)) : _v24.bottom.x - _v24.top.x;
      									__ecx = __edi;
      									__eax = E00458430(__ecx);
      								}
      								goto L8;
      							}
      							goto L9;
      						case 2:
      							if((GetWindowLongW(__ebx, 0xfffffff0) & 0x40000000) == 0 && IsZoomed(__ebx) == 0) {
      								_v32 = GetDC(__ebx);
      								 &_v24 = GetClientRect(__ebx,  &_v24);
      								__esi = GetSystemMetrics;
      								__eax = GetSystemMetrics(0x15);
      								_v24.right = _v24.right - __eax;
      								_v24.left = _v24.right - __eax;
      								__eax = GetSystemMetrics(0x14);
      								__ecx = _v24.bottom.x;
      								__esi = _v32;
      								__ecx = _v24.bottom.x - __eax;
      								__eax =  *(__edi + 4);
      								_v24.top.x = __ecx;
      								if(__eax == 0) {
      									 &_v24 = DrawFrameControl(__esi,  &_v24, 3, 8);
      									__eax = ReleaseDC(__ebx, __esi);
      									__esi = _v28;
      								} else {
      									_push(0);
      									__ecx =  &_v24;
      									_push(__ecx);
      									_push(0);
      									_push(3);
      									_push(__esi);
      									_push(__eax);
      									 *0x4bc88c() = ReleaseDC(__ebx, __esi);
      									__esi = _v28;
      								}
      							}
      							L8:
      							__eax = _a8;
      							goto L9;
      						case 3:
      							 *((intOrPtr*)(_t97 + 0x18)) =  *((intOrPtr*)(_t96 + 0x10));
      							 *((intOrPtr*)(_t97 + 0x1c)) =  *((intOrPtr*)(_t96 + 0x14));
      							return E0046F77E(_t86, _v8 ^ _t98, _t95, _t96, _t97);
      							goto L28;
      						case 4:
      							__edi = __eax;
      							if((GetWindowLongW(__ebx, 0xfffffff0) & 0x40000000) == 0) {
      								if(__edi != 1 || IsZoomed(__ebx) != 0) {
      									goto L17;
      								} else {
      									 &_v24 = GetWindowRect(__ebx,  &_v24);
      									__esi = GetSystemMetrics;
      									__eax = GetSystemMetrics(0x15);
      									_v24.right = _v24.right - __eax;
      									_v24.left = _v24.right - __eax;
      									__eax = GetSystemMetrics(0x14);
      									__ecx = _v24.bottom.x;
      									__ecx = _v24.bottom.x - __eax;
      									__eax = _v28;
      									_v24.top = __ecx;
      									__ecx = __ax;
      									__eax = _v28 >> 0x10;
      									__ax = __eax;
      									_push(__eax);
      									__eax =  &_v24;
      									if(PtInRect( &_v24, __ecx) == 0) {
      										goto L17;
      									} else {
      										_t47 = __edi + 0x10; // 0x10
      										__eax = _t47;
      										__ecx = _v8;
      										__ecx = _v8 ^ __ebp;
      										return E0046F77E(__ebx, _v8 ^ __ebp, __edx, __edi, GetSystemMetrics);
      									}
      								}
      							} else {
      								L17:
      								__eax = __edi;
      								__ecx = _v8;
      								__ecx = _v8 ^ __ebp;
      								return E0046F77E(__ebx, _v8 ^ __ebp, __edx, __edi, __esi);
      							}
      							goto L28;
      						case 5:
      							goto L9;
      					}
      				}
      				L28:
      			}

      0x0045b886
      0x0045b88d
      0x0045b891
      0x0045b895
      0x0045b89f
      0x0045b8a2
      0x0045b8a8
      0x0045b8ab
      0x0045b8ad
      0x0045b8b0
      0x0045b8b9
      0x0045b932
      0x0045b937
      0x0045b939
      0x0045b93e
      0x0045b941
      0x0045b941
      0x0045b947
      0x0045b94e
      0x0045b955
      0x0045b96b
      0x0045b96b
      0x0045b955
      0x0045b97a
      0x0045b98d
      0x0045b8bb
      0x0045b8c2
      0x00000000
      0x0045bace
      0x0045bad5
      0x0045badb
      0x0045bae3
      0x0045baf7
      0x0045bafd
      0x0045bb02
      0x0045bb0d
      0x00000000
      0x00000000
      0x0045b8ee
      0x0045b8f9
      0x0045b906
      0x0045b90b
      0x0045b911
      0x0045b917
      0x0045b91e
      0x0045b921
      0x0045b925
      0x0045b928
      0x0045b92a
      0x0045b92a
      0x00000000
      0x0045b906
      0x00000000
      0x00000000
      0x0045ba3b
      0x0045ba57
      0x0045ba5f
      0x0045ba65
      0x0045ba6d
      0x0045ba72
      0x0045ba76
      0x0045ba79
      0x0045ba7b
      0x0045ba7e
      0x0045ba81
      0x0045ba83
      0x0045ba86
      0x0045ba8b
      0x0045bab8
      0x0045bac0
      0x0045bac6
      0x0045ba8d
      0x0045ba8d
      0x0045ba8f
      0x0045ba92
      0x0045ba93
      0x0045ba95
      0x0045ba97
      0x0045ba98
      0x0045baa1
      0x0045baa7
      0x0045baa7
      0x0045ba8b
      0x0045b92f
      0x0045b92f
      0x00000000
      0x00000000
      0x0045b8cc
      0x0045b8d3
      0x0045b8e7
      0x00000000
      0x00000000
      0x0045b9a0
      0x0045b9ad
      0x0045b9c7
      0x00000000
      0x0045b9d4
      0x0045b9d9
      0x0045b9df
      0x0045b9e7
      0x0045b9ec
      0x0045b9f0
      0x0045b9f3
      0x0045b9f5
      0x0045b9f8
      0x0045b9fa
      0x0045b9fd
      0x0045ba00
      0x0045ba03
      0x0045ba06
      0x0045ba07
      0x0045ba09
      0x0045ba15
      0x00000000
      0x0045ba17
      0x0045ba17
      0x0045ba17
      0x0045ba1d
      0x0045ba20
      0x0045ba2a
      0x0045ba2a
      0x0045ba15
      0x0045b9af
      0x0045b9af
      0x0045b9af
      0x0045b9b4
      0x0045b9b7
      0x0045b9c1
      0x0045b9c1
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x0045b8c2
      0x00000000

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$MetricsRectSystem$Long$CallProcReleaseZoomed$ClientControlDrawFrameProp
      • String ID: ResizerClass
      • API String ID: 3375924146-804565684
      • Opcode ID: 9a3388ac38583944c32bb1b570d268be3b5ddfd16d39d8ec806713063304ffc3
      • Instruction ID: 4eec76655bb5e97cd88f07f1839d43e2724157c1aa9a48ca4c1933de52b4fc00
      • Opcode Fuzzy Hash: 9a3388ac38583944c32bb1b570d268be3b5ddfd16d39d8ec806713063304ffc3
      • Instruction Fuzzy Hash: D5818571A00609AFDB14DFA5DC84ABFB7B8FF48311F10452AF906E3291DB34A914CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 51%
      			E0043CF70(void* __ebx, void* __edx, void* __edi, void* __esi, char _a4, intOrPtr _a8) {
      				// Starts (_a4 != 0) or stops (_a4 == 0) the ETW trace session used for network events.
      				// _v1480 is the start of an EVENT_TRACE_PROPERTIES block of 0x4f8 bytes; the _vNNNN offsets
      				// below are annotated with the 32-bit evntrace.h field they land on (props + (0x5c8 - NNNN)).
      				signed int _v8;
      				short _v208;
      				intOrPtr _v280;
      				intOrPtr _v312;
      				intOrPtr _v316;
      				intOrPtr _v320;
      				char _v840;
      				char _v1360;
      				intOrPtr _v1368;
      				intOrPtr _v1372;
      				char _v1406;
      				signed int _v1408;
      				intOrPtr _v1412;
      				signed int _v1416;
      				intOrPtr _v1436;
      				intOrPtr _v1440;
      				char _v1476;
      				char _v1480;
      				char _v1484;
      				signed int _t35;
      				signed char _t39;
      				struct HINSTANCE__* _t76;
      				struct HINSTANCE__* _t99;
      				void* _t102;
      				void* _t103;
      				void* _t105;
      				void* _t106;
      				void* _t107;
      				signed int _t108;
      
      				_t100 = __esi;
      				_t98 = __edi;
      				_t96 = __edx;
      				_t83 = __ebx;
      				_t35 =  *0x4bb1dc; // 0x2927074f  (/GS stack cookie; E0046F77E at each return is __security_check_cookie)
      				_v8 = _t35 ^ _t108;
      				if(_a8 != 1) {
      					_push(__esi);
      					if( *0x4bd000 == 0) {
      						// One-time runtime resolution of the ETW session APIs instead of static imports;
      						// the resolved pointers are cached in globals (this is the "extensive GetProcAddress" behaviour flagged above).
      						_push(__edi);
      						_t76 = LoadLibraryW(L"advapi32.dll");
      						_t100 = GetProcAddress;
      						_t99 = _t76;
      						 *0x4bcfe0 = GetProcAddress(_t99, "StartTraceW");
      						 *0x4bcfe4 = GetProcAddress(_t99, "ControlTraceW");
      						 *0x4bcfe8 = GetProcAddress(_t99, "OpenTraceW");
      						 *0x4bcfec = GetProcAddress(_t99, "ProcessTrace");
      						 *0x4bd000 = 1;
      						_pop(_t98);
      					}
      					if( *0x4bcfe0 != 0) {
      						E00470030( &_v1476, 0, 0x4f4);               // memset(props + 4, 0, 0x4f4): zero everything after Wnode.BufferSize
      						_v1480 = 0x4f8;                              // Wnode.BufferSize = total size of struct + name buffers + extension block
      						_v1436 = 0x20000;                            // Wnode.Flags = WNODE_FLAG_TRACED_GUID
      						_v1412 = 1;                                  // FlushTimer = 1 second
      						_t39 = E00436690();
      						_v1440 = 1;                                  // Wnode.ClientContext = 1 (QueryPerformanceCounter timestamps)
      						asm("sbb eax, eax");
      						_v1416 =  ~(_t39 & 0x000000ff) & 0x02000000 | 0x00000100; // LogFileMode = EVENT_TRACE_REAL_TIME_MODE (0x100), optionally | EVENT_TRACE_SYSTEM_LOGGER_MODE (0x02000000) depending on E00436690()
      						if(E00436690() == 0) {
      							asm("movdqu xmm0, [0x4a2714]");          // 16-byte constant copied into Wnode.Guid (props + 0x1c);
      							asm("movdqu [ebp-0x5ac], xmm0");         // for the kernel logger this is expected to be SystemTraceControlGuid
      						}
      						_v1368 = 0x78;                               // LoggerNameOffset: session name buffer follows the fixed struct
      						_v1372 = 0x280;                              // LogFileNameOffset = 0x78 + MAX_PATH wide chars
      						E00436690();
      						_t97 = L"NT Kernel Logger";
      						_t85 =  ==  ? L"NT Kernel Logger" : L"PROCMON TRACE";   // decompiler lost the condition; it comes from the E00436690() call just above
      						E0046EF0C( &_v1360, 0x104,  ==  ? L"NT Kernel Logger" : L"PROCMON TRACE"); // session name: the system kernel logger (KERNEL_LOGGER_NAME) or a private session; 0x104 = MAX_PATH
      						E0046EF0C( &_v840, 0x104, 0x48fc20);         // log file name copied from a global string into props + 0x280
      						if(E0043CE40(_t83, _t98, _t100) != 0) {
      							// EnableFlags (props + 0x48) is rewritten as a TRACE_ENABLE_FLAG_EXTENSION header:
      							// the dword/word/byte stores below leave {Offset = 0x488, Length = 0xff, Flag = 0x80 (EVENT_TRACE_FLAG_EXTENSION >> 24)};
      							// the group-mask block it points to (props + 0x488 .. 0x4f8) is then filled with constants.
      							asm("movdqu xmm0, [0x4a2be0]");
      							_v1408 = 0x80000000;
      							_v1406 = 0xff;
      							asm("movdqu [ebp-0x110], xmm0");
      							_v1408 = 0x488;
      							asm("movdqu xmm0, [0x4a2bf0]");
      							_v316 = 0x10009;
      							_v312 = 0x10000;
      							asm("movdqu [ebp-0x100], xmm0");
      							_v280 = 0x30011;
      							asm("movdqu xmm0, [0x4a2c00]");
      							_v320 = 0x2001b;                         // first mask of the block at props + 0x488
      							asm("movdqu [ebp-0xf0], xmm0");
      							asm("movdqu xmm0, [0x4a2c10]");
      							asm("movdqu [ebp-0xe0], xmm0");
      						} else {
      							_v1408 = _v1408 | 0x00010000;            // EnableFlags |= EVENT_TRACE_FLAG_NETWORK_TCPIP
      						}
      						if(_a4 == 0) {
      							// Stop path: signal the consumer thread, stop the session, wait for the thread, release the handle.
      							SetEvent( *0x4bcfac);
      							 *0x4bcfe4( *0x4bcff8,  *0x4bcffc,  &_v1360,  &_v1480, 1);   // ControlTraceW(64-bit TRACEHANDLE, name, &props, EVENT_TRACE_CONTROL_STOP)
      							WaitForSingleObject( *0x4bcfa4, 0xffffffff);
      							CloseHandle( *0x4bcfa4);
      							 *0x4bcfa4 = 0;
      							ResetEvent( *0x4bcfac);
      							_pop(_t102);
      							return E0046F77E(_t83, _v8 ^ _t108, _t97, _t98, _t102);
      						} else {
      							_t103 =  *0x4bcfe0(0x4bcff8,  &_v1360,  &_v1480);          // StartTraceW(&SessionHandle, name, &props)
      							if(_t103 == 0 || _t103 == 0xb7) {                          // ERROR_SUCCESS or ERROR_ALREADY_EXISTS: an already-running session is reused
      								 *0x4bcfa4 = E00472D60(0, 0, E0043C260, 0, 0,  &_v1484);  // argument shape matches _beginthreadex; E0043C260 is the consumer (OpenTraceW/ProcessTrace) thread
      								_pop(_t105);
      								return E0046F77E(_t83, _v8 ^ _t108, _t97, _t98, _t105);
      							} else {
      								E0043C230( &_v208, L"Network trace initialization failed: Error %d", _t103);
      								MessageBoxW(0,  &_v208, L"Process Monitor", 0x10);       // 0x10 = MB_ICONERROR
      								_pop(_t106);
      								return E0046F77E(_t83, _v8 ^ _t108, _t97, _t98, _t106);
      							}
      						}
      					} else {
      						_pop(_t107);
      						return E0046F77E(_t83, _v8 ^ _t108, _t96, _t98, _t107);
      					}
      				} else {
      					return E0046F77E(__ebx, _v8 ^ _t108, __edx, __edi, __esi);
      				}
      			}
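The function above resolves StartTraceW, ControlTraceW, OpenTraceW and ProcessTrace at run time and fills an EVENT_TRACE_PROPERTIES block by raw offset. The Python below is an added example, not code from this report or from Process Monitor: it builds the same byte image from the offsets and constants the decompilation exposes (32-bit evntrace.h layout, public SDK constant values) and decodes it back, which is the check a responder would run over a properties block carved from a memory dump to tell whether a session is a real-time kernel logger with TCP/IP tracing enabled, and whether it uses the group-mask extension path. The TRACE_ENABLE_FLAG_EXTENSION reading of the 0x80000000 branch, the 0xFF length byte, and the helper names are assumptions; the sample inputs are constructed here.

```python
"""Added example (not from the report or from Process Monitor): lay out an
EVENT_TRACE_PROPERTIES block the way E0043CF70 does and decode one back."""
import struct

MAX_PATH = 0x104                               # 0x104 passed to the string copies above
ERROR_ALREADY_EXISTS = 0xB7                    # the second status the sample accepts
WNODE_FLAG_TRACED_GUID = 0x00020000
EVENT_TRACE_REAL_TIME_MODE = 0x00000100
EVENT_TRACE_SYSTEM_LOGGER_MODE = 0x02000000
EVENT_TRACE_FLAG_EXTENSION = 0x80000000
ENABLE_FLAG_NAMES = {                          # kernel logger EnableFlags bits (evntrace.h)
    0x00000001: "EVENT_TRACE_FLAG_PROCESS",
    0x00000002: "EVENT_TRACE_FLAG_THREAD",
    0x00000004: "EVENT_TRACE_FLAG_IMAGE_LOAD",
    0x00000100: "EVENT_TRACE_FLAG_DISK_IO",
    0x00000200: "EVENT_TRACE_FLAG_DISK_FILE_IO",
    0x00010000: "EVENT_TRACE_FLAG_NETWORK_TCPIP",
    0x00020000: "EVENT_TRACE_FLAG_REGISTRY",
}

# Field offsets in the 32-bit EVENT_TRACE_PROPERTIES (WNODE_HEADER is the first 0x30 bytes).
OFF_WNODE_BUFFERSIZE = 0x00
OFF_WNODE_CLIENTCONTEXT = 0x28
OFF_WNODE_FLAGS = 0x2C
OFF_LOGFILEMODE = 0x40
OFF_FLUSHTIMER = 0x44
OFF_ENABLEFLAGS = 0x48
OFF_LOGFILENAMEOFFSET = 0x6C
OFF_LOGGERNAMEOFFSET = 0x70

# Block layout the decompiled function uses: fixed struct, two MAX_PATH wide-char
# name buffers, then the extension (group mask) block, 0x4F8 bytes in total.
TOTAL_SIZE = 0x4F8
LOGGER_NAME_OFF = 0x78
LOGFILE_NAME_OFF = LOGGER_NAME_OFF + MAX_PATH * 2      # 0x280
EXTENSION_OFF = LOGFILE_NAME_OFF + MAX_PATH * 2        # 0x488


def build_properties(session_name, enable_flags, system_logger=False, extension=False):
    """Return the byte image StartTraceW would receive (constructed, not captured)."""
    buf = bytearray(TOTAL_SIZE)                 # the sample zeroes 0x4F4 bytes after BufferSize

    def put(off, val):
        struct.pack_into("<I", buf, off, val)

    put(OFF_WNODE_BUFFERSIZE, TOTAL_SIZE)
    put(OFF_WNODE_CLIENTCONTEXT, 1)             # 1 = QueryPerformanceCounter timestamps
    put(OFF_WNODE_FLAGS, WNODE_FLAG_TRACED_GUID)
    mode = EVENT_TRACE_REAL_TIME_MODE | (EVENT_TRACE_SYSTEM_LOGGER_MODE if system_logger else 0)
    put(OFF_LOGFILEMODE, mode)
    put(OFF_FLUSHTIMER, 1)
    put(OFF_LOGGERNAMEOFFSET, LOGGER_NAME_OFF)
    put(OFF_LOGFILENAMEOFFSET, LOGFILE_NAME_OFF)
    if extension:
        # Assumed TRACE_ENABLE_FLAG_EXTENSION header: USHORT Offset, UCHAR Length, UCHAR Flag (0x80),
        # matching the 0x80000000 / 0x488 / 0xFF stores in the decompilation.
        struct.pack_into("<HBB", buf, OFF_ENABLEFLAGS, EXTENSION_OFF, 0xFF, 0x80)
    else:
        put(OFF_ENABLEFLAGS, enable_flags)
    name = session_name.encode("utf-16-le") + b"\x00\x00"
    if len(name) > MAX_PATH * 2:
        raise ValueError("session name longer than MAX_PATH")
    buf[LOGGER_NAME_OFF:LOGGER_NAME_OFF + len(name)] = name
    return bytes(buf)


def _wide_string(blob, off, max_chars=MAX_PATH):
    """Read a NUL-terminated UTF-16LE string, bounded the way the sample bounds its copies."""
    raw = blob[off:off + max_chars * 2]
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def decode_properties(blob):
    """Decode a properties image (e.g. carved from a dump) into the fields that matter."""
    def u32(off):
        return struct.unpack_from("<I", blob, off)[0]

    if u32(OFF_WNODE_BUFFERSIZE) > len(blob):
        raise ValueError("Wnode.BufferSize exceeds the available bytes")
    mode = u32(OFF_LOGFILEMODE)
    enable = u32(OFF_ENABLEFLAGS)
    info = {
        "session_name": _wide_string(blob, u32(OFF_LOGGERNAMEOFFSET)),
        "log_file": _wide_string(blob, u32(OFF_LOGFILENAMEOFFSET)),
        "real_time": bool(mode & EVENT_TRACE_REAL_TIME_MODE),
        "system_logger": bool(mode & EVENT_TRACE_SYSTEM_LOGGER_MODE),
        "extension": bool(enable & EVENT_TRACE_FLAG_EXTENSION),
        "enable_flags": [],
        "group_mask_offset": None,
    }
    if info["extension"]:
        info["group_mask_offset"] = struct.unpack_from("<H", blob, OFF_ENABLEFLAGS)[0]
    else:
        info["enable_flags"] = [n for bit, n in sorted(ENABLE_FLAG_NAMES.items()) if enable & bit]
    return info


def start_trace_is_usable(status):
    """E0043CF70 continues on ERROR_SUCCESS and on ERROR_ALREADY_EXISTS (session already running)."""
    return status in (0, ERROR_ALREADY_EXISTS)
```

On a live host the same question is answered by `logman query -ets`, which lists active sessions such as "NT Kernel Logger"; the decoder above is for the case where only a memory image of the properties block is available. The accept-on-0xB7 behaviour is worth remembering when triaging: a second instance does not fail, it attaches to whatever session already carries that name.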

      0x0043cf70
      0x0043cf70
      0x0043cf70
      0x0043cf70
      0x0043cf79
      0x0043cf80
      0x0043cf87
      0x0043cfa0
      0x0043cfa1
      0x0043cfa3
      0x0043cfa9
      0x0043cfaf
      0x0043cfb5
      0x0043cfc5
      0x0043cfd2
      0x0043cfdf
      0x0043cfe6
      0x0043cfeb
      0x0043cff2
      0x0043cff2
      0x0043cffa
      0x0043d01e
      0x0043d026
      0x0043d030
      0x0043d03a
      0x0043d044
      0x0043d04e
      0x0043d058
      0x0043d064
      0x0043d071
      0x0043d073
      0x0043d07b
      0x0043d07b
      0x0043d083
      0x0043d08d
      0x0043d097
      0x0043d09e
      0x0043d0ae
      0x0043d0b8
      0x0043d0ce
      0x0043d0dd
      0x0043d0ee
      0x0043d0f6
      0x0043d105
      0x0043d10c
      0x0043d114
      0x0043d11b
      0x0043d123
      0x0043d12d
      0x0043d137
      0x0043d13f
      0x0043d149
      0x0043d151
      0x0043d15b
      0x0043d163
      0x0043d16b
      0x0043d0df
      0x0043d0df
      0x0043d0df
      0x0043d177
      0x0043d216
      0x0043d238
      0x0043d248
      0x0043d254
      0x0043d260
      0x0043d26a
      0x0043d277
      0x0043d280
      0x0043d17d
      0x0043d196
      0x0043d19a
      0x0043d1fa
      0x0043d201
      0x0043d20f
      0x0043d1a4
      0x0043d1b1
      0x0043d1c9
      0x0043d1d1
      0x0043d1df
      0x0043d1df
      0x0043d19a
      0x0043cffc
      0x0043d001
      0x0043d00f
      0x0043d00f
      0x0043cf89
      0x0043cf98
      0x0043cf98

      APIs
      • LoadLibraryW.KERNEL32(advapi32.dll,00000000,00000000), ref: 0043CFA9
      • GetProcAddress.KERNEL32(00000000,StartTraceW), ref: 0043CFBD
      • GetProcAddress.KERNEL32(00000000,ControlTraceW), ref: 0043CFCA
      • GetProcAddress.KERNEL32(00000000,OpenTraceW), ref: 0043CFD7
      • GetProcAddress.KERNEL32(00000000,ProcessTrace), ref: 0043CFE4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AddressProc$LibraryLoad
      • String ID: ControlTraceW$NT Kernel Logger$Network trace initialization failed: Error %d$OpenTraceW$PROCMON TRACE$Process Monitor$ProcessTrace$StartTraceW$advapi32.dll$x
      • API String ID: 2238633743-2214304098
      • Opcode ID: 1d073817a5cb9c3ddcc49f31cfae7157f9411dd4d83da81eb08808b6e003e761
      • Instruction ID: f426306cc7430b6f1c34f8f07272a12548c9f15631fb13a93f9a8fdd386f912c
      • Opcode Fuzzy Hash: 1d073817a5cb9c3ddcc49f31cfae7157f9411dd4d83da81eb08808b6e003e761
      • Instruction Fuzzy Hash: 3771FB71D007189BDB209F68ED45BEE7B74EB49305F0046FAF848A6291DBB84A84DF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E00466B40(void* __ecx) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				struct _CRITICAL_SECTION* _v24;
      				struct _CRITICAL_SECTION* _v28;
      				void* _v32;
      				void* _v36;
      				void* _v40;
      				signed int _v44;
      				void* _v48;
      				signed int _v52;
      				void* _v56;
      				signed int _v60;
      				char _v64;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t194;
      				struct _CRITICAL_SECTION* _t203;
      				signed int _t210;
      				signed int _t220;
      				signed int _t230;
      				struct _CRITICAL_SECTION* _t253;
      				struct _CRITICAL_SECTION* _t254;
      				signed int _t255;
      				signed int _t260;
      				signed int _t261;
      				void* _t266;
      				long _t271;
      				signed int _t272;
      				signed int _t273;
      				void* _t294;
      				signed int _t303;
      				signed int _t306;
      				signed int _t311;
      				signed int _t316;
      				void* _t331;
      				void* _t337;
      				intOrPtr _t343;
      				void* _t346;
      				intOrPtr _t353;
      				void* _t358;
      				void* _t360;
      				signed int _t361;
      				signed int _t362;
      				signed int _t363;
      				signed int _t365;
      				void* _t366;
      				void* _t367;
      				void* _t368;
      				void* _t369;
      
      				_push(0xffffffff);
      				_push(E0048CCB8);
      				_push( *[fs:0x0]);
      				_t367 = _t366 - 0x30;
      				_push(_t346);
      				_t194 =  *0x4bb1dc; // 0x2927074f
      				_push(_t194 ^ _t365);
      				 *[fs:0x0] =  &_v16;
      				_t294 = __ecx;
      				_t2 = _t294 + 0x250; // 0x0
      				_t3 = _t294 + 0x254; // 0x0
      				if(( *_t2 |  *_t3) != 0) {
      					L56:
      					 *[fs:0x0] = _v16;
      					return 1;
      				} else {
      					_t4 = _t294 + 0x4b0; // 0x0
      					_t5 = _t294 + 0x4b4; // 0x0
      					asm("adc eax, 0x0");
      					 *(__ecx + 0x4b0) =  *_t4 + 0x00000003 & 0xfffffffc;
      					_t358 = 0;
      					_t7 = _t294 + 0x570; // 0x0
      					_t303 =  *_t7;
      					 *((intOrPtr*)(__ecx + 0x4b4)) =  *_t5;
      					_t9 = _t294 + 0x4b0; // 0x0
      					 *((intOrPtr*)(__ecx + 0x250)) =  *_t9;
      					_t11 = _t294 + 0x4b4; // 0x0
      					 *((intOrPtr*)(__ecx + 0x254)) =  *_t11;
      					_t203 = _t303 + _t303 * 4;
      					 *(__ecx + 0x23c) = _t303;
      					_v24 = _t203;
      					if(_t203 == 0) {
      						L7:
      						 *((intOrPtr*)(_t294 + 0x4b0)) =  *((intOrPtr*)(_t294 + 0x4b0)) + _t203;
      						_t29 = _t294 + 0x4ec; // 0x4bcefc
      						_t30 = _t294 + 0x4b0; // 0x0
      						asm("adc dword [ebx+0x4b4], 0x0");
      						 *((intOrPtr*)(_t294 + 0x258)) =  *_t30;
      						_t32 = _t294 + 0x4b4; // 0x0
      						 *((intOrPtr*)(_t294 + 0x25c)) =  *_t32;
      						_t34 =  &_v40; // 0x4961e8
      						_v40 = 0;
      						_v36 = 0;
      						_v32 = 0;
      						E00442C40(_t294, _t29, _t346, _t358, _t34);
      						_t40 = _t294 + 0x25c; // 0x0
      						_t41 = _t294 + 0x3b0; // 0x4bcdc0
      						_t42 = _t294 + 0x258; // 0x0
      						E004180C0(_t41,  &_v64,  *_t42,  *_t40, _v36, 1);
      						_t306 = _v56;
      						_t210 = _v36;
      						_v8 = 1;
      						if(_t306 != 0 || _t210 == 0) {
      							_v44 = _t210;
      							_v52 = _t306;
      							_t55 = _t294 + 0x4ec; // 0x4bcefc
      							_v48 = 0;
      							E00442C40(_t294, _t55, _t346, _t358,  &_v52);
      							 *((intOrPtr*)(_t294 + 0x4b0)) =  *((intOrPtr*)(_t294 + 0x4b0)) + _v48;
      							_t308 = _v60;
      							asm("adc dword [ebx+0x4b4], 0x0");
      							_v8 = 0xffffffff;
      							__eflags = _v60;
      							if(_v60 != 0) {
      								E00430D60(_t308, 0xffffffff, 0xffffffff);
      							}
      							_t62 = _t294 + 0x4b0; // 0x0
      							_t63 = _t294 + 0x4b8; // 0x4bcec8
      							 *((intOrPtr*)(_t294 + 0x260)) =  *_t62;
      							_t65 = _t294 + 0x4b4; // 0x0
      							 *((intOrPtr*)(_t294 + 0x264)) =  *_t65;
      							_v40 = 0;
      							_v36 = 0;
      							_v32 = 0;
      							L0040DEB0(_t63,  &_v40);
      							_t73 = _t294 + 0x264; // 0x0
      							_t74 = _t294 + 0x3b0; // 0x4bcdc0
      							_t75 = _t294 + 0x260; // 0x0
      							E004180C0(_t74,  &_v64,  *_t75,  *_t73, _v36, 1);
      							_t311 = _v56;
      							_t220 = _v36;
      							_v8 = 2;
      							__eflags = _t311;
      							if(_t311 != 0) {
      								L19:
      								_v44 = _t220;
      								_v52 = _t311;
      								_t83 = _t294 + 0x4b8; // 0x4bcec8
      								_v48 = 0;
      								L0040DEB0(_t83,  &_v52);
      								 *((intOrPtr*)(_t294 + 0x4b0)) =  *((intOrPtr*)(_t294 + 0x4b0)) + _v48;
      								_t313 = _v60;
      								asm("adc dword [ebx+0x4b4], 0x0");
      								_v8 = 0xffffffff;
      								__eflags = _v60;
      								if(_v60 != 0) {
      									E00430D60(_t313, 0xffffffff, 0xffffffff);
      								}
      								_t90 = _t294 + 0x4b0; // 0x0
      								_t91 = _t294 + 0x51c; // 0x4bcf2c
      								 *((intOrPtr*)(_t294 + 0x268)) =  *_t90;
      								_t93 = _t294 + 0x4b4; // 0x0
      								 *((intOrPtr*)(_t294 + 0x26c)) =  *_t93;
      								_v40 = 0;
      								_v36 = 0;
      								_v32 = 0;
      								E0042D940(_t91,  &_v40);
      								_t101 = _t294 + 0x26c; // 0x0
      								_t102 = _t294 + 0x3b0; // 0x4bcdc0
      								_t103 = _t294 + 0x268; // 0x0
      								E004180C0(_t102,  &_v64,  *_t103,  *_t101, _v36, 1);
      								_t316 = _v56;
      								_t230 = _v36;
      								_v8 = 3;
      								__eflags = _t316;
      								if(_t316 != 0) {
      									L24:
      									_v44 = _t230;
      									_v52 = _t316;
      									_t111 = _t294 + 0x51c; // 0x4bcf2c
      									_v48 = 0;
      									E0042D940(_t111,  &_v52);
      									 *((intOrPtr*)(_t294 + 0x4b0)) =  *((intOrPtr*)(_t294 + 0x4b0)) + _v48;
      									_t318 = _v60;
      									asm("adc dword [ebx+0x4b4], 0x0");
      									_v8 = 0xffffffff;
      									__eflags = _v60;
      									if(_v60 != 0) {
      										E00430D60(_t318, 0xffffffff, 0xffffffff);
      									}
      									_t118 = _t294 + 0x4b0; // 0x0
      									 *((intOrPtr*)(_t294 + 0x3a8)) =  *_t118;
      									_t120 = _t294 + 0x4b4; // 0x0
      									 *((intOrPtr*)(_t294 + 0x3ac)) =  *_t120;
      									_v28 = 0x4c2538;
      									EnterCriticalSection(0x4c2538);
      									_v8 = 4;
      									_v24 = 0x4c255c;
      									EnterCriticalSection(0x4c255c);
      									_v8 = 5;
      									_v40 = 0;
      									_v36 = 0;
      									_v32 = 0;
      									E00463380(0x4c2538,  &_v40);
      									E00463450(0x4c255c,  &_v40);
      									_t133 = _t294 + 0x4b4; // 0x0
      									_t134 = _t294 + 0x3b0; // 0x4bcdc0
      									_t135 = _t294 + 0x4b0; // 0x0
      									E004180C0(_t134,  &_v64,  *_t135,  *_t133, _v36, 1);
      									_v52 = _v56;
      									_v44 = _v36;
      									_v8 = 6;
      									_v48 = 0;
      									E00463380(0x4c2538,  &_v52);
      									E00463450(0x4c255c,  &_v52);
      									 *((intOrPtr*)(_t294 + 0x4b0)) =  *((intOrPtr*)(_t294 + 0x4b0)) + _v36;
      									_t324 = _v60;
      									asm("adc dword [ebx+0x4b4], 0x0");
      									_v8 = 5;
      									__eflags = _v60;
      									if(_v60 != 0) {
      										E00430D60(_t324, 0xffffffff, 0xffffffff);
      									}
      									LeaveCriticalSection(0x4c255c);
      									_v8 = 0xffffffff;
      									LeaveCriticalSection(0x4c2538);
      									_t151 = _t294 + 0x3b0; // 0x4bcdc0
      									E004180C0(_t151,  &_v64, 0, 0, 0x3a8, 0);
      									_t153 = _t294 + 8; // 0x4bca18
      									memcpy(_v56, _t153, 0xea << 2);
      									_t368 = _t367 + 0xc;
      									_t328 = _v60;
      									__eflags = _v60;
      									if(_v60 != 0) {
      										E00430D60(_t328, 0xffffffff, 0xffffffff);
      									}
      									_t156 = _t294 + 0x4b4; // 0x0
      									_t157 = _t294 + 0x3b0; // 0x4bcdc0
      									_t360 = _t157;
      									_t158 = _t294 + 0x4b0; // 0x0
      									_t353 =  *_t158;
      									_v24 =  *_t156;
      									_t160 = _t360 + 0xe0; // 0x4bcea0
      									_t253 = _t160;
      									_v28 = _t253;
      									EnterCriticalSection(_t253);
      									_t254 = _v24;
      									_t163 = _t360 + 0x1c; // 0x0
      									__eflags = _t254 -  *_t163;
      									if(__eflags <= 0) {
      										if(__eflags < 0) {
      											L33:
      											__eflags =  *((char*)(_t360 + 4));
      											if( *((char*)(_t360 + 4)) == 0) {
      												 *((intOrPtr*)(_t360 + 0x18)) = _t353;
      												 *((intOrPtr*)(_t360 + 0x1c)) = _t254;
      											}
      										} else {
      											_t164 = _t360 + 0x18; // 0x0
      											__eflags = _t353 -  *_t164;
      											if(_t353 <=  *_t164) {
      												goto L33;
      											}
      										}
      									}
      									LeaveCriticalSection(_v28);
      									_t169 = _t294 + 0x574; // 0x0
      									_t255 =  *_t169;
      									__eflags = _t255;
      									if(_t255 == 0) {
      										_t173 = _t294 + 0x568; // 0x0
      										E0047040C( *_t173);
      										_t368 = _t368 + 4;
      										 *(_t294 + 0x568) = 0;
      									} else {
      										_t172 = _t294 + 0x568; // 0x0
      										VirtualFree( *_t172, _t255 + _t255 * 4, 0x4000);
      									}
      									 *(_t294 + 0x56c) = 0;
      									 *(_t294 + 0x570) = 0;
      									_t361 =  *(E004675A0(_t360,  &_v24));
      									_v8 = 7;
      									__eflags = _t361;
      									if(_t361 == 0) {
      										_t362 = 0;
      										__eflags = 0;
      									} else {
      										_t362 =  *_t361;
      									}
      									_t260 = E0046A6C0(_t294, _t362, E0046A530(_t362));
      									_t369 = _t368 + 0xc;
      									_v20 = _t260;
      									_t363 = _v24;
      									_v8 = 9;
      									__eflags = _t363;
      									if(_t363 != 0) {
      										_t182 = _t363 + 8; // 0x4c2564
      										_t271 = InterlockedDecrement(_t182);
      										__eflags = _t271;
      										if(_t271 == 0) {
      											__eflags = _t363;
      											if(_t363 != 0) {
      												_t272 =  *_t363;
      												__eflags = _t272;
      												if(_t272 != 0) {
      													__imp__#6(_t272);
      													 *_t363 = 0;
      												}
      												_t183 = _t363 + 4; // 0xffffffff
      												_t273 =  *_t183;
      												__eflags = _t273;
      												if(_t273 != 0) {
      													E0046EF07(_t273);
      													_t369 = _t369 + 4;
      													 *(_t363 + 4) = 0;
      												}
      												E0046EF07(_t363);
      											}
      										}
      										_v24 = 0;
      									}
      									_t261 = E0046A720( &_v20);
      									_t331 = _t294;
      									__eflags = _t261;
      									if(__eflags == 0) {
      										E00466A30(_t331);
      										E00468280(_t294, _t345);
      									} else {
      										E00466AD0(_t331, __eflags);
      										_t266 = E0046A170( &_v20);
      										_t188 =  &_v28; // 0x4c2538
      										E00468350(_t294, _t188, _t266);
      										_t189 =  &_v28; // 0x4c2538
      										_t336 =  *_t189;
      										__eflags =  *_t189;
      										if( *_t189 != 0) {
      											E0046A700(_t336);
      										}
      									}
      									_t333 = _v20;
      									_v8 = 0xffffffff;
      									__eflags = _v20;
      									if(_v20 != 0) {
      										E0046A700(_t333);
      									}
      									goto L56;
      								} else {
      									__eflags = _t230;
      									if(_t230 == 0) {
      										goto L24;
      									} else {
      										_t337 = _v60;
      										goto L11;
      									}
      								}
      							} else {
      								__eflags = _t220;
      								if(_t220 == 0) {
      									goto L19;
      								} else {
      									_t337 = _v60;
      									goto L11;
      								}
      							}
      						} else {
      							_t337 = _v60;
      							goto L11;
      						}
      					} else {
      						while(1) {
      							_t17 = _t294 + 0x3b0; // 0x4bcdc0
      							_t345 = _t17;
      							_t346 =  <  ? _t203 - _t358 : 0x400000;
      							_t18 = _t294 + 0x250; // 0x0
      							asm("adc eax, [ebx+0x254]"); // 0x0
      							E004180C0(_t17,  &_v40, _t358 +  *_t18, 0, 0x400000, 1);
      							_t20 =  &_v32; // 0x414ae3
      							_t343 =  *_t20;
      							if(_t343 != 0 || _v24 == _t343) {
      								_t22 = _t294 + 0x568; // 0x0
      								E00470850(_t343,  *_t22 + _t358, _t346);
      								_t344 = _v36;
      								_t367 = _t367 + 0xc;
      								_v8 = 0xffffffff;
      								_v40 = 0x4961e8;
      								if(_v36 != 0) {
      									E00430D60(_t344, 0xffffffff, 0xffffffff);
      								}
      							} else {
      								_t337 = _v36;
      								 *(_t294 + 0x250) = 0;
      								 *(_t294 + 0x254) = 0;
      								break;
      							}
      							_t203 = _v24;
      							_t358 = _t358 + 0x400000;
      							if(_t358 < _t203) {
      								continue;
      							} else {
      								goto L7;
      							}
      							goto L57;
      						}
      						L11:
      						_v8 = 0xffffffff;
      						if(_t337 != 0) {
      							E00430D60(_t337, 0xffffffff, 0xffffffff);
      						}
      						 *[fs:0x0] = _v16;
      						return 0;
      					}
      				}
      				L57:
      			}

      0x00466b43
      0x00466b45
      0x00466b50
      0x00466b51
      0x00466b56
      0x00466b57
      0x00466b5e
      0x00466b62
      0x00466b68
      0x00466b6a
      0x00466b70
      0x00466b76
      0x0046717f
      0x00467184
      0x00467192
      0x00466b7c
      0x00466b7c
      0x00466b82
      0x00466b8b
      0x00466b91
      0x00466b97
      0x00466b99
      0x00466b99
      0x00466b9f
      0x00466ba5
      0x00466bab
      0x00466bb1
      0x00466bb7
      0x00466bbd
      0x00466bc0
      0x00466bc6
      0x00466bcb
      0x00466c51
      0x00466c51
      0x00466c57
      0x00466c5d
      0x00466c63
      0x00466c6a
      0x00466c70
      0x00466c76
      0x00466c7c
      0x00466c80
      0x00466c87
      0x00466c8e
      0x00466c95
      0x00466ca2
      0x00466ca8
      0x00466cae
      0x00466cb5
      0x00466cba
      0x00466cbd
      0x00466cc0
      0x00466cc9
      0x00466d13
      0x00466d19
      0x00466d1c
      0x00466d23
      0x00466d2a
      0x00466d32
      0x00466d38
      0x00466d3b
      0x00466d42
      0x00466d49
      0x00466d4b
      0x00466d51
      0x00466d51
      0x00466d56
      0x00466d5c
      0x00466d62
      0x00466d68
      0x00466d6e
      0x00466d78
      0x00466d7f
      0x00466d86
      0x00466d8d
      0x00466d9a
      0x00466da0
      0x00466da6
      0x00466dad
      0x00466db2
      0x00466db5
      0x00466db8
      0x00466dbf
      0x00466dc1
      0x00466dcf
      0x00466dcf
      0x00466dd5
      0x00466dd8
      0x00466ddf
      0x00466de6
      0x00466dee
      0x00466df4
      0x00466df7
      0x00466dfe
      0x00466e05
      0x00466e07
      0x00466e0d
      0x00466e0d
      0x00466e12
      0x00466e18
      0x00466e1e
      0x00466e24
      0x00466e2a
      0x00466e34
      0x00466e3b
      0x00466e42
      0x00466e49
      0x00466e56
      0x00466e5c
      0x00466e62
      0x00466e69
      0x00466e6e
      0x00466e71
      0x00466e74
      0x00466e7b
      0x00466e7d
      0x00466e8b
      0x00466e8b
      0x00466e91
      0x00466e94
      0x00466e9b
      0x00466ea2
      0x00466eaa
      0x00466eb0
      0x00466eb3
      0x00466eba
      0x00466ec1
      0x00466ec3
      0x00466ec9
      0x00466ec9
      0x00466ece
      0x00466eda
      0x00466ee0
      0x00466eeb
      0x00466ef1
      0x00466ef8
      0x00466eff
      0x00466f06
      0x00466f0d
      0x00466f12
      0x00466f1c
      0x00466f23
      0x00466f2a
      0x00466f31
      0x00466f3f
      0x00466f4c
      0x00466f52
      0x00466f58
      0x00466f5f
      0x00466f6c
      0x00466f72
      0x00466f79
      0x00466f7d
      0x00466f84
      0x00466f92
      0x00466f9a
      0x00466fa0
      0x00466fa3
      0x00466faa
      0x00466fae
      0x00466fb0
      0x00466fb6
      0x00466fb6
      0x00466fc6
      0x00466fcd
      0x00466fd4
      0x00466fe5
      0x00466feb
      0x00466ff3
      0x00466ffb
      0x00466ffb
      0x00466ffd
      0x00467000
      0x00467002
      0x00467008
      0x00467008
      0x0046700d
      0x00467013
      0x00467013
      0x00467019
      0x00467019
      0x0046701f
      0x00467022
      0x00467022
      0x00467029
      0x0046702c
      0x00467032
      0x00467035
      0x00467035
      0x00467038
      0x0046703a
      0x00467041
      0x00467041
      0x00467045
      0x00467047
      0x0046704a
      0x0046704a
      0x0046703c
      0x0046703c
      0x0046703c
      0x0046703f
      0x00000000
      0x00000000
      0x0046703f
      0x0046703a
      0x00467050
      0x00467056
      0x00467056
      0x0046705c
      0x0046705e
      0x00467077
      0x0046707d
      0x00467082
      0x00467085
      0x00467060
      0x00467069
      0x0046706f
      0x0046706f
      0x00467092
      0x0046709f
      0x004670ae
      0x004670b0
      0x004670b7
      0x004670b9
      0x004670bf
      0x004670bf
      0x004670bb
      0x004670bb
      0x004670bb
      0x004670c9
      0x004670ce
      0x004670d1
      0x004670d4
      0x004670d7
      0x004670db
      0x004670dd
      0x004670df
      0x004670e3
      0x004670e9
      0x004670eb
      0x004670ed
      0x004670ef
      0x004670f1
      0x004670f3
      0x004670f5
      0x004670f8
      0x004670fe
      0x004670fe
      0x00467104
      0x00467104
      0x00467107
      0x00467109
      0x0046710c
      0x00467111
      0x00467114
      0x00467114
      0x0046711c
      0x00467121
      0x004670ef
      0x00467124
      0x00467124
      0x0046712e
      0x00467133
      0x00467135
      0x00467137
      0x00467160
      0x00467167
      0x00467139
      0x00467139
      0x00467141
      0x00467147
      0x0046714d
      0x00467152
      0x00467152
      0x00467155
      0x00467157
      0x00467159
      0x00467159
      0x00467157
      0x0046716c
      0x0046716f
      0x00467176
      0x00467178
      0x0046717a
      0x0046717a
      0x00000000
      0x00466e7f
      0x00466e7f
      0x00466e81
      0x00000000
      0x00466e83
      0x00466e83
      0x00000000
      0x00466e83
      0x00466e81
      0x00466dc3
      0x00466dc3
      0x00466dc5
      0x00000000
      0x00466dc7
      0x00466dc7
      0x00000000
      0x00466dc7
      0x00466dc5
      0x00466ccf
      0x00466ccf
      0x00000000
      0x00466ccf
      0x00466bd1
      0x00466bd1
      0x00466bd3
      0x00466bd3
      0x00466be4
      0x00466be9
      0x00466bf0
      0x00466bfe
      0x00466c03
      0x00466c03
      0x00466c08
      0x00466c13
      0x00466c1e
      0x00466c23
      0x00466c26
      0x00466c29
      0x00466c30
      0x00466c39
      0x00466c3f
      0x00466c3f
      0x00466cd4
      0x00466cd4
      0x00466cd7
      0x00466ce1
      0x00466ce1
      0x00466ce1
      0x00466c44
      0x00466c47
      0x00466c4f
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00466c4f
      0x00466ceb
      0x00466ceb
      0x00466cf4
      0x00466cfa
      0x00466cfa
      0x00466d04
      0x00466d12
      0x00466d12
      0x00466bcb
      0x00000000

      APIs
      • _memmove.LIBCMT ref: 00466C1E
        • Part of subcall function 0042D940: EnterCriticalSection.KERNEL32(004BCF2C,2927074F,004BCA10,00000000,004BCA10,004674DB,2927074F,004BCA10,004BCA10,0077A1E8,0048CCB8), ref: 0042D96E
        • Part of subcall function 0042D940: __CxxThrowException@8.LIBCMT ref: 0042D9AB
        • Part of subcall function 0042D940: LeaveCriticalSection.KERNEL32(004BCF2C), ref: 0042DA4D
      • EnterCriticalSection.KERNEL32(004C2538,0048CCB8,004BCA10,00000000,00000000,00000000,00000001,00000000,0048CCB8,004BCA10,00000000,00000000,00000000,00000001,00000000,0048CCB8), ref: 00466EF8
      • EnterCriticalSection.KERNEL32(004C255C), ref: 00466F0D
      • LeaveCriticalSection.KERNEL32(004C255C,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00466FC6
      • LeaveCriticalSection.KERNEL32(004C2538), ref: 00466FD4
      • EnterCriticalSection.KERNEL32(004BCEA0,00000000,00000000,00000000,000003A8,00000000), ref: 0046702C
      • LeaveCriticalSection.KERNEL32(004C2538), ref: 00467050
        • Part of subcall function 00430D60: InterlockedDecrement.KERNEL32(004BD724), ref: 00430D6A
        • Part of subcall function 00430D60: LeaveCriticalSection.KERNEL32(004C2668,?,00464B69,000000FF,000000FF,00000014,00000000,00000000,007801D0,00000001,2927074F,00000014,004BD710,004C2588,00000000), ref: 00430D92
      • VirtualFree.KERNEL32(00000000,00000000,00004000), ref: 0046706F
        • Part of subcall function 00466A30: VirtualFree.KERNEL32(00000000,00000000,00004000,004BCA10,004162D9,0077A1E8), ref: 00466A52
        • Part of subcall function 00468280: GetSystemInfo.KERNEL32(?,00000000,004C255C,004BCA10,?,?,?,?,?,?,?,?,?,?,0046716C), ref: 0046828F
        • Part of subcall function 00468280: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0046716C), ref: 004682C5
      • _free.LIBCMT ref: 0046707D
      • InterlockedDecrement.KERNEL32(004C2564), ref: 004670E3
      • SysFreeString.OLEAUT32(00000000), ref: 004670F8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Leave$Enter$Free$DecrementInterlockedVirtual$Exception@8FileInfoStringSystemThrowView_free_memmove
      • String ID: 8%L$8%L$8%L$\%L$\%L$\%L$JA$aI$aI
      • API String ID: 439464383-1557562058
      • Opcode ID: d14812a56cf809ec19b9f12db450ad4902b5e67643de831212a86e76264aa8a6
      • Instruction ID: 3a797b8b8dff14206be3ae68452fa6cd8c16c455bb91eca73b805a01b2b91cc3
      • Opcode Fuzzy Hash: d14812a56cf809ec19b9f12db450ad4902b5e67643de831212a86e76264aa8a6
      • Instruction Fuzzy Hash: 83126BB09052099BDF14DF94C994BEE77B4EF04318F14027EED19AB286EB399904CF69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E0044E65D(void* __ebx, unsigned int __edi) {
      				void* __esi;
      				struct HWND__* _t48;
      				int _t49;
      				struct HMENU__* _t59;
      				int _t88;
      				struct HMENU__* _t93;
      				void* _t94;
      				int _t97;
      				struct HWND__* _t109;
      				void* _t110;
      				struct HWND__* _t111;
      				void* _t112;
      				signed int _t113;
      
      				_t94 = __ebx;
      				_t48 = GetDlgItem(_t111, 0x3f9);
      				_t107 = __edi;
      				 *(_t113 - 0x624) = _t48;
      				_t49 = __edi >> 0x10;
      				 *(_t113 - 0x498) = __edi;
      				 *(_t113 - 0x494) = _t49;
      				if(__edi != 0xffffffff) {
      					L2:
      					 *((char*)(_t113 - 0x61d)) = 1;
      					L3:
      					_t109 =  *(_t113 - 0x624);
      					if(E0042ECF0(_t109, _t113 - 0x498) == 0) {
      						L7:
      						_t97 =  *(_t113 + 0xc);
      						DefWindowProcW(_t111, _t97,  *(_t113 - 0x628),  *(_t113 - 0x64c));
      						 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0xc));
      						_pop(_t110);
      						_pop(_t112);
      						return E0046F77E(_t94,  *(_t113 - 0x10) ^ _t113, _t107, _t110, _t112);
      					}
      					GetWindowRect(SendMessageW(_t109, 0x101f, 0, 0), _t113 - 0x508);
      					_push( *(_t113 - 0x494));
      					if(PtInRect(_t113 - 0x508,  *(_t113 - 0x498)) == 0) {
      						if( *0x4bd895 != 0) {
      							SendMessageW(_t111, 0x111, 0x9c53, 0);
      						}
      						 *0x4c22b0 = 0xffffffff;
      						 *0x4be2b0 = 0;
      						if( *((intOrPtr*)(_t113 - 0x61d)) == 0) {
      							L22:
      							_t59 =  *0x4c24d8; // 0x0
      							if(_t59 != 0) {
      								DestroyMenu(_t59);
      							}
      							 *0x4c24d8 = E004481D0(_t107, E0044C290(GetMenu(_t111), 0x9c43, 0));
      							if( *0x4be2b0 == 0) {
      								E00459890(_t94, _t62, 0);
      							} else {
      								L0046FDBD(_t113 - 0x80, 0x37, 0x4be2b0, 0xffffffff);
      								E0046EF0C(_t113 - 0x1c, 5, L"...");
      								E00459890(_t94,  *0x4c24d8, _t113 - 0x80);
      							}
      							 *0x4c22c4 = E0044C340( *0x4c24d8, L"Include", _t113 - 0x624);
      							 *0x4c22c8 = E0044C340( *0x4c24d8, L"Exclude", _t113 - 0x624);
      							 *0x4c22cc = E0044C340( *0x4c24d8, L"Highlight", _t113 - 0x624);
      							TrackPopupMenu( *0x4c24d8, 0,  *(_t113 - 0x498),  *(_t113 - 0x494), 0, _t111, 0);
      							L6:
      							goto L7;
      						} else {
      							asm("xorps xmm0, xmm0");
      							 *(_t113 - 0x61c) =  *(_t113 - 0x498);
      							asm("movdqu [ebp-0x618], xmm0");
      							 *(_t113 - 0x618) =  *(_t113 - 0x494);
      							ScreenToClient(_t109, _t113 - 0x61c);
      							if(SendMessageW(_t109, 0x1039, 0, _t113 - 0x61c) < 0) {
      								goto L22;
      							}
      							 *(_t113 - 0x62c) = 0x4bca10;
      							EnterCriticalSection(0x4bca10);
      							 *(_t113 - 4) = 0;
      							E0040D160(0x4bca10, _t113 - 0x4b4,  *((intOrPtr*)(_t113 - 0x610)));
      							 *(_t113 - 4) = 1;
      							if( *((intOrPtr*)(_t113 - 0x4ac)) == 0) {
      								L21:
      								 *(_t113 - 4) = 0;
      								E0040F960(_t113 - 0x4b4, _t111);
      								 *(_t113 - 4) = 0xffffffff;
      								LeaveCriticalSection(0x4bca10);
      								goto L22;
      							}
      							_t88 =  *(0x4bd794 +  *(_t113 - 0x60c) * 4);
      							 *0x4c22b0 = _t88;
      							if(_t88 == 0x9c8e || _t88 == 0x9c8c || _t88 == 0x9c74) {
      								_push(0x1000);
      								_push(0x4be2b0);
      								 *0x4c22b0 = 0x9c74;
      								_push(0x9c46);
      							} else {
      								_push(0x1000);
      								_push(0x4be2b0);
      								_push(_t88);
      							}
      							E004110C0(_t107, _t109);
      							E004110C0(_t107, _t109, 0x9c46, 0x4c02b0, 0x1000);
      							goto L21;
      						}
      					}
      					_t93 = GetSubMenu(LoadMenuW( *0x4bd2c4, L"CONTEXT_HEADER"), 0);
      					TrackPopupMenu(_t93, 0,  *(_t113 - 0x498),  *(_t113 - 0x494), 0, _t111, 0);
      					goto L6;
      				}
      				 *((char*)(_t113 - 0x61d)) = 0;
      				if(_t49 == __edi) {
      					goto L3;
      				}
      				goto L2;
      			}

      0x0044e65d
      0x0044e663
      0x0044e66b
      0x0044e671
      0x0044e677
      0x0044e67a
      0x0044e680
      0x0044e689
      0x0044e696
      0x0044e696
      0x0044e69d
      0x0044e69d
      0x0044e6b5
      0x0044e726
      0x0044e726
      0x0044e737
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757
      0x0044e757
      0x0044e6cf
      0x0044e6d5
      0x0044e6f0
      0x0044e761
      0x0044e770
      0x0044e770
      0x0044e778
      0x0044e782
      0x0044e78e
      0x0044e8b5
      0x0044e8b5
      0x0044e8bc
      0x0044e8bf
      0x0044e8bf
      0x0044e8e2
      0x0044e8ef
      0x0044e92a
      0x0044e8f1
      0x0044e8fe
      0x0044e90e
      0x0044e91d
      0x0044e922
      0x0044e949
      0x0044e965
      0x0044e984
      0x0044e720
      0x0044e720
      0x00000000
      0x0044e794
      0x0044e79a
      0x0044e79d
      0x0044e7a9
      0x0044e7b1
      0x0044e7bf
      0x0044e7dc
      0x00000000
      0x00000000
      0x0044e7e7
      0x0044e7f1
      0x0044e803
      0x0044e810
      0x0044e81c
      0x0044e820
      0x0044e894
      0x0044e89a
      0x0044e89e
      0x0044e8a8
      0x0044e8af
      0x00000000
      0x0044e8af
      0x0044e828
      0x0044e82f
      0x0044e839
      0x0044e856
      0x0044e85b
      0x0044e860
      0x0044e86a
      0x0044e849
      0x0044e849
      0x0044e84e
      0x0044e853
      0x0044e853
      0x0044e875
      0x0044e88f
      0x00000000
      0x0044e88f
      0x0044e78e
      0x0044e706
      0x0044e720
      0x00000000
      0x0044e720
      0x0044e68b
      0x0044e694
      0x00000000
      0x00000000
      0x00000000

      APIs
      • GetDlgItem.USER32 ref: 0044E663
      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0044E6C1
      • GetWindowRect.USER32 ref: 0044E6CF
      • PtInRect.USER32(?,?,?), ref: 0044E6E8
      • LoadMenuW.USER32 ref: 0044E6FD
      • GetSubMenu.USER32 ref: 0044E706
      • TrackPopupMenu.USER32(00000000,00000000,?,?,00000000,?,00000000), ref: 0044E720
      • DefWindowProcW.USER32(?,?,?,?,2927074F), ref: 0044E737
      • SendMessageW.USER32(?,00000111,00009C53,00000000), ref: 0044E770
      • ScreenToClient.USER32 ref: 0044E7BF
      • SendMessageW.USER32(?,00001039,00000000,?), ref: 0044E7D4
      • EnterCriticalSection.KERNEL32 ref: 0044E7F1
      • LeaveCriticalSection.KERNEL32(004BCA10,?,?), ref: 0044E8AF
      • DestroyMenu.USER32(00000000), ref: 0044E8BF
      • GetMenu.USER32 ref: 0044E8CD
        • Part of subcall function 0044C340: GetMenuItemCount.USER32 ref: 0044C363
        • Part of subcall function 0044C340: GetMenuItemInfoW.USER32(?,00000000,00000001,00000030), ref: 0044C3D0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Menu$ItemMessageSend$CriticalRectSectionWindow$ClientCountDestroyEnterInfoLeaveLoadPopupProcScreenTrack
      • String ID: ...$CONTEXT_HEADER$Exclude$Highlight$Include
      • API String ID: 115234869-279293504
      • Opcode ID: 87f98e831012632035d55296070282af09776fc2223d0e908271ed814eb5a2b1
      • Instruction ID: 57c9b57cd7fcc908da7655d161e326afb5af073fdc5895b3ee96b3601fcc5a26
      • Opcode Fuzzy Hash: 87f98e831012632035d55296070282af09776fc2223d0e908271ed814eb5a2b1
      • Instruction Fuzzy Hash: 7C81C370900218ABEF259F61DC49FDE77B9AB48700F1005BAF605B71E1DBB95A858F2C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E0042EF90(void* __edx, struct HWND__* _a4) {
      				signed int _v8;
      				char _v526;
      				char _v528;
      				void* _v4624;
      				int _v4628;
      				struct HICON__* _v4632;
      				signed int _v4636;
      				intOrPtr _v4672;
      				intOrPtr _v4692;
      				char* _v4696;
      				WCHAR* _v4712;
      				struct HWND__* _v4720;
      				struct tagOFNA _v4724;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t44;
      				struct HICON__* _t62;
      				signed int _t63;
      				struct HWND__* _t80;
      				void* _t85;
      				void* _t86;
      				int _t87;
      				void* _t88;
      				void* _t89;
      				signed short* _t90;
      				signed int _t91;
      				void* _t92;
      				void* _t93;
      				void* _t95;
      
      				_t85 = __edx;
      				E00472600(0x1270);
      				_t44 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t44 ^ _t91;
      				_t80 = _a4;
      				E00470030( &_v4720, 0, 0x54);
      				_v528 = 0;
      				E00470030( &_v526, 0, 0x206);
      				_t86 = GetSaveFileNameW;
      				_t93 = _t92 + 0x18;
      				_v4696 =  &_v528;
      				_v4724 = 0x58;
      				_v4720 = _t80;
      				_v4692 = 0x104;
      				_v4712 = L"Text File (*.CSV)";
      				_v4672 = 8;
      				if(GetSaveFileNameW( &_v4724) == 0) {
      					L4:
      					return E0046F77E(_t80, _v8 ^ _t91, _t85, _t86, _t88);
      				} else {
      					_t88 = MessageBoxW;
      					while(1) {
      						_push(L".CSV");
      						E00435A10( &_v528, 0x104);
      						_v4628 = 0;
      						E00471CA4( &_v4628,  &_v528, L"wt");
      						_t93 = _t93 + 0x18;
      						if(_v4628 != 0) {
      							break;
      						}
      						MessageBoxW(_t80, L"Unable to open file for writing", L"Export Listview", 0x10);
      						_v4724 = 0x58;
      						_v4696 =  &_v528;
      						_v4720 = _t80;
      						_v4692 = 0x104;
      						_v4712 = L"Text File (*.CSV)";
      						_v4672 = 8;
      						if(GetSaveFileNameW( &_v4724) != 0) {
      							continue;
      						} else {
      							goto L4;
      						}
      						goto L13;
      					}
      					_t62 = SetCursor(LoadCursorW(0, 0x7f02));
      					_t89 = SendMessageW;
      					_v4632 = _t62;
      					_t63 = SendMessageW(_t80, 0x18b, 0, 0);
      					_t87 = 0;
      					_v4636 = _t63;
      					__eflags = _t63;
      					if(__eflags != 0) {
      						do {
      							SendMessageW(_t80, 0x189, _t87,  &_v4624);
      							_push(_v4628);
      							_push(0x22);
      							E00472868(_t80, _t87, _t89, __eflags);
      							_t95 = _t93 + 8;
      							_t90 =  &_v4624;
      							__eflags = _v4624;
      							while(__eflags != 0) {
      								__eflags =  *_t90 - 0x22;
      								if(__eflags == 0) {
      									_push(_v4628);
      									_push(0x22);
      									E00472868(_t80, _t87, _t90, __eflags);
      									_t95 = _t95 + 8;
      								}
      								_push(_v4628);
      								_push( *_t90 & 0x0000ffff);
      								E00472868(_t80, _t87, _t90, __eflags);
      								_t90 =  &(_t90[1]);
      								_t95 = _t95 + 8;
      								__eflags =  *_t90;
      							}
      							_push(_v4628);
      							_push(0x22);
      							E00472868(_t80, _t87, _t90, __eflags);
      							_push(_v4628);
      							_push(0xa);
      							E00472868(_t80, _t87, _t90, __eflags);
      							_t89 = SendMessageW;
      							_t87 = _t87 + 1;
      							_t93 = _t95 + 0x10;
      							__eflags = _t87 - _v4636;
      						} while (__eflags < 0);
      					}
      					L00471E1F(_t80, _t87, _t89, __eflags);
      					SetCursor(_v4632);
      					__eflags = _v8 ^ _t91;
      					return E0046F77E(_t80, _v8 ^ _t91, _t85, _t87, _t89, _v4628);
      				}
      				L13:
      			}

      0x0042ef90
      0x0042ef98
      0x0042ef9d
      0x0042efa4
      0x0042efa8
      0x0042efb8
      0x0042efc5
      0x0042efd3
      0x0042efd8
      0x0042efe4
      0x0042efe7
      0x0042eff3
      0x0042effd
      0x0042f003
      0x0042f00e
      0x0042f018
      0x0042f026
      0x0042f0e0
      0x0042f0f0
      0x0042f02c
      0x0042f02c
      0x0042f040
      0x0042f040
      0x0042f051
      0x0042f061
      0x0042f073
      0x0042f078
      0x0042f082
      0x00000000
      0x00000000
      0x0042f091
      0x0042f099
      0x0042f0a3
      0x0042f0b0
      0x0042f0b6
      0x0042f0c0
      0x0042f0ca
      0x0042f0d8
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x0042f0d8
      0x0042f0ff
      0x0042f105
      0x0042f115
      0x0042f11b
      0x0042f11d
      0x0042f11f
      0x0042f125
      0x0042f127
      0x0042f130
      0x0042f13e
      0x0042f140
      0x0042f146
      0x0042f148
      0x0042f14d
      0x0042f150
      0x0042f156
      0x0042f15e
      0x0042f160
      0x0042f164
      0x0042f166
      0x0042f16c
      0x0042f16e
      0x0042f173
      0x0042f173
      0x0042f176
      0x0042f17f
      0x0042f180
      0x0042f185
      0x0042f188
      0x0042f18b
      0x0042f18b
      0x0042f191
      0x0042f197
      0x0042f199
      0x0042f19e
      0x0042f1a4
      0x0042f1a6
      0x0042f1ab
      0x0042f1b1
      0x0042f1b2
      0x0042f1b5
      0x0042f1b5
      0x0042f130
      0x0042f1c7
      0x0042f1d5
      0x0042f1e2
      0x0042f1ed
      0x0042f1ed
      0x00000000

      APIs
      • _memset.LIBCMT ref: 0042EFB8
      • _memset.LIBCMT ref: 0042EFD3
      • GetSaveFileNameW.COMDLG32(?), ref: 0042F022
        • Part of subcall function 00435A10: _wcsrchr.LIBCMT ref: 00435A18
      • __wfopen_s.LIBCMT ref: 0042F073
      • MessageBoxW.USER32(?,Unable to open file for writing,Export Listview,00000010), ref: 0042F091
      • GetSaveFileNameW.COMDLG32(00000058), ref: 0042F0D4
      • LoadCursorW.USER32(00000000,00007F02), ref: 0042F0F8
      • SetCursor.USER32(00000000), ref: 0042F0FF
      • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 0042F11B
      • SendMessageW.USER32(?,00000189,00000000,?), ref: 0042F13E
      • _fputc.LIBCMT ref: 0042F148
      • _fputc.LIBCMT ref: 0042F16E
      • _fputc.LIBCMT ref: 0042F180
      • _fputc.LIBCMT ref: 0042F199
      • _fputc.LIBCMT ref: 0042F1A6
      • SetCursor.USER32(?), ref: 0042F1D5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _fputc$CursorMessage$FileNameSaveSend_memset$Load__wfopen_s_wcsrchr
      • String ID: .CSV$Export Listview$Unable to open file for writing$X
      • API String ID: 155739214-2764136903
      • Opcode ID: 8b2807e65b31c897f06ff951db5d3ef1da7be2396563587de06ae99d1c679eeb
      • Instruction ID: f52d16d664ee15a04a65454dc60f003e887da9d4c55bd8778c788ae5d0b0a5d5
      • Opcode Fuzzy Hash: 8b2807e65b31c897f06ff951db5d3ef1da7be2396563587de06ae99d1c679eeb
      • Instruction Fuzzy Hash: B8518FB1D40228AADF20EF65DC45BD9B778FB04304F4045EAF50CF2182D7B95AA88F99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 64%
      			E00446E44(WCHAR** __eax, void* __ebx, void* __edx) {
      				void* __esi;
      				WCHAR* _t30;
      				union _GET_FILEEX_INFO_LEVELS _t36;
      				WCHAR** _t47;
      				WCHAR* _t48;
      				void* _t49;
      				WCHAR** _t61;
      				void* _t68;
      				void* _t69;
      				WCHAR** _t76;
      				WCHAR* _t77;
      				void* _t78;
      				void* _t79;
      				struct HWND__* _t81;
      				union _GET_FILEEX_INFO_LEVELS* _t82;
      				void* _t83;
      				signed int _t84;
      				void* _t86;
      				void* _t89;
      
      				_t78 = __edx;
      				_t30 =  *__eax;
      				if(GetFileAttributesExW(_t30, 0, _t84 - 0x23c) == 0 || ( *(_t84 - 0x23c) & 0x00000010) != 0) {
      					L16:
      					goto L17;
      				} else {
      					E0043AD70();
      					if(__ebx != 0) {
      						E0046EF0C(_t84 - 0x218, 0x104, __ebx);
      						_t89 = _t86 + 0xc;
      						L13:
      						_push(L".PML");
      						E00435A10(_t84 - 0x218, 0x104);
      						_t86 = _t89 + 0xc;
      						if(E004168D0(0x4bca10, _t78, _t84 - 0x218, 0, ?str?, ?str?) != 0) {
      							_t47 =  *(_t84 - 0x240);
      							if(_t47 == 0) {
      								_t48 = 0;
      							} else {
      								_t48 =  *_t47;
      							}
      							_t49 = L0043AA70(_t78, _t81, _t48);
      							_t76 =  *(_t84 - 0x240);
      							_t86 = _t86 + 8;
      							_t69 = _t49;
      							if(_t76 == 0) {
      								_t77 = 0;
      							} else {
      								_t77 =  *_t76;
      							}
      							DeleteFileW(_t77);
      							if(_t69 != 0) {
      								L17:
      								_t82 =  *(_t84 - 0x240);
      								if(_t82 != 0 && InterlockedDecrement(_t82 + 8) == 0 && _t82 != 0) {
      									_t36 =  *_t82;
      									if(_t36 != 0) {
      										__imp__#6(_t36);
      										 *_t82 = 0;
      									}
      									_t37 =  *(_t82 + 4);
      									if( *(_t82 + 4) != 0) {
      										E0046EF07(_t37);
      										_t86 = _t86 + 4;
      										 *(_t82 + 4) = 0;
      									}
      									E0046EF07(_t82);
      								}
      								 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
      								_pop(_t79);
      								_pop(_t83);
      								_pop(_t68);
      								return E0046F77E(_t68,  *(_t84 - 0x10) ^ _t84, _t78, _t79, _t83);
      							}
      							_push(0x10);
      							_push(L"Process Monitor");
      							_push(L"An error occured processing the boot-time data");
      							L15:
      							MessageBoxW(_t81, ??, ??, ??);
      							goto L16;
      						}
      						_push(0x10);
      						_push(L"Process Monitor");
      						_push(L"Unable to create the requested PML file");
      						goto L15;
      					}
      					if( *((intOrPtr*)(_t84 - 0x21c)) != 0 ||  *((intOrPtr*)(_t84 - 0x220)) != 0) {
      						if(MessageBoxW(_t81, L"A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?", L"Process Monitor", 0x24) != 6) {
      							goto L16;
      						}
      						E0046EF0C(_t84 - 0x218, 0x104, L"Bootlog.pml");
      						E00470030(_t84 - 0x294, 0, 0x54);
      						_t89 = _t86 + 0x18;
      						 *(_t84 - 0x298) = 0x58;
      						 *(_t84 - 0x294) = _t81;
      						 *((intOrPtr*)(_t84 - 0x27c)) = _t84 - 0x218;
      						 *((intOrPtr*)(_t84 - 0x278)) = 0x104;
      						 *((intOrPtr*)(_t84 - 0x28c)) = L"Procmon Log (*.PML)";
      						 *((intOrPtr*)(_t84 - 0x264)) = 0x20008;
      						if(GetSaveFileNameW(_t84 - 0x298) != 0) {
      							goto L13;
      						}
      					} else {
      						MessageBoxW(_t81, L"The log of boot-time activity created by a previous instance of Process Monitor is incomplete and cannot be read.", L"Process Monitor", 0x30);
      						_t61 =  *(_t84 - 0x240);
      						if(_t61 == 0) {
      							DeleteFileW(0);
      						} else {
      							DeleteFileW( *_t61);
      						}
      					}
      					goto L16;
      				}
      			}

      0x00446e44
      0x00446e44
      0x00446e5c
      0x00446fb5
      0x00000000
      0x00446e6f
      0x00446e6f
      0x00446e7c
      0x00446f64
      0x00446f69
      0x00446f6c
      0x00446f6c
      0x00446f7d
      0x00446f82
      0x00446fa4
      0x00447024
      0x0044702c
      0x00447032
      0x0044702e
      0x0044702e
      0x0044702e
      0x00447036
      0x0044703b
      0x00447041
      0x00447044
      0x00447048
      0x0044704e
      0x0044704a
      0x0044704a
      0x0044704a
      0x00447051
      0x00447059
      0x00446fb7
      0x00446fb7
      0x00446fbf
      0x00446fd3
      0x00446fd7
      0x00446fda
      0x00446fe0
      0x00446fe0
      0x00446fe6
      0x00446feb
      0x00446fee
      0x00446ff3
      0x00446ff6
      0x00446ff6
      0x00446ffe
      0x00447003
      0x0044700b
      0x00447013
      0x00447014
      0x00447015
      0x00447023
      0x00447023
      0x0044705b
      0x0044705d
      0x00447062
      0x00446fb2
      0x00446fb3
      0x00000000
      0x00446fb3
      0x00446fa6
      0x00446fa8
      0x00446fad
      0x00000000
      0x00446fad
      0x00446e89
      0x00446edb
      0x00000000
      0x00000000
      0x00446ef2
      0x00446f02
      0x00446f07
      0x00446f0a
      0x00446f1a
      0x00446f20
      0x00446f2c
      0x00446f37
      0x00446f41
      0x00446f53
      0x00000000
      0x00000000
      0x00446e94
      0x00446ea1
      0x00446ea3
      0x00446eab
      0x00446ebe
      0x00446ead
      0x00446eb0
      0x00446eb0
      0x00446eab
      0x00000000
      0x00446e89

      APIs
      • GetFileAttributesExW.KERNEL32(00000000,00000000,?,?), ref: 00446E54
      • MessageBoxW.USER32(?,The log of boot-time activity created by a previous instance of Process Monitor is incomplete and cannot be read.,Process Monitor,00000030), ref: 00446EA1
      • DeleteFileW.KERNEL32(?,?,The log of boot-time activity created by a previous instance of Process Monitor is incomplete and cannot be read.,Process Monitor,00000030), ref: 00446EB0
      • DeleteFileW.KERNEL32(00000000,?,The log of boot-time activity created by a previous instance of Process Monitor is incomplete and cannot be read.,Process Monitor,00000030), ref: 00446EBE
      • MessageBoxW.USER32(?,A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?,Process Monitor,00000024), ref: 00446ED6
      • _memset.LIBCMT ref: 00446F02
      • GetSaveFileNameW.COMDLG32(00000058), ref: 00446F4B
      • InterlockedDecrement.KERNEL32(?), ref: 00446FC5
      • SysFreeString.OLEAUT32(00000000), ref: 00446FDA
      Strings
      • X, xrefs: 00446F0A
      • .PML, xrefs: 00446F6C
      • 445817, xrefs: 00446F95
      • Unable to create the requested PML file, xrefs: 00446FAD
      • C:\Windows, xrefs: 00446F90
      • Process Monitor, xrefs: 00446E96, 00446ECB, 00446FA8
      • h7J, xrefs: 00446F37
      • Bootlog.pml, xrefs: 00446EE1
      • A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?, xrefs: 00446ED0
      • The log of boot-time activity created by a previous instance of Process Monitor is incomplete and cannot be read., xrefs: 00446E9B
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: File$DeleteMessage$AttributesDecrementFreeInterlockedNameSaveString_memset
      • String ID: .PML$445817$A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?$Bootlog.pml$C:\Windows$Process Monitor$The log of boot-time activity created by a previous instance of Process Monitor is incomplete and cannot be read.$Unable to create the requested PML file$X$h7J
      • API String ID: 1545733719-738849985
      • Opcode ID: 465e8b37f8460eebd718809c6495a55cb87c3084972f91f0029d9ecfb91a714e
      • Instruction ID: 2ee06464a060d61f4e389d6bc65562c3dd6c57ab050cdbb74255a7d73a13ca8b
      • Opcode Fuzzy Hash: 465e8b37f8460eebd718809c6495a55cb87c3084972f91f0029d9ecfb91a714e
      • Instruction Fuzzy Hash: 4541DDB0A413186BEB209F61DC49BDA77A8AF15B04F1104ABE948F3280E77C9D498F5D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E004596E0(struct HWND__* _a4, intOrPtr _a8, struct HDC__* _a12, intOrPtr _a16) {
      				void* _t12;
      				long _t13;
      				long _t14;
      				int _t16;
      				void* _t22;
      				long _t23;
      				long _t24;
      				int _t32;
      				long _t34;
      				intOrPtr _t43;
      				struct HWND__* _t45;
      				struct HDC__* _t46;
      				struct HWND__* _t47;
      				void* _t51;
      
      				_t43 = _a8;
      				_t12 = _t43 - 0x110;
      				if(_t12 == 0) {
      					_t13 =  *0x4bd8a8; // 0x0
      					 *0x4bdd2c = _t13;
      					_t14 =  *0x4bd8ac; // 0x0
      					 *0x4bdd30 = _t14;
      					 *0x4bdd34 = RegisterWindowMessageW(L"commdlg_ColorOK");
      					_t16 = RegisterWindowMessageW(L"commdlg_SetRGBColor");
      					_t45 = _a4;
      					 *0x4bdd38 = _t16;
      					CheckRadioButton(_t45, 0x404, 0x405, 0x404);
      					SendMessageW(_t45,  *0x4bdd38, 0,  *0x4bdd2c);
      					SetFocus(GetDlgItem(_t45, 0x3f4));
      					goto L12;
      				} else {
      					_t22 = _t12 - 1;
      					if(_t22 == 0) {
      						if(_a12 != 0x3f4) {
      							goto L12;
      						} else {
      							_t23 =  *0x4bdd2c; // 0x0
      							 *0x4bd8a8 = _t23;
      							_t24 =  *0x4bdd30; // 0x0
      							 *0x4bd8ac = _t24;
      							PostMessageW(_a4, 0x111, 3, 0);
      							return 0;
      						}
      					} else {
      						if(_t22 == 0x27) {
      							if(_a16 != GetDlgItem(_a4, 0x3ff)) {
      								goto L12;
      							} else {
      								_t46 = _a12;
      								SetBkColor(_t46,  *0x4bdd30);
      								SetTextColor(_t46,  *0x4bdd2c);
      								return GetStockObject(0);
      							}
      						} else {
      							_t51 = _t43 -  *0x4bdd34; // 0x0
      							if(_t51 != 0) {
      								L12:
      								return 0;
      							} else {
      								_t47 = _a4;
      								_t32 = IsDlgButtonChecked(_t47, 0x405);
      								_push(1);
      								_push(0);
      								_push(0x3ff);
      								_push(_t47);
      								_t34 =  *(_a16 + 0xc);
      								if(_t32 == 0) {
      									 *0x4bdd2c = _t34;
      									InvalidateRect(GetDlgItem(??, ??), ??, ??);
      									SendMessageW(_t47,  *0x4bdd38, 0,  *0x4bdd30);
      									return 1;
      								} else {
      									 *0x4bdd30 = _t34;
      									InvalidateRect(GetDlgItem(??, ??), ??, ??);
      									SendMessageW(_t47,  *0x4bdd38, 0,  *0x4bdd2c);
      									return 1;
      								}
      							}
      						}
      					}
      				}
      			}

      0x004596e3
      0x004596e9
      0x004596ee
      0x00459810
      0x0045981b
      0x00459820
      0x0045982a
      0x00459836
      0x0045983b
      0x0045983d
      0x00459850
      0x00459855
      0x0045986a
      0x0045987d
      0x00000000
      0x004596f4
      0x004596f4
      0x004596f5
      0x004597dd
      0x00000000
      0x004597e3
      0x004597e3
      0x004597f4
      0x004597f9
      0x004597fe
      0x00459803
      0x0045980d
      0x0045980d
      0x004596fb
      0x004596fe
      0x004597a6
      0x00000000
      0x004597ac
      0x004597b2
      0x004597b6
      0x004597c3
      0x004597d3
      0x004597d3
      0x00459704
      0x00459704
      0x0045970a
      0x00459883
      0x00459887
      0x00459710
      0x00459710
      0x00459719
      0x0045971f
      0x00459726
      0x00459728
      0x0045972d
      0x0045972e
      0x00459731
      0x00459764
      0x00459770
      0x00459785
      0x00459792
      0x00459733
      0x00459733
      0x0045973f
      0x00459754
      0x00459761
      0x00459761
      0x00459731
      0x0045970a
      0x004596fe
      0x004596f5

      APIs
      • IsDlgButtonChecked.USER32(?,00000405), ref: 00459719
      • GetDlgItem.USER32 ref: 00459738
      • InvalidateRect.USER32(00000000), ref: 0045973F
      • SendMessageW.USER32(?,00000000), ref: 00459754
      • GetDlgItem.USER32 ref: 00459769
      • InvalidateRect.USER32(00000000), ref: 00459770
      • SendMessageW.USER32(?,00000000), ref: 00459785
      • GetDlgItem.USER32 ref: 0045979D
      • SetBkColor.GDI32(?), ref: 004597B6
      • SetTextColor.GDI32(?), ref: 004597C3
      • GetStockObject.GDI32(00000000), ref: 004597CB
      • PostMessageW.USER32(?,00000111,00000003,00000000), ref: 00459803
      • RegisterWindowMessageW.USER32(commdlg_ColorOK), ref: 0045982F
      • RegisterWindowMessageW.USER32(commdlg_SetRGBColor), ref: 0045983B
      • CheckRadioButton.USER32 ref: 00459855
      • SendMessageW.USER32(?,00000000), ref: 0045986A
      • GetDlgItem.USER32 ref: 00459876
      • SetFocus.USER32(00000000), ref: 0045987D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Message$Item$Send$ButtonColorInvalidateRectRegisterWindow$CheckCheckedFocusObjectPostRadioStockText
      • String ID: commdlg_ColorOK$commdlg_SetRGBColor
      • API String ID: 4223648790-943306312
      • Opcode ID: 5e449ecc7050adcbafad09f2e13553beb9fb704c3e9dd4bf4ca6e521a1e70709
      • Instruction ID: 3a1c0792f82f98d3b657d6fefe19d24bbf14d3af04f3ef2f3be53b1393a7ac36
      • Opcode Fuzzy Hash: 5e449ecc7050adcbafad09f2e13553beb9fb704c3e9dd4bf4ca6e521a1e70709
      • Instruction Fuzzy Hash: 69414336A50214FFDB01AFA4EC09B9A3B68FB08721F004A76F641D62B1E7795915CF5C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E0040EE70(void* __ebx, void* __edx, void* __edi) {
      				intOrPtr _v8;
      				char _v16;
      				signed int _v20;
      				short _v540;
      				void* _v544;
      				WCHAR** _v548;
      				char _v552;
      				void* __esi;
      				signed int _t23;
      				signed int _t24;
      				void* _t39;
      				WCHAR** _t44;
      				WCHAR* _t45;
      				void* _t56;
      				void* _t57;
      				void* _t59;
      				signed int _t62;
      
      				_t57 = __edi;
      				_t56 = __edx;
      				_t48 = __ebx;
      				_push(0xffffffff);
      				_push(E0048638B);
      				_push( *[fs:0x0]);
      				_t23 =  *0x4bb1dc; // 0x2927074f
      				_t24 = _t23 ^ _t62;
      				_v20 = _t24;
      				_push(_t24);
      				 *[fs:0x0] =  &_v16;
      				if(RegOpenKeyW(0x80000002, L"System\\CurrentControlSet\\Services\\PROCMON23",  &_v544) == 0) { // 0x80000002 == HKEY_LOCAL_MACHINE: the service key of the PROCMON23 kernel driver; the following deletes strip the registration (subkeys, then Type/ErrorControl/Start/ImagePath)
      					RegDeleteKeyW(_v544, L"Parameters");
      					RegDeleteKeyW(_v544, L"Security");
      					RegDeleteKeyW(_v544, L"Enum");
      					RegDeleteValueW(_v544, L"Type");
      					RegDeleteValueW(_v544, L"ErrorControl");
      					RegDeleteValueW(_v544, L"Start");
      					RegDeleteValueW(_v544, L"ImagePath");
      					RegCloseKey(_v544);
      					GetSystemDirectoryW( &_v540, 0x104); // 0x104 == MAX_PATH
      					_t39 = E00402050(L"\\Drivers\\PROCMON23.SYS"); // appended to the system directory below, i.e. %SystemRoot%\System32\Drivers\PROCMON23.SYS, which DeleteFileW then removes
      					_v8 = 0;
      					E0040EC80(__ebx,  &_v548,  &_v540, _t39);
      					E00403A00( &_v552);
      					_t44 = _v548;
      					if(_t44 == 0) {
      						_t45 = 0;
      					} else {
      						_t45 =  *_t44;
      					}
      					DeleteFileW(_t45);
      					E00403A00( &_v548);
      				}
      				 *[fs:0x0] = _v16;
      				_pop(_t59);
      				return E0046F77E(_t48, _v20 ^ _t62, _t56, _t57, _t59);
      			}

      Instruction addresses (one per pseudocode line above, in order; 0x00000000 where the line, a goto or brace, has no instruction of its own):
      0x0040ee70, 0x0040ee70, 0x0040ee70, 0x0040ee73, 0x0040ee75, 0x0040ee80, 0x0040ee87, 0x0040ee8c,
      0x0040ee8e, 0x0040ee92, 0x0040ee96, 0x0040eeb5, 0x0040eecc, 0x0040eed9, 0x0040eee6, 0x0040eef9,
      0x0040ef06, 0x0040ef13, 0x0040ef20, 0x0040ef28, 0x0040ef3a, 0x0040ef4b, 0x0040ef57, 0x0040ef66,
      0x0040ef74, 0x0040ef79, 0x0040ef81, 0x0040ef87, 0x0040ef83, 0x0040ef83, 0x0040ef83, 0x0040ef8a,
      0x0040ef96, 0x0040ef96, 0x0040ef9e, 0x0040efa6, 0x0040efb4

      APIs
      • RegOpenKeyW.ADVAPI32(80000002,System\CurrentControlSet\Services\PROCMON23,?), ref: 0040EEAD
      • RegDeleteKeyW.ADVAPI32(?,Parameters), ref: 0040EECC
      • RegDeleteKeyW.ADVAPI32(?,Security), ref: 0040EED9
      • RegDeleteKeyW.ADVAPI32(?,Enum), ref: 0040EEE6
      • RegDeleteValueW.ADVAPI32(?,Type), ref: 0040EEF9
      • RegDeleteValueW.ADVAPI32(?,ErrorControl), ref: 0040EF06
      • RegDeleteValueW.ADVAPI32(?,Start), ref: 0040EF13
      • RegDeleteValueW.ADVAPI32(?,ImagePath), ref: 0040EF20
      • RegCloseKey.ADVAPI32(?), ref: 0040EF28
      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040EF3A
        • Part of subcall function 00402050: SysAllocString.OLEAUT32(?), ref: 004020A2
        • Part of subcall function 00403A00: InterlockedDecrement.KERNEL32(00000008), ref: 00403A0E
        • Part of subcall function 00403A00: SysFreeString.OLEAUT32(00000000), ref: 00403A23
      • DeleteFileW.KERNEL32(00000000,?,\Drivers\PROCMON23.SYS), ref: 0040EF8A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Delete$Value$String$AllocCloseDecrementDirectoryFileFreeInterlockedOpenSystem
      • String ID: Enum$ErrorControl$ImagePath$Parameters$Security$Start$System\CurrentControlSet\Services\PROCMON23$Type$\Drivers\PROCMON23.SYS
      • API String ID: 2771376638-861459100
      • Opcode ID: a84fbbc81c2d7140c30bdb6055e6f0415a8eddb65c70821443d0c65d1a9afb1d
      • Instruction ID: 3cea0cb71953284b30070bbf785e3bb6c5be7e5a1b15ce62cd98c7f6847cc780
      • Opcode Fuzzy Hash: a84fbbc81c2d7140c30bdb6055e6f0415a8eddb65c70821443d0c65d1a9afb1d
      • Instruction Fuzzy Hash: 4E31723198021CABCF20AB51EC49FDE7F78EB14714F2045BBA405B21A1DA795A45CF88
      Uniqueness

      Uniqueness Score: -1.00%
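Added example, not code from the report or from Process Monitor: a small Python parser for the "APIs" bullet lines Joe Sandbox prints under each function, plus a check that correlates a RegOpenKeyW on HKLM\System\CurrentControlSet\Services\<name> with the RegDeleteKeyW, RegDeleteValueW and DeleteFileW calls that follow it, which is what E0040EE70 above does to its PROCMON23 driver. The sample input is a constructed copy of that function's listing; the line shape (bullet, optional "Part of subcall function" prefix, Api.Module(args), "ref:" address) is taken from the lines on this page and assumed to hold for the rest of the report.

```python
# Parse a Joe Sandbox per-function "APIs" listing and flag a driver-service
# teardown (service key stripped + .sys deleted). Added example, not report code.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a copy of the "APIs" block printed for E0040EE70,
# embedded so the example runs offline.
SAMPLE_APIS = """\
• RegOpenKeyW.ADVAPI32(80000002,System\\CurrentControlSet\\Services\\PROCMON23,?), ref: 0040EEAD
• RegDeleteKeyW.ADVAPI32(?,Parameters), ref: 0040EECC
• RegDeleteKeyW.ADVAPI32(?,Security), ref: 0040EED9
• RegDeleteKeyW.ADVAPI32(?,Enum), ref: 0040EEE6
• RegDeleteValueW.ADVAPI32(?,Type), ref: 0040EEF9
• RegDeleteValueW.ADVAPI32(?,ErrorControl), ref: 0040EF06
• RegDeleteValueW.ADVAPI32(?,Start), ref: 0040EF13
• RegDeleteValueW.ADVAPI32(?,ImagePath), ref: 0040EF20
• RegCloseKey.ADVAPI32(?), ref: 0040EF28
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040EF3A
  • Part of subcall function 00402050: SysAllocString.OLEAUT32(?), ref: 004020A2
  • Part of subcall function 00403A00: InterlockedDecrement.KERNEL32(00000008), ref: 00403A0E
  • Part of subcall function 00403A00: SysFreeString.OLEAUT32(00000000), ref: 00403A23
• DeleteFileW.KERNEL32(00000000,?,\\Drivers\\PROCMON23.SYS), ref: 0040EF8A
"""

# One report line: optional "Part of subcall function XXXX:" prefix, Api.Module,
# optional "(args)", then "ref: ADDR". The comma before "ref:" is absent when the
# report recovered no arguments (e.g. "MapWindowPoints.USER32 ref: 0042643D").
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HIVES = {0x80000002: "HKEY_LOCAL_MACHINE", 0x80000001: "HKEY_CURRENT_USER"}
SERVICES_PREFIX = "system\\currentcontrolset\\services\\"


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]                  # "?" where the decompiler recovered no value
    ref: int                         # call-site address
    subcall_of: Optional[int] = None  # callee address for nested "Part of subcall" lines


def parse_api_block(text: str) -> list[ApiCall]:
    """Turn the bullet lines of one "APIs" block into ApiCall records."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [a for a in (m["args"] or "").split(",") if a]
        subfn = int(m["subfn"], 16) if m["subfn"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), subfn))
    return calls


@dataclass
class ServiceTeardown:
    hive: str
    service: str
    deleted_keys: list[str] = field(default_factory=list)
    deleted_values: list[str] = field(default_factory=list)
    driver_file: Optional[str] = None

    @property
    def is_driver_uninstall(self) -> bool:
        # A kernel service cannot load without ImagePath, Start and Type; removing
        # those plus the .sys on disk is a complete driver uninstall.
        return ({"ImagePath", "Start", "Type"} <= set(self.deleted_values)
                and self.driver_file is not None)


def find_service_teardown(calls: list[ApiCall]) -> Optional[ServiceTeardown]:
    """Correlate RegOpenKeyW on <hive>\\System\\CurrentControlSet\\Services\\<name>
    with the RegDelete*/DeleteFileW calls that follow it in the same function."""
    found: Optional[ServiceTeardown] = None
    for c in calls:
        if c.subcall_of is not None:
            continue  # BSTR alloc/free inside helpers is not part of the pattern
        if c.api == "RegOpenKeyW" and len(c.args) >= 2:
            try:
                hive = int(c.args[0], 16)
            except ValueError:
                continue
            path = c.args[1]
            if hive in HIVES and path.lower().startswith(SERVICES_PREFIX):
                found = ServiceTeardown(HIVES[hive], path[len(SERVICES_PREFIX):])
        elif found is None:
            continue
        elif c.api == "RegDeleteKeyW" and len(c.args) >= 2:
            found.deleted_keys.append(c.args[1])
        elif c.api == "RegDeleteValueW" and len(c.args) >= 2:
            found.deleted_values.append(c.args[1])
        elif c.api == "DeleteFileW":
            # Only the constant tail of the path is recovered, as a trailing argument.
            for a in c.args:
                if a.lower().endswith(".sys"):
                    found.driver_file = a
    return found


if __name__ == "__main__":
    print(find_service_teardown(parse_api_block(SAMPLE_APIS)))
```

The check deliberately treats the removal of ImagePath, Start and Type together with the .sys on disk as a full driver uninstall and nothing more: a legitimate tool removes its own driver this way on exit, so a hit is a pivot to the function that registered the service, not a verdict on its own.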

      C-Code - Quality: 88%
      			E004263B0(struct HWND__* _a4, int _a8, struct HDC__* _a12, long _a16) {
      				struct HINSTANCE__* _v8;
      				char _v16;
      				signed int _v20;
      				struct tagRECT _v36;
      				struct tagRECT _v52;
      				struct HINSTANCE__* _v56;
      				long _v60;
      				intOrPtr _v64;
      				void* _v68;
      				struct HWND__* _v72;
      				struct HDC__* _v76;
      				struct tagPOINT _v84;
      				intOrPtr _v88;
      				char _v92;
      				intOrPtr _v96;
      				struct HINSTANCE__* _v100;
      				long _v112;
      				struct HDC__* _v116;
      				int _v120;
      				void* _v124;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t77;
      				signed int _t78;
      				intOrPtr _t84;
      				intOrPtr _t89;
      				int _t114;
      				void* _t131;
      				void* _t143;
      				intOrPtr _t145;
      				intOrPtr _t146;
      				struct HWND__* _t148;
      				long _t159;
      				void* _t160;
      				int _t163;
      				void* _t164;
      				struct HWND__* _t165;
      				signed int _t167;
      				void* _t175;
      				void* _t176;
      				void* _t177;
      
      				_push(0xffffffff);
      				_push(E004884C8);
      				_push( *[fs:0x0]);
      				_t77 =  *0x4bb1dc; // 0x2927074f
      				_t78 = _t77 ^ _t167;
      				_v20 = _t78;
      				_push(_t78);
      				 *[fs:0x0] =  &_v16;
      				_t163 = _a8;
      				_t148 = _a4;
      				_t159 = _a16;
      				_v72 = _t148;
      				_v76 = _a12;
      				if(_t163 < 0x200 || _t163 > 0x20d) { // not in WM_MOUSEFIRST (0x200)..WM_MOUSELAST (0x20d)
      					if(_t163 != 0x101) { // 0x101 == WM_KEYUP, the only non-mouse message relayed to the tooltip
      						goto L12;
      					}
      					goto L5;
      				} else {
      					if(_t163 == 0x101) { // unreachable inside the mouse range; decompiler artifact of the shared path
      						L5:
      						GetCursorPos( &_v84);
      						MapWindowPoints(0, _v72,  &_v84, 1);
      						_t129 = _v84.y;
      						_t157 = _v84.x;
      						_t148 = _v72;
      						L6:
      						asm("xorps xmm0, xmm0");
      						_v116 = _v76;
      						_t145 =  *0x4bb0fc; // 0xffffffff
      						_v88 = _t145;
      						_t146 =  *0x4bb0f8; // 0xffffffff
      						_v124 = _t148;
      						_v120 = _t163;
      						_v112 = _t159;
      						asm("movq [ebp-0x68], xmm0");
      						_v100 = 0;
      						_v96 = _t146;
      						_t131 = L00425E10(_t146,  &_v92, _t148, _t157, _t129, 0x4bb0fc, 0x4bb0f8, 0x4bcb48, 0x4bca08);
      						_v8 = 0;
      						E0046A0B0(0x4bcb34, _t131);
      						_t156 = _v92;
      						_v8 = 0xffffffff;
      						if(_v92 != 0) {
      							E0046A700(_t156);
      						}
      						_t175 = _v96 -  *0x4bb0f8; // 0xffffffff
      						if(_t175 != 0) {
      							L10:
      							SendMessageW( *0x4bcb44, 0x41c, 0, 0); // 0x41c == TTM_POP: hide the tooltip window kept at 0x4bcb44
      							goto L11;
      						} else {
      							_t176 = _v88 -  *0x4bb0fc; // 0xffffffff
      							if(_t176 == 0) {
      								L11:
      								SendMessageW( *0x4bcb44, 0x407, 0,  &_v124); // 0x407 == TTM_RELAYEVENT: hand the message (MSG built in _v124) to the tooltip
      								_t148 = _v72;
      								L12:
      								_t177 = _t163 - 0x4e; // 0x4e == WM_NOTIFY
      								if(_t177 > 0) {
      									if(_t163 >= 0x114 && (_t163 <= 0x115 || _t163 == 0x20a)) { // WM_HSCROLL (0x114), WM_VSCROLL (0x115) or WM_MOUSEWHEEL (0x20a)
      										SendMessageW( *0x4bcb44, 0x41c, 0, 0); // TTM_POP: scrolling hides the tooltip
      									}
      									L27:
      									CallWindowProcW( *0x4bcb3c, _v72, _t163, _v76, _t159); // chain to the original window procedure saved at 0x4bcb3c: this is a subclass of the list view
      									L28:
      									 *[fs:0x0] = _v16;
      									_pop(_t160);
      									_pop(_t164);
      									_pop(_t143);
      									return E0046F77E(_t143, _v20 ^ _t167, _t157, _t160, _t164);
      								}
      								if(_t177 == 0) { // WM_NOTIFY: lParam (_t159) is an NMHDR, code at +8
      									_t84 =  *((intOrPtr*)(_t159 + 8));
      									if(_t84 == 0xfffffdee) { // -530 == TTN_GETDISPINFOW
      										 *((intOrPtr*)(_t159 + 0xc)) = E0046A170(0x4bcb34); // NMTTDISPINFOW.lpszText <- tooltip text
      										SendMessageW( *0x4bcb44, 0x418, 0, 0x3e8); // 0x418 == TTM_SETMAXTIPWIDTH, 1000 px (enables multi-line tips)
      										goto L28;
      									}
      									if(_t84 != 0xfffffdf7) { // -521 == TTN_SHOW
      										goto L27;
      									}
      									SetWindowPos( *0x4bcb44, 0,  *0x4bcb48,  *0x4bcb4c, 0, 0, 0x15); // 0x15 == SWP_NOSIZE|SWP_NOZORDER|SWP_NOACTIVATE: reposition the tip only
      									_t89 =  *0x4bd708; // 0x0
      									_t90 =  !=  ?  *0x4bd70c : _t89;
      									SendMessageW( *0x4bcb44, 0x30,  !=  ?  *0x4bd70c : _t89, 0); // 0x30 == WM_SETFONT
      									goto L28;
      								}
      								if(_t163 == 0x14) { // 0x14 == WM_ERASEBKGND
      									if(SendMessageW(_t148, 0x1004, 0, 0) == 0) { // 0x1004 == LVM_GETITEMCOUNT: empty list, let the original proc erase
      										goto L27;
      									}
      									_t165 = _v72;
      									GetClientRect(_t165,  &_v52);
      									_v68 = 0;
      									SendMessageW(_t165, 0x100e, SendMessageW(_t165, 0x1004, 0, 0) - 1,  &_v68); // 0x100e == LVM_GETITEMRECT of the last item, _v68 == LVIR_BOUNDS
      									_v36.left = _v60;
      									_v36.right = _v52.right;
      									_v36.top = _v52.top;
      									_v36.bottom = _v52.bottom;
      									FillRect(_v76,  &_v36, GetSysColorBrush(5)); // 5 == COLOR_WINDOW: paint only the area right of the last item
      									_v36.left = _v52.left;
      									_v36.right = _v52.right;
      									_v36.top = _v56;
      									_v36.bottom = _v52.bottom;
      									FillRect(_v76,  &_v36, GetSysColorBrush(5));
      									_t114 = SendMessageW(_v72, 0x1027, 0, 0); // 0x1027 == LVM_GETTOPINDEX
      									_v68 = 0;
      									SendMessageW(_v72, 0x100e, _t114,  &_v68);
      									_v36.right = _v52.right;
      									_v36.left = 0;
      									_v36.top = 0;
      									_v36.bottom = _v64;
      									FillRect(_v76,  &_v36, GetSysColorBrush(5));
      									goto L28;
      								}
      								if(_t163 != 0x20) { // 0x20 == WM_SETCURSOR
      									goto L27;
      								}
      								SetCursor(LoadCursorW(0, 0x7f00)); // 0x7f00 == IDC_ARROW
      								goto L28;
      							}
      							goto L10;
      						}
      					}
      					_t157 = _t159;
      					_t129 = _t159 >> 0x10;
      					_v84.x = _t159;
      					_v84.y = _t159 >> 0x10;
      					goto L6;
      				}
      			}

      Instruction addresses (one per pseudocode line above, in order; 0x00000000 where the line, a goto or brace, has no instruction of its own):
      0x004263b3, 0x004263b5, 0x004263c0, 0x004263c4, 0x004263c9, 0x004263cb, 0x004263d1, 0x004263d5,
      0x004263db, 0x004263de, 0x004263e4, 0x004263ed, 0x004263f0, 0x004263f9, 0x00426422, 0x00000000,
      0x00000000, 0x00000000, 0x00426403, 0x00426409, 0x00426428, 0x0042642c, 0x0042643d, 0x00426443,
      0x00426446, 0x00426449, 0x0042644c, 0x0042644f, 0x00426468, 0x0042646e, 0x00426475, 0x00426478,
      0x0042647f, 0x00426482, 0x00426485, 0x00426488, 0x0042648d, 0x00426494, 0x00426497, 0x004264a5,
      0x004264ac, 0x004264b1, 0x004264ba, 0x004264c3, 0x004264c5, 0x004264c5, 0x004264cd, 0x004264d3,
      0x004264e0, 0x004264ef, 0x00000000, 0x004264d5, 0x004264d8, 0x004264de, 0x004264f1, 0x00426502,
      0x00426504, 0x00426507, 0x00426507, 0x0042650a, 0x004266b8, 0x004266d9, 0x004266d9, 0x004266db,
      0x004266e9, 0x004266ef, 0x004266f2, 0x004266fa, 0x004266fb, 0x004266fc, 0x0042670a, 0x0042670a,
      0x00426510, 0x00426631, 0x00426639, 0x004266a9, 0x004266ac, 0x00000000, 0x004266ae, 0x00426640,
      0x00000000, 0x00000000, 0x00426660, 0x0042666d, 0x00426672, 0x00426684, 0x00000000, 0x00426686,
      0x00426519, 0x0042654e, 0x00000000, 0x00000000, 0x00426554, 0x0042655c, 0x00426565, 0x00426581,
      0x0042658c, 0x00426592, 0x00426598, 0x004265a0, 0x004265b3, 0x004265b8, 0x004265be, 0x004265c4,
      0x004265cc, 0x004265d9, 0x004265e7, 0x004265ec, 0x004265fd, 0x00426602, 0x0042660a, 0x00426611,
      0x00426618, 0x00426625, 0x00000000, 0x00426627, 0x0042651e, 0x00000000, 0x00000000, 0x00426532,
      0x00000000, 0x00426538, 0x00000000, 0x004264de, 0x004264d3, 0x0042640d, 0x00426413, 0x00426414,
      0x00426417, 0x00000000, 0x00426417

      APIs
      • GetCursorPos.USER32(?), ref: 0042642C
      • MapWindowPoints.USER32 ref: 0042643D
      • SendMessageW.USER32(0000041C,00000000,00000000,00000000), ref: 004264EF
      • SendMessageW.USER32(00000407,00000000,?), ref: 00426502
      • LoadCursorW.USER32(00000000,00007F00), ref: 0042652B
      • SetCursor.USER32(00000000), ref: 00426532
      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0042654A
      • GetClientRect.USER32 ref: 0042655C
      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00426577
      • SendMessageW.USER32(?,0000100E,-00000001), ref: 00426581
      • GetSysColorBrush.USER32(00000005), ref: 004265A3
      • FillRect.USER32 ref: 004265B3
      • GetSysColorBrush.USER32(00000005), ref: 004265CF
      • FillRect.USER32 ref: 004265D9
      • SendMessageW.USER32(?,00001027,00000000,00000000), ref: 004265E7
      • SendMessageW.USER32(?,0000100E,00000000,00000000), ref: 004265FD
      • GetSysColorBrush.USER32(00000005), ref: 0042661B
      • FillRect.USER32 ref: 00426625
      • SetWindowPos.USER32(00000000,00000000,00000000,00000015,2927074F), ref: 00426660
      • SendMessageW.USER32(00000030,00000000,00000000), ref: 00426684
      • SendMessageW.USER32(00000418,00000000,000003E8,2927074F), ref: 004266AC
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$Rect$BrushColorCursorFill$Window$ClientLoadPoints
      • String ID:
      • API String ID: 3779856903-0
      • Opcode ID: ee3ad0461b264e9dbd1f5170c8cc4f855860d4d1fe5c758768cdd5d10f356cca
      • Instruction ID: e7e6146fb912a3dd3ded07db6e25fdda9a8d4be056bb865d6dc52989cf8fbb73
      • Opcode Fuzzy Hash: ee3ad0461b264e9dbd1f5170c8cc4f855860d4d1fe5c758768cdd5d10f356cca
      • Instruction Fuzzy Hash: EFA14C71E44218AFDB10DF98DC85FEEBBB5EB08700F11452AFA14B7290D7B5A9418F68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 48%
      			E0040CBC0(signed int __edx, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed int _a12, long _a16) {
      				long _v8;
      				char _v16;
      				intOrPtr _v20;
      				signed int _v24;
      				signed int _v28;
      				short _v148;
      				struct HWND__* _v168;
      				struct _FILETIME _v188;
      				char _v192;
      				long* _v196;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t40;
      				signed int _t42;
      				void* _t46;
      				void* _t59;
      				void* _t62;
      				char* _t67;
      				void* _t80;
      				intOrPtr _t81;
      				struct HWND__* _t105;
      				void* _t106;
      				signed int _t107;
      				struct HWND__* _t109;
      				long _t123;
      				void* _t124;
      				void* _t130;
      				signed int _t134;
      				signed int _t136;
      				signed int _t138;
      
      				_t119 = __edx;
      				_push(0xffffffff);
      				_push(E004860AB);
      				_push( *[fs:0x0]);
      				_t138 = (_t136 & 0xfffffff8) - 0xb8;
      				_t40 =  *0x4bb1dc; // 0x2927074f
      				_v24 = _t40 ^ _t138;
      				_t42 =  *0x4bb1dc; // 0x2927074f
      				_push(_t42 ^ _t138);
      				 *[fs:0x0] =  &_v16;
      				_t105 = _a4;
      				_t123 = _a16;
      				_v168 = _t105;
      				_t46 = _a8 - 0x110; // 0x110 == WM_INITDIALOG
      				if(_t46 == 0) {
      					SetWindowLongW(_t105, 0xffffffec, GetWindowLongW(_t105, 0xffffffec) & 0xfffbffff); // GWL_EXSTYLE (-20) &= ~WS_EX_APPWINDOW (0x40000): keep the dialog off the taskbar
      					SetWindowLongW(_t105, 8, _t123); // DWLP_USER (8) <- lParam, the caller's progress structure used by the handlers below
      					 *(_t123 + 0x14) = _t105;
      					SetWindowTextW(_t105, E0046A170(_t123 + 0xc));
      					SendMessageW(GetDlgItem(_t105, 0x445), 0x406, 0,  *_t123); // 0x406 == PBM_SETRANGE32 on the progress bar (control 0x445): 0..total
      					L00431F60(_t119, _t105,  *((intOrPtr*)(_t123 + 0x18)),  *((intOrPtr*)(_t123 + 0x1c)));
      					_t138 = _t138 + 0xc;
      					SetTimer(_t105, 1, 0x1f4, 0); // timer 1 every 0x1f4 == 500 ms drives the WM_TIMER update below
      					L13:
      					 *[fs:0x0] = _v20;
      					_pop(_t124);
      					_pop(_t130);
      					_pop(_t106);
      					return E0046F77E(_t106, _v28 ^ _t138, _t119, _t124, _t130);
      				}
      				_t59 = _t46 - 1; // 0x111 == WM_COMMAND
      				if(_t59 == 0) {
      					_t62 = (_a12 & 0x0000ffff) - 1; // LOWORD(wParam): 1 == IDOK
      					if(_t62 == 0) {
      						L10:
      						EndDialog(_t105, 0);
      						L11:
      						goto L13;
      					}
      					if(_t62 != 1) { // 2 == IDCANCEL
      						goto L11;
      					}
      					_t67 =  *((intOrPtr*)(GetWindowLongW(_t105, 8) + 0x10)); // cancel flag pointer at +0x10 of the DWLP_USER structure
      					if(_t67 != 0) {
      						 *_t67 = 1; // tell the worker to stop, then close the dialog
      					}
      					goto L10;
      				}
      				if(_t59 != 2) { // 0x113 == WM_TIMER
      					goto L11;
      				}
      				_t107 = GetWindowLongW(_t105, 8);
      				_v196 = _t107;
      				if( *((intOrPtr*)(_t107 + 4)) == 0) {
      					goto L11;
      				}
      				asm("movd xmm0, esi");
      				asm("cvtdq2pd xmm0, xmm0");
      				asm("addsd xmm0, [eax*8+0x496300]");
      				asm("movsd [esp+0x34], xmm0");
      				GetTickCount();
      				asm("movd xmm1, eax");
      				asm("cvtdq2pd xmm1, xmm1");
      				asm("addsd xmm1, [eax*8+0x496300]");
      				asm("movd xmm0, eax");
      				asm("cvtdq2pd xmm0, xmm0");
      				asm("addsd xmm0, [eax*8+0x496300]");
      				asm("mulsd xmm1, xmm0");
      				asm("movsd xmm0, [esp+0x34]");
      				asm("divsd xmm1, xmm0");
      				asm("divsd xmm1, [0x4962f0]");
      				asm("movsd [esp+0x24], xmm1");
      				asm("movd xmm1, edi");
      				asm("cvtdq2pd xmm1, xmm1");
      				asm("addsd xmm1, [edi*8+0x496300]");
      				asm("divsd xmm0, xmm1");
      				asm("movsd [esp+0x3c], xmm1");
      				E00471270(__fp0);
      				asm("movsd xmm2, [0x4962e0]");
      				asm("subsd xmm2, xmm0");
      				asm("movsd xmm0, [esp+0x34]");
      				asm("mulsd xmm0, [0x4962e8]");
      				asm("addsd xmm2, [0x4962e0]");
      				asm("divsd xmm0, [esp+0x40]");
      				asm("mulsd xmm2, [esp+0x28]");
      				asm("cvttsd2si edi, xmm0");
      				asm("movsd [esp+0x28], xmm2");
      				asm("cvttsd2si ebx, xmm2");
      				GetSystemTimeAsFileTime( &_v188);
      				asm("movsd xmm0, [esp+0x24]");
      				asm("mulsd xmm0, [0x4962f8]");
      				_t80 = E00471090( &_v188);
      				_t116 = _v188.dwLowDateTime + _t80;
      				_t81 = _v188.dwHighDateTime;
      				_v188.dwLowDateTime = _v188.dwLowDateTime + _t80;
      				asm("adc eax, edx");
      				_push(_t81);
      				_v188.dwHighDateTime = _t81;
      				L00433FE0(_v188.dwLowDateTime + _t80,  &_v192, _t116);
      				_v8 = 0;
      				_t119 = (0x88888889 * _t107 >> 0x20) + _t107 >> 5; // compiler-strength-reduced division by 60 (magic 0x88888889, shift 5): remaining seconds -> minutes
      				_t134 = ((0x88888889 * _t107 >> 0x20) + _t107 >> 5 >> 0x1f) + ((0x88888889 * _t107 >> 0x20) + _t107 >> 5); // signed-division adjustment of the same quotient
      				_push(E0046A170( &_v192)); // %s: the formatted estimated finish time
      				_push(_t107 - ((_t134 << 4) - _t134 << 2)); // %02d: seconds % 60, since ((m << 4) - m) << 2 == m * 60
      				_push(_t134); // %d: minutes
      				E0040C850( &_v148, L"%d%% - %d:%02d remaining (%s)",  *_t107 >> 0x1f); // %d%%: percent complete
      				_t109 = _v168;
      				_t138 = _t138 + 0x24;
      				SetDlgItemTextW(_t109, 0x447,  &_v148);
      				SendMessageW(GetDlgItem(_t109, 0x445), 0x406, 0,  *_v196); // PBM_SETRANGE32: 0..total
      				SendMessageW(GetDlgItem(_t109, 0x445), 0x402, _v196[1], 0); // 0x402 == PBM_SETPOS: current position
      				UpdateWindow(_t109);
      				_t118 = _v192;
      				_v8 = 0xffffffff;
      				if(_v192 == 0) {
      					goto L11;
      				}
      				E0046A700(_t118);
      				goto L13;
      			}

      Instruction addresses (one per pseudocode line above, in order; 0x00000000 where the line, a goto or brace, has no instruction of its own):
      0x0040cbc0, 0x0040cbc6, 0x0040cbc8, 0x0040cbd3, 0x0040cbd4, 0x0040cbda, 0x0040cbe1, 0x0040cbeb,
      0x0040cbf2, 0x0040cbfa, 0x0040cc03, 0x0040cc06, 0x0040cc09, 0x0040cc0d, 0x0040cc12, 0x0040ce58,
      0x0040ce5e, 0x0040ce63, 0x0040ce6d, 0x0040ce89, 0x0040ce96, 0x0040ce9b, 0x0040cea8, 0x0040ceb3,
      0x0040ceba, 0x0040cec2, 0x0040cec3, 0x0040cec4, 0x0040ced6, 0x0040ced6, 0x0040cc18, 0x0040cc19,
      0x0040ce1a, 0x0040ce1b, 0x0040ce33, 0x0040ce36, 0x0040ce3c, 0x00000000, 0x0040ce3c, 0x0040ce1e,
      0x00000000, 0x00000000, 0x0040ce29, 0x0040ce2e, 0x0040ce30, 0x0040ce30, 0x00000000, 0x0040ce2e,
      0x0040cc22, 0x00000000, 0x00000000, 0x0040cc31, 0x0040cc33, 0x0040cc3b, 0x00000000, 0x00000000,
      0x0040cc4b, 0x0040cc4f, 0x0040cc53, 0x0040cc5c, 0x0040cc62, 0x0040cc6b, 0x0040cc6f, 0x0040cc76,
      0x0040cc83, 0x0040cc87, 0x0040cc8e, 0x0040cc97, 0x0040cc9b, 0x0040cca1, 0x0040cca5, 0x0040ccad,
      0x0040ccb3, 0x0040ccb7, 0x0040ccbe, 0x0040ccc7, 0x0040cccb, 0x0040ccd1, 0x0040ccd6, 0x0040cce2,
      0x0040cce6, 0x0040ccec, 0x0040ccf5, 0x0040ccfd, 0x0040cd03, 0x0040cd09, 0x0040cd0d, 0x0040cd13,
      0x0040cd17, 0x0040cd1d, 0x0040cd23, 0x0040cd2b, 0x0040cd34, 0x0040cd36, 0x0040cd3a, 0x0040cd3e,
      0x0040cd40, 0x0040cd41, 0x0040cd4b, 0x0040cd58, 0x0040cd6b, 0x0040cd73, 0x0040cd7a, 0x0040cd87,
      0x0040cd88, 0x0040cd94, 0x0040cd99, 0x0040cda1, 0x0040cdab, 0x0040cdd3, 0x0040cdec, 0x0040cdef,
      0x0040cdf5, 0x0040cdf9, 0x0040ce06, 0x00000000, 0x00000000, 0x0040ce08, 0x00000000

      APIs
      • GetWindowLongW.USER32(?,00000008), ref: 0040CC2B
      • GetTickCount.KERNEL32 ref: 0040CC62
      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040CD17
        • Part of subcall function 0040C850: vswprintf.LIBCMT ref: 0040C85F
      • SetDlgItemTextW.USER32 ref: 0040CDAB
      • GetDlgItem.USER32 ref: 0040CDCA
      • SendMessageW.USER32(00000000), ref: 0040CDD3
      • GetDlgItem.USER32 ref: 0040CDE9
      • SendMessageW.USER32(00000000), ref: 0040CDEC
      • UpdateWindow.USER32(?), ref: 0040CDEF
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • GetWindowLongW.USER32(?,00000008), ref: 0040CE23
      • EndDialog.USER32(?,00000000), ref: 0040CE36
      • GetWindowLongW.USER32(?,000000EC), ref: 0040CE43
      • SetWindowLongW.USER32 ref: 0040CE58
      • SetWindowLongW.USER32 ref: 0040CE5E
      • SetWindowTextW.USER32(?,00000000), ref: 0040CE6D
      • GetDlgItem.USER32 ref: 0040CE82
      • SendMessageW.USER32(00000000), ref: 0040CE89
      • SetTimer.USER32(?,00000001,000001F4,00000000), ref: 0040CEA8
      Strings
      • %d%% - %d:%02d remaining (%s), xrefs: 0040CD8A
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$Long$Item$MessageSend$TextTime$CountDecrementDialogFileInterlockedSystemTickTimerUpdatevswprintf
      • String ID: %d%% - %d:%02d remaining (%s)
      • API String ID: 3686750363-2490123265
      • Opcode ID: e669dff7b30d2b6cc68925d49b0579802e615791616cdb63f50f5f14e351f00e
      • Instruction ID: 246817f8e7ba22f1d9740caddc8f0c49861e077566965abe0e065a42920d488b
      • Opcode Fuzzy Hash: e669dff7b30d2b6cc68925d49b0579802e615791616cdb63f50f5f14e351f00e
      • Instruction Fuzzy Hash: E781C271504B05AFC711DF34DC85B1BB7A8EF88390F008B3AF506A62A2EB74D445CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 50%
      			E004028D0(void* __edi, void* __esi, signed int _a4, intOrPtr* _a8) {
      				signed int _v8;
      				char _v28;
      				char _v88;
      				char _v148;
      				signed char _v149;
      				intOrPtr _v160;
      				char _v168;
      				signed int _v172;
      				void* __ebx;
      				signed int _t60;
      				intOrPtr _t65;
      				intOrPtr _t68;
      				signed int _t73;
      				void* _t76;
      				signed int _t79;
      				void* _t81;
      				intOrPtr* _t94;
      				void* _t95;
      				void* _t96;
      				void* _t106;
      				intOrPtr _t109;
      				intOrPtr _t110;
      				signed int _t111;
      				void* _t112;
      				void* _t118;
      				void* _t120;
      				signed int _t125;
      				void* _t126;
      
      				_t122 = _t125;
      				_t126 = _t125 - 0xa8;
      				_t60 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t60 ^ _t125;
      				_v149 = 0;
      				_t94 = _a8;
      				_v28 = 0;
      				_v148 = 0;
      				_v88 = 0;
      				if(_t94 == 0) {
      					_pop(_t96);
      					return E0046F77E(_t96, _v8 ^ _t122, _t106, __edi, __esi);
      				}
      				__imp__#2(L"format", __edi, __esi); // OLEAUT32 ordinal 2 == SysAllocString: BSTR of the qualifier name
      				__imp__#8( &_v168); // ordinal 8 == VariantInit
      				_t65 =  *((intOrPtr*)( *_t94 + 0xc))(_t94, 0, 0,  &_v168, 0); // vtable slot 3 with (name, 0, &VARIANT, &flavor): consistent with IWbemQualifierSet::Get; the names used here (format, StringTermination, pointer, extension) are MOF event-trace property qualifiers
      				__imp__#6(0); // ordinal 6 == SysFreeString
      				if(_t65 == 0) {
      					_t65 = _v160;
      					if(_t65 != 0) {
      						_t65 = E0046EF0C( &_v28, 0xa, _t65);
      						_t126 = _t126 + 0xc;
      					}
      				}
      				__imp__#2(L"StringTermination");
      				_t109 = _t65;
      				__imp__#9( &_v168);
      				_t68 =  *((intOrPtr*)( *_t94 + 0xc))(_t94, _t109, 0,  &_v168, 0);
      				__imp__#6(_t109);
      				if(_t68 == 0) {
      					_t68 = _v160;
      					if(_t68 != 0) {
      						_t68 = E0046EF0C( &_v148, 0x1e, _t68);
      						_t126 = _t126 + 0xc;
      					}
      				}
      				__imp__#2(L"pointer");
      				_t110 = _t68;
      				__imp__#9( &_v168);
      				 *((intOrPtr*)( *_t94 + 0xc))(_t94, _t110, 0,  &_v168, 0);
      				__imp__#6(_t110);
      				_t73 =  ==  ? 1 : _v149 & 0x000000ff;
      				_v172 = _t73;
      				__imp__#2(L"extension");
      				_t111 = _t73;
      				__imp__#9( &_v168);
      				_t76 =  *((intOrPtr*)( *_t94 + 0xc))(_t94, _t111, 0,  &_v168, 0);
      				__imp__#6(_t111);
      				if(_t76 == 0) {
      					_t86 = _v160;
      					if(_v160 != 0) {
      						E0046EF0C( &_v88, 0x1e, _t86);
      						_t126 = _t126 + 0xc;
      					}
      				}
      				__imp__#9( &_v168);
      				_t79 = _a4 & 0xffffdfff; // _a4 is a CIMTYPE; clears CIM_FLAG_ARRAY (0x2000)
      				if(_t79 > 0x67) { // 0x67 == CIM_CHAR16 (103), the highest CIM type; anything above takes the default (0x1d) at L50
      					L50:
      					_t118 = 0x1d;
      					L51:
      					_t119 =  !=  ? 0x18 : _t118;
      					_pop(_t112);
      					_t81 =  !=  ? 0x18 : _t118;
      					_pop(_t120);
      					_pop(_t95);
      					return E0046F77E(_t95, _v8 ^ _t122, _t106, _t112, _t120);
      				}
      				switch( *((intOrPtr*)(( *(_t79 + 0x402d44) & 0x000000ff) * 4 +  &M00402D04))) {
      					case 0:
      						goto L50;
      					case 1:
      						__esi = 4;
      						goto L51;
      					case 2:
      						L19:
      						__esi = 6;
      						goto L51;
      					case 3:
      						__esi = 0xb;
      						goto L51;
      					case 4:
      						__esi = 0xc;
      						goto L51;
      					case 5:
      						__eax =  &_v148;
      						if(E0046F283(__ebx, __edi, __esi,  &_v148, L"NullTerminated") != 0) {
      							__eax =  &_v148;
      							if(E0046F283(__ebx, __edi, __esi,  &_v148, L"Counted") != 0) {
      								__eax =  &_v148;
      								if(E0046F283(__ebx, __edi, __esi,  &_v148, L"ReverseCounted") != 0) {
      									__eax =  &_v148;
      									__eax = E0046F283(__ebx, __edi, __esi,  &_v148, L"NotCounted");
      									__eax =  ~__eax;
      									asm("sbb esi, esi");
      									__esi =  ~__eax & 0xfffffff6;
      									__esi = ( ~__eax & 0xfffffff6) + 0x17;
      								} else {
      									__eax =  &_v28;
      									__eax = E0046F283(__ebx, __edi, __esi,  &_v28, "w");
      									__eax =  ~__eax;
      									asm("sbb esi, esi");
      									__esi =  ~__eax + 0x12;
      								}
      							} else {
      								__eax =  &_v28;
      								__eax = E0046F283(__ebx, __edi, __esi,  &_v28, "w");
      								__eax =  ~__eax;
      								asm("sbb esi, esi");
      								__esi =  ~__eax + 0x10;
      							}
      						} else {
      							__eax =  &_v28;
      							__eax = E0046F283(__ebx, __edi, __esi,  &_v28, "w");
      							__eax =  ~__eax;
      							asm("sbb esi, esi");
      							__esi =  ~__eax + 0xe;
      						}
      						goto L51;
      					case 6:
      						__esi = 0x1a;
      						goto L51;
      					case 7:
      						__eax =  &_v88;
      						__eax = E0046F283(__ebx, __edi, __esi,  &_v88, L"Port");
      						if(__eax != 0) {
      							__eax =  &_v88;
      							if(E0046F283(__ebx, __edi, __esi,  &_v88, L"IPAddr") == 0) {
      								L46:
      								__esi = 0x14;
      								goto L51;
      							}
      							__eax =  &_v88;
      							__eax = E0046F283(__ebx, __edi, __esi,  &_v88, L"Sid");
      							if(__eax != 0) {
      								__eax =  &_v88;
      								__eax = E0046F283(__ebx, __edi, __esi,  &_v88, L"Guid");
      								if(__eax != 0) {
      									__eax =  &_v88;
      									if(E0046F283(__ebx, __edi, __esi,  &_v88, L"SizeT") == 0) {
      										goto L19;
      									}
      									__eax =  &_v88;
      									__eax = E0046F283(__ebx, __edi, __esi,  &_v88, L"IPAddrV6");
      									if(__eax != 0) {
      										__eax =  &_v88;
      										if(E0046F283(__ebx, __edi, __esi,  &_v88, L"IPAddrV4") != 0) {
      											__eax =  &_v88;
      											__eax = E0046F283(__ebx, __edi, __esi,  &_v88, L"WmiTime");
      											if(__eax != 0) {
      												__esi = _v172;
      											} else {
      												__esi = __eax + 0x1c;
      											}
      											goto L51;
      										}
      										goto L46;
      									}
      									__esi = __eax + 0x1b;
      									goto L51;
      								}
      								__esi = __eax + 0x19;
      								goto L51;
      							}
      							__esi = __eax + 0x13;
      							goto L51;
      						}
      						_t45 = __eax + 0x15; // 0x15
      						__esi = _t45;
      						goto L51;
      					case 8:
      						_t118 = 3;
      						if(E0046F283(_t94, _t111, 3,  &_v28, "c") == 0) {
      							_t118 = 0;
      						}
      						goto L51;
      					case 9:
      						__esi = 2;
      						goto L51;
      					case 0xa:
      						__esi = 5;
      						goto L51;
      					case 0xb:
      						__eax =  &_v28;
      						__esi = 7;
      						__eax = E0046F283(__ebx, __edi, 7,  &_v28, "x");
      						if(__eax == 0) {
      							_t36 = __eax + 8; // 0x8
      							__esi = _t36;
      						}
      						goto L51;
      					case 0xc:
      						__esi = 9;
      						goto L51;
      					case 0xd:
      						__esi = 0xa;
      						goto L51;
      					case 0xe:
      						__esi = 1;
      						goto L51;
      				}
      			}

      0x004028d1
      0x004028d3
      0x004028d9
      0x004028e0
      0x004028e5
      0x004028ed
      0x004028f0
      0x004028f4
      0x004028fb
      0x00402901
      0x00402906
      0x00000000
      0x00402913
      0x0040291c
      0x0040292b
      0x00402940
      0x00402946
      0x0040294e
      0x00402950
      0x00402958
      0x00402961
      0x00402966
      0x00402966
      0x00402958
      0x0040296e
      0x00402974
      0x0040297d
      0x00402992
      0x00402998
      0x004029a0
      0x004029a2
      0x004029aa
      0x004029b6
      0x004029bb
      0x004029bb
      0x004029aa
      0x004029c3
      0x004029c9
      0x004029d2
      0x004029e7
      0x004029ed
      0x00402a06
      0x00402a09
      0x00402a0f
      0x00402a15
      0x00402a1e
      0x00402a33
      0x00402a39
      0x00402a41
      0x00402a43
      0x00402a4b
      0x00402a54
      0x00402a59
      0x00402a59
      0x00402a4b
      0x00402a63
      0x00402a6c
      0x00402a74
      0x00402cdb
      0x00402cdb
      0x00402ce0
      0x00402cef
      0x00402cf4
      0x00402cf5
      0x00402cf7
      0x00402cf8
      0x00000000
      0x00402d00
      0x00402a81
      0x00000000
      0x00000000
      0x00000000
      0x00402ab7
      0x00000000
      0x00000000
      0x00402acb
      0x00402acb
      0x00000000
      0x00000000
      0x00402b0f
      0x00000000
      0x00000000
      0x00402b19
      0x00000000
      0x00000000
      0x00402b2d
      0x00402b43
      0x00402b64
      0x00402b7a
      0x00402b9b
      0x00402bb1
      0x00402bd2
      0x00402bde
      0x00402be8
      0x00402bea
      0x00402bec
      0x00402bef
      0x00402bb3
      0x00402bb3
      0x00402bbc
      0x00402bc6
      0x00402bc8
      0x00402bca
      0x00402bca
      0x00402b7c
      0x00402b7c
      0x00402b85
      0x00402b8f
      0x00402b91
      0x00402b93
      0x00402b93
      0x00402b45
      0x00402b45
      0x00402b4e
      0x00402b58
      0x00402b5a
      0x00402b5c
      0x00402b5c
      0x00000000
      0x00000000
      0x00402b23
      0x00000000
      0x00000000
      0x00402c01
      0x00402c0a
      0x00402c14
      0x00402c1e
      0x00402c31
      0x00402cb2
      0x00402cb2
      0x00000000
      0x00402cb2
      0x00402c33
      0x00402c3c
      0x00402c46
      0x00402c50
      0x00402c59
      0x00402c63
      0x00402c6a
      0x00402c7d
      0x00000000
      0x00000000
      0x00402c83
      0x00402c8c
      0x00402c96
      0x00402c9d
      0x00402cb0
      0x00402cb9
      0x00402cc2
      0x00402ccc
      0x00402cd3
      0x00402cce
      0x00402cce
      0x00402cce
      0x00000000
      0x00402ccc
      0x00000000
      0x00402cb0
      0x00402c98
      0x00000000
      0x00402c98
      0x00402c65
      0x00000000
      0x00402c65
      0x00402c48
      0x00000000
      0x00402c48
      0x00402c16
      0x00402c16
      0x00000000
      0x00000000
      0x00402a8b
      0x00402aa0
      0x00402aa6
      0x00402aa6
      0x00000000
      0x00000000
      0x00402aad
      0x00000000
      0x00000000
      0x00402ac1
      0x00000000
      0x00000000
      0x00402ad5
      0x00402ad8
      0x00402ae3
      0x00402aed
      0x00402af3
      0x00402af3
      0x00402af3
      0x00000000
      0x00000000
      0x00402afb
      0x00000000
      0x00000000
      0x00402b05
      0x00000000
      0x00000000
      0x00402bf7
      0x00000000
      0x00000000

      APIs
      • SysAllocString.OLEAUT32(format), ref: 0040291C
      • VariantInit.OLEAUT32(?), ref: 0040292B
      • SysFreeString.OLEAUT32(00000000), ref: 00402946
      • SysAllocString.OLEAUT32(StringTermination), ref: 0040296E
      • VariantClear.OLEAUT32(?), ref: 0040297D
      • SysFreeString.OLEAUT32(00000000), ref: 00402998
      • SysAllocString.OLEAUT32(pointer), ref: 004029C3
      • VariantClear.OLEAUT32(?), ref: 004029D2
      • SysFreeString.OLEAUT32(00000000), ref: 004029ED
      • SysAllocString.OLEAUT32(extension), ref: 00402A0F
      • VariantClear.OLEAUT32(?), ref: 00402A1E
      • SysFreeString.OLEAUT32(00000000), ref: 00402A39
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: String$AllocFreeVariant$Clear$Init
      • String ID: NullTerminated$Port$StringTermination$extension$format$pointer
      • API String ID: 3890998398-1407832888
      • Opcode ID: 234354bb8c9a93b1dbbd565b665c26ff084c638d70f829d997f937affc795e9b
      • Instruction ID: 4e56999e981be7022a54b68adcc758d8f9152722b5096254d14c7c4437e85264
      • Opcode Fuzzy Hash: 234354bb8c9a93b1dbbd565b665c26ff084c638d70f829d997f937affc795e9b
      • Instruction Fuzzy Hash: E271B572E00218ABDF209B60CD49B9F77A8AF04740F1504B7FD05F72C1E6B89D488B9A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E00438C20(void* __eflags, intOrPtr _a4, signed short* _a8, signed short* _a12) {
      				signed short* _t26;
      				void* _t34;
      				signed short* _t41;
      				signed short* _t42;
      				signed int _t43;
      				void* _t44;
      				void* _t45;
      				signed short* _t46;
      				char* _t47;
      				intOrPtr _t49;
      				void* _t50;
      				void* _t51;
      				void* _t52;
      				void* _t53;
      
      				_t49 = _a4;
      				E00472329(_t44, 0x3c, _t49);
      				_t41 = _a8;
      				_t51 = _t50 + 8;
      				_t46 = _t41;
      				_t24 =  *_t41 & 0x0000ffff;
      				if(( *_t41 & 0x0000ffff) != 0) {
      					do {
      						E00472329(_t44, _t24, _t49);
      						_t3 =  &(_t46[1]); // 0x497d8868
      						_t24 =  *_t3 & 0x0000ffff;
      						_t4 =  &(_t46[1]); // 0x497d8868
      						_t46 = _t4;
      						_t51 = _t51 + 8;
      					} while (( *_t3 & 0x0000ffff) != 0);
      				}
      				E00472329(_t44, 0x3e, _t49);
      				_t26 = _a12;
      				_t52 = _t51 + 8;
      				_t43 =  *_t26 & 0x0000ffff;
      				if(_t43 != 0) {
      					_t45 = 0xd7ff;
      					_t47 = 0xe000;
      					_t42 = _t26;
      					do {
      						_t34 = (_t43 & 0x0000ffff) + 0xfffffff7;
      						if(_t34 > 0x35) {
      							L21:
      							if(_t43 < 0x20 || _t43 > _t45 && _t43 < _t47 || _t43 > 0xfffd) {
      								_push(_t49);
      								_push(0x5f);
      							} else {
      								goto L25;
      							}
      							goto L27;
      						} else {
      							_t6 = _t34 + 0x438e1c; // 0xbfea75c0
      							switch( *((intOrPtr*)(( *_t6 & 0x000000ff) * 4 +  &M00438E00))) {
      								case 0:
      									L25:
      									_push(_t49);
      									_push(_t43);
      									L27:
      									E00472329(_t45);
      									_t52 = _t52 + 8;
      									goto L28;
      								case 1:
      									__edi = L"&quot;";
      									__eax = 0x26;
      									do {
      										__eax = __edi[2] & 0x0000ffff;
      										__edi =  &(__edi[2]);
      									} while (__ax != 0);
      									__edi = 0xe000;
      									goto L28;
      								case 2:
      									__edi = L"&amp;";
      									__eax = 0x26;
      									do {
      										__eax = __edi[2] & 0x0000ffff;
      										__edi =  &(__edi[2]);
      									} while (__ax != 0);
      									__edi = 0xe000;
      									goto L28;
      								case 3:
      									__edi = L"&apos;";
      									__eax = 0x26;
      									do {
      										__eax = __edi[2] & 0x0000ffff;
      										__edi =  &(__edi[2]);
      									} while (__ax != 0);
      									__edi = 0xe000;
      									goto L28;
      								case 4:
      									_t48 = L"&lt;";
      									_t38 = 0x26;
      									do {
      										E00472329(_t45, _t38, _t49);
      										_t38 = _t48[2] & 0x0000ffff;
      										_t48 =  &(_t48[2]);
      										_t52 = _t52 + 8;
      									} while (_t38 != 0);
      									_t47 = 0xe000;
      									goto L28;
      								case 5:
      									__edi = L"&gt;";
      									__eax = 0x26;
      									do {
      										__eax = __edi[2] & 0x0000ffff;
      										__edi =  &(__edi[2]);
      									} while (__ax != 0);
      									__edi = 0xe000;
      									goto L28;
      								case 6:
      									goto L21;
      							}
      						}
      						L28:
      						_t43 = _t42[1] & 0x0000ffff;
      						_t42 =  &(_t42[1]);
      						_t45 = 0xd7ff;
      					} while (_t43 != 0);
      					_t41 = _a8;
      				}
      				E00472329(_t44, 0x3c, _t49);
      				E00472329(_t44, 0x2f, _t49);
      				_t29 =  *_t41 & 0x0000ffff;
      				_t53 = _t52 + 0x10;
      				if(( *_t41 & 0x0000ffff) != 0) {
      					do {
      						E00472329(_t44, _t29, _t49);
      						_t21 =  &(_t41[1]); // 0x497d8868
      						_t29 =  *_t21 & 0x0000ffff;
      						_t22 =  &(_t41[1]); // 0x497d8868
      						_t41 = _t22;
      						_t53 = _t53 + 8;
      					} while (( *_t21 & 0x0000ffff) != 0);
      				}
      				E00472329(_t44, 0x3e, _t49);
      				return E00472329(_t44, 0xa, _t49);
      			}

      0x00438c25
      0x00438c2c
      0x00438c31
      0x00438c34
      0x00438c37
      0x00438c39
      0x00438c3f
      0x00438c41
      0x00438c43
      0x00438c48
      0x00438c48
      0x00438c4c
      0x00438c4c
      0x00438c4f
      0x00438c52
      0x00438c41
      0x00438c5a
      0x00438c5f
      0x00438c62
      0x00438c65
      0x00438c6b
      0x00438c71
      0x00438c76
      0x00438c7b
      0x00438c80
      0x00438c83
      0x00438c89
      0x00438d6d
      0x00438d71
      0x00438d8b
      0x00438d8c
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00438c8f
      0x00438c8f
      0x00438c96
      0x00000000
      0x00438d87
      0x00438d87
      0x00438d88
      0x00438d8e
      0x00438d8e
      0x00438d93
      0x00000000
      0x00000000
      0x00438d44
      0x00438d49
      0x00438d50
      0x00438d57
      0x00438d5b
      0x00438d61
      0x00438d66
      0x00000000
      0x00000000
      0x00438cf1
      0x00438cf6
      0x00438d00
      0x00438d07
      0x00438d0b
      0x00438d11
      0x00438d16
      0x00000000
      0x00000000
      0x00438d1d
      0x00438d22
      0x00438d27
      0x00438d2e
      0x00438d32
      0x00438d38
      0x00438d3d
      0x00000000
      0x00000000
      0x00438c9d
      0x00438ca2
      0x00438ca7
      0x00438ca9
      0x00438cae
      0x00438cb2
      0x00438cb5
      0x00438cb8
      0x00438cbd
      0x00000000
      0x00000000
      0x00438cc7
      0x00438ccc
      0x00438cd1
      0x00438cd8
      0x00438cdc
      0x00438ce2
      0x00438ce7
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00438c96
      0x00438d96
      0x00438d96
      0x00438d9a
      0x00438d9d
      0x00438da2
      0x00438dab
      0x00438dab
      0x00438db1
      0x00438db9
      0x00438dbe
      0x00438dc1
      0x00438dc7
      0x00438dd0
      0x00438dd2
      0x00438dd7
      0x00438dd7
      0x00438ddb
      0x00438ddb
      0x00438dde
      0x00438de1
      0x00438dd0
      0x00438de9
      0x00438dfd

      APIs
      • __fputwc_nolock.LIBCMT ref: 00438C2C
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 0047234A
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 0047235B
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 00472367
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 00472372
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 00472398
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723A4
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723B0
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 004723BB
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723E1
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723ED
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723F9
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 00472404
        • Part of subcall function 00472329: __cftof.LIBCMT ref: 0047242D
      • __fputwc_nolock.LIBCMT ref: 00438C43
      • __fputwc_nolock.LIBCMT ref: 00438C5A
      • __fputwc_nolock.LIBCMT ref: 00438CA9
      • __fputwc_nolock.LIBCMT ref: 00438CD3
      • __fputwc_nolock.LIBCMT ref: 00438D02
        • Part of subcall function 00472329: __flsbuf.LIBCMT ref: 00472465
      • __fputwc_nolock.LIBCMT ref: 00438D29
        • Part of subcall function 00472329: __flswbuf.LIBCMT ref: 00472497
      • __fputwc_nolock.LIBCMT ref: 00438D52
      • __fputwc_nolock.LIBCMT ref: 00438D8E
      • __fputwc_nolock.LIBCMT ref: 00438DB1
      • __fputwc_nolock.LIBCMT ref: 00438DB9
      • __fputwc_nolock.LIBCMT ref: 00438DD2
      • __fputwc_nolock.LIBCMT ref: 00438DE9
      • __fputwc_nolock.LIBCMT ref: 00438DF1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: __fputwc_nolock$CreateHeap$__cftof__flsbuf__flswbuf
      • String ID: &amp;$&apos;$&gt;$&lt;$&quot;
      • API String ID: 3877199237-87953025
      • Opcode ID: 8299d42355d1b584be66102ab3a8832ebc03031246e002ce974f7f901c2c17cd
      • Instruction ID: 55eca48639f4de5c2b0b3b8e5f59eb2e191289d8b7eb86cfcdf09b428bab286d
      • Opcode Fuzzy Hash: 8299d42355d1b584be66102ab3a8832ebc03031246e002ce974f7f901c2c17cd
      • Instruction Fuzzy Hash: 2C41382150036163DF202752ED067F7B654EF15399F64541BFC4CAB2C1EA6CEA12C3B9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E0044F27A(void* __ebx, struct HWND__* __esi) {
      				void* _t50;
      				int _t51;
      				void* _t56;
      				void* _t57;
      				struct HWND__* _t58;
      				void* _t59;
      				signed int _t60;
      
      				_t58 = __esi;
      				_t50 = __ebx;
      				 *(_t60 - 0x4dc) = 0x3c;
      				 *(_t60 - 0x4d8) = 0;
      				E00470030(_t60 - 0x4d4, 0, 0x34);
      				 *(_t60 - 0x70) = 0;
      				E00470030(_t60 - 0x6c, 0, 0x58);
      				GetObjectW( *0x4bd708, 0x5c, _t60 - 0x70);
      				 *(_t60 - 0x4d8) = __esi;
      				 *((intOrPtr*)(_t60 - 0x4d0)) = _t60 - 0x70;
      				 *((intOrPtr*)(_t60 - 0x4c8)) = 0x10041;
      				if(ChooseFontW(_t60 - 0x4dc) != 0) {
      					__eax = DeleteObject( *0x4bd708);
      					__edi = CreateFontIndirectW;
      					__eax = __ebp - 0x70;
      					 *0x4bd708 = CreateFontIndirectW(__ebp - 0x70);
      					GetDlgItem(__esi, 0x3f9) = SendMessageW(__eax, 0x30, __eax, 0);
      					__ecx = 0x2bc;
      					0x320 =  <  ? 0x2bc : 0x320;
      					 *((intOrPtr*)(__ebp - 0x60)) =  <  ? 0x2bc : 0x320;
      					DeleteObject( *0x4bd70c) = __ebp - 0x70;
      					 *0x4bd70c = CreateFontIndirectW(__ebp - 0x70);
      					__ebp - 0x4a0 = GetWindowRect(__esi, __ebp - 0x4a0);
      					__eax =  *(__ebp - 0x494);
      					__edx =  *(__ebp - 0x49c);
      					__eax =  *(__ebp - 0x494) - __edx;
      					__ecx =  *(__ebp - 0x4a0);
      					__edi = MoveWindow;
      					 *(__ebp - 0x498) =  *(__ebp - 0x498) - __ecx;
      					 *(__ebp - 0x498) - __ecx - 1 = MoveWindow(__esi, __ecx, __edx,  *(__ebp - 0x498) - __ecx - 1,  *(__ebp - 0x494) - __edx, 0);
      					__eax =  *(__ebp - 0x494);
      					__edx =  *(__ebp - 0x49c);
      					__eax =  *(__ebp - 0x494) - __edx;
      					__ecx =  *(__ebp - 0x4a0);
      					 *(__ebp - 0x498) =  *(__ebp - 0x498) - __ecx;
      					MoveWindow(__esi, __ecx, __edx,  *(__ebp - 0x498) - __ecx,  *(__ebp - 0x494) - __edx, 0) = __ebp - 0x4a0;
      					GetWindowRect(__esi, __ebp - 0x4a0) =  *(__ebp - 0x494);
      					__edx =  *(__ebp - 0x49c);
      					__eax =  *(__ebp - 0x494) - __edx;
      					__ecx =  *(__ebp - 0x4a0);
      					__edi = SetWindowPos;
      					 *(__ebp - 0x498) =  *(__ebp - 0x498) - __ecx;
      					 *(__ebp - 0x498) - __ecx - 1 = SetWindowPos(__esi, 0, __ecx, __edx,  *(__ebp - 0x498) - __ecx - 1,  *(__ebp - 0x494) - __edx, 4);
      					__eax =  *(__ebp - 0x494);
      					__edx =  *(__ebp - 0x49c);
      					__ecx =  *(__ebp - 0x4a0);
      					 *(__ebp - 0x494) - __edx =  *(__ebp - 0x498);
      					 *(__ebp - 0x498) - __ecx = SetWindowPos(__esi, 0, __ecx, __edx,  *(__ebp - 0x498) - __ecx,  *(__ebp - 0x494) - __edx, 4);
      				}
      				_t51 =  *(_t60 + 0xc);
      				DefWindowProcW(_t58, _t51,  *(_t60 - 0x628),  *(_t60 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
      				_pop(_t57);
      				_pop(_t59);
      				return E0046F77E(_t50,  *(_t60 - 0x10) ^ _t60, _t56, _t57, _t59);
      			}

      0x0044f27a
      0x0044f27a
      0x0044f282
      0x0044f28f
      0x0044f299
      0x0044f2a3
      0x0044f2ad
      0x0044f2c1
      0x0044f2ca
      0x0044f2d0
      0x0044f2dd
      0x0044f2ef
      0x0044f2fb
      0x0044f301
      0x0044f307
      0x0044f318
      0x0044f324
      0x0044f330
      0x0044f33d
      0x0044f340
      0x0044f349
      0x0044f34f
      0x0044f35c
      0x0044f362
      0x0044f368
      0x0044f36e
      0x0044f370
      0x0044f376
      0x0044f385
      0x0044f38c
      0x0044f38e
      0x0044f394
      0x0044f39a
      0x0044f39c
      0x0044f3ab
      0x0044f3b3
      0x0044f3c1
      0x0044f3c7
      0x0044f3cd
      0x0044f3cf
      0x0044f3d5
      0x0044f3e4
      0x0044f3ed
      0x0044f3ef
      0x0044f3f5
      0x0044f3fd
      0x0044f406
      0x0044f414
      0x0044f414
      0x0044e726
      0x0044e737
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757

      APIs
      • DefWindowProcW.USER32(?,?,?,?,2927074F), ref: 0044E737
      • _memset.LIBCMT ref: 0044F299
      • _memset.LIBCMT ref: 0044F2AD
      • GetObjectW.GDI32(0000005C,?), ref: 0044F2C1
      • ChooseFontW.COMDLG32 ref: 0044F2E7
      • DeleteObject.GDI32 ref: 0044F2FB
      • CreateFontIndirectW.GDI32(?), ref: 0044F30B
      • GetDlgItem.USER32 ref: 0044F31D
      • SendMessageW.USER32(00000000,?,000003F9,00000030), ref: 0044F324
      • DeleteObject.GDI32 ref: 0044F343
      • CreateFontIndirectW.GDI32(?), ref: 0044F34D
      • GetWindowRect.USER32 ref: 0044F35C
      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?,000003F9,00000030,00000000,00000000), ref: 0044F38C
      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,?,000003F9), ref: 0044F3B1
      • GetWindowRect.USER32 ref: 0044F3BB
      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004,?,?,?,?,?,?,?,00000000), ref: 0044F3ED
      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004,?,00000000,?,?,?,?,00000004,?,?), ref: 0044F414
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$FontObject$CreateDeleteIndirectMoveRect_memset$ChooseItemMessageProcSend
      • String ID: <$A
      • API String ID: 1552102481-570643782
      • Opcode ID: e857c969ef16888a2555d2ddd0bfb17ee135d0cba855fd3a8d7c05c74c91aac5
      • Instruction ID: 358ee3bf2a8544eb44ac26d70fbcb6dcdae12ad8d1fc1303d4347a62ccd21528
      • Opcode Fuzzy Hash: e857c969ef16888a2555d2ddd0bfb17ee135d0cba855fd3a8d7c05c74c91aac5
      • Instruction Fuzzy Hash: C251FFB1A00519AFEB24DFA4DC49FAEB7B9FB44300F1041A9E608E3251DB746A45CF18
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E0044A3C6(void* __ebx, int __edi) {
      				signed int _t30;
      				struct HINSTANCE__* _t43;
      				struct HWND__* _t45;
      				void* _t46;
      				void* _t48;
      				void* _t60;
      				struct HINSTANCE__* _t62;
      				struct HWND__* _t63;
      				void* _t73;
      				int _t83;
      				void* _t84;
      				struct HWND__* _t85;
      				struct HWND__* _t87;
      				void* _t88;
      				signed int _t89;
      				void* _t91;
      				void* _t92;
      				void* _t93;
      
      				_t83 = __edi;
      				_t73 = __ebx;
      				do {
      					 *(_t89 - 0xaf4) = 1;
      					_t30 = _t83 + _t83 * 2 << 2;
      					asm("xorps xmm0, xmm0");
      					 *(_t89 - 0xab0) = _t30;
      					asm("movdqu [ebp-0xaf0], xmm0");
      					_t5 = 0x4a449c + _t30; // 0x4a44c0
      					 *((intOrPtr*)(_t89 - 0xae8)) =  *_t5;
      					asm("movq [ebp-0xae0], xmm0");
      					SendMessageW(GetDlgItem( *(_t89 - 0xa98), 0x40e), 0x133e, _t83, _t89 - 0xaf4);
      					GetClientRect(GetDlgItem( *(_t89 - 0xa98), 0x40e), _t89 - 0xa8c);
      					SendMessageW(GetDlgItem( *(_t89 - 0xa98), 0x40e), 0x1328, 0, _t89 - 0xa8c);
      					_t96 = _t83;
      					if(_t83 != 0) {
      						_t43 = GetModuleHandleW(0);
      						_t45 = E004041E0(GetDlgItem( *(_t89 - 0xa98), 0x40e), _t43,  *((intOrPtr*)( *(_t89 - 0xab0) + 0x4a44a4)), 0x40000000, _t89 - 0xa8c);
      						_t92 = _t91 + 0x14;
      						_t85 = _t45;
      						_push(0xc);
      						__eflags = _t83 - 1;
      						if(_t83 != 1) {
      							_push(0x4a43f8);
      							_t46 = E00405D60(_t85);
      							_t93 = _t92 + 4;
      							E004070B0(_t46);
      							_push(L"FileSummaryColumns.ByExtension");
      						} else {
      							_push(0x4a4368);
      							_t60 = E00405D60(_t85);
      							_t93 = _t92 + 4;
      							E004070B0(_t60);
      							_push(L"FileSummaryColumns.ByFolder");
      						}
      						_push( *0x4bd2b4);
      						_t48 = E00405D60(_t85);
      						_t91 = _t93 + 4;
      						E00408DB0(_t48, __eflags);
      					} else {
      						_t62 = GetModuleHandleW(_t83);
      						_t63 = GetDlgItem( *(_t89 - 0xa98), 0x40e);
      						_t82 =  *(_t89 - 0xa88);
      						_t85 = CreateWindowExW(4,  *0x4a44a0,  *0x4a449c, 0x4031000d,  *(_t89 - 0xa8c),  *(_t89 - 0xa88),  *((intOrPtr*)(_t89 - 0xa84)) -  *(_t89 - 0xa8c),  *((intOrPtr*)(_t89 - 0xa80)) -  *(_t89 - 0xa88), _t63, 0x6d, _t62, _t83);
      						SendMessageW(_t85, 0x1036, _t83, 0x4030);
      						E0042E9F0( *(_t89 - 0xa88), _t85, 0x4a4210, 0xc, 0x4030, _t83);
      						E0042EB50(_t96, _t85,  *0x4bd2b4, L"FileSummaryColumns");
      						_t91 = _t91 + 0x20;
      						ShowWindow(_t85, 5);
      					}
      					SendMessageW(_t85, 0x30,  *0x4bd708, 0);
      					 *(_t89 - 0xadc) = _t85;
      					 *(_t89 - 0xaf4) = 8;
      					SendMessageW(GetDlgItem( *(_t89 - 0xa98), 0x40e), 0x133d, _t83, _t89 - 0xaf4);
      					_t83 = _t83 + 1;
      				} while (_t83 < 3);
      				_t87 =  *(_t89 - 0xa98);
      				E004585D0(_t87,  *0x4bd2b4, L"FileSummaryDialog");
      				SetDlgItemTextW(_t87, 0x42f, 0x48fc20);
      				UpdateWindow(_t87);
      				PostMessageW(_t87, 0x111, 1, 0);
      				 *[fs:0x0] =  *((intOrPtr*)(_t89 - 0xc));
      				_pop(_t84);
      				_pop(_t88);
      				return E0046F77E(_t73,  *(_t89 - 0x10) ^ _t89, _t82, _t84, _t88);
      			}

      0x0044a3c6
      0x0044a3c6
      0x0044a3d0
      0x0044a3d3
      0x0044a3dd
      0x0044a3e0
      0x0044a3e3
      0x0044a3e9
      0x0044a3f1
      0x0044a3f7
      0x0044a415
      0x0044a420
      0x0044a43b
      0x0044a45d
      0x0044a463
      0x0044a465
      0x0044a520
      0x0044a535
      0x0044a53a
      0x0044a53d
      0x0044a53f
      0x0044a541
      0x0044a544
      0x0044a562
      0x0044a568
      0x0044a56d
      0x0044a572
      0x0044a577
      0x0044a546
      0x0044a546
      0x0044a54c
      0x0044a551
      0x0044a556
      0x0044a55b
      0x0044a55b
      0x0044a57c
      0x0044a583
      0x0044a588
      0x0044a58d
      0x0044a46b
      0x0044a46d
      0x0044a481
      0x0044a483
      0x0044a4c3
      0x0044a4cb
      0x0044a4df
      0x0044a4f0
      0x0044a4f5
      0x0044a4fb
      0x0044a4fb
      0x0044a59d
      0x0044a5a9
      0x0044a5c7
      0x0044a5d4
      0x0044a5da
      0x0044a5db
      0x0044a5e4
      0x0044a5f6
      0x0044a609
      0x0044a610
      0x0044a620
      0x0044a62e
      0x0044a636
      0x0044a637
      0x0044a645

      APIs
      • GetDlgItem.USER32 ref: 0044A41D
      • SendMessageW.USER32(00000000), ref: 0044A420
      • GetDlgItem.USER32 ref: 0044A438
      • GetClientRect.USER32 ref: 0044A43B
      • GetDlgItem.USER32 ref: 0044A45A
      • SendMessageW.USER32(00000000), ref: 0044A45D
      • GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0044A46D
      • GetDlgItem.USER32 ref: 0044A481
      • CreateWindowExW.USER32 ref: 0044A4B7
      • SendMessageW.USER32(00000000,00001036,00000000,00004030), ref: 0044A4CB
        • Part of subcall function 0042E9F0: SendMessageW.USER32(?,00001036,?,?), ref: 0042EA17
        • Part of subcall function 0042E9F0: GetModuleHandleW.KERNEL32(00000000,?,?,00000104), ref: 0042EA53
        • Part of subcall function 0042E9F0: LoadStringW.USER32(00000000), ref: 0042EA5A
        • Part of subcall function 0042E9F0: MulDiv.KERNEL32(?,00000060), ref: 0042EAB8
        • Part of subcall function 0042E9F0: SendMessageW.USER32(?,00001061,00000000,00000006), ref: 0042EAD2
        • Part of subcall function 0042E9F0: SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0042EAFF
        • Part of subcall function 0042E9F0: GetWindowLongW.USER32(?,000000F0), ref: 0042EB0C
        • Part of subcall function 0042E9F0: SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042EB23
        • Part of subcall function 0042E9F0: SendMessageW.USER32(00000000,00001208,00000000,00000000), ref: 0042EB35
        • Part of subcall function 0042EB50: SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042EB6B
        • Part of subcall function 0042EB50: SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0042EB77
        • Part of subcall function 0042EB50: RegQueryValueExW.ADVAPI32(?,?,00000000,FFFFFFFF,00000000,?), ref: 0042EBBF
        • Part of subcall function 0042EB50: SendMessageW.USER32(00000003,0000103A,00000000,00000000), ref: 0042EBE8
        • Part of subcall function 0042EB50: MulDiv.KERNEL32(00000000,00000060), ref: 0042EC00
        • Part of subcall function 0042EB50: SendMessageW.USER32(00000003,0000101E,00000000,?), ref: 0042EC13
      • ShowWindow.USER32(00000000,00000005), ref: 0044A4FB
      • GetModuleHandleW.KERNEL32(00000000,?,40000000,?), ref: 0044A520
      • GetDlgItem.USER32 ref: 0044A532
      • SendMessageW.USER32(00000000,00000030,00000000,FileSummaryColumns.ByExtension), ref: 0044A59D
      • GetDlgItem.USER32 ref: 0044A5D1
      • SendMessageW.USER32(00000000), ref: 0044A5D4
      • SetDlgItemTextW.USER32 ref: 0044A609
      • UpdateWindow.USER32(?), ref: 0044A610
      • PostMessageW.USER32(?,00000111,00000001,00000000), ref: 0044A620
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Message$Send$Item$Window$HandleModule$ClientCreateLoadLongPostQueryRectShowStringTextUpdateValue
      • String ID: FileSummaryColumns$FileSummaryDialog
      • API String ID: 3966296028-828229291
      • Opcode ID: f782525d28ae1ae82cdfe580d6319b3718ae11e704f319808f0ab665fb88b072
      • Instruction ID: cf7bc035095630a92c4aa50878180dae192234144deec9fb44e952c0dfde1d19
      • Opcode Fuzzy Hash: f782525d28ae1ae82cdfe580d6319b3718ae11e704f319808f0ab665fb88b072
      • Instruction Fuzzy Hash: 5241E971B40329BFEB209F50DC09FAE7B78FB4A700F0041A9F605B6590DBB41A958F59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E00458EF0(void* __edx, struct HWND__* _a4, intOrPtr _a8, signed int _a12, long _a16) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				char _v100;
      				short _v620;
      				int _v624;
      				long _v628;
      				long _v632;
      				long _v636;
      				long _v640;
      				long _v644;
      				long _v648;
      				long _v652;
      				long _v656;
      				long _v660;
      				long _v664;
      				long _v668;
      				long _v672;
      				long _v676;
      				long _v680;
      				long _v684;
      				long _v688;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t108;
      				signed int _t109;
      				void* _t112;
      				void* _t132;
      				long _t136;
      				void* _t139;
      				char* _t150;
      				int _t160;
      				void* _t168;
      				void* _t171;
      				long _t177;
      				void* _t180;
      				long _t196;
      				void* _t210;
      				void* _t221;
      				void* _t222;
      				void* _t223;
      				long _t234;
      				long _t242;
      				void* _t267;
      				struct HWND__* _t269;
      				void* _t270;
      				long _t272;
      				void* _t273;
      				void* _t274;
      				long _t275;
      				int _t276;
      				signed int _t277;
      				void* _t278;
      				void* _t279;
      				void* _t280;
      				void* _t283;
      
      				_t267 = __edx;
      				_push(0xffffffff);
      				_push(E0048BCCB);
      				_push( *[fs:0x0]);
      				_t279 = _t278 - 0x2a0;
      				_t108 =  *0x4bb1dc; // 0x2927074f
      				_t109 = _t108 ^ _t277;
      				_v20 = _t109;
      				_push(_t221);
      				_push(_t109);
      				 *[fs:0x0] =  &_v16;
      				_t269 = _a4;
      				_t272 = _a16;
      				_t112 = _a8 - 0x110;
      				if(_t112 == 0) {
      					SetWindowLongW(_t269, 0xffffffeb, _t272);
      					E0044ADD0(0x4bdd00, GetDlgItem(_t269, 0x424));
      					__eflags = _t272;
      					if(__eflags == 0) {
      						_t273 = 0;
      						E00445460( &_v100, L"Filter %d", 0);
      						_t280 = _t279 + 0xc;
      						__eflags = E00446D30(__eflags,  &_v100);
      						if(__eflags == 0) {
      							L57:
      							_push( &_v100);
      							L58:
      							SetDlgItemTextW(_t269, 0x424, ??);
      							L59:
      							 *[fs:0x0] = _v16;
      							_pop(_t270);
      							_pop(_t274);
      							_pop(_t222);
      							return E0046F77E(_t222, _v20 ^ _t277, _t267, _t270, _t274);
      						}
      						do {
      							_t273 = _t273 + 1;
      							E00445460( &_v100, L"Filter %d", _t273);
      							_t280 = _t280 + 0xc;
      							__eflags = E00446D30(__eflags,  &_v100);
      						} while (__eflags != 0);
      						goto L57;
      					}
      					_push(_t272);
      					goto L58;
      				}
      				if(_t112 != 1) {
      					L51:
      					goto L59;
      				}
      				_t132 = (_a12 & 0x0000ffff) - 1;
      				if(_t132 == 0) {
      					GetDlgItemTextW(_t269, 0x424,  &_v620, 0x104);
      					_t136 = E00446D30(__eflags,  &_v620);
      					__eflags = _t136;
      					if(_t136 == 0) {
      						L20:
      						_t275 = GetWindowLongW(_t269, 0xffffffeb);
      						_v624 = 0;
      						_v8 = 9;
      						__eflags = _t275;
      						if(_t275 == 0) {
      							_t139 = E00414290(0x4bca94,  &_v684);
      							_v8 = 0x11;
      							E0046A0B0( &_v624, _t139);
      							_t234 = _v684;
      						} else {
      							_v644 = E0046A6C0(_t221, _t275, E0046A530(_t275));
      							_v8 = 0xa;
      							_v656 = E0046A6C0(_t221, L"Filter#", E0046A530(L"Filter#"));
      							_v8 = 0xb;
      							_t168 = E0046A230( &_v688,  &_v644);
      							_v8 = 0xc;
      							_t171 = E004371A0( &_v680,  *0x4bd2b4, E0046A170(_t168));
      							_t283 = _t279 + 0x24;
      							_v8 = 0xd;
      							E0046A0B0( &_v624, _t171);
      							_t247 = _v680;
      							_v8 = 0xc;
      							__eflags = _v680;
      							if(_v680 != 0) {
      								E0046A700(_t247);
      							}
      							_t248 = _v688;
      							_v8 = 0xb;
      							__eflags = _v688;
      							if(_v688 != 0) {
      								E0046A700(_t248);
      							}
      							_t249 = _v656;
      							_v8 = 0xa;
      							__eflags = _v656;
      							if(_v656 != 0) {
      								E0046A700(_t249);
      							}
      							_t250 = _v644;
      							_v8 = 9;
      							__eflags = _v644;
      							if(__eflags != 0) {
      								E0046A700(_t250);
      							}
      							E00447960(_t221, __eflags, _t275);
      							_v636 = E0046A6C0(_t221, _t275, E0046A530(_t275));
      							_v8 = 0xe;
      							_t177 = E0046A6C0(_t221, L"Filter#", E0046A530(L"Filter#"));
      							_t279 = _t283 + 0x18;
      							_v660 = _t177;
      							_v8 = 0xf;
      							_t180 = E0046A230( &_v676,  &_v636);
      							_v8 = 0x10;
      							RegDeleteValueW( *0x4bd2b4, E0046A170(_t180));
      							_t254 = _v676;
      							_v8 = 0xf;
      							__eflags = _v676;
      							if(_v676 != 0) {
      								E0046A700(_t254);
      							}
      							_t255 = _v660;
      							_v8 = 0xe;
      							__eflags = _v660;
      							if(_v660 != 0) {
      								E0046A700(_t255);
      							}
      							_t234 = _v636;
      						}
      						_v8 = 9;
      						__eflags = _t234;
      						if(_t234 != 0) {
      							E0046A700(_t234);
      						}
      						_v648 = E0046A6C0(_t221,  &_v620, E0046A530( &_v620));
      						_v8 = 0x12;
      						_v632 = E0046A6C0(_t221, L"Filter#", E0046A530(L"Filter#"));
      						_v8 = 0x13;
      						_t223 = E0046A230( &_v672,  &_v648);
      						_t236 = _v624;
      						_v8 = 0x14;
      						__eflags = _v624;
      						if(_v624 == 0) {
      							_t276 = 0;
      							__eflags = 0;
      							goto L41;
      						} else {
      							_t160 = E00406130(_t236);
      							_t243 = _v624;
      							_t276 = _t160;
      							__eflags = _v624;
      							if(_v624 == 0) {
      								L41:
      								_t150 = 0;
      								__eflags = 0;
      								L42:
      								RegSetValueExW( *0x4bd2b4, E0046A170(_t223), 0, 3, _t150, _t276);
      								_t238 = _v672;
      								_v8 = 0x13;
      								__eflags = _v672;
      								if(_v672 != 0) {
      									E0046A700(_t238);
      								}
      								_t239 = _v632;
      								_v8 = 0x12;
      								__eflags = _v632;
      								if(_v632 != 0) {
      									E0046A700(_t239);
      								}
      								_t240 = _v648;
      								_v8 = 9;
      								__eflags = _v648;
      								if(__eflags != 0) {
      									E0046A700(_t240);
      								}
      								E0044DC80(_t223, 0x4bdd00, __eflags,  &_v620);
      								EndDialog(_t269, 1);
      								_t242 = _v624;
      								L49:
      								_v8 = 0xffffffff;
      								__eflags = _t242;
      								if(_t242 != 0) {
      									E0046A700(_t242);
      								}
      								goto L51;
      							}
      							_t150 = E0046A620(_t243);
      							goto L42;
      						}
      					}
      					_v652 = E0046A6C0(_t221, L"\'?", E0046A530(L"\'?"));
      					_v8 = 0;
      					_v664 = E0046A6C0(_t221,  &_v620, E0046A530( &_v620));
      					_v8 = 1;
      					_t196 = E0046A6C0(_t221, L"Replace existing filter \'", E0046A530(L"Replace existing filter \'"));
      					_t279 = _t279 + 0x24;
      					_v640 = _t196;
      					_v8 = 2;
      					E0046A230( &_v668,  &_v664);
      					_v8 = 3;
      					E0046A230( &_v628,  &_v652);
      					_t260 = _v668;
      					_v8 = 5;
      					__eflags = _v668;
      					if(_v668 != 0) {
      						E0046A700(_t260);
      					}
      					_t261 = _v640;
      					_v8 = 6;
      					__eflags = _v640;
      					if(_v640 != 0) {
      						E0046A700(_t261);
      					}
      					_t262 = _v664;
      					_v8 = 7;
      					__eflags = _v664;
      					if(_v664 != 0) {
      						E0046A700(_t262);
      					}
      					_t263 = _v652;
      					_v8 = 8;
      					__eflags = _v652;
      					if(_v652 != 0) {
      						E0046A700(_t263);
      					}
      					__eflags = MessageBoxW(_t269, E0046A170( &_v628), L"Process Monitor", 0x21) - 1;
      					if(__eflags == 0) {
      						E00447960(_t221, __eflags,  &_v620);
      						_t266 = _v628;
      						_v8 = 0xffffffff;
      						__eflags = _v628;
      						if(_v628 != 0) {
      							E0046A700(_t266);
      						}
      						goto L20;
      					} else {
      						_t242 = _v628;
      						goto L49;
      					}
      				}
      				_t210 = _t132 - 1;
      				if(_t210 == 0) {
      					EndDialog(_t269, 0);
      					goto L59;
      				}
      				if(_t210 != 0x422) {
      					goto L51;
      				} else {
      					GetDlgItemTextW(_t269, 0x424,  &_v620, 0x104);
      					EnableWindow(GetDlgItem(_t269, 1), 0 | _v620 != 0x00000000);
      					goto L59;
      				}
      			}

      0x00458ef0
      0x00458ef3
      0x00458ef5
      0x00458f00
      0x00458f01
      0x00458f07
      0x00458f0c
      0x00458f0e
      0x00458f11
      0x00458f14
      0x00458f18
      0x00458f21
      0x00458f24
      0x00458f27
      0x00458f2c
      0x004593e5
      0x004593fd
      0x00459402
      0x00459404
      0x00459409
      0x00459415
      0x0045941a
      0x0045942b
      0x0045942d
      0x00459455
      0x00459458
      0x00459459
      0x0045945f
      0x0045946a
      0x0045946d
      0x00459475
      0x00459476
      0x00459477
      0x00459485
      0x00459485
      0x00459430
      0x00459430
      0x0045943b
      0x00459440
      0x00459451
      0x00459451
      0x00000000
      0x00459430
      0x00459406
      0x00000000
      0x00459406
      0x00458f33
      0x004593da
      0x00000000
      0x004593da
      0x00458f3f
      0x00458f40
      0x00458fae
      0x00458fc0
      0x00458fc5
      0x00458fc7
      0x00459103
      0x0045910c
      0x0045910e
      0x00459118
      0x0045911f
      0x00459121
      0x004592a5
      0x004592b1
      0x004592b5
      0x004592ba
      0x00459127
      0x00459134
      0x0045913f
      0x00459156
      0x00459162
      0x00459174
      0x0045917b
      0x00459192
      0x00459197
      0x004591a1
      0x004591a5
      0x004591aa
      0x004591b0
      0x004591b4
      0x004591b6
      0x004591b8
      0x004591b8
      0x004591bd
      0x004591c3
      0x004591c7
      0x004591c9
      0x004591cb
      0x004591cb
      0x004591d0
      0x004591d6
      0x004591da
      0x004591dc
      0x004591de
      0x004591de
      0x004591e3
      0x004591e9
      0x004591ed
      0x004591ef
      0x004591f1
      0x004591f1
      0x004591fc
      0x0045920e
      0x00459219
      0x00459228
      0x0045922d
      0x00459230
      0x0045923c
      0x0045924e
      0x00459255
      0x00459265
      0x0045926b
      0x00459271
      0x00459275
      0x00459277
      0x00459279
      0x00459279
      0x0045927e
      0x00459284
      0x00459288
      0x0045928a
      0x0045928c
      0x0045928c
      0x00459291
      0x00459291
      0x004592c0
      0x004592c4
      0x004592c6
      0x004592c8
      0x004592c8
      0x004592e6
      0x004592f1
      0x00459308
      0x00459314
      0x0045932b
      0x0045932d
      0x00459333
      0x00459337
      0x00459339
      0x00459353
      0x00459353
      0x00000000
      0x0045933b
      0x0045933b
      0x00459340
      0x00459346
      0x00459348
      0x0045934a
      0x00459355
      0x00459355
      0x00459355
      0x00459357
      0x0045936b
      0x00459371
      0x00459377
      0x0045937b
      0x0045937d
      0x0045937f
      0x0045937f
      0x00459384
      0x0045938a
      0x0045938e
      0x00459390
      0x00459392
      0x00459392
      0x00459397
      0x0045939d
      0x004593a1
      0x004593a3
      0x004593a5
      0x004593a5
      0x004593b6
      0x004593be
      0x004593c4
      0x004593ca
      0x004593ca
      0x004593d1
      0x004593d3
      0x004593d5
      0x004593d5
      0x00000000
      0x004593d3
      0x0045934c
      0x00000000
      0x0045934c
      0x00459339
      0x00458fe2
      0x00458fee
      0x00459008
      0x00459013
      0x00459022
      0x00459027
      0x0045902a
      0x00459036
      0x00459048
      0x00459053
      0x00459061
      0x00459066
      0x0045906c
      0x00459070
      0x00459072
      0x00459074
      0x00459074
      0x00459079
      0x0045907f
      0x00459083
      0x00459085
      0x00459087
      0x00459087
      0x0045908c
      0x00459092
      0x00459096
      0x00459098
      0x0045909a
      0x0045909a
      0x0045909f
      0x004590a5
      0x004590a9
      0x004590ab
      0x004590ad
      0x004590ad
      0x004590cc
      0x004590cf
      0x004590e8
      0x004590ed
      0x004590f3
      0x004590fa
      0x004590fc
      0x004590fe
      0x004590fe
      0x00000000
      0x004590d1
      0x004590d1
      0x00000000
      0x004590d1
      0x004590cf
      0x00458f42
      0x00458f43
      0x00458f8f
      0x00000000
      0x00458f95
      0x00458f4a
      0x00000000
      0x00458f50
      0x00458f62
      0x00458f7f
      0x00000000
      0x00458f85

      APIs
      • GetDlgItemTextW.USER32 ref: 00458F62
      • GetDlgItem.USER32 ref: 00458F78
      • EnableWindow.USER32(00000000), ref: 00458F7F
      • EndDialog.USER32(?,00000000), ref: 00458F8F
      • GetDlgItemTextW.USER32 ref: 00458FAE
      • MessageBoxW.USER32(?,00000000,Process Monitor,00000021), ref: 004590C6
      • SetWindowLongW.USER32 ref: 004593E5
      • GetDlgItem.USER32 ref: 004593F1
      • SetDlgItemTextW.USER32 ref: 0045945F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Item$Text$Window$DialogEnableLongMessage
      • String ID: Filter %d$Filter#$Process Monitor$Replace existing filter '$pHx
      • API String ID: 3817051067-2056973898
      • Opcode ID: a2980aa6af1dec3b7ce961897903ca89c8ae07f1d0226e7d9ba0a0f548c0e951
      • Instruction ID: 2420fc5e9a6c2ef926f64625a37378919b73f8ab5da2842f73717f742f2e6d22
      • Opcode Fuzzy Hash: a2980aa6af1dec3b7ce961897903ca89c8ae07f1d0226e7d9ba0a0f548c0e951
      • Instruction Fuzzy Hash: F6E1C474905218EAEF14EBA1CC59BAE77789F05305F1441DFE806B3282EB785E44CF6A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0040C470(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
      				signed int _v8;
      				short _v528;
      				struct tagRECT _v544;
      				struct tagPAINTSTRUCT _v608;
      				void* _v612;
      				long _v616;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t38;
      				int _t41;
      				void* _t42;
      				signed int _t47;
      				signed int _t53;
      				void* _t58;
      				signed int _t65;
      				void* _t68;
      				signed int* _t80;
      				void* _t81;
      				void* _t85;
      				long _t86;
      				signed int _t88;
      				int _t89;
      				struct HWND__* _t90;
      				signed int _t91;
      				void* _t94;
      
      				_t85 = __edx;
      				_t38 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t38 ^ _t91;
      				_t90 = _a4;
      				_t86 = _a16;
      				_v616 = _t86;
      				_t80 = GetWindowLongW(_t90, 0xffffffeb);
      				_t41 = _a8;
      				_t94 = _t41 - 0x200;
      				if(_t94 > 0) {
      					_t42 = _t41 - 0x201;
      					if(_t42 == 0) {
      						_t34 =  &(_t80[4]); // 0x10
      						E0040C7B0(_t81, _t90, _t34);
      					} else {
      						_t47 = _t42 - 0x14;
      						if(_t47 == 0) {
      							 *_t80 = _t47 & 0xffffff00 | _t86 == _t90;
      							InvalidateRect(_t90, 0, 1);
      						}
      					}
      				} else {
      					if(_t94 == 0) {
      						_push(_t86 >> 0x10);
      						_t53 = ChildWindowFromPoint(_t90, _t86 & 0x0000ffff) & 0xffffff00 | _t52 == _t90;
      						if(_t53 !=  *_t80) {
      							 *_t80 = _t53;
      							if(_t53 == 0) {
      								ReleaseCapture();
      								InvalidateRect(_t90, 0, 1);
      							} else {
      								SetCapture(_t90);
      								InvalidateRect(_t90, 0, 1);
      							}
      						}
      					} else {
      						_t58 = _t41 - 1;
      						if(_t58 == 0) {
      							SetWindowLongW(_t90, 0xffffffeb,  *_t86);
      						} else {
      							if(_t58 == 0xe) {
      								BeginPaint(_t90,  &_v608);
      								GetClientRect(_t90,  &_v544);
      								_t65 = GetWindowLongW(_t80[3], 0xfffffff0);
      								if((_t65 & 0x0000000b) == 0) {
      									_t88 = _t65 & 0x00000003;
      									if((_t65 & 0x0000000c) != 0) {
      										_t88 = _t88 | 0x00000020;
      									}
      									_t89 = _t88 | 0x00000040;
      								} else {
      									_t89 = 0x20;
      								}
      								if((_t65 & 0x00000200) != 0) {
      									_t89 = _t89 | 0x00000004;
      								}
      								GetWindowTextW(_t80[3],  &_v528, 0x104);
      								if( *_t80 == 0) {
      									_t68 = _t80[2];
      								} else {
      									_t68 = _t80[1];
      								}
      								_t80 = SelectObject;
      								_v612 = SelectObject(_v608.hdc, _t68);
      								if(GetSysColorBrush(0x1a) == 0) {
      									_push(0xff0000);
      								} else {
      									_push(GetSysColor(0x1a));
      								}
      								SetTextColor(_v608.hdc, ??);
      								SetBkMode(_v608.hdc, 1);
      								DrawTextW(_v608.hdc,  &_v528, 0xffffffff,  &_v544, _t89);
      								SelectObject(_v608, _v612);
      								EndPaint(_t90,  &_v608);
      								_t86 = _v616;
      							}
      						}
      					}
      				}
      				DefWindowProcW(_t90, _a8, _a12, _t86);
      				return E0046F77E(_t80, _v8 ^ _t91, _t85, _t86, _t90);
      			}

      0x0040c470
      0x0040c479
      0x0040c480
      0x0040c485
      0x0040c489
      0x0040c48f
      0x0040c49b
      0x0040c49d
      0x0040c4a0
      0x0040c4a5
      0x0040c611
      0x0040c616
      0x0040c631
      0x0040c636
      0x0040c618
      0x0040c618
      0x0040c61b
      0x0040c627
      0x0040c629
      0x0040c629
      0x0040c61b
      0x0040c4ab
      0x0040c4ab
      0x0040c5d2
      0x0040c5dd
      0x0040c5e2
      0x0040c5e4
      0x0040c5e8
      0x0040c5fe
      0x0040c609
      0x0040c5ea
      0x0040c5eb
      0x0040c5f6
      0x0040c5f6
      0x0040c5e8
      0x0040c4b1
      0x0040c4b1
      0x0040c4b2
      0x0040c5c2
      0x0040c4b8
      0x0040c4bb
      0x0040c4c9
      0x0040c4d7
      0x0040c4e2
      0x0040c4ea
      0x0040c4f5
      0x0040c4fa
      0x0040c4fc
      0x0040c4fc
      0x0040c4ff
      0x0040c4ec
      0x0040c4ec
      0x0040c4ec
      0x0040c507
      0x0040c509
      0x0040c509
      0x0040c51b
      0x0040c524
      0x0040c52b
      0x0040c526
      0x0040c526
      0x0040c526
      0x0040c52e
      0x0040c53f
      0x0040c54d
      0x0040c55a
      0x0040c54f
      0x0040c557
      0x0040c557
      0x0040c565
      0x0040c573
      0x0040c590
      0x0040c5a2
      0x0040c5ac
      0x0040c5b2
      0x0040c5b2
      0x0040c4bb
      0x0040c4b2
      0x0040c4ab
      0x0040c646
      0x0040c65c

      APIs
      • GetWindowLongW.USER32(?,000000EB), ref: 0040C495
      • BeginPaint.USER32(?,?), ref: 0040C4C9
      • GetClientRect.USER32 ref: 0040C4D7
      • GetWindowLongW.USER32(?,000000F0), ref: 0040C4E2
      • GetWindowTextW.USER32 ref: 0040C51B
      • SelectObject.GDI32(?,?), ref: 0040C53B
      • GetSysColorBrush.USER32(0000001A), ref: 0040C545
      • GetSysColor.USER32(0000001A), ref: 0040C551
      • SetTextColor.GDI32(?,00FF0000), ref: 0040C565
      • SetBkMode.GDI32(?,00000001), ref: 0040C573
      • DrawTextW.USER32(?,?,000000FF,?,00000000), ref: 0040C590
      • SelectObject.GDI32(?,?), ref: 0040C5A2
      • EndPaint.USER32(?,?), ref: 0040C5AC
      • SetWindowLongW.USER32 ref: 0040C5C2
      • ChildWindowFromPoint.USER32 ref: 0040C5D5
      • SetCapture.USER32(?,?,?), ref: 0040C5EB
      • InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 0040C5F6
      • ReleaseCapture.USER32(?,?), ref: 0040C5FE
      • InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 0040C609
      • InvalidateRect.USER32(?,00000000,00000001), ref: 0040C629
      • DefWindowProcW.USER32(?,?,?,?), ref: 0040C646
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$Rect$ColorInvalidateLongText$CaptureObjectPaintSelect$BeginBrushChildClientDrawFromModePointProcRelease
      • String ID:
      • API String ID: 1254485943-0
      • Opcode ID: e09baee4e188be391ce7a7032605341cbce7d17e1f9e62159393c579fe01d28d
      • Instruction ID: d00a78582e62528bea71a27cd42478ae73f446622037b6949ea572783df20d5d
      • Opcode Fuzzy Hash: e09baee4e188be391ce7a7032605341cbce7d17e1f9e62159393c579fe01d28d
      • Instruction Fuzzy Hash: 6C51BF31501218FBDB215F54DC8CBAE3B78AF05301F2046B6F901F61A1D7399D469B69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E00457035(void* __ebx) {
      				void* __edi;
      				void* __esi;
      				intOrPtr _t31;
      				long _t37;
      				long _t41;
      				void* _t50;
      				struct HWND__* _t57;
      				void* _t60;
      				int _t61;
      				struct HWND__* _t64;
      				void* _t65;
      				signed int _t66;
      
      				_t50 = __ebx;
      				do {
      					 *(_t66 - 0x108) = 8;
      					 *(_t66 - 0xf0) = 0;
      					SendMessageW(GetDlgItem(_t57, 0x40e), 0x133c, _t61, _t66 - 0x108);
      					_t56 =  *(_t66 - 0x90);
      					 *(_t66 - 0xd8) =  *(_t66 - 0xf0);
      					MoveWindow( *(_t66 - 0xd8),  *(_t66 - 0x94),  *(_t66 - 0x90),  *((intOrPtr*)(_t66 - 0x8c)) -  *(_t66 - 0x94),  *((intOrPtr*)(_t66 - 0x88)) -  *(_t66 - 0x90), 0);
      					_t31 =  *((intOrPtr*)(_t66 - 0xe0));
      					if(_t61 ==  *(_t31 + 0x1c)) {
      						ShowWindow( *(_t66 - 0xd8), 5);
      						_t31 =  *((intOrPtr*)(_t66 - 0xe0));
      					}
      					_t61 = _t61 + 1;
      				} while (_t61 <  *((intOrPtr*)(_t31 + 0x18)));
      				SendMessageW(GetDlgItem(_t57, 0x40e), 0x130c,  *(_t31 + 0x1c), 0);
      				SendMessageW(_t57, 0x80, 0, LoadIconW( *0x4bd2c4, 0x65));
      				_t37 = LoadImageW(GetModuleHandleW(0), 0x6e, 1, 0x10, 0x10, 0x8000);
      				SendMessageW(GetDlgItem( *(_t66 - 0xec), 0x41b), 0xf7, 1, _t37);
      				_t41 = LoadImageW(GetModuleHandleW(0), 0xcc, 1, 0x10, 0x10, 0x8000);
      				_t64 =  *(_t66 - 0xec);
      				SendMessageW(GetDlgItem(_t64, 0x41a), 0xf7, 1, _t41);
      				SendMessageW(_t64, 0x8003,  *( *(_t66 - 0xe8)), 0);
      				E004585D0(_t64,  *0x4bd2b4, L"PropertySheetDialog");
      				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
      				_pop(_t60);
      				_pop(_t65);
      				return E0046F77E(_t50,  *(_t66 - 0x10) ^ _t66, _t56, _t60, _t65);
      			}

      0x00457035
      0x00457040
      0x00457046
      0x0045705d
      0x0045706e
      0x0045707a
      0x00457086
      0x004570a8
      0x004570ae
      0x004570b7
      0x004570c1
      0x004570c7
      0x004570c7
      0x004570cd
      0x004570ce
      0x004570f4
      0x0045710d
      0x0045712d
      0x00457149
      0x00457164
      0x00457166
      0x00457187
      0x00457199
      0x004571a7
      0x0045740b
      0x00457413
      0x00457414
      0x00457422

      APIs
      • GetDlgItem.USER32 ref: 00457067
      • SendMessageW.USER32(00000000), ref: 0045706E
      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004570A8
      • ShowWindow.USER32(?,00000005), ref: 004570C1
      • GetDlgItem.USER32 ref: 004570E7
      • SendMessageW.USER32(00000000), ref: 004570F4
      • LoadIconW.USER32(00000065), ref: 004570FE
      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045710D
      • GetModuleHandleW.KERNEL32(00000000,0000006E,00000001,00000010,00000010,00008000), ref: 00457124
      • LoadImageW.USER32 ref: 0045712D
      • GetDlgItem.USER32 ref: 00457142
      • SendMessageW.USER32(00000000), ref: 00457149
      • GetModuleHandleW.KERNEL32(00000000,000000CC,00000001,00000010,00000010,00008000), ref: 00457161
      • LoadImageW.USER32 ref: 00457164
      • GetDlgItem.USER32 ref: 0045717A
      • SendMessageW.USER32(00000000), ref: 00457187
      • SendMessageW.USER32(?,00008003,?,00000000), ref: 00457199
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$Item$Load$HandleImageModuleWindow$IconMoveShow
      • String ID: PropertySheetDialog
      • API String ID: 196872372-3713141481
      • Opcode ID: 9835c33fd65c08354e788c6346472472fd9dba8575fb654bc0c49402afb75f5d
      • Instruction ID: cecc36cdd6aa79dcd821d0a49f9e873ff7ad53221842faac59204bde110cd6db
      • Opcode Fuzzy Hash: 9835c33fd65c08354e788c6346472472fd9dba8575fb654bc0c49402afb75f5d
      • Instruction Fuzzy Hash: A241C431A40218BFEB209F60DC0AF9E7B79FB48700F0045A5F648B71D1DBB169958F68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E0042E730(void* __ecx) {
      				struct HINSTANCE__* _v8;
      				int _t5;
      				void* _t10;
      				struct HINSTANCE__* _t12;
      				struct HINSTANCE__* _t14;
      				struct HINSTANCE__* _t18;
      				intOrPtr* _t23;
      				void* _t27;
      
      				_t18 = GetModuleHandleW(0);
      				_v8 = _t18;
      				_t5 = GetSystemMetrics(0x32);
      				_t27 = ImageList_Create(GetSystemMetrics(0x31), _t5, 0xff, 0xa, 0x1e);
      				ImageList_SetBkColor(_t27, GetSysColor(5));
      				_t10 = LoadImageW(_t18, L"ICON_MYCOMPUTER", 1, 0x10, 0x10, 0x8000);
      				if(_t10 == 0) {
      					_t10 = LoadIconW(0, 0x7f01);
      				}
      				_t23 = ImageList_ReplaceIcon;
      				ImageList_ReplaceIcon(_t27, 0xffffffff, _t10);
      				_t12 = LoadImageW(_v8, L"ICON_CLOSEDFOLDER", 1, 0x10, 0x10, 0x8000);
      				if(_t12 == 0) {
      					_t12 = LoadIconW(_t12, 0x7f01);
      				}
      				 *_t23(_t27, 0xffffffff, _t12);
      				_t14 = LoadImageW(_v8, L"ICON_OPENFOLDER", 1, 0x10, 0x10, 0x8000);
      				if(_t14 == 0) {
      					_t14 = LoadIconW(_t14, 0x7f01);
      				}
      				 *_t23(_t27, 0xffffffff, _t14);
      				return _t27;
      			}

      0x0042e745
      0x0042e752
      0x0042e755
      0x0042e765
      0x0042e76f
      0x0042e786
      0x0042e794
      0x0042e79d
      0x0042e79d
      0x0042e79f
      0x0042e7a9
      0x0042e7be
      0x0042e7c6
      0x0042e7ce
      0x0042e7ce
      0x0042e7d4
      0x0042e7e9
      0x0042e7f1
      0x0042e7f9
      0x0042e7f9
      0x0042e7ff
      0x0042e809

      APIs
      • GetModuleHandleW.KERNEL32(00000000), ref: 0042E739
      • GetSystemMetrics.USER32 ref: 0042E755
      • GetSystemMetrics.USER32 ref: 0042E75A
      • ImageList_Create.COMCTL32(00000000), ref: 0042E75D
      • GetSysColor.USER32(00000005), ref: 0042E767
      • ImageList_SetBkColor.COMCTL32(00000000,00000000), ref: 0042E76F
      • LoadImageW.USER32 ref: 0042E786
      • LoadIconW.USER32(00000000,00007F01), ref: 0042E79D
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 0042E7A9
      • LoadImageW.USER32 ref: 0042E7BE
      • LoadIconW.USER32(00000000,00007F01), ref: 0042E7CE
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 0042E7D4
      • LoadImageW.USER32 ref: 0042E7E9
      • LoadIconW.USER32(00000000,00007F01), ref: 0042E7F9
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 0042E7FF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Image$IconLoad$List_$Replace$ColorMetricsSystem$CreateHandleModule
      • String ID: ICON_CLOSEDFOLDER$ICON_MYCOMPUTER$ICON_OPENFOLDER
      • API String ID: 3964826133-1514685596
      • Opcode ID: f8fa7a7f3886d978855fbd886b4c4127c33075d4fd61fce209558509b0905cd8
      • Instruction ID: e36712aead652b03e88af9590640121682e5e0e6f8eeedeb3bea6600b08ce03d
      • Opcode Fuzzy Hash: f8fa7a7f3886d978855fbd886b4c4127c33075d4fd61fce209558509b0905cd8
      • Instruction Fuzzy Hash: 78219A307847187AFA2017716D4AFAF3A1DDB45F61F200935F704FA1D1CAE66944576C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00460690(WCHAR* _a4) {
      				struct HINSTANCE__* _t13;
      				struct HINSTANCE__* _t16;
      
      				/* 0x4c2500 is a SYSTEM_INFO; dwPageSize sits at +4 and is non-zero once
      				   GetSystemInfo has filled it, so this guard runs the block only once. */
      				if( *0x4c2504 == 0) {
      					GetSystemInfo(0x4c2500);
      					_t16 = GetModuleHandleW(L"kernel32.dll");   /* not NULL-checked */
      					_t13 = GetModuleHandleW(L"ntdll.dll");      /* not NULL-checked */
      					LoadLibraryW(_a4);                          /* caller-supplied DLL; handle discarded */
      					/* Addresses are resolved by name at run time into a global
      					   function-pointer table instead of through the import directory.
      					   This is the code the report's "dynamically determine API calls"
      					   and GetProcAddress signatures key on; a missing export leaves a
      					   NULL entry that the callers must tolerate. */
      					 *0x4c24e4 = GetProcAddress(_t16, "Process32First");
      					 *0x4c24e8 = GetProcAddress(_t16, "Process32Next");
      					 *0x4c24ec = GetProcAddress(_t16, "Thread32First");
      					 *0x4c24f0 = GetProcAddress(_t16, "Thread32Next");
      					 *0x4c24f4 = GetProcAddress(_t13, "NtSuspendThread");
      					 *0x4c24f8 = GetProcAddress(_t13, "NtResumeThread");
      				}
      				return 1;
      			}

      APIs
      • GetSystemInfo.KERNEL32(004C2500,00000000,00000000,74D0EA30,?,004602F4,?,2927074F,00000000,00000000,74D0EA30,00000000,0048C31E,000000FF,?,0043B479), ref: 004606A8
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,004602F4,?,2927074F,00000000,00000000,74D0EA30,00000000,0048C31E,000000FF,?,0043B479,004BD8B0,004BCA10), ref: 004606B9
      • GetModuleHandleW.KERNEL32(ntdll.dll,?,004602F4,?,2927074F,00000000,00000000,74D0EA30,00000000,0048C31E,000000FF,?,0043B479,004BD8B0,004BCA10), ref: 004606C2
      • LoadLibraryW.KERNEL32(?,?,004602F4,?,2927074F,00000000,00000000,74D0EA30,00000000,0048C31E,000000FF,?,0043B479,004BD8B0,004BCA10), ref: 004606C9
      • GetProcAddress.KERNEL32(00000000,Process32First), ref: 004606DB
      • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004606E8
      • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 004606F5
      • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00460702
      • GetProcAddress.KERNEL32(00000000,NtSuspendThread), ref: 0046070F
      • GetProcAddress.KERNEL32(00000000,NtResumeThread), ref: 0046071C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AddressProc$HandleModule$InfoLibraryLoadSystem
      • String ID: NtResumeThread$NtSuspendThread$Process32First$Process32Next$Thread32First$Thread32Next$kernel32.dll$ntdll.dll
      • API String ID: 4123715355-3598288627
      • Opcode ID: e91fc7e4a0b96169b1ae86f77c3cb1b025bc81b8eda9b03c9183fdb38f73abc2
      • Instruction ID: 7d08b998bebb3408670bb82ce4f29f9cda252fd55f764f59f1b0eeae0dfa125c
      • Opcode Fuzzy Hash: e91fc7e4a0b96169b1ae86f77c3cb1b025bc81b8eda9b03c9183fdb38f73abc2
      • Instruction Fuzzy Hash: 8E014471D413187BC7646FB6AD49E0B7FACEA967A1715043BB418D3260DAFC64009FAC
      Uniqueness

      Uniqueness Score: -1.00%
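
      The resolver E00460690 above is the code the report's "Contains functionality to dynamically determine API calls" and "Extensive use of GetProcAddress" signatures key on. As an added example (not part of this report, and not code from Process Monitor), the Python below runs the same string-level triage over a constructed memory-dump fragment: it extracts narrow and UTF-16LE strings, groups the names E00460690 resolves by capability, and flags the co-occurrence of run-time resolution with Toolhelp enumeration or NtSuspendThread/NtResumeThread. The capability labels, the constructed dump bytes and the helper names are this example's own. The flag is a triage signal, not a verdict: a legitimate monitoring tool resolves these APIs in exactly this way.

```python
import re
from typing import Dict, List, Set

# Groups of names the decompiled resolver E00460690 passes to GetProcAddress,
# plus the modules it looks them up in.  The labels are this example's own.
CAPABILITIES: Dict[str, Set[str]] = {
    "dynamic import resolution": {"GetProcAddress", "GetModuleHandleW", "LoadLibraryW"},
    "process/thread enumeration (Toolhelp)": {
        "Process32First", "Process32Next", "Thread32First", "Thread32Next"},
    "thread suspend/resume (ntdll)": {"NtSuspendThread", "NtResumeThread"},
    "resolution targets": {"kernel32.dll", "ntdll.dll"},
}

# Printable-ASCII runs and UTF-16LE runs: the decompile shows L"kernel32.dll"
# as a wide literal and "Process32First" as a narrow one, so both are needed.
_NARROW = re.compile(rb"[\x20-\x7e]{5,}")
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(blob: bytes) -> Set[str]:
    """Return every narrow or wide printable run of at least five characters."""
    found = {m.group(0).decode("ascii") for m in _NARROW.finditer(blob)}
    found |= {m.group(0).decode("utf-16-le") for m in _WIDE.finditer(blob)}
    return found


def classify(blob: bytes) -> Dict[str, List[str]]:
    """Map each capability label to the sorted names present in the dump.

    Membership is whole-string (runs end at a NUL), so 'NtSuspendThreadEx'
    is not counted as 'NtSuspendThread'.
    """
    strings = extract_strings(blob)
    return {label: sorted(n for n in names if n in strings)
            for label, names in CAPABILITIES.items()
            if any(n in strings for n in names)}


def resolves_sensitive_apis(blob: bytes) -> bool:
    """True when the dump resolves imports at run time AND names a Toolhelp or
    suspend/resume primitive, the combination seen in E00460690.  Triage
    signal only: legitimate monitoring tools do the same."""
    hits = classify(blob)
    return "dynamic import resolution" in hits and (
        "thread suspend/resume (ntdll)" in hits
        or "process/thread enumeration (Toolhelp)" in hits)


def _wide(s: str) -> bytes:
    """UTF-16LE string with its two-byte terminator, as a wide literal is stored."""
    return s.encode("utf-16-le") + b"\x00\x00"


def _narrow(*names: str) -> bytes:
    """NUL-terminated ASCII strings laid out back to back."""
    return b"".join(n.encode("ascii") + b"\x00" for n in names)


# Constructed dump fragments for this example; not taken from the report's .sdmp files.
SAMPLE_DUMP = (b"\x00" * 16 + _wide("kernel32.dll") + _wide("ntdll.dll")
               + _narrow("Process32First", "Process32Next", "Thread32First", "Thread32Next",
                         "NtSuspendThread", "NtResumeThread",
                         "GetProcAddress", "GetModuleHandleW", "LoadLibraryW")
               + b"\xcc" * 8)
BENIGN_DUMP = b"\x00" * 8 + _narrow("CreateWindowExW", "DrawTextW") + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        print(name, resolves_sensitive_apis(blob), classify(blob))
```

      Run against a real .sdmp region the same functions apply unchanged; the only difference is that the strings come from the file rather than from the constructed buffer. Whole-string matching is deliberate: substring matching on the raw bytes would count every suffixed variant and inflate the hit list.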

      C-Code - Quality: 82%
      			E00425009(signed int __eax, void* __ebx, int __edx, void* __edi, void* __esi) {
      				signed int _t142;
      				void* _t147;
      				long _t149;
      				void* _t152;
      				void* _t162;
      				intOrPtr _t184;
      				void* _t190;
      				intOrPtr _t197;
      				int _t202;
      				int _t204;
      				void* _t229;
      				void* _t230;
      				signed int _t233;
      				struct tagRECT _t239;
      				void* _t243;
      				int _t244;
      				int _t248;
      				int _t249;
      				intOrPtr _t253;
      				void* _t254;
      				void* _t255;
      				struct HDC__* _t256;
      				long _t259;
      				intOrPtr _t260;
      				void* _t261;
      				int _t263;
      				void* _t264;
      				intOrPtr _t265;
      				void* _t266;
      				void* _t267;
      				signed int _t268;
      				void* _t279;
      				void* _t283;
      
      				_t248 = __edx;
      				_t230 = __ebx;
      				_t142 = __eax;
      				do {
      					asm("movd xmm0, eax");
      					asm("pshufd xmm0, xmm0, 0x0");
      					_t248 = _t248 + 0x20;
      					asm("paddd xmm0, xmm1");
      					_t142 = _t142 + 8;
      					asm("movdqu [edx-0x30], xmm0");
      					asm("movd xmm0, ecx");
      					asm("pshufd xmm0, xmm0, 0x0");
      					asm("paddd xmm0, xmm1");
      					asm("movdqu [edx-0x20], xmm0");
      				} while (_t142 < __edi);
      				_t253 =  *((intOrPtr*)(_t268 - 0x2150));
      				if(_t142 >= __esi) {
      					L6:
      					if(E004255A0(0x4bcac0) == 0) {
      						L8:
      						 *((char*)(_t268 - 0x2141)) = 0;
      						L9:
      						 *(_t268 - 0x2154) = 0;
      						if(( *( *((intOrPtr*)(_t268 - 0x2188)) + 0xa) & 0x00000001) != 0) {
      							 *(_t268 - 0x2154) = SelectObject( *(_t253 + 0x18),  *0x4bd70c);
      						}
      						if(( *(_t253 + 0x10) & 0x00000001) == 0) {
      							if( *((char*)(_t268 - 0x2141)) == 0) {
      								_t147 = GetSysColor(8);
      								_push(5);
      								goto L18;
      							}
      							_t149 =  *0x4bd8a8; // 0x0
      							_t259 =  *0x4bd8ac; // 0x0
      							goto L19;
      						} else {
      							if(GetFocus() !=  *(_t268 - 0x2160)) {
      								_t147 = GetSysColor(0x12);
      								_push(0xf);
      							} else {
      								_t147 = GetSysColor(0xe);
      								_push(0xd);
      							}
      							L18:
      							 *(_t268 - 0x2148) = _t147;
      							_t259 = GetSysColor(??);
      							_t149 =  *(_t268 - 0x2148);
      							L19:
      							SetTextColor( *(_t253 + 0x18), _t149);
      							SetBkColor( *(_t253 + 0x18), _t259);
      							_t233 = 0;
      							_t260 = 0;
      							 *((intOrPtr*)(_t268 - 0x2170)) = 0;
      							 *(_t268 - 0x214c) = 0;
      							_t279 =  *0x4bd790 - _t233; // 0x0
      							if(_t279 <= 0) {
      								L40:
      								if( *((char*)(_t268 - 0x2141)) == 0) {
      									if(( *(_t253 + 0x10) & 0x00000001) == 0) {
      										L45:
      										_t152 =  *(_t268 - 0x2154);
      										if(_t152 != 0) {
      											SelectObject( *(_t253 + 0x18), _t152);
      										}
      										 *((char*)(_t268 - 4)) = 0;
      										E0040F960(_t268 - 0x2190, _t260);
      										LeaveCriticalSection(0x4bca10);
      										 *[fs:0x0] =  *((intOrPtr*)(_t268 - 0xc));
      										_pop(_t254);
      										_pop(_t261);
      										return E0046F77E(_t230,  *(_t268 - 0x10) ^ _t268, _t248, _t254, _t261);
      									}
      									L44:
      									_t260 = GetSysColor;
      									SetTextColor( *(_t253 + 0x18), GetSysColor(8));
      									SetBkColor( *(_t253 + 0x18), GetSysColor(5));
      									goto L45;
      								}
      								if(( *(_t253 + 0x10) & 0x00000001) != 0) {
      									FrameRect( *(_t253 + 0x18), _t253 + 0x1c, GetSysColorBrush(5));
      									_t162 = CreateSolidBrush( *0x4bd8ac);
      									asm("movdqu xmm0, [esi]");
      									_t255 = _t162;
      									asm("movdqu [ebp-0x2120], xmm0");
      									InflateRect(_t268 - 0x2120, 0xffffffff, 0xffffffff);
      									FrameRect( *( *((intOrPtr*)(_t268 - 0x2150)) + 0x18), _t268 - 0x2120, _t255);
      									DeleteObject(_t255);
      									_t253 =  *((intOrPtr*)(_t268 - 0x2150));
      								}
      								goto L44;
      							}
      							while(_t260 <  *((intOrPtr*)(_t253 + 0x24)) -  *(_t253 + 0x1c)) {
      								 *(_t268 - 0x21b4) = 3;
      								SendMessageW( *(_t268 - 0x2160), 0x105f,  *(_t268 + _t233 * 4 - 0x2110), _t268 - 0x21b4);
      								_t239 =  *(_t253 + 0x1c);
      								_t248 =  *(_t268 - 0x21ac);
      								 *(_t268 - 0x2178) = _t248;
      								 *((intOrPtr*)(_t268 - 0x2204)) = 0x1000;
      								 *(_t268 - 0x2130) = _t239 + _t260;
      								 *((intOrPtr*)(_t268 - 0x212c)) =  *((intOrPtr*)(_t253 + 0x20));
      								 *((intOrPtr*)(_t268 - 0x2124)) =  *((intOrPtr*)(_t253 + 0x28));
      								 *((intOrPtr*)(_t268 - 0x2128)) = _t239 + _t248 + _t260;
      								 *(_t268 - 0x2214) =  *(_t268 +  *(_t268 - 0x214c) * 4 - 0x2110);
      								 *((intOrPtr*)(_t268 - 0x2208)) = _t268 - 0x2010;
      								SendMessageW( *(_t268 - 0x2160), 0x1073,  *(_t253 + 8), _t268 - 0x221c);
      								_t184 =  *((intOrPtr*)(0x4bd794 +  *(_t268 +  *(_t268 - 0x214c) * 4 - 0x2110) * 4));
      								if(_t184 == 0x9c75 || _t184 == 0x9c77) {
      									_t263 = GetSystemMetrics(0x31);
      									 *(_t268 - 0x2164) = _t263;
      									 *(_t268 - 0x2158) = GetSystemMetrics(0x32);
      									if( *((intOrPtr*)(0x4bd794 +  *(_t268 +  *(_t268 - 0x214c) * 4 - 0x2110) * 4)) != 0x9c75) {
      										_t190 = ( *( *((intOrPtr*)(_t268 - 0x2188)) + 8) & 0x0000ffff) - 1;
      										if(_t190 > 4) {
      											L35:
      											asm("movdqu xmm0, [ebp-0x2130]");
      											asm("movd eax, xmm0");
      											asm("movdqu [ebp-0x2120], xmm0");
      											 *((intOrPtr*)(_t268 - 0x2118)) = _t190 + _t263;
      											_t264 = CreateSolidBrush(GetBkColor( *(_t253 + 0x18)));
      											FillRect( *(_t253 + 0x18), _t268 - 0x2120, _t264);
      											DeleteObject(_t264);
      											_t197 =  *((intOrPtr*)(_t268 - 0x2124));
      											_t265 =  *((intOrPtr*)(_t268 - 0x212c));
      											_t243 = _t197 - _t265;
      											_t249 =  *(_t268 - 0x2164);
      											_t250 =  <  ? _t243 : _t249;
      											 *(_t268 - 0x216c) =  <  ? _t243 : _t249;
      											_t248 =  <  ? _t243 :  *(_t268 - 0x2158);
      											_t244 =  *(_t268 - 0x2130);
      											 *(_t268 - 0x2168) = _t248;
      											 *(_t268 - 0x217c) = _t244;
      											asm("cdq");
      											_t202 = (_t197 - _t248 - _t265 - _t248 >> 1) + _t265;
      											 *(_t268 - 0x2174) = _t202;
      											if(( *(_t253 + 0x10) & 0x00000001) == 0) {
      												DrawIconEx( *(_t253 + 0x18), _t244, _t202,  *(_t268 - 0x2148),  *(_t268 - 0x216c),  *(_t268 - 0x2168), 0, 0, 3);
      											} else {
      												_t267 = ImageList_Create( *(_t268 - 0x2164),  *(_t268 - 0x2158), 0xfe, 1, 1);
      												ImageList_SetBkColor(_t267, GetSysColor(5));
      												ImageList_DrawEx(_t267, ImageList_ReplaceIcon(_t267, 0xffffffff,  *(_t268 - 0x2148)),  *(_t253 + 0x18),  *(_t268 - 0x217c),  *(_t268 - 0x2174),  *(_t268 - 0x216c),  *(_t268 - 0x2168), 0xff000000, 0xff000000, 4);
      												ImageList_Destroy(_t267);
      											}
      											asm("movdqu xmm0, [ebp-0x2130]");
      											asm("movdqu [ebp-0x2120], xmm0");
      											_t204 = GetSystemMetrics(0x31);
      											_t256 =  *(_t253 + 0x18);
      											 *(_t268 - 0x2120) =  *(_t268 - 0x2120) + _t204;
      											_t266 = CreateSolidBrush(GetBkColor(_t256));
      											FillRect(_t256, _t268 - 0x2120, _t266);
      											DeleteObject(_t266);
      											SetBkMode(_t256, 2);
      											asm("movdqu xmm0, [ebp-0x2120]");
      											asm("movdqu [ebp-0x2140], xmm0");
      											DrawTextW(_t256, _t268 - 0x2010, 0xffffffff, _t268 - 0x2140, 0x40824);
      											_t253 =  *((intOrPtr*)(_t268 - 0x2150));
      											_t260 =  *((intOrPtr*)(_t268 - 0x2170));
      											goto L39;
      										}
      										switch( *((intOrPtr*)(_t190 * 4 +  &M00425584))) {
      											case 0:
      												_t190 =  *0x4bcb28;
      												goto L34;
      											case 1:
      												__eax =  *0x4bcb20;
      												goto L34;
      											case 2:
      												__eax =  *0x4bcb24;
      												goto L34;
      											case 3:
      												__eax =  *0x4bcb2c;
      												goto L34;
      											case 4:
      												__eax =  *0x4bcb30;
      												L34:
      												 *(_t268 - 0x2148) = _t190;
      												goto L35;
      										}
      									}
      									_t190 = E004119A0(_t268 - 0x2190, _t248, 0x10);
      									goto L34;
      								} else {
      									E00424E50( *(_t253 + 0x18), _t268 - 0x2010, _t268 - 0x2130,  *(_t268 - 0x21b0) & 1);
      									L39:
      									_t260 = _t260 +  *(_t268 - 0x2178);
      									_t233 =  *(_t268 - 0x214c) + 1;
      									 *((intOrPtr*)(_t268 - 0x2170)) = _t260;
      									 *(_t268 - 0x214c) = _t233;
      									_t283 = _t233 -  *0x4bd790; // 0x0
      									if(_t283 < 0) {
      										continue;
      									}
      									goto L40;
      								}
      							}
      							goto L40;
      						}
      					}
      					_t229 = E00414070(0x4bcac0, _t268 - 0x2190);
      					 *((char*)(_t268 - 0x2141)) = 1;
      					if(_t229 != 0) {
      						goto L9;
      					}
      					goto L8;
      				} else {
      					do {
      						 *(_t268 + _t142 * 4 - 0x2110) = _t142;
      						_t142 = _t142 + 1;
      					} while (_t142 < __esi);
      					goto L6;
      				}
      			}

      APIs
      • SelectObject.GDI32(?), ref: 004250AD
      • GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004250C5
      • GetSysColor.USER32(0000000E), ref: 004250D5
      • GetSysColor.USER32(00000005), ref: 00425105
      • SetTextColor.GDI32(?,?), ref: 00425113
      • SetBkColor.GDI32(?,00000000), ref: 0042511D
      • SendMessageW.USER32(?,0000105F,?,?), ref: 00425171
      • SendMessageW.USER32(?,00001073,?,?), ref: 004251EA
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Color$MessageSend$FocusObjectSelectText
      • String ID:
      • API String ID: 2150165941-0
      • Opcode ID: ccc14526c630b5567e46bbfdc53b318355e4e62cfbffe7c4b46051b2a4517ef4
      • Instruction ID: f9f0680dc360dec6eb4b1c5f52e97cf4b63a5cba5829861001dd65f08921cda0
      • Opcode Fuzzy Hash: ccc14526c630b5567e46bbfdc53b318355e4e62cfbffe7c4b46051b2a4517ef4
      • Instruction Fuzzy Hash: C2916E71900628EFCB21DF64DC4CAE9BBB4BF28304F5046EAEA49A2260D7345DD5CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 81%
      			E00452450(void* __edx, struct HWND__* _a4, intOrPtr _a8, char _a12) {
      				long _v8;
      				char _v16;
      				signed int _v20;
      				short _v540;
      				struct HWND__* _v544;
      				intOrPtr _v548;
      				void* _v552;
      				char _v556;
      				intOrPtr _v560;
      				struct _CRITICAL_SECTION* _v564;
      				char _v568;
      				struct HWND__* _v580;
      				char _v588;
      				struct HWND__* _v600;
      				char _v608;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t62;
      				signed int _t63;
      				void* _t66;
      				char _t70;
      				char _t75;
      				struct HWND__* _t80;
      				char _t81;
      				intOrPtr _t83;
      				struct HWND__* _t99;
      				int _t114;
      				struct HWND__* _t124;
      				void* _t125;
      				intOrPtr _t133;
      				intOrPtr* _t134;
      				struct HWND__* _t136;
      				intOrPtr _t138;
      				void* _t160;
      				void* _t161;
      				void* _t162;
      				signed int _t164;
      				void* _t165;
      				void* _t167;
      				void* _t168;
      				intOrPtr* _t170;
      
      				_t156 = __edx;
      				_push(0xffffffff);
      				_push(E0048B4E7);
      				_push( *[fs:0x0]);
      				_t62 =  *0x4bb1dc; // 0x2927074f
      				_t63 = _t62 ^ _t164;
      				_v20 = _t63;
      				_push(_t161);
      				_push(_t63);
      				 *[fs:0x0] =  &_v16;
      				_t159 = _a8;
      				_t124 = _a4;
      				E00471495(_a8, 0x5c);
      				_t66 = E00471495(_a8, 0x2e);
      				_t167 = _t165 - 0x250 + 0x10;
      				if(_t66 == 0) {
      					L29:
      					MessageBoxW(_t124, L"Log files must be native Process Monitor log files with a .pml extension.", L"Process Monitor", 0x10);
      					__eflags = 0;
      					L30:
      					 *[fs:0x0] = _v16;
      					_pop(_t160);
      					_pop(_t162);
      					_pop(_t125);
      					return E0046F77E(_t125, _v20 ^ _t164, _t156, _t160, _t162);
      				}
      				_t70 = E0046F283(_t124, _t159, _t161, _t66, L".PML");
      				_t168 = _t167 + 8;
      				if(_t70 != 0) {
      					goto L29;
      				}
      				_v552 = _t70;
      				_v548 = _t70;
      				_v552 = E0045CBA0();
      				_v8 = 0;
      				E00467CF0( &_v552, _t156, _t159);
      				_t133 = _v548;
      				if(_t133 != 0) {
      					__eflags = _a12;
      					if(_a12 != 0) {
      						__eflags = _t133 - 1;
      						if(_t133 > 1) {
      							__eflags = _t133 - 2;
      							_t107 =  !=  ? "s" : 0x48fc20;
      							_t156 = L"are";
      							_push( !=  ? "s" : 0x48fc20);
      							_push(_t133 - 1);
      							_t110 =  !=  ? L"are" : L"is";
      							L00401F90( &_v540, L"There %s %d additional file%s associated with this log. Do you wish to open all files?",  !=  ? L"are" : L"is");
      							_t168 = _t168 + 0x14;
      							_t114 = MessageBoxW(_t124,  &_v540, L"Process Monitor", 0x24);
      							__eflags = _t114 - 6;
      							if(_t114 != 6) {
      								E0041A110( &_v552);
      								E0040C980(_t124,  &_v544, _t159);
      								_v8 = 1;
      								E00445160( &_v552,  &_v568, 0,  &_v544,  *0x4bdce3 & 0x000000ff);
      								_t155 = _v544;
      								_v8 = 0;
      								__eflags = _v544;
      								if(_v544 != 0) {
      									E0046A700(_t155);
      								}
      							}
      						}
      					}
      					_t163 = SendMessageW;
      					SendMessageW( *0x4bd2c0, 0x111, 0x9c8a, 0);
      					__eflags =  *0x4bd895;
      					if( *0x4bd895 != 0) {
      						SendMessageW( *0x4bd2c0, 0x111, 0x9c53, 0);
      					}
      					UpdateWindow( *0x4bd2c0);
      					_v564 = 0x4bca10;
      					EnterCriticalSection(0x4bca10);
      					_t134 = _v552;
      					_v8 = 2;
      					_t75 =  *_t134;
      					_v556 = _t75;
      					__eflags = _t75 - _t134;
      					if(_t75 == _t134) {
      						L19:
      						E004175E0(0x4bca10,  &_v608, 0, 0);
      						_t136 = _v600;
      						_v8 = 4;
      						__eflags = _t136;
      						if(_t136 == 0) {
      							E004175E0(0x4bca10,  &_v588, 1, 0);
      							_t80 = _v580;
      							__eflags = _t80;
      							if(_t80 == 0) {
      								asm("xorps xmm0, xmm0");
      								asm("movlpd [ebp-0x22c], xmm0");
      								_t81 = _v556;
      								_t138 = _v560;
      							} else {
      								_t138 =  *((intOrPtr*)(_t80 + 0x1c));
      								_t81 =  *((intOrPtr*)(_t80 + 0x20));
      							}
      							 *0x4bb0c8 = _t138;
      							 *0x4bb0cc = _t81;
      							E0040F960( &_v588, _t163);
      						} else {
      							 *0x4bb0c8 =  *((intOrPtr*)(_t136 + 0x1c));
      							 *0x4bb0cc =  *((intOrPtr*)(_t136 + 0x20));
      						}
      						_t83 = E00417640(0x4bca10);
      						__eflags =  *0x4bd2c0;
      						 *0x4bb0d0 = _t83;
      						if(__eflags != 0) {
      							E00418140(0x4bca10, __eflags, 0);
      							E004366B0( *0x4bca28, 0, 1);
      							_t170 = _t168 + 8;
      							_t163 = _t170;
      							 *_t170 = E0046A6C0(_t124, _t159, E0046A530(_t159));
      							_push( *0x4bd2c0);
      							L00459F80(_t124, __eflags);
      							_t168 = _t170 + 0x14;
      						}
      						_v8 = 2;
      						E0040F960( &_v608, _t163);
      						LeaveCriticalSection(0x4bca10);
      						goto L28;
      					} else {
      						while(1) {
      							_t28 = _t75 + 0x10; // 0x10
      							L00417E80(0x4bca10, _t156,  &_v544, E0046A170(_t28));
      							_v8 = 3;
      							_t99 = E0046A720( &_v544);
      							__eflags = _t99;
      							if(_t99 != 0) {
      								break;
      							}
      							_t150 = _v544;
      							_v8 = 2;
      							__eflags = _v544;
      							if(_v544 != 0) {
      								E0046A700(_t150);
      							}
      							E00462600( &_v556);
      							_t75 = _v556;
      							__eflags = _t75 - _v552;
      							if(_t75 != _v552) {
      								continue;
      							} else {
      								goto L19;
      							}
      						}
      						MessageBoxW(_t124, E0046A170( &_v544), L"Process Monitor", 0x10);
      						_t149 = _v544;
      						_v8 = 2;
      						__eflags = _v544;
      						if(_v544 != 0) {
      							E0046A700(_t149);
      						}
      						goto L19;
      					}
      				} else {
      					MessageBoxW(_t124, L"The specified log file does not exist.", L"Process Monitor", 0x10);
      					L28:
      					_v8 = 0xffffffff;
      					E0040E1E0( &_v552,  &_v564,  *_v552, _v552);
      					E0046EF07(_v552);
      					goto L30;
      				}
      			}

      APIs
      • _wcsrchr.LIBCMT ref: 00452487
      • _wcsrchr.LIBCMT ref: 0045248F
      • MessageBoxW.USER32(?,Log files must be native Process Monitor log files with a .pml extension.,Process Monitor,00000010), ref: 004527F6
        • Part of subcall function 00467CF0: _wcsrchr.LIBCMT ref: 00467D4B
        • Part of subcall function 00467CF0: _wcsrchr.LIBCMT ref: 00467D6D
      • MessageBoxW.USER32(?,The specified log file does not exist.,Process Monitor,00000010), ref: 004524FC
      • MessageBoxW.USER32(?,?,Process Monitor,00000024), ref: 00452562
      • SendMessageW.USER32(00000111,00009C8A,00000000,?), ref: 004525D6
      • SendMessageW.USER32(00000111,00009C53,00000000), ref: 004525F3
      • UpdateWindow.USER32 ref: 004525FB
      • EnterCriticalSection.KERNEL32(004BCA10,?,?,2927074F,?,?), ref: 00452610
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Message$_wcsrchr$Send$CriticalEnterSectionUpdateWindow
      • String ID: .PML$Log files must be native Process Monitor log files with a .pml extension.$Process Monitor$The specified log file does not exist.$There %s %d additional file%s associated with this log. Do you wish to open all files?$are
      • API String ID: 69219730-1070824263
      • Opcode ID: 1ea4e922c0f184178e43e1f8ede2855a40dd2c50d1f833b646687a8a2abd8d5c
      • Instruction ID: 49bf81bbb22243ec2056dba56c986f23af977b119579986f7cb06c235f762c60
      • Opcode Fuzzy Hash: 1ea4e922c0f184178e43e1f8ede2855a40dd2c50d1f833b646687a8a2abd8d5c
      • Instruction Fuzzy Hash: B3A1D874940208BBDB14EB60DD95BEE77B4AF09305F1001ABF805B7292EB785E48CF59
      Uniqueness

      Uniqueness Score: -1.00%
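
      E00452450 above gates log loading on the file name: two _wcsrchr calls (for '\' and '.'), a compare of the tail against ".PML", a load that reports "The specified log file does not exist." when nothing comes back, and a pluralised prompt when more than one file is associated with the log. As an added example, not code from the report or from Process Monitor, the Python below reproduces that validation together with the edge cases a last-dot check alone gets wrong (a dot inside a directory name, a double extension). It assumes that E0046F283 is a case-insensitive compare (the error text says ".pml" while the literal is ".PML") and that the unnamed string at 0x48fc20 is the empty string; both are inferences from the decompile, not facts the report states. The decompiler output shows only the '.' search result being used; the example uses both, which is the defensive form.

```python
from typing import Optional

# Format string and fixed messages as they appear in the decompile.
PROMPT = ("There %s %d additional file%s associated with this log. "
          "Do you wish to open all files?")
MSG_BAD_EXTENSION = ("Log files must be native Process Monitor log files "
                     "with a .pml extension.")
MSG_MISSING = "The specified log file does not exist."


def log_extension(path: str) -> Optional[str]:
    """Extension (with its dot) of the last path component, or None.

    The last separator is located first, mirroring the two _wcsrchr calls,
    so a dot inside a directory name is never taken as the file's extension.
    '/' is accepted as well because the Win32 path APIs accept it.
    """
    sep = max(path.rfind("\\"), path.rfind("/"))
    dot = path.rfind(".")
    if dot <= sep:            # no dot after the last separator: no extension
        return None
    return path[dot:]


def is_native_pml(path: str) -> bool:
    """Assumption: E0046F283 compares case-insensitively against ".PML"."""
    ext = log_extension(path)
    return ext is not None and ext.upper() == ".PML"


def open_log_message(path: str, exists: bool) -> Optional[str]:
    """Error text E00452450 would display, or None when the log can be opened.

    The extension check runs before the existence check, as in the decompile,
    so a missing file with the wrong extension gets the extension message.
    """
    if not is_native_pml(path):
        return MSG_BAD_EXTENSION
    if not exists:
        return MSG_MISSING
    return None


def additional_files_prompt(total_files: int) -> Optional[str]:
    """Prompt shown only when more than one file is associated.

    'is'/'are' and the trailing 's' are chosen on total_files != 2, i.e. on
    whether more than one *additional* file exists, exactly as the decompile
    selects them (the empty string stands in for the unnamed 0x48fc20).
    """
    if total_files <= 1:
        return None
    extra = total_files - 1
    verb, plural = ("is", "") if extra == 1 else ("are", "s")
    return PROMPT % (verb, extra, plural)


if __name__ == "__main__":
    for p in (r"C:\captures\Logfile.PML", r"C:\logs.pml\capture", r"C:\captures\a.pml.txt"):
        print(p, "->", open_log_message(p, exists=True))
    for n in (1, 2, 4):
        print(n, "->", additional_files_prompt(n))
```

      The separator-first search is the part worth keeping in any extension check: without it a path such as C:\logs.pml\capture reports ".pml\capture" as its extension and the comparison fails for the wrong reason, while a naive "ends with .pml" test on a lower-cased string would accept it.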

      C-Code - Quality: 79%
      			E004585D0(struct HWND__* _a4, void* _a8, short* _a12) {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				struct _WINDOWPLACEMENT _v52;
      				struct tagRECT _v68;
      				int _v72;
      				int _v76;
      				int _v80;
      				int _v84;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t40;
      				void* _t47;
      				long _t51;
      				int _t54;
      				intOrPtr _t58;
      				intOrPtr _t59;
      				intOrPtr _t60;
      				intOrPtr _t61;
      				void* _t79;
      				long _t80;
      				signed char _t83;
      				intOrPtr _t84;
      				void* _t86;
      				void* _t93;
      				intOrPtr _t94;
      				long _t95;
      				intOrPtr _t103;
      				struct HWND__* _t108;
      				void* _t109;
      				void* _t110;
      				long _t111;
      				intOrPtr _t112;
      				signed int _t115;
      
      				_t40 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t40 ^ _t115;
      				asm("xorps xmm0, xmm0");
      				_t108 = _a4;
      				_t102 =  &_v52;
      				_v52.length = 0;
      				asm("movdqu [ebp-0x2c], xmm0");
      				_v84 = 0x2c;
      				asm("movdqu [ebp-0x1c], xmm0");
      				asm("movq [ebp-0xc], xmm0");
      				if(RegQueryValueExW(_a8, _a12, 0, 0,  &_v52,  &_v84) == 0 && _v52.length == 0x2c) {
      					_push(_t79);
      					_push(_t110);
      					_t80 = GetWindowLongW(_t108, 0xfffffff0);
      					_t47 = _v52.showCmd - 2;
      					if(_t47 == 0) {
      						_t80 = _t80 & 0xfeffffff | 0x20000000;
      						goto L6;
      					} else {
      						if(_t47 == 1) {
      							_t80 = _t80 & 0xdfffffff | 0x01000000;
      							L6:
      							SetWindowLongW(_t108, 0xfffffff0, _t80);
      						}
      					}
      					GetWindowRect(_t108,  &_v68);
      					_t111 = _v52.rcNormalPosition.left;
      					_t103 = _v68.right;
      					_t51 = _v68.left;
      					_t83 = _t80 >> 0x00000012 & 0x00000001;
      					if(_t83 == 0) {
      						L10:
      						_v16 = _t103 - _t51 + _t111;
      					} else {
      						if(_v16 - _t111 < _t103 - _t51) {
      							_t51 = _v68.left;
      							goto L10;
      						}
      					}
      					_t112 = _v20;
      					_t102 = _v68.bottom;
      					_t84 = _v68.top;
      					if(_t83 == 0 || _v12 - _t112 < _t102 - _t84) {
      						_v12 = _t102;
      					}
      					_v80 = GetSystemMetrics(0x4c);
      					_v72 = GetSystemMetrics(0x4d);
      					_t54 = GetSystemMetrics(0x4e);
      					_t86 = _t54 + GetSystemMetrics(0x4c);
      					_v76 = GetSystemMetrics(0x4f);
      					_t93 = _v76 + GetSystemMetrics(0x4d);
      					_t58 = _v12;
      					if(_t58 > _t93) {
      						OffsetRect( &(_v52.rcNormalPosition), 0, _t93 - _t58);
      					}
      					_t94 = _v20;
      					_t59 = _v72;
      					if(_t94 < _t59) {
      						OffsetRect( &(_v52.rcNormalPosition), 0, _t59 - _t94);
      					}
      					_t60 = _v16;
      					if(_t60 > _t86) {
      						OffsetRect( &(_v52.rcNormalPosition), _t86 - _t60, 0);
      					}
      					_t95 = _v52.rcNormalPosition.left;
      					_t61 = _v80;
      					if(_t95 < _t61) {
      						OffsetRect( &(_v52.rcNormalPosition), _t61 - _t95, 0);
      					}
      					_v52.showCmd = 0;
      					SetWindowPlacement(_t108,  &_v52);
      					_pop(_t110);
      					_pop(_t79);
      				}
      				_pop(_t109);
      				return E0046F77E(_t79, _v8 ^ _t115, _t102, _t109, _t110);
      			}

      APIs
      • RegQueryValueExW.ADVAPI32(004463F1,?,00000000,00000000,?,?), ref: 00458618
      • GetWindowLongW.USER32(?,000000F0), ref: 00458635
      • SetWindowLongW.USER32 ref: 00458666
      • GetWindowRect.USER32 ref: 00458674
      • GetSystemMetrics.USER32 ref: 004586C8
      • GetSystemMetrics.USER32 ref: 004586CF
      • GetSystemMetrics.USER32 ref: 004586D6
      • GetSystemMetrics.USER32 ref: 004586DC
      • GetSystemMetrics.USER32 ref: 004586E2
      • GetSystemMetrics.USER32 ref: 004586E9
      • OffsetRect.USER32(?,00000000,?), ref: 00458706
      • OffsetRect.USER32(?,00000000,?), ref: 0045871B
      • OffsetRect.USER32(?,00000000,00000000), ref: 0045872D
      • OffsetRect.USER32(?,?,00000000), ref: 00458742
      • SetWindowPlacement.USER32(?,0000002C,?,?), ref: 00458750
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MetricsSystem$Rect$OffsetWindow$Long$PlacementQueryValue
      • String ID: ,$,
      • API String ID: 2925993089-220654547
      • Opcode ID: d54e268140c40cb680cdf6d199bc868076a796492143d80725484e702959ed70
      • Instruction ID: 09dbf5097d59a0b0aa3c53905dbd9848ef27802076fba8360e7f762c6c1c9ba8
      • Opcode Fuzzy Hash: d54e268140c40cb680cdf6d199bc868076a796492143d80725484e702959ed70
      • Instruction Fuzzy Hash: 28515371E00219AFDF10CFA8CC85BAEBBB9EB48311F10462AE911F7281DB786D458B54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E00464320(void* _a4) {
      				signed int _v8;
      				char _v276;
      				char _v540;
      				char _v544;
      				CHAR* _v548;
      				intOrPtr _v552;
      				CHAR* _v556;
      				char* _v560;
      				CHAR* _v564;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t30;
      				_Unknown_base(*)()* _t53;
      				void* _t61;
      				void* _t65;
      				void* _t66;
      				struct HINSTANCE__* _t67;
      				void* _t68;
      				signed int _t70;
      				signed int _t71;
      
      				_t30 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t30 ^ _t71;
      				_v564 = "getaddrinfo";
      				_v560 =  &M00463E30;
      				_v556 = "getnameinfo";
      				_v552 = E004640D0;
      				_v548 = "freeaddrinfo";
      				_v544 = E00463DE0;
      				if( *0x4c2530 == 0) {
      					if(GetSystemDirectoryA( &_v540, 0x104) != 0) {
      						_push(_t61);
      						_push(_t68);
      						_push(_t66);
      						E00473785( &_v276, 0x10c,  &_v540);
      						E004737DA( &_v276, 0x10c, "\\ws2_32");
      						_t67 = LoadLibraryA( &_v276);
      						if(_t67 == 0) {
      							L5:
      							E00473785( &_v276, 0x10c,  &_v540);
      							E004737DA( &_v276, 0x10c, "\\wship6");
      							_t67 = LoadLibraryA( &_v276);
      							if(_t67 != 0) {
      								if(GetProcAddress(_t67, "getaddrinfo") != 0) {
      									goto L8;
      								} else {
      									FreeLibrary(_t67);
      								}
      							}
      						} else {
      							if(GetProcAddress(_t67, "getaddrinfo") != 0) {
      								L8:
      								_t70 = 0;
      								while(1) {
      									_t53 = GetProcAddress(_t67,  *(_t71 + _t70 * 8 - 0x230));
      									 *(_t71 + _t70 * 8 - 0x22c) = _t53;
      									if(_t53 == 0) {
      										break;
      									}
      									_t70 = _t70 + 1;
      									if(_t70 < 3) {
      										continue;
      									} else {
      										 *0x4bb19c = _v560;
      										 *0x4bb1a4 = _v552;
      										_t25 =  &_v544; // 0x463de0
      										 *0x4bb1ac =  *_t25;
      									}
      									goto L13;
      								}
      								FreeLibrary(_t67);
      							} else {
      								FreeLibrary(_t67);
      								goto L5;
      							}
      						}
      						L13:
      						_pop(_t66);
      						_pop(_t68);
      						_pop(_t61);
      					}
      					 *0x4c2530 = 1;
      				}
      				return E0046F77E(_t61, _v8 ^ _t71, _t65, _t66, _t68);
      			}

      APIs
      • GetSystemDirectoryA.KERNEL32 ref: 00464388
      • LoadLibraryA.KERNEL32(?,?,?,?,?,?), ref: 004643D1
      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004643EF
      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?), ref: 004643F6
      • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00464430
      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00464442
      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00464449
      • GetProcAddress.KERNEL32(00000000,004A6D48), ref: 00464458
      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0046448F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Library$AddressFreeProc$Load$DirectorySystem
      • String ID: HmJ$TmJ$\ws2_32$\wship6$`mJ$getaddrinfo$=F
      • API String ID: 2490988753-842671920
      • Opcode ID: 923fdf4e2d058ea9f58702b57a0cc7bbbe1c7b26b6e0863737555a8ce57ba8bb
      • Instruction ID: 24a28b71282f6163004de0a3a00d08cdc0c68429ed15a3569852f281c4f495b5
      • Opcode Fuzzy Hash: 923fdf4e2d058ea9f58702b57a0cc7bbbe1c7b26b6e0863737555a8ce57ba8bb
      • Instruction Fuzzy Hash: AF41DBB1900218ABCB10DF65DC89BDE77B8FB59344F1445BAE908E3200EBB89E458F59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E0040C660(void* __ecx, struct HWND__* _a4, intOrPtr _a8) {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				struct tagPOINT _v24;
      				struct tagLOGFONTW _v116;
      				struct _WNDCLASSEXW _v164;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t27;
      				void* _t35;
      				struct HFONT__* _t38;
      				struct HINSTANCE__* _t46;
      				struct HWND__* _t47;
      				void* _t53;
      				struct HWND__* _t61;
      				intOrPtr _t62;
      				signed int _t63;
      
      				_t27 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t27 ^ _t63;
      				_t62 = _a8;
      				_t53 = __ecx;
      				_t61 = _a4;
      				if(_t61 != 0) {
      					E00470030( &(_v164.style), 0, 0x2c);
      					_v164.cbSize = 0x30;
      					_v164.style = 3;
      					_v164.lpfnWndProc = E0040C470;
      					_v164.hCursor = LoadCursorW(0, 0x7f89);
      					_v164.hbrBackground = 0x10;
      					_v164.lpszClassName = L"HyperlinkClass";
      					_v164.lpszMenuName = 0;
      					RegisterClassExW( &_v164);
      					_t35 = SendMessageW(_t61, 0x31, 0, 0);
      					 *(_t53 + 4) = _t35;
      					GetObjectW(_t35, 0x5c,  &_v116);
      					_v116.lfUnderline = 1;
      					_t38 = CreateFontIndirectW( &_v116);
      					_t17 = _t53 + 0x10; // 0x4bc8c4
      					 *(_t53 + 8) = _t38;
      					 *(_t53 + 0xc) = _t61;
      					 *_t53 = 0;
      					E00402120(_t17, _t62);
      					ShowWindow(_t61, 0);
      					GetWindowRect(_t61,  &_v24);
      					_t62 = GetParent;
      					MapWindowPoints(0, GetParent(_t61),  &_v24, 2);
      					_t46 = GetModuleHandleW(0);
      					_t47 = GetParent(_t61);
      					_t60 = _v24.y;
      					CreateWindowExW(0, L"HyperlinkClass", 0x48fc20, 0x50000000, _v24.x, _v24.y, _v16 - _v24.x, _v12 - _v24.y, _t47, 0, _t46, _t53);
      				}
      				return E0046F77E(_t53, _v8 ^ _t63, _t60, _t61, _t62);
      			}

      APIs
      • _memset.LIBCMT ref: 0040C691
      • LoadCursorW.USER32(00000000,00007F89), ref: 0040C6BE
      • RegisterClassExW.USER32 ref: 0040C6E6
      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0040C6F3
      • GetObjectW.GDI32(00000000,0000005C,?,?,?,?), ref: 0040C703
      • CreateFontIndirectW.GDI32(?), ref: 0040C711
        • Part of subcall function 00402120: SysAllocString.OLEAUT32(004BCDC0), ref: 0040218C
      • ShowWindow.USER32(?,00000000,?,?,?,?), ref: 0040C72C
      • GetWindowRect.USER32 ref: 0040C737
      • GetParent.USER32(?), ref: 0040C74A
      • MapWindowPoints.USER32 ref: 0040C74F
      • GetModuleHandleW.KERNEL32(00000000,004BC8B4,?,?,?), ref: 0040C758
      • GetParent.USER32(?), ref: 0040C762
      • CreateWindowExW.USER32 ref: 0040C78A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$CreateParent$AllocClassCursorFontHandleIndirectLoadMessageModuleObjectPointsRectRegisterSendShowString_memset
      • String ID: 0$HyperlinkClass$TaI
      • API String ID: 2850986339-1951003211
      • Opcode ID: 310f22482b504f5a01748eaa50b87afed9e609931a16238c4a777eaee3861dbd
      • Instruction ID: c2bce2cbf5e96bcfd22f0609050a82768a1ef155b7f1eb7b57d7351586721eee
      • Opcode Fuzzy Hash: 310f22482b504f5a01748eaa50b87afed9e609931a16238c4a777eaee3861dbd
      • Instruction Fuzzy Hash: EC314171A00208AFEB10DFA4DC89FAEBBB8EB45705F104569F904E7281D7B469098F65
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E00438350(void* __ecx, signed int __edx, short* _a4, short* _a8, intOrPtr* _a12, intOrPtr _a16) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				char _v534;
      				short _v540;
      				intOrPtr _v544;
      				intOrPtr _v548;
      				char _v552;
      				void* _v560;
      				char _v572;
      				signed int _v576;
      				char _v580;
      				char _v584;
      				char _v588;
      				void* _v592;
      				signed short* _v596;
      				short* _v600;
      				struct _CRITICAL_SECTION* _v604;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t95;
      				signed int _t96;
      				signed int _t99;
      				signed int _t100;
      				char _t105;
      				intOrPtr* _t106;
      				signed int _t108;
      				signed int _t111;
      				signed int _t116;
      				void* _t122;
      				intOrPtr* _t135;
      				signed int _t138;
      				signed int _t141;
      				signed int _t143;
      				short* _t148;
      				signed int _t149;
      				signed int _t155;
      				void* _t157;
      				void* _t159;
      				short* _t164;
      				void* _t165;
      				char _t166;
      				signed int _t167;
      				intOrPtr _t178;
      				signed char _t185;
      				signed int _t192;
      				intOrPtr* _t194;
      				signed int _t196;
      				intOrPtr* _t199;
      				void* _t200;
      				char _t202;
      				signed short* _t203;
      				signed int _t204;
      				signed int _t206;
      				short* _t211;
      				void* _t212;
      				char _t213;
      				signed char* _t214;
      				signed int _t215;
      				void* _t216;
      				void* _t217;
      
      				_t197 = __edx;
      				_t168 = __ecx;
      				_push(0xffffffff);
      				_push(E004898DF);
      				_push( *[fs:0x0]);
      				_t217 = _t216 - 0x24c;
      				_t95 =  *0x4bb1dc; // 0x2927074f
      				_t96 = _t95 ^ _t215;
      				_v20 = _t96;
      				_push(_t96);
      				 *[fs:0x0] =  &_v16;
      				_t164 = _a4;
      				_t211 = _a8;
      				_t199 = _a12;
      				_v600 = _t164;
      				_v596 = _t211;
      				_v576 = _t199;
      				if( *_t164 != 0x5c) {
      					L53:
      					 *[fs:0x0] = _v16;
      					_pop(_t200);
      					_pop(_t212);
      					_pop(_t165);
      					return E0046F77E(_t165, _v20 ^ _t215, _t197, _t200, _t212);
      				} else {
      					if( *_t211 >= 0x19) {
      						_t159 = L0046FE7B(_t164, __ecx, _t211, _t164, L"\\Device\\LanmanRedirector\\", 0x19);
      						_t217 = _t217 + 0xc;
      						if(_t159 == 0) {
      							_t168 = 0x2d;
      							_t161 =  ==  ? 0x2d : 0x19;
      							E00437640(_t164, _t211, 0,  ==  ? 0x2d : 0x19, L"\\\\");
      							_t217 = _t217 + 0x14;
      						}
      					}
      					if( *_t211 < 4) {
      						L7:
      						__eflags =  *_t211 - 0xc;
      						if( *_t211 <= 0xc) {
      							L10:
      							__eflags =  *0x4bd0a2;
      							if( *0x4bd0a2 == 0) {
      								__eflags =  *_t211 - 0xc;
      								if( *_t211 <= 0xc) {
      									L23:
      									_t99 =  *0x4bcdfc; // 0x0
      									__eflags = _t99 & 0x00000001;
      									if((_t99 & 0x00000001) == 0) {
      										_t141 = _t99 | 0x00000001;
      										__eflags = _t141;
      										 *0x4bcdfc = _t141;
      										InitializeCriticalSection(0x4bcde4);
      										E0046FD29(__eflags, E0048D830);
      										_t217 = _t217 + 4;
      									}
      									_v604 = 0x4bcde4;
      									EnterCriticalSection(0x4bcde4);
      									_t100 =  *0x4bcdfc; // 0x0
      									_v8 = 0;
      									__eflags = _t100 & 0x00000002;
      									if((_t100 & 0x00000002) == 0) {
      										_t138 = _t100 | 0x00000002;
      										__eflags = _t138;
      										 *0x4bcdfc = _t138;
      										_v8 = 1;
      										 *0x4bce00 = 0;
      										 *0x4bce04 = 0;
      										 *0x4bce00 = E00438EC0();
      										E0046FD29(__eflags, E0048D7B0);
      										_t217 = _t217 + 4;
      										_v8 = 0;
      									}
      									__eflags =  *0x4bd2ea;
      									if( *0x4bd2ea != 0) {
      										_t135 =  *0x4bce00; // 0x0
      										E004390B0(0x4bce00,  &_v580,  *_t135, _t135);
      									}
      									_v552 =  *_t199;
      									_v548 =  *((intOrPtr*)(_t199 + 4));
      									_v544 = _a16;
      									_t105 = E00439030(0x4bce00,  &_v552);
      									_t166 =  *0x4bce00; // 0x0
      									__eflags = _t105 - _t166;
      									if(_t105 == _t166) {
      										L39:
      										_v580 = _t166;
      										goto L40;
      									} else {
      										_t34 = _t105 + 0x10; // 0x10
      										_t214 = _t34;
      										_t204 = 8;
      										_t197 =  &_v552;
      										while(1) {
      											_t185 =  *_t197;
      											__eflags = _t185 -  *_t214;
      											if(_t185 !=  *_t214) {
      												break;
      											}
      											_t197 = _t197 + 4;
      											_t214 =  &(_t214[4]);
      											_t204 = _t204 - 4;
      											__eflags = _t204;
      											if(_t204 >= 0) {
      												continue;
      											}
      											_t206 = 0;
      											L38:
      											_v580 = _t105;
      											__eflags = _t206;
      											if(_t206 >= 0) {
      												L40:
      												_t202 = _v580;
      												__eflags = _t202 - _t166;
      												if(_t202 == _t166) {
      													_v592 = 0;
      													_v588 = 0;
      													_v592 = E00438EF0();
      													_v8 = 2;
      													_t122 = E00430E30( &_v572,  &_v552,  &_v592);
      													_t197 =  *0x4bcb78 & 0x000000ff;
      													_v8 = 3;
      													E00431410(0x4bce00,  &_v584, 0, _t122,  *0x4bcb78 & 0x000000ff);
      													_t202 = _v584;
      													_v8 = 2;
      													E00439400( &_v560,  &_v580,  *_v560, _v560);
      													E0046EF07(_v560);
      													_v8 = 0;
      													E00439400( &_v592,  &_v580,  *_v592, _v592);
      													E0046EF07(_v592);
      													E0043B9A0( *0x4bcb78 & 0x000000ff, _a16, _v576, _t202 + 0x1c);
      													_t217 = _t217 + 0x14;
      												}
      												_t106 =  *((intOrPtr*)(_t202 + 0x1c));
      												_t213 =  *_t106;
      												_v580 = _t213;
      												__eflags = _t213 - _t106;
      												if(_t213 == _t106) {
      													L52:
      													LeaveCriticalSection(0x4bcde4);
      													goto L53;
      												} else {
      													do {
      														_v576 = E0046A720(_t213 + 0x10);
      														_t108 = E0046A170(_t213 + 0x10);
      														_t167 = _v576;
      														_t197 = _t108;
      														_t176 =  *_v596 & 0x0000ffff;
      														__eflags = _t167 - ( *_v596 & 0x0000ffff);
      														if(_t167 > ( *_v596 & 0x0000ffff)) {
      															goto L47;
      														}
      														_t111 = L0046FE7B(_t167, _t176, _t213, _t197, _v600, _t167);
      														_t217 = _t217 + 0xc;
      														__eflags = _t111;
      														if(_t111 != 0) {
      															goto L47;
      														}
      														_t178 = _v600;
      														__eflags =  *((short*)(_t178 + _t167 * 2)) - 0x5c;
      														if( *((short*)(_t178 + _t167 * 2)) == 0x5c) {
      															L49:
      															_t203 = _v596;
      															_t197 = _t167 + 4;
      															_v576 = _t197;
      															__eflags = ( *_t203 & 0x0000ffff) - _t197;
      															if(( *_t203 & 0x0000ffff) >= _t197) {
      																_t116 = L0046FE7B(_t167, _t178, _t213, _t178 + _t167 * 2, L"\\??\\", 4);
      																_t217 = _t217 + 0xc;
      																__eflags = _t116;
      																_t167 =  ==  ? _v576 : _t167;
      															}
      															E00437640(_v600, _t203, 0, _t167, E0046A170(_t213 + 0x14));
      															goto L52;
      														}
      														__eflags = _t167 - ( *_v596 & 0x0000ffff);
      														if(_t167 == ( *_v596 & 0x0000ffff)) {
      															goto L49;
      														}
      														L47:
      														E00462600( &_v580);
      														_t213 = _v580;
      														__eflags = _t213 -  *((intOrPtr*)(_t202 + 0x1c));
      													} while (_t213 !=  *((intOrPtr*)(_t202 + 0x1c)));
      													goto L52;
      												}
      											}
      											goto L39;
      										}
      										_t206 = (_t185 & 0x000000ff) - ( *_t214 & 0x000000ff);
      										__eflags = _t206;
      										if(_t206 == 0) {
      											_t206 = ( *(_t197 + 1) & 0x000000ff) - (_t214[1] & 0x000000ff);
      											__eflags = _t206;
      											if(_t206 == 0) {
      												_t206 = ( *(_t197 + 2) & 0x000000ff) - (_t214[2] & 0x000000ff);
      												__eflags = _t206;
      												if(_t206 == 0) {
      													_t206 = ( *(_t197 + 3) & 0x000000ff) - (_t214[3] & 0x000000ff);
      													__eflags = _t206;
      												}
      											}
      										}
      										goto L38;
      									}
      								}
      								_t143 = L0046FE7B(_t164, _t168, _t211, _t164, L"\\SystemRoot\\", 0xc);
      								_t217 = _t217 + 0xc;
      								__eflags = _t143;
      								if(_t143 != 0) {
      									goto L23;
      								}
      								_t192 =  *0x4bcde0; // 0x0
      								__eflags = _t192;
      								if(_t192 != 0) {
      									L21:
      									__eflags = _t192 - 0xc;
      									if(_t192 > 0xc) {
      										goto L23;
      									}
      									E00437640(_t164, _t211, 0, 0xc, 0x4bcbd8);
      									goto L53;
      								}
      								GetSystemDirectoryW( &_v540, 0x104);
      								_push(0x5c);
      								_push( &_v534);
      								_t148 = E004713E7(_t192);
      								_t217 = _t217 + 8;
      								__eflags = 0;
      								 *_t148 = 0;
      								_t194 =  &_v540;
      								_t197 = _t194 + 2;
      								do {
      									_t149 =  *_t194;
      									_t194 = _t194 + 2;
      									__eflags = _t149;
      								} while (_t149 != 0);
      								_t196 = _t194 - _t197 >> 1;
      								 *((short*)(_t215 + _t196 * 2 - 0x218)) = 0x5c;
      								_t192 = _t196 + 1;
      								 *0x4bcde0 = _t192;
      								__eflags = _t192 + _t192 - 0x208;
      								if(_t192 + _t192 >= 0x208) {
      									E00472AA1();
      								}
      								goto L21;
      							}
      							__eflags =  *_t164 - 0x5c;
      							if( *_t164 == 0x5c) {
      								__eflags =  *((short*)(_t164 + 2)) - 0x5c;
      								if( *((short*)(_t164 + 2)) != 0x5c) {
      									E00438850(GetActiveWindow(), _t164, _t211, 0);
      								}
      							}
      							goto L53;
      						}
      						_t155 = L0046FE7B(_t164, _t168, _t211, _t164, L"\\Device\\Mup\\", 0xc);
      						_t217 = _t217 + 0xc;
      						__eflags = _t155;
      						if(_t155 != 0) {
      							goto L10;
      						} else {
      							E00437640(_t164, _t211, _t155, 0xc, L"\\\\");
      							goto L53;
      						}
      					}
      					_t157 = E0047262B(_t164, L"\\??\\", 4);
      					_t217 = _t217 + 0xc;
      					if(_t157 != 0) {
      						goto L7;
      					} else {
      						E00437640(_t164, _t211, _t157, 4, 0x48fc20);
      						goto L53;
      					}
      				}
      			}

      APIs
      • __wcsnicmp.LIBCMT ref: 004383B1
      • GetActiveWindow.USER32 ref: 00438461
        • Part of subcall function 00438850: InitializeCriticalSection.KERNEL32(004BCBB8,2927074F,?,?,?,?,?,00000000), ref: 0043888E
        • Part of subcall function 00438850: EnterCriticalSection.KERNEL32(004BCBB8,2927074F,?,?,?,?), ref: 004388B5
        • Part of subcall function 00438850: __wcsnicmp.LIBCMT ref: 004388F3
      • __wcsnicmp.LIBCMT ref: 0043848B
      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004384B1
      • _wcschr.LIBCMT ref: 004384C0
      • __wcsnicmp.LIBCMT ref: 00438420
        • Part of subcall function 00437640: _memmove.LIBCMT ref: 0043766E
        • Part of subcall function 00437640: _memmove.LIBCMT ref: 00437694
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: __wcsnicmp$CriticalSection_memmove$ActiveDirectoryEnterInitializeSystemWindow_wcschr
      • String ID: \??\$\Device\LanmanRedirector\$\Device\Mup\$\SystemRoot\
      • API String ID: 4155568516-728346552
      • Opcode ID: a9c504822a56afe821507593bdfcfe21c667bd95bec0f04d977bf42b06d6c889
      • Instruction ID: 33aff677deac7ee83bad6304d7538201efdc971d1875dc42ddf1bb4949f27ac8
      • Opcode Fuzzy Hash: a9c504822a56afe821507593bdfcfe21c667bd95bec0f04d977bf42b06d6c889
      • Instruction Fuzzy Hash: B2D1FA70D00315ABDB20AF65DC85B9AB7B5EB18304F1055AFF409A3291EB789E44CF99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 81%
      			E0045A350(void* __edx, void* __eflags, intOrPtr* _a4) {
      				WCHAR* _v8;
      				char _v16;
      				signed int _v20;
      				char _v538;
      				char _v540;
      				WCHAR* _v544;
      				WCHAR* _v548;
      				char _v552;
      				WCHAR* _v556;
      				WCHAR* _v560;
      				char _v564;
      				char _v568;
      				WCHAR** _v572;
      				char _v576;
      				WCHAR** _v580;
      				char _v584;
      				char _v588;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t77;
      				signed int _t78;
      				struct HICON__* _t84;
      				char _t100;
      				intOrPtr* _t105;
      				intOrPtr _t106;
      				void* _t110;
      				long _t113;
      				WCHAR* _t122;
      				WCHAR* _t131;
      				WCHAR* _t138;
      				WCHAR* _t145;
      				void* _t156;
      				void* _t186;
      				intOrPtr* _t189;
      				void* _t190;
      				WCHAR** _t193;
      				WCHAR** _t194;
      				WCHAR** _t195;
      				WCHAR** _t196;
      				void* _t197;
      				signed int _t198;
      				void* _t199;
      				void* _t203;
      				void* _t204;
      
      				_t186 = __edx;
      				_push(0xffffffff);
      				_push(0x48bf04);
      				_push( *[fs:0x0]);
      				_t77 =  *0x4bb1dc; // 0x2927074f
      				_t78 = _t77 ^ _t198;
      				_v20 = _t78;
      				_push(_t78);
      				 *[fs:0x0] =  &_v16;
      				_t154 = _a4;
      				_v540 = 0;
      				E00470030( &_v538, 0, 0x206);
      				_t84 = SetCursor(LoadCursorW(0, 0x7f02));
      				E0046C230( *_a4);
      				E0046B7A0(_a4, _t186,  &_v564,  *_t154, _t154 + 4, 0, 0,  &_v540);
      				_v8 = 0;
      				E0046B0A0( *_t154);
      				SetCursor(_t84);
      				_v544 = 0;
      				_v548 = 0;
      				_v8 = 2;
      				E0046B420(E0046A170( &_v564),  &_v544,  &_v548);
      				_v552 = E0046A6C0(_t154,  &_v540, E0046A530( &_v540));
      				_v8 = 3;
      				_t100 = E0046A6C0(_t154, ";", E0046A530(";"));
      				_t203 = _t199 - 0x23c + 0x50;
      				_v568 = _t100;
      				_v8 = 4;
      				E00402050(";");
      				_v8 = 5;
      				E00402050(E0046A170( &_v544));
      				_v8 = 6;
      				_t105 =  *((intOrPtr*)(E0040ECF0( &_v556,  &_v572)));
      				_v8 = 7;
      				if(_t105 == 0) {
      					_t106 = 0;
      				} else {
      					_t106 =  *_t105;
      				}
      				E0046A190( &_v584, _t106,  &_v548);
      				_t204 = _t203 + 0xc;
      				_v8 = 8;
      				E0046A230( &_v588,  &_v568);
      				_v8 = 9;
      				_t110 = E0046A230( &_v576,  &_v552);
      				_v8 = 0xa;
      				E00402050(E0046A170(_t110));
      				_t174 = _v576;
      				_v8 = 0xc;
      				if(_v576 != 0) {
      					E0046A700(_t174);
      				}
      				_t175 = _v588;
      				_v8 = 0xd;
      				if(_v588 != 0) {
      					E0046A700(_t175);
      				}
      				_t176 = _v584;
      				_v8 = 0xe;
      				if(_v584 != 0) {
      					E0046A700(_t176);
      				}
      				_t193 = _v556;
      				_t189 = __imp__#6;
      				if(_t193 != 0) {
      					if(InterlockedDecrement( &(_t193[2])) == 0 && _t193 != 0) {
      						_t145 =  *_t193;
      						if(_t145 != 0) {
      							 *_t189(_t145);
      							 *_t193 = 0;
      						}
      						_t146 = _t193[1];
      						if(_t193[1] != 0) {
      							E0046EF07(_t146);
      							_t204 = _t204 + 4;
      							_t193[1] = 0;
      						}
      						E0046EF07(_t193);
      						_t204 = _t204 + 4;
      					}
      					_v556 = 0;
      				}
      				_t194 = _v560;
      				if(_t194 != 0) {
      					if(InterlockedDecrement( &(_t194[2])) == 0 && _t194 != 0) {
      						_t138 =  *_t194;
      						if(_t138 != 0) {
      							 *_t189(_t138);
      							 *_t194 = 0;
      						}
      						_t139 = _t194[1];
      						if(_t194[1] != 0) {
      							E0046EF07(_t139);
      							_t204 = _t204 + 4;
      							_t194[1] = 0;
      						}
      						E0046EF07(_t194);
      						_t204 = _t204 + 4;
      					}
      					_v560 = 0;
      				}
      				_t195 = _v572;
      				if(_t195 != 0 && InterlockedDecrement( &(_t195[2])) == 0) {
      					_t131 =  *_t195;
      					if(_t131 != 0) {
      						 *_t189(_t131);
      						 *_t195 = 0;
      					}
      					_t132 = _t195[1];
      					if(_t195[1] != 0) {
      						E0046EF07(_t132);
      						_t204 = _t204 + 4;
      						_t195[1] = 0;
      					}
      					E0046EF07(_t195);
      					_t204 = _t204 + 4;
      				}
      				_t177 = _v568;
      				_v8 = 0x12;
      				if(_v568 != 0) {
      					E0046A700(_t177);
      				}
      				_t178 = _v552;
      				_v8 = 0x13;
      				if(_v552 != 0) {
      					E0046A700(_t178);
      				}
      				_t196 = _v580;
      				if(_t196 == 0) {
      					_t113 = 0;
      				} else {
      					_t113 =  *_t196;
      				}
      				CreateDialogParamW(GetModuleHandleW(0), L"FILE_VIEWER", 0, E0044A650, _t113);
      				if(_t196 != 0 && InterlockedDecrement( &(_t196[2])) == 0) {
      					_t122 =  *_t196;
      					if(_t122 != 0) {
      						 *_t189(_t122);
      						 *_t196 = 0;
      					}
      					_t123 = _t196[1];
      					if(_t196[1] != 0) {
      						E0046EF07(_t123);
      						_t204 = _t204 + 4;
      						_t196[1] = 0;
      					}
      					E0046EF07(_t196);
      				}
      				_t179 = _v548;
      				_v8 = 1;
      				if(_v548 != 0) {
      					E0046A700(_t179);
      				}
      				_t180 = _v544;
      				_v8 = 0;
      				if(_v544 != 0) {
      					E0046A700(_t180);
      				}
      				_t181 = _v564;
      				_v8 = 0xffffffff;
      				if(_v564 != 0) {
      					E0046A700(_t181);
      				}
      				 *[fs:0x0] = _v16;
      				_pop(_t190);
      				_pop(_t197);
      				_pop(_t156);
      				return E0046F77E(_t156, _v20 ^ _t198, _t186, _t190, _t197);
      			}

      Per-line instruction addresses for E0045A350, 0x0045a350 to 0x0045a72f

      APIs
      • _memset.LIBCMT ref: 0045A397
      • LoadCursorW.USER32(00000000,00007F02), ref: 0045A3A6
      • SetCursor.USER32(00000000), ref: 0045A3B3
        • Part of subcall function 0046C230: EnterCriticalSection.KERNEL32(004C27E4,004880B8,?), ref: 0046C24F
        • Part of subcall function 0046C230: GetEnvironmentVariableW.KERNEL32(TEMP,?,00000400), ref: 0046C295
        • Part of subcall function 0046C230: LeaveCriticalSection.KERNEL32(004C27E4), ref: 0046C2AE
        • Part of subcall function 0046B0A0: EnterCriticalSection.KERNEL32(004C27E4,?,0042306F,80000001,00000000,?,?,?,2927074F), ref: 0046B0A8
        • Part of subcall function 0046B0A0: LeaveCriticalSection.KERNEL32(004C27E4,?,0042306F,80000001,00000000,?,?,?,2927074F), ref: 0046B0BC
      • SetCursor.USER32(00000000), ref: 0045A3ED
        • Part of subcall function 0046B420: _wcsrchr.LIBCMT ref: 0046B467
        • Part of subcall function 0046B420: _wcsrchr.LIBCMT ref: 0046B48A
        • Part of subcall function 0046B420: _wcschr.LIBCMT ref: 0046B4D5
        • Part of subcall function 0046A6C0: _memmove.LIBCMT ref: 0046A6ED
        • Part of subcall function 00402050: SysAllocString.OLEAUT32(?), ref: 004020A2
        • Part of subcall function 0040ECF0: InterlockedIncrement.KERNEL32(?), ref: 0040ED2A
      • InterlockedDecrement.KERNEL32(?), ref: 0045A572
      • SysFreeString.OLEAUT32(00000000), ref: 0045A583
      • InterlockedDecrement.KERNEL32(?), ref: 0045A5C3
      • SysFreeString.OLEAUT32(00000000), ref: 0045A5D4
      • InterlockedDecrement.KERNEL32(?), ref: 0045A614
      • SysFreeString.OLEAUT32(00000000), ref: 0045A621
      • GetModuleHandleW.KERNEL32(00000000,FILE_VIEWER,00000000,Function_0004A650,00000000,00000000,?,?,?,?,?,00000000,004A194C), ref: 0045A68E
      • CreateDialogParamW.USER32 ref: 0045A695
      • InterlockedDecrement.KERNEL32(?), ref: 0045A6A3
      • SysFreeString.OLEAUT32(00000000), ref: 0045A6B0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: InterlockedString$CriticalDecrementFreeSection$Cursor$EnterLeave_wcsrchr$AllocCreateDialogEnvironmentHandleIncrementLoadModuleParamVariable_memmove_memset_wcschr
      • String ID: FILE_VIEWER
      • API String ID: 1671526586-4193591710
      • Opcode ID: 7bfa3f621206b4f81d511610f8a1186f8e8a6a124efc844c7758d11f038d59e8
      • Instruction ID: e4f5c343350b817e88023f564a3c0326d74efdc6bceba6b8ec8463ef9d2c5af9
      • Opcode Fuzzy Hash: 7bfa3f621206b4f81d511610f8a1186f8e8a6a124efc844c7758d11f038d59e8
      • Instruction Fuzzy Hash: A0B1BBB5901218ABDB20EBA1CC59B9FB7B89F14304F04059EE845A7281EB3CDE54CF5B
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E00406840(intOrPtr __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
      				signed int _v8;
      				struct tagPOINT _v16;
      				struct tagPOINT _v24;
      				long _v28;
      				intOrPtr _v32;
      				void* _v40;
      				int _v44;
      				int _v48;
      				void* _v52;
      				struct tagRECT _v68;
      				struct HWND__* _v72;
      				long _v76;
      				WCHAR* _v80;
      				intOrPtr _v84;
      				struct HWND__* _v88;
      				intOrPtr _v116;
      				intOrPtr _v124;
      				char _v132;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t92;
      				struct HWND__* _t103;
      				int _t105;
      				signed int _t107;
      				struct HDC__* _t115;
      				void* _t116;
      				int _t123;
      				struct HDC__* _t127;
      				int _t129;
      				struct HWND__* _t147;
      				struct HDC__* _t151;
      				struct HWND__* _t152;
      				intOrPtr* _t154;
      				int _t159;
      				void* _t166;
      				WCHAR* _t172;
      				int _t175;
      				intOrPtr _t176;
      				long _t178;
      				struct HDC__* _t179;
      				signed int _t181;
      
      				_t92 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t92 ^ _t181;
      				_t147 = _a4;
      				_t178 = _a16;
      				_t176 = __ecx;
      				_v88 = _t147;
      				_v84 = __ecx;
      				_v76 = _t178;
      				if(_t147 !=  *((intOrPtr*)(__ecx + 0xc))) {
      					_v72 =  *((intOrPtr*)(__ecx + 0x18));
      				} else {
      					_v72 =  *((intOrPtr*)(__ecx + 0x10));
      				}
      				_t171 = _a8;
      				_t154 = SendMessageW;
      				if(_t171 - 0x200 <= 0xd) {
      					asm("xorps xmm0, xmm0");
      					_v16.x = _t178;
      					_v16.y = _t178 >> 0x10;
      					_v44 = _a12;
      					_v52 = _t147;
      					_v48 = _t171;
      					_v40 = _t178;
      					asm("movq [ebp-0x20], xmm0");
      					_v28 = 0;
      					MapWindowPoints(_t147,  *(_t176 + 8),  &_v16, 1);
      					E004098E0(_t176, _t178 >> 0x10, _v72,  &_v16);
      					SendMessageW(_v72, 0x407, 0,  &_v52);
      					_t154 = SendMessageW;
      					_t171 = _a8;
      				}
      				if(_t171 == 0xf) {
      					__eflags =  *(_t176 + 0xd4);
      					if( *(_t176 + 0xd4) != 0) {
      						_t179 = GetDC(_t147);
      						GetUpdateRect(_t147,  &_v40, 0);
      						asm("movdqu xmm0, [ebp-0x24]");
      						_push(_t179);
      						asm("movdqu [ecx], xmm0");
      						_push(_t147);
      						E00404650(_t147, _t176, _t176, _t179);
      						ReleaseDC(_t147, _t179);
      						_t178 = _v76;
      					}
      					goto L24;
      				} else {
      					if(_t171 != 0x4e) {
      						L24:
      						CallWindowProcW( *(_t176 + 0xc8), _t147, _a8, _a12, _t178);
      						__eflags = _v8 ^ _t181;
      						return E0046F77E(_t147, _v8 ^ _t181, _t171, _t176, _t178);
      					} else {
      						_t103 = _v72;
      						if( *_t178 != _t103) {
      							goto L24;
      						} else {
      							_t171 =  *(_t178 + 8);
      							if(_t171 == 0xfffffdee) {
      								asm("xorps xmm0, xmm0");
      								_v132 = 7;
      								_t172 = _t178 + 0x10;
      								asm("movq [ebp-0x5c], xmm0");
      								asm("movdqu [ebp-0x7c], xmm0");
      								_v80 = _t172;
      								_v124 = _t172;
      								_t171 =  *(_t176 + 0xa4);
      								_v116 = 0x50;
      								asm("movdqu [ebp-0x6c], xmm0");
      								__eflags = _t171 - 0xffffffff;
      								if(_t171 == 0xffffffff) {
      									L21:
      									 *((intOrPtr*)(_t178 + 0xc)) = 0x48fc20;
      								} else {
      									__eflags = _t103 -  *((intOrPtr*)(_t176 + 0x10));
      									if(_t103 !=  *((intOrPtr*)(_t176 + 0x10))) {
      										_t171 = _t171 - 1;
      										__eflags = _t171;
      									}
      									_t105 =  *_t154(_t147, 0x120b, _t171,  &_v132);
      									__eflags = _t105;
      									if(_t105 == 0) {
      										goto L21;
      									} else {
      										_t107 = SendMessageW(_t147, 0x1215, 0, 0);
      										_t159 =  *(_t176 + 0xa4);
      										_v16.y = _t107;
      										__eflags = _v72 -  *((intOrPtr*)(_t176 + 0x10));
      										if(_v72 !=  *((intOrPtr*)(_t176 + 0x10))) {
      											_t159 = _t159 - 1;
      											__eflags = _t159;
      										}
      										SendMessageW(_t147, 0x1207, _t159,  &_v40);
      										__eflags = _v40;
      										if(_v40 < 0) {
      											goto L21;
      										} else {
      											_v68.left = 0;
      											_v68.top = 0;
      											_v32 = _v32 +  ~(_v16.y) * 2;
      											_v68.right = GetSystemMetrics(0x4e);
      											_v68.bottom = E004078D0(_t176);
      											_t115 = GetDC( *(_t176 + 8));
      											_v16.y = _t115;
      											_t116 = SelectObject(_t115,  *(_t176 + 0x30));
      											_t151 = _v16.y;
      											DrawTextW(_t151, _v80, 0xffffffff,  &_v68,  *(_t176 + 0xa0) & 0xfffb3fff | 0x00000400);
      											SelectObject(_t151, _t116);
      											_t176 = _v84;
      											ReleaseDC( *(_t176 + 8), _t151);
      											_t171 = _v68.right - _v68.left;
      											_t178 = _v76;
      											__eflags = _v68.right - _v68.left - _v32 - _v40;
      											_t147 = _v88;
      											_t164 =  >  ? _v80 : 0x48fc20;
      											 *((intOrPtr*)(_t178 + 0xc)) =  >  ? _v80 : 0x48fc20;
      										}
      									}
      								}
      								goto L24;
      							} else {
      								if(_t171 != 0xfffffdf7) {
      									goto L24;
      								} else {
      									_t123 =  *(_t176 + 0xa4);
      									if(_t103 !=  *((intOrPtr*)(_t176 + 0x10))) {
      										_t123 = _t123 - 1;
      									}
      									 *_t154(0x1207, _t123,  &_v24);
      									MapWindowPoints(_t147, 0,  &_v24, 2);
      									_t127 = _v16.y;
      									_t166 = _t127 - _v24.y;
      									_t152 = _v72;
      									_t175 = _t127 + _t166;
      									_t129 = _v24.x + _t166;
      									_v24.y = _t175;
      									_v24.x = _t129;
      									SetWindowPos(_t152, 0, _t129, _t175, 0, 0, 0x15);
      									SendMessageW(_t152, 0x30,  *(_t176 + 0x30), 0);
      									return E0046F77E(_t152, _v8 ^ _t181, _t175, _t176, _t178, _t147);
      								}
      							}
      						}
      					}
      				}
      			}

      Per-line instruction addresses for E00406840, 0x00406849 to 0x00406b4b (0x00000000 where a line has no instruction)

      APIs
      • MapWindowPoints.USER32 ref: 004068C5
      • MapWindowPoints.USER32 ref: 00406951
      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015), ref: 0040697B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$Points
      • String ID: P
      • API String ID: 2612124105-3110715001
      • Opcode ID: 8fb4f868a78a698211f119c1e34f1ba274b36b57a4b89d04b92b4aece437e3a4
      • Instruction ID: 3db5e01959e7e09152b06ffd07ac8dfa87a6bfede76efb23fdb738cbc138d4b5
      • Opcode Fuzzy Hash: 8fb4f868a78a698211f119c1e34f1ba274b36b57a4b89d04b92b4aece437e3a4
      • Instruction Fuzzy Hash: 74A12BB1A00609AFDB14DFA4CC84FAEBBB9FF48310F10862AE515B7290D774A955CF64
      Uniqueness

      Uniqueness Score: -1.00%
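
      E00406840 is a window-procedure subclass for a header control, and its constants read cleanly once named (values as the decompiler prints them, names from winuser.h and commctrl.h): messages 0x200 to 0x20D (the mouse range) are packed into a MSG and relayed to a tooltip window with 0x407 (TTM_RELAYEVENT, WM_USER+7); 0xF is WM_PAINT; 0x4E is WM_NOTIFY, where 0xFFFFFDEE is TTN_GETDISPINFOW (TTN_FIRST-10, a negative code shown unsigned) and is answered by fetching the item with 0x120B (HDM_GETITEMW, mask 7 = HDI_WIDTH|HDI_TEXT|HDI_FORMAT), its rectangle with 0x1207 (HDM_GETITEMRECT), measuring the text with DrawTextW and DT_CALCRECT (0x400), and supplying the text as the tooltip only when it does not fit the column; 0xFFFFFDF7 is TTN_SHOW, handled by moving the tooltip with SetWindowPos flags 0x15 (SWP_NOSIZE|SWP_NOZORDER|SWP_NOACTIVATE) and 0x30 (WM_SETFONT). Everything else goes to the original procedure via CallWindowProcW. For triage this is ordinary GUI plumbing and contributes nothing to the detection signatures. The Python below, an added example rather than code from the sample or from Joe Sandbox, performs the two conversions that hide this: turning unsigned 32-bit notification codes back into their negative commctrl values and resolving control messages relative to their per-control base; the tables are limited to the constants this function uses.

```python
"""Resolve raw Win32 constants left behind in a decompiled window procedure.

Added example; not code from the analysed sample or from Joe Sandbox. Two
things the decompiler does not do: WM_NOTIFY codes are small negative numbers
(TTN_FIRST is -520) and appear as 0xFFFFFDEE, and common-control messages are
offsets from a per-control base (HDM_FIRST = 0x1200, WM_USER = 0x400).
"""
from typing import Dict, List

WM_USER = 0x0400
HDM_FIRST = 0x1200      # header control (SysHeader32) message base
TTN_FIRST = -520        # tooltip notification code base (commctrl.h)

WINDOW_MESSAGES = {
    0x000F: "WM_PAINT", 0x0030: "WM_SETFONT", 0x004E: "WM_NOTIFY",
    0x0200: "WM_MOUSEMOVE", 0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
    0x0203: "WM_LBUTTONDBLCLK", 0x0204: "WM_RBUTTONDOWN", 0x0205: "WM_RBUTTONUP",
    0x0206: "WM_RBUTTONDBLCLK", 0x0207: "WM_MBUTTONDOWN", 0x0208: "WM_MBUTTONUP",
    0x0209: "WM_MBUTTONDBLCLK", 0x020A: "WM_MOUSEWHEEL", 0x020B: "WM_XBUTTONDOWN",
    0x020C: "WM_XBUTTONUP", 0x020D: "WM_XBUTTONDBLCLK",
}
WM_USER_RELATIVE = {7: "TTM_RELAYEVENT"}                      # tooltip: WM_USER + n
HDM_RELATIVE = {7: "HDM_GETITEMRECT", 11: "HDM_GETITEMW", 21: "HDM_GETBITMAPMARGIN"}
TTN_RELATIVE = {-1: "TTN_SHOW", -10: "TTN_GETDISPINFOW"}      # TTN_FIRST + n
SWP_FLAGS = {0x01: "SWP_NOSIZE", 0x02: "SWP_NOMOVE", 0x04: "SWP_NOZORDER",
             0x10: "SWP_NOACTIVATE", 0x40: "SWP_SHOWWINDOW"}
HDI_FLAGS = {0x01: "HDI_WIDTH", 0x02: "HDI_TEXT", 0x04: "HDI_FORMAT"}


def to_signed32(value: int) -> int:
    """Reinterpret a 32-bit unsigned value (as a decompiler prints it) as signed."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def decode_message(msg: int) -> str:
    """Name a window message, trying the control-specific bases before WM_USER."""
    if msg in WINDOW_MESSAGES:
        return WINDOW_MESSAGES[msg]
    if msg - HDM_FIRST in HDM_RELATIVE:
        return HDM_RELATIVE[msg - HDM_FIRST]
    if msg - WM_USER in WM_USER_RELATIVE:
        return WM_USER_RELATIVE[msg - WM_USER]
    if WM_USER <= msg < 0x8000:
        return f"WM_USER+{msg - WM_USER:#x}"
    return f"0x{msg:04x}"


def decode_notify_code(code: int) -> str:
    """Map an NMHDR.code printed unsigned (e.g. 0xFFFFFDEE) to its commctrl name."""
    signed = to_signed32(code)
    if signed - TTN_FIRST in TTN_RELATIVE:
        return TTN_RELATIVE[signed - TTN_FIRST]
    return f"NM code {signed}"


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Split a bitmask into known flag names; leftover bits are reported raw."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:x}")
    return names


def is_mouse_message(msg: int) -> bool:
    """The range test the subclass makes before TTM_RELAYEVENT: 0x200 <= msg <= 0x20D."""
    return 0 <= msg - 0x200 <= 0xD
```

      The same number means different things to different controls (0x407 is TTM_RELAYEVENT only when the receiving HWND is a tooltip), so pair the decoded name with the window class of the target handle before drawing conclusions.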

      C-Code - Quality: 99%
      			E00422D69(void* __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
      				void* __ebx;
      				intOrPtr _t114;
      				void* _t116;
      				void* _t123;
      				void* _t127;
      				void* _t131;
      				void* _t135;
      				void* _t140;
      				void* _t144;
      				void* _t148;
      				void* _t152;
      				void* _t156;
      				intOrPtr* _t180;
      				intOrPtr* _t185;
      				void* _t197;
      				void* _t202;
      				void* _t207;
      				void* _t236;
      				intOrPtr* _t271;
      				void* _t285;
      				intOrPtr* _t286;
      				intOrPtr _t288;
      				struct _CRITICAL_SECTION* _t290;
      				intOrPtr* _t292;
      				intOrPtr* _t293;
      				intOrPtr* _t294;
      				void* _t295;
      				void* _t297;
      				void* _t300;
      				void* _t302;
      				void* _t304;
      				void* _t306;
      				void* _t308;
      				void* _t310;
      				void* _t312;
      				void* _t314;
      				void* _t316;
      				void* _t324;
      				void* _t325;
      				void* _t329;
      				void* _t331;
      				void* _t333;
      
      				_t286 = __edi;
      				_t285 = __edx;
      				while(1) {
      					L23:
      					 *((intOrPtr*)(_t295 + 8)) =  *((intOrPtr*)(_t293 + 8));
      					E00438E60(_t348, _t236, L"module", 1);
      					E00472329(_t285, 0xa, _t236);
      					_t197 = E00436170(_t236, _t285, _t288, _t348, _t295 - 0x38, E00442D80( *((intOrPtr*)(_t295 + 8))), _t285);
      					 *((char*)(_t295 - 4)) = 0xb;
      					E00438C20(_t348, _t236, L"Timestamp", E0046A170(_t197));
      					_t276 =  *((intOrPtr*)(_t295 - 0x38));
      					_t329 = _t324 + 0x2c;
      					 *((char*)(_t295 - 4)) = 0xa;
      					_t349 =  *((intOrPtr*)(_t295 - 0x38));
      					if( *((intOrPtr*)(_t295 - 0x38)) != 0) {
      						E0046A700(_t276);
      					}
      					_t78 =  *((intOrPtr*)(_t295 + 8)) + 4; // 0xff00497d
      					_t202 = E00436110(_t236, _t285, _t288, _t349, _t295 - 0x3c,  *_t78, 0);
      					 *((char*)(_t295 - 4)) = 0xc;
      					E00438C20(_t349, _t236, L"BaseAddress", E0046A170(_t202));
      					_t278 =  *((intOrPtr*)(_t295 - 0x3c));
      					_t331 = _t329 + 0x18;
      					 *((char*)(_t295 - 4)) = 0xa;
      					_t350 =  *((intOrPtr*)(_t295 - 0x3c));
      					if( *((intOrPtr*)(_t295 - 0x3c)) != 0) {
      						E0046A700(_t278);
      					}
      					_t84 =  *((intOrPtr*)(_t295 + 8)) + 8; // 0xfffde0b5
      					_t207 = E00436170(_t236, _t285, _t288, _t350, _t295 - 0x40,  *_t84, 0);
      					 *((char*)(_t295 - 4)) = 0xd;
      					E00438C20(_t350, _t236, L"Size", E0046A170(_t207));
      					_t280 =  *((intOrPtr*)(_t295 - 0x40));
      					_t333 = _t331 + 0x18;
      					 *((char*)(_t295 - 4)) = 0xa;
      					_t351 =  *((intOrPtr*)(_t295 - 0x40));
      					if( *((intOrPtr*)(_t295 - 0x40)) != 0) {
      						E0046A700(_t280);
      					}
      					_t90 =  *((intOrPtr*)(_t295 + 8)) + 0xc; // 0x72ade8ff
      					E00438C20(_t351, _t236, L"Path", E00467450(_t288,  *_t90));
      					_t92 =  *((intOrPtr*)(_t295 + 8)) + 0x10; // 0x16a0001
      					E00438C20(_t351, _t236, L"Version", E00467450(_t288,  *_t92));
      					_t94 =  *((intOrPtr*)(_t295 + 8)) + 0x14; // 0x497da068
      					E00438C20(_t351, _t236, L"Company", E00467450(_t288,  *_t94));
      					_t96 =  *((intOrPtr*)(_t295 + 8)) + 0x18; // 0xe0b5ff00
      					E00438C20(_t351, _t236, L"Description", E00467450(_t288,  *_t96));
      					E00438E60(_t351, _t236, L"module", 0);
      					E00472329(_t285, 0xa, _t236);
      					_t293 =  *_t293;
      					_t324 = _t333 + 0x44;
      					_t352 = _t293 -  *((intOrPtr*)(_t295 - 0x50));
      					if(_t293 !=  *((intOrPtr*)(_t295 - 0x50))) {
      						continue;
      					} else {
      						goto L30;
      					}
      					do {
      						L30:
      						E00438E60(_t352, _t236, L"modulelist", 0);
      						E00472329(_t285, 0xa, _t236);
      						E00438E60(_t352, _t236, L"process", 0);
      						E00472329(_t285, 0xa, _t236);
      						_t185 =  *((intOrPtr*)(_t295 - 0x50));
      						_t325 = _t324 + 0x28;
      						 *((char*)(_t295 - 4)) = 0;
      						_t271 =  *_t185;
      						 *_t185 = _t185;
      						 *((intOrPtr*)( *((intOrPtr*)(_t295 - 0x50)) + 4)) =  *((intOrPtr*)(_t295 - 0x50));
      						_t187 =  *((intOrPtr*)(_t295 - 0x50));
      						 *((intOrPtr*)(_t295 - 0x4c)) = 0;
      						if(_t271 !=  *((intOrPtr*)(_t295 - 0x50))) {
      							do {
      								_t294 =  *_t271;
      								E0046EF07(_t271);
      								_t187 =  *((intOrPtr*)(_t295 - 0x50));
      								_t325 = _t325 + 4;
      								_t271 = _t294;
      							} while (_t294 !=  *((intOrPtr*)(_t295 - 0x50)));
      						}
      						E0046EF07(_t187);
      						_t297 = _t325 + 4;
      						E0043F050(_t295 - 0x5c);
      						if(E0043F020(_t295 - 0x5c) != 0) {
      							goto L3;
      						}
      						_t286 =  *((intOrPtr*)(_t295 - 0x10));
      						_t290 =  *(_t295 - 0x44);
      						while(1) {
      							 *((intOrPtr*)(_t295 - 4)) = 0xffffffff;
      							LeaveCriticalSection(_t290);
      							_t286 = _t286 + 4;
      							 *((intOrPtr*)(_t295 - 0x10)) = _t286;
      							if(_t286 ==  *((intOrPtr*)( *((intOrPtr*)(_t295 - 0x48)) + 0x34))) {
      								break;
      							}
      							_t114 =  *_t286;
      							 *((intOrPtr*)(_t295 + 8)) = _t114;
      							_t290 = _t114 + 0x4ec;
      							 *(_t295 - 0x44) = _t290;
      							EnterCriticalSection(_t290);
      							 *((intOrPtr*)(_t295 - 4)) = 0;
      							E0043EDC0(_t295 - 0x5c, _t290);
      							_t116 = E0043F020(_t295 - 0x5c);
      							_t338 = _t116;
      							if(_t116 != 0) {
      								_t288 =  *((intOrPtr*)(_t295 + 8));
      								goto L3;
      							}
      						}
      						 *[fs:0x0] =  *((intOrPtr*)(_t295 - 0xc));
      						return 1;
      						L3:
      						E00438E60(_t338, _t236, L"process", 1);
      						E00472329(_t285, 0xa, _t236);
      						_t292 = E0043F020(_t295 - 0x5c);
      						_t123 = E00436170(_t236, _t285, _t288, _t338, _t295 - 0x14,  *_t292, 0);
      						 *((char*)(_t295 - 4)) = 1;
      						E00438C20(_t338, _t236, L"ProcessIndex", E0046A170(_t123));
      						_t244 =  *((intOrPtr*)(_t295 - 0x14));
      						_t300 = _t297 + 0x2c;
      						 *((char*)(_t295 - 4)) = 0;
      						_t339 =  *((intOrPtr*)(_t295 - 0x14));
      						if( *((intOrPtr*)(_t295 - 0x14)) != 0) {
      							E0046A700(_t244);
      						}
      						_t127 = E00436170(_t236, _t285, _t288, _t339, _t295 - 0x18,  *((intOrPtr*)(_t292 + 4)), 0);
      						 *((char*)(_t295 - 4)) = 2;
      						E00438C20(_t339, _t236, L"ProcessId", E0046A170(_t127));
      						_t246 =  *((intOrPtr*)(_t295 - 0x18));
      						_t302 = _t300 + 0x18;
      						 *((char*)(_t295 - 4)) = 0;
      						_t340 =  *((intOrPtr*)(_t295 - 0x18));
      						if( *((intOrPtr*)(_t295 - 0x18)) != 0) {
      							E0046A700(_t246);
      						}
      						_t131 = E00436170(_t236, _t285, _t288, _t340, _t295 - 0x1c,  *((intOrPtr*)(_t292 + 8)), 0);
      						 *((char*)(_t295 - 4)) = 3;
      						E00438C20(_t340, _t236, L"ParentProcessId", E0046A170(_t131));
      						_t248 =  *((intOrPtr*)(_t295 - 0x1c));
      						_t304 = _t302 + 0x18;
      						 *((char*)(_t295 - 4)) = 0;
      						_t341 =  *((intOrPtr*)(_t295 - 0x1c));
      						if( *((intOrPtr*)(_t295 - 0x1c)) != 0) {
      							E0046A700(_t248);
      						}
      						_t135 = E00436170(_t236, _t285, _t288, _t341, _t295 - 0x20,  *((intOrPtr*)(_t292 + 0xc)), 0);
      						 *((char*)(_t295 - 4)) = 4;
      						E00438C20(_t341, _t236, L"ParentProcessIndex", E0046A170(_t135));
      						_t250 =  *((intOrPtr*)(_t295 - 0x20));
      						_t306 = _t304 + 0x18;
      						 *((char*)(_t295 - 4)) = 0;
      						_t342 =  *((intOrPtr*)(_t295 - 0x20));
      						if( *((intOrPtr*)(_t295 - 0x20)) != 0) {
      							E0046A700(_t250);
      						}
      						_t28 = _t292 + 0x10; // 0x10
      						_t140 = E00431CA0(_t236, _t285, _t288, _t342, _t295 - 0x24, _t28);
      						 *((char*)(_t295 - 4)) = 5;
      						E00438C20(_t342, _t236, L"AuthenticationId", E0046A170(_t140));
      						_t252 =  *((intOrPtr*)(_t295 - 0x24));
      						_t308 = _t306 + 0x14;
      						 *((char*)(_t295 - 4)) = 0;
      						_t343 =  *((intOrPtr*)(_t295 - 0x24));
      						if( *((intOrPtr*)(_t295 - 0x24)) != 0) {
      							E0046A700(_t252);
      						}
      						_t144 = E00436170(_t236, _t285, _t288, _t343, _t295 - 0x28,  *((intOrPtr*)(_t292 + 0x20)),  *((intOrPtr*)(_t292 + 0x24)));
      						 *((char*)(_t295 - 4)) = 6;
      						E00438C20(_t343, _t236, L"CreateTime", E0046A170(_t144));
      						_t254 =  *((intOrPtr*)(_t295 - 0x28));
      						_t310 = _t308 + 0x18;
      						 *((char*)(_t295 - 4)) = 0;
      						_t344 =  *((intOrPtr*)(_t295 - 0x28));
      						if( *((intOrPtr*)(_t295 - 0x28)) != 0) {
      							E0046A700(_t254);
      						}
      						_t148 = E00436170(_t236, _t285, _t288, _t344, _t295 - 0x2c,  *((intOrPtr*)(_t292 + 0x28)),  *((intOrPtr*)(_t292 + 0x2c)));
      						 *((char*)(_t295 - 4)) = 7;
      						E00438C20(_t344, _t236, L"FinishTime", E0046A170(_t148));
      						_t256 =  *((intOrPtr*)(_t295 - 0x2c));
      						_t312 = _t310 + 0x18;
      						 *((char*)(_t295 - 4)) = 0;
      						_t345 =  *((intOrPtr*)(_t295 - 0x2c));
      						if( *((intOrPtr*)(_t295 - 0x2c)) != 0) {
      							E0046A700(_t256);
      						}
      						_t152 = E00436170(_t236, _t285, _t288, _t345, _t295 - 0x30,  *((intOrPtr*)(_t292 + 0x30)), 0);
      						 *((char*)(_t295 - 4)) = 8;
      						E00438C20(_t345, _t236, L"IsVirtualized", E0046A170(_t152));
      						_t258 =  *((intOrPtr*)(_t295 - 0x30));
      						_t314 = _t312 + 0x18;
      						 *((char*)(_t295 - 4)) = 0;
      						_t346 =  *((intOrPtr*)(_t295 - 0x30));
      						if( *((intOrPtr*)(_t295 - 0x30)) != 0) {
      							E0046A700(_t258);
      						}
      						_t156 = E00436170(_t236, _t285, _t288, _t346, _t295 - 0x34,  *((intOrPtr*)(_t292 + 0x34)), 0);
      						 *((char*)(_t295 - 4)) = 9;
      						E00438C20(_t346, _t236, L"Is64bit", E0046A170(_t156));
      						_t260 =  *((intOrPtr*)(_t295 - 0x34));
      						_t316 = _t314 + 0x18;
      						 *((char*)(_t295 - 4)) = 0;
      						_t347 =  *((intOrPtr*)(_t295 - 0x34));
      						if( *((intOrPtr*)(_t295 - 0x34)) != 0) {
      							E0046A700(_t260);
      						}
      						E00438C20(_t347, _t236, L"Integrity", E00467450(_t288,  *((intOrPtr*)(_t292 + 0x38))));
      						E00438C20(_t347, _t236, L"Owner", E00467450(_t288,  *((intOrPtr*)(_t292 + 0x3c))));
      						E00438C20(_t347, _t236, L"ProcessName", E00467450(_t288,  *((intOrPtr*)(_t292 + 0x40))));
      						E00438C20(_t347, _t236, L"ImagePath", E00467450(_t288,  *((intOrPtr*)(_t292 + 0x44))));
      						E00438C20(_t347, _t236, L"CommandLine", E00467450(_t288,  *((intOrPtr*)(_t292 + 0x48))));
      						E00438C20(_t347, _t236, L"CompanyName", E00467450(_t288,  *((intOrPtr*)(_t292 + 0x4c))));
      						E00438C20(_t347, _t236, L"Version", E00467450(_t288,  *((intOrPtr*)(_t292 + 0x50))));
      						E00438C20(_t347, _t236, L"Description", E00467450(_t288,  *((intOrPtr*)(_t292 + 0x54))));
      						E00438E60(_t347, _t236, L"modulelist", 1);
      						E00472329(_t285, 0xa, _t236);
      						_t324 = _t316 + 0x74;
      						 *((intOrPtr*)(_t295 - 0x50)) = 0;
      						 *((intOrPtr*)(_t295 - 0x4c)) = 0;
      						 *((intOrPtr*)(_t295 - 0x50)) = E00419990(0, 0);
      						 *((char*)(_t295 - 4)) = 0xa;
      						E00441040(_t292, 0xffffffff, 0xffffffff, _t295 - 0x50);
      						_t180 =  *((intOrPtr*)(_t295 - 0x50));
      						_t293 =  *_t180;
      						_t348 = _t293 - _t180;
      					} while (_t293 == _t180);
      					do {
      						goto L23;
      					} while (_t293 !=  *((intOrPtr*)(_t295 - 0x50)));
      					goto L30;
      					L23:
      					 *((intOrPtr*)(_t295 + 8)) =  *((intOrPtr*)(_t293 + 8));
      					E00438E60(_t348, _t236, L"module", 1);
      					E00472329(_t285, 0xa, _t236);
      					_t197 = E00436170(_t236, _t285, _t288, _t348, _t295 - 0x38, E00442D80( *((intOrPtr*)(_t295 + 8))), _t285);
      					 *((char*)(_t295 - 4)) = 0xb;
      					E00438C20(_t348, _t236, L"Timestamp", E0046A170(_t197));
      					_t276 =  *((intOrPtr*)(_t295 - 0x38));
      					_t329 = _t324 + 0x2c;
      					 *((char*)(_t295 - 4)) = 0xa;
      					_t349 =  *((intOrPtr*)(_t295 - 0x38));
      					if( *((intOrPtr*)(_t295 - 0x38)) != 0) {
      						E0046A700(_t276);
      					}
      					_t78 =  *((intOrPtr*)(_t295 + 8)) + 4; // 0xff00497d
      					_t202 = E00436110(_t236, _t285, _t288, _t349, _t295 - 0x3c,  *_t78, 0);
      					 *((char*)(_t295 - 4)) = 0xc;
      					E00438C20(_t349, _t236, L"BaseAddress", E0046A170(_t202));
      					_t278 =  *((intOrPtr*)(_t295 - 0x3c));
      					_t331 = _t329 + 0x18;
      					 *((char*)(_t295 - 4)) = 0xa;
      					_t350 =  *((intOrPtr*)(_t295 - 0x3c));
      					if( *((intOrPtr*)(_t295 - 0x3c)) != 0) {
      						E0046A700(_t278);
      					}
      					_t84 =  *((intOrPtr*)(_t295 + 8)) + 8; // 0xfffde0b5
      					_t207 = E00436170(_t236, _t285, _t288, _t350, _t295 - 0x40,  *_t84, 0);
      					 *((char*)(_t295 - 4)) = 0xd;
      					E00438C20(_t350, _t236, L"Size", E0046A170(_t207));
      					_t280 =  *((intOrPtr*)(_t295 - 0x40));
      					_t333 = _t331 + 0x18;
      					 *((char*)(_t295 - 4)) = 0xa;
      					_t351 =  *((intOrPtr*)(_t295 - 0x40));
      					if( *((intOrPtr*)(_t295 - 0x40)) != 0) {
      						E0046A700(_t280);
      					}
      					_t90 =  *((intOrPtr*)(_t295 + 8)) + 0xc; // 0x72ade8ff
      					E00438C20(_t351, _t236, L"Path", E00467450(_t288,  *_t90));
      					_t92 =  *((intOrPtr*)(_t295 + 8)) + 0x10; // 0x16a0001
      					E00438C20(_t351, _t236, L"Version", E00467450(_t288,  *_t92));
      					_t94 =  *((intOrPtr*)(_t295 + 8)) + 0x14; // 0x497da068
      					E00438C20(_t351, _t236, L"Company", E00467450(_t288,  *_t94));
      					_t96 =  *((intOrPtr*)(_t295 + 8)) + 0x18; // 0xe0b5ff00
      					E00438C20(_t351, _t236, L"Description", E00467450(_t288,  *_t96));
      					E00438E60(_t351, _t236, L"module", 0);
      					E00472329(_t285, 0xa, _t236);
      					_t293 =  *_t293;
      					_t324 = _t333 + 0x44;
      					_t352 = _t293 -  *((intOrPtr*)(_t295 - 0x50));
      				}
      			}

      Instruction addresses: 0x004229e0 to 0x00422f94 (per-line address column of the decompiled function; the column's alignment with the C-code lines was not preserved)

      APIs
        • Part of subcall function 00438E60: __fputwc_nolock.LIBCMT ref: 00438E6B
        • Part of subcall function 00438E60: __fputwc_nolock.LIBCMT ref: 00438E7C
        • Part of subcall function 00438E60: __fputwc_nolock.LIBCMT ref: 00438E92
        • Part of subcall function 00438E60: __fputwc_nolock.LIBCMT ref: 00438EA9
      • __fputwc_nolock.LIBCMT ref: 00422EC7
      • __fputwc_nolock.LIBCMT ref: 00422D86
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 0047234A
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 0047235B
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 00472367
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 00472372
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 00472398
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723A4
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723B0
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 004723BB
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723E1
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723ED
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723F9
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 00472404
        • Part of subcall function 00472329: __cftof.LIBCMT ref: 0047242D
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438C2C
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438C43
        • Part of subcall function 00438C20: __fputwc_nolock.LIBCMT ref: 00438C5A
      • __fputwc_nolock.LIBCMT ref: 00422EEA
      • __fputwc_nolock.LIBCMT ref: 00422EFF
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • LeaveCriticalSection.KERNEL32(?,?), ref: 00422F69
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateHeap$__fputwc_nolock$CriticalDecrementInterlockedLeaveSection__cftof
      • String ID: BaseAddress$Company$Description$Path$Size$Timestamp$Version$module$modulelist$process
      • API String ID: 493530597-3631526074
      • Opcode ID: 40d3e36e240b0be8c3169b88f561393a7116b1508dee1f85df36a612de650179
      • Instruction ID: f532262d63a4d29fcbf225823de8e76a0536e60e0e72f7ee4080405db11ebbf3
      • Opcode Fuzzy Hash: 40d3e36e240b0be8c3169b88f561393a7116b1508dee1f85df36a612de650179
      • Instruction Fuzzy Hash: B3518370A00304BBDF14BBB5DD42F9E7BA89F4430CF14506EF905BB292DA78A910876E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E00426710(intOrPtr __edx, struct HWND__* _a4, intOrPtr _a8, signed int _a12, struct HWND__* _a16) {
      				signed int _v8;
      				short _v136;
      				struct HWND__* _v140;
      				signed int _v152;
      				int _v156;
      				WCHAR* _v160;
      				int _v164;
      				signed int _v168;
      				void* _v172;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t45;
      				void* _t48;
      				void* _t57;
      				signed int _t60;
      				signed int _t63;
      				signed int _t67;
      				signed int _t68;
      				int _t69;
      				signed int _t70;
      				signed int _t73;
      				int _t74;
      				int _t83;
      				void* _t85;
      				struct HWND__* _t86;
      				signed int _t91;
      				int _t96;
      				int _t97;
      				intOrPtr _t98;
      				struct HWND__* _t99;
      				int _t100;
      				void* _t101;
      				signed int _t102;
      				int _t103;
      				signed int _t104;
      				signed int _t105;
      				void* _t106;
      
      				_t98 = __edx;
      				_t45 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t45 ^ _t105;
      				_t86 = _a16;
      				_t99 = _a4;
      				_v140 = _t99;
      				_t48 = _a8 - 0x110;
      				if(_t48 == 0) {
      					_t102 = 0;
      					 *0x4bcb5c = _t86;
      					__eflags =  *0x4bd790 - _t102; // 0x0
      					if(__eflags > 0) {
      						_t85 = CheckDlgButton;
      						do {
      							CheckDlgButton(_t99,  *(0x4bd794 + _t102 * 4), 1);
      							_t102 = _t102 + 1;
      							__eflags = _t102 -  *0x4bd790; // 0x0
      						} while (__eflags < 0);
      					}
      					goto L28;
      				} else {
      					if(_t48 != 1) {
      						L5:
      						return E0046F77E(_t85, _v8 ^ _t105, _t98, _t99, _t101);
      					} else {
      						_t57 = (_a12 & 0x0000ffff) - 1;
      						if(_t57 == 0) {
      							_v172 = 7;
      							_v168 = 0;
      							_v156 = 0x40;
      							_v160 =  &_v136;
      							ShowWindow( *0x4bcb5c, 0);
      							_t85 = SendMessageW;
      							_t103 = 0;
      							__eflags =  *0x4bd790 - _t103; // 0x0
      							if(__eflags > 0) {
      								do {
      									_t73 = GetDlgItem(_t99,  *(0x4bd794 + _t103 * 4));
      									__eflags = _t73;
      									if(_t73 != 0) {
      										_t74 = IsDlgButtonChecked(_t99,  *(0x4bd794 + _t103 * 4));
      										__eflags = _t74 - 1;
      										if(_t74 != 1) {
      											_t96 =  *0x4bd790; // 0x0
      											_t17 = _t96 - 1; // -1
      											__eflags = _t103 - _t17;
      											if(_t103 < _t17) {
      												do {
      													_t19 = _t103 + 1; // 0x1
      													_t100 = _t19;
      													SendMessageW( *0x4bcb5c, 0x105f, _t100,  &_v172);
      													SendMessageW( *0x4bcb5c, 0x1060, _t103,  &_v172);
      													 *(0x4bd794 + _t103 * 4) =  *(0x4bd798 + _t103 * 4);
      													_t103 = _t100;
      													_t96 =  *0x4bd790; // 0x0
      													_t25 = _t96 - 1; // -1
      													__eflags = _t103 - _t25;
      												} while (_t103 < _t25);
      												_t99 = _v140;
      											}
      											_t97 = _t96 - 1;
      											 *0x4bd790 = _t97;
      											SendMessageW( *0x4bcb5c, 0x101c, _t97, 0);
      											_t103 = _t103 | 0xffffffff;
      											__eflags = _t103;
      										}
      									}
      									_t103 = _t103 + 1;
      									__eflags = _t103 -  *0x4bd790; // 0x0
      								} while (__eflags < 0);
      							}
      							_t104 = 0;
      							__eflags = 0;
      							do {
      								_t27 = _t104 + 0x497f98; // 0x9c74
      								_t60 = IsDlgButtonChecked(_t99,  *_t27);
      								__eflags = _t60;
      								if(_t60 != 0) {
      									_t91 =  *0x4bd790; // 0x0
      									_t63 = 0;
      									__eflags = _t91;
      									if(_t91 > 0) {
      										_t28 = _t104 + 0x497f98; // 0x9c74
      										_t98 =  *_t28;
      										while(1) {
      											__eflags =  *((intOrPtr*)(0x4bd794 + _t63 * 4)) - _t98;
      											if( *((intOrPtr*)(0x4bd794 + _t63 * 4)) == _t98) {
      												goto L21;
      											}
      											_t63 = _t63 + 1;
      											__eflags = _t63 - _t91;
      											if(_t63 < _t91) {
      												continue;
      											}
      											goto L21;
      										}
      									}
      									L21:
      									__eflags = _t63 - _t91;
      									if(_t63 == _t91) {
      										_v152 = _t91;
      										_v164 = MulDiv(0x64,  *0x4bc894, 0x60);
      										_t34 = _t104 + 0x497f98; // 0x9c74
      										LoadStringW( *0x4bd2c4,  *_t34,  &_v136, 0x40);
      										_t67 =  *0x4bd790; // 0x0
      										_t35 = _t104 + 0x497f98; // 0x9c74
      										 *((intOrPtr*)(0x4bd794 + _t67 * 4)) =  *_t35;
      										_t68 = E00426300( *_t35);
      										_t106 = _t106 + 4;
      										__eflags = _t68;
      										_t69 =  *0x4bd790; // 0x0
      										_v168 = 0 | _t68 != 0x00000000;
      										_t70 = _t69 + 1;
      										__eflags = _t70;
      										 *0x4bd790 = _t70;
      										SendMessageW( *0x4bcb5c, 0x1061, _t69,  &_v172);
      									}
      								}
      								_t104 = _t104 + 4;
      								__eflags = _t104 - 0x6c;
      							} while (_t104 < 0x6c);
      							ShowWindow( *0x4bcb5c, 5);
      							EndDialog(_t99, 0);
      							L28:
      							__eflags = _v8 ^ _t105;
      							return E0046F77E(_t85, _v8 ^ _t105, _t98, _t99, _t102);
      						} else {
      							_t83 = _t57 - 1;
      							if(_t83 == 0) {
      								EndDialog(_t99, _t83);
      							}
      							goto L5;
      						}
      					}
      				}
      			}

      Instruction addresses: 0x00426710 to 0x0042699a (per-line address column of the decompiled function; the column's alignment with the C-code lines was not preserved)

      APIs
      • EndDialog.USER32(?,?), ref: 00426751
      • ShowWindow.USER32(00000000), ref: 0042679E
      • GetDlgItem.USER32 ref: 004267C8
      • IsDlgButtonChecked.USER32(?), ref: 004267DE
      • SendMessageW.USER32(0000105F,00000001,00000007), ref: 0042680C
      • SendMessageW.USER32(00001060,00000000,00000007), ref: 00426821
      • SendMessageW.USER32(0000101C,-00000001,00000000), ref: 0042685B
      • IsDlgButtonChecked.USER32(?,00009C74), ref: 00426877
      • MulDiv.KERNEL32(00000064,00000060), ref: 004268BD
      • LoadStringW.USER32(00009C74,?,00000040), ref: 004268DE
      • CheckDlgButton.USER32(?,00000001), ref: 0042697A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ButtonMessageSend$Checked$CheckDialogItemLoadShowStringWindow
      • String ID: @
      • API String ID: 3525671759-2766056989
      • Opcode ID: c4ea84e5bf71ab928f9eb8d8f97c6236422b443e2334507b6bb68b6bb3bcb5b8
      • Instruction ID: cc583a72da37750322819ecd7475232abe1b99e1edd86c09a2d9beda6ac5d758
      • Opcode Fuzzy Hash: c4ea84e5bf71ab928f9eb8d8f97c6236422b443e2334507b6bb68b6bb3bcb5b8
      • Instruction Fuzzy Hash: 9061B471A10125AFDB209F14FC85BAA77B5FB59304F4105BAE989D32A0EB39A844CF4C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E0040C2C0(int __edx, void* __edi, void* __esi, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
      				signed int _v8;
      				short _v528;
      				struct tagRECT _v544;
      				struct tagRECT _v560;
      				int _v564;
      				void* __ebx;
      				signed int _t24;
      				signed int _t26;
      				void* _t28;
      				void* _t32;
      				struct HWND__* _t35;
      				void* _t41;
      				int _t55;
      				struct HWND__* _t64;
      				int _t70;
      				int _t73;
      				void* _t75;
      				void* _t77;
      				int _t78;
      				signed int _t81;
      				void* _t82;
      
      				_t77 = __esi;
      				_t75 = __edi;
      				_t73 = __edx;
      				_t24 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t24 ^ _t81;
      				_t26 =  *0x4bc8c8; // 0x0
      				_t64 = _a4;
      				if((_t26 & 0x00000001) == 0) {
      					 *0x4bc8c4 = 0;
      					 *0x4bc8c8 = _t26 | 0x00000001;
      					E0046FD29(_t26 | 0x00000001, E0048D720);
      					_t82 = _t82 + 4;
      				}
      				_t28 = _a8 - 0x10;
      				if(_t28 == 0) {
      					L10:
      					EndDialog(_t64, 0);
      					goto L11;
      				} else {
      					_t32 = _t28 - 0x100;
      					if(_t32 == 0) {
      						_push(_t77);
      						_push(_t75);
      						E0040C660(0x4bc8b4, GetDlgItem(_t64, 0x40a), L"http://www.sysinternals.com");
      						_t35 =  *0x4bd2c0; // 0x0
      						__eflags = _t35;
      						if(_t35 != 0) {
      							GetWindowRect(_t35,  &_v544);
      							GetWindowRect(_t64,  &_v560);
      							_t70 = _v544.top + 0x3c;
      							_t73 = _v544.left + 0x46;
      							_t55 = _v560.right - _v560.left;
      							__eflags = _t55;
      							_v544.left = _t73;
      							_v544.top = _t70;
      							MoveWindow(_t64, _t73, _t70, _t55, _v560.bottom - _v560.top, 1);
      						}
      						GetModuleFileNameW(0,  &_v528, 0x104);
      						_v564 = 0;
      						_t78 = GetFileVersionInfoSizeW( &_v528,  &_v564);
      						_t41 = E00470444(_t64, _t73, _t75, _t78);
      						_t76 = _t41;
      						GetFileVersionInfoW( &_v528, 0, _t78, _t41);
      						SetDlgItemTextW(_t64, 0x46c, E0046E060(_t41, L"FileVersion"));
      						SetDlgItemTextW(_t64, 0x46b, E0046E060(_t41, L"LegalCopyright"));
      						E0047040C(_t76);
      						_pop(_t75);
      						_pop(_t77);
      						L11:
      						__eflags = _v8 ^ _t81;
      						return E0046F77E(_t64, _v8 ^ _t81, _t73, _t75, _t77);
      					} else {
      						if(_t32 != 1 || _a12 - 1 > 1) {
      							return E0046F77E(_t64, _v8 ^ _t81, _t73, _t75, _t77);
      						} else {
      							goto L10;
      						}
      					}
      				}
      			}

      Instruction addresses: 0x0040c2c0 to 0x0040c464 (per-line address column of the decompiled function; the column's alignment with the C-code lines was not preserved)

      APIs
      • GetDlgItem.USER32 ref: 0040C342
        • Part of subcall function 0040C660: _memset.LIBCMT ref: 0040C691
        • Part of subcall function 0040C660: LoadCursorW.USER32(00000000,00007F89), ref: 0040C6BE
        • Part of subcall function 0040C660: RegisterClassExW.USER32 ref: 0040C6E6
        • Part of subcall function 0040C660: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0040C6F3
        • Part of subcall function 0040C660: GetObjectW.GDI32(00000000,0000005C,?,?,?,?), ref: 0040C703
        • Part of subcall function 0040C660: CreateFontIndirectW.GDI32(?), ref: 0040C711
        • Part of subcall function 0040C660: ShowWindow.USER32(?,00000000,?,?,?,?), ref: 0040C72C
        • Part of subcall function 0040C660: GetWindowRect.USER32 ref: 0040C737
        • Part of subcall function 0040C660: GetParent.USER32(?), ref: 0040C74A
        • Part of subcall function 0040C660: MapWindowPoints.USER32 ref: 0040C74F
        • Part of subcall function 0040C660: GetModuleHandleW.KERNEL32(00000000,004BC8B4,?,?,?), ref: 0040C758
        • Part of subcall function 0040C660: GetParent.USER32(?), ref: 0040C762
        • Part of subcall function 0040C660: CreateWindowExW.USER32 ref: 0040C78A
      • GetWindowRect.USER32 ref: 0040C36A
      • GetWindowRect.USER32 ref: 0040C374
      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040C3B3
      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000), ref: 0040C3C7
      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0040C3E5
      • _malloc.LIBCMT ref: 0040C3ED
      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 0040C402
      • SetDlgItemTextW.USER32 ref: 0040C422
      • SetDlgItemTextW.USER32 ref: 0040C439
      • _free.LIBCMT ref: 0040C43C
      • EndDialog.USER32(?,00000000), ref: 0040C44B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$FileItemRect$CreateInfoModuleParentTextVersion$ClassCursorDialogFontHandleIndirectLoadMessageMoveNameObjectPointsRegisterSendShowSize_free_malloc_memset
      • String ID: FileVersion$LegalCopyright$http://www.sysinternals.com
      • API String ID: 1844586901-6530968
      • Opcode ID: b9450a1401f5b00505c9a43f69e3f03918ace9284dc768f58f66828fa15ddd05
      • Instruction ID: 08b09bc77c8a8681be14b73e751d54c35eee904da4f11f233525177f6587e6e6
      • Opcode Fuzzy Hash: b9450a1401f5b00505c9a43f69e3f03918ace9284dc768f58f66828fa15ddd05
      • Instruction Fuzzy Hash: 7141CCB5940218BBDB20EF75DCC9FAF77ACEB04304F1045BAF905E3282D67999448B69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040EDC0(void* _a4) {
      				char _v8;
      				void* _v12;
      				void* _v16;
      				void* _t27;
      
      				_t27 = _a4;
      				_v8 = 3;
      				RegSetValueExW(_t27, L"SupportedFeatures", 0, 4,  &_v8, 4);
      				RegCreateKeyW(_t27, L"Instances",  &_v16);
      				RegSetValueExW(_v16, L"DefaultInstance", 0, 1, L"Process Monitor 23 Instance", 0x36);
      				RegCreateKeyW(_v16, L"Process Monitor 23 Instance",  &_v12);
      				RegSetValueExW(_v12, L"Altitude", 0, 1, L"385200", 0xc);
      				_v8 = 0;
      				RegSetValueExW(_v12, L"Flags", 0, 4,  &_v8, 4);
      				RegCloseKey(_v12);
      				return RegCloseKey(_v16);
			}

      APIs
      • RegSetValueExW.ADVAPI32(0040F786,SupportedFeatures,00000000,00000004,?,00000004,00000000,76A1F690,?,0040F786), ref: 0040EDE8
      • RegCreateKeyW.ADVAPI32(0040F786,Instances,?), ref: 0040EDFA
      • RegSetValueExW.ADVAPI32(?,DefaultInstance,00000000,00000001,Process Monitor 23 Instance,00000036,?,0040F786), ref: 0040EE0F
      • RegCreateKeyW.ADVAPI32(?,Process Monitor 23 Instance,0040F786), ref: 0040EE1D
      • RegSetValueExW.ADVAPI32(0040F786,Altitude,00000000,00000001,385200,0000000C,?,0040F786), ref: 0040EE32
      • RegSetValueExW.ADVAPI32(0040F786,Flags,00000000,00000004,00000003,00000004,?,0040F786), ref: 0040EE4D
      • RegCloseKey.ADVAPI32(0040F786,?,0040F786), ref: 0040EE58
      • RegCloseKey.ADVAPI32(?,?,0040F786), ref: 0040EE5D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Value$CloseCreate
      • String ID: 385200$Altitude$DefaultInstance$Flags$Instances$Process Monitor 23 Instance$SupportedFeatures
      • API String ID: 390822645-2607731072
      • Opcode ID: 060d75c30d4338414e8ba5ed6a9e906c7f3a8b224c1f803edf16c56b9ba516f1
      • Instruction ID: d78a9b63ad59078c5a3bdc004dc37c046b3f9ca745d505b33911cd84ac9830c2
      • Opcode Fuzzy Hash: 060d75c30d4338414e8ba5ed6a9e906c7f3a8b224c1f803edf16c56b9ba516f1
      • Instruction Fuzzy Hash: 94110071A8021CBAEF20AB94DC02F9E7F78DB45B14F214072BA04B61E1C6F52A049B9C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0044B0E9(signed int __eax) {
      				void* __edi;
      				signed int _t21;
      				int _t25;
      				long _t31;
      				signed int _t34;
      				signed int _t47;
      				void* _t48;
      				void* _t55;
      				struct HWND__* _t56;
      				void* _t57;
      				void* _t58;
      				signed int _t59;
      				void* _t62;
      
      				_t21 = __eax;
      				do {
      					LoadStringW( *0x4bd2c4,  *(0x497f98 + _t21 * 4), _t59 - 0x218, 0x104);
      					_t25 = SendMessageW(GetDlgItem(_t56, 0x3fb), 0x143, 0, _t59 - 0x218);
      					SendMessageW(GetDlgItem(_t56, 0x3fb), 0x151, _t25,  *(0x497f98 +  *(_t59 - 0x238) * 4));
      					_t21 =  *(_t59 - 0x238) + 1;
      					 *(_t59 - 0x238) = _t21;
      					_t62 = _t21 -  *0x498004; // 0x1b
      				} while (_t62 < 0);
      				SendMessageW(GetDlgItem(_t56, 0x3fb), 0x14e, 0, 0);
      				_t31 =  *0x4bb0d4; // 0x4974f4
      				 *(_t59 - 0x230) = 0;
      				while(_t31 != 0) {
      					SendMessageW(GetDlgItem(_t56, 0x3fa), 0x143, 0, _t31);
      					_t47 =  *(_t59 - 0x230) + 1;
      					 *(_t59 - 0x230) = _t47;
      					_t31 = 0x4bb0d4[_t47];
      				}
      				SendMessageW(GetDlgItem(_t56, 0x3fa), 0x14e, 0, 0);
      				_t34 = 0;
      				 *(_t59 - 0x230) = 0;
      				do {
      					_t16 = _t34 + 0x4bb128; // 0x497834
      					SendMessageW(GetDlgItem(_t56, 0x3fe), 0x143, 0,  *_t16);
      					_t34 =  *(_t59 - 0x230) + 4;
      					 *(_t59 - 0x230) = _t34;
      				} while (_t34 < 8);
      				SendMessageW(GetDlgItem(_t56, 0x3fe), 0x14e, 0, 0);
      				SendMessageW(GetDlgItem(_t56, 0x3f9), 0x30,  *0x4bd708, 0);
      				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
      				_pop(_t57);
      				_pop(_t58);
      				return E0046F77E(_t48,  *(_t59 - 0x10) ^ _t59, _t55, _t57, _t58);
			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ItemMessageSend$LoadString
      • String ID:
      • API String ID: 2585412736-0
      • Opcode ID: af033247d5301f1a05b37050044d2a2f86acaf88ce31d1e9197455612867ac6c
      • Instruction ID: 9396925a143fb2caf8eaf0c58bb7f9e6e9a486066d8463a728955ffdfeb6e05a
      • Opcode Fuzzy Hash: af033247d5301f1a05b37050044d2a2f86acaf88ce31d1e9197455612867ac6c
      • Instruction Fuzzy Hash: 43311770A90319BBE7219F64DC9EF6E7A78FB44B00F000669F605E61E0DB749641CF68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 60%
      			E004602B0(WCHAR* _a4, intOrPtr _a8) {
      				long _v8;
      				char _v16;
      				signed int _v20;
      				intOrPtr _v131048;
      				signed short _v131052;
      				char _v131092;
      				intOrPtr _v131096;
      				void* _v131100;
      				intOrPtr _v131104;
      				intOrPtr* _v131108;
      				signed int _v131112;
      				intOrPtr _v131120;
      				char _v131124;
      				signed int _v131128;
      				signed int _v131132;
      				intOrPtr _v131136;
      				signed int _v131140;
      				intOrPtr _v131144;
      				intOrPtr _v131148;
      				intOrPtr _v131152;
      				intOrPtr _v131156;
      				char _v131160;
      				char _v131164;
      				char _v131196;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t93;
      				signed int _t94;
      				signed int _t98;
      				intOrPtr* _t99;
      				intOrPtr _t102;
      				signed int _t124;
      				void* _t132;
      				intOrPtr _t143;
      				void* _t151;
      				intOrPtr* _t152;
      				void* _t153;
      				void* _t154;
      				intOrPtr _t155;
      				signed int _t156;
      				intOrPtr _t163;
      				signed int _t166;
      				intOrPtr* _t168;
      				void* _t169;
      				long _t170;
      				intOrPtr _t171;
      				signed int _t172;
      				intOrPtr _t173;
      				signed int _t176;
      				intOrPtr* _t177;
      				void* _t178;
      				intOrPtr* _t179;
      				signed int _t180;
      				void* _t181;
      				void* _t182;
      				void* _t183;
      				void* _t197;
      				void* _t199;
      
      				_push(0xffffffff);
      				_push(E0048C31E);
      				_push( *[fs:0x0]);
      				E00472600(0x2006c);
      				_t93 =  *0x4bb1dc; // 0x2927074f
      				_t94 = _t93 ^ _t180;
      				_v20 = _t94;
      				_push(_t151);
      				_push(_t94);
      				 *[fs:0x0] =  &_v16;
      				_v131120 = _a8;
      				E00460690(_a4);
      				_t168 =  *0x4c27dc; // 0x0
      				_t182 = _t181 + 4;
      				if(_t168 == 0) {
      					_t168 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
      					 *0x4c27dc = _t168;
      				}
      				_t98 =  *0x4c252c; // 0x0
      				if((_t98 & 0x00000001) == 0) {
      					 *0x4c252c = _t98 | 0x00000001;
      					_v8 = 0;
      					 *0x4c2524 = 0;
      					 *0x4c2528 = 0;
      					 *0x4c2524 = E00460730();
      					E0046FD29(_t98 | 0x00000001, E0048E1C0);
      					_t168 =  *0x4c27dc; // 0x0
      					_t182 = _t182 + 4;
      					_v8 = 0xffffffff;
      				}
      				_t176 = 0xfa00;
      				_t99 = E00470444(_t151, _t166, _t168, 0xfa00);
      				_t183 = _t182 + 4;
      				_v131108 = _t99;
      				_t152 = _t99;
      				_push( &_v131124);
      				_push(0xfa00);
      				_push(_t152);
      				_push(5);
      				if( *_t168() == 0) {
      					L8:
      					_t177 = _t152;
      					_v131104 = _t152;
      					L9:
      					while(1) {
      						if( *(_t177 + 0x44) <= 4) {
      							L36:
      							_t102 =  *_t177;
      							if(_t102 == 0) {
      								E0047040C(_v131108);
      								 *[fs:0x0] = _v16;
      								_pop(_t169);
      								_pop(_t178);
      								_pop(_t153);
      								__eflags = _v20 ^ _t180;
      								return E0046F77E(_t153, _v20 ^ _t180, _t166, _t169, _t178);
      							}
      							_t177 = _t177 + _t102;
      							_v131104 = _t177;
      							continue;
      						}
      						_t170 =  *(_t177 + 0x44);
      						if(_t170 == GetCurrentProcessId()) {
      							goto L36;
      						}
      						_t154 = OpenProcess(0x1f0fff, 0, _t170);
      						_v131100 = _t154;
      						if(_t154 == 0) {
      							goto L36;
      						}
      						_t171 = 0;
      						_t179 = _t177 + 0xb8;
      						_v131096 = 0;
      						if( *((intOrPtr*)(_v131104 + 4)) <= 0) {
      							L35:
      							CloseHandle(_t154);
      							_t177 = _v131104;
      							goto L36;
      						}
      						while(WaitForSingleObject( *0x4bce44, 0) != 0) {
      							_v131156 =  *((intOrPtr*)(_t179 + 0x20));
      							_v131152 =  *((intOrPtr*)(_t179 + 0x30));
      							_v131148 =  *_t179;
      							_v131144 =  *((intOrPtr*)(_t179 + 4));
      							asm("movdqu xmm0, [ebp-0x20050]");
      							_v131140 =  *(_t179 + 8);
      							_v131136 =  *((intOrPtr*)(_t179 + 0xc));
      							_v131196 =  *((intOrPtr*)(_t179 + 0x24));
      							asm("movdqu [ebp-0x20070], xmm0");
      							asm("movq xmm0, [ebp-0x20040]");
      							asm("movq [ebp-0x20060], xmm0");
      							E0045FCF0(0x4c2524,  &_v131164, 0,  &_v131196,  *0x4c24fc & 0x000000ff);
      							_t163 = _v131164;
      							if(_v131160 != 0 ||  *((intOrPtr*)(_t163 + 0x18)) !=  *((intOrPtr*)(_t179 + 0x20))) {
      								L31:
      								asm("movdqu xmm0, [ebp-0x20050]");
      								asm("movdqu [ecx+0x18], xmm0");
      								asm("movq xmm0, [ebp-0x20040]");
      								asm("movq [ecx+0x28], xmm0");
      								goto L34;
      							} else {
      								_t124 =  *((intOrPtr*)(_t179 + 0xc));
      								_t166 =  *(_t179 + 8);
      								_t197 =  *((intOrPtr*)(_t163 + 0x2c)) - _t124;
      								if(_t197 > 0 || _t197 >= 0 &&  *(_t163 + 0x28) > _t166) {
      									goto L31;
      								} else {
      									_t172 =  *((intOrPtr*)(_t179 + 4));
      									_t199 =  *((intOrPtr*)(_t163 + 0x24)) - _t172;
      									_t155 =  *_t179;
      									_v131112 = _t172;
      									_t171 = _v131096;
      									if(_t199 > 0 || _t199 >= 0 &&  *((intOrPtr*)(_t163 + 0x20)) > _t155) {
      										L30:
      										_t154 = _v131100;
      										goto L31;
      									} else {
      										_t173 =  *((intOrPtr*)(_t179 + 0x30));
      										if( *((intOrPtr*)(_t163 + 0x1c)) > _t173) {
      											_t171 = _v131096;
      											goto L30;
      										}
      										_t166 = _t166 -  *(_t163 + 0x28);
      										asm("sbb eax, [ecx+0x2c]");
      										_t156 = _t155 -  *((intOrPtr*)(_t163 + 0x20));
      										_v131128 = _t124;
      										asm("sbb eax, [ecx+0x24]");
      										_t174 = _t173 !=  *((intOrPtr*)(_t163 + 0x1c));
      										_v131132 = _v131112;
      										 *((intOrPtr*)(_t163 + 0x20)) =  *_t179;
      										 *((intOrPtr*)(_t163 + 0x24)) = _v131112;
      										 *(_t163 + 0x28) =  *(_t179 + 8);
      										 *((intOrPtr*)(_t163 + 0x2c)) =  *((intOrPtr*)(_t179 + 0xc));
      										 *((intOrPtr*)(_t163 + 0x1c)) =  *((intOrPtr*)(_t179 + 0x30));
      										if(_t173 !=  *((intOrPtr*)(_t163 + 0x1c)) || (_t166 | _v131128) != 0 || (_t156 | _v131132) != 0) {
      											_t154 = _v131100;
      											_t132 = L0045FE00(_t166,  *((intOrPtr*)(_t179 + 0x20)),  *((intOrPtr*)(_t179 + 0x24)), _t154, _t166, _t156, _t174,  &_v131092, _v131120);
      											_t183 = _t183 + 0x20;
      											if(_t132 != 0) {
      												E004397E0(_v131048 + (_v131052 & 0x0000ffff) * 4 + 0x34,  &_v131092);
      												_t183 = _t183 + 8;
      											}
      										} else {
      											_t154 = _v131100;
      										}
      										_t171 = _v131096;
      										L34:
      										_t171 = _t171 + 1;
      										_t179 = _t179 + 0x40;
      										_v131096 = _t171;
      										if(_t171 <  *((intOrPtr*)(_v131104 + 4))) {
      											continue;
      										}
      										goto L35;
      									}
      								}
      							}
      						}
      						goto L35;
      					}
      				} else {
      					do {
      						E0047040C(_t152);
      						_t176 = _t176 << 2;
      						_t143 = E00470444(_t152, _t166, _t168, _t176);
      						_t183 = _t183 + 8;
      						_t152 = _t143;
      						_push( &_v131124);
      						_push(_t176);
      						_push(_t152);
      						_push(5);
      					} while ( *0x4c27dc() != 0);
      					_v131108 = _t152;
      					goto L8;
      				}
			}

      APIs
        • Part of subcall function 00460690: GetSystemInfo.KERNEL32(004C2500,00000000,00000000,74D0EA30,?,004602F4,?,2927074F,00000000,00000000,74D0EA30,00000000,0048C31E,000000FF,?,0043B479), ref: 004606A8
        • Part of subcall function 00460690: GetModuleHandleW.KERNEL32(kernel32.dll,?,004602F4,?,2927074F,00000000,00000000,74D0EA30,00000000,0048C31E,000000FF,?,0043B479,004BD8B0,004BCA10), ref: 004606B9
        • Part of subcall function 00460690: GetModuleHandleW.KERNEL32(ntdll.dll,?,004602F4,?,2927074F,00000000,00000000,74D0EA30,00000000,0048C31E,000000FF,?,0043B479,004BD8B0,004BCA10), ref: 004606C2
        • Part of subcall function 00460690: LoadLibraryW.KERNEL32(?,?,004602F4,?,2927074F,00000000,00000000,74D0EA30,00000000,0048C31E,000000FF,?,0043B479,004BD8B0,004BCA10), ref: 004606C9
        • Part of subcall function 00460690: GetProcAddress.KERNEL32(00000000,Process32First), ref: 004606DB
        • Part of subcall function 00460690: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004606E8
        • Part of subcall function 00460690: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 004606F5
        • Part of subcall function 00460690: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00460702
        • Part of subcall function 00460690: GetProcAddress.KERNEL32(00000000,NtSuspendThread), ref: 0046070F
        • Part of subcall function 00460690: GetProcAddress.KERNEL32(00000000,NtResumeThread), ref: 0046071C
      • GetModuleHandleW.KERNEL32(ntdll.dll,NtQuerySystemInformation), ref: 0046030B
      • GetProcAddress.KERNEL32(00000000), ref: 00460312
      • _malloc.LIBCMT ref: 0046037B
      • _free.LIBCMT ref: 004603A1
      • _malloc.LIBCMT ref: 004603AA
      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004603ED
      • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00460403
      • WaitForSingleObject.KERNEL32(00000000), ref: 00460448
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AddressProc$HandleModule$Process_malloc$CurrentInfoLibraryLoadObjectOpenSingleSystemWait_free
      • String ID: $%L$$%L$NtQuerySystemInformation$ntdll.dll
      • API String ID: 928006588-621312615
      • Opcode ID: 820cf7fd88d03ff6cd0f0da365b984e84134ffe4bc675fbb976b3cd5c67f82ed
      • Instruction ID: 8efb58c6d63ef5df7f8822474bfb250d6e180baf9165d9e0d8daddbdbf4ac46e
      • Opcode Fuzzy Hash: 820cf7fd88d03ff6cd0f0da365b984e84134ffe4bc675fbb976b3cd5c67f82ed
      • Instruction Fuzzy Hash: D7B149B19443189FEB60CF29CD80B9AB7F4FB48304F1045AAE94DA7302E775A985CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E0046C990(struct HWND__** _a4) {
      				long _v8;
      				long _v16;
      				struct HWND__* _v20;
      				long _v24;
      				void* _v28;
      				void* __ebx;
      				signed int _t60;
      				long _t62;
      				int _t96;
      				struct HWND__* _t103;
      				void* _t104;
      				struct HWND__* _t129;
      				void* _t131;
      				struct HWND__** _t134;
      				signed int _t138;
      				void* _t139;
      				void* _t140;
      				void* _t141;
      
      				_push(0xffffffff);
      				_push(E0048D530);
      				_push( *[fs:0x0]);
      				_t140 = _t139 - 0xc;
      				_t60 =  *0x4bb1dc; // 0x2927074f
      				_push(_t60 ^ _t138);
      				_t62 =  &_v16;
      				 *[fs:0x0] = _t62;
      				_t134 = _a4;
      				_t129 = _t134[7];
      				if(_t129 != 0) {
      					 *((char*)(_t129 + 0x14)) = 1;
      					WaitForSingleObject( *(_t129 + 0x18), 0xffffffff);
      					CloseHandle( *(_t129 + 0x18));
      					_t7 = _t129 + 0x20; // 0x2927076f
      					_t62 = InterlockedDecrement(_t7);
      					if(_t62 == 0) {
      						_t8 = _t129 + 8; // 0x29270757
      						E0046DD90(_t8);
      						_t62 = E0046EF07(_t129);
      						_t140 = _t140 + 4;
      					}
      				}
      				if(_t134[5] != 0) {
      					L21:
      					 *[fs:0x0] = _v16;
      					return _t62;
      				} else {
      					_t103 = GetDlgItem(GetParent( *_t134), 0x42f);
      					_v20 = _t103;
      					_t62 = E0046C230(_t134[1]);
      					_t141 = _t140 + 4;
      					if(_t62 != 0) {
      						if(_t134[5] == 0) {
      							_v28 = 0;
      							_v24 = 0;
      							_v28 = E004232B0();
      							_t131 = 0;
      							_v8 = 0;
      							_t124 = 0x66666667 * (_t134[3] - _t134[2]) >> 0x20 >> 4;
      							if((0x66666667 * (_t134[3] - _t134[2]) >> 0x20 >> 4 >> 0x1f) + (0x66666667 * (_t134[3] - _t134[2]) >> 0x20 >> 4) == 0) {
      								L17:
      								if((0x66666667 * (_t134[3] - _t134[2]) >> 0x20 >> 4 >> 0x1f) + (0x66666667 * (_t134[3] - _t134[2]) >> 0x20 >> 4) != 0) {
      									SendMessageW( *_t134, 0x101e, 2, 0xffff);
      								}
      								SetWindowTextW(_t103, 0x48fc20);
      								EnterCriticalSection(0x4c27e4);
      								 *0x4c2784(_t134[1]);
      								LeaveCriticalSection(0x4c27e4);
      							} else {
      								_t104 = 0;
      								do {
      									_t83 = _t134[2] + _t104;
      									if( *((intOrPtr*)(_t134[2] + _t104 + 0x20)) == 0) {
      										goto L15;
      									} else {
      										E0046B7A0(_t104, _t124,  &_a4, _t134[1], _t83,  &_v28, _v20, 0);
      										_t141 = _t141 + 0x18;
      										_v8 = 1;
      										if(_t134[5] != 0) {
      											_t117 = _a4;
      											_v8 = 0;
      											if(_a4 != 0) {
      												E0046A700(_t117);
      											}
      										} else {
      											if(E0046A720( &_a4) != 0) {
      												E00436730( *_t134, _t131, 2,  &_a4);
      												_t141 = _t141 + 0x10;
      											}
      											_t119 = _a4;
      											_v8 = 0;
      											if(_a4 != 0) {
      												E0046A700(_t119);
      											}
      											goto L15;
      										}
      									}
      									goto L20;
      									L15:
      									_t131 = _t131 + 1;
      									_t104 = _t104 + 0x28;
      									_t124 = 0x66666667 * (_t134[3] - _t134[2]) >> 0x20 >> 4;
      								} while (_t131 < (0x66666667 * (_t134[3] - _t134[2]) >> 0x20 >> 4 >> 0x1f) + (0x66666667 * (_t134[3] - _t134[2]) >> 0x20 >> 4));
      								_t103 = _v20;
      								goto L17;
      							}
      							L20:
      							_v8 = 0xffffffff;
      							E0040E1E0( &_v28,  &_a4,  *_v28, _v28);
      							_t62 = E0046EF07(_v28);
      						}
      						goto L21;
      					} else {
      						_t96 = SetWindowTextW(_t103, L"Configure the symbol engine for symbols");
      						 *[fs:0x0] = _v16;
      						return _t96;
      					}
      				}
			}

      APIs
      • WaitForSingleObject.KERNEL32(?,000000FF,2927074F), ref: 0046C9CB
      • CloseHandle.KERNEL32(?), ref: 0046C9D4
      • InterlockedDecrement.KERNEL32(2927076F), ref: 0046C9DE
      • GetParent.USER32(?), ref: 0046CA0A
      • GetDlgItem.USER32 ref: 0046CA11
      • SetWindowTextW.USER32(00000000,Configure the symbol engine for symbols), ref: 0046CA31
      • SendMessageW.USER32(?,0000101E,00000002,0000FFFF), ref: 0046CB3C
      • SetWindowTextW.USER32(00000000,0048FC20), ref: 0046CB48
      • EnterCriticalSection.KERNEL32(004C27E4,?,?,?,0048D530,000000FF), ref: 0046CB56
      • LeaveCriticalSection.KERNEL32(004C27E4,?,?,?,0048D530,000000FF), ref: 0046CB68
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSectionTextWindow$CloseDecrementEnterHandleInterlockedItemLeaveMessageObjectParentSendSingleWait
      • String ID: Configure the symbol engine for symbols$gfff$gfff$gfff
      • API String ID: 307883437-2595433044
      • Opcode ID: a387a45c18d2a9a2e8ee109af371ee03a761e400c97a2ab4ea9b1550ea94b1ba
      • Instruction ID: f3a1d67328bf2cd77a4df89372c89189fb4e28af995044e1524efba3f9cb7925
      • Opcode Fuzzy Hash: a387a45c18d2a9a2e8ee109af371ee03a761e400c97a2ab4ea9b1550ea94b1ba
      • Instruction Fuzzy Hash: 6E513671A00605AFDB14DFA5ED45B6EBBB4EF04304F00453EF94593391E779A904CB9A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E00450CD0(void* __ebx, signed int __edx, struct HWND__* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				int _v24;
      				int _v60;
      				char _v64;
      				intOrPtr _v68;
      				int _v72;
      				int _v76;
      				void* __edi;
      				void* __esi;
      				signed int _t35;
      				signed int _t36;
      				void* _t39;
      				int _t41;
      				void* _t48;
      				int _t49;
      				int _t53;
      				void* _t66;
      				void* _t68;
      				signed int _t97;
      				struct HWND__* _t99;
      				void* _t100;
      				intOrPtr _t102;
      				void* _t103;
      				void* _t104;
      				WCHAR* _t105;
      				signed int _t107;
      
      				_t97 = __edx;
      				_t79 = __ebx;
      				_push(0xffffffff);
      				_push(E0048B333);
      				_push( *[fs:0x0]);
      				_t35 =  *0x4bb1dc; // 0x2927074f
      				_t36 = _t35 ^ _t107;
      				_v20 = _t36;
      				_push(_t36);
      				 *[fs:0x0] =  &_v16;
      				_t102 = _a16;
      				_t99 = _a4;
      				_v68 = _t102;
      				_t39 = _a8 - 2;
      				if(_t39 == 0) {
      					_t103 =  *0x4bd2b4; // 0x0
      					asm("xorps xmm0, xmm0");
      					_v64 = 0x2c;
      					_v60 = 0;
      					asm("movdqu [ebp-0x34], xmm0");
      					_v24 = 0;
      					asm("movdqu [ebp-0x24], xmm0");
      					_t41 = GetWindowPlacement(_t99,  &_v64);
      					__eflags = _t41;
      					if(_t41 != 0) {
      						RegSetValueExW(_t103, L"ModulePropertiesDialog", 0, 3,  &_v64, 0x2c);
      					}
      					InvalidateRect(GetParent(_t99), 0, 0);
      					L15:
      					L16:
      					 *[fs:0x0] = _v16;
      					_pop(_t100);
      					_pop(_t104);
      					return E0046F77E(_t79, _v20 ^ _t107, _t97, _t100, _t104);
      				}
      				_t48 = _t39 - 0x10e;
      				if(_t48 == 0) {
      					_push(0x40);
      					_t49 = E0046EEB6(__ebx, _t99, __eflags);
      					_v72 = _t49;
      					_v8 = 0;
      					__eflags = _t49;
      					if(_t49 != 0) {
      						E00445770(_t99);
      					}
      					_v8 = 0xffffffff;
      					E004585D0(_t99,  *0x4bd2b4, L"ModulePropertiesDialog");
      					_v72 = _t102 + 0xc;
      					_t105 = E0046A170(_t102 + 0xc);
      					_t53 = E00471495(_t105, 0x5c);
      					__eflags = _t53;
      					if(_t53 != 0) {
      						_t13 = _t53 + 2; // 0x2
      						_t105 = _t13;
      					}
      					SetDlgItemTextW(_t99, 0x404, _t105);
      					SetDlgItemTextW(_t99, 0x403, E0046A170(_v72));
      					SetDlgItemTextW(_t99, 0x46c, E0046A170(_v68 + 0x10));
      					SetDlgItemTextW(_t99, 0x40a, E0046A170(_v68 + 0x14));
      					SetDlgItemTextW(_t99, 0x40b, E0046A170(_v68 + 0x18));
      					asm("cdq");
      					asm("adc edx, 0x2");
      					_t66 = E004725C0( *((intOrPtr*)(_v68 + 8)) + 0xb6109100, _t97, 0x989680, 0);
      					_push(_t97);
      					_t68 = L00433FE0(_t97 >> 0x1f,  &_v76, _t66);
      					_v8 = 1;
      					SetDlgItemTextW(_t99, 0x40c, E0046A170(_t68));
      					_t95 = _v76;
      					_v8 = 0xffffffff;
      					__eflags = _v76;
      					if(_v76 != 0) {
      						E0046A700(_t95);
      					}
      					goto L16;
      				}
      				if(_t48 == 1 && (_a12 & 0x0000ffff) - 1 <= 1) {
      					EndDialog(_t99, 0);
      				}
      				goto L15;
      			}

      Address column of the decompiled listing above (E00450CD0): per-line instruction addresses in the range 0x00450cd0 to 0x00450ecf.

      APIs
      • EndDialog.USER32(?,00000000), ref: 00450D30
      • _wcsrchr.LIBCMT ref: 00450D88
      • SetDlgItemTextW.USER32 ref: 00450DA4
      • SetDlgItemTextW.USER32 ref: 00450DB5
      • SetDlgItemTextW.USER32 ref: 00450DC9
      • SetDlgItemTextW.USER32 ref: 00450DDD
      • SetDlgItemTextW.USER32 ref: 00450DF1
      • SetDlgItemTextW.USER32 ref: 00450E38
      • GetWindowPlacement.USER32(?,?,2927074F), ref: 00450E81
      • RegSetValueExW.ADVAPI32(00000000,ModulePropertiesDialog,00000000,00000003,0000002C,0000002C), ref: 00450E9B
      • GetParent.USER32(?), ref: 00450EA6
      • InvalidateRect.USER32(00000000), ref: 00450EAD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ItemText$DialogInvalidateParentPlacementRectValueWindow_wcsrchr
      • String ID: ,$ModulePropertiesDialog
      • API String ID: 354358640-28183819
      • Opcode ID: 1500361ed53812e92045694eccde8d54e5fb48523416418b2418e1d23aa67c0e
      • Instruction ID: d0550ce8e9b93cadd9f5cb5a002515a925098b7482b809f9e67098793f2af863
      • Opcode Fuzzy Hash: 1500361ed53812e92045694eccde8d54e5fb48523416418b2418e1d23aa67c0e
      • Instruction Fuzzy Hash: 5A518071A00208ABDB10EF64DC46FBE77B8EF45715F10452EF901B72D2EB78A9068B59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0045A1B0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, void* _a12) {
      				signed int _v8;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				intOrPtr _v36;
      				WCHAR* _v40;
      				intOrPtr _v44;
      				WCHAR* _v48;
      				struct HINSTANCE__* _v52;
      				intOrPtr _v56;
      				intOrPtr _v60;
      				intOrPtr _v80;
      				intOrPtr _v84;
      				intOrPtr _v88;
      				WCHAR* _v92;
      				intOrPtr _v96;
      				WCHAR* _v100;
      				struct HINSTANCE__* _v104;
      				intOrPtr _v108;
      				intOrPtr _v112;
      				intOrPtr _v132;
      				intOrPtr _v136;
      				intOrPtr _v140;
      				WCHAR* _v144;
      				intOrPtr _v148;
      				WCHAR* _v152;
      				struct HINSTANCE__* _v156;
      				char _v160;
      				char _v164;
      				intOrPtr _v180;
      				char* _v184;
      				intOrPtr _v188;
      				intOrPtr _v192;
      				WCHAR* _v196;
      				intOrPtr _v200;
      				struct HINSTANCE__* _v204;
      				struct HWND__* _v208;
      				char _v212;
      				void* _v216;
      				void* __esi;
      				signed int _t47;
      				intOrPtr _t53;
      				struct HINSTANCE__* _t61;
      				struct HWND__* _t67;
      				signed int _t68;
      
      				_t47 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t47 ^ _t68;
      				_t67 = _a4;
      				E00470030( &_v160, 0, 0x98);
      				E00470030( &_v212, 0, 0x30);
      				_t53 = _a8;
      				_t61 =  *0x4bd2c4; // 0x400000
      				_v136 = _t53;
      				_v84 = _t53;
      				_v32 = _t53;
      				_v184 =  &_v164;
      				_v180 = 0;
      				_t55 =  ==  ? 2 : 0;
      				_v188 =  ==  ? 2 : 0;
      				_v164 = 0x34;
      				_v160 = 8;
      				_v156 = _t61;
      				_v152 = L"PROP_EVENT";
      				_v148 = 0;
      				_v140 = E00448530;
      				_v144 = L"Event";
      				_v132 = 0;
      				_v112 = 0x34;
      				_v108 = 8;
      				_v104 = _t61;
      				_v100 = L"PROP_PROCESS";
      				_v96 = 0;
      				_v88 = E00454390;
      				_v92 = L"Process";
      				_v80 = 0;
      				_v60 = 0x34;
      				_v56 = 8;
      				_v52 = _t61;
      				_v48 = L"PROP_STACKTRACE";
      				_v44 = 0;
      				_v36 = E0045AF80;
      				_v40 = L"Stack";
      				_v28 = 0;
      				_v216 = 0x34;
      				_v212 = 0x2000488;
      				_v208 = _t67;
      				_v204 = _t61;
      				_v200 = 0;
      				_v196 = L"Event Properties";
      				_v192 = 3;
      				CreateDialogParamW(_t61, L"PROPERTIES", _t67, E00456C10,  &_v216);
      				return E0046F77E(__ebx, _v8 ^ _t68, 2, __edi, _t67);
      			}

      Address column of the decompiled listing above (E0045A1B0): per-line instruction addresses in the range 0x0045a1b9 to 0x0045a343.

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _memset$CreateDialogParam
      • String ID: lI$4$4$4$4$8:J$Event Properties$P:J$PROPERTIES$\:J$x:J
      • API String ID: 107006318-1572845698
      • Opcode ID: 9417f4bbcc26476ed784bbb9b7f9b859a23d1ddc109909487210a0a287660360
      • Instruction ID: 2311d4ef295794a8890352d6fdd52901eb37a7dc6eb3f1885f5f3d0471b90197
      • Opcode Fuzzy Hash: 9417f4bbcc26476ed784bbb9b7f9b859a23d1ddc109909487210a0a287660360
      • Instruction Fuzzy Hash: 2341A7B0D01368DBEB10DF94D8597CDBBB4BB05308F50819EE548BB241D7B95A89CF98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E00430630(void** __ecx, signed int _a4, long _a8, long _a12, void* _a16, char _a19) {
      				void* _v8;
      				struct _CRITICAL_SECTION* _v12;
      				long _v16;
      				char _v20;
      				void* _v24;
      				void* _v28;
      				LONG* _v36;
      				long _t132;
      				struct _CRITICAL_SECTION* _t134;
      				void* _t135;
      				signed int _t137;
      				signed int _t141;
      				void* _t142;
      				void* _t148;
      				LONG* _t149;
      				void* _t151;
      				void* _t156;
      				void* _t161;
      				void* _t173;
      				void* _t178;
      				void* _t191;
      				void* _t192;
      				signed int _t197;
      				long _t198;
      				void* _t203;
      				void* _t210;
      				long _t211;
      				void* _t212;
      				void* _t214;
      				void* _t217;
      				void* _t218;
      				void* _t219;
      				void** _t220;
      				long _t221;
      				void* _t223;
      				void* _t225;
      				void* _t226;
      				void* _t227;
      				void** _t236;
      				void** _t237;
      
      				_t205 = __ecx;
      				_t236 = __ecx;
      				if( *((intOrPtr*)(__ecx + 0xc)) != 0xffffffff ||  *((intOrPtr*)(__ecx + 0x10)) != 0) {
      					_t197 = _a4;
      					_t225 = _a12;
      					_t6 =  &(_t236[7]); // 0x0
      					__eflags = _a8 -  *_t6;
      					if(__eflags > 0) {
      						L7:
      						_t132 = GetTickCount();
      						__eflags = _t132 -  *0x4bcb74 - 0x1388;
      						if(_t132 -  *0x4bcb74 > 0x1388) {
      							 *0x4bcb74 = GetTickCount();
      							E00430B40(_t205);
      						}
      						_t8 =  &(_t236[0x38]); // 0x4c2668
      						_t134 = _t8;
      						_v12 = _t134;
      						EnterCriticalSection(_t134);
      						__eflags = _a16;
      						if(_a16 == 0) {
      							L16:
      							_t15 =  &(_t236[7]); // 0x0
      							_t135 =  *_t15;
      							_t17 =  &(_t236[6]); // 0x7801d0
      							_t217 =  *_t17;
      							__eflags = _a8 - _t135;
      							if(__eflags < 0) {
      								L23:
      								_t218 = _t217 - _t197;
      								asm("sbb eax, ecx");
      								__eflags = 0 - _t135;
      								if(__eflags >= 0) {
      									if(__eflags > 0) {
      										L26:
      										_t24 =  &(_t236[6]); // 0x7801d0
      										_t225 =  *_t24 - _t197;
      										__eflags = _t225;
      									} else {
      										__eflags = _t225 - _t218;
      										if(_t225 > _t218) {
      											goto L26;
      										}
      									}
      								}
      								goto L27;
      							} else {
      								if(__eflags > 0) {
      									L19:
      									_a16 = _t225;
      									_a16 = _a16 + _t197;
      									asm("adc eax, ecx");
      									_t21 =  &(_t236[7]); // 0x0
      									__eflags = 0 -  *_t21;
      									if(__eflags < 0) {
      										L22:
      										_t23 =  &(_t236[7]); // 0x0
      										_t135 =  *_t23;
      										goto L23;
      									} else {
      										if(__eflags > 0) {
      											goto L15;
      										} else {
      											__eflags = _a16 - _t217;
      											if(_a16 > _t217) {
      												goto L15;
      											} else {
      												goto L22;
      											}
      										}
      									}
      								} else {
      									__eflags = _t197 - _t217;
      									if(_t197 < _t217) {
      										goto L23;
      									} else {
      										goto L19;
      									}
      								}
      							}
      						} else {
      							__eflags = _t236[1];
      							if(_t236[1] != 0) {
      								goto L16;
      							} else {
      								_t191 = _t225 + _t197;
      								asm("adc ecx, [ebp+0xc]");
      								_t12 =  &(_t236[7]); // 0x0
      								__eflags = 0 -  *_t12;
      								if(__eflags < 0) {
      									L27:
      									_t25 =  &(_t236[2]); // 0x80
      									_t208 =  *_t25;
      									_t219 = _a8;
      									_t27 = _t208 - 1; // 0x7f
      									_t137 = _t27 & _t197;
      									_t198 = _t197 - _t137;
      									_v36 = _t198;
      									asm("sbb edx, 0x0");
      									_a8 = _t219;
      									_t141 = _t137 - 0x00000001 +  *_t25 + _t225 &  ~( *_t25);
      									__eflags = _t236[1];
      									_a12 = _t141;
      									if(_t236[1] == 0) {
      										_t210 = _t219;
      									} else {
      										_t210 = _a8;
      										_t223 = _t141 + _t198;
      										asm("adc eax, ecx");
      										_t33 =  &(_t236[7]); // 0x0
      										__eflags = 0 -  *_t33;
      										if(__eflags >= 0) {
      											if(__eflags > 0) {
      												L31:
      												_t35 =  &(_t236[6]); // 0x7801d0
      												_a12 =  *_t35 - _t198;
      											} else {
      												_t34 =  &(_t236[6]); // 0x7801d0
      												__eflags = _t223 -  *_t34;
      												if(_t223 >  *_t34) {
      													goto L31;
      												}
      											}
      										}
      									}
      									_v20 = 0xffffffd8;
      									_t38 =  &(_t236[0xa]); // 0x4c25b0
      									_t220 = _t38;
      									_t226 = 0;
      									_v8 = 0xffffffff;
      									_t40 =  &_v20;
      									 *_t40 = _v20 - _t236;
      									__eflags =  *_t40;
      									_a19 = 0;
      									_v24 = 0xffffffe0;
      									while(1) {
      										_t44 =  &(_t220[1]); // 0x4bd710
      										__eflags = _t210 -  *_t44;
      										if(__eflags < 0) {
      											goto L40;
      										}
      										if(__eflags > 0) {
      											L37:
      											_t45 =  &(_t220[2]); // 0x0
      											_t210 = 0;
      											_v28 =  *_t45 +  *_t220;
      											asm("adc ecx, [edx+0x4]"); // 0x4bd710
      											_v16 = _a12;
      											_v16 = _v16 + _t198;
      											asm("adc eax, [ebp+0xc]");
      											__eflags = 0;
      											if(0 < 0) {
      												L49:
      												_t142 = _t226;
      												_a19 = 1;
      											} else {
      												if(0 > 0) {
      													goto L40;
      												} else {
      													__eflags = _v16 - _v28;
      													if(_v16 <= _v28) {
      														goto L49;
      													} else {
      														goto L40;
      													}
      												}
      											}
      										} else {
      											__eflags = _t198 -  *_t220;
      											if(_t198 <  *_t220) {
      												goto L40;
      											} else {
      												goto L37;
      											}
      										}
      										L50:
      										__eflags = _t142;
      										if(_t142 < 0) {
      											_t143 = _v12;
      											LeaveCriticalSection(_v12);
      											_push(_t198);
      											goto L67;
      										} else {
      											_t71 = _t142 + 1; // 0x2
      											_t226 = _t236 + (_t71 << 5);
      											_t72 = _t226 + 0x14; // 0x16
      											_t149 = _t72;
      											_v36 = _t149;
      											InterlockedIncrement(_t149);
      											__eflags = _a19;
      											if(_a19 == 0) {
      												_t151 =  *(_t226 + 4);
      												__eflags = _t151;
      												if(_t151 != 0) {
      													UnmapViewOfFile(_t151);
      												}
      												_t211 = _a8;
      												_t221 = _a12;
      												 *(_t226 + 8) = _t198;
      												 *(_t226 + 0xc) = _t211;
      												 *(_t226 + 0x10) = _t221;
      												_t236[0x3f] = _t236[0x3f] + 1;
      												_t87 =  &(_t236[0x3f]); // 0x4bd895
      												 *(_t226 + 0x18) =  *_t87;
      												__eflags = _t236[1];
      												_a19 = 1;
      												_v28 = 0;
      												_t96 =  &(_t236[4]); // 0x0
      												_t156 = MapViewOfFile( *_t96, 2 + (0 | _t236[1] != 0x00000000) * 2, _t211, _t198, _t221);
      												 *(_t226 + 4) = _t156;
      												__eflags = _t156;
      												if(_t156 == 0) {
      													while(1) {
      														__eflags = _a19;
      														if(_a19 == 0) {
      															goto L60;
      														}
      														_a19 = 0;
      														E00430B40(_t211);
      														__eflags = _t236[1];
      														_t107 =  &(_t236[4]); // 0x0
      														_t173 = MapViewOfFile( *_t107, 2 + (0 | _t236[1] != 0x00000000) * 2, _a8, _t198, _a12);
      														 *(_t226 + 4) = _t173;
      														__eflags = _t173;
      														if(_t173 == 0) {
      															continue;
      														}
      														goto L60;
      													}
      												}
      												L60:
      												_t210 =  *(_t226 + 4);
      												__eflags = _t210;
      												if(_t210 != 0) {
      													__eflags =  *_t236;
      													if( *_t236 == 0) {
      														goto L53;
      													} else {
      														__eflags = _t236[1];
      														_t161 = VirtualAlloc(_t210, _a12, 0x1000, 2 + (0 | _t236[1] == 0x00000000) * 2);
      														_t212 =  *(_t226 + 4);
      														__eflags = _t161 - _t212;
      														if(_t161 == _t212) {
      															goto L53;
      														} else {
      															UnmapViewOfFile(_t212);
      															_t120 = _t226 + 0x14; // 0x100000014
      															 *(_t226 + 4) = 0;
      															 *(_t226 + 0x10) = 0;
      															InterlockedDecrement(_t120);
      															_t123 =  &(_t236[0x38]); // 0x4c2668
      															LeaveCriticalSection(_t123);
      															goto L65;
      														}
      													}
      												} else {
      													InterlockedDecrement(_v36);
      													_t143 = _v12;
      													LeaveCriticalSection(_v12);
      													_push(_a12);
      													L67:
      													 *((intOrPtr*)(E00471C2F(_t143)))();
      													_a16 = 8;
      													E0046F78D( &_a16, 0x4affc8);
      													asm("int3");
      													asm("int3");
      													asm("int3");
      													asm("int3");
      													asm("int3");
      													asm("int3");
      													_push(_t198);
      													_push(_t236);
      													_push(_t226);
      													_t237 = _t210 + 0x24;
      													_t227 = 6;
      													do {
      														_t148 =  *_t237;
      														__eflags = _t148;
      														if(_t148 != 0) {
      															_t148 = UnmapViewOfFile(_t148);
      															 *_t237 = 0;
      															_t237[1] = 0;
      															_t237[2] = 0;
      															_t237[3] = 0;
      														}
      														_t237 =  &(_t237[8]);
      														_t227 = _t227 - 1;
      														__eflags = _t227;
      													} while (_t227 != 0);
      													return _t148;
      												}
      											} else {
      												_t75 =  &(_t236[0x3f]);
      												 *_t75 = _t236[0x3f] + 1;
      												__eflags =  *_t75;
      												_t77 =  &(_t236[0x3f]); // 0x4bd895
      												 *(_t226 + 0x18) =  *_t77;
      												L53:
      												return _t226;
      											}
      										}
      										goto L73;
      										L40:
      										__eflags = _t220[3];
      										if(_t220[3] != 0) {
      											L46:
      											_t142 = _v8;
      										} else {
      											__eflags = _v8 - 0xffffffff;
      											if(_v8 == 0xffffffff) {
      												L45:
      												_t142 = _t226;
      												_t210 = _v20 + _t220;
      												_v8 = _t142;
      												_v24 = _t210;
      											} else {
      												__eflags =  *(_t220 - 4);
      												if( *(_t220 - 4) != 0) {
      													L44:
      													_t203 = _v24;
      													_t60 =  &(_t236[0x3f]); // 0x4bd895
      													_t214 =  *_t60;
      													_t61 =  &(_t220[4]); // 0x7801d0
      													_t210 = _t214 -  *_t61;
      													_t198 = _v36;
      													__eflags = _t210 - _t214 -  *((intOrPtr*)(_t203 +  &(_t236[0xe])));
      													if(_t210 <= _t214 -  *((intOrPtr*)(_t203 +  &(_t236[0xe])))) {
      														goto L46;
      													} else {
      														goto L45;
      													}
      												} else {
      													_t178 = _v24;
      													__eflags =  *(_t178 +  &(_t236[9]));
      													if( *(_t178 +  &(_t236[9])) != 0) {
      														goto L45;
      													} else {
      														goto L44;
      													}
      												}
      											}
      										}
      										_t226 = _t226 + 1;
      										_t220 =  &(_t220[8]);
      										__eflags = _t226 - 6;
      										if(_t226 < 6) {
      											_t210 = _a8;
      											continue;
      										}
      										goto L50;
      									}
      								} else {
      									if(__eflags > 0) {
      										L14:
      										_t192 = E00430C30(_t236, _t191, 0);
      										__eflags = _t192;
      										if(_t192 != 0) {
      											goto L27;
      										} else {
      											L15:
      											LeaveCriticalSection(_v12);
      											__eflags = 0;
      											return 0;
      										}
      									} else {
      										_t13 =  &(_t236[6]); // 0x7801d0
      										__eflags = _t191 -  *_t13;
      										if(_t191 <=  *_t13) {
      											goto L27;
      										} else {
      											goto L14;
      										}
      									}
      								}
      							}
      						}
      					} else {
      						if(__eflags < 0) {
      							L6:
      							__eflags = _t225;
      							if(_t225 == 0) {
      								L65:
      								__eflags = 0;
      								return 0;
      							} else {
      								goto L7;
      							}
      						} else {
      							_t7 =  &(_t236[6]); // 0x7801d0
      							__eflags = _t197 -  *_t7;
      							if(_t197 >  *_t7) {
      								goto L7;
      							} else {
      								goto L6;
      							}
      						}
      					}
      				} else {
      					return 0;
      				}
      				L73:
      			}

      Address column of the decompiled listing above (E00430630): per-line instruction addresses in the range 0x00430630 to 0x004309ee.
      0x00000000
      0x00000000
      0x00000000
      0x004307d6
      0x004307d6
      0x004307d9
      0x004307de
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x004307de
      0x004307d4
      0x004307ce
      0x0043080b
      0x0043080c
      0x0043080f
      0x00430812
      0x00430814
      0x00000000
      0x00430814
      0x00000000
      0x00430812
      0x004306ba
      0x004306ba
      0x004306c1
      0x004306c5
      0x004306ca
      0x004306cc
      0x00000000
      0x004306ce
      0x004306ce
      0x004306d2
      0x004306da
      0x004306e0
      0x004306e0
      0x004306bc
      0x004306bc
      0x004306bc
      0x004306bf
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x004306bf
      0x004306ba
      0x004306b8
      0x004306aa
      0x0043065e
      0x0043065e
      0x00430665
      0x00430665
      0x00430667
      0x00430975
      0x00430977
      0x0043097d
      0x00000000
      0x00000000
      0x00000000
      0x00430660
      0x00430660
      0x00430660
      0x00430663
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00430663
      0x0043065e
      0x00430645
      0x0043064b
      0x0043064b
      0x00000000

      APIs
      • GetTickCount.KERNEL32 ref: 0043066D
      • GetTickCount.KERNEL32 ref: 00430680
      • EnterCriticalSection.KERNEL32(004C2668), ref: 0043069A
      • LeaveCriticalSection.KERNEL32(?), ref: 004306D2
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CountCriticalSectionTick$EnterLeave
      • String ID:
      • API String ID: 1992965235-0
      • Opcode ID: 30725958b776534c97155f3e9733ee7fa47a7a6369ac26de27831bee7c9222b2
      • Instruction ID: f6f66dcf5c77e22e2a73762f3eab19a63bf2f583c2207337a28091457ed399bf
      • Opcode Fuzzy Hash: 30725958b776534c97155f3e9733ee7fa47a7a6369ac26de27831bee7c9222b2
      • Instruction Fuzzy Hash: 81C17D70A006099FDB24DF68D994B9EB7B5FB48310F149B2EE856C3640D738E994CB98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E004399D0() {
      				signed int _v8;
      				char _v124;
      				long _v128;
      				signed int _v132;
      				int _v136;
      				signed int _v140;
      				char _v144;
      				signed int _v148;
      				void* _v152;
      				int _v156;
      				intOrPtr _v160;
      				void* _v164;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t72;
      				int _t77;
      				signed int _t78;
      				long _t81;
      				intOrPtr* _t86;
      				long _t91;
      				int _t94;
      				signed int _t96;
      				signed int _t103;
      				signed int _t104;
      				int _t106;
      				void* _t107;
      				intOrPtr _t108;
      				intOrPtr* _t111;
      				intOrPtr _t117;
      				signed int _t118;
      				intOrPtr* _t120;
      				signed int _t122;
      				int _t126;
      				long _t128;
      				signed int _t129;
      				long _t131;
      				void* _t132;
      				signed int _t135;
      				void* _t136;
      				void* _t137;
      
      				_t72 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t72 ^ _t135;
      				_t126 = 1;
      				_v136 = 1;
      				SetThreadPriority(GetCurrentThread(), 1);
      				_v128 = 0;
      				_t77 = E00470030( &_v124, 0, 0x74);
      				_t104 = 0;
      				_t137 = _t136 + 0xc;
      				_t129 = 0;
      				_v144 = 0;
      				_t118 = 0;
      				while(1) {
      					asm("sbb eax, eax");
      					_t78 = _t77 & _t104 + 0x00000001;
      					_v140 = _t78;
      					_t103 = _t78 + _t78 * 2;
      					_t106 =  *(_t135 + _t103 * 4 - 0x78);
      					_t119 = _t118 -  *(_t135 + _t103 * 4 - 0x74);
      					_v144 = _v144 - _t106;
      					_v148 = _t129 -  *(_t135 + _t103 * 4 - 0x7c) + _t106;
      					_v132 = _t118 -  *(_t135 + _t103 * 4 - 0x74);
      					_t81 = GetTickCount();
      					_t107 =  *0x4bce44; // 0x158
      					_t131 = _t81;
      					_v164 = _t107;
      					_t108 =  *0x4bce60; // 0x204
      					 *(_t135 + _t103 * 4 - 0x7c) = _t131;
      					 *(_t135 + _t103 * 4 - 0x74) = _t126;
      					_v160 = _t108;
      					if(WaitForMultipleObjects(2,  &_v164, 0, 0xffffffff) == 0) {
      						break;
      					}
      					_t77 = GetTickCount();
      					_v156 = _t77;
      					_t128 = _t77 - _t131;
      					 *(_t135 + _t103 * 4 - 0x78) = _t77;
      					 *(_t135 + _t103 * 4 - 0x7c) = _t128;
      					EnterCriticalSection(0x4bce48);
      					if( *0x4bce68 != 0) {
      						_t111 =  *0x4bce64; // 0x77cfe0
      						_t86 =  *_t111;
      						_t120 = _t86;
      						_t132 =  *(_t86 + 8);
      						_v152 = _t132;
      						 *((intOrPtr*)( *((intOrPtr*)(_t120 + 4)))) =  *_t120;
      						 *((intOrPtr*)( *_t120 + 4)) =  *((intOrPtr*)(_t120 + 4));
      						 *0x4bce68 =  *0x4bce68 - 1;
      						_t77 = E0046EF07(_t120);
      						_t137 = _t137 + 4;
      						LeaveCriticalSection(0x4bce48);
      						_t118 = _v132;
      						_t104 = _v140;
      						__eflags = _t132;
      						if(_t132 == 0) {
      							goto L1;
      						}
      						L0043B170(_t132 + 4,  *_t132);
      						_t137 = _t137 + 8;
      						_t91 = HeapSize( *0x4bce70, 0, _t132);
      						HeapFree( *0x4bce70, 0, _v152);
      						EnterCriticalSection(0x4bce48);
      						 *0x4bce6c =  *0x4bce6c - _t91;
      						LeaveCriticalSection(0x4bce48);
      						_t94 = GetTickCount() - _v156;
      						 *(_t135 + _t103 * 4 - 0x78) = _t94;
      						_t126 = _v136;
      						_t129 = _v148 + _t94 + _t128;
      						_t122 = _v132 + _t126;
      						_v132 = _t122;
      						_v144 = _v144 + _t94;
      						__eflags = _t129;
      						if(_t129 == 0) {
      							asm("xorps xmm0, xmm0");
      							asm("movsd [0x4bd2c8], xmm0");
      						} else {
      							asm("movd xmm1, ecx");
      							asm("cvtdq2pd xmm1, xmm1");
      							asm("movd xmm0, esi");
      							asm("addsd xmm1, [eax*8+0x496300]");
      							asm("cvtdq2pd xmm0, xmm0");
      							asm("mulsd xmm1, [0x4962e8]");
      							asm("addsd xmm0, [eax*8+0x496300]");
      							asm("divsd xmm1, xmm0");
      							asm("movsd [0x4bd2c8], xmm1");
      						}
      						_t117 =  *0x4bce6c; // 0x0
      						_t96 = 0xcccccccd * _t122;
      						 *0x4bd2d0 = _t117;
      						 *0x4bd2d4 = 0xcccccccd * _t122 >> 0x20 >> 3;
      						__eflags = _t117 - 0x20000;
      						if(_t117 >= 0x20000) {
      							__eflags = _t117 - 0x80000;
      							if(_t117 >= 0x80000) {
      								__eflags = _t117 - 0x100000;
      								asm("sbb eax, eax");
      								_t77 = (_t96 & 0xfffffff3) + 0xf;
      								__eflags = _t77;
      							} else {
      								_t77 = 1;
      							}
      						} else {
      							_t77 = 0;
      						}
      						__eflags = 0 -  *0x4bd2dc; // 0x0
      						if(__eflags < 0) {
      							L18:
      							 *0x4bd2e8 = 0;
      							goto L19;
      						} else {
      							if(__eflags > 0) {
      								L17:
      								 *0x4bd2e8 = 1;
      								L19:
      								_t118 = _v132;
      								_t104 = _v140;
      								__eflags = _t126 - _t77;
      								if(_t126 != _t77) {
      									_t126 = _t77;
      									_v136 = _t126;
      									_t77 = SetThreadPriority(GetCurrentThread(), _t77);
      									_t118 = _v132;
      									_t104 = _v140;
      								}
      								continue;
      							}
      							__eflags = _t117 -  *0x4bd2d8; // 0x0
      							if(__eflags < 0) {
      								goto L18;
      							}
      							goto L17;
      						}
      					} else {
      						LeaveCriticalSection(0x4bce48);
      						_t118 = _v132;
      						_t104 = _v140;
      						L1:
      						_t126 = _v136;
      						_t129 = _v148;
      						continue;
      					}
      				}
      				__eflags = _v8 ^ _t135;
      				return E0046F77E(_t103, _v8 ^ _t135, _t119, _t126, _t131);
      			}

      APIs
      • GetCurrentThread.KERNEL32 ref: 004399F2
      • SetThreadPriority.KERNEL32(00000000), ref: 004399F9
      • _memset.LIBCMT ref: 00439A0E
      • GetTickCount.KERNEL32 ref: 00439A70
      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00439AA5
      • GetTickCount.KERNEL32 ref: 00439AB3
      • EnterCriticalSection.KERNEL32(004BCE48), ref: 00439AD0
      • LeaveCriticalSection.KERNEL32(004BCE48), ref: 00439AE4
      • LeaveCriticalSection.KERNEL32(004BCE48), ref: 00439B2E
      • HeapSize.KERNEL32(00000000,?), ref: 00439B5C
      • HeapFree.KERNEL32(00000000,?), ref: 00439B72
      • EnterCriticalSection.KERNEL32(004BCE48), ref: 00439B7D
      • LeaveCriticalSection.KERNEL32(004BCE48), ref: 00439B8E
      • GetTickCount.KERNEL32 ref: 00439B94
      • GetCurrentThread.KERNEL32 ref: 00439C9E
      • SetThreadPriority.KERNEL32(00000000), ref: 00439CA5
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Thread$CountLeaveTick$CurrentEnterHeapPriority$FreeMultipleObjectsSizeWait_memset
      • String ID:
      • API String ID: 912656650-0
      • Opcode ID: 7c3c485d1daa34870d09e074d88095db8af360a537ce3744ab62734c99478495
      • Instruction ID: 7b77b754aad28f18cc615279d8ddbef3d4f6d588915ff613e82180fef1ef09cd
      • Opcode Fuzzy Hash: 7c3c485d1daa34870d09e074d88095db8af360a537ce3744ab62734c99478495
      • Instruction Fuzzy Hash: AB815A35E00214CFDB14DF68DC85B9DB7B5BB88300F2482BAE80AA3261DB759D85DF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E00438850(struct HWND__* _a4, intOrPtr _a8, signed short* _a12, char _a16) {
      				WCHAR* _v8;
      				char _v16;
      				signed int _v20;
      				struct _CRITICAL_SECTION* _v24;
      				signed int _v28;
      				signed int _v32;
      				char _v40;
      				void* __ebx;
      				void* __esi;
      				signed int _t63;
      				signed int _t66;
      				intOrPtr* _t67;
      				signed short* _t72;
      				long _t73;
      				signed int _t85;
      				signed int _t86;
      				signed int _t87;
      				void* _t88;
      				intOrPtr* _t89;
      				intOrPtr* _t90;
      				intOrPtr* _t91;
      				void* _t92;
      				signed int _t93;
      				signed int _t95;
      				signed int* _t96;
      				void* _t109;
      				signed int _t110;
      				signed short* _t114;
      				signed int _t121;
      				signed int _t126;
      				signed int _t130;
      				void* _t131;
      				void* _t133;
      				intOrPtr _t134;
      				intOrPtr* _t135;
      				signed int _t137;
      				intOrPtr* _t141;
      				signed short* _t142;
      				void* _t143;
      				signed int _t146;
      				void* _t147;
      				void* _t148;
      				void* _t157;
      				void* _t163;
      
      				_push(0xffffffff);
      				_push(E00489938);
      				_push( *[fs:0x0]);
      				_t148 = _t147 - 0x18;
      				_t63 =  *0x4bb1dc; // 0x2927074f
      				_push(_t63 ^ _t146);
      				 *[fs:0x0] =  &_v16;
      				_t66 =  *0x4bcbd0; // 0x0
      				if((_t66 & 0x00000001) == 0) {
      					 *0x4bcbd0 = _t66 | 0x00000001;
      					InitializeCriticalSection(0x4bcbb8);
      					E0046FD29(_t66 | 0x00000001, E0048D8D0);
      					_t148 = _t148 + 4;
      				}
      				_v24 = 0x4bcbb8;
      				while(1) {
      					L3:
      					EnterCriticalSection(0x4bcbb8);
      					_t67 =  *0x4bdcd8; // 0x784850
      					_v8 = 0;
      					_t141 =  *_t67;
      					if(_t141 == _t67) {
      						goto L21;
      					} else {
      						goto L4;
      					}
      					do {
      						L4:
      						_t6 = _t141 + 0x10; // 0x4a14fc
      						_t87 = E0046A720(_t6);
      						_t7 = _t141 + 0x10; // 0x4a14fc
      						_t110 = _t87;
      						_t88 = E0046A170(_t7);
      						_t112 =  *_a12 & 0x0000ffff;
      						if(_t110 > ( *_a12 & 0x0000ffff)) {
      							L10:
      							if( *((char*)(_t141 + 0xd)) != 0) {
      								goto L20;
      							}
      							_t14 = _t141 + 8; // 0x630069
      							_t89 =  *_t14;
      							if( *((char*)(_t89 + 0xd)) != 0) {
      								_t18 = _t141 + 4; // 0x760065
      								_t90 =  *_t18;
      								__eflags =  *((char*)(_t90 + 0xd));
      								if( *((char*)(_t90 + 0xd)) != 0) {
      									L19:
      									_t141 = _t90;
      									goto L20;
      								} else {
      									goto L17;
      								}
      								while(1) {
      									L17:
      									__eflags = _t141 -  *((intOrPtr*)(_t90 + 8));
      									if(_t141 !=  *((intOrPtr*)(_t90 + 8))) {
      										goto L19;
      									}
      									_t141 = _t90;
      									_t90 =  *((intOrPtr*)(_t90 + 4));
      									__eflags =  *((char*)(_t90 + 0xd));
      									if( *((char*)(_t90 + 0xd)) == 0) {
      										continue;
      									}
      									goto L19;
      								}
      								goto L19;
      							}
      							_t141 = _t89;
      							_t91 =  *_t141;
      							if( *((char*)(_t91 + 0xd)) != 0) {
      								goto L20;
      							}
      							do {
      								_t141 = _t91;
      								_t91 =  *_t141;
      							} while ( *((char*)(_t91 + 0xd)) == 0);
      							goto L20;
      						}
      						_t134 = _a8;
      						_t92 = L0046FE7B(_t110, _t112, _t141, _t88, _t134, _t110);
      						_t148 = _t148 + 0xc;
      						if(_t92 != 0) {
      							goto L10;
      						}
      						_t93 =  *(_t134 + _t110 * 2) & 0x0000ffff;
      						if(_t93 == 0x5c) {
      							L42:
      							_t95 = L0046FE7B(_t110, _t112, _t141, _t134 + _t110 * 2, L"\\??\\", 4);
      							__eflags = _t95;
      							if(_t95 == 0) {
      								_t110 = _t110 + 4;
      								__eflags = _t110;
      							}
      							_t49 = _t141 + 0x14; // 0x4a1500
      							_t96 = E0046A720(_t49);
      							__eflags = _t110 - _t96;
      							if(_t110 >= _t96) {
      								L46:
      								_t51 = _t141 + 0x14; // 0x4a1500
      								_t135 = E0046A170(_t51);
      								_t52 = _t135 + 2; // 0x2
      								_t131 = _t52;
      								do {
      									_t121 =  *_t135;
      									_t135 = _t135 + 2;
      									__eflags = _t121;
      								} while (_t121 != 0);
      								_t137 = _t135 - _t131 >> 1;
      								E00470850(_a8, _t97, _t137 + _t137);
      								E00471540(_t137 + _t137 + _a8, _a8 + _t110 * 2, ( *_a12 & 0x0000ffff) - _t110 + ( *_a12 & 0x0000ffff) - _t110);
      								_t96 = _a12;
      								 *_t96 =  *_t96 + _t137 - _t110;
      								__eflags =  *_t96;
      								goto L49;
      							} else {
      								__eflags = _a16;
      								if(_a16 == 0) {
      									L49:
      									LeaveCriticalSection(0x4bcbb8);
      									 *[fs:0x0] = _v16;
      									return _t96;
      								}
      								goto L46;
      							}
      						}
      						_t112 =  *_a12 & 0x0000ffff;
      						_t157 = _t110 - ( *_a12 & 0x0000ffff);
      						if(_t157 == 0 || _t157 < 0 && _t93 == 0) {
      							goto L42;
      						} else {
      							goto L10;
      						}
      						L20:
      						_t163 = _t141 -  *0x4bdcd8; // 0x784850
      					} while (_t163 != 0);
      					L21:
      					E00434E40(_t112,  &_v20, _a8,  *_a12 & 0x0000ffff);
      					_t148 = _t148 + 0xc;
      					_t109 = 0;
      					_v8 = 1;
      					_t133 = 0;
      					while(1) {
      						_t72 = E0046A170( &_v20);
      						_t28 = _t133 + 0x4a14e4; // 0x4a14ec
      						_t142 =  *_t28;
      						_t114 = _t72;
      						_t130 =  *_t142 & 0x0000ffff;
      						if(_t130 == 0) {
      							break;
      						}
      						_t143 = _t142 - _t114;
      						while(1) {
      							_t85 =  *_t114 & 0x0000ffff;
      							if(_t85 == 0 || _t130 != _t85 && _t130 != 0x3f) {
      								break;
      							}
      							_t30 =  &(_t114[1]); // 0x650044
      							_t86 =  *(_t143 + _t30) & 0x0000ffff;
      							_t114 =  &(_t114[1]);
      							_t130 = _t86;
      							if(_t86 != 0) {
      								continue;
      							}
      							goto L28;
      						}
      						_t133 = _t133 + 4;
      						_t109 = _t109 + 1;
      						__eflags = _t133 - 8;
      						if(_t133 < 8) {
      							continue;
      						}
      						L38:
      						_t73 = E0046A170( &_v20);
      						DialogBoxParamW(GetModuleHandleW(0), L"DEVICE_PATH", _a4, E00447A30, _t73);
      						L39:
      						_t112 = _v20;
      						_v8 = 0;
      						if(_v20 != 0) {
      							E0046A700(_t112);
      						}
      						LeaveCriticalSection(0x4bcbb8);
      						goto L3;
      					}
      					L28:
      					if(_t109 >= 2) {
      						goto L38;
      					}
      					_t126 = _v20;
      					_v32 = _t126;
      					if(_t126 != 0) {
      						E0046A420(_t126);
      						_t126 = _v20;
      					}
      					_v8 = 2;
      					_v28 = _t126;
      					if(_t126 != 0) {
      						E0046A420(_t126);
      					}
      					_v8 = 3;
      					E00431700(0x4bdcd8,  &_v40, 0,  &_v32,  *0x4bcb78 & 0x000000ff);
      					_t128 = _v28;
      					_v8 = 4;
      					if(_v28 != 0) {
      						E0046A700(_t128);
      					}
      					_t129 = _v32;
      					_v8 = 1;
      					if(_v32 != 0) {
      						E0046A700(_t129);
      					}
      					goto L39;
      				}
      			}

      APIs
      • InitializeCriticalSection.KERNEL32(004BCBB8,2927074F,?,?,?,?,?,00000000), ref: 0043888E
      • EnterCriticalSection.KERNEL32(004BCBB8,2927074F,?,?,?,?), ref: 004388B5
      • __wcsnicmp.LIBCMT ref: 004388F3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterInitialize__wcsnicmp
      • String ID: DEVICE_PATH$PHx$\??\
      • API String ID: 596417830-1945314630
      • Opcode ID: 6f620733100cca19fc6d8dd519f3ff8732f7dbfcf5ffb5f477a4a42b561c4eab
      • Instruction ID: cc5157729bf9b71672aa3af679ae1e8ae1d734b127f68a34c23e442817218888
      • Opcode Fuzzy Hash: 6f620733100cca19fc6d8dd519f3ff8732f7dbfcf5ffb5f477a4a42b561c4eab
      • Instruction Fuzzy Hash: F481E1B09003059BDB14EBA5C885BBFB7A4AF09354F14546FF841A7391EB78AD04C76A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E00408A90(void* __ecx, intOrPtr _a4) {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				struct tagPOINT _v24;
      				intOrPtr _v28;
      				int _v32;
      				struct tagPOINT _v40;
      				struct tagSCROLLINFO _v68;
      				struct tagSCROLLINFO _v96;
      				struct tagRECT _v128;
      				struct HWND__* _v136;
      				int _v140;
      				void* _v144;
      				void* __ebx;
      				void* __esi;
      				signed int _t48;
      				struct HWND__* _t73;
      				struct HWND__* _t77;
      				void* _t82;
      				int _t90;
      				void* _t92;
      				signed int _t98;
      
      				_t48 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t48 ^ _t98;
      				_t82 = __ecx;
      				 *((intOrPtr*)(__ecx + 0x90)) = _a4;
      				GetWindowRect( *(__ecx + 0xc),  &_v40);
      				GetWindowRect( *(_t82 + 0x14),  &_v24);
      				MapWindowPoints(0,  *(_t82 + 8),  &_v40, 2);
      				MapWindowPoints(0,  *(_t82 + 8),  &_v24, 2);
      				asm("xorps xmm0, xmm0");
      				_v96.cbSize = 0x1c;
      				asm("movdqu [ebp-0x54], xmm0");
      				_v96.nTrackPos = 0;
      				_v68.cbSize = 0x1c;
      				asm("movdqu [ebp-0x38], xmm0");
      				_v68.nTrackPos = 0;
      				_v96.fMask = 4;
      				_v68.fMask = 4;
      				GetScrollInfo( *(_t82 + 0x20), 2,  &_v96);
      				GetScrollInfo( *(_t82 + 0x24), 2,  &_v68);
      				_t90 =  *(_t82 + 0x90);
      				_v24.x = _t90 - _v68.nPos;
      				_v40.x = 0;
      				_v32 = _t90;
      				SetWindowPos( *(_t82 + 0xc), 0, 0, _v40.y, _t90, _v28 - _v40.y, 4);
      				SetWindowPos( *(_t82 + 0x14), 0, _v24.x, _v24.y, _v16 - _v24.x, _v12 - _v24.y, 4);
      				_v144 = 0x30;
      				_v140 = 0;
      				_t73 =  *(_t82 + 0x14);
      				asm("xorps xmm0, xmm0");
      				asm("movdqu [ebp-0x84], xmm0");
      				asm("movdqu [ebp-0x74], xmm0");
      				_v136 = _t73;
      				asm("movq [ebp-0x64], xmm0");
      				GetClientRect(_t73,  &_v128);
      				SendMessageW( *(_t82 + 0x18), 0x434, 0,  &_v144);
      				_t77 =  *(_t82 + 0xc);
      				_v136 = _t77;
      				GetClientRect(_t77,  &_v128);
      				SendMessageW( *(_t82 + 0x10), 0x434, 0,  &_v144);
      				return E0046F77E(_t82, _v8 ^ _t98, _v24.y, _t92, SendMessageW);
      			}

      APIs
      • GetWindowRect.USER32 ref: 00408ABD
      • GetWindowRect.USER32 ref: 00408AC6
      • MapWindowPoints.USER32 ref: 00408AD9
      • MapWindowPoints.USER32 ref: 00408AE6
      • GetScrollInfo.USER32 ref: 00408B2E
      • GetScrollInfo.USER32 ref: 00408B39
      • SetWindowPos.USER32(?,00000000,00000000,?,?,?,00000004), ref: 00408B6D
      • SetWindowPos.USER32(?,00000000,004044D6,?,?,?,00000004), ref: 00408B8A
      • GetClientRect.USER32 ref: 00408BC3
      • SendMessageW.USER32(?,00000434,00000000,00000030), ref: 00408BE0
      • GetClientRect.USER32 ref: 00408BF0
      • SendMessageW.USER32(?,00000434,00000000,00000030), ref: 00408C07
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$Rect$ClientInfoMessagePointsScrollSend
      • String ID: 0
      • API String ID: 795192097-4108050209
      • Opcode ID: 0373b5bfd90958ec11df1ad22403d4321bce608528ef0ace416baaa31af8e7fe
      • Instruction ID: 10ba3291c133c949d520821c5cfcfcc0de9afc67d70f4fbd0c9559d456b87e2e
      • Opcode Fuzzy Hash: 0373b5bfd90958ec11df1ad22403d4321bce608528ef0ace416baaa31af8e7fe
      • Instruction Fuzzy Hash: 7651BCB1D10219AFEF14CF94DD85FAEBBB8EB48300F108169EA04AB195D771AD44DF64
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E00406DA0(void* __ecx, struct HWND__* _a4, intOrPtr _a8) {
      				signed int _v8;
      				intOrPtr _v12;
      				long _v16;
      				struct tagPOINT _v24;
      				struct tagRECT _v40;
      				struct tagRECT _v56;
      				struct tagSCROLLINFO _v84;
      				intOrPtr _v88;
      				intOrPtr* _v92;
      				struct HWND__** _v96;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t72;
      				intOrPtr _t74;
      				intOrPtr _t80;
      				long _t84;
      				RECT* _t92;
      				intOrPtr* _t119;
      				void* _t120;
      				int _t122;
      				struct HWND__** _t124;
      				intOrPtr _t128;
      				long _t131;
      				long _t133;
      				int _t136;
      				struct HWND__* _t139;
      				void* _t140;
      				struct HWND__** _t141;
      				void* _t143;
      				void* _t144;
      				signed int _t148;
      
      				_t146 = _t148;
      				_t72 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t72 ^ _t148;
      				_t143 = __ecx;
      				_t139 = _a4;
      				_t74 =  *((intOrPtr*)(__ecx + 0x20));
      				_t124 = __ecx + 0xc;
      				if(_t139 != _t74) {
      					_t124 = __ecx + 0x14;
      				}
      				_v96 = _t124;
      				_t119 = _t143 + 0x84;
      				if(_t139 != _t74) {
      					_t119 = _t143 + 0x88;
      				}
      				_v92 = _t119;
      				if((GetWindowLongW(_t139, 0xfffffff0) >> 0x0000001c & 0x00000001) != 0) {
      					asm("xorps xmm0, xmm0");
      					_t78 = GetScrollInfo;
      					_v84.cbSize = 0x1c;
      					asm("movdqu [ebp-0x48], xmm0");
      					_v84.nTrackPos = 0;
      					_v84.fMask = 4;
      					if(_a8 != 0) {
      						GetScrollInfo(_t139, 2,  &_v84);
      						_v84.nPos = _v84.nPos + _a8;
      						SetScrollInfo(_t139, 2,  &_v84, 1);
      						_t78 = GetScrollInfo;
      					}
      					 *_t78(_t139, 2,  &_v84);
      					_t80 = _v84.nPos;
      					_v88 = _t80;
      					if(_t80 !=  *_t119) {
      						GetClientRect( *(_t143 + 8),  &_v40);
      						_t128 = _v88;
      						_t122 =  *_t119 - _t128;
      						 *_v92 = _t128;
      						_t84 =  *(_t143 + 0x90);
      						if(_t139 !=  *((intOrPtr*)(_t143 + 0x20))) {
      							_v40.left = _t84;
      						} else {
      							_v40.right = _t84 - 1;
      							_t84 = _v40.left;
      						}
      						if(_t122 < 0) {
      							return _t84 - _t122;
      						}
      						_v24.x = _t84;
      						GetWindowRect( *(_t143 + 0xc),  &_v56);
      						_v24.y = _v56.bottom - _v56.top;
      						_v16 = _v40.right - _t122;
      						_v12 = _v40.bottom - GetSystemMetrics(3);
      						if(_t139 !=  *((intOrPtr*)(_t143 + 0x24)) || (GetWindowLongW( *(_t143 + 0x1c), 0xfffffff0) >> 0x0000001c & 0x00000001) == 0) {
      							_t131 = _v16;
      						} else {
      							_t131 = _v16 - GetSystemMetrics(2);
      							_v16 = _t131;
      						}
      						if(_t131 <= _v24.x) {
      							_t92 =  &_v40;
      							goto L22;
      						} else {
      							ScrollWindowEx( *(_t143 + 8), _t122, 0,  &_v24, 0, 0, 0, 2);
      							_t133 = _v16;
      							_t136 = _v24.x;
      							if(_t122 > _t133 - _t136) {
      								_v24.x = _t133;
      								_v16 = _t136 + _t122;
      								_t92 =  &_v24;
      								L22:
      								InvalidateRect( *(_t143 + 8), _t92, 0);
      							}
      						}
      						if(_t139 ==  *((intOrPtr*)(_t143 + 0x24))) {
      							_t141 = _v96;
      							GetWindowRect( *_t141,  &_v24);
      							MapWindowPoints(0,  *(_t143 + 8),  &_v24, 2);
      							_t136 = _v24.x + _t122;
      							_v24.x = _t136;
      							SetWindowPos( *_t141, 0, _t136, _v24.y, _v16 - _t136, _v12 - _v24.y, 4);
      						}
      					}
      				}
      				_pop(_t140);
      				_pop(_t144);
      				_pop(_t120);
      				return E0046F77E(_t120, _v8 ^ _t146, _t136, _t140, _t144);
      			}

      APIs
      • GetWindowLongW.USER32(?,000000F0), ref: 00406DDE
      • SetScrollInfo.USER32(?,00000002,0000001C,00000001), ref: 00406E2F
      • GetClientRect.USER32 ref: 00406E58
      • GetWindowRect.USER32 ref: 00406E95
      • GetSystemMetrics.USER32 ref: 00406EAC
      • GetSystemMetrics.USER32 ref: 00406ED4
      • ScrollWindowEx.USER32 ref: 00406F02
      • InvalidateRect.USER32(00000000,?,00000000), ref: 00406FD5
      • GetWindowRect.USER32 ref: 00406FE9
      • MapWindowPoints.USER32 ref: 00406FFA
      • SetWindowPos.USER32(?,00000000,?,00000000,00000000,?,00000004), ref: 0040701F
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$Rect$MetricsScrollSystem$ClientInfoInvalidateLongPoints
      • String ID:
      • API String ID: 1162865344-0
      • Opcode ID: 677deeff7781cf95db35c845d5cd7b042e7b910dcd0cf4e7e81788eb06986ac2
      • Instruction ID: 80515e98d8d20c5a269704305dcf2ca8b73360acca1b581aa94acaf17e59f88e
      • Opcode Fuzzy Hash: 677deeff7781cf95db35c845d5cd7b042e7b910dcd0cf4e7e81788eb06986ac2
      • Instruction Fuzzy Hash: 6A910A71A0020AAFDB14DFA8D984BAEB7B5FB48300F20453AE516F7290DB74AA55CF54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E004192F0(struct _CRITICAL_SECTION* __ecx, void* __eflags, char _a4, struct _CRITICAL_SECTION* _a8, intOrPtr _a12, intOrPtr _a16) {
      				long _v8;
      				char _v16;
      				signed int _v17;
      				struct HICON__* _v24;
      				struct _CRITICAL_SECTION* _v28;
      				intOrPtr _v36;
      				struct _CRITICAL_SECTION* _v40;
      				char _v44;
      				char _v48;
      				void* __esi;
      				signed int _t38;
      				signed int _t48;
      				signed int _t54;
      				signed int _t55;
      				void* _t59;
      				intOrPtr _t69;
      				struct _CRITICAL_SECTION* _t78;
      				signed int _t80;
      				void* _t87;
      
      				_push(0xffffffff);
      				_push(E00487238);
      				_push( *[fs:0x0]);
      				_t38 =  *0x4bb1dc; // 0x2927074f
      				_push(_t38 ^ _t80);
      				 *[fs:0x0] =  &_v16;
      				_t78 = __ecx;
      				_v17 = 0;
      				_v24 = SetCursor(LoadCursorW(0, 0x7f02));
      				_v28 = _t78;
      				EnterCriticalSection(_t78);
      				_v44 = _a4;
      				_v8 = 0;
      				_v40 = _a8;
      				_v36 = 0;
      				_a8 = _t78;
      				EnterCriticalSection(_t78);
      				_v8 = 1;
      				_t59 = E0040EA10(_t78 + 0x1c,  &_v44, 1);
      				_v8 = 0;
      				LeaveCriticalSection(_t78);
      				EnterCriticalSection(_t78);
      				LeaveCriticalSection(_t78);
      				if(_t59 <  *((intOrPtr*)(_t78 + 0x28))) {
      					while(1) {
      						E0040D160(_t78,  &_v48, _t59);
      						_v8 = 2;
      						_t54 = E00411BA0( &_v48);
      						_t69 = _a12;
      						if(_a16 == 0x9c76) {
      							_t87 = _t69 -  *((intOrPtr*)(_t54 + 4));
      						}
      						_t55 = _t54 & 0xffffff00 | _t87 == 0x00000000;
      						_v8 = 0;
      						_v17 = _t55;
      						if(_t55 != 0) {
      							break;
      						}
      						E0040F960( &_v48, _t78);
      						_t59 = _t59 + 1;
      						EnterCriticalSection(_t78);
      						LeaveCriticalSection(_t78);
      						if(_t59 <  *((intOrPtr*)(_t78 + 0x28))) {
      							continue;
      						} else {
      						}
      						goto L8;
      					}
      					E0040F960( &_v48, _t78);
      				}
      				L8:
      				_v8 = 0xffffffff;
      				LeaveCriticalSection(_t78);
      				SetCursor(_v24);
      				_t48 = _v17;
      				if(_t48 != 0) {
      					EnterCriticalSection(_t78);
      					LeaveCriticalSection(_t78);
      					if(_t59 <  *((intOrPtr*)(_t78 + 0x28))) {
      						if( *0x4bd895 != 0) {
      							SendMessageW(GetParent( *(_t78 + 0x18)), 0x111, 0x9c53, 0);
      						}
      						E004366B0( *(_t78 + 0x18), _t59, 1);
      					}
      					_t48 = _v17;
      				}
      				 *[fs:0x0] = _v16;
      				return _t48;
      			}

      APIs
      • LoadCursorW.USER32(00000000,00007F02), ref: 00419326
      • SetCursor.USER32(00000000), ref: 0041932D
      • EnterCriticalSection.KERNEL32 ref: 00419340
      • EnterCriticalSection.KERNEL32 ref: 0041935E
      • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 00419379
      • EnterCriticalSection.KERNEL32(?,?,?,00000001), ref: 00419380
      • LeaveCriticalSection.KERNEL32(?,?,?,?,00000001), ref: 00419386
      • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00000001), ref: 004193D3
      • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,?,?,00000001), ref: 004193DD
        • Part of subcall function 0040F960: ReleaseSRWLockShared.KERNEL32(?,004C2538,00468906,004C2538,000000FF,?,?,00467152,00000000,004C255C), ref: 0040F971
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000001), ref: 004193F6
      • SetCursor.USER32(?,?,?,?,?,?,00000001), ref: 004193FF
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000001), ref: 0041940D
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000001), ref: 00419417
      • GetParent.USER32(?), ref: 00419439
      • SendMessageW.USER32(00000000), ref: 00419440
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$Cursor$LoadLockMessageParentReleaseSendShared
      • String ID:
      • API String ID: 1916728252-0
      • Opcode ID: 94f86bd17b27696d3df5477e472a32fb693b3c5639a4446e0da26e85a6e06119
      • Instruction ID: fdfba07a5e6f92872d563aa06ffcc7d898008016fd8258213393a3e9721c822f
      • Opcode Fuzzy Hash: 94f86bd17b27696d3df5477e472a32fb693b3c5639a4446e0da26e85a6e06119
      • Instruction Fuzzy Hash: 4141D431905208EFCB11DFA9DC49BDEBBB8EF09310F14456EF902A3291D7785945CB69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E0043A4B0(void* __edx, struct HWND__* _a4, char _a8) {
      				char _v8;
      				char _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				char _v40;
      				char _v44;
      				char _v48;
      				char _v52;
      				void* __ebx;
      				void* __edi;
      				signed int _t85;
      				intOrPtr* _t90;
      				void* _t97;
      				intOrPtr* _t107;
      				char _t108;
      				void* _t116;
      				void* _t128;
      				void* _t135;
      				intOrPtr _t147;
      				void* _t152;
      				char _t153;
      				void* _t193;
      				intOrPtr* _t195;
      				intOrPtr* _t198;
      				intOrPtr* _t199;
      				intOrPtr* _t200;
      				signed int _t203;
      				void* _t204;
      				void* _t205;
      
      				_t193 = __edx;
      				_push(0xffffffff);
      				_push(E00489AD8);
      				_push( *[fs:0x0]);
      				_t205 = _t204 - 0x24;
      				_push(_t152);
      				_t85 =  *0x4bb1dc; // 0x2927074f
      				_push(_t85 ^ _t203);
      				 *[fs:0x0] =  &_v16;
      				_v8 = 0;
      				_t198 =  *((intOrPtr*)(E00402050(E0046A170( &_a8))));
      				_v8 = 1;
      				if(_t198 == 0) {
      					_t90 = 0;
      					__eflags = 0;
      				} else {
      					if( *((intOrPtr*)(_t198 + 4)) == 0) {
      						 *((intOrPtr*)(_t198 + 4)) = E0046E430( &_v24,  *_t198);
      					}
      					_t90 =  *((intOrPtr*)(_t198 + 4));
      				}
      				__imp__#52(_t90);
      				_t199 = _v24;
      				_t195 = _t90;
      				_v8 = 0;
      				if(_t199 != 0) {
      					if(InterlockedDecrement(_t199 + 8) == 0 && _t199 != 0) {
      						_t147 =  *_t199;
      						if(_t147 != 0) {
      							__imp__#6(_t147);
      							 *_t199 = 0;
      						}
      						_t148 =  *((intOrPtr*)(_t199 + 4));
      						if( *((intOrPtr*)(_t199 + 4)) != 0) {
      							E0046EF07(_t148);
      							_t205 = _t205 + 4;
      							 *((intOrPtr*)(_t199 + 4)) = 0;
      						}
      						E0046EF07(_t199);
      						_t205 = _t205 + 4;
      					}
      					_v24 = 0;
      				}
      				_t200 = __imp__#111;
      				 *_t200();
      				if(_t195 == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t195 + 0xc)))) == 0) {
      					_v28 = E0046A6C0(_t152, "\'", E0046A530("\'"));
      					_v8 = 2;
      					E0046A190( &_v48, L"Unable to resolve address for computer \'",  &_a8);
      					_v8 = 3;
      					_t97 = E0046A230( &_v52,  &_v28);
      					_v8 = 4;
      					MessageBoxW(_a4, E0046A170(_t97), L"Process Monitor", 0x30);
      					_t161 = _v52;
      					_v8 = 3;
      					__eflags = _v52;
      					if(_v52 != 0) {
      						E0046A700(_t161);
      					}
      					_t162 = _v48;
      					_v8 = 2;
      					__eflags = _v48;
      					if(_v48 != 0) {
      						E0046A700(_t162);
      					}
      					_t163 = _v28;
      					_v8 = 0;
      					__eflags = _v28;
      					if(_v28 != 0) {
      						E0046A700(_t163);
      					}
      					_t153 = 0;
      					__eflags = 0;
      				} else {
      					_t107 =  *((intOrPtr*)(E00403D10( *_t195)));
      					_v8 = 5;
      					if(_t107 == 0) {
      						_t108 = 0;
      						__eflags = 0;
      					} else {
      						_t108 =  *_t107;
      					}
      					E0046A0F0( &_a8, _t108);
      					_v8 = 0;
      					E00403A00( &_v28);
      					E0043ADA0(_t152, _t193,  &_v20,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t195 + 0xc)))))));
      					_v8 = 6;
      					 *_t200();
      					_t116 = E0046A720( &_v20);
      					_t220 = _t116;
      					if(_t116 == 0) {
      						__eflags =  *0x4bd2e9;
      						 *0x4bce38 = 2;
      						if( *0x4bd2e9 != 0) {
      							E0043ACF0(_t193);
      						}
      						 *0x4bce24 = E00472D60(0, 0, E004399D0, 0, 0,  &_v52);
      						 *0x4bce28 = E00472D60(0, 0, E00439CD0, 0, 0,  &_v52);
      						_t153 = 1;
      					} else {
      						_v28 = E0046A6C0(_t152, L":\r\n", E0046A530(L":\r\n"));
      						_v8 = 7;
      						_v24 = E0046A6C0(_t152, L"\' on port ", E0046A530(L"\' on port "));
      						_v8 = 8;
      						_t128 = E00436170(_t152, _t193, _t195, _t220,  &_v52, 0x5ab3, 0);
      						_v8 = 9;
      						E0046A190( &_v48, L"Unable to open connection to \'",  &_a8);
      						_v8 = 0xa;
      						E0046A230( &_v44,  &_v24);
      						_v8 = 0xb;
      						E0046A230( &_v40, _t128);
      						_v8 = 0xc;
      						E0046A230( &_v36,  &_v28);
      						_v8 = 0xd;
      						_t135 = E0046A230( &_v32,  &_v20);
      						_v8 = 0xe;
      						MessageBoxW(_a4, E0046A170(_t135), L"Process Monitor", 0x30);
      						_t184 = _v32;
      						_v8 = 0xd;
      						if(_v32 != 0) {
      							E0046A700(_t184);
      						}
      						_t185 = _v36;
      						_v8 = 0xc;
      						if(_v36 != 0) {
      							E0046A700(_t185);
      						}
      						_t186 = _v40;
      						_v8 = 0xb;
      						if(_v40 != 0) {
      							E0046A700(_t186);
      						}
      						_t187 = _v44;
      						_v8 = 0xa;
      						if(_v44 != 0) {
      							E0046A700(_t187);
      						}
      						_t188 = _v48;
      						_v8 = 9;
      						if(_v48 != 0) {
      							E0046A700(_t188);
      						}
      						_t189 = _v52;
      						_v8 = 8;
      						if(_v52 != 0) {
      							E0046A700(_t189);
      						}
      						_t190 = _v24;
      						_v8 = 7;
      						if(_v24 != 0) {
      							E0046A700(_t190);
      						}
      						_t191 = _v28;
      						_v8 = 6;
      						if(_v28 != 0) {
      							E0046A700(_t191);
      						}
      						_t153 = 0;
      					}
      					_t171 = _v20;
      					_v8 = 0;
      					if(_v20 != 0) {
      						E0046A700(_t171);
      					}
      				}
      				_t164 = _a8;
      				_v8 = 0xffffffff;
      				if(_a8 != 0) {
      					E0046A700(_t164);
      				}
      				 *[fs:0x0] = _v16;
      				return _t153;
      			}

      APIs
        • Part of subcall function 00402050: SysAllocString.OLEAUT32(?), ref: 004020A2
      • gethostbyname.WS2_32(00000000), ref: 0043A512
      • InterlockedDecrement.KERNEL32(?), ref: 0043A529
      • SysFreeString.OLEAUT32(00000000), ref: 0043A53E
      • WSAGetLastError.WS2_32 ref: 0043A577
      • WSAGetLastError.WS2_32 ref: 0043A5D3
      • MessageBoxW.USER32(?,00000000,Process Monitor,00000030), ref: 0043A6A7
      • MessageBoxW.USER32(?,00000000,Process Monitor,00000030), ref: 0043A7F7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ErrorLastMessageString$AllocDecrementFreeInterlockedgethostbyname
      • String ID: ' on port $:$Process Monitor$Unable to open connection to '$Unable to resolve address for computer '
      • API String ID: 1459405013-3078330798
      • Opcode ID: 2579de0e9699665c9b5b036e86c4fd439418f140d0ffa93a2bb6e9a3da8e949f
      • Instruction ID: 45f890148b30f9eb3bcb17610fb142f6ecf66ed8bd1e66122532596b79c648a2
      • Opcode Fuzzy Hash: 2579de0e9699665c9b5b036e86c4fd439418f140d0ffa93a2bb6e9a3da8e949f
      • Instruction Fuzzy Hash: A0B10874901244EAEF15EBA5C951BEFBBB49F19304F14405FE842B3381EB789A14CB6B
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 60%
      			E0045C730(void* __edx) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				void* _v220;
      				void* _v780;
      				struct HWND__* _v784;
      				char _v788;
      				struct _CRITICAL_SECTION* _v792;
      				char _v796;
      				char _v800;
      				intOrPtr _v804;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t44;
      				signed int _t45;
      				void* _t57;
      				void* _t59;
      				intOrPtr _t65;
      				char* _t72;
      				void* _t85;
      				void* _t91;
      				void* _t100;
      				void* _t120;
      				struct HWND__* _t122;
      				void* _t124;
      				void* _t126;
      				void* _t129;
      				signed int _t130;
      				void* _t131;
      				void* _t132;
      				void* _t135;
      				void* _t137;
      
      				_t120 = __edx;
      				_push(0xffffffff);
      				_push(E0048C1FD);
      				_push( *[fs:0x0]);
      				_t132 = _t131 - 0x314;
      				_t44 =  *0x4bb1dc; // 0x2927074f
      				_t45 = _t44 ^ _t130;
      				_v20 = _t45;
      				_push(_t45);
      				 *[fs:0x0] =  &_v16;
      				_t122 = GetDlgItem( *0x4bd2c0, 0x67);
      				_v792 = 0x4bca10;
      				_v784 = _t122;
      				EnterCriticalSection(0x4bca10);
      				_v8 = 0;
      				_t99 = E00416870(0x4bca10);
      				_v804 = _t99;
      				_t126 = E00419550(0x4bca10);
      				_v8 = 0xffffffff;
      				LeaveCriticalSection(0x4bca10);
      				if(_t126 != 0) {
      					if(_t99 != 0) {
      						if(_t99 != _t126) {
      							asm("movd xmm1, ebx");
      							asm("cvtdq2pd xmm1, xmm1");
      							_push(2);
      							asm("movd xmm0, esi");
      							asm("addsd xmm1, [eax*8+0x496300]");
      							asm("cvtdq2pd xmm0, xmm0");
      							asm("mulsd xmm1, [0x4962e8]");
      							asm("addsd xmm0, [eax*8+0x496300]");
      							asm("divsd xmm1, xmm0");
      							asm("movsd [esp], xmm1");
      							_push( &_v792);
      							_t99 = E00435930(_t99, _t122);
      							_v8 = 3;
      							_t57 = E00436C80(_t55, _t120, _t122,  &_v800, _t126, 0, 0);
      							_v8 = 4;
      							_t59 = E00436C80(_t55, _t120, _t57,  &_v796, _v804, 0, 0);
      							_v8 = 5;
      							_push(E0046A170(_t55));
      							_push(E0046A170(_t57));
      							E0043C230( &_v220, L"Showing %s of %s events (%s%%)", E0046A170(_t59));
      							_t106 = _v796;
      							_t135 = _t132 - 8 + 0x44;
      							_v8 = 4;
      							if(_v796 != 0) {
      								E0046A700(_t106);
      							}
      							_t107 = _v800;
      							_v8 = 3;
      							if(_v800 != 0) {
      								E0046A700(_t107);
      							}
      							_t108 = _v792;
      							_v8 = 0xffffffff;
      							if(_v792 != 0) {
      								E0046A700(_t108);
      							}
      							_t122 = _v784;
      							goto L16;
      						}
      						_t85 = E00436C80(_t99, _t120, _t122,  &_v784, _t126, 0, 0);
      						_t137 = _t132 + 0x10;
      						_v8 = 2;
      						_push(E0046A170(_t85));
      						_push(L"Showing all %s events");
      						L7:
      						_push( &_v220);
      						E0043C230();
      						_t118 = _v784;
      						_t135 = _t137 + 0xc;
      						_v8 = 0xffffffff;
      						if(_v784 != 0) {
      							E0046A700(_t118);
      						}
      						goto L16;
      					}
      					_t91 = E00436C80(_t99, _t120, _t122,  &_v784, _t126, _t99, _t99);
      					_t137 = _t132 + 0x10;
      					_v8 = 1;
      					_push(E0046A170(_t91));
      					_push(L"The current filter excludes all %s events");
      					goto L7;
      				} else {
      					E0046EF0C( &_v220, 0x64, L"No events");
      					_t135 = _t132 + 0xc;
      					if(E0043A120() == 0) {
      						E00472C98( &_v220, 0x64, L" (capture disabled)");
      						_t135 = _t135 + 0xc;
      					}
      					L16:
      					_t65 =  *0x4bca44; // 0x0
      					E0044C590(_t99, 0x4bca10,  &_v788, (_t65 -  *0x4bca40 >> 2) - 1);
      					_v8 = 6;
      					if(E0046A720( &_v788) == 0) {
      						_t72 = L"virtual memory";
      					} else {
      						_t72 = E0046A170( &_v788);
      					}
      					E00445440( &_v780, L"Backed by %s", _t72);
      					SendMessageW(_t122, 0x40b, 0x200,  &_v220);
      					SendMessageW(_t122, 0x40b, 0x201,  &_v780);
      					_t111 = _v788;
      					_v8 = 0xffffffff;
      					if(_v788 != 0) {
      						E0046A700(_t111);
      					}
      					 *[fs:0x0] = _v16;
      					_pop(_t124);
      					_pop(_t129);
      					_pop(_t100);
      					return E0046F77E(_t100, _v20 ^ _t130, _t120, _t124, _t129);
      				}
			}

      APIs
      • GetDlgItem.USER32 ref: 0045C766
      • EnterCriticalSection.KERNEL32(004BCA10,?,?,778BEB70), ref: 0045C783
        • Part of subcall function 00416870: EnterCriticalSection.KERNEL32(004BCA10,00000000,?,0043B1A2,2927074F,00000000,?,?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 00416875
        • Part of subcall function 00416870: LeaveCriticalSection.KERNEL32(004BCA10,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0041687F
      • LeaveCriticalSection.KERNEL32(004BCA10,?,?,778BEB70), ref: 0045C7BA
      • SendMessageW.USER32(?,0000040B,00000200,?), ref: 0045C9F9
      • SendMessageW.USER32(?,0000040B,00000201,?), ref: 0045CA0D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeaveMessageSend$Item
      • String ID: (capture disabled)$Backed by %s$No events$Showing %s of %s events (%s%%)$Showing all %s events$The current filter excludes all %s events$virtual memory
      • API String ID: 4217143321-164489629
      • Opcode ID: 80169fa08f53c0db12421eaed0886652548f223247f25cb5e0c587994cf752d3
      • Instruction ID: d778914818a734f81e3cb1fb134ba218c124c931a86dba11365846cad497ec4b
      • Opcode Fuzzy Hash: 80169fa08f53c0db12421eaed0886652548f223247f25cb5e0c587994cf752d3
      • Instruction Fuzzy Hash: F271CA70900318ABDB11EB658C86BEE737C9F09315F0041AFF905B7282EB785B558B6A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E00406400(intOrPtr __ecx, intOrPtr* _a4, intOrPtr* _a8) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct tagRECT _v40;
      				void* _v56;
      				intOrPtr _v64;
      				void* _v72;
      				struct tagTEXTMETRICW _v132;
      				intOrPtr _v136;
      				int _v140;
      				int _v144;
      				intOrPtr _v148;
      				intOrPtr* _v152;
      				intOrPtr _v156;
      				intOrPtr* _v160;
      				signed int _v164;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t78;
      				int _t87;
      				int _t88;
      				signed int _t109;
      				void* _t116;
      				intOrPtr _t120;
      				intOrPtr _t121;
      				intOrPtr* _t122;
      				intOrPtr _t125;
      				intOrPtr _t129;
      				intOrPtr* _t132;
      				intOrPtr _t133;
      				intOrPtr _t135;
      				long _t136;
      				signed int _t140;
      				long _t141;
      				struct HDC__* _t144;
      				signed int _t146;
      				intOrPtr _t148;
      				signed int _t149;
      
      				_t78 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t78 ^ _t149;
      				_v152 = _a4;
      				_t133 = __ecx;
      				_v160 = _a8;
      				_v136 = __ecx;
      				GetClientRect( *(__ecx + 8),  &_v24);
      				_v140 = GetSystemMetrics(2);
      				_v144 = GetSystemMetrics(3);
      				_t141 = SendMessageW( *(_t133 + 0x14), 0x1200, 0, 0);
      				_t87 = SendMessageW( *(_t133 + 0x14), 0x120f, 0, 0);
      				_t13 = _t141 - 1; // -1
      				_t88 = SendMessageW( *(_v136 + 0x14), 0x120f, _t13, 0);
      				_t135 = _v136;
      				SendMessageW( *(_t135 + 0x14), 0x1207, _t87,  &_v56);
      				SendMessageW( *(_t135 + 0x14), 0x1207, _t88,  &_v72);
      				_t120 = _t135;
      				_v148 = _v64 - _v56;
      				_v156 = _v24.right -  *((intOrPtr*)(_t120 + 0x90)) - _v24.left;
      				_t144 = GetDC( *(_t120 + 8));
      				SelectObject(_t144,  *(_t120 + 0x30));
      				GetTextMetricsW(_t144,  &_v132);
      				_t136 = _v132.tmHeight;
      				ReleaseDC( *(_t120 + 8), _t144);
      				if( *((intOrPtr*)(_t120 + 0x38)) != 0) {
      					_t136 =  <  ? GetSystemMetrics(0x32) : _t136;
      				}
      				_t146 =  *((intOrPtr*)(_t120 + 0x68)) + _t136;
      				_v164 = _t146;
      				GetWindowRect( *(_t120 + 0xc),  &_v40);
      				_t140 = _v40.top - _v40.bottom - _v24.top + _v24.bottom;
      				if(( *(_t120 + 0x60) >> 0x00000004 & 0x00000001) != 0) {
      					_t121 =  *((intOrPtr*)(_t120 + 0x5c));
      					_t148 =  *((intOrPtr*)(_v136 + 0x54));
      					if(_t148 == 0) {
      						L7:
      						_t146 = _v164;
      						goto L8;
      					}
      					do {
      						_t116 = E00406800(_t148);
      						_t148 =  *((intOrPtr*)(_t148 + 0x10));
      						_t121 = _t121 + _t116;
      					} while (_t148 != 0);
      					goto L7;
      				} else {
      					_t121 = 0;
      					L8:
      					_t125 = _v156;
      					_t51 = _t121 + 1; // 0x1d
      					_t129 = _v148;
      					_t109 = _t51 * _t146 - 1;
      					if(_t129 <= _t125) {
      						if(_t109 <= _t140) {
      							L16:
      							asm("cdq");
      							_t122 = _v152;
      							 *(_t122 + 0xc) = _t109 / _t146;
      							asm("cdq");
      							_t132 = _v160;
      							 *(_t122 + 0x10) = _t140 / _t146;
      							 *_t122 = 0x1c;
      							 *(_t122 + 4) = 3;
      							 *(_t122 + 8) = 0;
      							 *((intOrPtr*)(_t132 + 0x10)) = _t125;
      							 *_t132 = 0x1c;
      							 *(_t132 + 4) = 3;
      							 *(_t132 + 8) = 0;
      							 *((intOrPtr*)(_t132 + 0xc)) = _v148 - 1;
      							return E0046F77E(_t122, _v8 ^ _t149, _t132, _t140, _t146);
      						}
      						_t125 = _t125 - _v140;
      						if(_t129 <= _t125) {
      							goto L16;
      						}
      						L15:
      						_t140 = _t140 - _v144;
      						goto L16;
      					}
      					if(_t109 <= _t140) {
      						_t140 = _t140 - _v144;
      						if(_t109 > _t140) {
      							_t125 = _t125 - _v140;
      						}
      						goto L16;
      					}
      					_t125 = _t125 - _v140;
      					goto L15;
      				}
			}

      APIs
      • GetClientRect.USER32 ref: 00406437
      • GetSystemMetrics.USER32 ref: 00406445
      • GetSystemMetrics.USER32 ref: 0040644F
      • SendMessageW.USER32(000007D6,00001200,00000000,00000000), ref: 00406469
      • SendMessageW.USER32(000007D6,0000120F,00000000,00000000), ref: 00406479
      • SendMessageW.USER32(000007D6,0000120F,-00000001,00000000), ref: 00406491
      • SendMessageW.USER32(000007D6,00001207,00000000,?), ref: 004064A8
      • SendMessageW.USER32(000007D6,00001207,00000000,?), ref: 004064B7
      • GetDC.USER32(00000000), ref: 004064DC
      • SelectObject.GDI32(00000000,?), ref: 004064E8
      • GetTextMetricsW.GDI32(00000000,?), ref: 004064F3
      • ReleaseDC.USER32 ref: 00406500
      • GetSystemMetrics.USER32 ref: 0040650E
      • GetWindowRect.USER32 ref: 0040652B
      Similarity
      • API ID: MessageSend$Metrics$System$Rect$ClientObjectReleaseSelectTextWindow
      • String ID:
      • API String ID: 3762695110-0
      • Opcode ID: fc4d3a0d9b26a7c57270ff2065ffcd4205c5b0c2d0f1147da90ceba230d53045
      • Instruction ID: 5254ae7dd4c06d007933d360053c88acf4493a785edc9435a7cec3538c2c2045
      • Opcode Fuzzy Hash: fc4d3a0d9b26a7c57270ff2065ffcd4205c5b0c2d0f1147da90ceba230d53045
      • Instruction Fuzzy Hash: EF616C31900218AFDB10CF68DD84B9DBBB5FF08300F1582A9E909EB295DB34AD55CF94
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 0046C010: LoadLibraryW.KERNEL32(Ntdll.dll,NtQuerySystemInformation,2927074F), ref: 0046C04C
        • Part of subcall function 0046C010: GetProcAddress.KERNEL32(00000000), ref: 0046C053
        • Part of subcall function 0046C010: _malloc.LIBCMT ref: 0046C06D
        • Part of subcall function 0046C010: _free.LIBCMT ref: 0046C091
        • Part of subcall function 0046C010: _malloc.LIBCMT ref: 0046C0A0
        • Part of subcall function 0046C010: InterlockedDecrement.KERNEL32(00000008), ref: 0046C13F
        • Part of subcall function 0046C010: SysFreeString.OLEAUT32(00000000), ref: 0046C150
      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0046B5DC
      • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0046B5F0
      • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0046B5FD
      • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0046B60A
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0046B727
      • LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 0046B73E
      • CloseHandle.KERNEL32(00000000), ref: 0046B771
      Strings
      Similarity
      • API ID: AddressProc$CriticalHandleSection_malloc$CloseDecrementEnterFreeInterlockedLeaveLibraryLoadModuleString_free
      • String ID: CreateToolhelp32Snapshot$Module32FirstW$Module32NextW$kernel32.dll$?
      • API String ID: 2257269959-1737848390
      • Opcode ID: 6fa5268f381f76e86975ff1c481590eb93150eab83e9fa9f0c395a6660756135
      • Instruction ID: 8206d1a6a4757ee07e857d7ec09cf924f6024ffe780083d7c39e0d586593b5f9
      • Opcode Fuzzy Hash: 6fa5268f381f76e86975ff1c481590eb93150eab83e9fa9f0c395a6660756135
      • Instruction Fuzzy Hash: 0D41A7B19012189BDB21DF60DD85BAEB778EF44315F4400AFE909A3251EB785E84CF9E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E004522E0(void* __edx, struct HWND__* _a4) {
      				signed int _v8;
      				char _v526;
      				char _v528;
      				intOrPtr _v568;
      				intOrPtr _v588;
      				char* _v592;
      				char* _v608;
      				struct HWND__* _v616;
      				struct tagOFNA _v620;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t21;
      				signed int _t32;
      				signed int _t34;
      				signed int _t46;
      				void* _t50;
      				signed int _t51;
      				void* _t52;
      				void* _t57;
      				struct HWND__* _t58;
      				signed int _t60;
      				void* _t61;
      				void* _t62;
      				void* _t63;
      				intOrPtr* _t64;
      
      				_t57 = __edx;
      				_t21 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t21 ^ _t60;
      				_t58 = _a4;
      				E00470030( &_v616, 0, 0x54);
      				_v528 = 0;
      				E00470030( &_v526, 0, 0x206);
      				_t62 = _t61 + 0x18;
      				_v620 = 0x58;
      				_v616 = _t58;
      				_v592 =  &_v528;
      				_v588 = 0x104;
      				_v608 = L"Procmon Log (*.PML,*.PMB)";
      				_v568 = 0x100c;
      				if(GetOpenFileNameW( &_v620) != 0) {
      					_t32 = E00471495( &_v528, 0x2e);
      					_t63 = _t62 + 8;
      					__eflags = _t32;
      					if(_t32 == 0) {
      						L5:
      						_t34 = E00452450(_t57, _t58,  &_v528, 0);
      						_t64 = _t63 + 0xc;
      					} else {
      						_t46 = E0046F283(_t50, _t58, _t59, _t32, L".PMB");
      						_t63 = _t63 + 8;
      						__eflags = _t46;
      						if(_t46 != 0) {
      							goto L5;
      						} else {
      							_push( &_v528);
      							_t34 = L00452150(_t59, _t58);
      							_t64 = _t63 + 8;
      						}
      					}
      					_t51 = _t34;
      					__eflags = _t51;
      					if(_t51 != 0) {
      						_t59 = _t64;
      						 *_t64 = E0046A6C0(_t51,  &_v528, E0046A530( &_v528));
      						L00459F80(_t51, __eflags, _t58, _t52);
      					}
      					EnableMenuItem(GetMenu(_t58), 0x9c54, 2);
      					SendMessageW(GetDlgItem(_t58, 0x66), 0x401, 0x9c54, 0);
      					__eflags = _v8 ^ _t60;
      					return E0046F77E(_t51, _v8 ^ _t60, _t57, _t58, _t59);
      				} else {
      					return E0046F77E(_t50, _v8 ^ _t60, _t57, _t58, _t59);
      				}
			}

      APIs
      Strings
      Similarity
      • API ID: ItemMenu_memset$EnableFileMessageNameOpenSend_wcsrchr
      • String ID: .PMB$<remote boot-log>$DEVICE_PATH$X
      • API String ID: 1498896545-2981312674
      • Opcode ID: 0dd1eef838960c0619d22a4355a6c16e462ab6747308c0371084e606d4d55415
      • Instruction ID: fa4dff06e1e4cbd40efdff8277e63067eee8e9473af0acc2bc19f88155abf9b9
      • Opcode Fuzzy Hash: 0dd1eef838960c0619d22a4355a6c16e462ab6747308c0371084e606d4d55415
      • Instruction Fuzzy Hash: FA31E7B5D013086ADB209F619C4AFEE73BC9B05709F1001EBFD08E7142EA795A8C8F59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E0046E140(struct HWND__* _a4) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct HDC__* _v28;
      				struct HWND__* _v32;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t17;
      				signed int _t19;
      				int _t23;
      				struct HWND__* _t38;
      				void* _t42;
      				struct HDC__* _t43;
      				void* _t44;
      				struct HDC__* _t47;
      				signed int _t48;
      
      				_t17 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t17 ^ _t48;
      				_t38 = _a4;
      				_v32 = _t38;
      				_t19 = GetSystemMetrics(5);
      				_t43 = GetWindowDC(_t38);
      				_v28 = _t43;
      				GetWindowRect(_t38,  &_v24);
      				_t23 = SaveDC(_t43);
      				SetROP2(_t43, 6);
      				_t44 = CreatePen(6, _t19 + _t19 * 2, 0);
      				SelectObject(_v28, _t44);
      				SelectObject(_v28, GetStockObject(5));
      				_t47 = _v28;
      				Rectangle(_t47, 0, 0, _v24.right - _v24.left, _v24.bottom - _v24.top);
      				RestoreDC(_t47, _t23);
      				ReleaseDC(_v32, _t47);
      				DeleteObject(_t44);
      				return E0046F77E(_t23, _v8 ^ _t48, _t42, _t44, _t47);
			}

      APIs
      • GetSystemMetrics.USER32 ref: 0046E15B
      • GetWindowDC.USER32(?), ref: 0046E165
      • GetWindowRect.USER32 ref: 0046E175
      • SaveDC.GDI32(00000000), ref: 0046E17C
      • SetROP2.GDI32(00000000,00000006), ref: 0046E187
      • CreatePen.GDI32(00000006,004BDD08,00000000), ref: 0046E192
      • SelectObject.GDI32(?,00000000), ref: 0046E1A4
      • GetStockObject.GDI32(00000005), ref: 0046E1A8
      • SelectObject.GDI32(?,00000000), ref: 0046E1B2
      • Rectangle.GDI32(?,00000000,00000000,?,?), ref: 0046E1CA
      • RestoreDC.GDI32(?,00000000), ref: 0046E1D2
      • ReleaseDC.USER32 ref: 0046E1DC
      • DeleteObject.GDI32(00000000), ref: 0046E1E3
      Similarity
      • API ID: Object$SelectWindow$CreateDeleteMetricsRectRectangleReleaseRestoreSaveStockSystem
      • String ID:
      • API String ID: 509098715-0
      • Opcode ID: b038989be57793327eb908e48fba107928fce9c2a566d66974fc583396ad9b31
      • Instruction ID: cdbdd5aee6ab61eea0319067f1814683f5b17f668a9b4b3a594931a59000669e
      • Opcode Fuzzy Hash: b038989be57793327eb908e48fba107928fce9c2a566d66974fc583396ad9b31
      • Instruction Fuzzy Hash: 9D214D32900208AFCB10AFA9DC4DEAFBF78EB49711F100439FA05E7160CB3069058BA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E00416DC0(void* __ebx, void* __ecx, void* __eflags, intOrPtr* _a4, char _a8) {
      				union %anon243 _v8;
      				char _v16;
      				signed int _v20;
      				struct _MEMORYSTATUSEX _v84;
      				struct _OSVERSIONINFOW _v368;
      				char _v372;
      				char _v373;
      				union %anon243* _v380;
      				union %anon243 _v384;
      				intOrPtr _v388;
      				intOrPtr* _v392;
      				union %anon243 _v396;
      				struct _SYSTEM_INFO _v432;
      				void* __edi;
      				void* __esi;
      				signed int _t85;
      				signed int _t86;
      				intOrPtr _t97;
      				char _t98;
      				void* _t100;
      				void* _t101;
      				intOrPtr _t114;
      				union %anon243* _t133;
      				void* _t142;
      				void* _t145;
      				intOrPtr _t156;
      				void* _t173;
      				void* _t174;
      				intOrPtr* _t176;
      				char _t179;
      				void* _t180;
      				union %anon243 _t181;
      				signed int _t182;
      				void* _t183;
      				void* _t184;
      
      				_t145 = __ebx;
      				_push(0xffffffff);
      				_push(E00486F51);
      				_push( *[fs:0x0]);
      				_t184 = _t183 - 0x1a0;
      				_t85 =  *0x4bb1dc; // 0x2927074f
      				_t86 = _t85 ^ _t182;
      				_v20 = _t86;
      				_push(_t86);
      				 *[fs:0x0] =  &_v16;
      				_t173 = __ecx;
      				_t176 = _a4;
      				_v396 = 0;
      				_v380 = _t176;
      				_v392 = _t176;
      				 *0x4bb0d0 = 9;
      				_v384 = 0;
      				_t8 = _t173 + 0x3c; // 0x4bca4c
      				_v8 = 1;
      				if(E0046A720(_t8) != 0) {
      					_t10 = _t173 + 0x40; // 0x0
      					_t170 =  *_t10;
      					_t11 = _t173 + 0x3c; // 0x4bca4c
      					_t12 = _t170 + 1; // 0x1
      					 *((intOrPtr*)(__ecx + 0x40)) = _t12;
      					_t142 = E00468070( *_t10,  &_v372, E0046A170(_t11),  *_t10);
      					_t184 = _t184 + 0xc;
      					_v8.dwOemId = 2;
      					E0046A0B0( &_v384, _t142);
      					_t169 = _v372;
      					_v8.dwOemId = 1;
      					_t190 = _v372;
      					if(_v372 != 0) {
      						E0046A700(_t169);
      					}
      				}
      				asm("xorps xmm0, xmm0");
      				_v432.dwOemId = 0;
      				_v84.dwLength = 0x40;
      				asm("movdqu [ebp-0x1a8], xmm0");
      				_v84.dwMemoryLoad = 0;
      				asm("movdqu [ebp-0x198], xmm0");
      				E00470030( &(_v84.ullTotalPhys), 0, 0x38);
      				_v368.dwOSVersionInfoSize = 0x11c;
      				_v368.dwMajorVersion = 0;
      				E00470030( &(_v368.dwMinorVersion), 0, 0x114);
      				GetSystemInfo( &_v432);
      				GlobalMemoryStatusEx( &_v84);
      				GetVersionExW( &_v368);
      				_push(0x590);
      				_t97 = E0046EEB6(_t145, _t173, _t190);
      				_v388 = _t97;
      				_v8.dwOemId = 3;
      				_t191 = _t97;
      				if(_t97 == 0) {
      					_t98 = 0;
      					__eflags = 0;
      				} else {
      					_t98 = E00415A70(_t97, _t191);
      				}
      				_v8.dwOemId = 1;
      				 *_t176 = _t98;
      				if(_t98 != 0) {
      					InterlockedIncrement(_t98 + 0x578);
      				}
      				_t34 = _t173 + 0x7c; // 0x4bca8c
      				_v396 = 1;
      				_t100 = E0046A170(_t34);
      				_t39 = _t173 + 0x78; // 0x4bca88
      				_t101 = E0046A170(_t39);
      				if(E004671A0( *_t176, E0046A170( &_v384), 0xf4240, _t101, _t100, 0, _v84.ullTotalPhys, _v84.ullAvailPhys, _v432.lpMaximumApplicationAddress, 0, _v432.dwNumberOfProcessors,  &_v368) == 0) {
      					__eflags = _a8;
      					if(_a8 != 0) {
      						_t45 = _t173 + 0x44; // 0x0
      						E004681F0( *_v380,  *_t45);
      					}
      				} else {
      					_t133 = _v380;
      					_t181 = _t133->dwOemId;
      					 *_t133 = 0;
      					if(_t181 != 0 && InterlockedDecrement(_t181 + 0x578) < 2) {
      						E00467460(_t181, _t135);
      					}
      				}
      				_t46 = _t173 + 0x34; // 0x0
      				_t47 = _t173 + 0x30; // 0x0
      				_t48 = _t173 + 0x74; // 0xc8
      				if( *_t46 -  *_t47 >> 2 >=  *_t48) {
      					L16:
      					_t51 = _t173 + 0x30; // 0x0
      					_t179 =  *((intOrPtr*)( *_t51));
      					_v372 = _t179;
      					if(_t179 != 0) {
      						InterlockedIncrement(_t179 + 0x578);
      					}
      					_push(_v392);
      					_t55 = _t173 + 0x30; // 0x0
      					_t56 = _t173 + 0x34; // 0x0
      					_v8.dwOemId = 4;
      					E00414F00( *_t55 + 4,  *_t56,  *_t55);
      					_t58 = _t173 + 0x34; // 0x0
      					_t152 =  *_t58;
      					_push(_v392);
      					_push( &_v373);
      					_t61 = _t152 - 4; // -4
      					E00414B00(_t61,  *_t58);
      					 *((intOrPtr*)(_t173 + 0x34)) =  *((intOrPtr*)(_t173 + 0x34)) + 0xfffffffc;
      					_t64 = _t173 + 0x1c; // 0x4bca2c
      					 *((char*)(_t179 + 0x580)) = 1;
      					E0040E870(_t64);
      					_t66 = _t173 + 0x50; // 0x77d088
      					_t68 = _t173 + 0x50; // 0x4bca60
      					_v388 =  *_t66;
      					_t114 = E004149B0(_t68,  *_t66,  *((intOrPtr*)( *_t66 + 4)),  &_v372);
      					_t71 = _t173 + 0x54; // 0x0
      					_t170 =  *_t71;
      					_t156 = _t114;
      					_t200 = 0x15555554 - _t170 - 1;
      					if(0x15555554 - _t170 < 1) {
      						_push("list<T> too long");
      						E0046EB0F(_t200);
      					}
      					_t72 = _t170 + 1; // 0x1
      					_v8.dwOemId = 1;
      					 *((intOrPtr*)(_t173 + 0x54)) = _t72;
      					 *((intOrPtr*)(_v388 + 4)) = _t156;
      					 *((intOrPtr*)( *((intOrPtr*)(_t156 + 4)))) = _t156;
      					if(InterlockedDecrement(_t179 + 0x578) < 2) {
      						E00467460(_t179, _t121);
      					}
      					goto L22;
      				} else {
      					_t49 = _t173 + 0x34; // 0x0
      					_t50 = _t173 + 0x30; // 0x0
      					if( *_t49 -  *_t50 >> 2 < 0xc8) {
      						L22:
      						_t157 = _v384;
      						_v8 = 0;
      						if(_v384 != 0) {
      							E0046A700(_t157);
      						}
      						 *[fs:0x0] = _v16;
      						_pop(_t174);
      						_pop(_t180);
      						return E0046F77E(_t145, _v20 ^ _t182, _t170, _t174, _t180);
      					}
      					goto L16;
      				}
			}

      APIs
      • _memset.LIBCMT ref: 00416EA7
      • _memset.LIBCMT ref: 00416ECE
      • GetSystemInfo.KERNEL32(00000000), ref: 00416EDD
      • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00416EE7
      • GetVersionExW.KERNEL32(0000011C), ref: 00416EF4
      • InterlockedIncrement.KERNEL32(-00000578), ref: 00416F30
      • InterlockedDecrement.KERNEL32(?), ref: 00416FA6
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
      • InterlockedIncrement.KERNEL32(?), ref: 00417009
      • InterlockedDecrement.KERNEL32(?), ref: 004170AF
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Interlocked$Decrement$Increment_memset$GlobalInfoMemoryStatusSystemVersion
      • String ID: @$list<T> too long
      • API String ID: 634433278-2626323653
      • Opcode ID: b344339d46f5152201c896806aad32913f07e206e8df1273b2ac231ce6a915bf
      • Instruction ID: e735995fdb9a4aae8d5efd385576a1f9c988c9aca7cf2d6d6dc8f1555e9dd5ea
      • Opcode Fuzzy Hash: b344339d46f5152201c896806aad32913f07e206e8df1273b2ac231ce6a915bf
      • Instruction Fuzzy Hash: C7918F71904619EFDB21DF64CD44BDEBBB8BF09304F00419EE909A3241EB79AA94CF95
      Uniqueness

      Uniqueness Score: -1.00%
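The API list in the record above is the quickest triage material in a Joe Sandbox function record: each row names the imported function, its module, any arguments the analysis recovered and the call-site address, and indented rows are attributed to a sub-call rather than to the function itself. The script below is an added example, not part of this report and not Joe Sandbox code; it parses that list into structured rows so the calls can be counted and filtered. The sample text is copied verbatim from the record above. The field names, the `sub_` label and the environment-enumeration heuristic (GetSystemInfo, GlobalMemoryStatusEx and GetVersionExW appearing together in one function) are this example's own assumptions, not a signature the report states.

```python
"""Parse the 'APIs' list of a Joe Sandbox function record into structured rows.

Added example for reading sandbox reports; not Joe Sandbox code. The field
names below are this example's own, not the report's.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the API list of the function record at 0x00416DC0, copied verbatim.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 00416EA7
• _memset.LIBCMT ref: 00416ECE
• GetSystemInfo.KERNEL32(00000000), ref: 00416EDD
• GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00416EE7
• GetVersionExW.KERNEL32(0000011C), ref: 00416EF4
• InterlockedIncrement.KERNEL32(-00000578), ref: 00416F30
• InterlockedDecrement.KERNEL32(?), ref: 00416FA6
  • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
• InterlockedIncrement.KERNEL32(?), ref: 00417009
• InterlockedDecrement.KERNEL32(?), ref: 004170AF
  • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
Strings
"""

# One bullet row: optional sub-call prefix, Name.MODULE, optional (args), ", ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"  # nested call, optional
    r"(?P<name>[\w#]+)\.(?P<module>\w+)"                          # e.g. GetVersionExW.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"                                   # argument list, optional
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                                   # address of the call site
    args: List[str] = field(default_factory=list)
    subcall: Optional[int] = None              # callee that actually contains the call, if nested


def parse_api_section(text: str) -> List[ApiCall]:
    """Return the bullet rows between the 'APIs' and 'Strings' headers as ApiCall rows."""
    rows, inside = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            inside = True
            continue
        if stripped == "Strings":
            break
        if not inside or not stripped:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API row: {line!r}")
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        rows.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), args, sub))
    return rows


def direct_calls(rows: List[ApiCall]) -> List[ApiCall]:
    """Calls made by the function itself, excluding rows attributed to a sub-call."""
    return [r for r in rows if r.subcall is None]


def api_histogram(rows: List[ApiCall]) -> Counter:
    """Count call sites per MODULE!Name."""
    return Counter(f"{r.module}!{r.name}" for r in rows)


# Analyst heuristic (this example's, not a report signature): these three calls together
# read CPU, memory and OS-version facts, a common environment-enumeration cluster.
ENV_ENUM = {"GetSystemInfo", "GlobalMemoryStatusEx", "GetVersionExW"}


def enumerates_environment(rows: List[ApiCall]) -> bool:
    return ENV_ENUM.issubset(r.name for r in direct_calls(rows))


if __name__ == "__main__":
    rows = parse_api_section(SAMPLE)
    for r in rows:
        tag = f" (via sub_{r.subcall:08X})" if r.subcall is not None else ""
        print(f"{r.ref:08X}  {r.module}!{r.name}({', '.join(r.args)}){tag}")
    print(api_histogram(rows).most_common(3))
    print("environment enumeration:", enumerates_environment(rows))
```

Run it as a script to list the call sites; because the `Strings` header terminates the section, the same function can be pointed at a whole record copied out of the report. Rows marked `Part of subcall function` are left out of `direct_calls`, which is what you want when attributing behaviour to the function under review rather than to its helpers.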

      C-Code - Quality: 88%
      			E0044F652(void* __ebx, void* __edx) {
      				void* __esi;
      				signed char _t22;
      				void* _t45;
      				void* _t54;
      				struct HWND__* _t55;
      				void* _t56;
      				struct HWND__* _t57;
      				void* _t59;
      				signed int _t60;
      
      				_t54 = __edx;
      				_t45 = __ebx;
      				_t55 = GetDlgItem(_t57, 0x3f9);
      				if( *((intOrPtr*)(_t60 - 0x628)) != 0x9cd3) {
      					 *0x4bb140 =  *0x4bb140 | 0x00000001;
      				} else {
      					 *0x4bb140 =  *0x4bb140 & 0xfffffffe;
      				}
      				_t22 =  *0x4bb140; // 0x0
      				 *(_t60 - 0x624) = E00417D80(0x4bca10, SendMessageW(_t55, 0x1042, 0, 0), _t22 & 1);
      				if( *(_t60 - 0x624) < E00416870(0x4bca10)) {
      					 *(_t60 - 0x4c4) = 3;
      					 *(_t60 - 0x4c8) = 0;
      					SendMessageW(_t55, 0x102b, 0xffffffff, _t60 - 0x4d4);
      					 *(_t60 - 0x4c4) = 3;
      					 *(_t60 - 0x4c8) = 3;
      					SendMessageW(_t55, 0x102b,  *(_t60 - 0x624), _t60 - 0x4d4);
      					SendMessageW(_t55, 0x1013,  *(_t60 - 0x624), 0);
      					SendMessageW(_t55, 0x1043, 0,  *(_t60 - 0x624));
      					UpdateWindow(_t55);
      				} else {
      					 *(_t60 - 0x624) = E0046A6C0(_t45, L"No more highlights", E0046A530(L"No more highlights"));
      					 *(_t60 - 4) = 0x17;
      					SetForegroundWindow(_t57);
      					MessageBoxW(_t57, E0046A170(_t60 - 0x624), L"Process Monitor", 0x30);
      					_t53 =  *(_t60 - 0x624);
      					 *(_t60 - 4) = 0xffffffff;
      					if( *(_t60 - 0x624) != 0) {
      						E0046A700(_t53);
      					}
      				}
      				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
      				_pop(_t56);
      				_pop(_t59);
      				return E0046F77E(_t45,  *(_t60 - 0x10) ^ _t60, _t54, _t56, _t59);
      			}


      0x0044f652
      0x0044f652
      0x0044f65e
      0x0044f66c
      0x0044f677
      0x0044f66e
      0x0044f66e
      0x0044f66e
      0x0044f67e
      0x0044f6a9
      0x0044f6ba
      0x0044f738
      0x0044f742
      0x0044f74c
      0x0044f754
      0x0044f765
      0x0044f775
      0x0044f785
      0x0044f795
      0x0044f798
      0x0044f6bc
      0x0044f6d4
      0x0044f6db
      0x0044f6e2
      0x0044f6fc
      0x0044f702
      0x0044f708
      0x0044f711
      0x0044f717
      0x0044f71c
      0x0044f711
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757

      APIs
      • GetDlgItem.USER32 ref: 0044F658
      • SendMessageW.USER32(00000000,00001042,00000000,00000000), ref: 0044F693
      • SetForegroundWindow.USER32 ref: 0044F6E2
      • MessageBoxW.USER32(?,00000000,Process Monitor,00000030), ref: 0044F6FC
      • SendMessageW.USER32 ref: 0044F74C
      • SendMessageW.USER32(00000000,0000102B,?,?), ref: 0044F775
      • SendMessageW.USER32(00000000,00001013,?,00000000), ref: 0044F785
      • SendMessageW.USER32(00000000,00001043,00000000,?), ref: 0044F795
      • UpdateWindow.USER32(00000000), ref: 0044F798
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Message$Send$Window$ForegroundItemUpdate
      • String ID: No more highlights$Process Monitor
      • API String ID: 4168949816-2014258138
      • Opcode ID: a221584f7a06ea669279d073b0a0ebf20c4e4ff6cf33949aa11d2e3ecd240a1b
      • Instruction ID: aadd6de0dafe7faddf9a92fddc98e46ef4f33171a5a4f0dfd851e4faf8d20821
      • Opcode Fuzzy Hash: a221584f7a06ea669279d073b0a0ebf20c4e4ff6cf33949aa11d2e3ecd240a1b
      • Instruction Fuzzy Hash: 1031E570901618BFEB209F60DC05BAD77B8EB88314F0001ABF505B61D0DB790A558F6D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 40%
      			E0046C340(signed int __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				char _v538;
      				char _v540;
      				intOrPtr _v544;
      				char _v548;
      				char _v552;
      				intOrPtr _v556;
      				intOrPtr* _v560;
      				struct _CRITICAL_SECTION* _v564;
      				char _v568;
      				intOrPtr _v596;
      				char _v600;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t60;
      				signed int _t61;
      				intOrPtr _t69;
      				intOrPtr* _t76;
      				char _t80;
      				signed int _t82;
      				signed int _t83;
      				void* _t87;
      				intOrPtr _t92;
      				void* _t95;
      				void* _t98;
      				void* _t104;
      				intOrPtr* _t113;
      				intOrPtr* _t118;
      				void* _t119;
      				void* _t130;
      				intOrPtr _t135;
      				char _t137;
      				intOrPtr _t140;
      				signed int _t141;
      				char _t143;
      				void* _t144;
      				intOrPtr _t147;
      				void* _t148;
      				intOrPtr* _t149;
      				signed int _t150;
      				void* _t151;
      				void* _t152;
      				void* _t153;
      				void* _t154;
      
      				_t141 = __edx;
      				_push(0xffffffff);
      				_push(E0048D471);
      				_push( *[fs:0x0]);
      				_t152 = _t151 - 0x248;
      				_t60 =  *0x4bb1dc; // 0x2927074f
      				_t61 = _t60 ^ _t150;
      				_v20 = _t61;
      				_push(_t61);
      				 *[fs:0x0] =  &_v16;
      				_t118 = _a8;
      				_t146 = _a12;
      				_v556 = _a4;
      				_v564 = 0x4c27e4;
      				EnterCriticalSection(0x4c27e4);
      				_v8 = 0;
      				_v560 = 0;
      				if(_a12 == 0) {
      					L8:
      					if( *0x4bb1b4 == 0) {
      						_t147 = _v556;
      					} else {
      						_t104 = E0046A170(0x4bdcc8);
      						_t147 = _v556;
      						 *0x4c27b8(_t147, _t104);
      						 *0x4bb1b4 = 0;
      					}
      					_v540 = 0;
      					E00470030( &_v538, 0, 0x206);
      					_t141 =  &_v540;
      					_t153 = _t152 + 0xc;
      					_t69 =  ==  ? 0 :  *((intOrPtr*)(_t118 + 0x18));
      					_v544 = _t69;
      					_t143 =  *0x4c27b4(_t147, 0, E0046A170(_t118), _t118 + 8, _t69,  *((intOrPtr*)(_t118 + 0x1c)), 8, _t141, 0, 0);
      					if(_t143 != 0) {
      						L30:
      						_push(0);
      						_push(0);
      						_push( *((intOrPtr*)(_t118 + 4)));
      						asm("cdq");
      						_push(_t141);
      						_push( *((intOrPtr*)(_t118 + 0x24)));
      						_push(0);
      						_push( &_v540);
      						_push(0);
      						_push(_t147);
      						if(( *0x4c2790() | _t141) == 0) {
      							_t143 = 0;
      						} else {
      							_t143 = 1;
      						}
      						goto L33;
      					} else {
      						_t80 = E00471495(E0046A170(_t118), 0x5c);
      						_t154 = _t153 + 8;
      						_v548 = _t80;
      						if(_t80 == 0) {
      							L18:
      							if(E00419470(0x4bca10) == 0) {
      								L33:
      								_t76 = _v560;
      								if(_t76 != 0) {
      									 *_t76 = _t143;
      								}
      								goto L35;
      							}
      							_t149 = 0x4bd2f8;
      							_t82 = E00419470(0x4bca10);
      							while(1) {
      								_t130 =  *_t82;
      								if(_t130 !=  *_t149) {
      									break;
      								}
      								if(_t130 == 0) {
      									L24:
      									_t83 = 0;
      									L26:
      									if(_t83 != 0) {
      										goto L33;
      									}
      									E00435CC0(_t118, _t118,  &_v548, E0046A170(_t118));
      									_v8 = 2;
      									_t87 = E0046A170( &_v548);
      									_t147 = _v556;
      									 *0x4c27b8(_t147, _t87);
      									_t92 =  *0x4c27b4(_t147, 0, E0046A170(_t118), _t118 + 8, _v544,  *((intOrPtr*)(_t118 + 0x1c)), 8,  &_v540, 0, 0);
      									_t134 = _v548;
      									_t143 = _t92;
      									 *0x4bb1b4 = 1;
      									_v8 = 0;
      									if(_v548 != 0) {
      										E0046A700(_t134);
      									}
      									if(_t143 == 0) {
      										goto L33;
      									} else {
      										goto L30;
      									}
      								}
      								_t135 =  *((intOrPtr*)(_t82 + 2));
      								if(_t135 !=  *((intOrPtr*)(_t149 + 2))) {
      									break;
      								}
      								_t82 = _t82 + 4;
      								_t149 = _t149 + 4;
      								if(_t135 != 0) {
      									continue;
      								}
      								goto L24;
      							}
      							asm("sbb eax, eax");
      							_t83 = _t82 | 0x00000001;
      							goto L26;
      						}
      						_t95 = E0046F283(_t118, _t143, _t147, _t80 + 2, L"ntoskrnl.exe");
      						_t154 = _t154 + 8;
      						if(_t95 != 0) {
      							_t98 = E0046F283(_t118, _t143, _t147, _v548 + 2, L"ntkrnlpa.exe");
      							_t154 = _t154 + 8;
      							if(_t98 != 0) {
      								goto L18;
      							}
      							_push(_t98);
      							_push(_t98);
      							_push( &_v540);
      							_push(8);
      							_push( *((intOrPtr*)(_t118 + 0x1c)));
      							_push(_v544);
      							_push(_t118 + 8);
      							_push(L"Ntkrpamp.exe");
      							L17:
      							_t143 =  *0x4c27b4(_t147, 0);
      							if(_t143 != 0) {
      								goto L30;
      							}
      							goto L18;
      						}
      						_push(_t95);
      						_push(_t95);
      						_push( &_v540);
      						_push(8);
      						_push( *((intOrPtr*)(_t118 + 0x1c)));
      						_push(_v544);
      						_push(_t118 + 8);
      						_push(L"Ntkrnlmp.exe");
      						goto L17;
      					}
      				} else {
      					_t137 =  *_t118;
      					_v600 = _t137;
      					if(_t137 != 0) {
      						E0046A420(_t137);
      					}
      					asm("movdqu xmm0, [ebx+0x8]");
      					_v596 =  *((intOrPtr*)(_t118 + 4));
      					asm("movdqu [ebp-0x24c], xmm0");
      					_v568 = 0;
      					asm("movq xmm0, [ebx+0x18]");
      					asm("movq [ebp-0x23c], xmm0");
      					_v8 = 1;
      					E0046ACD0(_t146,  &_v552, 0, E0046A740(_t146,  &_v600) + 0x10, _t108);
      					_t140 = _v600;
      					_t113 = _v552 + 0x30;
      					_v560 = _t113;
      					_v8 = 0;
      					if(_v548 != 0) {
      						if(_t140 != 0) {
      							E0046A700(_t140);
      						}
      						goto L8;
      					} else {
      						_t143 =  *_t113;
      						if(_t140 != 0) {
      							E0046A700(_t140);
      						}
      						L35:
      						LeaveCriticalSection(0x4c27e4);
      						 *[fs:0x0] = _v16;
      						_pop(_t144);
      						_pop(_t148);
      						_pop(_t119);
      						return E0046F77E(_t119, _v20 ^ _t150, _t141, _t144, _t148);
      					}
      				}
      			}


      0x0046c340
      0x0046c343
      0x0046c345
      0x0046c350
      0x0046c351
      0x0046c357
      0x0046c35c
      0x0046c35e
      0x0046c364
      0x0046c368
      0x0046c371
      0x0046c374
      0x0046c37c
      0x0046c382
      0x0046c38c
      0x0046c394
      0x0046c39b
      0x0046c3a3
      0x0046c44d
      0x0046c454
      0x0046c477
      0x0046c456
      0x0046c45b
      0x0046c460
      0x0046c468
      0x0046c46e
      0x0046c46e
      0x0046c485
      0x0046c493
      0x0046c49b
      0x0046c4a1
      0x0046c4a9
      0x0046c4b9
      0x0046c4d2
      0x0046c4d6
      0x0046c64a
      0x0046c64d
      0x0046c64f
      0x0046c651
      0x0046c654
      0x0046c655
      0x0046c656
      0x0046c657
      0x0046c65f
      0x0046c660
      0x0046c662
      0x0046c66b
      0x0046c674
      0x0046c66d
      0x0046c66d
      0x0046c66d
      0x00000000
      0x0046c4dc
      0x0046c4e6
      0x0046c4eb
      0x0046c4ee
      0x0046c4f6
      0x0046c577
      0x0046c583
      0x0046c676
      0x0046c676
      0x0046c67e
      0x0046c680
      0x0046c680
      0x00000000
      0x0046c67e
      0x0046c58e
      0x0046c593
      0x0046c598
      0x0046c598
      0x0046c59e
      0x00000000
      0x00000000
      0x0046c5a3
      0x0046c5ba
      0x0046c5ba
      0x0046c5c3
      0x0046c5c5
      0x00000000
      0x00000000
      0x0046c5da
      0x0046c5e8
      0x0046c5ec
      0x0046c5f1
      0x0046c5f9
      0x0046c624
      0x0046c62a
      0x0046c630
      0x0046c632
      0x0046c639
      0x0046c63f
      0x0046c641
      0x0046c641
      0x0046c648
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x0046c648
      0x0046c5a5
      0x0046c5ad
      0x00000000
      0x00000000
      0x0046c5af
      0x0046c5b2
      0x0046c5b8
      0x00000000
      0x00000000
      0x00000000
      0x0046c5b8
      0x0046c5be
      0x0046c5c0
      0x00000000
      0x0046c5c0
      0x0046c501
      0x0046c506
      0x0046c50b
      0x0046c53b
      0x0046c540
      0x0046c545
      0x00000000
      0x00000000
      0x0046c547
      0x0046c548
      0x0046c54f
      0x0046c550
      0x0046c552
      0x0046c558
      0x0046c55e
      0x0046c55f
      0x0046c564
      0x0046c56d
      0x0046c571
      0x00000000
      0x00000000
      0x00000000
      0x0046c571
      0x0046c50d
      0x0046c50e
      0x0046c515
      0x0046c516
      0x0046c518
      0x0046c51e
      0x0046c524
      0x0046c525
      0x00000000
      0x0046c525
      0x0046c3a9
      0x0046c3a9
      0x0046c3ab
      0x0046c3b3
      0x0046c3b5
      0x0046c3b5
      0x0046c3ba
      0x0046c3c2
      0x0046c3c8
      0x0046c3d0
      0x0046c3da
      0x0046c3df
      0x0046c3ed
      0x0046c409
      0x0046c414
      0x0046c41a
      0x0046c424
      0x0046c42a
      0x0046c42e
      0x0046c446
      0x0046c448
      0x0046c448
      0x00000000
      0x0046c430
      0x0046c430
      0x0046c434
      0x0046c43a
      0x0046c43a
      0x0046c682
      0x0046c687
      0x0046c692
      0x0046c69a
      0x0046c69b
      0x0046c69c
      0x0046c6aa
      0x0046c6aa
      0x0046c42e

      APIs
      • EnterCriticalSection.KERNEL32(004C27E4,2927074F,?,80000001,?), ref: 0046C38C
      • _memset.LIBCMT ref: 0046C493
      • _wcsrchr.LIBCMT ref: 0046C4E6
      • LeaveCriticalSection.KERNEL32(004C27E4,?,?,00000000,00000000), ref: 0046C687
        • Part of subcall function 0046A420: InterlockedIncrement.KERNEL32(00000000), ref: 0046A421
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalInterlockedSection$DecrementEnterIncrementLeave_memset_wcsrchr
      • String ID: 445817$Ntkrnlmp.exe$Ntkrpamp.exe$ntkrnlpa.exe$ntoskrnl.exe$'L
      • API String ID: 3643296620-3509980976
      • Opcode ID: 564904d35dbaa4c95fc1e043d784cc2f4c362646e36933ba5fb72d7f3135f101
      • Instruction ID: 935d1b3233bcf74d8d617b4d36e91cdb8793a9d55726b046eeee3e51907b5862
      • Opcode Fuzzy Hash: 564904d35dbaa4c95fc1e043d784cc2f4c362646e36933ba5fb72d7f3135f101
      • Instruction Fuzzy Hash: F691C471941218ABDF219B64CC95BFA77B8EF14304F1440AAE845E7281EB78DE44CF6A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 70%
      			E0043D845(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
      				intOrPtr _t119;
      				signed int _t120;
      				intOrPtr _t139;
      				void* _t144;
      				void* _t149;
      				intOrPtr _t150;
      				intOrPtr* _t160;
      				signed int _t161;
      				intOrPtr _t162;
      				void* _t163;
      				int _t164;
      				intOrPtr* _t183;
      				intOrPtr _t186;
      				void* _t187;
      				intOrPtr* _t189;
      				void* _t190;
      				intOrPtr* _t191;
      				intOrPtr* _t192;
      				signed int _t193;
      				void* _t195;
      				void* _t197;
      
      				_t189 = __esi;
      				_t182 = __edx;
      				_t163 = __ebx;
      				while(1) {
      					_t6 = _t144 + 0x43dc9c; // 0x1090909
      					switch( *((intOrPtr*)(( *_t6 & 0x000000ff) * 4 +  &M0043DC74))) {
      						case 0:
      							goto L5;
      						case 1:
      							goto L17;
      						case 2:
      							goto L20;
      						case 3:
      							goto L23;
      						case 4:
      							goto L24;
      						case 5:
      							goto L25;
      						case 6:
      							goto L26;
      						case 7:
      							goto L30;
      						case 8:
      							goto L27;
      						case 9:
      							goto L9;
      					}
      					L9:
      					_t164 =  *((intOrPtr*)(_t193 - 0x814));
      					L10:
      					 *((short*)(_t193 - 0x810)) = 0;
      					_t149 = E0043C8C0(_t164,  *((intOrPtr*)( *((intOrPtr*)(_t193 - 0x81c)) + 0x4c)) +  *((intOrPtr*)( *((intOrPtr*)(_t193 - 0x81c)) + 0x48)), _t183, _t193 - 0x810, 0x400);
      					_t195 = _t195 + 0x14;
      					_t164 =  *((intOrPtr*)(_t193 - 0x814)) + _t149;
      					 *((intOrPtr*)(_t193 - 0x814)) = _t164;
      					if( *((char*)(_t193 - 0x815)) == 0) {
      						E00404040(_t163,  *((intOrPtr*)(_t193 - 0x82c)));
      						E00404040(_t163, 0x4bcff0);
      						E00402050(_t193 - 0x810);
      						 *((char*)(_t193 - 4)) = 4;
      						E00404040(_t163, _t193 - 0x820);
      						 *((char*)(_t193 - 4)) = 0;
      						E00403A00(_t193 - 0x820);
      						E00404040(_t163, 0x4bcff0);
      						_t164 =  *((intOrPtr*)(_t193 - 0x814));
      					}
      					L12:
      					_t150 =  *((intOrPtr*)(_t193 - 0x828));
      					_t189 =  *_t189;
      					_t182 =  *((intOrPtr*)(_t193 - 0x81c));
      					_t31 = _t150 + 0x18; // 0x0
      					if(_t189 !=  *_t31) {
      						if(_t164 >=  *((intOrPtr*)(_t182 + 0x4c)) +  *((intOrPtr*)(_t182 + 0x48))) {
      							goto L13;
      						}
      						_t183 =  *((intOrPtr*)(_t189 + 8));
      						 *((intOrPtr*)(_t193 - 0x82c)) = _t183;
      						_t144 =  *((intOrPtr*)(_t183 + 4)) + 1;
      						if(_t144 > 0x2c) {
      							goto L10;
      						} else {
      							do {
      								_t6 = _t144 + 0x43dc9c; // 0x1090909
      								switch( *((intOrPtr*)(( *_t6 & 0x000000ff) * 4 +  &M0043DC74))) {
      									case 0:
      										goto L5;
      									case 1:
      										goto L17;
      									case 2:
      										goto L20;
      									case 3:
      										goto L23;
      									case 4:
      										goto L24;
      									case 5:
      										goto L25;
      									case 6:
      										goto L26;
      									case 7:
      										goto L30;
      									case 8:
      										goto L27;
      									case 9:
      										goto L9;
      								}
      								goto L5;
      							} while (_t144 <= 0x2c);
      							goto L9;
      						}
      					}
      					L13:
      					_t186 =  *((intOrPtr*)(_t193 - 0x830));
      					_t207 =  *((char*)(_t193 - 0x815));
      					if( *((char*)(_t193 - 0x815)) == 0) {
      						_push(0xc);
      						_t34 = _t186 + 0x4c; // 0x4c
      						_t191 = _t34;
      						_t119 = E0046EEB6(_t163, _t186, _t207);
      						_t197 = _t195 + 4;
      						 *((intOrPtr*)(_t193 - 0x820)) = _t119;
      						 *((char*)(_t193 - 4)) = 5;
      						if(_t119 == 0) {
      							_t120 = 0;
      							__eflags = 0;
      						} else {
      							_push(0x4bcff0);
      							_t120 = E00403C10(_t163, _t119, _t191);
      						}
      						 *((intOrPtr*)(_t193 - 0x820)) = _t120;
      						 *((char*)(_t193 - 4)) = 0;
      						if(_t120 == 0) {
      							_t120 = E0046E410(0x8007000e);
      						}
      						_t192 =  *_t191;
      						if(_t192 != 0) {
      							if(InterlockedDecrement(_t192 + 8) == 0 && _t192 != 0) {
      								_t139 =  *_t192;
      								if(_t139 != 0) {
      									__imp__#6(_t139);
      									 *_t192 = 0;
      								}
      								_t140 =  *((intOrPtr*)(_t192 + 4));
      								if( *((intOrPtr*)(_t192 + 4)) != 0) {
      									E0046EF07(_t140);
      									_t197 = _t197 + 4;
      									 *((intOrPtr*)(_t192 + 4)) = 0;
      								}
      								E0046EF07(_t192);
      							}
      							_t120 =  *((intOrPtr*)(_t193 - 0x820));
      							 *((intOrPtr*)(_t186 + 0x4c)) = 0;
      						}
      						 *((intOrPtr*)(_t186 + 0x4c)) = _t120;
      						if( *((intOrPtr*)(_t186 + 0x18)) == 2 &&  *((intOrPtr*)(_t186 + 8)) == 3) {
      							asm("movdqu xmm0, [edi+0x20]");
      							_t182 =  *((intOrPtr*)(_t186 + 0x44));
      							asm("movdqu xmm1, [edi+0x34]");
      							asm("movdqu [edi+0x34], xmm0");
      							 *((intOrPtr*)(_t186 + 0x44)) =  *((intOrPtr*)(_t186 + 0x30));
      							asm("movdqu [edi+0x20], xmm1");
      							 *(_t186 + 0x4a) =  *(_t186 + 0x48);
      							 *((intOrPtr*)(_t186 + 0x30)) =  *((intOrPtr*)(_t186 + 0x44));
      							 *(_t186 + 0x48) =  *(_t186 + 0x4a) & 0x0000ffff;
      						}
      						_t102 = _t186 + 0x38; // 0x38
      						E004626C0(0x4c2538, _t102,  *(_t186 + 0x34) & 0x000000ff);
      						_t104 = _t186 + 0x24; // 0x24
      						E004628A0(0x4c255c,  *(_t186 + 0x48) & 0x0000ffff, (E004628A0(0x4c255c,  *(_t186 + 0x4a) & 0x0000ffff, (E004626C0(0x4c2538, _t104,  *(_t186 + 0x20) & 0x000000ff) & 0xffffff00 |  *((intOrPtr*)(_t186 + 0x18)) == 0x00000001) & 0x000000ff) & 0xffffff00 |  *((intOrPtr*)(_t186 + 0x18)) == 0x00000001) & 0x000000ff);
      					}
      					LeaveCriticalSection(0x4bcfc4);
      					 *[fs:0x0] =  *((intOrPtr*)(_t193 - 0xc));
      					_pop(_t187);
      					_pop(_t190);
      					return E0046F77E(_t163,  *(_t193 - 0x10) ^ _t193, _t182, _t187, _t190);
      					L27:
      					__eax =  *(__ebp - 0x834);
      					__ecx = __eax;
      					__edx = __edi[0x114];
      					 *(__ebp - 0x82c) = __eax;
      					__eax = __eax + __edx;
      					__eflags = __eax - 0x100;
      					if(__eax > 0x100) {
      						__ecx = 0x100;
      						__ecx = 0x100 - __edx;
      						__eflags = 0x100;
      						 *(__ebp - 0x82c) = 0x100;
      					}
      					__ecx * 4 =  *(__ebp - 0x814);
      					__edx + 0x14 =  &(__edi[__edx + 0x14]);
      					__eax = E00470850( &(__edi[__edx + 0x14]),  *(__ebp - 0x814), __ecx * 4);
      					__ecx =  *(__ebp - 0x814);
      					__eax =  *(__ebp - 0x834);
      					__ecx =  *(__ebp - 0x814) +  *(__ebp - 0x834) * 4;
      					__eax =  *(__ebp - 0x82c);
      					__edi[0x114] = __edi[0x114] +  *(__ebp - 0x82c);
      					 *(__ebp - 0x814) = __ecx;
      					goto L12;
      					L30:
      					__ecx =  *(__ebp - 0x814);
      					__ecx =  *(__ebp - 0x814) + 8;
      					 *(__ebp - 0x814) = __ecx;
      					goto L12;
      					L26:
      					__ecx =  *(__ebp - 0x814);
      					__eax =  *__ecx;
      					__ecx = __ecx + 4;
      					 *__edi = __eax;
      					 *(__ebp - 0x814) = __ecx;
      					goto L12;
      					L25:
      					__ecx =  *(__ebp - 0x814);
      					__eax =  *__ecx;
      					__ecx = __ecx + 4;
      					__edi[7] = __eax;
      					 *(__ebp - 0x814) = __ecx;
      					goto L12;
      					L24:
      					 *(__ebp - 0x814) =  *( *(__ebp - 0x814)) & 0x0000ffff;
      					__imp__#15( *( *(__ebp - 0x814)) & 0x0000ffff);
      					__ecx =  *(__ebp - 0x814);
      					__ecx =  *(__ebp - 0x814) + 2;
      					__edi[0x12] = __ax;
      					 *(__ebp - 0x814) = __ecx;
      					goto L12;
      					L23:
      					 *(__ebp - 0x814) =  *( *(__ebp - 0x814)) & 0x0000ffff;
      					__imp__#15( *( *(__ebp - 0x814)) & 0x0000ffff);
      					__ecx =  *(__ebp - 0x814);
      					__ecx =  *(__ebp - 0x814) + 2;
      					__edi[0x12] = __ax;
      					 *(__ebp - 0x814) = __ecx;
      					goto L12;
      					L20:
      					__eflags =  *((intOrPtr*)(__edx + 8)) - 0x1b;
      					__ecx =  *(__ebp - 0x814);
      					if(__eflags != 0) {
      						__edi[8] = 0;
      						__eax =  *__ecx;
      						__ecx = __ecx + 4;
      						__edi[9] = __eax;
      						 *(__ebp - 0x814) = __ecx;
      					} else {
      						__edi[8] = 1;
      						asm("movdqu xmm0, [ecx]");
      						__ecx = __ecx + 0x10;
      						 *(__ebp - 0x814) = __ecx;
      						asm("movdqu [edi+0x24], xmm0");
      					}
      					goto L12;
      					L17:
      					__eflags =  *((intOrPtr*)(__edx + 8)) - 0x1b;
      					__ecx =  *(__ebp - 0x814);
      					if(__eflags != 0) {
      						__edi[0xd] = 0;
      						__eax =  *__ecx;
      						__ecx = __ecx + 4;
      						__edi[0xe] = __eax;
      						 *(__ebp - 0x814) = __ecx;
      					} else {
      						__edi[0xd] = 1;
      						asm("movdqu xmm0, [ecx]");
      						__ecx = __ecx + 0x10;
      						 *(__ebp - 0x814) = __ecx;
      						asm("movdqu [edi+0x38], xmm0");
      					}
      					goto L12;
      					L5:
      					_t160 =  *_t183;
      					if(_t160 == 0) {
      						_t161 = 0;
      						__eflags = 0;
      					} else {
      						_t161 =  *_t160;
      					}
      					_t162 = E0043CF00(_t161);
      					_t183 =  *((intOrPtr*)(_t193 - 0x82c));
      					_t195 = _t195 + 4;
      					 *((intOrPtr*)(_t183 + 4)) = _t162;
      					_t144 = _t162 + 1;
      				}
      			}


      0x0043d845
      0x0043d845
      0x0043d845
      0x0043d850
      0x0043d850
      0x0043d857
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      • Per-line instruction addresses for the decompiled function above (a gutter column in the web report; this part of the column spans 0x0043d82b to 0x0043dc70).

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: htons$CriticalDecrementFreeInterlockedLeaveSectionString_memmove
      • String ID: 8%L$8%L$\%L$\%L
      • API String ID: 2490160392-738582094
      • Opcode ID: 2593ff9dfd143c0f45e2d6eeb24fb890e427c0e7fbb0937ba23da5e1437ec185
      • Instruction ID: 7361b369f1f3d64f38d6854f92d75577bbee8b28c055220b118fb83175fe993e
      • Opcode Fuzzy Hash: 2593ff9dfd143c0f45e2d6eeb24fb890e427c0e7fbb0937ba23da5e1437ec185
      • Instruction Fuzzy Hash: FDB1A5B0D006199BDB24DF25D9407AAB7F8BF48304F0490AED589A7341DB39BA91CFD9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E0043C3A0(signed int __edx) {
      				intOrPtr _v8;
      				char _v16;
      				signed int _v20;
      				intOrPtr _v24;
      				struct _CRITICAL_SECTION* _v28;
      				char _v32;
      				signed int _v36;
      				union _LARGE_INTEGER _v40;
      				signed int _v44;
      				signed int _t50;
      				signed int _t57;
      				void* _t60;
      				intOrPtr _t62;
      				intOrPtr _t63;
      				intOrPtr _t71;
      				signed int _t90;
      				intOrPtr* _t92;
      				signed int _t96;
      				signed int _t98;
      				void* _t100;
      				signed int _t106;
      				intOrPtr _t109;
      				intOrPtr* _t111;
      				intOrPtr _t114;
      				intOrPtr* _t116;
      				intOrPtr _t117;
      				signed int _t118;
      				void* _t119;
      				void* _t120;
      				signed int _t122;
      				void* _t125;
      
      				_t106 = __edx;
      				_push(0xffffffff);
      				_push(E00489C88);
      				_push( *[fs:0x0]);
      				_t120 = _t119 - 0x20;
      				_push(_t90);
      				_t50 =  *0x4bb1dc; // 0x2927074f
      				_push(_t50 ^ _t118);
      				 *[fs:0x0] =  &_v16;
      				if(WaitForSingleObject( *0x4bcfac, 0xfa) == 0x102) {
      					_v28 = 0x4bcfc4;
      					do {
      						EnterCriticalSection(0x4bcfc4);
      						_v8 = 0;
      						QueryPerformanceCounter( &_v40);
      						_t96 = _v40.LowPart -  *0x4bdcf0;
      						_t57 = _v36;
      						asm("sbb eax, [0x4bdcf4]");
      						_t122 = _t57;
      						if(_t122 > 0 || _t122 >= 0 && _t96 >= 0) {
      							_t109 =  *0x4bdcfc; // 0x0
      							_t114 =  *0x4bdcf8; // 0x20b4a8
      							_push(_t109);
      							_push(_t114);
      							_push(_t57);
      							_push(_t96);
      							_v24 = E00472F90();
      							_v20 = _t106;
      							_t60 = E00472240(E004725C0(_t96, _t90, 0x989680, 0), _t106, _t114, _t109);
      							_t98 = E004725C0(_v24, _v20, 0x989680, 0) + _t60;
      							asm("adc edx, edi");
      						} else {
      							asm("adc eax, 0x0");
      							_t98 =  ~(E0043C610(0x4bdce8,  ~_t96,  ~_t57));
      							asm("adc edx, 0x0");
      							_t106 =  ~_t106;
      						}
      						_t62 =  *0x4bdce8; // 0xa9d68f46
      						_t90 =  *0x4bdcec; // 0x1d8cbbc
      						_t63 = _t62 + _t98;
      						_v24 = _t63;
      						asm("adc ebx, edx");
      						_v20 = _t90;
      						if( *0x4bcfc0 > 0) {
      							while(1) {
      								_t116 =  *0x4bcfbc; // 0x787860
      								_t117 =  *_t116;
      								_t100 = _t63 -  *((intOrPtr*)(_t117 + 0x10));
      								_t125 = _t100;
      								asm("sbb eax, [esi+0x14]");
      								_v44 = _t90;
      								if(_t125 < 0 || _t125 <= 0 && _t100 < 0x989680) {
      									goto L23;
      								}
      								_t111 =  *((intOrPtr*)(_t117 + 0x18));
      								_t16 = _t111 + 0x18; // 0x0
      								_t101 =  *_t16;
      								if( *_t16 != 0) {
      									_t18 = _t111 + 0x4c; // 0x4bd010
      									_t19 = _t111 + 0x450; // 0x0
      									_t20 = _t111 + 0x50; // 0x4bd014
      									_t21 = _t111 + 0x4a; // 0x0
      									_t22 = _t111 + 0x38; // 0x4bcffc
      									_t26 = _t111 + 0x48; // 0x0
      									_t27 = _t111 + 0x24; // 0x4bcfe8
      									_t30 = _t111 + 0x1c; // 0x0
      									_t33 = _t111 + 0x14; // 0x20007d0
      									_t34 = _t111 + 0x10; // 0x0
      									_t37 = _t111 + 8; // 0x0
      									_t38 = _t111 + 4; // 0xffffffff
      									E0043C6A0(_t106,  *_t111,  *_t38,  *_t37, ((_t27 & 0xffffff00 |  *((char*)(_t111 + 0x20)) == 0x00000000) & 0 | _t101 == 0x00000001) & 0x000000ff,  *((intOrPtr*)(_t117 + 0x10)),  *((intOrPtr*)(_t117 + 0x14)),  *_t34,  *_t33,  *_t30, (_t27 & 0xffffff00 |  *((char*)(_t111 + 0x20)) == 0x00000000) & 0x000000ff, _t27,  *_t26 & 0x0000ffff, (_t22 & 0xffffff00 |  *((char*)(_t111 + 0x34)) == 0x00000000) & 0x000000ff, _t22,  *_t21 & 0x0000ffff, _t20,  *_t19, _t18, 0x4bca10);
      									_t120 = _t120 + 0x4c;
      								}
      								_t39 = _t111 + 0x4c; // 0x0
      								_t92 =  *_t39;
      								if(_t92 != 0) {
      									_t40 = _t92 + 8; // 0x8
      									if(InterlockedDecrement(_t40) == 0 && _t92 != 0) {
      										_t71 =  *_t92;
      										if(_t71 != 0) {
      											__imp__#6(_t71);
      											 *_t92 = 0;
      										}
      										_t72 =  *((intOrPtr*)(_t92 + 4));
      										if( *((intOrPtr*)(_t92 + 4)) != 0) {
      											E0046EF07(_t72);
      											_t120 = _t120 + 4;
      											 *((intOrPtr*)(_t92 + 4)) = 0;
      										}
      										E0046EF07(_t92);
      										_t120 = _t120 + 4;
      									}
      									 *((intOrPtr*)(_t111 + 0x4c)) = 0;
      								}
      								E0046EF07(_t111);
      								_t120 = _t120 + 4;
      								E0045E300(0x4bcfbc,  &_v32, _t117);
      								_t63 = _v24;
      								_t90 = _v20;
      								if( *0x4bcfc0 > 0) {
      									continue;
      								}
      								goto L23;
      							}
      						}
      						L23:
      						_v8 = 0xffffffff;
      						LeaveCriticalSection(0x4bcfc4);
      					} while (WaitForSingleObject( *0x4bcfac, 0xfa) == 0x102);
      				}
      				 *[fs:0x0] = _v16;
      				return 0;
      			}

      • Per-line instruction addresses for the decompiled code above (a gutter column in the web report): 0x0043c3a0 to 0x0043c60c.

      APIs
      • WaitForSingleObject.KERNEL32(000000FA,2927074F), ref: 0043C3D3
      • EnterCriticalSection.KERNEL32(004BCFC4), ref: 0043C3F5
      • QueryPerformanceCounter.KERNEL32(?), ref: 0043C406
      • __alldvrm.LIBCMT ref: 0043C456
      • __aulldiv.LIBCMT ref: 0043C473
      • InterlockedDecrement.KERNEL32(00000008), ref: 0043C558
      • SysFreeString.OLEAUT32(00000000), ref: 0043C56D
      • LeaveCriticalSection.KERNEL32(004BCFC4,?,?,00989680,00000000,00000000,?,0020B4A8,00000000,?,?,00989680,00000000,?,?,0020B4A8), ref: 0043C5D7
      • WaitForSingleObject.KERNEL32(000000FA,?,0020B4A8,00000000,?,?,00989680,00000000,?,?,0020B4A8,00000000), ref: 0043C5E8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalObjectSectionSingleWait$CounterDecrementEnterFreeInterlockedLeavePerformanceQueryString__alldvrm__aulldiv
      • String ID: `xx
      • API String ID: 614214945-246290626
      • Opcode ID: 7af9a71cf885ed586fbe6f227e5ff420b9e4d202ad52cde0c7373ed5faa7081d
      • Instruction ID: fb2263784f3bf87d740f73ffd5501f9d576c96d5dc8a5f789e2c6a76b8211184
      • Opcode Fuzzy Hash: 7af9a71cf885ed586fbe6f227e5ff420b9e4d202ad52cde0c7373ed5faa7081d
      • Instruction Fuzzy Hash: 7E61C3B1A00215BBDB14DF65DCC5BBBBBB9FB48304F14496AF901E2290D779B814CB68
      Uniqueness

      Uniqueness Score: -1.00%
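
E0043C3A0 above is a timer loop: it wakes every 250 ms (WaitForSingleObject with timeout 0xfa, repeating while the result is WAIT_TIMEOUT, 0x102), enters the critical section at 0x4bcfc4, reads QueryPerformanceCounter, subtracts the 64-bit start value at 0x4bdcf0, and converts the difference into 100-nanosecond ticks with __alldvrm and __aulldiv and the constant 0x989680 (10,000,000) before adding it to the 64-bit base at 0x4bdce8. Splitting the difference into quotient and remainder before multiplying is what keeps that conversion from overflowing 64 bits. The following is an added example, not code from the sample or from the report, that reproduces the conversion in portable C beside the naive form so the overflow is visible. It assumes that E004725C0 is the CRT 64-bit multiply (__allmul, which the report does not label) and that the divisor at 0x4bdcf8 is the counter frequency (the report shows no QueryPerformanceFrequency call), and it uses unsigned arithmetic where the sample handles a negative difference in a separate branch.

```c
#include <stdint.h>
#include <stdio.h>

/* 0x989680 in the decompiled code: 100 ns ticks in one second. */
#define TICKS_PER_SECOND 10000000ULL

/* Naive conversion: the product delta * 10^7 wraps once delta exceeds
 * about 1.8e12 counter units (roughly ten minutes at a 3 GHz counter). */
uint64_t qpc_to_100ns_naive(uint64_t delta, uint64_t freq)
{
    if (freq == 0)
        return 0;                       /* guard absent in the sample */
    return (delta * TICKS_PER_SECOND) / freq;
}

/* Split conversion, the way the sample does it with __alldvrm (quotient
 * and remainder in one call), a 64-bit multiply and __aulldiv: whole
 * seconds and the fractional remainder are scaled separately, so the
 * only product is remainder * 10^7, and remainder is always below freq. */
uint64_t qpc_to_100ns(uint64_t delta, uint64_t freq)
{
    if (freq == 0)
        return 0;                       /* guard absent in the sample */
    uint64_t whole_seconds = delta / freq;
    uint64_t remainder     = delta % freq;
    return whole_seconds * TICKS_PER_SECOND
         + (remainder * TICKS_PER_SECOND) / freq;
}

int main(void)
{
    /* Constructed values, not taken from the report: a 3 GHz counter and
     * 700 seconds worth of elapsed counts. */
    uint64_t freq  = 3000000000ULL;
    uint64_t delta = 700ULL * freq;
    printf("split: %llu ticks (expected 7000000000)\n",
           (unsigned long long)qpc_to_100ns(delta, freq));
    printf("naive: %llu ticks (wrapped)\n",
           (unsigned long long)qpc_to_100ns_naive(delta, freq));
    return 0;
}
```

qpc_to_100ns(delta, freq) yields the value the decompiled loop adds to the base at 0x4bdce8; the naive form silently wraps for the same inputs, which is why the sample pays for the extra division.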

      C-Code - Quality: 45%
      			E0046C010(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
      				long _v8;
      				signed int _v12;
      				char _v16;
      				char _v20;
      				char _v24;
      				long _v28;
      				intOrPtr* _v32;
      				char _v36;
      				intOrPtr* _v40;
      				intOrPtr _v68;
      				signed int _v80;
      				short _v2060;
      				void* __edi;
      				void* __esi;
      				signed int _t52;
      				intOrPtr* _t55;
      				signed int _t62;
      				signed int _t68;
      				char _t74;
      				void* _t79;
      				void* _t82;
      				intOrPtr _t85;
      				intOrPtr _t88;
      				intOrPtr* _t96;
      				intOrPtr* _t102;
      				void* _t112;
      				void* _t113;
      				intOrPtr* _t115;
      				intOrPtr _t116;
      				void* _t117;
      				intOrPtr* _t119;
      				intOrPtr* _t121;
      				intOrPtr* _t123;
      				signed int _t124;
      				void* _t125;
      				char _t126;
      				signed int _t128;
      				void* _t129;
      				void* _t130;
      				void* _t131;
      				signed int _t133;
      				void* _t135;
      				void* _t136;
      
      				_t112 = __edx;
      				_t104 = __ecx;
      				_t101 = __ebx;
      				_push(0xffffffff);
      				_push(E0048D433);
      				_push( *[fs:0x0]);
      				_t130 = _t129 - 0x18;
      				_push(__ebx);
      				_push(_t113);
      				_t52 =  *0x4bb1dc; // 0x2927074f
      				_push(_t52 ^ _t127);
      				 *[fs:0x0] =  &_v16;
      				_t121 =  *0x4c27dc; // 0x0
      				if(_t121 == 0) {
      					_t121 = GetProcAddress(LoadLibraryW(L"Ntdll.dll"), "NtQuerySystemInformation");
      					 *0x4c27dc = _t121;
      				}
      				_v20 = 0x1f40;
      				_t55 = E00470444(_t101, _t112, _t113, 0x1f40);
      				_t131 = _t130 + 4;
      				_t102 = _t55;
      				_push( &_v20);
      				_push(0x1f40);
      				_push(_t102);
      				_push(0xb);
      				if( *_t121() != 0) {
      					do {
      						E0047040C(_t102);
      						_t126 = _v20 + _v20;
      						_v20 = _t126;
      						_t96 = E00470444(_t102, _t112, _t113, _t126);
      						_t131 = _t131 + 8;
      						_t102 = _t96;
      						_push( &_v20);
      						_push(_t126);
      						_push(_t102);
      						_push(0xb);
      					} while ( *0x4c27dc() != 0);
      				}
      				_t140 =  *_t102;
      				_v28 = 0;
      				if( *_t102 <= 0) {
      					L22:
      					E0047040C(_t102);
      					 *[fs:0x0] = _v16;
      					return 1;
      				} else {
      					_t115 = _t102 + 0x10;
      					_v32 = _t115;
      					while(1) {
      						_push(0xc);
      						_t123 = E0046EEB6(_t102, _t115, _t140);
      						_t133 = _t131 + 4;
      						_v40 = _t123;
      						_v8 = 0;
      						if(_t123 == 0) {
      							_t123 = 0;
      							__eflags = 0;
      						} else {
      							_t13 = _t115 + 0x10; // 0x1f50
      							 *((intOrPtr*)(_t123 + 4)) = 0;
      							 *(_t123 + 8) = 1;
      							 *_t123 = E0046E550(_t112, _t13);
      						}
      						_v8 = 0xffffffff;
      						_v40 = _t123;
      						if(_t123 == 0) {
      							break;
      						}
      						_v8 = 1;
      						_t74 = E0046A6C0(_t102,  *_t123, E0046A530( *_t123));
      						_t135 = _t133 + 0xc;
      						_v24 = _t74;
      						_t20 = _t123 + 8; // 0x8
      						_v8 = 3;
      						if(InterlockedDecrement(_t20) == 0) {
      							_t88 =  *_t123;
      							if(_t88 != 0) {
      								__imp__#6(_t88);
      								 *_t123 = 0;
      							}
      							_t89 =  *((intOrPtr*)(_t123 + 4));
      							if( *((intOrPtr*)(_t123 + 4)) != 0) {
      								E0046EF07(_t89);
      								_t135 = _t135 + 4;
      								 *((intOrPtr*)(_t123 + 4)) = 0;
      							}
      							E0046EF07(_t123);
      							_t135 = _t135 + 4;
      						}
      						_t79 = E0044C560(_t104, _t112,  &_v36,  &_v24, 1);
      						_t136 = _t135 + 0xc;
      						_v8 = 4;
      						E0046A0B0( &_v24, _t79);
      						_t110 = _v36;
      						_v8 = 3;
      						if(_v36 != 0) {
      							E0046A700(_t110);
      						}
      						_t119 = _v32;
      						_t82 = L0046B0D0(_t112, _a8, _a20,  &_v24, _a12, _a16,  *((intOrPtr*)(_t119 - 4)),  *_t119);
      						_t131 = _t136 + 0x1c;
      						E00442350(_t102, _a4, _t119, _t123, _t82);
      						_t104 = _v24;
      						_v8 = 0xffffffff;
      						if(_v24 != 0) {
      							E0046A700(_t104);
      						}
      						_t115 = _t119 + 0x11c;
      						_t85 = _v28 + 1;
      						_v32 = _t115;
      						_v28 = _t85;
      						if(_t85 <  *_t102) {
      							continue;
      						} else {
      							goto L22;
      						}
      						goto L29;
      					}
      					E0046E410(0x8007000e);
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					_t128 = _t133;
      					_t62 =  *0x4bb1dc; // 0x2927074f
      					_v80 = _t62 ^ _t128;
      					_push(_t123);
      					_push(_t115);
      					_t116 = _v68;
      					_t124 = 0;
      					EnterCriticalSection(0x4c27e4);
      					__eflags =  *0x4c2774 - _t124; // 0x0
      					if(__eflags != 0) {
      						__eflags =  *0x4c2780 - _t124; // 0x0
      						if(__eflags != 0) {
      							 *0x4c2788(0x12237);
      							_t68 =  *0x4c2774(_t116, 0, 0);
      							__eflags =  *0x4c27cc;
      							_t124 = _t68;
      							if( *0x4c27cc != 0) {
      								GetEnvironmentVariableW(L"TEMP",  &_v2060, 0x400);
      								 *0x4c27cc(_t116,  &_v2060);
      							}
      						}
      					}
      					LeaveCriticalSection(0x4c27e4);
      					__eflags = _t124;
      					_pop(_t117);
      					__eflags = _v12 ^ _t128;
      					_pop(_t125);
      					return E0046F77E(_t102, _v12 ^ _t128, _t112, _t117, _t125);
      				}
      				L29:
      			}

      • Per-line instruction addresses for the decompiled code above (a gutter column in the web report): 0x0046c010 to 0x0046c2ca.

      APIs
      • LoadLibraryW.KERNEL32(Ntdll.dll,NtQuerySystemInformation,2927074F), ref: 0046C04C
      • GetProcAddress.KERNEL32(00000000), ref: 0046C053
      • _malloc.LIBCMT ref: 0046C06D
      • _free.LIBCMT ref: 0046C091
      • _malloc.LIBCMT ref: 0046C0A0
      • InterlockedDecrement.KERNEL32(00000008), ref: 0046C13F
      • SysFreeString.OLEAUT32(00000000), ref: 0046C150
      • _free.LIBCMT ref: 0046C200
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: DecrementInterlocked_free_malloc$AddressFreeLibraryLoadProcString
      • String ID: NtQuerySystemInformation$Ntdll.dll
      • API String ID: 3096089922-1644510403
      • Opcode ID: dd76302cc5329800bce74b1d35ad59535168bf90e4404a6440b806d8e8e4b74c
      • Instruction ID: 911c0eaa9fac591052d90d2d784df6e079769e4dff30891d3f25152625c9add5
      • Opcode Fuzzy Hash: dd76302cc5329800bce74b1d35ad59535168bf90e4404a6440b806d8e8e4b74c
      • Instruction Fuzzy Hash: 7251B1B1900219EBDB10DFA1CD45BEFBBB8EF04704F10052AF915A7241E7799A148BEA
      Uniqueness

      Uniqueness Score: -1.00%
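
E0046C010 above resolves NtQuerySystemInformation from Ntdll.dll at run time, calls it with information class 0xb (SystemModuleInformation, the loaded kernel-module list) into a 0x1f40-byte malloc'd buffer, and on any non-zero status frees the buffer, doubles the size and retries, with no cap on the size and no check of the allocation result as decompiled. It then walks the result in 0x11c-byte steps, reading the two dwords at buffer offsets 0xc and 0x10 of the first entry and the string at offset 0x20, converting the string to a BSTR, and handing the triple to L0046B0D0. The following is an added example, not code from the sample or from the report, that parses such a buffer offline. It assumes the widely documented 32-bit RTL_PROCESS_MODULES layout (a 4-byte NumberOfModules followed by RTL_PROCESS_MODULE_INFORMATION entries of 0x11c bytes with ImageBase at +0x08, ImageSize at +0x0c, OffsetToFileName at +0x1a and FullPathName[256] at +0x1c), which is consistent with the offsets the decompiled loop uses; the two-entry buffer is constructed, not captured from a real system. Where the decompiled loop trusts NumberOfModules, the parser bounds it by the buffer length.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed 32-bit RTL_PROCESS_MODULE_INFORMATION layout (see lead-in). */
#define MODULE_ENTRY_SIZE   0x11c
#define OFF_IMAGE_BASE      0x08
#define OFF_IMAGE_SIZE      0x0c
#define OFF_TO_FILE_NAME    0x1a
#define OFF_FULL_PATH       0x1c
#define FULL_PATH_LEN       256

struct module_info {
    uint32_t    image_base;
    uint32_t    image_size;
    char        full_path[FULL_PATH_LEN];
    const char *file_name;              /* points into full_path */
};

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Walks a SystemModuleInformation buffer. Returns the number of entries
 * copied into out, or -1 if the buffer is too short for the count it
 * claims; the sample's loop has no such check. */
int parse_module_list(const uint8_t *buf, size_t len,
                      struct module_info *out, size_t max_out)
{
    if (len < 4)
        return -1;
    uint32_t count = rd32(buf);
    if (count > (len - 4) / MODULE_ENTRY_SIZE)
        return -1;                      /* claimed count exceeds the data */
    size_t n = count < max_out ? count : max_out;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + 4 + i * MODULE_ENTRY_SIZE;   /* 0x11c stride */
        out[i].image_base = rd32(e + OFF_IMAGE_BASE);
        out[i].image_size = rd32(e + OFF_IMAGE_SIZE);
        memcpy(out[i].full_path, e + OFF_FULL_PATH, FULL_PATH_LEN);
        out[i].full_path[FULL_PATH_LEN - 1] = '\0';   /* do not trust NUL termination */
        uint16_t off = rd16(e + OFF_TO_FILE_NAME);
        out[i].file_name = out[i].full_path + (off < FULL_PATH_LEN ? off : 0);
    }
    return (int)n;
}

/* Builds a constructed two-entry buffer (hypothetical bases and paths,
 * not data from the report). Returns bytes written, 0 if len is too small. */
size_t build_sample_buffer(uint8_t *buf, size_t len)
{
    const char    *paths[] = { "\\SystemRoot\\system32\\ntoskrnl.exe",
                               "\\??\\C:\\Windows\\System32\\drivers\\example.sys" };
    const uint32_t bases[] = { 0x80400000u, 0xf7a10000u };
    const uint32_t sizes[] = { 0x00200000u, 0x00008000u };
    size_t need = 4 + 2 * MODULE_ENTRY_SIZE;
    if (len < need)
        return 0;
    memset(buf, 0, need);
    put32(buf, 2);                      /* NumberOfModules */
    for (int i = 0; i < 2; i++) {
        uint8_t *e = buf + 4 + i * MODULE_ENTRY_SIZE;
        put32(e + OFF_IMAGE_BASE, bases[i]);
        put32(e + OFF_IMAGE_SIZE, sizes[i]);
        strcpy((char *)e + OFF_FULL_PATH, paths[i]);
        const char *slash = strrchr(paths[i], '\\');
        put16(e + OFF_TO_FILE_NAME, (uint16_t)(slash - paths[i] + 1));
    }
    return need;
}

int main(void)
{
    uint8_t buf[4 + 2 * MODULE_ENTRY_SIZE];
    struct module_info mods[4];
    size_t len = build_sample_buffer(buf, sizeof buf);
    int n = parse_module_list(buf, len, mods, 4);
    for (int i = 0; i < n; i++)
        printf("%08x %08x %s (%s)\n", mods[i].image_base, mods[i].image_size,
               mods[i].full_path, mods[i].file_name);
    return 0;
}
```

On a live 32-bit Windows system the buffer would come from NtQuerySystemInformation(0xb, buf, size, &returned) after the size-growth loop the sample implements; the example covers only the walk over the returned entries and the bound check, so it runs on any platform.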

      C-Code - Quality: 86%
      			E00410030(void* __ebx, void* __ecx, void* __edx, signed int _a4, intOrPtr _a8) {
      				intOrPtr _v8;
      				char _v16;
      				signed int _v20;
      				long _v120;
      				signed int _v124;
      				signed int _v128;
      				signed int _v132;
      				char _v136;
      				signed int _v140;
      				signed int __edi;
      				void* __esi;
      				signed int _t56;
      				signed int _t57;
      				signed int _t59;
      				intOrPtr _t79;
      				void* _t80;
      				void* _t83;
      				signed int _t84;
      
      				_t77 = __edx;
      				_t69 = __ebx;
      				_push(0xffffffff);
      				_push(E0048650E);
      				_push( *[fs:0x0]);
      				_t56 =  *0x4bb1dc; // 0x2927074f
      				_t57 = _t56 ^ _t84;
      				_v20 = _t57;
      				_push(_t57);
      				 *[fs:0x0] =  &_v16;
      				_t59 = _a4;
      				_t79 = _a8;
      				if(_t59 > 6) {
      					L23:
      				} else {
      					switch( *((intOrPtr*)(_t59 * 4 +  &M00410294))) {
      						case 0:
      							asm("cdq");
      							_t65 = E00436170(__ebx, __edx, _t79, _t88,  &_v136,  *((intOrPtr*)(__ecx + 0x34 + ( *(__ecx + 0x28) & 0x0000ffff) * 4)), __edx);
      							_v8 = 0;
      							E0046A0B0(_t79, _t65);
      							_t76 = _v136;
      							_v8 = 0xffffffff;
      							if(_v136 != 0) {
      								E0046A700(_t76);
      							}
      							goto L24;
      						case 1:
      							__ecx =  *(__esi + 0x28) & 0x0000ffff;
      							__edx =  *((intOrPtr*)(__esi + 0x44 + __ecx * 4));
      							__eax = E0047123F(__ecx, __edx);
      							asm("divsd xmm0, [0x4962f8]");
      							__esp = __esp - 8;
      							__eax =  &_v120;
      							asm("movsd [esp], xmm0");
      							swprintf( &_v120, 0x32, L"%.07f seconds") =  &_v120;
      							__ecx = __edi;
      							E0046A0F0(__ecx,  &_v120) = L"User Time";
      							goto L24;
      						case 2:
      							__ecx =  *(__esi + 0x28) & 0x0000ffff;
      							__edx =  *((intOrPtr*)(__esi + 0x3c + __ecx * 4));
      							__eax = E0047123F(__ecx, __edx);
      							asm("divsd xmm0, [0x4962f8]");
      							__esp = __esp - 8;
      							__eax =  &_v120;
      							asm("movsd [esp], xmm0");
      							swprintf( &_v120, 0x32, L"%.07f seconds") =  &_v120;
      							__ecx = __edi;
      							E0046A0F0(__ecx,  &_v120) = L"Kernel Time";
      							goto L24;
      						case 3:
      							__eflags =  *((intOrPtr*)(__esi + 0x2c)) - 0x34;
      							if( *((intOrPtr*)(__esi + 0x2c)) < 0x34) {
      								goto L23;
      							} else {
      								E00411B60(__ecx) =  &_v140;
      								__eax = E00436C80(__ebx, __edx, __edi,  &_v140,  &_v140, __edx, 0);
      								__ecx = __edi;
      								_v8 = 1;
      								__eax = E0046A0B0(__edi, __eax);
      								__ecx = _v140;
      								_v8 = 0xffffffff;
      								__eflags = __ecx;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      								__eax = L"Private Bytes";
      							}
      							goto L24;
      						case 4:
      							__eflags =  *((intOrPtr*)(__esi + 0x2c)) - 0x34;
      							if( *((intOrPtr*)(__esi + 0x2c)) < 0x34) {
      								goto L23;
      							} else {
      								E00411B80(__ecx) =  &_v124;
      								__eax = E00436C80(__ebx, __edx, __edi,  &_v124,  &_v124, __edx, 0);
      								__ecx = __edi;
      								_v8 = 2;
      								__eax = E0046A0B0(__edi, __eax);
      								__ecx = _v124;
      								_v8 = 0xffffffff;
      								__eflags = __ecx;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      								__eax = L"Peak Private Bytes";
      							}
      							goto L24;
      						case 5:
      							__eflags =  *((intOrPtr*)(__esi + 0x2c)) - 0x34;
      							if( *((intOrPtr*)(__esi + 0x2c)) < 0x34) {
      								goto L23;
      							} else {
      								E00411DF0(__ecx) =  &_v128;
      								__eax = E00436C80(__ebx, __edx, __edi,  &_v128,  &_v128, __edx, 0);
      								__ecx = __edi;
      								_v8 = 3;
      								__eax = E0046A0B0(__edi, __eax);
      								__ecx = _v128;
      								_v8 = 0xffffffff;
      								__eflags = __ecx;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      								__eax = L"Working Set";
      							}
      							goto L24;
      						case 6:
      							__eflags =  *((intOrPtr*)(__esi + 0x2c)) - 0x34;
      							if( *((intOrPtr*)(__esi + 0x2c)) < 0x34) {
      								goto L23;
      							} else {
      								L00411E10(__ecx) =  &_v132;
      								__eax = E00436C80(__ebx, __edx, __edi,  &_v132,  &_v132, __edx, 0);
      								__ecx = __edi;
      								_v8 = 4;
      								__eax = E0046A0B0(__edi, __eax);
      								__ecx = _v132;
      								_v8 = 0xffffffff;
      								__eflags = __ecx;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      								__eax = L"Peak Working Set";
      							}
      							goto L24;
      					}
      				}
      				L24:
      				 *[fs:0x0] = _v16;
      				_pop(_t80);
      				_pop(_t83);
      				return E0046F77E(_t69, _v20 ^ _t84, _t77, _t80, _t83);
      			}

      • Per-line instruction addresses for the decompiled code above (a gutter column in the web report): 0x00410030 to 0x00410291.

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: swprintf
      • String ID: %.07f seconds$Exit Status$Kernel Time$Peak Private Bytes$Peak Working Set$Private Bytes$User Time$Working Set
      • API String ID: 233258989-1580877545
      • Opcode ID: 705c13613c73fe085f2cc6d4b53a6f90a933e6ba3ae07dacbc27be72c606d16f
      • Instruction ID: 61f67f27d68924ae97c0fa78da39233ebc07cfaf245c8216191b8d8203156d03
      • Opcode Fuzzy Hash: 705c13613c73fe085f2cc6d4b53a6f90a933e6ba3ae07dacbc27be72c606d16f
      • Instruction Fuzzy Hash: AD51FB70904604EBCF14EFA58905BAFB7B9EF44314F10466FF815A3282EB7999808B5B
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E00465020(void* __edx, void* __fp0, intOrPtr _a4) {
      				intOrPtr _v8;
      				char _v16;
      				signed int _v20;
      				struct tagLOGFONTW _v112;
      				char _v116;
      				char _v120;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t33;
      				signed int _t34;
      				void* _t53;
      				void* _t56;
      				void* _t61;
      				signed int _t64;
      				signed int _t65;
      				void* _t66;
      				intOrPtr _t70;
      				void* _t71;
      				void* _t86;
      				intOrPtr _t88;
      				void* _t89;
      				void* _t91;
      				void* _t92;
      				signed int _t94;
      				void* _t95;
      				void* _t97;
      				intOrPtr* _t98;
      				signed int _t99;
      				void* _t100;
      				void* _t102;
      				void* _t105;
      				void* _t107;
      				void* _t108;
      
      				_t89 = __edx;
      				_push(0xffffffff);
      				_push(E0048CA30);
      				_push( *[fs:0x0]);
      				_t33 =  *0x4bb1dc; // 0x2927074f
      				_t34 = _t33 ^ _t99;
      				_v20 = _t34;
      				_push(_t34);
      				 *[fs:0x0] =  &_v16;
      				_t70 = _a4;
      				DeleteObject( *0x4bd708); // release the font handle cached in this global before rebuilding it
      				E00470030(0x4bd708, 0, 0x5c0); // _memset (per the APIs list): zero the 0x5c0-byte block of font and column globals
      				_t102 = _t100 - 0x68 + 0xc;
      				 *0x4bd790 = 7;
      				_t94 = 0;
      				goto L1;
      				do {
      					L3:
      					E00464C80(_t95, _t89, _t91, __fp0, _t70);
      					_t95 = _t95 + 0x18;
      					_t91 = _t91 - 1;
      				} while (_t91 != 0);
      				_t107 =  *0x4bd708 - _t91; // 0x0
      				if(_t107 == 0) {
      					L6:
      					GetObjectW(GetStockObject(0x11), 0x5c,  &_v112); // 0x11 == DEFAULT_GUI_FONT; 0x5c == sizeof(LOGFONTW)
      					_v112.lfWeight = 0x190; // FW_NORMAL
      					_v112.lfHeight =  ~(MulDiv(8,  *0x4bc898, 0x48)); // 8 pt at the stored DPI (*0x4bc898), 0x48 == 72 pt per inch; negated, the usual -MulDiv(pt, dpi, 72) idiom that the decompiler renders as ~
      					_v112.lfWidth = 0;
      					 *0x4bd708 = CreateFontIndirectW( &_v112);
      					_t50 =  <  ? 0x2bc : 0x320; // FW_BOLD (700) or FW_EXTRABOLD (800); the decompiler dropped the comparison operand
      					_v112.lfWeight =  <  ? 0x2bc : 0x320;
      					 *0x4bd70c = CreateFontIndirectW( &_v112);
      					L7:
      					_t53 = E0046A720(0x4bdab8);
      					_t110 = _t53;
      					if(_t53 != 0) {
      						L21:
      						_t56 = E00434DD0(_t70, 0x4bdab8, _t118,  &_v116, E0046A170(0x4bdab8));
      						_v8 = 1;
      						E0046A0B0(0x4bdcc8, _t56);
      						_t77 = _v116;
      						_v8 = 0xffffffff;
      						if(_v116 != 0) {
      							E0046A700(_t77);
      						}
      						 *[fs:0x0] = _v16;
      						_pop(_t92);
      						_pop(_t97);
      						_pop(_t71);
      						return E0046F77E(_t71, _v20 ^ _t99, _t89, _t92, _t97);
      					}
      					_t61 = E00434DD0(_t70, 0x4bdab8, _t110,  &_v120,  *0x4bb1b0);
      					_t102 = _t102 + 8;
      					_v8 = 0;
      					E0046A0B0(0x4bdab8, _t61);
      					_t83 = _v120;
      					_v8 = 0xffffffff;
      					if(_v120 != 0) {
      						E0046A700(_t83);
      					}
      					if( *((short*)(E0046A170(0x4bdab8))) != 0x25) { // first wide char of the configured symbol path != L'%'
      						goto L21;
      					} else {
      						_t98 =  *0x4bb1b0; // 0x4a6f64
      						// pointer to the built-in default symbol path; the "doJ" entry under Strings below is just the little-endian bytes 64 6F 4A of this address
      						_t64 = E0046A170(0x4bdab8);
      						while(1) { // inlined wcscmp: compares the configured path against the default, two wide chars per iteration
      							_t86 =  *_t64;
      							if(_t86 !=  *_t98) {
      								break;
      							}
      							if(_t86 == 0) {
      								L16:
      								_t65 = 0;
      								L18:
      								if(_t65 == 0) {
      									_t66 = E00436680();
      									_t118 = _t66;
      									if(_t66 != 0) {
      										E0046A0F0(0x4bdab8, L"srv*https://msdl.microsoft.com/download/symbols"); // configured path equals the default and E00436680() returned nonzero: fall back to the public Microsoft symbol server
      									}
      								}
      								goto L21;
      							}
      							_t88 =  *((intOrPtr*)(_t64 + 2));
      							_t25 = _t98 + 2; // 0x4e005f
      							// wide chars L'_' (0x5f) and L'N' (0x4e): the default path begins "%_N", consistent with "%_NT_SYMBOL_PATH%"
      							if(_t88 !=  *_t25) {
      								break;
      							}
      							_t64 = _t64 + 4;
      							_t98 = _t98 + 4;
      							if(_t88 != 0) {
      								continue;
      							}
      							goto L16;
      						}
      						asm("sbb eax, eax");
      						_t65 = _t64 | 0x00000001;
      						__eflags = _t65;
      						goto L18;
      					}
      				}
      				_t108 =  *0x4bd70c - _t91; // 0x0
      				if(_t108 != 0) {
      					goto L7;
      				}
      				goto L6;
      				L1:
      				// copy the default column table at 0x4a6d80 (id, width pairs) into globals, scaling each width by the stored DPI (*0x4bc894) relative to 96 (0x60)
      				 *(0x4bd794 + _t94 * 4) =  *(0x4a6d80 + _t94 * 4) & 0x0000ffff;
      				 *((short*)(0x4bd710 + _t94 * 2)) = MulDiv( *(0x4a6d82 + _t94 * 4) & 0x0000ffff,  *0x4bc894, 0x60);
      				_t94 = _t94 + 1;
      				_t105 = _t94 -  *0x4bd790; // 0x0
      				if(_t105 < 0) {
      					goto L1;
      				} else {
      					_t95 = 0x4c2588; // 0x14 == 20 entries of 0x18 bytes each, initialised in turn by E00464C80
      					_t91 = 0x14;
      					goto L3;
      				}
      			}

      (per-line address column for E00465020, 0x00465020 to 0x0046524e, omitted)

      APIs
      • DeleteObject.GDI32(2927074F), ref: 00465054
      • _memset.LIBCMT ref: 00465066
      • MulDiv.KERNEL32(00000000,00000060), ref: 004650A0
      • GetStockObject.GDI32(00000011), ref: 004650E7
      • GetObjectW.GDI32(00000000), ref: 004650EE
      • MulDiv.KERNEL32(00000008,00000048), ref: 00465105
      • CreateFontIndirectW.GDI32(?), ref: 00465121
      • CreateFontIndirectW.GDI32(?), ref: 0046513F
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      • srv*https://msdl.microsoft.com/download/symbols, xrefs: 004651E8
      • doJ, xrefs: 0046519F (not a real string: the little-endian bytes 64 6F 4A of the pointer 0x004A6F64 loaded at that address)
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Object$CreateFontIndirect$DecrementDeleteInterlockedStock_memset
      • String ID: doJ$srv*https://msdl.microsoft.com/download/symbols
      • API String ID: 322558906-2671031595
      • Opcode ID: d1ce34e7df1e3220eb8d56a653f3553978a9cd95b89d48db75905ef8a14791e8
      • Instruction ID: 1d573b880a82d7db86defd0803699655c34448e5c5aa9a2b51a27252df7207ea
      • Opcode Fuzzy Hash: d1ce34e7df1e3220eb8d56a653f3553978a9cd95b89d48db75905ef8a14791e8
      • Instruction Fuzzy Hash: 9E51B071D00608ABDB14AFA5DC157EE77A4EB49314F10427BE906A7291FB7858408BAA
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E00410A60(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
      				signed int _v8;
      				long _v108;
      				void* __esi;
      				signed int _t30;
      				intOrPtr _t32;
      				intOrPtr _t48;
      				void* _t84;
      				intOrPtr _t86;
      				signed int _t87;
      				void* _t95;
      
      				_t85 = __edi;
      				_t68 = __ebx;
      				_t30 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t30 ^ _t87;
      				_t32 = _a4;
      				_t86 = _a8;
      				_t95 = _t32 - 2;
      				if(_t95 > 0) {
      					if(_t32 == 0xffffffff) {
      						swprintf( &_v108, 0x32, L"Thread %u",  *((intOrPtr*)(__ecx + 4))); // _a4 == -1: label a thread row by its id; 0x32 == 50 wide chars, the size of the _v108 buffer
      						E0046A0F0(_t86,  &_v108);
      						return E0046F77E(__ebx, _v8 ^ _t87, _t84, __edi, _t86);
      					} else {
      						goto L8;
      					}
      				} else {
      					if(_t95 == 0) {
      						swprintf( &_v108, 0x32, L"%u",  *((intOrPtr*)(__ecx + 0x3c + ( *(__ecx + 0x28) & 0x0000ffff) * 4)));
      						E0046A0F0(_t86,  &_v108);
      						return E0046F77E(__ebx, _v8 ^ _t87, _t84, __edi, _t86);
      					} else {
      						_t48 = _t32;
      						if(_t48 == 0) {
      							// MSVC unsigned-32-bit-to-double idiom: cvtdq2pd converts the low dword as signed, then addsd adds 0.0 or 2^32
      							// from the two-entry table at 0x496300 (indexed by the sign bit) to fix up values >= 2^31. The result is divided
      							// by the constant at 0x4962f8, which is not visible in the dump, and printed with "%.07f"; the "%.07f seconds"
      							// string in the preceding function suggests a time count being converted to seconds.
      							asm("movd xmm0, eax");
      							asm("cvtdq2pd xmm0, xmm0");
      							asm("addsd xmm0, [eax*8+0x496300]");
      							asm("divsd xmm0, [0x4962f8]");
      							asm("movsd [esp], xmm0");
      							swprintf( &_v108, 0x32, L"%.07f");
      							E0046A0F0(_t86,  &_v108);
      							return E0046F77E(__ebx, _v8 ^ _t87, _t84, __edi, _t86);
      						} else {
      							if(_t48 != 1) {
      								L8:
      								return E0046F77E(_t68, _v8 ^ _t87, _t84, _t85, _t86);
      							} else {
      								// same unsigned-to-double conversion and division as in the _t48 == 0 branch above
      								asm("movd xmm0, eax");
      								asm("cvtdq2pd xmm0, xmm0");
      								asm("addsd xmm0, [eax*8+0x496300]");
      								asm("divsd xmm0, [0x4962f8]");
      								asm("movsd [esp], xmm0");
      								swprintf( &_v108, 0x32, L"%.07f");
      								E0046A0F0(_t86,  &_v108);
      								return E0046F77E(__ebx, _v8 ^ _t87, _t84, __edi, _t86);
      							}
      						}
      					}
      				}
      			}

      (per-line address column for E00410A60, 0x00410a60 to 0x00410bda, omitted)

      APIs
      • swprintf.LIBCMT ref: 00410AC9
        • Part of subcall function 0046A0F0: _memmove.LIBCMT ref: 0046A13E
        • Part of subcall function 0046A0F0: InterlockedDecrement.KERNEL32(00000000), ref: 0046A151
      • swprintf.LIBCMT ref: 00410B29
      • swprintf.LIBCMT ref: 00410B65
      • swprintf.LIBCMT ref: 00410BB4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: swprintf$DecrementInterlocked_memmove
      • String ID: %.07f$Context Switches$Kernel Time$Path$Thread %u$User Time
      • API String ID: 3029431409-2724085046
      • Opcode ID: b51623d6437a960d37793f0c2fba35f52ac05d30d9a26e0d464ed86ec3f85cad
      • Instruction ID: 682898e6bec969aaa942449e4767acf74753b9f36be7af9bc600cc57eab72930
      • Opcode Fuzzy Hash: b51623d6437a960d37793f0c2fba35f52ac05d30d9a26e0d464ed86ec3f85cad
      • Instruction Fuzzy Hash: DF41F931A1420C9BCB10EFBC9812AEEB768DF14354F40427FFC09AB142FB299995C795
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E0046E550(void* __edx, char _a4) {
      				int _v8;
      				signed int _v12;
      				char _v20;
      				short* _v28;
      				signed int _v32;
      				int _v36;
      				short* _v40;
      				int _v44;
      				void* _v60;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t21;
      				signed int _t22;
      				int _t25;
      				void* _t27;
      				short* _t28;
      				int _t29;
      				int _t30;
      				signed short _t35;
      				signed short _t39;
      				char* _t44;
      				int _t45;
      				void* _t46;
      				void* _t51;
      				int _t53;
      				void* _t54;
      				short* _t56;
      				void* _t57;
      				signed int _t58;
      				void* _t59;
      				short* _t60;
      
      				// ANSI-to-BSTR conversion in the style of ATL's A2WBSTR: lstrlenA, a sizing MultiByteToWideChar,
      				// a second MultiByteToWideChar into a buffer, then OLEAUT32 ordinal 2 (SysAllocString). Buffers under
      				// 0x1000 wide chars come from the stack (E00473B90, alloca-style), larger ones from the heap
      				// (E00470444 / E0047040C, the latter listed as _free below). Errors are handed to E0046E410 as
      				// HRESULTs, consistent with an AtlThrow-style helper.
      				_t51 = __edx;
      				_push(0xfffffffe);
      				_push(0x4b7590);
      				_push(E00473BC0);
      				_push( *[fs:0x0]);
      				_t60 = _t59 - 0x18;
      				_t21 =  *0x4bb1dc; // 0x2927074f
      				_v12 = _v12 ^ _t21;
      				_t22 = _t21 ^ _t58;
      				_v32 = _t22;
      				_push(_t22);
      				 *[fs:0x0] =  &_v20;
      				_v28 = _t60;
      				_t6 =  &_a4; // 0x403d67
      				// 0x403d67 is the caller's return address on the stack; it shows up in the APIs list below as "g=@" (bytes 67 3D 40)
      				_t44 =  *_t6;
      				if(_t44 != 0) {
      					_t25 = lstrlenA(_t44) + 1;
      					_v36 = _t25;
      					_t53 = MultiByteToWideChar(0, 0, _t44, _t25, 0, 0);
      					_v44 = _t53;
      					if(_t53 == 0) {
      						_t39 = GetLastError();
      						if(_t39 > 0) {
      							_t39 = _t39 & 0x0000ffff | 0x80070000; // HRESULT_FROM_WIN32(GetLastError())
      						}
      						E0046E410(_t39);
      					}
      					_v8 = 0;
      					_t27 = _t53 + _t53;
      					if(_t53 >= 0x1000) {
      						_t28 = E00470444(_t44, _t51, _t53, _t27);
      						_t60 =  &(_t60[2]);
      						_t56 = _t28;
      						_v40 = _t56;
      						_v8 = 0xfffffffe;
      					} else {
      						E00473B90(_t27);
      						_v28 = _t60;
      						_t56 = _t60;
      						_v40 = _t56;
      						_v8 = 0xfffffffe;
      					}
      					_t29 = _v36;
      					if(_t56 == 0) {
      						_t29 = E0046E410(0x8007000e); // E_OUTOFMEMORY: buffer allocation failed
      					}
      					_t30 = MultiByteToWideChar(0, 0, _t44, _t29, _t56, _t53);
      					if(_t30 == 0) {
      						if(_t53 >= 0x1000) {
      							E0047040C(_t56);
      							_t60 =  &(_t60[2]);
      						}
      						_t35 = GetLastError();
      						if(_t35 > 0) {
      							_t35 = _t35 & 0x0000ffff | 0x80070000;
      						}
      						_t30 = E0046E410(_t35);
      					}
      					__imp__#2(_t56); // OLEAUT32 ordinal 2 == SysAllocString (resolved in the APIs list below)
      					_t45 = _t30;
      					if(_t53 >= 0x1000) {
      						E0047040C(_t56);
      					}
      					if(_t45 == 0) {
      						E0046E410(0x8007000e); // E_OUTOFMEMORY: SysAllocString returned NULL
      					}
      				}
      				 *[fs:0x0] = _v20;
      				_pop(_t54);
      				_pop(_t57);
      				_pop(_t46);
      				return E0046F77E(_t46, _v32 ^ _t58, _t51, _t54, _t57);
      			}

      (per-line address column for E0046E550, 0x0046e550 to 0x0046e6be, omitted)

      APIs
      • lstrlenA.KERNEL32(g=@,2927074F,?,00000000,00000000,00473BC0,004B7590,000000FE,?,00403D67,?), ref: 0046E595
      • MultiByteToWideChar.KERNEL32(00000000,00000000,g=@,00000001,00000000,00000000,?,00403D67,?), ref: 0046E5A9
      • GetLastError.KERNEL32(?,00403D67,?), ref: 0046E5B8
      • MultiByteToWideChar.KERNEL32(00000000,00000000,g=@,?,00000000,00000000,?,?,?,?,?,00403D67), ref: 0046E643
      • _free.LIBCMT ref: 0046E656
      • GetLastError.KERNEL32(?,?,?,?,?,00403D67), ref: 0046E65E
      • SysAllocString.OLEAUT32(00000000), ref: 0046E677
      • _free.LIBCMT ref: 0046E688
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ByteCharErrorLastMultiWide_free$AllocStringlstrlen
      • String ID: g=@ (the bytes 67 3D 40 of the return address 0x00403D67 seen on the stack, not a real string)
      • API String ID: 2233872252-2934771097
      • Opcode ID: d4b1871760659264368abdf21c1ac9ea7ccb93c95ef2085e3b77f8a13e1d93dd
      • Instruction ID: 1c058940e48981cad7abeb9c7f54b4480e547c2ca87b84b9abba50be74cc396c
      • Opcode Fuzzy Hash: d4b1871760659264368abdf21c1ac9ea7ccb93c95ef2085e3b77f8a13e1d93dd
      • Instruction Fuzzy Hash: B631E6B5A00215ABDB109FA6CC45BAF77E8EB14754F10493FF505E3241FA79990087AE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 41%
      			E0042E860(struct HWND__* _a4, int _a8, intOrPtr _a12) {
      				signed int _v20;
      				signed int _v28;
      				void* _v48;
      				struct HWND__* _t43;
      				int _t49;
      				int _t52;
      
      				// Sets or clears the sort indicator on a header-control column. 0x120b == HDM_GETITEMW,
      				// 0x120c == HDM_SETITEMW; _v48 is an HDITEMW (mask at +0, fmt at +20 == _v28, iImage at +28 == _v20).
      				// _a4 is the header HWND, _a8 the column index, _a12 the sort state (0 == none, sign == direction).
      				// The byte at 0x4bcb6b chooses between a custom image-list icon and the native HDF_SORTUP / HDF_SORTDOWN arrows.
      				_t43 = _a4;
      				_push( &_v48);
      				if(_a12 != 0) {
      					_t49 = _a8;
      					_push(_t49);
      					_push(0x120b); // HDM_GETITEMW; these pushes are the arguments of the SendMessageW(??, ...) calls below
      					_push(_t43);
      					if( *0x4bcb6b == 0) {
      						_v48 = 0x24; // HDI_FORMAT | HDI_IMAGE
      						SendMessageW(??, ??, ??, ??);
      						_v28 = _v28 | 0x00001800; // fmt |= HDF_IMAGE | HDF_BITMAP_ON_RIGHT
      						_v20 = 0 | _a12 < 0x00000000; // iImage: 1 for descending, 0 for ascending
      					} else {
      						_v48 = 4; // HDI_FORMAT
      						SendMessageW(??, ??, ??, ??);
      						// fmt = (fmt & ~(HDF_SORTUP | HDF_SORTDOWN | HDF_BITMAP)) | (ascending ? HDF_SORTUP : HDF_SORTDOWN);
      						// the decompiler dropped the comparison operand, presumably _a12 >= 0
      						_t45 =  >=  ? 0x400 : 0x200;
      						_t46 = ( >=  ? 0x400 : 0x200) | _v28 & 0xffffd9ff;
      						_v28 = ( >=  ? 0x400 : 0x200) | _v28 & 0xffffd9ff;
      					}
      					SendMessageW(_t43, 0x120c, _t49,  &_v48);
      					return UpdateWindow(_t43);
      				} else {
      					_t52 = _a8;
      					_v48 = 4;
      					SendMessageW(_t43, 0x120b, _t52, ??);
      					if( *0x4bcb6b == 0) {
      						_v28 = _v28 & 0xffffe7ff; // clear HDF_IMAGE | HDF_BITMAP_ON_RIGHT
      						SendMessageW(_t43, 0x120c, _t52,  &_v48);
      						return UpdateWindow(_t43);
      					} else {
      						_v28 = _v28 & 0xffffd9ff; // clear HDF_SORTUP | HDF_SORTDOWN | HDF_BITMAP
      						SendMessageW(_t43, 0x120c, _t52,  &_v48);
      						return UpdateWindow(_t43);
      					}
      				}
      			}

      (per-line address column for E0042E860, 0x0042e86e to 0x0042e956, omitted)

      APIs
      • SendMessageW.USER32(?,0000120B,?,?), ref: 0042E88D
      • SendMessageW.USER32(?,0000120C,?,00000004), ref: 0042E8AA
      • UpdateWindow.USER32(?), ref: 0042E8AD
      • SendMessageW.USER32(?,0000120C,?,00000004), ref: 0042E8CC
      • UpdateWindow.USER32(?), ref: 0042E8CF
      • SendMessageW.USER32(?,0000120B,?,?), ref: 0042E8FC
      • SendMessageW.USER32(?,0000120C,?,00000024), ref: 0042E947
      • UpdateWindow.USER32(?), ref: 0042E94A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$UpdateWindow
      • String ID: $
      • API String ID: 3703574589-3993045852
      • Opcode ID: 407a7d15b29265aa55dc3592b4d5306164bf3a14f1ed65425d24c9a270303d6d
      • Instruction ID: 6d13bf7839245a7b388323642b21b2ee726aca2c2e83977cee172eef8834ca11
      • Opcode Fuzzy Hash: 407a7d15b29265aa55dc3592b4d5306164bf3a14f1ed65425d24c9a270303d6d
      • Instruction Fuzzy Hash: 8E2189B2A00218ABDB109FAADC85FEFBF7CFB48311F00462AE615E2151D7749516CBE4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0042E680(void* __ecx) {
      				struct HINSTANCE__* _v8;
      				int _t4;
      				void* _t8;
      				void* _t10;
      				struct HINSTANCE__* _t14;
      				void* _t20;
      
      				_t14 = GetModuleHandleW(0);
      				_v8 = _t14;
      				_t4 = GetSystemMetrics(0x32); // SM_CYSMICON
      				_t20 = ImageList_Create(GetSystemMetrics(0x31), _t4, 0xff, 0xa, 0x1e); // SM_CXSMICON; small-icon image list, 10 initial entries, grows by 30
      				ImageList_SetBkColor(_t20, 0xffffffff);
      				_t8 = LoadImageW(_t14, 0x71, 1, 0x10, 0x10, 0x8000); // resource icon 0x71, IMAGE_ICON, 16x16, LR_SHARED
      				if(_t8 == 0) {
      					_t8 = LoadIconW(0, 0x7f01); // fallback: the system IDI_HAND (error) icon
      				}
      				ImageList_ReplaceIcon(_t20, 0xffffffff, _t8); // index -1 == append (what ImageList_AddIcon expands to)
      				_t10 = LoadImageW(_v8, 0xcb, 1, 0x10, 0x10, 0x8000); // resource icon 0xcb, same flags
      				if(_t10 == 0) {
      					_t10 = LoadIconW(_t10, 0x7f01);
      				}
      				ImageList_ReplaceIcon(_t20, 0xffffffff, _t10);
      				return _t20;
      			}

      (per-line address column for E0042E680, 0x0042e694 to 0x0042e724, omitted)

      APIs
      • GetModuleHandleW.KERNEL32(00000000), ref: 0042E688
      • GetSystemMetrics.USER32 ref: 0042E6A4
      • GetSystemMetrics.USER32 ref: 0042E6A9
      • ImageList_Create.COMCTL32(00000000), ref: 0042E6AC
      • ImageList_SetBkColor.COMCTL32(00000000,000000FF), ref: 0042E6B7
      • LoadImageW.USER32 ref: 0042E6CB
      • LoadIconW.USER32(00000000,00007F01), ref: 0042E6E2
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 0042E6E8
      • LoadImageW.USER32 ref: 0042E701
      • LoadIconW.USER32(00000000,00007F01), ref: 0042E711
      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 0042E717
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Image$IconList_Load$MetricsReplaceSystem$ColorCreateHandleModule
      • String ID:
      • API String ID: 2418092062-0
      • Opcode ID: c059bca90494d03836d4b9de98c7211088bb84e0a6eb80b3bd5667ae3e80491d
      • Instruction ID: f23090acc6e30923bc16430fc2220d056a4d089d90d466db7eeeb65361e5414f
      • Opcode Fuzzy Hash: c059bca90494d03836d4b9de98c7211088bb84e0a6eb80b3bd5667ae3e80491d
      • Instruction Fuzzy Hash: 3E1184307847187FFA201774AC4AFAE3A1CDB09B61F100B75BB14BA2D2CAE65D44576D
      Uniqueness

      Uniqueness Score: -1.00%
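      The decompiled functions above are full of raw Win32 constants (header-control messages, HDITEM masks and format bits, LOGFONT weights, stock-object and metric ids, FACILITY_WIN32 HRESULTs) and of "strings" such as doJ and g=@ that are really pointer bytes picked up by the string scanner. The Python script below is an added example and is not part of the Joe Sandbox report or of the analysed binary: it resolves such constants to their SDK names on lines copied from this report, decodes the flag masks used in E0042E860, and checks whether a short extracted string is the little-endian encoding of a candidate address. The lookup tables hold documented Windows SDK values; the function names and the choice of sample lines are the example's own.

```python
"""Resolve Win32 magic numbers in decompiler output and spot pointer-bytes "strings".

Added example for this report, not code from the analysed binary or from Joe Sandbox.
The lookup tables hold documented Windows SDK values (winuser.h, commctrl.h,
wingdi.h, winerror.h); SAMPLE_LINES are copied from the decompiled functions above.
"""
import re
import struct

MESSAGES = {0x0111: "WM_COMMAND", 0x0133: "WM_CTLCOLOREDIT", 0x0136: "WM_CTLCOLORDLG",
            0x0138: "WM_CTLCOLORSTATIC", 0x120B: "HDM_GETITEMW", 0x120C: "HDM_SETITEMW"}
HDF_FLAGS = {0x0200: "HDF_SORTDOWN", 0x0400: "HDF_SORTUP", 0x0800: "HDF_IMAGE",
             0x1000: "HDF_BITMAP_ON_RIGHT", 0x2000: "HDF_BITMAP"}
HDI_FLAGS = {0x0001: "HDI_WIDTH", 0x0002: "HDI_TEXT", 0x0004: "HDI_FORMAT",
             0x0008: "HDI_LPARAM", 0x0010: "HDI_BITMAP", 0x0020: "HDI_IMAGE"}
FONT_WEIGHTS = {0x190: "FW_NORMAL", 0x2BC: "FW_BOLD", 0x320: "FW_EXTRABOLD"}
HRESULTS = {0x8007000E: "E_OUTOFMEMORY", 0x80070057: "E_INVALIDARG"}
# API name -> (zero-based index of the argument to resolve, lookup table)
ARG_TABLES = {
    "SendMessageW": (1, MESSAGES),
    "GetStockObject": (0, {0x11: "DEFAULT_GUI_FONT"}),
    "GetSystemMetrics": (0, {0x31: "SM_CXSMICON", 0x32: "SM_CYSMICON"}),
    "LoadIconW": (1, {0x7F00: "IDI_APPLICATION", 0x7F01: "IDI_HAND"}),
}
NUM = r"(0x[0-9a-fA-F]+|\d+)"


def _int(tok):
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def decode_flags(value, table):
    """Split a bitmask into known flag names (ascending bit order) and the unexplained rest."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    return names, rest


def cleared_bits(and_mask, width=32):
    """Bits removed by 'x & and_mask', e.g. 0xffffd9ff -> 0x2600."""
    return (~and_mask) & ((1 << width) - 1)


def annotate_line(line):
    """Append a // comment naming every constant the tables can resolve on this line."""
    notes = []
    for api, (idx, table) in ARG_TABLES.items():
        m = re.search(re.escape(api) + r"\(([^()]*)\)", line)
        if not m:
            continue
        args = [a.strip() for a in m.group(1).split(",")]
        if idx < len(args) and re.fullmatch(NUM, args[idx]) and _int(args[idx]) in table:
            notes.append(f"{args[idx]} = {table[_int(args[idx])]}")
    m = re.search(r"lfWeight\s*=\s*" + NUM, line)
    if m and _int(m.group(1)) in FONT_WEIGHTS:
        notes.append(f"{m.group(1)} = {FONT_WEIGHTS[_int(m.group(1))]}")
    for tok in re.findall(r"0x8007[0-9a-fA-F]{4}", line):  # FACILITY_WIN32 HRESULTs
        name = HRESULTS.get(_int(tok), f"HRESULT_FROM_WIN32({_int(tok) & 0xFFFF})")
        notes.append(f"{tok} = {name}")
    return f"{line}  // {'; '.join(notes)}" if notes else line


def pointer_as_text(addr, width=4):
    """What a string scanner prints when it reads a little-endian pointer as ASCII.

    0x004A6F64 -> 64 6F 4A 00 -> 'doJ'. Returns None if the bytes before the first NUL
    are not all printable, i.e. the value could not have been mistaken for a string.
    """
    raw = struct.pack("<I" if width == 4 else "<Q", addr)
    text = raw.split(b"\x00", 1)[0]
    if text and all(0x20 <= b < 0x7F for b in text):
        return text.decode("ascii")
    return None


def explain_string(s, candidate_addrs):
    """Return the first candidate address whose little-endian bytes spell s, else None."""
    return next((a for a in candidate_addrs if pointer_as_text(a) == s), None)


# Lines copied from the decompiled functions in this report.
SAMPLE_LINES = [
    "GetObjectW(GetStockObject(0x11), 0x5c,  &_v112);",
    "_v112.lfWeight = 0x190;",
    "SendMessageW(_t43, 0x120c, _t49,  &_v48);",
    "_t4 = GetSystemMetrics(0x32);",
    "_t8 = LoadIconW(0, 0x7f01);",
    "_t29 = E0046E410(0x8007000e);",
]


def annotate(lines=SAMPLE_LINES):
    return [annotate_line(line) for line in lines]


if __name__ == "__main__":
    print("\n".join(annotate()))
    print("hdi.fmt |= 0x1800 ->", decode_flags(0x1800, HDF_FLAGS))
    print("hdi.fmt &= 0xffffd9ff clears ->", decode_flags(cleared_bits(0xFFFFD9FF), HDF_FLAGS))
    print("doJ is pointer", hex(explain_string("doJ", [0x004A6F64, 0x004BB1B0]) or 0))
```

      The tables are deliberately small and per-API, because the same number means different things in different call sites (0x11 is DEFAULT_GUI_FONT only as a GetStockObject argument); extend ARG_TABLES rather than adding a global number-to-name map. decode_flags reports any leftover bits so an unexpected value is not silently explained away.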

      C-Code - Quality: 63%
      			E004550E0(intOrPtr* __eax, intOrPtr __edx, char _a1, intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
      				struct HWND__* _v0;
      				int _v8;
      				intOrPtr _v16;
      				signed int _v20;
      				struct tagRECT _v36;
      				struct tagRECT _v52;
      				void* _v56;
      				struct HWND__* _v60;
      				struct HWND__* _v64;
      				void* _v68;
      				signed int _v72;
      				char _v76;
      				signed int _v80;
      				signed int _v84;
      				int _v88;
      				char _v92;
      				char _v96;
      				signed char _v100;
      				char _v104;
      				char _v108;
      				char _v112;
      				signed int _v116;
      				char _v120;
      				signed int _v124;
      				char _v128;
      				signed int _v132;
      				char _v136;
      				signed int _v140;
      				char _v144;
      				signed int _v148;
      				char _v152;
      				char _v156;
      				char _v160;
      				char _v164;
      				char _v168;
      				char _v172;
      				int _v176;
      				int _v180;
      				int _v184;
      				intOrPtr _v188;
      				void* _v192;
      				int _v200;
      				intOrPtr _v204;
      				signed int _v208;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t314;
      				signed int _t315;
      				intOrPtr _t317;
      				signed int _t318;
      				signed int _t323;
      				signed int _t351;
      				signed int _t354;
      				struct HWND__* _t355;
      				void* _t361;
      				void* _t366;
      				signed char _t373;
      				void* _t374;
      				signed char _t375;
      				intOrPtr* _t385;
      				struct HWND__* _t391;
      				struct HWND__* _t393;
      				struct HWND__* _t395;
      				struct HWND__* _t397;
      				struct HWND__* _t399;
      				struct HWND__* _t401;
      				struct HWND__* _t403;
      				struct HWND__* _t405;
      				struct HWND__* _t407;
      				struct HWND__* _t409;
      				struct HWND__* _t411;
      				struct HWND__* _t413;
      				struct HWND__* _t415;
      				struct HWND__* _t417;
      				struct HWND__* _t419;
      				struct HWND__* _t421;
      				void* _t426;
      				signed int _t428;
      				void* _t435;
      				intOrPtr* _t441;
      				void* _t444;
      				void* _t452;
      				void* _t455;
      				void* _t465;
      				intOrPtr* _t477;
      				WCHAR* _t482;
      				void* _t487;
      				void* _t496;
      				void* _t503;
      				void* _t509;
      				void* _t515;
      				struct HWND__* _t534;
      				void* _t535;
      				void* _t536;
      				void* _t537;
      				struct HWND__* _t538;
      				void* _t539;
      				signed int _t544;
      				void* _t545;
      				void* _t571;
      				signed int* _t578;
      				struct HWND__* _t648;
      				void* _t649;
      				signed char _t652;
      				void* _t654;
      				struct HDC__* _t657;
      				void* _t658;
      				signed int _t665;
      				intOrPtr _t666;
      				intOrPtr* _t667;
      				void* _t669;
      				intOrPtr* _t670;
      				signed int _t671;
      				struct HWND__* _t672;
      				struct HWND__* _t673;
      				signed int _t677;
      				void* _t678;
      				void* _t680;
      				void* _t681;
      				void* _t682;
      				void* _t683;
      				void* _t697;
      				void* _t698;
      
      				_t645 = __edx;
      				asm("lodsd");
      				_push(__eax);
      				 *__eax =  *__eax + __eax;
      				 *((intOrPtr*)(__edx + __eax + 8)) =  *((intOrPtr*)(__edx + __eax + 8)) + __eax + 8;
      				asm("int3");
      				asm("int3");
      				_push( &_a1);
      				_t675 = _t677;
      				_push(0xffffffff);
      				_push(E0048B980);
      				_push( *[fs:0x0]);
      				_t678 = _t677 - 0xc0;
      				_t314 =  *0x4bb1dc; // 0x2927074f
      				_t315 = _t314 ^ _t677;
      				_v36.bottom = _t315;
      				_push(_t315);
      				 *[fs:0x0] =  &_v20;
      				_t317 = _a4;
      				_t648 = _v0;
      				_t657 = _a8;
      				_t534 = _a12;
      				_v64 = _t648;
      				_t697 = _t317 - 0x111;
      				if(_t697 > 0) {
      					_t318 = _t317 - 0x133;
      					__eflags = _t318;
      					if(_t318 == 0) {
      						L91:
      						__eflags =  *0x4bdfa8;
      						if( *0x4bdfa8 == 0) {
      							 *0x4bdfa8 = CreateSolidBrush(0xffffff);
      						}
      						SetBkColor(_t657, 0xffffff);
      					} else {
      						_t323 = _t318 - 3;
      						__eflags = _t323;
      						if(_t323 == 0) {
      							goto L91;
      						} else {
      							__eflags = _t323 != 2;
      							if(_t323 != 2) {
      								goto L87;
      							} else {
      								goto L91;
      							}
      						}
      					}
      				} else {
      					if(_t697 == 0) {
      						_t544 = _t657 & 0x0000ffff;
      						__eflags = _t544 - 0x474;
      						if(_t544 > 0x474) {
      							__eflags = _t544 - 0x47d - 1;
      							if(_t544 - 0x47d <= 1) {
      								goto L79;
      							}
      							goto L87;
      						} else {
      							__eflags = _t544 - 0x472;
      							if(_t544 >= 0x472) {
      								L79:
      								__eflags = _t657 >> 0x10;
      								if(_t657 >> 0x10 == 0) {
      									_t545 = _t544 + 0xfffffb97;
      									__eflags = _t545 - 0x15;
      									if(_t545 <= 0x15) {
      										switch( *((intOrPtr*)(( *(_t545 + 0x455d70) & 0x000000ff) * 4 +  &M00455D5C))) {
      											case 0:
      												_v60 = 4;
      												goto L86;
      											case 1:
      												_v60 = 3;
      												goto L86;
      											case 2:
      												_v60 = 2;
      												goto L86;
      											case 3:
      												_v60 = 5;
      												L86:
      												_t650 = GetPropW(_t648,  *0x4bdce0 & 0x0000ffff);
      												GetCursorPos( &(_v52.right));
      												MapWindowPoints(0, _t534,  &(_v52.right), 1);
      												GetClientRect(_t534,  &_v36);
      												asm("sbb ecx, [edi+0x1c]");
      												asm("cdq");
      												_t338 = E004725C0( *((intOrPtr*)(_t650 + 0x20)) -  *((intOrPtr*)(_t650 + 0x18)),  *((intOrPtr*)(_t650 + 0x24)), _v52.right.x - _v36.left, _t645);
      												asm("cdq");
      												_t342 = E00472240(_t338, _t645, _v36.right - _v36.left, _t645) +  *((intOrPtr*)(_t650 + 0x18));
      												__eflags = _t342;
      												asm("adc edx, [edi+0x1c]");
      												_v208 = _t342;
      												_v204 = _t645;
      												_v200 = 0;
      												E00417B40(0x4bca10, E00417190( &_v208, 1),  *_t650, _v60, 0);
      												_t346 =  *0x4bd2c0; // 0x0
      												asm("xorps xmm0, xmm0");
      												_v188 = _t346;
      												asm("movq [ebp-0xb4], xmm0");
      												_v176 = 0;
      												_push( &_v192);
      												_v192 = 0x14;
      												_v184 = 3;
      												_v180 = 5;
      												_v176 = 0x64;
      												__imp__FlashWindowEx();
      												goto L87;
      											case 4:
      												goto L87;
      										}
      									}
      								}
      								goto L87;
      							} else {
      								__eflags = _t544 - 2;
      								if(_t544 == 2) {
      									SendMessageW(_t648, 0x10, 0, 0);
      								} else {
      									__eflags = _t544 - 0x468;
      									if(_t544 <= 0x468) {
      										goto L87;
      									} else {
      										__eflags = _t544 - 0x46b;
      										if(_t544 <= 0x46b) {
      											goto L79;
      										} else {
      										}
      									}
      								}
      							}
      						}
      					} else {
      						_t698 = _t317 - 0x10;
      						if(_t698 > 0) {
      							__eflags = _t317 - 0x110;
      							if(__eflags != 0) {
      								goto L87;
      							} else {
      								_push(0x90);
      								_t351 = E0046EEB6(_t534, _t648, __eflags);
      								_t680 = _t678 + 4;
      								_v72 = _t351;
      								_v8 = 0;
      								__eflags = _t351;
      								if(_t351 == 0) {
      									_t536 = 0;
      									__eflags = 0;
      									_v56 = 0;
      								} else {
      									_t452 = E0041D860(_t534);
      									_t536 = _t452;
      									_v56 = _t452;
      								}
      								_v8 = 0xffffffff;
      								SetPropW(_t648,  *0x4bdce0 & 0x0000ffff, _t536);
      								_push(0x40);
      								_t354 = E0046EEB6(_t536, _t648, __eflags);
      								_t681 = _t680 + 4;
      								_v72 = _t354;
      								_v8 = 1;
      								__eflags = _t354;
      								if(_t354 == 0) {
      									_t355 = 0;
      									__eflags = 0;
      								} else {
      									_t355 = E00445770(_t648);
      								}
      								_v64 = _t355;
      								_v8 = 0xffffffff;
      								_v80 = E0046A6C0(_t536, ")", E0046A530(")"));
      								_v8 = 2;
      								_v84 = E0046A6C0(_t536, L" (", E0046A530(L" ("));
      								_v8 = 3;
      								_t361 = E00436170(_t536, _t645, _t648, __eflags,  &_v148,  *((intOrPtr*)(_t536 + 8)), 0);
      								_t114 = _t536 + 0xc; // 0xc
      								_v8 = 4;
      								E0046A190( &_v140, L"Process Timeline - ", _t114);
      								_t682 = _t681 + 0x30;
      								_v8 = 5;
      								E0046A230( &_v132,  &_v84);
      								_v8 = 6;
      								E0046A230( &_v124, _t361);
      								_v8 = 7;
      								_t366 = E0046A230( &_v116,  &_v80);
      								_v8 = 8;
      								SetWindowTextW(_t648, E0046A170(_t366));
      								_t560 = _v116;
      								_v8 = 7;
      								__eflags = _v116;
      								if(_v116 != 0) {
      									E0046A700(_t560);
      								}
      								_t561 = _v124;
      								_v8 = 6;
      								__eflags = _v124;
      								if(_v124 != 0) {
      									E0046A700(_t561);
      								}
      								_t562 = _v132;
      								_v8 = 5;
      								__eflags = _v132;
      								if(_v132 != 0) {
      									E0046A700(_t562);
      								}
      								_t563 = _v140;
      								_v8 = 4;
      								__eflags = _v140;
      								if(_v140 != 0) {
      									E0046A700(_t563);
      								}
      								_t564 = _v148;
      								_v8 = 3;
      								__eflags = _v148;
      								if(_v148 != 0) {
      									E0046A700(_t564);
      								}
      								_t565 = _v84;
      								_v8 = 2;
      								__eflags = _v84;
      								if(_v84 != 0) {
      									E0046A700(_t565);
      								}
      								_t566 = _v80;
      								_v8 = 0xffffffff;
      								__eflags = _v80;
      								if(_v80 != 0) {
      									E0046A700(_t566);
      								}
      								_v36.top = 0;
      								_v36.right = 0;
      								_v36.bottom = 0;
      								_v8 = 9;
      								E0045E990( &(_v36.top), 8);
      								_t537 = 0;
      								__eflags = 0;
      								_v52.bottom = _v36.top;
      								do {
      									_t147 = _t537 + 0x4a3cf0; // 0x469
      									_t665 = GetDlgItem(_t648,  *_t147);
      									_push(_t665);
      									_v72 = _t665;
      									E0042BA80(_t645);
      									_t373 = L0042BF10(_t665);
      									asm("movsd xmm0, [ebx+0x4a3d00]");
      									_t682 = _t682 + 8;
      									asm("ucomisd xmm0, [0x4a6818]");
      									_v100 = _t373;
      									_v88 = 0x989680;
      									asm("lahf");
      									__eflags = _t373 & 0x00000044;
      									if((_t373 & 0x00000044) == 0) {
      										_v88 = 0;
      									}
      									_t374 = _v56;
      									_t666 =  *((intOrPtr*)(_t374 + 0x18));
      									_t645 =  *((intOrPtr*)(_t374 + 0x24));
      									_t375 = _v100;
      									asm("sbb edx, edi");
      									asm("adc edx, 0x0");
      									 *((intOrPtr*)(_t375 + 4)) =  *((intOrPtr*)(_t374 + 0x1c));
      									_t652 = _t375;
      									 *_t375 = _t666;
      									 *((intOrPtr*)(_t652 + 0xc)) = _t645;
      									asm("cdq");
      									 *((intOrPtr*)(_t652 + 8)) =  *((intOrPtr*)(_t374 + 0x20)) - _t666 + 1;
      									_t571 = _t652 + 0x34;
      									 *(_t652 + 0x10) = _v88;
      									 *((intOrPtr*)(_t652 + 0x14)) = _t645;
      									__eflags =  *(_t537 + 0x4a3d08) - 0xffffffff;
      									if( *(_t537 + 0x4a3d08) != 0xffffffff) {
      										_push(2);
      										E0045E9F0(_t571);
      										_t187 = _t537 + 0x4a3cf8; // 0xff
      										 *((intOrPtr*)( *((intOrPtr*)(_t652 + 0x34)))) =  *_t187;
      										_t189 = _t537 + 0x4a3d0c; // 0x3c943c
      										 *((intOrPtr*)( *((intOrPtr*)(_t652 + 0x34)) + 0x20)) =  *_t189;
      										_t192 = _t537 + 0x4a3cfc; // 0x4a3e70
      										E00402120( *((intOrPtr*)(_t652 + 0x34)) + 4,  *_t192);
      										_t194 = _t537 + 0x4a3d10; // 0x4a3e8c
      										E00402120( *((intOrPtr*)(_t652 + 0x34)) + 0x24,  *_t194);
      										asm("movsd xmm0, [ebx+0x4a3d00]");
      										asm("movsd [eax+0x8], xmm0");
      										asm("movsd xmm0, [ebx+0x4a3d18]");
      										asm("movsd [eax+0x28], xmm0");
      										_t385 =  *((intOrPtr*)(_v56 + 0x84));
      										_t667 =  *_t385;
      										__eflags = _t667 - _t385;
      										if(_t667 != _t385) {
      											do {
      												_t199 = _t537 + 0x4a3cf4; // 0x0
      												L00445F20(_t652, 0,  *((intOrPtr*)(_t667 + 8)),  *((intOrPtr*)(_t667 + 0xc)),  *((intOrPtr*)(_t667 + 0x10 +  *_t199 * 8)),  *((intOrPtr*)(_t667 + 0x14 +  *_t199 * 8)));
      												_t208 = _t537 + 0x4a3d08; // 0x1
      												L00445F20(_t652, 1,  *((intOrPtr*)(_t667 + 8)),  *((intOrPtr*)(_t667 + 0xc)),  *((intOrPtr*)(_t667 + 0x10 +  *_t208 * 8)),  *((intOrPtr*)(_t667 + 0x14 +  *_t208 * 8)));
      												_t435 = _v56;
      												_t667 =  *_t667;
      												__eflags = _t667 -  *((intOrPtr*)(_t435 + 0x84));
      											} while (_t667 !=  *((intOrPtr*)(_t435 + 0x84)));
      										}
      									} else {
      										_push(1);
      										E0045E9F0(_t571);
      										_t169 = _t537 + 0x4a3cf8; // 0xff
      										 *((intOrPtr*)( *((intOrPtr*)(_t652 + 0x34)))) =  *_t169;
      										_t171 = _t537 + 0x4a3cfc; // 0x4a3e70
      										E00402120( *((intOrPtr*)(_t652 + 0x34)) + 4,  *_t171);
      										asm("movsd xmm0, [ebx+0x4a3d00]");
      										asm("movsd [eax+0x8], xmm0");
      										_t441 =  *((intOrPtr*)(_v56 + 0x84));
      										_t670 =  *_t441;
      										__eflags = _t670 - _t441;
      										if(_t670 != _t441) {
      											do {
      												_t175 = _t537 + 0x4a3cf4; // 0x0
      												L00445F20(_t652, 0,  *((intOrPtr*)(_t670 + 8)),  *((intOrPtr*)(_t670 + 0xc)),  *((intOrPtr*)(_t670 + 0x10 +  *_t175 * 8)),  *((intOrPtr*)(_t670 + 0x14 +  *_t175 * 8)));
      												_t444 = _v56;
      												_t670 =  *_t670;
      												__eflags = _t670 -  *((intOrPtr*)(_t444 + 0x84));
      											} while (_t670 !=  *((intOrPtr*)(_t444 + 0x84)));
      										}
      									}
      									_t578 = _v52.bottom;
      									_t537 = _t537 + 0x30;
      									_t648 = _v60;
      									 *_t578 = _v72;
      									_v52.bottom =  &(_t578[1]);
      									__eflags = _t537 - 0x180;
      								} while (_t537 < 0x180);
      								_t668 = _v64;
      								E0045A0C0(_v64, _v36.right - _v36.top >> 2, _v36.top);
      								_t538 = _t648;
      								_t653 = GetDlgItem;
      								_t391 = GetDlgItem(_t538, 0x46c);
      								_push(1);
      								E0044C460(_t538, _v64, GetDlgItem, _v64, _t391);
      								asm("xorps xmm0, xmm0");
      								asm("movups [eax+0x10], xmm0");
      								_t393 = GetDlgItem(_t538, 0x46d);
      								_push(1);
      								E0044C460(_t538, _v64, GetDlgItem, _v64, _t393);
      								asm("movaps xmm0, [0x4a6840]");
      								asm("movups [eax+0x10], xmm0");
      								_t395 = GetDlgItem(_t538, 0x46e);
      								_push(1);
      								E0044C460(_t538, _v64, GetDlgItem, _v64, _t395);
      								asm("movaps xmm0, [0x4a6850]");
      								asm("movups [eax+0x10], xmm0");
      								_t397 = GetDlgItem(_t538, 0x46f);
      								_push(1);
      								E0044C460(_t538, _t668, GetDlgItem, _t668, _t397);
      								asm("movaps xmm0, [0x4a6860]");
      								asm("movups [eax+0x10], xmm0");
      								_t399 = GetDlgItem(_t538, 0x475);
      								_push(1);
      								E0044C460(_t538, _t668, GetDlgItem, _t668, _t399);
      								asm("movaps xmm0, [0x4a6870]");
      								asm("movups [eax+0x10], xmm0");
      								_t401 = GetDlgItem(_t538, 0x47c);
      								_push(1);
      								E0044C460(_t538, _t668, GetDlgItem, _t668, _t401);
      								asm("movaps xmm0, [0x4a6880]");
      								asm("movups [eax+0x10], xmm0");
      								_t403 = GetDlgItem(_t538, 0x470);
      								_push(1);
      								E0044C460(_t538, _t668, GetDlgItem, _t668, _t403);
      								asm("movaps xmm0, [0x4a6890]");
      								asm("movups [eax+0x10], xmm0");
      								_t405 = GetDlgItem(_t538, 0x471);
      								_push(1);
      								E0044C460(_t538, _t668, GetDlgItem, _t668, _t405);
      								asm("movaps xmm0, [0x4a68a0]");
      								asm("movups [eax+0x10], xmm0");
      								_t407 = GetDlgItem(_t538, 0x476);
      								_push(1);
      								E0044C460(_t538, _t668, _t653, _t668, _t407);
      								asm("xorps xmm0, xmm0");
      								asm("movups [eax+0x10], xmm0");
      								_t409 = GetDlgItem(_t538, 0x477);
      								_push(1);
      								E0044C460(_t538, _t668, _t653, _t668, _t409);
      								asm("movaps xmm0, [0x4a6840]");
      								asm("movups [eax+0x10], xmm0");
      								_t411 = GetDlgItem(_t538, 0x478);
      								_push(1);
      								E0044C460(_t538, _t668, _t653, _t668, _t411);
      								asm("movaps xmm0, [0x4a6850]");
      								asm("movups [eax+0x10], xmm0");
      								_t413 = GetDlgItem(_t538, 0x479);
      								_push(1);
      								E0044C460(_t538, _t668, _t653, _t668, _t413);
      								asm("movaps xmm0, [0x4a6860]");
      								asm("movups [eax+0x10], xmm0");
      								_t415 = GetDlgItem(_t538, 0x47f);
      								_push(1);
      								E0044C460(_t538, _t668, _t653, _t668, _t415);
      								asm("movaps xmm0, [0x4a6870]");
      								asm("movups [eax+0x10], xmm0");
      								_t417 = GetDlgItem(_t538, 0x480);
      								_push(1);
      								E0044C460(_t538, _t668, _t653, _t668, _t417);
      								asm("movaps xmm0, [0x4a6880]");
      								asm("movups [eax+0x10], xmm0");
      								_t419 = GetDlgItem(_t538, 0x47a);
      								_push(1);
      								E0044C460(_t538, _t668, _t653, _t668, _t419);
      								asm("movaps xmm0, [0x4a6890]");
      								asm("movups [eax+0x10], xmm0");
      								_t421 = GetDlgItem(_t538, 0x47b);
      								_push(1);
      								E0044C460(_t538, _t668, _t653, _t668, _t421);
      								asm("movaps xmm0, [0x4a68a0]");
      								asm("movups [eax+0x10], xmm0");
      								E004585D0(_t538,  *0x4bd2b4, L"ProcessTimelineDialog");
      								_t683 = _t682 + 0xc;
      								SendMessageW(_t538, 5, 0, 0);
      								_t669 = 0;
      								__eflags = 0;
      								do {
      									_t226 = _t669 + 0x4a3cf0; // 0x469
      									_t426 = L0042BF10(GetDlgItem(_t538,  *_t226));
      									_t683 = _t683 + 4;
      									E0042C230(_t426);
      									_t669 = _t669 + 0x30;
      									__eflags = _t669 - 0x180;
      								} while (_t669 < 0x180);
      								_t428 = _v36.top;
      								__eflags = _t428;
      								if(_t428 != 0) {
      									E0046EF07(_t428);
      								}
      							}
      						} else {
      							if(_t698 == 0) {
      								DestroyWindow(_t648);
      							} else {
      								_t455 = _t317 - 2;
      								if(_t455 == 0) {
      									E004595D0(_t648,  *0x4bd2b4, L"ProcessTimelineDialog");
      									_t671 = GetPropW(_t648,  *0x4bdce0 & 0x0000ffff);
      									__eflags = _t671;
      									if(_t671 == 0) {
      										goto L87;
      									} else {
      										E0041DC50();
      										E0046EF07(_t671);
      									}
      								} else {
      									if(_t455 != 3) {
      										L87:
      									} else {
      										E00445490( &_v68);
      										_v8 = 0xa;
      										_t539 = 0;
      										do {
      											_t12 = _t539 + 0x4a3cf0; // 0x469
      											_t672 = GetDlgItem(_t648,  *_t12);
      											_t465 = L0042BF10(_t672);
      											_t678 = _t678 + 4;
      											_t654 = _t465;
      											GetClientRect(_t672,  &_v52);
      											E0042BAF0(_t654, _v52.right.x - _v52.left);
      											_t16 = _t539 + 0x4a3cf0; // 0x469
      											_v36.left =  *_t16;
      											_v36.right =  *(_t654 + 0x40);
      											_v36.bottom =  *(_t654 + 0x44);
      											E00445050( &_v68,  &_v76, 0,  &_v36,  *0x4bdce3 & 0x000000ff);
      											_t648 = _v60;
      											_t539 = _t539 + 0x30;
      										} while (_t539 < 0x180);
      										_v92 = E0046A6C0(_t539, "%", E0046A530("%"));
      										_v8 = 0xb;
      										_push( &_v120);
      										_v120 = 0x469;
      										_t477 = E00445D40( &_v68);
      										_push(3);
      										_t645 =  *((intOrPtr*)(_t477 + 4));
      										E004711AE(_t477,  *_t477,  *((intOrPtr*)(_t477 + 4)));
      										asm("mulsd xmm0, [0x4962e8]");
      										asm("divsd xmm0, [0x4962f8]");
      										asm("movsd [esp], xmm0");
      										_push( &_v156);
      										E00435930(_t539, _t648);
      										_v8 = 0xc;
      										E0046A230( &_v56,  &_v92);
      										_t619 = _v156;
      										_v8 = 0xe;
      										if(_v156 != 0) {
      											E0046A700(_t619);
      										}
      										_t620 = _v92;
      										_v8 = 0xf;
      										_t704 = _v92;
      										if(_v92 != 0) {
      											E0046A700(_t620);
      										}
      										_t482 = E0046A170( &_v56);
      										_t673 = _v60;
      										_t655 = SetDlgItemTextW;
      										SetDlgItemTextW(_t673, 0x476, _t482);
      										_v164 = 0x46b;
      										_push( &_v164);
      										_t487 = E00436170(_t539, _t645, SetDlgItemTextW, _t704,  &_v112,  *((intOrPtr*)(E00445D40( &_v68))),  *((intOrPtr*)(_t485 + 4)));
      										_v8 = 0x10;
      										SetDlgItemTextW(_t673, 0x478, E0046A170(_t487));
      										_t624 = _v112;
      										_v8 = 0xf;
      										if(_v112 != 0) {
      											E0046A700(_t624);
      										}
      										_v96 = E0046A6C0(_t539, L"/second", E0046A530(L"/second"));
      										_v8 = 0x11;
      										_push( &_v172);
      										_v172 = 0x46a;
      										E004361D0(_t539, _t645,  &_v152,  *((intOrPtr*)(E00445D40( &_v68))),  *((intOrPtr*)(_t493 + 4)));
      										_v8 = 0x12;
      										_t496 = E0046A230( &_v104,  &_v96);
      										_v8 = 0x13;
      										E0046A0B0( &_v56, _t496);
      										_t630 = _v104;
      										_v8 = 0x12;
      										if(_v104 != 0) {
      											E0046A700(_t630);
      										}
      										_t631 = _v152;
      										_v8 = 0x11;
      										if(_v152 != 0) {
      											E0046A700(_t631);
      										}
      										_t632 = _v96;
      										_v8 = 0xf;
      										_t708 = _v96;
      										if(_v96 != 0) {
      											E0046A700(_t632);
      										}
      										SetDlgItemTextW(_t673, 0x477, E0046A170( &_v56));
      										_v128 = 0x472;
      										_push( &_v128);
      										_t503 = E00436170(_t539, _t645, _t655, _t708,  &_v168,  *((intOrPtr*)(E00445D40( &_v68))),  *((intOrPtr*)(_t501 + 4)));
      										_v8 = 0x14;
      										SetDlgItemTextW(_t673, 0x479, E0046A170(_t503));
      										_t636 = _v168;
      										_v8 = 0xf;
      										if(_v168 != 0) {
      											E0046A700(_t636);
      										}
      										_v136 = 0x473;
      										_push( &_v136);
      										_t509 = E004361D0(_t539, _t645,  &_v160,  *((intOrPtr*)(E00445D40( &_v68))),  *((intOrPtr*)(_t507 + 4)));
      										_v8 = 0x15;
      										SetDlgItemTextW(_t673, 0x47a, E0046A170(_t509));
      										_t639 = _v160;
      										_v8 = 0xf;
      										if(_v160 != 0) {
      											E0046A700(_t639);
      										}
      										_v144 = 0x474;
      										_push( &_v144);
      										_t515 = E004361D0(_t539, _t645,  &_v108,  *((intOrPtr*)(E00445D40( &_v68))),  *((intOrPtr*)(_t513 + 4)));
      										_v8 = 0x16;
      										SetDlgItemTextW(_t673, 0x47b, E0046A170(_t515));
      										_t642 = _v108;
      										_v8 = 0xf;
      										if(_v108 != 0) {
      											E0046A700(_t642);
      										}
      										_t643 = _v56;
      										_v8 = 0xa;
      										if(_v56 != 0) {
      											E0046A700(_t643);
      										}
      										E0045E260( &_v68,  &_v72,  *_v68, _v68);
      										E0046EF07(_v68);
      									}
      								}
      							}
      						}
      					}
      				}
      				 *[fs:0x0] = _v16;
      				_pop(_t649);
      				_pop(_t658);
      				_pop(_t535);
      				return E0046F77E(_t535, _v20 ^ _t675, _t645, _t649, _t658);
      			}
      0x004550e0
      0x004550e0
      0x004550e1
      0x004550e3
      0x004550e9
      0x0045514e
      0x0045514f
      0x00455150
      0x00455151
      0x00455153
      0x00455155
      0x00455160
      0x00455161
      0x00455167
      0x0045516c
      0x0045516e
      0x00455174
      0x00455178
      0x0045517e
      0x00455181
      0x00455184
      0x00455187
      0x0045518a
      0x0045518d
      0x00455192
      0x00455d00
      0x00455d00
      0x00455d05
      0x00455d11
      0x00455d11
      0x00455d18
      0x00455d25
      0x00455d25
      0x00455d30
      0x00455d07
      0x00455d07
      0x00455d07
      0x00455d0a
      0x00000000
      0x00455d0c
      0x00455d0c
      0x00455d0f
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00455d0f
      0x00455d0a
      0x00455198
      0x00455198
      0x00455b5f
      0x00455b62
      0x00455b68
      0x00455bac
      0x00455baf
      0x00000000
      0x00000000
      0x00000000
      0x00455b6a
      0x00455b6a
      0x00455b70
      0x00455bb5
      0x00455bb8
      0x00455bba
      0x00455bc0
      0x00455bc6
      0x00455bc9
      0x00455bd6
      0x00000000
      0x00455bdd
      0x00000000
      0x00000000
      0x00455be6
      0x00000000
      0x00000000
      0x00455bef
      0x00000000
      0x00000000
      0x00455bf8
      0x00455bff
      0x00455c0e
      0x00455c14
      0x00455c23
      0x00455c2e
      0x00455c3d
      0x00455c46
      0x00455c4b
      0x00455c5a
      0x00455c6d
      0x00455c6d
      0x00455c70
      0x00455c73
      0x00455c80
      0x00455c86
      0x00455ca2
      0x00455ca7
      0x00455cac
      0x00455caf
      0x00455cbb
      0x00455cc3
      0x00455ccd
      0x00455cce
      0x00455cd8
      0x00455ce2
      0x00455cec
      0x00455cf6
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00455bd6
      0x00455bc9
      0x00000000
      0x00455b72
      0x00455b72
      0x00455b75
      0x00455b99
      0x00455b77
      0x00455b77
      0x00455b7d
      0x00000000
      0x00455b83
      0x00455b83
      0x00455b89
      0x00000000
      0x00455b8b
      0x00455b8b
      0x00455b89
      0x00455b7d
      0x00455b75
      0x00455b70
      0x0045519e
      0x0045519e
      0x004551a1
      0x00455569
      0x0045556e
      0x00000000
      0x00455574
      0x00455574
      0x00455579
      0x0045557e
      0x00455581
      0x00455584
      0x0045558b
      0x0045558d
      0x0045559e
      0x0045559e
      0x004555a0
      0x0045558f
      0x00455592
      0x00455597
      0x00455599
      0x00455599
      0x004555ad
      0x004555b4
      0x004555ba
      0x004555bc
      0x004555c1
      0x004555c4
      0x004555c7
      0x004555ce
      0x004555d0
      0x004555dc
      0x004555dc
      0x004555d2
      0x004555d5
      0x004555d5
      0x004555e3
      0x004555e6
      0x004555fd
      0x00455605
      0x0045561c
      0x0045562a
      0x0045562f
      0x00455636
      0x00455639
      0x0045564a
      0x0045564f
      0x00455655
      0x00455660
      0x00455669
      0x00455670
      0x00455678
      0x00455683
      0x0045568a
      0x00455695
      0x0045569b
      0x0045569e
      0x004556a2
      0x004556a4
      0x004556a6
      0x004556a6
      0x004556ab
      0x004556ae
      0x004556b2
      0x004556b4
      0x004556b6
      0x004556b6
      0x004556bb
      0x004556be
      0x004556c2
      0x004556c4
      0x004556c6
      0x004556c6
      0x004556cb
      0x004556d1
      0x004556d5
      0x004556d7
      0x004556d9
      0x004556d9
      0x004556de
      0x004556e4
      0x004556e8
      0x004556ea
      0x004556ec
      0x004556ec
      0x004556f1
      0x004556f4
      0x004556f8
      0x004556fa
      0x004556fc
      0x004556fc
      0x00455701
      0x00455704
      0x0045570b
      0x0045570d
      0x0045570f
      0x0045570f
      0x00455714
      0x0045571b
      0x00455722
      0x0045572e
      0x00455735
      0x0045573d
      0x0045573d
      0x0045573f
      0x00455742
      0x00455742
      0x0045574f
      0x00455751
      0x00455752
      0x00455755
      0x0045575b
      0x00455760
      0x00455768
      0x0045576b
      0x00455773
      0x00455776
      0x0045577d
      0x0045577e
      0x00455781
      0x00455783
      0x00455783
      0x0045578a
      0x00455790
      0x00455796
      0x0045579b
      0x0045579e
      0x004557a3
      0x004557a6
      0x004557a9
      0x004557ab
      0x004557b0
      0x004557b3
      0x004557b4
      0x004557b7
      0x004557ba
      0x004557bd
      0x004557c0
      0x004557c7
      0x0045583f
      0x00455841
      0x00455849
      0x0045584f
      0x00455854
      0x0045585a
      0x00455860
      0x00455869
      0x00455871
      0x0045587a
      0x00455882
      0x0045588a
      0x00455892
      0x0045589a
      0x004558a2
      0x004558a8
      0x004558aa
      0x004558ac
      0x004558b0
      0x004558b0
      0x004558c8
      0x004558cd
      0x004558e5
      0x004558ea
      0x004558ed
      0x004558ef
      0x004558ef
      0x004558b0
      0x004557c9
      0x004557c9
      0x004557cb
      0x004557d3
      0x004557d9
      0x004557de
      0x004557e7
      0x004557ef
      0x004557f7
      0x004557ff
      0x00455805
      0x00455807
      0x00455809
      0x00455810
      0x00455810
      0x00455828
      0x0045582d
      0x00455830
      0x00455832
      0x00455832
      0x0045583a
      0x00455809
      0x004558f7
      0x004558fa
      0x00455900
      0x00455903
      0x00455908
      0x0045590b
      0x0045590b
      0x0045591d
      0x00455929
      0x00455933
      0x00455935
      0x0045593c
      0x0045593e
      0x00455943
      0x0045594d
      0x00455951
      0x00455955
      0x00455957
      0x0045595c
      0x00455961
      0x0045596e
      0x00455972
      0x00455974
      0x00455979
      0x0045597e
      0x0045598b
      0x0045598f
      0x00455991
      0x00455996
      0x0045599b
      0x004559a8
      0x004559ac
      0x004559ae
      0x004559b3
      0x004559b8
      0x004559c5
      0x004559c9
      0x004559cb
      0x004559d0
      0x004559d5
      0x004559e2
      0x004559e6
      0x004559e8
      0x004559ed
      0x004559f2
      0x004559ff
      0x00455a03
      0x00455a05
      0x00455a0a
      0x00455a0f
      0x00455a1c
      0x00455a20
      0x00455a22
      0x00455a27
      0x00455a31
      0x00455a35
      0x00455a39
      0x00455a3b
      0x00455a40
      0x00455a45
      0x00455a52
      0x00455a56
      0x00455a58
      0x00455a5d
      0x00455a62
      0x00455a6f
      0x00455a73
      0x00455a75
      0x00455a7a
      0x00455a7f
      0x00455a8c
      0x00455a90
      0x00455a92
      0x00455a97
      0x00455a9c
      0x00455aa9
      0x00455aad
      0x00455aaf
      0x00455ab4
      0x00455ab9
      0x00455ac6
      0x00455aca
      0x00455acc
      0x00455ad1
      0x00455ad6
      0x00455ae3
      0x00455ae7
      0x00455ae9
      0x00455aee
      0x00455af3
      0x00455aff
      0x00455b0a
      0x00455b0f
      0x00455b19
      0x00455b1f
      0x00455b1f
      0x00455b21
      0x00455b21
      0x00455b2b
      0x00455b30
      0x00455b35
      0x00455b3a
      0x00455b3d
      0x00455b3d
      0x00455b45
      0x00455b48
      0x00455b4a
      0x00455b4d
      0x00455b52
      0x00455b55
      0x004551a7
      0x004551a7
      0x0045555c
      0x004551ad
      0x004551ad

      APIs
      • GetDlgItem.USER32 ref: 004551D7
        • Part of subcall function 0042BF10: GetPropW.USER32(?), ref: 0042BF1E
      • GetClientRect.USER32 ref: 004551EF
      • SetDlgItemTextW.USER32 ref: 004552F3
      • SetDlgItemTextW.USER32 ref: 00455331
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
      • SetDlgItemTextW.USER32 ref: 004553F1
      • SetDlgItemTextW.USER32 ref: 0045542C
      • SetDlgItemTextW.USER32 ref: 00455480
      • SetDlgItemTextW.USER32 ref: 004554D1
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • GetPropW.USER32(?,00000000), ref: 00455534
      • DestroyWindow.USER32(?,2927074F), ref: 0045555C
      • SetPropW.USER32 ref: 004555B4
      • SetWindowTextW.USER32(?,00000000), ref: 00455695
      • CreateSolidBrush.GDI32(00FFFFFF), ref: 00455D1F
      • SetBkColor.GDI32(?,00FFFFFF), ref: 00455D30
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ItemText$Prop$DecrementInterlockedWindow$BrushClientColorCreateDestroyRectSolid
      • String ID: /second
      • API String ID: 1210633883-2739152577
      • Opcode ID: 5a0021d4edf9f7f34753d5c67cb6ab6f997b3d5d85e4ed2401c7b86f2ade93b1
      • Instruction ID: f89d0c663d8a1a831213f9c67d59fbe6df53949ea4a059c17e0357c2b95d7b79
      • Opcode Fuzzy Hash: 5a0021d4edf9f7f34753d5c67cb6ab6f997b3d5d85e4ed2401c7b86f2ade93b1
      • Instruction Fuzzy Hash: 66B1B675D00608EFDF15EFA1C955BEEB778AF05305F04406EF805A7242EB385A09CB6A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E0043F614(struct _CRITICAL_SECTION* __ebx, long* __edi, void* __eflags) {
      				signed int _t158;
      				void* _t177;
      				long _t182;
      				void* _t184;
      				long _t185;
      				signed int _t186;
      				void* _t188;
      				long _t189;
      				void* _t194;
      				long _t195;
      				void* _t204;
      				long* _t206;
      				intOrPtr _t210;
      				struct _CRITICAL_SECTION* _t225;
      				signed int _t229;
      				long** _t239;
      				signed int _t243;
      				void* _t244;
      				long* _t253;
      				struct _CRITICAL_SECTION* _t254;
      				intOrPtr _t257;
      				void* _t260;
      				intOrPtr _t261;
      				long* _t262;
      				struct _CRITICAL_SECTION* _t264;
      				long** _t266;
      				intOrPtr _t267;
      				void* _t268;
      				void* _t277;
      
      				_t277 = __eflags;
      				_t262 = __edi;
      				_t225 = __ebx;
      				__edi[0x19] = 0;
      				__edi[0x1a] = 0;
      				__edi[0x19] = E00419990(0, 0);
      				__edi[0x18] = 0;
      				__edi[0xa] = 0;
      				__edi[0xb] = 0;
      				_t264 =  *(_t268 + 0xc);
      				 *(_t268 - 4) = 0xffffffff;
      				 *__edi =  *(_t264 + 0x34 + ( *(_t264 + 0x28) & 0x0000ffff) * 4);
      				__edi[1] =  *(_t264 + 0x38 + ( *(_t264 + 0x28) & 0x0000ffff) * 4);
      				_t158 =  *(_t264 + 0x28) & 0x0000ffff;
      				__edi[8] =  *(_t264 + 0x4c + _t158 * 4);
      				__edi[9] =  *(_t264 + 0x50 + _t158 * 4);
      				__edi[6] =  *(_t264 + 0x44 + ( *(_t264 + 0x28) & 0x0000ffff) * 4);
      				_t229 =  *(_t264 + 0x28) & 0x0000ffff;
      				__edi[4] =  *(_t264 + 0x54 + _t229 * 4);
      				__edi[5] =  *(_t264 + 0x58 + _t229 * 4);
      				__edi[2] =  *(_t264 + 0x40 + ( *(_t264 + 0x28) & 0x0000ffff) * 4);
      				__edi[3] =  *(_t264 + 0x3c + ( *(_t264 + 0x28) & 0x0000ffff) * 4);
      				__edi[0xc] =  *(_t264 + 0x5c + ( *(_t264 + 0x28) & 0x0000ffff) * 4);
      				__edi[0xd] =  *(_t264 + 0x48 + ( *(_t264 + 0x28) & 0x0000ffff) * 4);
      				E00411A80(_t264, _t277, _t268 - 0x18);
      				 *(_t268 - 4) = 1;
      				__edi[0x11] = E0040DBC0( *((intOrPtr*)(__ebx + 0x20)), _t277, _t268 - 0x18);
      				 *((intOrPtr*)(_t268 - 0x10)) = E0046A170(_t268 - 0x18);
      				_t177 = E00471495(_t176, 0x5c);
      				_t278 = _t177;
      				if(_t177 == 0) {
      					_t178 =  *((intOrPtr*)(_t268 - 0x10));
      				} else {
      					_t178 = _t177 + 2;
      					 *((intOrPtr*)(_t268 - 0x10)) = _t177 + 2;
      				}
      				 *(_t268 - 0x1c) = E0046A6C0(_t225,  *((intOrPtr*)(_t268 - 0x10)), E0046A530(_t178));
      				 *(_t268 - 4) = 2;
      				_t182 = E0040DBC0( *((intOrPtr*)(_t225 + 0x20)), _t278, _t268 - 0x1c);
      				_t234 =  *(_t268 - 0x1c);
      				_t262[0x10] = _t182;
      				 *(_t268 - 4) = 1;
      				_t279 =  *(_t268 - 0x1c);
      				if( *(_t268 - 0x1c) != 0) {
      					E0046A700(_t234);
      				}
      				_t184 = E0040F990(_t264, _t268 - 0x1c);
      				 *(_t268 - 4) = 3;
      				_t185 = E0040DBC0( *((intOrPtr*)(_t225 + 0x20)), _t279, _t184);
      				_t237 =  *(_t268 - 0x1c);
      				_t262[0x12] = _t185;
      				 *(_t268 - 4) = 1;
      				if( *(_t268 - 0x1c) != 0) {
      					E0046A700(_t237);
      				}
      				_t186 =  *(_t264 + 0x28) & 0x0000ffff;
      				_t281 =  *((char*)(_t264 + 0x60 + _t186 * 4));
      				if( *((char*)(_t264 + 0x60 + _t186 * 4)) != 0) {
      					_t239 = _t264 + 0x68 + _t186 * 4;
      				} else {
      					_t239 = 0;
      				}
      				_t188 = E00437B60(_t268 - 0x1c, _t239);
      				 *(_t268 - 4) = 4;
      				_t189 = E0040DBC0( *((intOrPtr*)(_t225 + 0x20)), _t281, _t188);
      				_t241 =  *(_t268 - 0x1c);
      				_t262[0xf] = _t189;
      				 *(_t268 - 4) = 1;
      				if( *(_t268 - 0x1c) != 0) {
      					E0046A700(_t241);
      				}
      				_t243 = ( *(_t264 + 0x28) & 0x0000ffff) + 0xd;
      				_t283 =  *((char*)(_t264 + 0x2d + _t243 * 4));
      				_t244 = _t264 + _t243 * 4;
      				if( *((char*)(_t264 + 0x2d + _t243 * 4)) != 0) {
      					_t192 = ( *(_t244 + 0x2c) & 0x000000ff) + 0x34 + _t244;
      					__eflags = ( *(_t244 + 0x2c) & 0x000000ff) + 0x34 + _t244;
      				} else {
      					_t192 = 0;
      				}
      				_t194 = E00437B60(_t268 - 0x1c, _t192);
      				 *(_t268 - 4) = 5;
      				_t195 = E0040DBC0( *((intOrPtr*)(_t225 + 0x20)), _t283, _t194);
      				_t246 =  *(_t268 - 0x1c);
      				_t262[0xe] = _t195;
      				 *(_t268 - 4) = 1;
      				if( *(_t268 - 0x1c) != 0) {
      					E0046A700(_t246);
      				}
      				_t262[0x14] = 0;
      				_t262[0x13] = 0;
      				_t262[0x15] = 0;
      				_t262[0x16] = 0;
      				_t262[0x17] = 0;
      				 *(_t268 - 0x24) = _t225;
      				EnterCriticalSection(_t225);
      				_t117 = _t225 + 0x18; // -1235
      				 *(_t268 - 0x20) =  *_t262;
      				 *(_t268 - 4) = 6;
      				 *(_t268 - 0x1c) = _t262;
      				E0043E090(_t117, _t268 - 0x14, 0, _t268 - 0x20,  *0x4bd09c & 0x000000ff);
      				 *(_t268 - 4) = 1;
      				LeaveCriticalSection(_t225);
      				 *((char*)(_t268 - 0x10)) =  *((short*)(_t264 + 0xc)) == 0;
      				if( *0x4bce30 == 0) {
      					L31:
      					L00442050(_t225, _t260, __eflags, _t262,  *((intOrPtr*)(_t268 - 0x10)),  *((intOrPtr*)(_t264 + 0x1c)),  *((intOrPtr*)(_t264 + 0x20)), 0x4bca10);
      				} else {
      					_t204 = E00419890(0x4bca10);
      					_t287 = _t204;
      					if(_t204 == 0) {
      						goto L31;
      					} else {
      						_push(0x18);
      						_t266 = E0046EEB6(_t225, _t262, _t287);
      						if(_t266 == 0) {
      							_t266 = 0;
      							__eflags = 0;
      						} else {
      							 *_t266 = 0;
      						}
      						_t206 =  *(_t268 + 8);
      						_t253 =  *_t266;
      						 *(_t268 - 0x24) = _t266;
      						 *(_t268 - 0x1c) = _t253;
      						 *_t266 = _t206;
      						if(_t206 != 0) {
      							InterlockedIncrement( &(_t206[0x15e]));
      							_t253 =  *(_t268 - 0x1c);
      						}
      						if(_t253 != 0 && InterlockedDecrement( &(_t253[0x15e])) < 2) {
      							E00467460( *(_t268 - 0x1c), _t217);
      						}
      						_t254 =  *(_t268 + 0xc);
      						_t266[1] = _t225;
      						_t266[2] = _t262;
      						_t266[3] =  *((intOrPtr*)(_t268 - 0x10));
      						_t266[4] =  *(_t254 + 0x1c);
      						_t266[5] =  *(_t254 + 0x20);
      						 *(_t268 + 0xc) = 0x4bd080;
      						EnterCriticalSection(0x4bd080);
      						_t267 =  *0x4bd078; // 0x77d010
      						 *(_t268 - 4) = 7;
      						_t210 = E004430E0(0x4bd078, _t267,  *((intOrPtr*)(_t267 + 4)), _t268 - 0x24);
      						_t257 =  *0x4bd07c; // 0x0
      						_t261 = _t210;
      						_t293 = 0x15555554 - _t257 - 1;
      						if(0x15555554 - _t257 < 1) {
      							_push("list<T> too long");
      							E0046EB0F(_t293);
      						}
      						 *0x4bd07c = _t257 + 1;
      						 *((intOrPtr*)(_t267 + 4)) = _t261;
      						 *((intOrPtr*)( *((intOrPtr*)(_t261 + 4)))) = _t261;
      						ReleaseSemaphore( *0x4bd098, 1, 0);
      						LeaveCriticalSection(0x4bd080);
      					}
      				}
      				_t249 =  *((intOrPtr*)(_t268 - 0x18));
      				 *(_t268 - 4) = 0xffffffff;
      				if( *((intOrPtr*)(_t268 - 0x18)) != 0) {
      					E0046A700(_t249);
      				}
      				 *[fs:0x0] =  *((intOrPtr*)(_t268 - 0xc));
      				return _t262;
      			}

      APIs
      • _wcsrchr.LIBCMT ref: 0043F6F0
        • Part of subcall function 0040DBC0: EnterCriticalSection.KERNEL32(?,2927074F,00000000,?,-000004EB,000000FF,?,0043F6DF,?,?,?,?,004BCAF0,00000000,?,?), ref: 0040DC10
        • Part of subcall function 0040DBC0: LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,0043F6DF,?), ref: 0040DC93
      • EnterCriticalSection.KERNEL32(-000004EB,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004BCAF0,00000000,?), ref: 0043F81E
      • LeaveCriticalSection.KERNEL32(-000004EB,004BCAF0,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 0043F84F
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$DecrementInterlocked_wcsrchr
      • String ID: list<T> too long
      • API String ID: 2087211763-4027344264
      • Opcode ID: e73c044374c7344ae3947669a8470757abea1e14f3a0f796e019db3a0e5e7198
      • Instruction ID: 5658721990295d3085c59bd818fcc20c0425cd11ca6a7b67d71df850a249f1ab
      • Opcode Fuzzy Hash: e73c044374c7344ae3947669a8470757abea1e14f3a0f796e019db3a0e5e7198
      • Instruction Fuzzy Hash: 68B1BDB4D00705EFDB14DFA9C444BAABBF4BF08304F10452EE84697780D739A959CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 34%
      			E004640D0(void* __edi, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, signed short _a16, signed short _a20, intOrPtr _a24, signed char _a28) {
      				signed int _v8;
      				short _v12;
      				long _v16;
      				signed short _v20;
      				char _v24;
      				signed short _v28;
      				intOrPtr _v32;
      				signed int _v36;
      				void* __ebx;
      				void* __esi;
      				signed int _t49;
      				long _t51;
      				short _t52;
      				signed short _t55;
      				intOrPtr* _t60;
      				intOrPtr _t61;
      				void* _t66;
      				void* _t67;
      				char* _t71;
      				void* _t78;
      				signed char _t84;
      				intOrPtr _t85;
      				signed int _t91;
      				intOrPtr* _t94;
      				signed short _t100;
      				signed short _t101;
      				signed short _t107;
      				intOrPtr _t110;
      				void* _t111;
      				void* _t113;
      				void* _t114;
      				void* _t115;
      				void* _t116;
      				intOrPtr* _t117;
      				signed int _t118;
      				void* _t119;
      
      				_t109 = __edi;
      				_t49 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t49 ^ _t118;
      				_t51 =  *"65535"; // 0x33353536
      				_t85 = _a12;
      				_t107 = _a20;
      				_t84 = _a28;
      				_t117 = _a4;
      				_v16 = _t51;
      				_t52 =  *0x4a6d40; // 0x35
      				_v32 = _t85;
      				_v28 = _t107;
      				_v12 = _t52;
      				if(_t117 == 0 || _a8 < 0x10) {
      					return E0046F77E(_t84, _v8 ^ _t118, _t107, _t109, _t117);
      				} else {
      					if( *_t117 == 2) {
      						_t55 = _a16;
      						_push(__edi);
      						_t110 = _a24;
      						if(_t85 == 0 || _t55 == 0) {
      							if(_t107 == 0 || _t110 == 0) {
      								goto L37;
      							} else {
      								goto L8;
      							}
      						} else {
      							L8:
      							_t91 = _t84 & 0x00000002;
      							_v36 = _t91;
      							if(_t91 == 0 || (_t84 & 0x00000004) == 0) {
      								if(_t107 == 0 || _t110 == 0) {
      									L24:
      									_t112 = _v32;
      									if(_v32 == 0 || _t55 == 0) {
      										L45:
      										_pop(_t113);
      										return E0046F77E(_t84, _v8 ^ _t118, _t107, _t113, _t117);
      									} else {
      										_t60 =  *((intOrPtr*)(_t117 + 4));
      										_v24 = _t60;
      										if(_t91 == 0) {
      											_t60 =  &_v24;
      											__imp__#51(_t60, 4, 2);
      											if(_t60 == 0) {
      												L33:
      												if((_t84 & 0x00000004) == 0) {
      													_push(_v24);
      													goto L40;
      												} else {
      													__imp__#111();
      													_t66 = _t60 - 0x2af9;
      													if(_t66 == 0) {
      														L37:
      														_pop(_t111);
      														return E0046F77E(_t84, _v8 ^ _t118, _t107, _t111, _t117);
      													} else {
      														_t67 = _t66 - 1;
      														if(_t67 == 0) {
      															_pop(_t115);
      															return E0046F77E(_t84, _v8 ^ _t118, _t107, _t115, _t117);
      														} else {
      															if(_t67 == 1) {
      																goto L46;
      															} else {
      																goto L37;
      															}
      														}
      													}
      												}
      											} else {
      												_t117 =  *_t60;
      												if(_t117 == 0) {
      													goto L33;
      												} else {
      													if((_t84 & 0x00000001) != 0) {
      														_t71 = E004731F0(_t117, 0x2e);
      														_t119 = _t119 + 8;
      														if(_t71 != 0) {
      															 *_t71 = 0;
      														}
      													}
      													goto L41;
      												}
      											}
      										} else {
      											_push(_t60);
      											L40:
      											__imp__#12();
      											_t117 = _t60;
      											L41:
      											_t94 = _t117;
      											_t44 = _t94 + 1; // 0x1
      											_t107 = _t44;
      											do {
      												_t61 =  *_t94;
      												_t94 = _t94 + 1;
      											} while (_t61 != 0);
      											_t62 = _a16;
      											if(_a16 <= _t94 - _t107) {
      												goto L46;
      											} else {
      												E00473785(_t112, _t62, _t117);
      												goto L45;
      											}
      										}
      									}
      								} else {
      									_t100 =  *(_t117 + 2) & 0x0000ffff;
      									_v20 = _t100;
      									if((_t84 & 0x00000008) == 0) {
      										_t73 =  ==  ? 0 : "udp";
      										_t55 = _t100 & 0x0000ffff;
      										__imp__#56(_t55,  ==  ? 0 : "udp");
      										if(_t55 == 0) {
      											L18:
      											_push(_v20);
      											goto L19;
      										} else {
      											_t55 =  *_t55;
      											if(_t55 == 0) {
      												goto L18;
      											} else {
      												_t107 = _t55;
      											}
      										}
      									} else {
      										_push(_t100);
      										L19:
      										__imp__#15();
      										swprintf( &_v16, 6, "%u", _t55 & 0x0000ffff);
      										_t107 =  &_v16;
      										_t119 = _t119 + 0x10;
      									}
      									_t101 = _t107;
      									_t27 = _t101 + 1; // 0x11
      									_v20 = _t27;
      									do {
      										_t78 =  *_t101;
      										_t101 = _t101 + 1;
      									} while (_t78 != 0);
      									if(_t110 <= _t101 - _v20) {
      										L46:
      										_pop(_t114);
      										return E0046F77E(_t84, _v8 ^ _t118, _t107, _t114, _t117);
      									} else {
      										E00473785(_v28, _t110, _t107);
      										_t55 = _a16;
      										_t119 = _t119 + 0xc;
      										_t91 = _v36;
      										goto L24;
      									}
      								}
      							} else {
      								_pop(_t116);
      								return E0046F77E(_t84, _v8 ^ _t118, _t107, _t116, _t117);
      							}
      						}
      					} else {
      						return E0046F77E(_t84, _v8 ^ _t118, _t107, __edi, _t117);
      					}
      				}
      			}

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID:
      • String ID: 65535$udp
      • API String ID: 0-1267037602
      • Opcode ID: 07f3befebc3ba3c3f2f212652c7ca2711e557622e349b5ead5aa57ede99c9f47
      • Instruction ID: a538bbda1f334a0d804692b8ea375d8b7127b36ff57f38a475d2fcb10e7dc3d4
      • Opcode Fuzzy Hash: 07f3befebc3ba3c3f2f212652c7ca2711e557622e349b5ead5aa57ede99c9f47
      • Instruction Fuzzy Hash: 7561DF35A001098BCF24DE99E855BFF73A4EFD5380F1441AFEC0697391EA398D4197AA
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 19%
      			E004303A0(struct _SECURITY_ATTRIBUTES** __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
      				long _v8;
      				struct _SECURITY_ATTRIBUTES* _v12;
      				struct _SYSTEM_INFO _v48;
      				intOrPtr _t69;
      				intOrPtr _t75;
      				intOrPtr _t77;
      				void* _t79;
      				long _t80;
      				signed int _t86;
      				void* _t89;
      				struct _SECURITY_ATTRIBUTES* _t91;
      				intOrPtr _t94;
      				intOrPtr _t96;
      				WCHAR* _t99;
      				intOrPtr* _t100;
      
      				_t100 = __ecx;
      				E004309F0(__ecx);
      				_t91 = _a8;
      				_t2 = _t100 + 0xf8; // 0x4bceb8
      				_t99 = _a4;
      				__ecx[1] = 0;
      				__ecx[1] = _t91;
      				E00402120(_t2, _t99);
      				__ecx[0x3f] = 0;
      				if(_t99 == 0 ||  *_t99 == 0) {
      					 *_t100 = 0x17d78400;
      				} else {
      					 *__ecx = 0;
      				}
      				GetSystemInfo( &_v48);
      				_t94 = _a12;
      				_t69 =  *0x4bcb6c; // 0x7879f0
      				_t95 =  <  ? _v48.dwAllocationGranularity : _t94;
      				 *((intOrPtr*)(_t100 + 8)) =  <  ? _v48.dwAllocationGranularity : _t94;
      				 *(_t100 + 0x24) = 0;
      				 *(_t100 + 0x28) = 0;
      				 *(_t100 + 0x2c) = 0;
      				 *(_t100 + 0x30) = 0;
      				 *(_t100 + 0x34) = 0;
      				 *(_t100 + 0x44) = 0;
      				 *(_t100 + 0x48) = 0;
      				 *(_t100 + 0x4c) = 0;
      				 *(_t100 + 0x50) = 0;
      				 *(_t100 + 0x54) = 0;
      				 *(_t100 + 0x64) = 0;
      				 *(_t100 + 0x68) = 0;
      				 *(_t100 + 0x6c) = 0;
      				 *(_t100 + 0x70) = 0;
      				 *(_t100 + 0x74) = 0;
      				 *(_t100 + 0x84) = 0;
      				 *(_t100 + 0x88) = 0;
      				 *(_t100 + 0x8c) = 0;
      				 *(_t100 + 0x90) = 0;
      				 *(_t100 + 0x94) = 0;
      				 *(_t100 + 0xa4) = 0;
      				 *(_t100 + 0xa8) = 0;
      				 *(_t100 + 0xac) = 0;
      				 *(_t100 + 0xb0) = 0;
      				 *(_t100 + 0xb4) = 0;
      				 *(_t100 + 0xc4) = 0;
      				 *(_t100 + 0xc8) = 0;
      				 *(_t100 + 0xcc) = 0;
      				 *(_t100 + 0xd0) = 0;
      				 *(_t100 + 0xd4) = 0;
      				EnterCriticalSection(_t69 + 8);
      				_t96 =  *0x4bcb6c; // 0x7879f0
      				_a8 = _t100;
      				E00444D20(_t96,  &_v12, 0,  &_a8,  *0x4bcb70 & 0x000000ff);
      				_t75 =  *0x4bcb6c; // 0x7879f0
      				LeaveCriticalSection(_t75 + 8);
      				_t77 =  *_t100;
      				_push(0);
      				if(_t77 == 0) {
      					_push(0);
      					if(_t91 == 0) {
      						_push(2);
      						_push(0);
      						_push(1);
      						_push(0xc0000000);
      						goto L12;
      					} else {
      						_t89 = CreateFileW(_t99, 0xc0000000, 1, 0, 3, ??, ??);
      						 *(_t100 + 0xc) = _t89;
      						if(_t89 == 0xffffffff && GetLastError() == 5) {
      							_push(0);
      							_push(0);
      							_push(3);
      							_push(0);
      							_push(1);
      							 *((char*)(_t100 + 4)) = 1;
      							_push(0x80000000);
      							L12:
      							 *(_t100 + 0xc) = CreateFileW(_t99, ??, ??, ??, ??, ??, ??);
      						}
      					}
      					_t52 = _t100 + 0xc; // 0x0
      					_t79 =  *_t52;
      					if(_t79 != 0xffffffff) {
      						_v12 = 0;
      						_v8 = 0;
      						_t80 = GetFileSize(_t79,  &_v8);
      						_v12 = _t80;
      						 *(_t100 + 0x18) = _t80;
      						 *((intOrPtr*)(_t100 + 0x1c)) = _v8;
      						if(_t91 == 0) {
      							return 1;
      						} else {
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(2 + (0 |  *((intOrPtr*)(_t100 + 4)) == 0x00000000) * 2);
      							_push(0);
      							_t65 = _t100 + 0xc; // 0x0
      							_push( *_t65);
      							goto L6;
      						}
      					} else {
      						return 0;
      					}
      				} else {
      					_push(_t77);
      					_push(0);
      					_push(0x4000004);
      					_push(0);
      					 *(_t100 + 0xc) = 0xffffffff;
      					_push(0xffffffff);
      					L6:
      					_t86 = CreateFileMappingW();
      					 *(_t100 + 0x10) = _t86;
      					return _t86 & 0xffffff00 | _t86 != 0x00000000;
      				}
      			}

      APIs
        • Part of subcall function 004309F0: EnterCriticalSection.KERNEL32(004BCEA0,2927074F,004BCA10,004BCA10,004BCA10,2927074F,004BCA10,004BCA10,0077A1E8,0077A1E8,0077A1E8), ref: 00430A24
        • Part of subcall function 004309F0: CloseHandle.KERNEL32(00000000), ref: 00430A46
        • Part of subcall function 004309F0: SetFilePointer.KERNEL32(00000000,00000000,?,00000000), ref: 00430A71
        • Part of subcall function 004309F0: SetEndOfFile.KERNEL32(00000000), ref: 00430A7A
        • Part of subcall function 004309F0: CloseHandle.KERNEL32(00000000), ref: 00430A83
        • Part of subcall function 004309F0: SysAllocString.OLEAUT32(00000000), ref: 00430AB7
        • Part of subcall function 004309F0: LeaveCriticalSection.KERNEL32(004BCEA0), ref: 00430AE2
        • Part of subcall function 004309F0: EnterCriticalSection.KERNEL32(007879E8), ref: 00430AED
        • Part of subcall function 004309F0: LeaveCriticalSection.KERNEL32(007879E8,?,?,?,?,?), ref: 00430B27
        • Part of subcall function 00402120: SysAllocString.OLEAUT32(004BCDC0), ref: 0040218C
      • GetSystemInfo.KERNEL32(?,004C255C,RqF8%L,004BCDC0,004BCA10,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000,004C255C,004BCA10), ref: 004303EF
      • EnterCriticalSection.KERNEL32(007879E8,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000,004C255C,004BCA10), ref: 0043050A
      • LeaveCriticalSection.KERNEL32(007879E8,004C255C,00000000,00000000,00000000,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000,004C255C,004BCA10), ref: 00430539
      • CreateFileMappingW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000), ref: 0043055A
      • CreateFileW.KERNEL32(004C255C,C0000000,00000001,00000000,00000003,00000000,00000000,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000), ref: 00430585
      • GetLastError.KERNEL32(?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000,004C255C,004BCA10), ref: 00430593
      • CreateFileW.KERNEL32(004C255C,C0000000,00000001,00000000,00000002,00000000,00000000,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000), ref: 004305BF
      • GetFileSize.KERNEL32(00000000,004BCA10,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000), ref: 004305EE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalFileSection$CreateEnterLeave$AllocCloseHandleString$ErrorInfoLastMappingPointerSizeSystem
      • String ID: RqF8%L
      • API String ID: 2557416345-933801909
      • Opcode ID: 2d357c1c224fef14f1ce71189bc32713b1347fd103022b4a81081e8abb442617
      • Instruction ID: e2d70f6e1b08f758ad6955ca50c5184528e0c44e445d498126fe13763827976c
      • Opcode Fuzzy Hash: 2d357c1c224fef14f1ce71189bc32713b1347fd103022b4a81081e8abb442617
      • Instruction Fuzzy Hash: 757140B1541700EFE720CF25D859B9BBBF4BB04714F108A1EE5AA9B6C0C7B9A548CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0044D9F0(void* __ebx, void* __edx, void* __edi, struct HWND__* _a4, int _a8, signed int _a12) {
      				int _v8;
      				char _v16;
      				signed int _t22;
      				int _t25;
      				int _t29;
      				void* _t35;
      				int _t43;
      				int _t47;
      				void* _t51;
      				int _t54;
      				void* _t69;
      				struct HWND__* _t73;
      				struct HWND__* _t75;
      				signed int _t78;
      				void* _t83;
      
      				_t69 = __edx;
      				_push(0xffffffff);
      				_push(E0048B0B0);
      				_push( *[fs:0x0]);
      				_t22 =  *0x4bb1dc; // 0x2927074f
      				_push(_t22 ^ _t78);
      				 *[fs:0x0] =  &_v16;
      				_t25 = _a8;
      				_t83 = _t25 - 0x110;
      				if(_t83 > 0) {
      					__eflags = _t25 - 0x111;
      					if(_t25 != 0x111) {
      						goto L18;
      					} else {
      						_t29 = (_a12 & 0x0000ffff) - 1;
      						__eflags = _t29;
      						if(_t29 == 0) {
      							_t73 = _a4;
      							__eflags = E004192D0(0x4bca10, GetDlgItemInt(_t73, 0x9c67, 0, 0) + 1);
      							if(__eflags != 0) {
      								EndDialog(_t73, 1);
      								goto L17;
      							} else {
      								_t35 = E00436170(__ebx, _t69, __edi, __eflags,  &_a8, 0xc7, 0);
      								_v8 = 0;
      								E0046A190( &_a4, L"History depth must be 1-", _t35);
      								_t59 = _a8;
      								_v8 = 2;
      								__eflags = _a8;
      								if(_a8 != 0) {
      									E0046A700(_t59);
      								}
      								MessageBoxW(_t73, E0046A170( &_a4), L"Process Monitor", 0x10);
      								_t61 = _a4;
      								_v8 = 0xffffffff;
      								__eflags = _a4;
      								if(_a4 == 0) {
      									goto L18;
      								} else {
      									E0046A700(_t61);
      									__eflags = 0;
      									 *[fs:0x0] = _v16;
      									return 0;
      								}
      							}
      						} else {
      							_t43 = _t29 - 1;
      							__eflags = _t43;
      							if(_t43 == 0) {
      								EndDialog(_a4, _t43);
      								goto L17;
      							}
      							goto L18;
      						}
      					}
      				} else {
      					if(_t83 == 0) {
      						_t75 = _a4;
      						SendMessageW(GetDlgItem(_t75, 0x9c66), 0x46f, 1, 0xc7);
      						_t47 = E00417350(0x4bca10) - 1;
      						__eflags = _t47;
      						SetDlgItemInt(_t75, 0x9c67, _t47, 0);
      						E004585D0(_t75,  *0x4bd2b4, L"HistoryDepthDialog");
      						 *[fs:0x0] = _v16;
      						return 1;
      					} else {
      						_t51 = _t25 - 2;
      						if(_t51 == 0) {
      							E004595D0(_a4,  *0x4bd2b4, L"HistoryDepthDialog");
      							__eflags = 0;
      							 *[fs:0x0] = _v16;
      							return 0;
      						} else {
      							_t54 = _t51 - 0xe;
      							if(_t54 == 0) {
      								EndDialog(_a4, _t54);
      								L17:
      							}
      							L18:
      							 *[fs:0x0] = _v16;
      							return 0;
      						}
      					}
      				}
      			}

      APIs
      • GetDlgItem.USER32 ref: 0044DA79
      • SendMessageW.USER32(00000000,?,?,0048B0B0), ref: 0044DA80
      • SetDlgItemInt.USER32(?,00009C67,-00000001,00000000), ref: 0044DA9A
      • EndDialog.USER32(?,00000001), ref: 0044DB8C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Item$DialogMessageSend
      • String ID: History depth must be 1-$HistoryDepthDialog$Process Monitor
      • API String ID: 2485852401-1818356290
      • Opcode ID: 4aec430f625e921a3eff927c02be17ac0fe21720cf1fe6bc157683b558677d0b
      • Instruction ID: e2f62e1f2920b9cb0531a605678a045585c73a9bc0edd1c3ceaa813e20ea3600
      • Opcode Fuzzy Hash: 4aec430f625e921a3eff927c02be17ac0fe21720cf1fe6bc157683b558677d0b
      • Instruction Fuzzy Hash: 44410371A44648BBEB15DF54DC42FAE3768EB09710F00856BFD01E72C1EBBAA910879D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E0040C108(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
      				void* _t67;
      				void* _t68;
      				void* _t69;
      				void* _t73;
      				void* _t76;
      				void* _t78;
      				signed int _t79;
      
      				_t73 = __edx;
      				_t67 = __ebx;
      				do {
      					__eax =  *__ecx & 0x0000ffff;
      					__ecx =  &(__ecx[1]);
      					 *((short*)(__ecx + __edx - 2)) = __ax;
      				} while (__ax != 0);
      				__eax = 0;
      				__ecx = 2;
      				 *((short*)(__esi + 0x12)) = __ax;
      				_t14 = __esi + 0x17; // 0x12f
      				__eax = _t14;
      				 *((short*)(__edi + 8)) =  *((short*)(__edi + 8)) + 1;
      				__eax = _t14 & 0xfffffffc;
      				_t17 = __eax + 0x12; // 0x141
      				__esi = _t17;
      				_t18 = __esi + 4; // 0x145
      				__edx = _t18;
      				 *((short*)(__eax + 0x10)) = __cx;
      				__ecx = L"&Decline";
      				 *((intOrPtr*)(__eax + 8)) = 0x9f00ff;
      				__edx = _t18 - __ecx;
      				 *((intOrPtr*)(__eax + 0xc)) = 0xe0032;
      				 *__eax = 0x50010000;
      				 *__esi = 0x80ffff;
      				do {
      					__eax =  *__ecx & 0x0000ffff;
      					__ecx =  &(__ecx[1]);
      					 *((short*)(__ecx + __edx - 2)) = __ax;
      				} while (__ax != 0);
      				__eax = 0;
      				__ecx = 0x1f5;
      				 *((short*)(__esi + 0x16)) = __ax;
      				_t26 = __esi + 0x1b; // 0x15c
      				__eax = _t26;
      				 *((short*)(__edi + 8)) =  *((short*)(__edi + 8)) + 1;
      				__eax = _t26 & 0xfffffffc;
      				_t29 = __eax + 0x12; // 0x16e
      				__esi = _t29;
      				_t30 = __esi + 4; // 0x172
      				__edx = _t30;
      				 *((short*)(__eax + 0x10)) = __cx;
      				__ecx = L"&Print";
      				 *((intOrPtr*)(__eax + 8)) = 0x9f0007;
      				__edx = _t30 - __ecx;
      				 *((intOrPtr*)(__eax + 0xc)) = 0xe0032;
      				 *__eax = 0x50010000;
      				 *__esi = 0x80ffff;
      				do {
      					__eax =  *__ecx & 0x0000ffff;
      					__ecx =  &(__ecx[1]);
      					 *((short*)(__ecx + __edx - 2)) = __ax;
      				} while (__ax != 0);
      				__eax = 0;
      				__ecx = 0x1f4;
      				 *((short*)(__esi + 0x12)) = __ax;
      				_t38 = __esi + 0x17; // 0x185
      				__eax = _t38;
      				 *((short*)(__edi + 8)) =  *((short*)(__edi + 8)) + 1;
      				__eax = _t38 & 0xfffffffc;
      				_t41 = __eax + 0x12; // 0x197
      				__esi = _t41;
      				 *((short*)(__eax + 0x10)) = __cx;
      				__ecx = L"RICHEDIT";
      				 *((intOrPtr*)(__eax + 8)) = 0xe0007;
      				__edx = __esi;
      				 *((intOrPtr*)(__eax + 0xc)) = 0x8c012a;
      				 *__eax = 0x50a11844;
      				__edx = __esi - __ecx;
      				do {
      					__eax =  *__ecx & 0x0000ffff;
      					__ecx =  &(__ecx[1]);
      					 *((short*)(__ecx + __edx - 2)) = __ax;
      				} while (__ax != 0);
      				__ecx = L"&Decline";
      				_t48 = __esi + 0x12; // 0x1a9
      				__edx = _t48;
      				__edx = _t48 - __ecx;
      				do {
      					__eax =  *__ecx & 0x0000ffff;
      					__ecx =  &(__ecx[1]);
      					 *((short*)(__ecx + __edx - 2)) = __ax;
      				} while (__ax != 0);
      				__eax = 0;
      				 *((short*)(__esi + 0x24)) = __ax;
      				 *((short*)(__edi + 8)) =  *((short*)(__edi + 8)) + 1;
      				 *(__ebp - 0x418) = DialogBoxIndirectParamW(0, __edi, 0, E0040B230,  *(__ebp - 0x42c));
      				__eax = LocalFree(__edi);
      				__eax =  *(__ebp - 0x418);
      				if(__eax != 0) {
      					if(RegCreateKeyW(0x80000001, _t79 - 0x20c, _t79 - 0x424) == 0) {
      						RegSetValueExW( *(_t79 - 0x424), L"EulaAccepted", 0, 4, _t79 - 0x418, 4);
      						RegCloseKey( *(_t79 - 0x424));
      					}
      					_t68 =  !=  ? 1 : _t67;
      				}
      				_pop(_t76);
      				_pop(_t78);
      				_pop(_t69);
      				return E0046F77E(_t69,  *(_t79 - 4) ^ _t79, _t73, _t76, _t78);
      			}

      APIs
      • RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040BF5F
      • DialogBoxIndirectParamW.USER32 ref: 0040C248
      • LocalFree.KERNEL32(00000000), ref: 0040C255
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateDialogFreeIndirectLocalParam
      • String ID: &Decline$&Print$EulaAccepted$RICHEDIT
      • API String ID: 1545696324-943767652
      • Opcode ID: 2ca5fccb8d3d66ec023bd8a01adee3b1d949d2d4f57be89b990aae6dc2938067
      • Instruction ID: 0995d6fb336d04643696da90ce536f2966f4e21d8dca1fdeebc48a502bafac02
      • Opcode Fuzzy Hash: 2ca5fccb8d3d66ec023bd8a01adee3b1d949d2d4f57be89b990aae6dc2938067
      • Instruction Fuzzy Hash: 9551CF71100205CFCB25CF64C845BA6B3B0FF04304F118ABEE559DB6A2EB79DA4ACB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E00452140(void* __eax, void* __ecx, void* __esi, struct HWND__* _a4, intOrPtr _a8) {
      				signed int _v8;
      				signed int _v12;
      				char _v504;
      				char _v528;
      				signed int _v532;
      				intOrPtr _v536;
      				struct HWND__* _v540;
      				signed int _v552;
      				char _v1070;
      				char _v1072;
      				intOrPtr _v1112;
      				intOrPtr _v1132;
      				char* _v1136;
      				WCHAR* _v1152;
      				struct HWND__* _v1160;
      				struct tagOFNA _v1164;
      				void* __ebx;
      				void* __edi;
      				signed int _t39;
      				intOrPtr _t47;
      				void* _t53;
      				signed int _t55;
      				signed int _t64;
      				signed int _t66;
      				signed int _t68;
      				signed int _t80;
      				void* _t84;
      				void* _t92;
      				signed int _t93;
      				void* _t94;
      				void* _t95;
      				void* _t97;
      				intOrPtr* _t99;
      				void* _t111;
      				struct HWND__* _t113;
      				struct HWND__* _t114;
      				void* _t115;
      				void* _t116;
      				void* _t117;
      				void* _t118;
      				void* _t119;
      				void* _t121;
      				signed int _t123;
      				signed int _t124;
      				signed int _t128;
      				void* _t130;
      				void* _t131;
      				signed int _t132;
      				void* _t134;
      				void* _t135;
      				intOrPtr* _t136;
      
      				_t118 = __esi;
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				_t123 = _t128;
      				_t39 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t39 ^ _t123;
      				_push(_t92);
      				_t113 = _a4;
      				_v536 = _a8;
      				E00471495(_a8, 0x2e);
      				_t130 = _t128 - 0x214 + 8;
      				SendMessageW( *0x4bd2c0, 0x111, 0x9c8a, 0);
      				if( *0x4bd895 != 0) {
      					SendMessageW( *0x4bd2c0, 0x111, 0x9c53, 0);
      				}
      				UpdateWindow( *0x4bd2c0);
      				 *0x4bd0a2 = 1;
      				if( *0x4bdcdc != 0) {
      					DialogBoxParamW(GetModuleHandleW(0), L"DEVICE_PATH", _t113, E00447A30, 0x48fc20);
      				}
      				asm("movdqu xmm0, [0x4a5240]");
      				asm("movdqu [ebp-0x20c], xmm0");
      				asm("movq xmm0, [0x4a5250]");
      				asm("movq [ebp-0x1fc], xmm0");
      				E00470030( &_v504, 0, 0x1f0);
      				_t99 =  &_v528;
      				_t131 = _t130 + 0xc;
      				_t111 = _t99 + 2;
      				do {
      					_t47 =  *_t99;
      					_t99 = _t99 + 2;
      				} while (_t47 != 0);
      				_t101 = _t99 - _t111 >> 1;
      				_v532 = _t99 - _t111 >> 0x00000001 & 0x0000ffff;
      				E00438850(_t113,  &_v528,  &_v532, 1);
      				_t132 = _t131 + 0x10;
      				_t53 = (_v532 & 0x0000ffff) + (_v532 & 0x0000ffff);
      				if(_t53 >= 0x208) {
      					E00472AA1();
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					_push(_t123);
      					_t124 = _t132;
      					_t55 =  *0x4bb1dc; // 0x2927074f
      					_v552 = _t55 ^ _t124;
      					_push(_t92);
      					_push(_t118);
      					_push(_t113);
      					_t114 = _v540;
      					E00470030( &_v1160, 0, 0x54);
      					_v1072 = 0;
      					E00470030( &_v1070, 0, 0x206);
      					_t134 = _t132 - 0x268 + 0x18;
      					_v1164 = 0x58;
      					_v1160 = _t114;
      					_v1136 =  &_v1072;
      					_v1132 = 0x104;
      					_v1152 = L"Procmon Log (*.PML,*.PMB)";
      					_v1112 = 0x100c;
      					_t64 = GetOpenFileNameW( &_v1164);
      					__eflags = _t64;
      					if(_t64 != 0) {
      						_t66 = E00471495( &_v532, 0x2e);
      						_t135 = _t134 + 8;
      						__eflags = _t66;
      						if(_t66 == 0) {
      							L18:
      							_t68 = E00452450(_t111, _t114,  &_v532, 0);
      							_t136 = _t135 + 0xc;
      						} else {
      							_t80 = E0046F283(_t92, _t114, _t118, _t66, L".PMB");
      							_t135 = _t135 + 8;
      							__eflags = _t80;
      							if(_t80 != 0) {
      								goto L18;
      							} else {
      								_t68 =  &_v532;
      								_push(_t68);
      								_push(_t114);
      								L1();
      								_t136 = _t135 + 8;
      							}
      						}
      						_t93 = _t68;
      						__eflags = _t93;
      						if(_t93 != 0) {
      							 *_t136 = E0046A6C0(_t93,  &_v532, E0046A530( &_v532));
      							L00459F80(_t93, __eflags, _t114, _t101);
      						}
      						EnableMenuItem(GetMenu(_t114), 0x9c54, 2);
      						SendMessageW(GetDlgItem(_t114, 0x66), 0x401, 0x9c54, 0);
      						_pop(_t115);
      						_pop(_t119);
      						__eflags = _v12 ^ _t124;
      						_pop(_t94);
      						return E0046F77E(_t94, _v12 ^ _t124, _t111, _t115, _t119);
      					} else {
      						_pop(_t116);
      						_pop(_t121);
      						_pop(_t95);
      						__eflags = _v12 ^ _t124;
      						return E0046F77E(_t95, _v12 ^ _t124, _t111, _t116, _t121);
      					}
      				} else {
      					 *((short*)(_t123 + _t53 - 0x20c)) = 0;
      					_t84 = E004168D0(0x4bca10, _t111, 0x4bdac0, 0, L"<remote boot-log>",  &_v528);
      					_t96 = _t84;
      					if(_t84 != 0) {
      						_t96 = L0043AA70(_t111, _t113, _v536);
      						_t148 = _t96;
      						if(_t96 != 0) {
      							E00418140(0x4bca10, _t148, 0);
      						}
      					}
      					_pop(_t117);
      					 *0x4bd0a2 = 0;
      					_pop(_t97);
      					return E0046F77E(_t97, _v8 ^ _t123, _t111, _t117, _t118);
      				}
      			}

      APIs
      • _wcsrchr.LIBCMT ref: 00452174
      • SendMessageW.USER32(00000111,00009C8A,00000000), ref: 0045218E
      • SendMessageW.USER32(00000111,00009C53,00000000), ref: 004521AF
      • UpdateWindow.USER32 ref: 004521BB
      • GetModuleHandleW.KERNEL32(00000000,DEVICE_PATH,?,Function_00047A30,0048FC20), ref: 004521E3
      • DialogBoxParamW.USER32 ref: 004521EA
      • _memset.LIBCMT ref: 0045221E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$DialogHandleModuleParamUpdateWindow_memset_wcsrchr
      • String ID: <remote boot-log>$DEVICE_PATH
      • API String ID: 599080338-810512831
      • Opcode ID: 8aacfc16f98c457e40652ebaf74651607f5c68ee0ffde444df5f9dfe6ce688e7
      • Instruction ID: 5910c2b2f21ec3a984413d127f3a44821854f0e691044b782e5919898a361d21
      • Opcode Fuzzy Hash: 8aacfc16f98c457e40652ebaf74651607f5c68ee0ffde444df5f9dfe6ce688e7
      • Instruction Fuzzy Hash: 0E413B319803087BD710AB64DD0AFEA77B4BB15700F0406FAF905A61D1E7B81A49CF6C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E0040F410(void* __ebx, void* __edx, void* __edi, intOrPtr _a4, char _a8) {
      				signed int _v8;
      				short _v528;
      				short _v1048;
      				intOrPtr _v1052;
      				void* __esi;
      				signed int _t20;
      				void* _t49;
      				void* _t54;
      				void* _t55;
      				intOrPtr _t56;
      				signed int _t57;
      
      				_t55 = __edi;
      				_t54 = __edx;
      				_t49 = __ebx;
      				_t20 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t20 ^ _t57;
      				_t56 = _a4;
      				_v1052 = 0;
      				GetSystemDirectoryW( &_v1048, 0x104);
      				_push(L"PROCMON23.SYS");
      				L00401F90( &_v528, L"%s\\Drivers\\%s",  &_v1048);
      				if(E0040F560(_t54, L"RCDRIVERNT",  &_v528) != 0 || GetLastError() == 0x20) {
      					L8:
      					_push( &_v528);
      					goto L9;
      				} else {
      					if(_a8 == 0) {
      						L00401F90( &_v1048, L"%%TEMP%%\\%s", L"PROCMON23.SYS");
      						ExpandEnvironmentStringsW( &_v1048,  &_v528, 0x104);
      						if(E0040F560(_t54, L"RCDRIVERNT",  &_v528) != 0) {
      							goto L8;
      						}
      						GetCurrentDirectoryW(0x104,  &_v1048);
      						_push(L"PROCMON23.SYS");
      						L00401F90( &_v528, L"%s\\s",  &_v1048);
      						if(E0040F560(_t54, L"RCDRIVERNT",  &_v528) == 0) {
      							_push(0);
      						} else {
      							_push( &_v528);
      						}
      						L10:
      						E00402050();
      						return E0046F77E(_t49, _v8 ^ _t57, _t54, _t55, _t56);
      					}
      					_push(0);
      					L9:
      					goto L10;
      				}
      			}

      APIs
      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040F43D
        • Part of subcall function 00401F90: vswprintf.LIBCMT ref: 00401FA2
        • Part of subcall function 0040F560: FindResourceW.KERNEL32(00000000,?,BINRES,74CB4DC0,?), ref: 0040F578
      • GetLastError.KERNEL32 ref: 0040F47C
      • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0040F4C4
      • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040F4EE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Directory$CurrentEnvironmentErrorExpandFindLastResourceStringsSystemvswprintf
      • String ID: %%TEMP%%\%s$%s\Drivers\%s$%s\s$PROCMON23.SYS$RCDRIVERNT
      • API String ID: 1788495707-1429033295
      • Opcode ID: 29aa2c56a8c2c7203ca79ce6c306388012ed70e1d22111f4dfefa9d123500f9c
      • Instruction ID: 42ffc13174dec74071dcec665475bdc6a08b52f20de27231c473856d93a0e1d0
      • Opcode Fuzzy Hash: 29aa2c56a8c2c7203ca79ce6c306388012ed70e1d22111f4dfefa9d123500f9c
      • Instruction Fuzzy Hash: 963130B694021CBACF20EB949C45BE9776C9B04704F5041B7B605F21C2D6796A898BAE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 69%
      			E00408970(void* __ecx) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct tagSCROLLINFO _v52;
      				struct tagRECT _v68;
      				struct tagRECT _v100;
      				struct HWND__* _v108;
      				int _v112;
      				void* _v116;
      				void* __esi;
      				signed int _t39;
      				struct HWND__* _t58;
      				void* _t64;
      				intOrPtr _t70;
      				void* _t73;
      				void* _t75;
      				void* _t76;
      				signed int _t80;
      
      				_t78 = _t80;
      				_t39 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t39 ^ _t80;
      				_t75 = __ecx;
      				GetClientRect( *(__ecx + 8),  &_v68);
      				GetWindowRect( *(_t75 + 0x14),  &_v24);
      				_v52.cbSize = 0x1c;
      				asm("xorps xmm0, xmm0");
      				_v52.nTrackPos = 0;
      				asm("movdqu [ebp-0x28], xmm0");
      				_v52.fMask = 4;
      				GetScrollInfo( *(_t75 + 0x24), 2,  &_v52);
      				_v24.left =  *((intOrPtr*)(_t75 + 0x90)) - _v52.nPos;
      				_v24.right = _v68.right - _v68.left;
      				_v24.bottom = _v24.bottom - _v24.top;
      				_v24.top = 0;
      				if((GetWindowLongW( *(_t75 + 0x1c), 0xfffffff0) >> 0x0000001c & 0x00000001) == 0) {
      					_t70 = _v24.right;
      				} else {
      					_t70 = _v24.right - GetSystemMetrics(2);
      					_v24.right = _t70;
      				}
      				SetWindowPos( *(_t75 + 0x14), 0, _v24.left, _v24.top, _t70 - _v24.left, _v24.bottom - _v24.top, 4);
      				_t58 =  *(_t75 + 0x14);
      				asm("xorps xmm0, xmm0");
      				_v116 = 0x30;
      				asm("movdqu [ebp-0x68], xmm0");
      				_v112 = 0;
      				asm("movdqu [ebp-0x58], xmm0");
      				_v108 = _t58;
      				asm("movq [ebp-0x48], xmm0");
      				GetClientRect(_t58,  &_v100);
      				SendMessageW( *(_t75 + 0x18), 0x434, 0,  &_v116);
      				_pop(_t76);
      				return E0046F77E(_t64, _v8 ^ _t78, _t70 - _v24.left, _t73, _t76);
      			}

      APIs
      • GetClientRect.USER32 ref: 0040898A
      • GetWindowRect.USER32 ref: 00408997
      • GetScrollInfo.USER32 ref: 004089C3
      • GetWindowLongW.USER32(?,000000F0), ref: 004089F0
      • GetSystemMetrics.USER32 ref: 004089FF
      • SetWindowPos.USER32(000007D6,00000000,?,00000000,?,?,00000004), ref: 00408A2A
      • GetClientRect.USER32 ref: 00408A5B
      • SendMessageW.USER32(?,00000434,00000000,00000030), ref: 00408A6F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: RectWindow$Client$InfoLongMessageMetricsScrollSendSystem
      • String ID: 0
      • API String ID: 2994878272-4108050209
      • Opcode ID: d25abf97f291fab6d94ff2b5cc748ba3ab79190372b065ee0c46ed03d469ebc3
      • Instruction ID: 35121ddb4c4012bb67397ea5e34ead66a0600476a5623e5213b21b8d4fb90adf
      • Opcode Fuzzy Hash: d25abf97f291fab6d94ff2b5cc748ba3ab79190372b065ee0c46ed03d469ebc3
      • Instruction Fuzzy Hash: 2531E871D0021AAFDB10CFA8DD49BAEBBB4FF48301F20462DE855B6291EB706949CF54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00453240(intOrPtr _a4) {
      				signed int _v8;
      				short _v528;
      				struct _MEMORYSTATUSEX _v592;
      				signed int _t9;
      				void* _t11;
      				signed int _t22;
      
      				_t9 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t9 ^ _t22;
      				_t11 =  *0x4bdce4; // 0x0
      				if(_t11 != 0) {
      					CloseHandle(_t11);
      					 *0x4bdce4 = 0;
      				}
      				SetEvent( *0x4bce44);
      				E0043A9E0(0, 0);
      				if( *0x4bd2eb == 0) {
      					_v592.dwLength = 0x40;
      					_v592.dwMemoryLoad = 0;
      					E00470030( &(_v592.ullTotalPhys), 0, 0x38);
      					GlobalMemoryStatusEx( &_v592);
      					L00401F90( &_v528, L"Out of memory: Unable to allocate a memory block of size %u", _a4);
      					MessageBoxW(0,  &_v528, L"Process Monitor", 0x10);
      				}
      				ExitProcess(1);
      			}

      APIs
      • CloseHandle.KERNEL32(00000000), ref: 0045325D
      • SetEvent.KERNEL32 ref: 00453273
      • _memset.LIBCMT ref: 004532AD
      • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 004532BC
      • MessageBoxW.USER32(00000000,?,Process Monitor,00000010), ref: 004532E9
      • ExitProcess.KERNEL32 ref: 004532F1
      Strings
      • Process Monitor, xrefs: 004532E1
      • Out of memory: Unable to allocate a memory block of size %u, xrefs: 004532CB
      • @, xrefs: 00453296
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CloseEventExitGlobalHandleMemoryMessageProcessStatus_memset
      • String ID: @$Out of memory: Unable to allocate a memory block of size %u$Process Monitor
      • API String ID: 1156009629-3197188753
      • Opcode ID: 15040be308c3330cf842389c80900666219f92327c6d2a370094a919a1f36dec
      • Instruction ID: 018250de0b4f0ddb748a8767479714af05903c77b7befa39dabdee93506e3ba9
      • Opcode Fuzzy Hash: 15040be308c3330cf842389c80900666219f92327c6d2a370094a919a1f36dec
      • Instruction Fuzzy Hash: A01184B5941308AFDB20EFA4EC0AF497BB8AB04705F1004B5F908E51D1EBB4A658CF5D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 32%
      			E0047CB97(char _a4, long _a8) {
      				signed int _v8;
      				signed int _v12;
      				char _v19;
      				char _v20;
      				char _v24;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t57;
      				void* _t62;
      				intOrPtr* _t63;
      				void* _t70;
      				void* _t72;
      				void* _t77;
      				char _t78;
      				signed int _t81;
      				signed int _t86;
      				char _t92;
      				void* _t93;
      				intOrPtr _t98;
      				void* _t110;
      				long _t112;
      				void* _t113;
      				void* _t116;
      				signed int _t122;
      				signed int _t123;
      
      				if(0xffff == _a4) {
      					return 0xffff;
      				} else {
      					_pop(_t121);
      					_t122 = _t123;
      					_t57 =  *0x4bb1dc; // 0x2927074f
      					_v8 = _t57 ^ _t122;
      					_t92 = _a4;
      					_t112 = _a8;
      					if(_t92 != 0xffff && (( *(_t112 + 0xc) & 0x00000001) != 0 || ( *(_t112 + 0xc) & 0x00000080) != 0 && ( *(_t112 + 0xc) & 0x00000002) == 0)) {
      						if( *((intOrPtr*)(_t112 + 8)) == 0) {
      							E0047F8AD(_t112);
      						}
      						if(( *(_t112 + 0xc) & 0x00000040) != 0) {
      							L33:
      							_t62 =  *((intOrPtr*)(_t112 + 8)) + 2;
      							if( *_t112 >= _t62) {
      								L37:
      								 *_t112 =  *_t112 + 0xfffffffe;
      								_t63 =  *_t112;
      								if(( *(_t112 + 0xc) & 0x00000040) == 0) {
      									 *_t63 = _t92;
      									goto L43;
      								} else {
      									if( *_t63 == _t92) {
      										L43:
      										 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t112 + 4)) + 2;
      										 *(_t112 + 0xc) =  *(_t112 + 0xc) & 0xffffffef | 0x00000001;
      										goto L32;
      									} else {
      										 *_t112 = _t63 + 2;
      										goto L40;
      									}
      								}
      							} else {
      								if( *((intOrPtr*)(_t112 + 4)) != 0 ||  *((intOrPtr*)(_t112 + 0x18)) < 2) {
      									goto L40;
      								} else {
      									 *_t112 = _t62;
      									goto L37;
      								}
      							}
      						} else {
      							if(HeapCreate(_t112, ??, ??) == 0xffffffff || HeapCreate(_t112, ??, ??) == 0xfffffffe) {
      								_t70 = 0x4bbfe0;
      							} else {
      								_t86 = HeapCreate(_t112, ??, ??);
      								_t70 = ((HeapCreate(_t112, ??, ??) & 0x0000001f) << 6) +  *((intOrPtr*)(0x4c33f8 + (_t86 >> 5) * 4));
      							}
      							if(( *(_t70 + 4) & 0x00000080) == 0) {
      								goto L33;
      							} else {
      								if(HeapCreate(_t112, ??, ??) == 0xffffffff || HeapCreate(_t112, ??, ??) == 0xfffffffe) {
      									_t72 = 0x4bbfe0;
      								} else {
      									_t81 = HeapCreate(_t112, ??, ??);
      									_t72 = ((HeapCreate(_t112, ??, ??) & 0x0000001f) << 6) +  *((intOrPtr*)(0x4c33f8 + (_t81 >> 5) * 4));
      								}
      								if(( *(_t72 + 0x24) & 0x0000007f) == 0) {
      									if(E0047C3BF( &_v24,  &_v20, 5, _t92) == 0) {
      										_t98 = _v24;
      										goto L24;
      									} else {
      										goto L22;
      									}
      								} else {
      									_t98 = 2;
      									_v20 = _t92;
      									_v19 = _t92;
      									_v24 = _t98;
      									L24:
      									_t77 =  *((intOrPtr*)(_t112 + 8)) + _t98;
      									if( *_t112 >= _t77) {
      										L28:
      										_t110 = _t98 - 1;
      										if(_t110 >= 0) {
      											do {
      												 *_t112 =  *_t112 - 1;
      												_t78 =  *((intOrPtr*)(_t122 + _t110 - 0xc));
      												_t110 = _t110 - 1;
      												 *((char*)( *_t112)) = _t78;
      											} while (_t110 >= 0);
      											_t98 = _v24;
      										}
      										 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t112 + 4)) + _t98;
      										 *(_t112 + 0xc) =  *(_t112 + 0xc) & 0xffffffef | 0x00000001;
      										L32:
      									} else {
      										if( *((intOrPtr*)(_t112 + 4)) == 0 && _t98 <=  *((intOrPtr*)(_t112 + 0x18))) {
      											 *_t112 = _t77;
      											goto L28;
      										}
      									}
      								}
      							}
      						}
      					}
      					_pop(_t113);
      					_pop(_t116);
      					_pop(_t93);
      					return E0046F77E(_t93, _v12 ^ _t122, _t110, _t113, _t116);
      				}
      			}

      APIs
      • __getbuf.LIBCMT ref: 004824D4
      • HeapCreate.KERNELBASE(?,00000001,?), ref: 004824E5
      • HeapCreate.KERNELBASE(?,00000001,?), ref: 004824F1
      • HeapCreate.KERNELBASE(?,00000001,?), ref: 004824FD
      • HeapCreate.KERNELBASE(?,?,00000001), ref: 00482508
      • HeapCreate.KERNELBASE(?,00000001,?), ref: 00482533
      • HeapCreate.KERNELBASE(?,00000001,?), ref: 0048253F
      • HeapCreate.KERNELBASE(?,00000001,?), ref: 0048254B
      • HeapCreate.KERNELBASE(?,?,00000001), ref: 00482556
      • __cftof.LIBCMT ref: 00482590
        • Part of subcall function 0047C3BF: __wctomb_s_l.LIBCMT ref: 0047C3D0
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateHeap$__cftof__getbuf__wctomb_s_l
      • String ID:
      • API String ID: 504320969-0
      • Opcode ID: d750ce161f56894d428f1aff4a9fbcc6860fbbb1bebcb728d194e648a7965248
      • Instruction ID: c9616e4440aad72da61df8734722963f9343728481dcd2229ba71f96b2d9f115
      • Opcode Fuzzy Hash: d750ce161f56894d428f1aff4a9fbcc6860fbbb1bebcb728d194e648a7965248
      • Instruction Fuzzy Hash: BD510731400206BFC714AB29C911B7EB360FF11324F14CA6BE825972C1D7BCE951CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E00442430() {
      				long _v8;
      				char _v16;
      				struct _CRITICAL_SECTION* _v20;
      				intOrPtr _v24;
      				void* _v28;
      				signed int _t29;
      				void* _t32;
      				intOrPtr _t33;
      				long _t35;
      				intOrPtr* _t39;
      				intOrPtr* _t47;
      				void* _t55;
      				intOrPtr _t56;
      				intOrPtr* _t77;
      				intOrPtr* _t78;
      				intOrPtr* _t81;
      				intOrPtr* _t82;
      				intOrPtr _t85;
      				intOrPtr _t86;
      				signed int _t87;
      				void* _t88;
      				void* _t89;
      				void* _t90;
      
      				_push(0xffffffff);
      				_push(E0048A398);
      				_push( *[fs:0x0]);
      				_t89 = _t88 - 0xc;
      				_t29 =  *0x4bb1dc; // 0x2927074f
      				_push(_t29 ^ _t87);
      				 *[fs:0x0] =  &_v16;
      				_t32 =  *0x4bd098; // 0x20c
      				_v28 = _t32;
      				_t33 =  *0x4bce44; // 0x158
      				_v24 = _t33;
      				_t35 = WaitForMultipleObjects(2,  &_v28, 0, 0xffffffff);
      				_t91 = _t35 - 1;
      				if(_t35 != 1) {
      					do {
      						EnterCriticalSection(0x4bd080);
      						_t47 =  *0x4bd078; // 0x77d010
      						_t78 =  *_t47;
      						_t82 =  *((intOrPtr*)(_t78 + 8));
      						 *((intOrPtr*)( *((intOrPtr*)(_t78 + 4)))) =  *_t78;
      						 *((intOrPtr*)( *_t78 + 4)) =  *((intOrPtr*)(_t78 + 4));
      						 *0x4bd07c =  *0x4bd07c - 1;
      						E0046EF07(_t78);
      						_t90 = _t89 + 4;
      						LeaveCriticalSection(0x4bd080);
      						L00442050( *((intOrPtr*)(_t82 + 4)), _t78, _t91,  *((intOrPtr*)(_t82 + 8)),  *(_t82 + 0xc) & 0x000000ff,  *((intOrPtr*)(_t82 + 0x10)),  *((intOrPtr*)(_t82 + 0x14)), 0x4bca10);
      						_t53 =  *((intOrPtr*)(_t82 + 8));
      						if( *((intOrPtr*)( *((intOrPtr*)(_t82 + 8)) + 0x58)) != 0) {
      							E004192A0(0x4bca10,  *_t53);
      						}
      						_t86 =  *_t82;
      						if(_t86 != 0 && InterlockedDecrement(_t86 + 0x578) < 2) {
      							E00467460(_t86, _t60);
      						}
      						E0046EF07(_t82);
      						_t55 =  *0x4bd098; // 0x20c
      						_t89 = _t90 + 4;
      						_v28 = _t55;
      						_t56 =  *0x4bce44; // 0x158
      						_v24 = _t56;
      					} while (WaitForMultipleObjects(2,  &_v28, 0, 0xffffffff) != 1);
      				}
      				WaitForSingleObject( *0x4bce24, 0xffffffff);
      				_v20 = 0x4bd080;
      				EnterCriticalSection(0x4bd080);
      				_v8 = 0;
      				if( *0x4bd07c != 0) {
      					do {
      						_t39 =  *0x4bd078; // 0x77d010
      						_t77 =  *_t39;
      						_t81 =  *((intOrPtr*)(_t77 + 8));
      						 *((intOrPtr*)( *((intOrPtr*)(_t77 + 4)))) =  *_t77;
      						 *((intOrPtr*)( *_t77 + 4)) =  *((intOrPtr*)(_t77 + 4));
      						 *0x4bd07c =  *0x4bd07c - 1;
      						E0046EF07(_t77);
      						_t89 = _t89 + 4;
      						if(_t81 != 0) {
      							_t85 =  *_t81;
      							if(_t85 != 0 && InterlockedDecrement(_t85 + 0x578) < 2) {
      								E00467460(_t85, _t45);
      							}
      							E0046EF07(_t81);
      							_t89 = _t89 + 4;
      						}
      					} while ( *0x4bd07c != 0);
      					do {
      						goto L17;
      					} while (WaitForSingleObject( *0x4bd098, 0) != 0x102);
      					LeaveCriticalSection(0x4bd080);
      					 *[fs:0x0] = _v16;
      					return 0;
      				}
      				L17:
      			}

      APIs
      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,2927074F), ref: 00442472
      • EnterCriticalSection.KERNEL32(004BD080), ref: 00442495
      • LeaveCriticalSection.KERNEL32(004BD080), ref: 004424C8
      • InterlockedDecrement.KERNEL32(?), ref: 0044250B
      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,004BCA10), ref: 0044253D
        • Part of subcall function 004192A0: GetParent.USER32(00000000), ref: 004192B0
        • Part of subcall function 004192A0: PostMessageW.USER32(00000000,?,004424FE,?), ref: 004192B7
      • WaitForSingleObject.KERNEL32(000000FF), ref: 0044255A
      • EnterCriticalSection.KERNEL32(004BD080), ref: 00442568
      • InterlockedDecrement.KERNEL32(?), ref: 004425B9
      • WaitForSingleObject.KERNEL32(00000000), ref: 004425E8
      • LeaveCriticalSection.KERNEL32(004BD080), ref: 004425F6
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSectionWait$DecrementEnterInterlockedLeaveMultipleObjectObjectsSingle$MessageParentPost
      • String ID:
      • API String ID: 2138347081-0
      • Opcode ID: 0d87183681fafab10de1dc84228f0615f441476280f5d92e4d1dcc12a320fe13
      • Instruction ID: 454ef0fe427a4b06f1390b7677d3a4cd733a1551e41e5fca1393525b7b1126dd
      • Opcode Fuzzy Hash: 0d87183681fafab10de1dc84228f0615f441476280f5d92e4d1dcc12a320fe13
      • Instruction Fuzzy Hash: A251CF75A00600EFD700EF68ED85B6AB7B5FB08318F10467AF915D73A0E775A891CB98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E0040C870(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16) {
      				signed int _v8;
      				struct tagRECT _v24;
      				long _v28;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t24;
      				int _t33;
      				int _t36;
      				struct HWND__* _t39;
      				struct HWND__* _t53;
      				void* _t57;
      				void* _t58;
      				signed int _t61;
      
      				_t57 = __edx;
      				_t24 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t24 ^ _t61;
      				_t53 = _a4;
      				_t59 = _a8;
      				_t58 = __ecx;
      				 *((intOrPtr*)(__ecx)) = _a12;
      				 *(__ecx + 4) = 0;
      				 *((intOrPtr*)(_t58 + 8)) = GetTickCount();
      				 *((intOrPtr*)(_t58 + 0xc)) = E0046A6C0(_t53, _a8, E0046A530(_a8));
      				 *((intOrPtr*)(_t58 + 0x10)) = _a16;
      				 *(_t58 + 0x14) = 0;
      				 *(_t58 + 0x24) = 0;
      				if( *_t58 != 0) {
      					if(_t53 == 0) {
      						_t33 = GetSystemMetrics(0);
      						asm("cdq");
      						 *(_t58 + 0x18) = _t33 - _t57 >> 1;
      						_t36 = GetSystemMetrics(1);
      					} else {
      						GetWindowRect(_t53,  &_v24);
      						asm("cdq");
      						 *(_t58 + 0x18) = _v24.right + _v24.left - _t57 >> 1;
      						_t36 = _v24.bottom + _v24.top;
      					}
      					asm("cdq");
      					 *(_t58 + 0x1c) = _t36 - _t57 >> 1;
      					_t39 = GetAncestor(_t53, 2);
      					_t53 = GetParent;
      					_t59 = GetParent(_t39);
      					 *(_t58 + 0x24) = _t59;
      					if(_t59 != 0) {
      						while(_t59 != GetDesktopWindow()) {
      							EnableWindow(_t59, 0);
      							_t59 = GetParent(_t59);
      							if(_t59 != 0) {
      								continue;
      							}
      							goto L8;
      						}
      					}
      					L8:
      					 *((intOrPtr*)(_t58 + 0x20)) = CreateThread(0, 0, E0040D190, _t58, 0,  &_v28);
      				}
      				return E0046F77E(_t53, _v8 ^ _t61, _t57, _t58, _t59);
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$MetricsParentSystem$AncestorCountCreateDesktopEnableRectThreadTick
      • String ID:
      • API String ID: 3501152552-0
      • Opcode ID: 393b5ccbd8e0918057fdd0b0bd43075d10402da37524cf0ca01772b585e90529
      • Instruction ID: 66a4db3d973b2a2bd3d311970b95fb620afeaa093b9ed8136d27a6c5ce0b75a0
      • Opcode Fuzzy Hash: 393b5ccbd8e0918057fdd0b0bd43075d10402da37524cf0ca01772b585e90529
      • Instruction Fuzzy Hash: E8314FB1A01616ABC710DFA9DC85B9EB7F8BF08301F14463AE904E7281D774E9158BD9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E00458430(long __ecx) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct tagRECT _v40;
      				struct tagRECT _v56;
      				struct tagRECT _v72;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t33;
      				int _t41;
      				int _t42;
      				long _t60;
      				intOrPtr _t68;
      				void* _t69;
      				void* _t71;
      				intOrPtr _t73;
      				signed int _t75;
      
      				_t33 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t33 ^ _t75;
      				_t60 = __ecx;
      				if( *((intOrPtr*)(__ecx + 0x1c)) !=  *((intOrPtr*)(__ecx + 0x24)) ||  *((intOrPtr*)(__ecx + 0x18)) !=  *((intOrPtr*)(__ecx + 0x20))) {
      					 *(_t60 + 0x28) = BeginDeferWindowPos(0x200);
      					EnumChildWindows( *(_t60 + 0xc),  &M00457FD0, _t60);
      					EndDeferWindowPos( *(_t60 + 0x28));
      					GetClientRect( *(_t60 + 0xc),  &_v40);
      					_t41 = GetSystemMetrics(0x15);
      					_t42 = GetSystemMetrics(0x14);
      					_t73 = _v40.right;
      					_t68 = _v40.bottom;
      					_v24.left = _t73 - _t41;
      					_v24.right = _t73;
      					_v24.top = _t68 - _t42;
      					_v24.bottom = _t68;
      					asm("movdqu xmm0, [ebp-0x14]");
      					asm("movdqu [ebp-0x34], xmm0");
      					OffsetRect( &_v56,  *((intOrPtr*)(_t60 + 0x18)) -  *((intOrPtr*)(_t60 + 0x20)),  *((intOrPtr*)(_t60 + 0x1c)) -  *((intOrPtr*)(_t60 + 0x24)));
      					UnionRect( &_v72,  &_v56,  &_v24);
      					InvalidateRect( *(_t60 + 0xc),  &_v72, 1);
      					 *((intOrPtr*)(_t60 + 0x18)) =  *((intOrPtr*)(_t60 + 0x20));
      					 *((intOrPtr*)(_t60 + 0x1c)) =  *((intOrPtr*)(_t60 + 0x24));
      					InvalidateRect( *(_t60 + 0xc), 0, 1);
      					_t69 = _t69;
      					_t71 = _t71;
      				}
      				return E0046F77E(_t60, _v8 ^ _t75, _t68, _t69, _t71);
      			}

      APIs
      • BeginDeferWindowPos.USER32 ref: 0045845E
      • EnumChildWindows.USER32 ref: 00458470
      • EndDeferWindowPos.USER32(?), ref: 00458479
      • GetClientRect.USER32 ref: 00458486
      • GetSystemMetrics.USER32 ref: 00458494
      • GetSystemMetrics.USER32 ref: 0045849A
      • OffsetRect.USER32(?,?,?), ref: 004584D2
      • UnionRect.USER32 ref: 004584E4
      • InvalidateRect.USER32(?,?,00000001), ref: 004584F9
      • InvalidateRect.USER32(?,00000000,00000001), ref: 0045850E
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Rect$DeferInvalidateMetricsSystemWindow$BeginChildClientEnumOffsetUnionWindows
      • String ID:
      • API String ID: 3673833852-0
      • Opcode ID: 9d8a0f73d699f64359b05ed9af875125482166116cea93efc492415a7f939752
      • Instruction ID: bb0bfb3b41932417fb43ce67a6addc361fae0eba03b2f9689598c349a099ff28
      • Opcode Fuzzy Hash: 9d8a0f73d699f64359b05ed9af875125482166116cea93efc492415a7f939752
      • Instruction Fuzzy Hash: 87311071900109AFCF04DFA8D98599EBBB9EB0C310B21456AED05EB256DA70ED05CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E0043A870(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
      				signed int _v8;
      				void* _v12;
      				void* _v16;
      				void* _v20;
      				void* _v24;
      				void* _v28;
      				void* _v32;
      				void* _v36;
      				char _v40;
      				signed int _t14;
      				intOrPtr _t16;
      				void* _t19;
      				void* _t20;
      				void* _t21;
      				void* _t22;
      				void* _t38;
      				void* _t44;
      				signed int _t46;
      
      				_t44 = __esi;
      				_t43 = __edi;
      				_t42 = __edx;
      				_t35 = __ebx;
      				_t14 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t14 ^ _t46;
      				_t16 =  *0x4bb114; // 0xffffffff
      				if(_t16 != 0xffffffff) {
      					 *0x4bb0d0 = 9;
      					/* The pushes below are the arguments of FilterSendMessage (FLTLIB), reached through
      					   the import thunk L0046E3E6 (see the APIs list): hPort = _t16 (the filter port handle
      					   kept at 0x4bb114), lpInBuffer = &_v36 (8 bytes, both dwords zero), dwInBufferSize = 8,
      					   lpOutBuffer = NULL, dwOutBufferSize = 0, lpBytesReturned = &_v40. */
      					_push( &_v40);
      					_push(0);
      					_push(0);
      					_push(8);
      					_v36 = 0;
      					_push( &_v36);
      					_push(_t16);
      					_v32 = 0;
      					L0046E3E6(); // FilterSendMessage
      					E0043CF70(__ebx, __edx, __edi, __esi, 0, _a4);
      					 *0x4bce3c = 0;
      				}
      				if( *0x4bce38 != 0) {
      					SetEvent( *0x4bce44);
      					if( *0x4bce38 != 1) {
      						__imp__#3( *0x4bb118); // WS2_32 ordinal 3 = closesocket (see APIs); the socket is then set to INVALID_SOCKET
      						 *0x4bb118 = 0xffffffff;
      					}
      					_t19 =  *0x4bce24; // 0x0
      					_t42 = 5;
      					_t38 =  *0x4bce2c; // 0x0
      					_v28 = _t19;
      					_t20 =  *0x4bce28; // 0x0
      					_v24 = _t20;
      					_t21 =  *0x4bce30; // 0x0
      					_v16 = _t21;
      					_t22 =  *0x4bce34; // 0x0
      					_v12 = _t22;
      					_v20 = _t38; // the five globals 0x4bce24..0x4bce34 now form a contiguous HANDLE array starting at &_v28
      					/* The decompiler dropped the condition of this ternary: nCount is either 5 (all handles)
      					   or 2 (the first two). The APIs list below records the call with nCount = 00000002. */
      					_t25 = ( /* condition lost by the decompiler */ ) ? 5 : 2;
      					WaitForMultipleObjects(_t25,  &_v28, 1 /* bWaitAll = TRUE */, 0xffffffff /* INFINITE */);
      					E0043B620(0x4bce48);
      					CloseHandle( *0x4bce24);
      					CloseHandle( *0x4bce28);
      					CloseHandle( *0x4bce2c);
      					CloseHandle( *0x4bce30);
      					CloseHandle( *0x4bce34);
      					 *0x4bce24 = 0;
      					 *0x4bce28 = 0;
      					 *0x4bce2c = 0;
      					 *0x4bce30 = 0;
      					 *0x4bce34 = 0;
      					 *0x4bce38 = 0;
      					ResetEvent( *0x4bce44);
      					_t44 = _t44;
      				}
      				return E0046F77E(_t35, _v8 ^ _t46, _t42, _t43, _t44);
      			}

      0x0043a870
      0x0043a870
      0x0043a870
      0x0043a870
      0x0043a876
      0x0043a87d
      0x0043a880
      0x0043a888
      0x0043a88d
      0x0043a897
      0x0043a898
      0x0043a89a
      0x0043a89c
      0x0043a8a1
      0x0043a8a8
      0x0043a8a9
      0x0043a8aa
      0x0043a8b1
      0x0043a8bb
      0x0043a8c3
      0x0043a8c3
      0x0043a8d1
      0x0043a8dd
      0x0043a8ea
      0x0043a8f2
      0x0043a8f8
      0x0043a8f8
      0x0043a902
      0x0043a907
      0x0043a90c
      0x0043a914
      0x0043a917
      0x0043a91c
      0x0043a91f
      0x0043a925
      0x0043a928
      0x0043a92f
      0x0043a93d
      0x0043a940
      0x0043a944
      0x0043a94f
      0x0043a960
      0x0043a968
      0x0043a970
      0x0043a978
      0x0043a980
      0x0043a988
      0x0043a992
      0x0043a99c
      0x0043a9a6
      0x0043a9b0
      0x0043a9ba
      0x0043a9c4
      0x0043a9ca
      0x0043a9ca
      0x0043a9d8

      APIs
      • FilterSendMessage.FLTLIB(FFFFFFFF,?,00000008,00000000,00000000,?), ref: 0043A8B1
      • SetEvent.KERNEL32(?,?,?,?,?,?,?,0045F959,00000000), ref: 0043A8DD
      • closesocket.WS2_32 ref: 0043A8F2
      • WaitForMultipleObjects.KERNEL32(00000002,?,00000001,000000FF,749682C0,?,?,?,?,?,?,?,0045F959,00000000), ref: 0043A944
      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,0045F959,00000000), ref: 0043A960
      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,0045F959,00000000), ref: 0043A968
      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,0045F959,00000000), ref: 0043A970
      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,0045F959,00000000), ref: 0043A978
      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,0045F959,00000000), ref: 0043A980
      • ResetEvent.KERNEL32(?,?,?,?,?,?,?,0045F959,00000000), ref: 0043A9C4
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CloseHandle$Event$FilterMessageMultipleObjectsResetSendWaitclosesocket
      • String ID:
      • API String ID: 315510332-0
      • Opcode ID: 3c165b71808c5e7da593015363cca6d18ded02272f723a44784c4cdb5b556d6f
      • Instruction ID: 9418dcb0314f092e69d71544753f704dd55a88a1e280ca49790a34dbf667e003
      • Opcode Fuzzy Hash: 3c165b71808c5e7da593015363cca6d18ded02272f723a44784c4cdb5b556d6f
      • Instruction Fuzzy Hash: 42310871900204DFDB15EF69ECD9B9A3FF1EB49314F10423AE418A62B0D7B5A854CFA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E0044F916() {
      				void* __esi;
      				signed int _t22;
      				long _t25;
      				void* _t33;
      				int _t35;
      				intOrPtr _t40;
      				int _t42;
      				void* _t43;
      				struct HWND__* _t44;
      				void* _t45;
      				signed int _t46;
      
      				// Control 0x3f9 is a list view; the message numbers below are ListView messages (LVM_FIRST = 0x1000):
      				// 0x100c LVM_GETNEXTITEM, 0x1028 LVM_GETCOUNTPERPAGE, 0x1004 LVM_GETITEMCOUNT,
      				// 0x102b LVM_SETITEMSTATE, 0x1013 LVM_ENSUREVISIBLE.
      				 *((intOrPtr*)(_t46 - 0x624)) = SendMessageW(GetDlgItem(_t44, 0x3f9), 0x100c, 0xffffffff, 1); // LVM_GETNEXTITEM(-1, LVNI_FOCUSED): index of the focused row
      				_t22 = SendMessageW(GetDlgItem(_t44, 0x3f9), 0x1028, 0, 0); // LVM_GETCOUNTPERPAGE: rows per visible page
      				_t40 =  *((intOrPtr*)(_t46 - 0x624));
      				if( *(_t46 - 0x628) != 0x9c8e) { // wParam of the handled message (it is also passed to DefWindowProcW below); 0x9c8e lies in the WM_APP range
      					_t42 = _t40 + (_t22 + _t22 * 4) * 2; // focused + 10 * rows-per-page
      					_t25 = SendMessageW(GetDlgItem(_t44, 0x3f9), 0x1004, 0, 0); // LVM_GETITEMCOUNT
      					if(_t42 >= _t25) {
      						_t15 = _t25 - 1; // -1
      						_t42 = _t15; // clamp to the last row
      					}
      				} else {
      					// The decompiler emitted this branch as raw registers (neg eax; lea ecx,[eax*4]; sub ecx,eax;
      					// lea edi,[edx+ecx*2]); it is the mirror of the branch above: focused - 10 * rows-per-page, clamped at 0.
      					_t42 = _t40 - (_t22 + _t22 * 4) * 2;
      					if(_t42 < 0) {
      						_t42 = 0;
      					}
      				}
      				 *((intOrPtr*)(_t46 - 0x4c4)) = 3; // LVITEM.stateMask = LVIS_FOCUSED | LVIS_SELECTED
      				 *((intOrPtr*)(_t46 - 0x4c8)) = 3; // LVITEM.state     = LVIS_FOCUSED | LVIS_SELECTED
      				SendMessageW(GetDlgItem(_t44, 0x3f9), 0x102b, _t42, _t46 - 0x4d4); // LVM_SETITEMSTATE(new row, &LVITEM at ebp-0x4d4)
      				SendMessageW(GetDlgItem(_t44, 0x3f9), 0x1013, _t42, 0); // LVM_ENSUREVISIBLE(new row, fPartialOK = FALSE)
      				_t35 =  *(_t46 + 0xc);
      				DefWindowProcW(_t44, _t35,  *(_t46 - 0x628),  *(_t46 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
      				_pop(_t43);
      				_pop(_t45);
      				return E0046F77E(_t33,  *(_t46 - 0x10) ^ _t46, _t40, _t43, _t45);
      			}

      0x0044f943
      0x0044f94c
      0x0044f952
      0x0044f964
      0x0044f98c
      0x0044f996
      0x0044f99e
      0x0044f9a0
      0x0044f9a0
      0x0044f9a0
      0x0044f966
      0x0044f968
      0x0044f96a
      0x0044f96d
      0x0044f96f
      0x0044f974
      0x0044f976
      0x0044f976
      0x0044f974
      0x0044f9a9
      0x0044f9c0
      0x0044f9d1
      0x0044f9ec
      0x0044e726
      0x0044e737
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757

      APIs
      • GetDlgItem.USER32 ref: 0044F92B
      • SendMessageW.USER32(00000000,?,000003F9,0000100C), ref: 0044F92E
      • GetDlgItem.USER32 ref: 0044F949
      • SendMessageW.USER32(00000000,?,000003F9,00001028), ref: 0044F94C
      • GetDlgItem.USER32 ref: 0044F98F
      • SendMessageW.USER32(00000000,?,000003F9,00001004), ref: 0044F996
      • GetDlgItem.USER32 ref: 0044F9CA
      • SendMessageW.USER32(00000000,?,000003F9,0000102B), ref: 0044F9D1
      • GetDlgItem.USER32 ref: 0044F9E5
      • SendMessageW.USER32(00000000,?,000003F9,00001013), ref: 0044F9EC
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ItemMessageSend
      • String ID:
      • API String ID: 3015471070-0
      • Opcode ID: 01a6f57c8fcd499af6349fe364c8fd7afd3f8cabf904e5258bad660ea60be048
      • Instruction ID: d4475272f219ce0341268eb2607cffe2fe8f4bf8989d96fed4dbf978f5dab6fe
      • Opcode Fuzzy Hash: 01a6f57c8fcd499af6349fe364c8fd7afd3f8cabf904e5258bad660ea60be048
      • Instruction Fuzzy Hash: 47117F71A81A11BBFB215F60CC1DF9E366DEB88700F10067AF201FB1E1DBB5564A8B58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E00417690(intOrPtr* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12, char _a16, intOrPtr _a20, intOrPtr _a24) {
      				intOrPtr _v8;
      				char _v16;
      				void* _v20;
      				char _v28;
      				intOrPtr _v32;
      				intOrPtr _v36;
      				char _v40;
      				intOrPtr _v44;
      				intOrPtr _v48;
      				char _v52;
      				signed int _t62;
      				intOrPtr _t77;
      				intOrPtr _t81;
      				intOrPtr _t91;
      				intOrPtr _t134;
      				intOrPtr _t136;
      				intOrPtr _t137;
      				intOrPtr _t139;
      				intOrPtr* _t140;
      				intOrPtr _t141;
      				intOrPtr* _t142;
      				signed int _t144;
      
      				_push(0xffffffff);
      				_push(E00487010);
      				_push( *[fs:0x0]);
      				_t62 =  *0x4bb1dc; // 0x2927074f
      				_push(_t62 ^ _t144);
      				_t1 =  &_v16; // 0x4160ea
      				 *[fs:0x0] = _t1;
      				_v20 = __ecx;
      				_t110 =  *__ecx;
      				_t139 =  *((intOrPtr*)(__ecx + 4));
      				// Each operand is a signed division by 24 (multiply by 0x2aaaaaab, >> 32, >> 2, plus the sign fix):
      				// (end - begin) / 24 < (capacity - begin) / 24, i.e. the container at __ecx (begin at +0, end at +4,
      				// capacity at +8, 24-byte elements; cf. the -0x18 adjustment of the end pointer before L11) has spare room.
      				if((0x2aaaaaab * (_t139 -  *__ecx) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t139 -  *__ecx) >> 0x20 >> 2) < (0x2aaaaaab * ( *((intOrPtr*)(__ecx + 8)) - _t110) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__ecx + 8)) - _t110) >> 0x20 >> 2)) {
      					_t140 = _v20;
      					L11:
      					_v48 = 0;
      					_v8 = 1;
      					E00415190(_t140,  &_v20,  *_t140,  &_v52);
      					_t141 = _v48;
      					_v8 = 0xffffffff;
      					if(_t141 != 0) {
      						_t45 = _t141 + 0x578; // 0x578: the reference count that every InterlockedIncrement/InterlockedDecrement in this function touches
      						if(InterlockedDecrement(_t45) < 2) { // E00467460 releases the object once the decremented count drops below 2
      							E00467460(_t141, _t88);
      						}
      					}
      					_t142 = _v20;
      					 *_t142 = _a4;
      					_t48 =  &_a8; // 0x4160ea
      					_t77 =  *_t48;
      					_t134 =  *((intOrPtr*)(_t142 + 4));
      					 *((intOrPtr*)(_t142 + 4)) = _t77;
      					if(_t77 != 0) {
      						InterlockedIncrement(_t77 + 0x578);
      					}
      					if(_t134 != 0 && InterlockedDecrement(_t134 + 0x578) < 2) {
      						E00467460(_t134, _t83);
      					}
      					 *((intOrPtr*)(_t142 + 8)) = _a12;
      					 *((char*)(_t142 + 0xc)) = _a16;
      					 *((intOrPtr*)(_t142 + 0x10)) = _a20;
      					_t81 = _a24;
      					 *((intOrPtr*)(_t142 + 0x14)) = _t81;
      					_t60 =  &_v16; // 0x4160ea
      					 *[fs:0x0] =  *_t60;
      					return _t81;
      				}
      				_v52 =  *((intOrPtr*)(_t139 - 0x18));
      				_t91 =  *((intOrPtr*)(_t139 - 0x14));
      				_v48 = _t91;
      				if(_t91 != 0) {
      					InterlockedIncrement(_t91 + 0x578);
      				}
      				_v44 =  *((intOrPtr*)(_t139 - 0x10));
      				_v40 =  *((intOrPtr*)(_t139 - 0xc));
      				_v36 =  *((intOrPtr*)(_t139 - 8));
      				_v32 =  *((intOrPtr*)(_t139 - 4));
      				_t140 = _v20;
      				_v8 = 0;
      				E00414D50(_t140 + 0xc,  &_v28, 0,  &_v52,  *0x4bc8dc & 0x000000ff);
      				_t136 = _v48;
      				_v8 = 0xffffffff;
      				if(_t136 != 0 && InterlockedDecrement(_t136 + 0x578) < 2) {
      					E00467460(_t136, _t105);
      				}
      				_t137 =  *((intOrPtr*)( *((intOrPtr*)(_t140 + 4)) - 0x14));
      				if(_t137 != 0) {
      					_t35 = _t137 + 0x578; // 0x416662
      					if(InterlockedDecrement(_t35) < 2) {
      						E00467460(_t137, _t102);
      					}
      				}
      				 *((intOrPtr*)(_t140 + 4)) =  *((intOrPtr*)(_t140 + 4)) + 0xffffffe8;
      				goto L11;
      			}

      0x00417693
      0x00417695
      0x004176a0
      0x004176a7
      0x004176ae
      0x004176af
      0x004176b2
      0x004176ba
      0x004176bd
      0x004176c2
      0x004176f5
      0x0041779d
      0x004177a0
      0x004177a0
      0x004177aa
      0x004177ba
      0x004177bf
      0x004177c2
      0x004177cb
      0x004177cd
      0x004177d9
      0x004177de
      0x004177de
      0x004177d9
      0x004177e3
      0x004177e9
      0x004177eb
      0x004177eb
      0x004177ee
      0x004177f1
      0x004177f6
      0x004177fe
      0x004177fe
      0x00417806
      0x00417819
      0x00417819
      0x00417821
      0x00417827
      0x0041782d
      0x00417830
      0x00417833
      0x00417836
      0x00417839
      0x00417847
      0x00417847
      0x004176fe
      0x00417701
      0x00417704
      0x00417709
      0x00417711
      0x00417711
      0x0041771a
      0x00417720
      0x00417726
      0x0041772c
      0x00417736
      0x0041773d
      0x0041774e
      0x00417753
      0x00417756
      0x0041775f
      0x00417772
      0x00417772
      0x0041777a
      0x0041777f
      0x00417781
      0x0041778d
      0x00417792
      0x00417792
      0x0041778d
      0x00417797
      0x00000000

      APIs
      • InterlockedIncrement.KERNEL32(00415B72), ref: 00417711
      • InterlockedDecrement.KERNEL32(?), ref: 00417768
      • InterlockedDecrement.KERNEL32(00416662), ref: 00417788
      • InterlockedDecrement.KERNEL32(00000578), ref: 004177D4
      • InterlockedIncrement.KERNEL32(`A), ref: 004177FE
      • InterlockedDecrement.KERNEL32(?), ref: 0041780F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Interlocked$Decrement$Increment
      • String ID: `A$`A
      • API String ID: 2574743344-4043567493
      • Opcode ID: 3f513b029ce4a2a19dee1fbc49ce36c613dfe5d15a421275314b563957487ad9
      • Instruction ID: fa69ce6be81a7eea62d48eee039037863f56fb58f92b0ed12c41e9fbebb3af0c
      • Opcode Fuzzy Hash: 3f513b029ce4a2a19dee1fbc49ce36c613dfe5d15a421275314b563957487ad9
      • Instruction Fuzzy Hash: E25140B5A046049FCB10DF69C884AEEF7F9FB48710F144A2AE865D3381DB34E945CBA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 70%
      			E0043A130(void* __edx, void* __edi, void* __eflags) {
      				long _v8;
      				char _v16;
      				char _v20;
      				char _v24;
      				void* _v28;
      				char _v32;
      				signed int _v36;
      				void* __ebx;
      				void* __esi;
      				signed int _t31;
      				char _t41;
      				char* _t43;
      				void* _t53;
      				signed int _t59;
      				long _t60;
      				signed int _t62;
      				intOrPtr _t64;
      				char* _t79;
      				signed int _t80;
      				void* _t81;
      				void* _t83;
      
      				_t75 = __edx;
      				_push(0xffffffff);
      				_push(E00489A40);
      				_push( *[fs:0x0]);
      				_push(_t59);
      				_t31 =  *0x4bb1dc; // 0x2927074f
      				_push(_t31 ^ _t80);
      				 *[fs:0x0] =  &_v16;
      				E0043B830(_t59, __edx,  &_v20);
      				_t83 = _t81 - 0x14 + 4;
      				_v8 = 0;
      				if(E0046A720( &_v20) == 0) {
      					if(E00439880(_t59, __edx) == 0) {
      						_t64 =  *0x4bb114; // 0xffffffff
      						 *0x4bce38 = 3;
      						if(_t64 == 0xffffffff) {
      							L15:
      							_push(L"Error enabling capture");
      							E00464AC0(_t37);
      							L16:
      							_t60 = 0;
      							L17:
      							_t65 = _v20;
      							_v8 = 0xffffffff;
      							if(_v20 != 0) {
      								E0046A700(_t65);
      							}
      							 *[fs:0x0] = _v16;
      							return _t60;
      						}
      						_t41 =  *0x4bb120; // 0x7
      						_v24 = _t41;
      						/* Arguments of FilterSendMessage (FLTLIB) through the import thunk L0046E3E6:
      						   hPort = _t64 (the filter port handle at 0x4bb114), lpInBuffer = &_v28 (8 bytes:
      						   dword 0 = 0, dword 1 = the value read from 0x4bb120, 7 in the dump),
      						   dwInBufferSize = 8, lpOutBuffer = NULL, dwOutBufferSize = 0, lpBytesReturned = &_v32. */
      						_push( &_v32);
      						_push(0);
      						_push(0);
      						_push(8);
      						_t43 =  &_v28;
      						 *0x4bb0d0 = 9;
      						_push(_t43);
      						_push(_t64);
      						_v28 = 0;
      						L0046E3E6(); // FilterSendMessage
      						_t79 = _t43; // eax after the call, i.e. the returned HRESULT, not &_v28 (register reuse in the decompiler output)
      						_t62 = _t59 & 0xffffff00 | _t79 == 0x00000000; // bl = (hr == S_OK)
      						_v36 = _t62;
      						_t37 = E0043CF70(_t62, __edx, __edi, _t79, _v36, 0);
      						_t83 = _t83 + 8;
      						 *0x4bce3c = _t62; // success flag; E0043A870 clears it again on shutdown
      						if(_t79 != 0) {
      							goto L15; // "Error enabling capture"
      						}
      						E0043B6A0(_t64, _t75, 1);
      						WaitForSingleObject( *0x4bce24, 0xffffffff); // INFINITE
      						_t60 = 1;
      						goto L17;
      					}
      					if(GetLastError() != 4) { // 4 is ERROR_TOO_MANY_OPEN_FILES in winerror.h; E00439880 is the call whose failure is reported here
      						_push(L"PROCMON: Unable to load device driver");
      					} else {
      						_push(L"PROCMON: already running on this system");
      					}
      					E00464AC0(_t46);
      					__imp__#3( *0x4bb118); // WS2_32 ordinal 3 = closesocket (see APIs)
      					goto L16;
      				}
      				_v24 = E0046A6C0(_t59, L"\r\n", E0046A530(L"\r\n"));
      				_v8 = 1;
      				E0046A190( &_v36, L"PROCMON: Error waiting for console connection: ",  &_v20);
      				_v8 = 2;
      				_t53 = E0046A230( &_v32,  &_v24);
      				_v8 = 3;
      				_push(E0046A170(_t53));
      				E00464AC0(_t54);
      				_t72 = _v32;
      				_v8 = 2;
      				if(_v32 != 0) {
      					E0046A700(_t72);
      				}
      				_t73 = _v36;
      				_v8 = 1;
      				if(_v36 != 0) {
      					E0046A700(_t73);
      				}
      				_t74 = _v24;
      				_v8 = 0;
      				if(_v24 != 0) {
      					E0046A700(_t74);
      				}
      				goto L16;
      			}

      0x0043a130
      0x0043a133
      0x0043a135
      0x0043a140
      0x0043a144
      0x0043a146
      0x0043a14d
      0x0043a151
      0x0043a15b
      0x0043a160
      0x0043a166
      0x0043a174
      0x0043a212
      0x0043a244
      0x0043a24a
      0x0043a257
      0x0043a2c3
      0x0043a2c3
      0x0043a2c8
      0x0043a2d0
      0x0043a2d0
      0x0043a2d2
      0x0043a2d2
      0x0043a2d5
      0x0043a2de
      0x0043a2e0
      0x0043a2e0
      0x0043a2ea
      0x0043a2f7
      0x0043a2f7
      0x0043a259
      0x0043a25e
      0x0043a264
      0x0043a265
      0x0043a267
      0x0043a269
      0x0043a26b
      0x0043a26e
      0x0043a278
      0x0043a279
      0x0043a27a
      0x0043a281
      0x0043a286
      0x0043a28c
      0x0043a28f
      0x0043a295
      0x0043a29a
      0x0043a29d
      0x0043a2a5
      0x00000000
      0x00000000
      0x0043a2a9
      0x0043a2b9
      0x0043a2bf
      0x00000000
      0x0043a2bf
      0x0043a21d
      0x0043a226
      0x0043a21f
      0x0043a21f
      0x0043a21f
      0x0043a22b
      0x0043a239
      0x00000000
      0x0043a239
      0x0043a18f
      0x0043a195
      0x0043a1a3
      0x0043a1ae
      0x0043a1b9
      0x0043a1c0
      0x0043a1c9
      0x0043a1ca
      0x0043a1cf
      0x0043a1d5
      0x0043a1db
      0x0043a1dd
      0x0043a1dd
      0x0043a1e2
      0x0043a1e5
      0x0043a1eb
      0x0043a1ed
      0x0043a1ed
      0x0043a1f2
      0x0043a1f5
      0x0043a1fb
      0x0043a201
      0x0043a201
      0x00000000

      APIs
        • Part of subcall function 0043B830: socket.WS2_32(00000002,00000001,00000000), ref: 0043B858
      • GetLastError.KERNEL32(?,00000000,00489A40,000000FF), ref: 0043A214
      • closesocket.WS2_32 ref: 0043A239
        • Part of subcall function 0046A230: InterlockedIncrement.KERNEL32(004373F9), ref: 0046A267
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • FilterSendMessage.FLTLIB(FFFFFFFF,?,00000008,00000000,00000000,?), ref: 0043A281
      • WaitForSingleObject.KERNEL32(000000FF,?,00000000,?), ref: 0043A2B9
      Strings
      • Error enabling capture, xrefs: 0043A2C3
      • PROCMON: Error waiting for console connection: , xrefs: 0043A19D
      • PROCMON: Unable to load device driver, xrefs: 0043A226
      • PROCMON: already running on this system, xrefs: 0043A21F
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Interlocked$DecrementErrorFilterIncrementLastMessageObjectSendSingleWaitclosesocketsocket
      • String ID: Error enabling capture$PROCMON: Error waiting for console connection: $PROCMON: Unable to load device driver$PROCMON: already running on this system
      • API String ID: 1108568522-2204442083
      • Opcode ID: 7b4ceedd670857ccee67c826e268bc67c07913df756570065898b18c170d3b6a
      • Instruction ID: 4e67ca3b8364b884ad8a15f7bb3affe28c0b2c00b8246a141de0c218807a1b9a
      • Opcode Fuzzy Hash: 7b4ceedd670857ccee67c826e268bc67c07913df756570065898b18c170d3b6a
      • Instruction Fuzzy Hash: AB4118B59442089BDF04EBA4DC52BAF7774AB05318F14026FE812733C2E7799914CAAB
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E00462FA0(struct _CRITICAL_SECTION* __ecx, struct _CRITICAL_SECTION* _a4) {
      				struct _CRITICAL_SECTION* _v8;
      				struct _CRITICAL_SECTION* _v12;
      				char _v16;
      				intOrPtr* _v20;
      				signed int _v24;
      				struct _CRITICAL_SECTION* _v28;
      				struct _CRITICAL_SECTION* _v32;
      				intOrPtr _v36;
      				char _v40;
      				intOrPtr _v44;
      				void* _v48;
      				struct _CRITICAL_SECTION* _v52;
      				intOrPtr* _v56;
      				intOrPtr* _v60;
      				intOrPtr _v64;
      				struct _CRITICAL_SECTION* _v72;
      				char _v80;
      				signed int _v84;
      				intOrPtr* _v108;
      				struct _CRITICAL_SECTION* _v112;
      				char _v116;
      				intOrPtr* _v124;
      				struct _CRITICAL_SECTION* _v128;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t85;
      				signed int _t94;
      				signed int _t98;
      				signed int _t99;
      				char _t102;
      				intOrPtr _t105;
      				struct _CRITICAL_SECTION* _t122;
      				intOrPtr* _t123;
      				void* _t124;
      				struct _CRITICAL_SECTION* _t126;
      				intOrPtr* _t127;
      				void* _t128;
      				void* _t129;
      				signed int _t130;
      				void* _t131;
      				signed int _t137;
      				struct _CRITICAL_SECTION* _t140;
      				intOrPtr* _t141;
      				intOrPtr _t143;
      				intOrPtr _t149;
      				signed int _t155;
      				intOrPtr* _t158;
      				void* _t160;
      				signed char* _t161;
      				struct _CRITICAL_SECTION* _t162;
      				intOrPtr _t165;
      				void* _t167;
      				signed int* _t168;
      				char _t169;
      				void* _t172;
      				signed int _t173;
      
      				_push(0xffffffff);
      				_push(E0048C858);
      				_push( *[fs:0x0]);
      				_t173 = _t172 - 0x20;
      				_push(_t162);
      				_t85 =  *0x4bb1dc; // 0x2927074f
      				_push(_t85 ^ _t170);
      				 *[fs:0x0] =  &_v16;
      				_t122 = __ecx;
      				_v28 = __ecx;
      				if( *((intOrPtr*)(__ecx + 0x18)) > 0) {
      					_t162 = Sleep;
      					do {
      						Sleep(0x64); // poll every 100 ms until the counter at this+0x18 has drained, before taking the critical section
      					} while ( *((intOrPtr*)(_t122 + 0x18)) > 0);
      				}
      				_v32 = _t122;
      				EnterCriticalSection(_t122);
      				_t123 = _t122 + 0x1c;
      				_v8 = 0;
      				_v20 = _t123;
      				E004635A0(_t123,  *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x1c)) + 4)));
      				_t158 = _a4;
      				 *((intOrPtr*)( *_t123 + 4)) =  *_t123;
      				 *((intOrPtr*)( *_t123)) =  *_t123;
      				 *((intOrPtr*)( *_t123 + 8)) =  *_t123;
      				 *(_t123 + 4) = 0;
      				_t137 =  *(_t158 + 4);
      				_t15 = _t137 + 4; // 0x4
      				_t155 = _t15;
      				if(_t155 >  *((intOrPtr*)(_t158 + 8))) {
      					_a4 = 0x7a;
      					E0046F78D( &_a4, 0x4affc8);
      				}
      				_t124 = 0;
      				_t94 =  *((intOrPtr*)( *_t158 + _t137));
      				_v24 = _t94;
      				 *(_t158 + 4) = _t155;
      				if(_t94 == 0) {
      					L15:
      					LeaveCriticalSection(_v28);
      					 *[fs:0x0] = _v16;
      					return _t94;
      				} else {
      					while(1) {
      						_a4 = 0;
      						_t140 =  *(_t158 + 4);
      						_v8 = 1;
      						_t25 = _t140 + 4; // 0x4
      						_t156 = _t25;
      						if(_t156 >  *((intOrPtr*)(_t158 + 8))) {
      							break;
      						}
      						_t169 =  *((intOrPtr*)( *_t158 + _t140));
      						 *(_t158 + 4) = _t156;
      						E004648D0(_t124, _t158, _t158, _t169,  &_a4);
      						_v40 = _t169;
      						_t162 = _a4;
      						_v36 = _t162;
      						if(_t162 != 0) {
      							E0046A420(_t162);
      						}
      						_t34 =  &_v40; // 0x4c2538
      						_v8 = 2;
      						_t94 = E004622F0(_v20,  &_v48, 0, _t34,  *0x4c2580 & 0x000000ff);
      						_v8 = 1;
      						if(_t162 != 0) {
      							_t94 = E0046A700(_t162);
      						}
      						_t152 = _a4;
      						_v8 = 0;
      						if(_a4 != 0) {
      							_t94 = E0046A700(_t152);
      						}
      						_t124 = _t124 + 1;
      						if(_t124 < _v24) {
      							continue;
      						} else {
      							goto L15;
      						}
      						goto L38;
      					}
      					_v24 = 0x7a;
      					E0046F78D( &_v24, 0x4affc8); // does not return: the six int3 bytes that follow are inter-function padding (consistent with a throw helper; an inference from the layout)
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					// Everything from here to the end of the listing is the next function (its SEH prologue starts at
      					// 0x00463121 in the address column); the decompiler merged it into E00462FA0 because the call above never returns.
      					_t171 = _t173;
      					_push(0xffffffff);
      					_push(E0048C888);
      					_push( *[fs:0x0]);
      					_t98 =  *0x4bb1dc; // 0x2927074f
      					_t99 = _t98 ^ _t173;
      					_v84 = _t99;
      					_push(_t124);
      					_push(_t162);
      					_push(_t158);
      					_push(_t99);
      					 *[fs:0x0] =  &_v80;
      					_t126 = _t140;
      					_v112 = _t126;
      					_t141 = _v56;
      					_v108 = _v60;
      					_t102 = _v52;
      					_v124 = _t141;
      					_v116 = _t102;
      					_v128 = 0;
      					if(_t102 == 0) {
      						asm("xorps xmm0, xmm0");
      						_v40 =  *_t141;
      						asm("movq [ebp-0x1c], xmm0");
      						_v28 = 0;
      					} else {
      						asm("movdqu xmm0, [ecx]");
      						asm("movdqu [ebp-0x20], xmm0");
      					}
      					_v72 = _t126;
      					EnterCriticalSection(_t126);
      					_t127 = _t126 + 0x1c;
      					_v12 = 0;
      					_v60 = _t127;
      					_t105 = E00463640(_t127,  &_v40);
      					_t143 =  *_t127;
      					if(_t105 == _t143) {
      						L30:
      						_v44 = _t143;
      					} else {
      						_t61 = _t105 + 0x10; // 0x10
      						_t161 = _t61;
      						_t129 = 0xc;
      						_t168 =  &_v40;
      						// Inlined 16-byte memcmp of the key in _v40 against the node key at node+0x10: four dword
      						// compares (counter 0xc, 8, 4, 0), then on a mismatch a byte-wise subtraction to obtain the
      						// sign. The repeated _t168[0] below is a decompiler artifact; bytes [1], [2] and [3] of the
      						// mismatching dword are the ones compared.
      						while(1) {
      							_t156 =  *_t168;
      							if(_t156 !=  *_t161) {
      								break;
      							}
      							_t168 =  &(_t168[1]);
      							_t161 =  &(_t161[4]);
      							_t129 = _t129 - 4;
      							if(_t129 >= 0) {
      								continue;
      							} else {
      								_t131 = 0;
      							}
      							L29:
      							_v44 = _t105;
      							if(_t131 < 0) {
      								goto L30;
      							}
      							goto L31;
      						}
      						_t130 = _t156 & 0x000000ff;
      						_t156 =  *_t161 & 0x000000ff;
      						_t131 = _t130 - ( *_t161 & 0x000000ff);
      						if(_t131 == 0) {
      							_t156 = _t161[1] & 0x000000ff;
      							_t131 = (_t168[0] & 0x000000ff) - (_t161[1] & 0x000000ff);
      							if(_t131 == 0) {
      								_t156 = _t161[2] & 0x000000ff;
      								_t131 = (_t168[0] & 0x000000ff) - (_t161[2] & 0x000000ff);
      								if(_t131 == 0) {
      									_t156 = _t161[3] & 0x000000ff;
      									_t131 = (_t168[0] & 0x000000ff) - (_t161[3] & 0x000000ff);
      								}
      							}
      						}
      						goto L29;
      					}
      					L31:
      					_t165 = _v44;
      					if(_t165 ==  *_v60 || E0046A720(_t165 + 0x20) == 0) {
      						_v12 = 0xffffffff;
      						LeaveCriticalSection(_v52);
      						L00435FF0(_v48, _v48, _v64, _v56, 0xffffffff);
      					} else {
      						_t149 =  *((intOrPtr*)(_t165 + 0x20));
      						 *_v48 = _t149;
      						if(_t149 != 0) {
      							E0046A420(_t149);
      						}
      						LeaveCriticalSection(_v52);
      					}
      					 *[fs:0x0] = _v20;
      					_pop(_t160);
      					_pop(_t167);
      					_pop(_t128);
      					return E0046F77E(_t128, _v24 ^ _t171, _t156, _t160, _t167);
      				}
      				L38:
      			}

      0x00462fa3
      0x00462fa5
      0x00462fb0
      0x00462fb1
      0x00462fb5
      0x00462fb7
      0x00462fbe
      0x00462fc2
      0x00462fc8
      0x00462fca
      0x00462fd1
      0x00462fd3
      0x00462fe0
      0x00462fe2
      0x00462fe4
      0x00462fe0
      0x00462feb
      0x00462fee
      0x00462ff7
      0x00462ffc
      0x00463003
      0x00463009
      0x00463010
      0x00463013
      0x00463018
      0x0046301c
      0x0046301f
      0x00463026
      0x00463029
      0x00463029
      0x0046302f
      0x00463039
      0x00463041
      0x00463041
      0x00463048
      0x0046304a
      0x0046304d
      0x00463050
      0x00463055
      0x004630e8
      0x004630eb
      0x004630f4
      0x00463102
      0x0046305b
      0x00463060
      0x00463060
      0x00463067
      0x0046306a
      0x0046306e
      0x0046306e
      0x00463074
      0x00000000
      0x00000000
      0x0046307c
      0x00463085
      0x00463088
      0x0046308d
      0x00463090
      0x00463093
      0x00463098
      0x0046309c
      0x0046309c
      0x004630ac
      0x004630af
      0x004630ba
      0x004630bf
      0x004630c5
      0x004630c9
      0x004630c9
      0x004630ce
      0x004630d1
      0x004630d7
      0x004630d9
      0x004630d9
      0x004630de
      0x004630e2
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x004630e2
      0x0046310d
      0x00463115
      0x0046311a
      0x0046311b
      0x0046311c
      0x0046311d
      0x0046311e
      0x0046311f
      0x00463121
      0x00463123
      0x00463125
      0x00463130
      0x00463134
      0x00463139
      0x0046313b
      0x0046313e
      0x0046313f
      0x00463140
      0x00463141
      0x00463145
      0x0046314b
      0x0046314d
      0x00463153
      0x00463156
      0x00463159
      0x0046315c
      0x0046315f
      0x00463162
      0x0046316b
      0x0046317a
      0x0046317d
      0x00463180
      0x00463185
      0x0046316d
      0x0046316d
      0x00463171
      0x00463171
      0x0046318d
      0x00463190
      0x00463196
      0x00463199
      0x004631a3
      0x004631a9
      0x004631ae
      0x004631b2
      0x00463208
      0x00463208
      0x004631b4
      0x004631b4
      0x004631b4
      0x004631b7
      0x004631bc
      0x004631c0
      0x004631c0
      0x004631c4
      0x00000000
      0x00000000
      0x004631c6
      0x004631c9
      0x004631cc
      0x004631cf
      0x00000000
      0x004631d1
      0x004631d1
      0x004631d1
      0x00463201
      0x00463201
      0x00463206
      0x00000000
      0x00000000
      0x00000000
      0x00463206
      0x004631d5
      0x004631d8
      0x004631db
      0x004631dd
      0x004631e3
      0x004631e7
      0x004631e9
      0x004631ef
      0x004631f3
      0x004631f5
      0x004631fb
      0x004631ff
      0x004631ff
      0x004631f5
      0x004631e9
      0x00000000
      0x004631dd
      0x0046320b
      0x00463211
      0x00463215
      0x00463242
      0x00463249
      0x0046325b
      0x00463223
      0x00463223
      0x00463229
      0x0046322d
      0x0046322f
      0x0046322f
      0x00463237
      0x00463237
      0x00463268
      0x00463270
      0x00463271
      0x00463272
      0x00463280
      0x00463280
      0x00000000

      APIs
      • Sleep.KERNEL32(00000064,2927074F,00000000,00000000,004C2538,?,?,?,?,?,?,?,?,?,2927074F,0048C818), ref: 00462FE2
      • EnterCriticalSection.KERNEL32(?,2927074F,00000000,00000000,004C2538,?,?,?,?,?,?,?,?,?,2927074F,0048C818), ref: 00462FEE
      • __CxxThrowException@8.LIBCMT ref: 00463041
      • LeaveCriticalSection.KERNEL32(?,?,?,2927074F,00000000,00000000,004C2538), ref: 004630EB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterException@8LeaveSleepThrow
      • String ID: 8%L$z$z
      • API String ID: 1240790709-4220303853
      • Opcode ID: 73c879ca3677fe091227bf5e5a4a448c520e3d4cb3cb0156e815ea251d6287d0
      • Instruction ID: 92a2dc2cc1595309a8499ce544759e93e0c9cf9e8b992c359b82f55cd243e73f
      • Opcode Fuzzy Hash: 73c879ca3677fe091227bf5e5a4a448c520e3d4cb3cb0156e815ea251d6287d0
      • Instruction Fuzzy Hash: CF417D74A01659EFCB10DF58C991B9EBBB5FF09304F10816EE804AB345E778AA05CB96
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 57%
      			E0043C260(void* __ebx, void* __edi, void* __esi) {
      				signed int _v8;
      				intOrPtr _v16;
      				intOrPtr _v24;
      				intOrPtr _v40;
      				intOrPtr _v404;
      				intOrPtr _v408;
      				char _v420;
      				char _v424;
      				signed int _v428;
      				signed int _v432;
      				char _v436;
      				signed int _t18;
      				signed int _t25;
      				signed int _t45;
      				void* _t47;
      				void* _t48;
      				void* _t51;
      				signed int _t52;
      
      				_t18 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t18 ^ _t52;
      				EnterCriticalSection(0x4bcfc4);
      				E00430DE0(0x4bcfbc);
      				LeaveCriticalSection(0x4bcfc4);
      				_v424 = 0;
      				E00470030( &_v420, 0, 0x19c);
      				E00436690();
      				_v424 = 0;
      				_t45 = L"NT Kernel Logger";
      				_v16 = 0;
      				_v40 = E0043C250;
      				_v408 = 0;
      				_t40 =  ==  ? _t45 : L"PROCMON TRACE";
      				_v24 = E0043D290;
      				asm("xorps xmm0, xmm0");
      				_v420 =  ==  ? _t45 : L"PROCMON TRACE";
      				asm("movlpd [ebp-0x19c], xmm0");
      				_v404 = 0x1100;
      				_t25 =  *0x4bcfe8( &_v424);
      				_v432 = _t25;
      				_v428 = _t45;
      				if((_t25 | _t45) == 0) {
      					return E0046F77E(__ebx, _v8 ^ _t52, _t45, __edi, __esi);
      				} else {
      					_t47 = E00472D60(0, 0, E0043C3A0, 0, 0,  &_v436);
      					 *0x4bcfec( &_v432, 0, 0, __edi, __esi);
      					WaitForSingleObject(_t47, 0xffffffff);
      					CloseHandle(_t47);
      					_pop(_t48);
      					_t51 = 1;
      					return E0046F77E(__ebx, _v8 ^ _t52, _t45, _t48, _t51);
      				}
      			}

      0x0043c269
      0x0043c270
      0x0043c278
      0x0043c283
      0x0043c28d
      0x0043c29e
      0x0043c2ab
      0x0043c2b3
      0x0043c2ba
      0x0043c2c4
      0x0043c2c9
      0x0043c2d5
      0x0043c2e2
      0x0043c2ec
      0x0043c2ef
      0x0043c2f6
      0x0043c2f9
      0x0043c300
      0x0043c308
      0x0043c312
      0x0043c318
      0x0043c320
      0x0043c326
      0x0043c391
      0x0043c328
      0x0043c346
      0x0043c355
      0x0043c360
      0x0043c367
      0x0043c36d
      0x0043c370
      0x0043c37e
      0x0043c37e

      APIs
      • EnterCriticalSection.KERNEL32(004BCFC4), ref: 0043C278
      • LeaveCriticalSection.KERNEL32(004BCFC4), ref: 0043C28D
      • _memset.LIBCMT ref: 0043C2AB
        • Part of subcall function 00436690: GetVersion.KERNEL32(0043D049,?,?,00000000), ref: 00436690
        • Part of subcall function 00436690: GetVersion.KERNEL32(?,?,00000000), ref: 0043669A
      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0043C360
      • CloseHandle.KERNEL32(00000000), ref: 0043C367
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSectionVersion$CloseEnterHandleLeaveObjectSingleWait_memset
      • String ID: NT Kernel Logger$PROCMON TRACE$`xx
      • API String ID: 764731704-887401100
      • Opcode ID: 76d8a9eeb404d7a5d91a4cd849ff703f6118c8bf4416c6db46bc8b0042b6c9f9
      • Instruction ID: d8647d0785f5a18e88d09ef89e5303aac16b648b718f07fff491cac032023de1
      • Opcode Fuzzy Hash: 76d8a9eeb404d7a5d91a4cd849ff703f6118c8bf4416c6db46bc8b0042b6c9f9
      • Instruction Fuzzy Hash: 97319371E01218AFDB20DFA49D46BEEB7B4AF49710F1042EEF905A62C0D7B41A448F99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E0044F7D5(void* __ebx, void* __edx, void* __eflags) {
      				void* __esi;
      				void* _t24;
      				void* _t32;
      				void* _t33;
      				void* _t34;
      				void* _t35;
      				signed int _t36;
      
      				_t32 = __edx;
      				_t24 = __ebx;
      				GetModuleFileNameW(0, _t36 - 0x288, 0x208); // path of the running executable
      				E0046EF0C(E00471495(_t36 - 0x288, 0x5c), _t36 - 0x80 - _t13 >> 1, L"\\procmon.chm"); // _wcsrchr for the last '\\' and append procmon.chm, i.e. the help file next to the exe
      				swprintf(_t36 - 0x490, 0x104, L"%s:Zone.Identifier", _t36 - 0x288); // NTFS alternate data stream that carries the Mark-of-the-Web
      				DeleteFileW(_t36 - 0x490); // deletes only that stream, so HTML Help will no longer treat the .chm as downloaded content
      				if(E00401149(_t32, _t34, _t36 - 0x288, 0, 0) == 0) {
      					SetLastError(__eax);
      					__ecx = __esp;
      					E0040C980(__ebx, __esp, L"Unable to open help file") = E00437AE0(__ebx, __eflags, __esp, 0);
      					__eax = 0;
      				}
      				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
      				_pop(_t33);
      				_pop(_t35);
      				return E0046F77E(_t24,  *(_t36 - 0x10) ^ _t36, _t32, _t33, _t35);
      			}

      0x0044f7d5
      0x0044f7d5
      0x0044f7e3
      0x0044f805
      0x0044f822
      0x0044f831
      0x0044f84a
      0x0044f851
      0x0044f85a
      0x0044f866
      0x0044f86e
      0x0044f86e
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0044F7E3
      • _wcsrchr.LIBCMT ref: 0044F7F2
      • swprintf.LIBCMT ref: 0044F822
      • DeleteFileW.KERNEL32(?), ref: 0044F831
        • Part of subcall function 00401149: LoadLibraryA.KERNEL32(?), ref: 00401196
        • Part of subcall function 00401149: LoadLibraryA.KERNEL32(hhctrl.ocx), ref: 004011AC
      • SetLastError.KERNEL32(00000000), ref: 0044F851
        • Part of subcall function 00437AE0: MessageBoxW.USER32(00000000,Process Monitor,00000010), ref: 00437B2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: FileLibraryLoad$DeleteErrorLastMessageModuleName_wcsrchrswprintf
      • String ID: %s:Zone.Identifier$Unable to open help file$\procmon.chm
      • API String ID: 3973298440-1170110365
      • Opcode ID: b62d389bf69bd382fecc4a8e7c2c75d22bd77737901313886c5ab3d63dc7a2db
      • Instruction ID: 5f7d05bf8f8ebaaddd823cbe78a043793710daae44f943c485a0efd52fced2c0
      • Opcode Fuzzy Hash: b62d389bf69bd382fecc4a8e7c2c75d22bd77737901313886c5ab3d63dc7a2db
      • Instruction Fuzzy Hash: 3011CAB5A402086BDB54E7A19C4BFFF736CAB04705F40057BFA06D61C1EF7856448B29
      Uniqueness

      Uniqueness Score: -1.00%
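
      The Mark-of-the-Web handling in E0044F7D5 above, as an added example that is not part of this report or of Process Monitor. On NTFS, "<file>:Zone.Identifier" names an alternate data stream holding an INI-style [ZoneTransfer] section; files saved by a browser carry ZoneId=3 (Internet), and HTML Help refuses to render a .chm marked that way. The decompiled function builds exactly that path with swprintf("%s:Zone.Identifier") and hands it to DeleteFileW, which removes the stream but leaves the file. The helpers below (their names are assumptions made for this example) read, parse and delete the stream with plain file I/O, so on Windows they operate on the real stream; on other systems the colon is simply part of a file name, which is how the constructed sample exercises them offline.

```python
"""Mark-of-the-Web (Zone.Identifier) inspection and removal.

Added example, not code from the sandbox report or from Process Monitor.
Function names and the sample file are assumptions made for this example.
"""
import os
import tempfile
from typing import Optional

STREAM_SUFFIX = ":Zone.Identifier"  # the NTFS stream name used by E0044F7D5

# Zone ids written by URLMON; 3 is what downloaded files normally carry.
ZONE_NAMES = {0: "Local machine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def zone_identifier_path(path: str) -> str:
    """Same string E0044F7D5 builds with swprintf("%s:Zone.Identifier")."""
    return path + STREAM_SUFFIX


def parse_zone_transfer(text: str) -> Optional[int]:
    """Return ZoneId from a [ZoneTransfer] section, or None if absent or malformed.

    The stream is INI-like: other keys (ReferrerUrl, HostUrl) may follow ZoneId.
    """
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_zone_id(path: str) -> Optional[int]:
    """ZoneId of the file's Mark-of-the-Web, or None if it has none."""
    try:
        with open(zone_identifier_path(path), "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_transfer(f.read())
    except FileNotFoundError:
        return None


def remove_mark_of_the_web(path: str) -> bool:
    """Delete the Zone.Identifier stream (what DeleteFileW does in E0044F7D5).

    Returns True if a stream was removed, False if there was none.
    On Windows this deletes only the stream; the file itself is untouched.
    """
    try:
        os.remove(zone_identifier_path(path))
        return True
    except FileNotFoundError:
        return False


def make_sample(zone_id: int = 3) -> str:
    """Constructed sample: an empty 'procmon.chm' with a Zone.Identifier stream."""
    directory = tempfile.mkdtemp(prefix="motw-")
    path = os.path.join(directory, "procmon.chm")
    open(path, "wb").close()
    with open(zone_identifier_path(path), "w", encoding="utf-8") as f:
        f.write(f"[ZoneTransfer]\r\nZoneId={zone_id}\r\nReferrerUrl=https://example.test/\r\n")
    return path


if __name__ == "__main__":
    sample = make_sample()
    zone = read_zone_id(sample)
    print("before:", zone, ZONE_NAMES.get(zone))
    remove_mark_of_the_web(sample)
    print("after:", read_zone_id(sample))
```

      When triaging a binary that does this, the check is whether the stream it removes belongs to a file it shipped itself (as here, a help file beside the executable) or to payloads it fetched: the same DeleteFileW call on a downloaded executable is a SmartScreen and attachment-manager bypass.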

      C-Code - Quality: 84%
      			E0044F4C3(void* __ebx, void* __edx) {
      				void* __esi;
      				struct HWND__* _t15;
      				void* _t26;
      				int _t29;
      				void* _t35;
      				void* _t37;
      				struct HWND__* _t38;
      				void* _t39;
      				signed int _t40;
      
      				_t35 = __edx;
      				_t26 = __ebx;
      				_t15 =  *0x4bd2bc; // 0x0
      				if(_t15 == 0) {
      					 *0x4bd2bc = CreateDialogParamW( *0x4bd2c4, L"PROCESS_TREE", _t38, 0x455ea0, 0);
      				} else {
      					SetForegroundWindow( *0x4bd2bc);
      				}
      				 *(_t40 - 0x494) = 0x4bca10;
      				EnterCriticalSection(0x4bca10);
      				 *((intOrPtr*)(_t40 - 4)) = 0x15;
      				E0040D160(0x4bca10, _t40 - 0x4b4, SendMessageW(GetDlgItem(_t38, 0x3f9), 0x1042, 0, 0));
      				 *((char*)(_t40 - 4)) = 0x16;
      				if( *((intOrPtr*)(_t40 - 0x4ac)) != 0) {
      					SendMessageW( *0x4bd2bc, 0x8003, 0,  *(E00411BA0(_t40 - 0x4b4) + 4));
      				}
      				 *((char*)(_t40 - 4)) = 0x15;
      				E0040F960(_t40 - 0x4b4, _t38);
      				LeaveCriticalSection(0x4bca10);
      				_t29 =  *(_t40 + 0xc);
      				DefWindowProcW(_t38, _t29,  *(_t40 - 0x628),  *(_t40 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
      				_pop(_t37);
      				_pop(_t39);
      				return E0046F77E(_t26,  *(_t40 - 0x10) ^ _t40, _t35, _t37, _t39);
      			}

      0x0044f4c3
      0x0044f4c3
      0x0044f4c3
      0x0044f4ca
      0x0044f4fc
      0x0044f4cc
      0x0044f4db
      0x0044f4db
      0x0044f506
      0x0044f510
      0x0044f525
      0x0044f548
      0x0044f554
      0x0044f558
      0x0044f575
      0x0044f575
      0x0044f577
      0x0044eab3
      0x0044eabd
      0x0044e726
      0x0044e737
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757

      APIs
      • ShowWindow.USER32(00000000,00000005), ref: 0044F4CF
      • SetForegroundWindow.USER32 ref: 0044F4DB
      • CreateDialogParamW.USER32 ref: 0044F4F6
      • EnterCriticalSection.KERNEL32 ref: 0044F510
      • GetDlgItem.USER32 ref: 0044F52C
      • SendMessageW.USER32(00000000,?,000003F9,00001042), ref: 0044F539
      • SendMessageW.USER32(00008003,00000000,?,?), ref: 0044F575
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSendWindow$CreateCriticalDialogEnterForegroundItemParamSectionShow
      • String ID: PROCESS_TREE
      • API String ID: 1199324052-203746045
      • Opcode ID: c168b1eb69096e0bbd1a785fe35151404997c9262086742d3a174bd5c925a64a
      • Instruction ID: 6293099238add065e4c2abc52148a7b6675fb4023216d0ff1d4e072ef0198f14
      • Opcode Fuzzy Hash: c168b1eb69096e0bbd1a785fe35151404997c9262086742d3a174bd5c925a64a
      • Instruction Fuzzy Hash: C2116570941344FFEB119F70EC4EF9E7A68AB44705F1045BAB201B62E2D7B899089F1C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0043A0B0(void* __ecx) {
      				char _v8;
      				_Unknown_base(*)()* _t6;
      
      				SetThreadPriority(GetCurrentThread(), 0xf); // THREAD_PRIORITY_TIME_CRITICAL (15), the highest value the Win32 API grants
      				_t6 = GetProcAddress(LoadLibraryW(L"ntdll.dll"), "ZwSetInformationThread"); // resolved dynamically; not in the import table
      				 *0x4bce40 = _t6;
      				if(_t6 != 0) {
      					E0040F360(L"SeIncreaseBasePriorityPrivilege"); // enables the privilege on the process token (OpenProcessToken in the subcall)
      					_v8 = 0x10;
      					 *0x4bce40(GetCurrentThread(), 2,  &_v8, 4); // ThreadInformationClass 2 = ThreadPriority, set to 16: the real-time band, which needs that privilege
      				}
      				return 1;
      			}

      0x0043a0bd
      0x0043a0d4
      0x0043a0da
      0x0043a0e1
      0x0043a0e8
      0x0043a0f0
      0x0043a106
      0x0043a106
      0x0043a111

      APIs
      • GetCurrentThread.KERNEL32 ref: 0043A0B6
      • SetThreadPriority.KERNEL32(00000000,?,?,00439EDE), ref: 0043A0BD
      • LoadLibraryW.KERNEL32(ntdll.dll,ZwSetInformationThread,?,?,00439EDE), ref: 0043A0CD
      • GetProcAddress.KERNEL32(00000000), ref: 0043A0D4
        • Part of subcall function 0040F360: GetCurrentProcess.KERNEL32(00000028,0045F38B,749682C0,?,?,0045F38B,SeDebugPrivilege,?,?,00000003,00000000,?,?,04000000), ref: 0040F37A
        • Part of subcall function 0040F360: OpenProcessToken.ADVAPI32(00000000,?,?,0045F38B,SeDebugPrivilege,?,?,00000003,00000000,?,?,04000000), ref: 0040F381
      • GetCurrentThread.KERNEL32 ref: 0043A0FF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CurrentThread$Process$AddressLibraryLoadOpenPriorityProcToken
      • String ID: SeIncreaseBasePriorityPrivilege$ZwSetInformationThread$ntdll.dll
      • API String ID: 4275216229-2582132723
      • Opcode ID: c4af19f7349cde5d297450fe68a73259abfe4c7cf103f1587f066133fe0390d9
      • Instruction ID: 77fa9e02ea755215629da48c2c456b1eb0466f03fadcfc56501681e8de1fa65e
      • Opcode Fuzzy Hash: c4af19f7349cde5d297450fe68a73259abfe4c7cf103f1587f066133fe0390d9
      • Instruction Fuzzy Hash: F2F082B5940308EBDB10ABE4AC0EB1D7A2CF705705F100439FE01C2190DAB9A504AB29
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E00453480(void* __ebx, intOrPtr __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
      				signed int _v8;
      				void* _v12;
      				void* _v16;
      				void* _v20;
      				void* _v24;
      				void* _v28;
      				void* _v32;
      				void* _v36;
      				void* _v40;
      				intOrPtr _v44;
      				void* _v48;
      				intOrPtr _v52;
      				intOrPtr _v56;
      				void* _v60;
      				void* _v64;
      				void* _v68;
      				void* _v72;
      				void* _v76;
      				void* _v80;
      				void* _v84;
      				void* _v92;
      				void* __edi;
      				signed int _t105;
      				void* _t109;
      				intOrPtr _t232;
      				signed int _t249;
      
      				_t241 = __esi;
      				_t173 = __ebx;
      				_t105 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t105 ^ _t249;
      				_t232 = _a20;
      				_v52 = _a8;
      				_t109 = _a12 + 0xfffffffe;
      				_v44 = __ecx;
      				_t235 = _a4;
      				_v56 = _a4;
      				if(_t109 > 0xc) {
      					L22:
      					return E0046F77E(_t173, _v8 ^ _t249, _t232, _t235, _t241);
      				} else {
      					switch( *((intOrPtr*)(( *(_t109 + 0x4537a4) & 0x000000ff) * 4 +  &M0045379C))) {
      						case 0:
      							goto L2;
      						case 1:
      							goto L22;
      					}
      				}
      			}

      0x00453480
      0x00453480
      0x00453486
      0x0045348d
      0x00453493
      0x00453496
      0x0045349c
      0x0045349f
      0x004534a3
      0x004534a6
      0x004534ac
      0x00453789
      0x00453799
      0x004534b2
      0x004534b9
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x004534b9

      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7eff6c3506273b119bc744858204e64a566af3393f78ddd6925ab8e4b66c3f6f
      • Instruction ID: f89add634b84a7e46df6b2f7f2b92f9980017c1aa993de02832718c2266ef247
      • Opcode Fuzzy Hash: 7eff6c3506273b119bc744858204e64a566af3393f78ddd6925ab8e4b66c3f6f
      • Instruction Fuzzy Hash: BDB16E71A002099FCF14DFA9D8919AEBBF5FF48315F14456EE802AB352DB34A905CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 60%
      			E00430130(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				long _v8;
      				char _v16;
      				signed int _v20;
      				char _v2068;
      				intOrPtr* _v2072;
      				intOrPtr _v2076;
      				intOrPtr _v2080;
      				char _v2084;
      				intOrPtr* _v2088;
      				intOrPtr _v2092;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t42;
      				signed int _t43;
      				void* _t50;
      				intOrPtr* _t53;
      				intOrPtr _t54;
      				intOrPtr* _t55;
      				char _t58;
      				intOrPtr _t62;
      				intOrPtr _t72;
      				void* _t73;
      				intOrPtr* _t83;
      				void* _t86;
      				intOrPtr* _t87;
      				char* _t88;
      				intOrPtr _t91;
      				void* _t92;
      				intOrPtr* _t93;
      				signed int _t94;
      				void* _t95;
      				void* _t96;
      				void* _t98;
      				void* _t99;
      
      				_push(0xffffffff);
      				_push(E00489019);
      				_push( *[fs:0x0]);
      				_t96 = _t95 - 0x81c;
      				_t42 =  *0x4bb1dc; // 0x2927074f
      				_t43 = _t42 ^ _t94;
      				_v20 = _t43;
      				_push(_t43);
      				 *[fs:0x0] =  &_v16;
      				_t91 = _a12;
      				_t72 = _a4;
      				_v2092 = _a8;
      				_v2076 = _t91;
      				if(_t91 != 0) {
      					do {
      						_t87 = 0;
      						_v2072 = 0;
      						_t101 = _a16;
      						if(_a16 > 0) {
      							do {
      								_v2084 = 0x400;
      								_t53 = E00406130(_t91);
      								_t84 =  *_t53;
      								_t83 = _t53;
      								_t54 =  *((intOrPtr*)( *_t53 + 8))(_t91, _t87,  &_v2068,  &_v2084);
      								_push(0xc);
      								_v2080 = _t54;
      								_t55 = E0046EEB6(_t72, _t87, _t101);
      								_t93 = _t55;
      								_t98 = _t96 + 4;
      								_v2088 = _t93;
      								_v8 = 0;
      								if(_t93 == 0) {
      									L7:
      									_t93 = 0;
      								} else {
      									 *((intOrPtr*)(_t93 + 4)) = 0;
      									 *(_t93 + 8) = 1;
      									__imp__#2(_v2080); // oleaut32 ordinal 2: SysAllocString
      									 *_t93 = _t55;
      									if(_t55 == 0 && _v2080 != _t55) {
      										L6:
      										E0046E410(0x8007000e); // E_OUTOFMEMORY
      										goto L7;
      									}
      								}
      								_v8 = 0xffffffff;
      								_v2088 = _t93;
      								if(_t93 == 0) {
      									goto L6;
      								}
      								_v8 = 1;
      								_t107 = _t87;
      								if(_t87 != 0) {
      									_push(_t72);
      									_push(0x2c);
      									E00472868(_t72, _t87, _t93, _t107); // _fputc(',') between columns
      									_t98 = _t98 + 8;
      								}
      								_push(_t72);
      								_push(0x22);
      								E00472868(_t72, _t87, _t93, _t107); // opening '"'; every value is quoted
      								_t99 = _t98 + 8;
      								if( *((intOrPtr*)(_t93 + 4)) == 0) {
      									 *((intOrPtr*)(_t93 + 4)) = E0046E430(_t83,  *_t93);
      								}
      								_t88 =  *((intOrPtr*)(_t93 + 4));
      								_t58 =  *_t88;
      								while(_t58 != 0) {
      									_t110 = _t58 - 0x22;
      									if(_t58 == 0x22) {
      										_push(_t72);
      										_push(0x22);
      										E00472868(_t72, _t88, _t93, _t110); // embedded '"' is doubled
      										_t99 = _t99 + 8;
      									}
      									_push(_t72);
      									_push( *_t88);
      									E00472868(_t72, _t88, _t93, _t110);
      									_t58 =  *((intOrPtr*)(_t88 + 1));
      									_t88 = _t88 + 1;
      									_t99 = _t99 + 8;
      									_t111 = _t58;
      								}
      								_push(_t72);
      								_push(0x22);
      								E00472868(_t72, _t88, _t93, _t111); // closing '"'
      								_t96 = _t99 + 8;
      								_v8 = 0xffffffff;
      								_t29 = _t93 + 8; // 0x8
      								if(InterlockedDecrement(_t29) == 0) {
      									_t62 =  *_t93;
      									if(_t62 != 0) {
      										__imp__#6(_t62); // oleaut32 ordinal 6: SysFreeString
      										 *_t93 = 0;
      									}
      									_t63 =  *((intOrPtr*)(_t93 + 4));
      									if( *((intOrPtr*)(_t93 + 4)) != 0) {
      										E0046EF07(_t63);
      										_t96 = _t96 + 4;
      										 *((intOrPtr*)(_t93 + 4)) = 0;
      									}
      									E0046EF07(_t93);
      									_t96 = _t96 + 4;
      								}
      								_t91 = _v2076;
      								_t87 = _v2072 + 1;
      								_v2072 = _t87;
      								_t115 = _t87 - _a16;
      							} while (_t87 < _a16);
      						}
      						_push(_t72);
      						_push(0xa);
      						E00472868(_t72, _t87, _t91, _t115); // '\n' ends the row
      						_t50 = E00430130(_t72, _v2092, E00406140(_t91), _a16); // recurse into this node's children before moving to the next sibling
      						_t96 = _t96 + 0x18;
      						if(_t50 != 0) {
      							goto L26;
      						}
      						goto L28;
      						L26:
      						_t91 = E004063A0(_t91);
      						_v2076 = _t91;
      					} while (_t91 != 0);
      					goto L27;
      				}
      				L28:
      				 *[fs:0x0] = _v16;
      				_pop(_t86);
      				_pop(_t92);
      				_pop(_t73);
      				return E0046F77E(_t73, _v20 ^ _t94, _t84, _t86, _t92);
      			}

      0x00430133
      0x00430135
      0x00430140
      0x00430141
      0x00430147
      0x0043014c
      0x0043014e
      0x00430154
      0x00430158
      0x0043015e
      0x00430164
      0x00430167
      0x0043016d
      0x00430175
      0x00430180
      0x00430180
      0x00430182
      0x00430188
      0x0043018b
      0x00430191
      0x00430193
      0x0043019d
      0x004301af
      0x004301b4
      0x004301b6
      0x004301b9
      0x004301bb
      0x004301c1
      0x004301c6
      0x004301c8
      0x004301cb
      0x004301d1
      0x004301da
      0x0043020e
      0x0043020e
      0x004301dc
      0x004301e2
      0x004301e9
      0x004301f0
      0x004301f6
      0x004301fa
      0x00430204
      0x00430209
      0x00000000
      0x00430209
      0x004301fa
      0x00430210
      0x00430217
      0x0043021f
      0x00000000
      0x00000000
      0x00430221
      0x00430228
      0x0043022a
      0x0043022c
      0x0043022d
      0x0043022f
      0x00430234
      0x00430234
      0x00430237
      0x00430238
      0x0043023a
      0x0043023f
      0x00430246
      0x0043024f
      0x0043024f
      0x00430252
      0x00430255
      0x00430259
      0x00430260
      0x00430262
      0x00430264
      0x00430265
      0x00430267
      0x0043026c
      0x0043026c
      0x00430272
      0x00430273
      0x00430274
      0x00430279
      0x0043027c
      0x0043027d
      0x00430280
      0x00430280
      0x00430284
      0x00430285
      0x00430287
      0x0043028c
      0x0043028f
      0x00430296
      0x004302a2
      0x004302a4
      0x004302a8
      0x004302ab
      0x004302b1
      0x004302b1
      0x004302b7
      0x004302bc
      0x004302bf
      0x004302c4
      0x004302c7
      0x004302c7
      0x004302cf
      0x004302d4
      0x004302d4
      0x004302dd
      0x004302e3
      0x004302e4
      0x004302ea
      0x004302ea
      0x00430191
      0x004302f3
      0x004302f4
      0x004302f6
      0x00430310
      0x00430315
      0x0043031a
      0x00000000
      0x00000000
      0x00000000
      0x0043031c
      0x00430323
      0x00430325
      0x0043032b
      0x00000000
      0x00430180
      0x00430335
      0x00430338
      0x00430340
      0x00430341
      0x00430342
      0x00430350

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _fputc$String$AllocDecrementFreeInterlocked_malloc
      • String ID:
      • API String ID: 2691016415-0
      • Opcode ID: 23d90cd5a112fd3e0fac1be6a7c9970a4cffb8c667a15f7007af1abc7ed6bc6b
      • Instruction ID: 7be8d825ceb2636b55046b71d7c39e109af7dbc995ad19d73cb73d47b5db1072
      • Opcode Fuzzy Hash: 23d90cd5a112fd3e0fac1be6a7c9970a4cffb8c667a15f7007af1abc7ed6bc6b
      • Instruction Fuzzy Hash: B251D4B0D00218DBDF209F518D157ABB7E8EF04704F0086AAE85967381EB799D41CBE9
      Uniqueness

      Uniqueness Score: -1.00%
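
      The export loop in E00430130 above, as an added example that is not part of this report or of Process Monitor. The decompiled routine emits ',' between columns, wraps every value in '"', doubles any '"' inside a value, ends the row with '\n', then recurses into the node's children before advancing to the next sibling, which flattens a tree depth-first into CSV rows. The code below implements that same quoting and traversal in general form and round-trips the result through the standard CSV parser; the node layout, the function names and the sample tree are assumptions made for this example.

```python
"""CSV export with the quoting rule seen in E00430130.

Added example, not code from the sandbox report or from Process Monitor.
The Node layout, function names and SAMPLE data are assumptions.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Iterator, List


@dataclass
class Node:
    """One row of output plus the child rows written directly beneath it."""
    values: List[str]
    children: List["Node"] = field(default_factory=list)


def quote_field(value: str) -> str:
    """The decompiled inner loop: open '"', double each embedded '"', close '"'.

    Because every field is quoted, commas and newlines inside a value
    cannot break the row or column structure.
    """
    return '"' + value.replace('"', '""') + '"'


def format_row(values) -> str:
    """Fields joined by ',' (written only between columns), row ended by '\\n'."""
    return ",".join(quote_field(v) for v in values) + "\n"


def walk(nodes) -> Iterator[Node]:
    """Depth-first order: a node, then its children, then its next sibling,
    matching the recursion into E00406140(child) and the E004063A0(sibling) loop."""
    for node in nodes:
        yield node
        yield from walk(node.children)


def export_csv(roots) -> str:
    """Flatten a forest of Nodes into CSV text."""
    return "".join(format_row(n.values) for n in walk(roots))


def parse_back(text: str):
    """Round-trip check with the stdlib reader (RFC 4180 quoting)."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample: a two-level tree with delimiter characters in the fields.
SAMPLE = [
    Node(["explorer.exe", "1234", "C:\\Windows\\explorer.exe"], [
        Node(["cmd.exe", "2222", 'cmd.exe /c echo "hi", bye']),
        Node(["notepad.exe", "3333", "multi\nline"]),
    ]),
    Node(["svchost.exe", "4444", "-k netsvcs"]),
]


if __name__ == "__main__":
    text = export_csv(SAMPLE)
    print(text, end="")
    print(parse_back(text) == [n.values for n in walk(SAMPLE)])
```

      Quoting of this kind protects the file's structure, not its consumers: a value that begins with '=' or '@' is still passed verbatim to whatever spreadsheet opens the export, so an exporter that handles attacker-controlled strings (command lines, file names) should also consider neutralising formula-leading characters.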

      C-Code - Quality: 100%
      			E00442489(void* __eflags) {
      				intOrPtr* _t24;
      				void* _t32;
      				intOrPtr _t33;
      				intOrPtr* _t39;
      				intOrPtr* _t63;
      				intOrPtr* _t64;
      				intOrPtr* _t65;
      				intOrPtr* _t67;
      				intOrPtr _t68;
      				intOrPtr _t70;
      				void* _t71;
      				void* _t73;
      				void* _t74;
      				void* _t76;
      
      				_t76 = __eflags;
      				do {
      					EnterCriticalSection(0x4bd080);
      					_t24 =  *0x4bd078; // 0x77d010
      					_t63 =  *_t24;
      					_t65 =  *((intOrPtr*)(_t63 + 8));
      					 *((intOrPtr*)( *((intOrPtr*)(_t63 + 4)))) =  *_t63;
      					 *((intOrPtr*)( *_t63 + 4)) =  *((intOrPtr*)(_t63 + 4));
      					 *0x4bd07c =  *0x4bd07c - 1;
      					E0046EF07(_t63);
      					_t74 = _t73 + 4;
      					LeaveCriticalSection(0x4bd080);
      					L00442050( *((intOrPtr*)(_t65 + 4)), _t63, _t76,  *((intOrPtr*)(_t65 + 8)),  *(_t65 + 0xc) & 0x000000ff,  *((intOrPtr*)(_t65 + 0x10)),  *((intOrPtr*)(_t65 + 0x14)), 0x4bca10);
      					_t30 =  *((intOrPtr*)(_t65 + 8));
      					if( *((intOrPtr*)( *((intOrPtr*)(_t65 + 8)) + 0x58)) != 0) {
      						E004192A0(0x4bca10,  *_t30);
      					}
      					_t68 =  *_t65;
      					if(_t68 != 0 && InterlockedDecrement(_t68 + 0x578) < 2) {
      						E00467460(_t68, _t48);
      					}
      					E0046EF07(_t65);
      					_t32 =  *0x4bd098; // 0x20c
      					_t73 = _t74 + 4;
      					 *(_t71 - 0x18) = _t32;
      					_t33 =  *0x4bce44; // 0x158
      					 *((intOrPtr*)(_t71 - 0x14)) = _t33;
      				} while (WaitForMultipleObjects(2, _t71 - 0x18, 0, 0xffffffff) != 1);
      				WaitForSingleObject( *0x4bce24, 0xffffffff);
      				 *(_t71 - 0x10) = 0x4bd080;
      				EnterCriticalSection(0x4bd080);
      				 *(_t71 - 4) = 0;
      				if( *0x4bd07c != 0) {
      					do {
      						_t39 =  *0x4bd078; // 0x77d010
      						_t64 =  *_t39;
      						_t67 =  *((intOrPtr*)(_t64 + 8));
      						 *((intOrPtr*)( *((intOrPtr*)(_t64 + 4)))) =  *_t64;
      						 *((intOrPtr*)( *_t64 + 4)) =  *((intOrPtr*)(_t64 + 4));
      						 *0x4bd07c =  *0x4bd07c - 1;
      						E0046EF07(_t64);
      						_t73 = _t73 + 4;
      						if(_t67 != 0) {
      							_t70 =  *_t67;
      							if(_t70 != 0 && InterlockedDecrement(_t70 + 0x578) < 2) {
      								E00467460(_t70, _t45);
      							}
      							E0046EF07(_t67);
      							_t73 = _t73 + 4;
      						}
      					} while ( *0x4bd07c != 0);
      					do {
      						goto L16;
      					} while (WaitForSingleObject( *0x4bd098, 0) != 0x102);
      					LeaveCriticalSection(0x4bd080);
      					 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
      					return 0;
      				}
      				L16:
      			}


      APIs
      • EnterCriticalSection.KERNEL32(004BD080), ref: 00442495
      • LeaveCriticalSection.KERNEL32(004BD080), ref: 004424C8
      • InterlockedDecrement.KERNEL32(?), ref: 0044250B
      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,004BCA10), ref: 0044253D
      • WaitForSingleObject.KERNEL32(000000FF), ref: 0044255A
      • EnterCriticalSection.KERNEL32(004BD080), ref: 00442568
      • InterlockedDecrement.KERNEL32(?), ref: 004425B9
      • WaitForSingleObject.KERNEL32(00000000), ref: 004425E8
      • LeaveCriticalSection.KERNEL32(004BD080), ref: 004425F6
        • Part of subcall function 004192A0: GetParent.USER32(00000000), ref: 004192B0
        • Part of subcall function 004192A0: PostMessageW.USER32(00000000,?,004424FE,?), ref: 004192B7
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Wait$DecrementEnterInterlockedLeaveObjectSingle$MessageMultipleObjectsParentPost
      • String ID:
      • API String ID: 575899497-0
      • Opcode ID: 569e081c3ba6bc04285c915687bd8635f0e72101fff7c8936a55e9f104adeecb
      • Instruction ID: 9ffcb0451f50334456f6d3844c42466557712d721e3ee28d40b9a370e44b6ad4
      • Opcode Fuzzy Hash: 569e081c3ba6bc04285c915687bd8635f0e72101fff7c8936a55e9f104adeecb
      • Instruction Fuzzy Hash: 3E41D175A00500AFD300EF64ED85B2AB7B1FB48318F1042BAE915973A0E775A892CB98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 76%
      			E004309F0(struct _CRITICAL_SECTION* __ecx) {
      				long _v8;
      				char _v16;
      				struct _CRITICAL_SECTION* _v20;
      				long _v24;
      				long _v28;
      				void* __ebx;
      				void* __edi;
      				signed int _t30;
      				void* _t34;
      				intOrPtr* _t36;
      				intOrPtr _t37;
      				intOrPtr _t44;
      				struct _CRITICAL_SECTION* _t45;
      				struct _CRITICAL_SECTION* _t54;
      				intOrPtr _t59;
      				intOrPtr _t60;
      				long _t63;
      				void* _t64;
      				void* _t66;
      				intOrPtr* _t67;
      				struct _CRITICAL_SECTION* _t71;
      				signed int _t73;
      
      				_push(0xffffffff);
      				_push(E00489093);
      				_push( *[fs:0x0]);
      				_t30 =  *0x4bb1dc; // 0x2927074f
      				_push(_t30 ^ _t73);
      				 *[fs:0x0] =  &_v16;
      				_t54 = __ecx;
      				_t2 = _t54 + 0xe0; // 0x4bcea0
      				_t71 = _t2;
      				_v20 = _t71;
      				EnterCriticalSection(_t71);
      				_v8 = 0;
      				E004309B0(_t54);
      				_t5 = _t54 + 0x10; // 0x0
      				_t34 =  *_t5;
      				_t66 = CloseHandle;
      				if(_t34 != 0) {
      					CloseHandle(_t34);
      					 *(_t54 + 0x10) = 0;
      				}
      				_t7 = _t54 + 0xc; // 0x0
      				_t64 =  *_t7;
      				if(_t64 != 0xffffffff) {
      					_t79 =  *((char*)(_t54 + 5));
      					if( *((char*)(_t54 + 5)) == 0) {
      						_t9 = _t54 + 0x1c; // 0x0
      						_t10 = _t54 + 0x18; // 0x0
      						_t63 =  *_t10;
      						_v24 =  *_t9;
      						_v28 = _t63;
      						SetFilePointer(_t64, _t63,  &_v24, 0);
      						_t14 = _t54 + 0xc; // 0x0
      						SetEndOfFile( *_t14);
      					}
      					_t15 = _t54 + 0xc; // 0x0
      					CloseHandle( *_t15);
      					 *(_t54 + 0xc) = 0xffffffff;
      				}
      				_t17 = _t54 + 0xf8; // 0x4bceb8
      				E00403A00(_t17);
      				_push(0xc);
      				_t36 = E0046EEB6(_t54, _t66, _t79);
      				_t67 = _t36;
      				if(_t67 == 0) {
      					_t67 = 0;
      					__eflags = 0;
      				} else {
      					 *(_t67 + 4) = 0;
      					 *((intOrPtr*)(_t67 + 8)) = 1;
      					__imp__#2(0);
      					 *_t67 = _t36;
      				}
      				_v8 = 0;
      				 *((intOrPtr*)(_t54 + 0xf8)) = _t67;
      				if(_t67 == 0) {
      					E0046E410(0x8007000e);
      				}
      				LeaveCriticalSection(_t71);
      				_t37 =  *0x4bcb6c; // 0x7879f0
      				EnterCriticalSection(_t37 + 8);
      				_t59 =  *0x4bcb6c; // 0x7879f0
      				_v20 = _t54;
      				E0045CE10(_t59,  &_v28,  &_v20);
      				_t60 =  *0x4bcb6c; // 0x7879f0
      				E0045E260(_t60,  &_v20, _v28, _v24);
      				_t44 =  *0x4bcb6c; // 0x7879f0
      				_t45 = _t44 + 8;
      				LeaveCriticalSection(_t45);
      				 *[fs:0x0] = _v16;
      				return _t45;
      			}

      APIs
      • EnterCriticalSection.KERNEL32(004BCEA0,2927074F,004BCA10,004BCA10,004BCA10,2927074F,004BCA10,004BCA10,0077A1E8,0077A1E8,0077A1E8), ref: 00430A24
        • Part of subcall function 004309B0: UnmapViewOfFile.KERNEL32(00000000,00000001,004C2588,004BD710,00000008,004AFFC8), ref: 004309C8
      • CloseHandle.KERNEL32(00000000), ref: 00430A46
      • SetFilePointer.KERNEL32(00000000,00000000,?,00000000), ref: 00430A71
      • SetEndOfFile.KERNEL32(00000000), ref: 00430A7A
      • CloseHandle.KERNEL32(00000000), ref: 00430A83
      • SysAllocString.OLEAUT32(00000000), ref: 00430AB7
      • LeaveCriticalSection.KERNEL32(004BCEA0), ref: 00430AE2
      • EnterCriticalSection.KERNEL32(007879E8), ref: 00430AED
      • LeaveCriticalSection.KERNEL32(007879E8,?,?,?,?,?), ref: 00430B27
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$File$CloseEnterHandleLeave$AllocPointerStringUnmapView
      • String ID:
      • API String ID: 1573715334-0
      • Opcode ID: 8b5fcdf4aab2b0dc802e851a883f91248c52ea1838e5ac7df0c4b276080f62c9
      • Instruction ID: 9f0fc5b4c8c2ac91b8dcd932cf8d813787ce5ae151a1e963a3ad7d2738c30790
      • Opcode Fuzzy Hash: 8b5fcdf4aab2b0dc802e851a883f91248c52ea1838e5ac7df0c4b276080f62c9
      • Instruction Fuzzy Hash: 0641A072900205DFCB00EFA5DC85BAFBBB8EF44710F14463AE81497391DB79A914CBA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E0042E9F0(void* __edx, struct HWND__* _a4, struct HWND__* _a8, intOrPtr _a12, int _a16, char _a20) {
      				signed int _v8;
      				short _v528;
      				int _v532;
      				signed short _v548;
      				int _v552;
      				int _v556;
      				void* _v560;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t24;
      				struct HWND__* _t30;
      				long _t33;
      				signed short _t35;
      				struct HWND__* _t42;
      				void* _t46;
      				int _t47;
      				void* _t48;
      				signed int _t50;
      
      				_t46 = __edx;
      				_t24 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t24 ^ _t50;
      				_t42 = _a4;
      				_t49 = _a8;
      				SendMessageW(_t42, 0x1036, _a16, _a16);
      				_t47 = 0;
      				if(_a12 > 0) {
      					do {
      						_t35 = _t49->i;
      						if(_t35 != 0) {
      							if((_t35 & 0xffff0000) == 0) {
      								_t43 =  &_v528;
      								LoadStringW(GetModuleHandleW(0), _t35 & 0x0000ffff,  &_v528, 0x104);
      								_t35 =  &_v528;
      							}
      							asm("xorps xmm0, xmm0");
      							asm("movdqu [ebp-0x228], xmm0");
      							_v532 = 0;
      							asm("movq [ebp-0x218], xmm0");
      							_v560 = 6;
      							if( *((intOrPtr*)(_t49 + 8)) == 1) {
      								_v560 = 7;
      								_v556 = 1;
      							}
      							_v548 = _t35;
      							_v552 = MulDiv( *(_t49 + 4),  *0x4bc894, 0x60);
      							SendMessageW(_t42, 0x1061, _t47,  &_v560);
      						}
      						_t47 = _t47 + 1;
      						_t49 = _t49 + 0xc;
      					} while (_t47 < _a12);
      				}
      				if(_a20 == 0) {
      					_t48 = SendMessageW;
      				} else {
      					_t33 = E0042E730(_t43);
      					_t48 = SendMessageW;
      					SendMessageW(_t42, 0x1003, 1, _t33);
      				}
      				if((GetWindowLongW(_t42, 0xfffffff0) & 0x00008000) == 0) {
      					_t30 = SendMessageW(_t42, 0x101f, 0, 0);
      					_t49 = _t30;
      					SendMessageW(_t30, 0x1208, 0, E0042E680(_t43));
      				}
      				return E0046F77E(_t42, _v8 ^ _t50, _t46, _t48, _t49);
      			}

      APIs
      • SendMessageW.USER32(?,00001036,?,?), ref: 0042EA17
      • GetModuleHandleW.KERNEL32(00000000,?,?,00000104), ref: 0042EA53
      • LoadStringW.USER32(00000000), ref: 0042EA5A
      • MulDiv.KERNEL32(?,00000060), ref: 0042EAB8
      • SendMessageW.USER32(?,00001061,00000000,00000006), ref: 0042EAD2
      • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0042EAFF
      • GetWindowLongW.USER32(?,000000F0), ref: 0042EB0C
      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042EB23
      • SendMessageW.USER32(00000000,00001208,00000000,00000000), ref: 0042EB35
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$HandleLoadLongModuleStringWindow
      • String ID:
      • API String ID: 2968044529-0
      • Opcode ID: bbe70a3191f57360def90a7d0d24c38f43c713dc79f98bf40fd94af939e0f77b
      • Instruction ID: eb6b02f80f71d907c2d2e77855e090158569cea4392e649839b9ea4b39b07bd4
      • Opcode Fuzzy Hash: bbe70a3191f57360def90a7d0d24c38f43c713dc79f98bf40fd94af939e0f77b
      • Instruction Fuzzy Hash: E231B871A00318BBEB209F65EC49FAF7778FF48700F50066AF945A6190D7B4A985CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E00408810(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct tagSCROLLINFO _v52;
      				struct tagRECT _v68;
      				struct tagTEXTMETRICW _v128;
      				intOrPtr _v132;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t33;
      				intOrPtr _t51;
      				intOrPtr _t55;
      				long _t56;
      				void* _t60;
      				intOrPtr _t61;
      				void* _t65;
      				struct HDC__* _t66;
      				intOrPtr _t67;
      				signed int _t69;
      				signed int _t70;
      
      				_t33 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t33 ^ _t70;
      				_t61 = _a8;
      				_t55 = __ecx;
      				_v132 = __ecx;
      				if(_t61 >= _a4) {
      					_push(_t65);
      					_v52.cbSize = 0x1c;
      					asm("xorps xmm0, xmm0");
      					_v52.nTrackPos = 0;
      					asm("movdqu [ebp-0x28], xmm0");
      					_v52.fMask = 4;
      					GetScrollInfo( *(__ecx + 0x1c), 2,  &_v52);
      					_t66 = GetDC( *(_t55 + 8));
      					SelectObject(_t66,  *(_t55 + 0x30));
      					GetTextMetricsW(_t66,  &_v128);
      					_t56 = _v128.tmHeight;
      					_t67 = _v132;
      					ReleaseDC( *(_t67 + 8), _t66);
      					if( *((intOrPtr*)(_t67 + 0x38)) != 0) {
      						_t56 =  <  ? GetSystemMetrics(0x32) : _t56;
      					}
      					_t69 =  *((intOrPtr*)(_t67 + 0x68)) + _t56;
      					_t55 = _v132;
      					GetWindowRect( *(_t55 + 0xc),  &_v68);
      					GetClientRect( *(_t55 + 8),  &_v24);
      					_t51 = (_a4 - _v52.nPos) * _t69 - _v68.top + _v68.bottom;
      					_t61 = (_t61 - _a4 + 1) * _t69 + _t51;
      					_v24.top = _t51;
      					_v24.bottom = _t61;
      					InvalidateRect( *(_t55 + 8),  &_v24, 0);
      					_pop(_t65);
      				}
      				return E0046F77E(_t55, _v8 ^ _t70, _t60, _t61, _t65);
      			}

      APIs
      • GetScrollInfo.USER32 ref: 0040885D
      • GetDC.USER32(00000000), ref: 00408866
      • SelectObject.GDI32(00000000,?), ref: 00408872
      • GetTextMetricsW.GDI32(00000000,?,?,?,00000000), ref: 0040887D
      • ReleaseDC.USER32 ref: 0040888D
      • GetSystemMetrics.USER32 ref: 0040889B
      • GetWindowRect.USER32 ref: 004088B5
      • GetClientRect.USER32 ref: 004088C2
      • InvalidateRect.USER32(00000000,?,00000000,?,?,00000000), ref: 004088EF
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Rect$Metrics$ClientInfoInvalidateObjectReleaseScrollSelectSystemTextWindow
      • String ID:
      • API String ID: 3363554863-0
      • Opcode ID: b01c4aba5cfe914e4b5d3df0029aee23ebd4b4b11b55d9dba066c5ee383db628
      • Instruction ID: e58e5c351e194f2fdef3b5aae992920220fa09e7f1dfa65b59c85c71385329a4
      • Opcode Fuzzy Hash: b01c4aba5cfe914e4b5d3df0029aee23ebd4b4b11b55d9dba066c5ee383db628
      • Instruction Fuzzy Hash: 6B314F72900219EFDB10DFA8DC88AAEBBB8FF48310F104129F905F7261D770A945CB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E0042E450(void* __fp0, int _a4, int _a8, struct HWND__** _a12) {
      				signed int _v8;
      				char _v528;
      				char _v1048;
      				long _v1052;
      				long _v1056;
      				signed int _v1060;
      				char _v1064;
      				intOrPtr _v1068;
      				char _v1072;
      				int _v1088;
      				void* _v1096;
      				intOrPtr _v1124;
      				char* _v1128;
      				struct HWND__* _v1140;
      				void* _v1148;
      				signed int __ebx;
      				void* __edi;
      				signed int __esi;
      				signed int _t55;
      				int _t57;
      				signed int _t69;
      				void* _t75;
      				void* _t84;
      				struct HWND__** _t85;
      				signed int _t86;
      				signed int _t87;
      
      				_t55 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t55 ^ _t87;
      				_t57 = _a4;
      				_t75 = SendMessageW;
      				_t85 = _a12;
      				_t86 = 2;
      				if(_t85[3] == 0) {
      					_v1088 = _t57;
      					_v1096 = 1;
      					_v1056 = SendMessageW( *_t85, 0x1053, 0xffffffff,  &_v1096);
      					_v1088 = _a8;
      					_v1052 = SendMessageW( *_t85, 0x1053, 0xffffffff,  &_v1096);
      					_t57 = _v1056;
      				} else {
      					_v1052 = _a8;
      				}
      				_v1140 = _t85[2];
      				_v1128 =  &_v1048;
      				_v1124 = 0x104;
      				SendMessageW( *_t85, 0x1073, _t57,  &_v1148);
      				_v1140 = _t85[2];
      				_v1128 =  &_v528;
      				_v1124 = 0x104;
      				SendMessageW( *_t85, 0x1073, _v1052,  &_v1148);
      				_t69 =  *(_t85[1] + 8 + (_t85[2] + _t85[2] * 2) * 4);
      				if(_t69 <= 3) {
      					switch( *((intOrPtr*)(_t69 * 4 +  &M0042E668))) {
      						case 0:
      							_t86 = E0042E810( &_v1048,  &_v528);
      							goto L24;
      						case 1:
      							 *(__edi + 0x18) & 0x0000ffff =  &_v528;
      							__eax =  &_v1048;
      							__esi = E0042FC20(__ecx,  &_v1048,  &_v528,  *(__edi + 0x18) & 0x0000ffff);
      							goto L24;
      						case 2:
      							__eax =  &_v1048;
      							__esi = E00437BE0(__ecx, __edx, __fp0,  &_v1048, 0);
      							__ebx = __edx;
      							__eax =  &_v528;
      							__eax = E00437BE0(__ecx, __edx, __fp0,  &_v528, 0);
      							__eflags = __ebx - __edx;
      							if(__eflags > 0) {
      								goto L22;
      							} else {
      								if(__eflags < 0) {
      									goto L18;
      								} else {
      									__eflags = __esi - __eax;
      									if(__esi >= __eax) {
      										__eflags = __ebx - __edx;
      										if(__eflags < 0) {
      											goto L23;
      										} else {
      											if(__eflags > 0) {
      												goto L22;
      											} else {
      												__eflags = __esi - __eax;
      												if(__esi <= __eax) {
      													goto L23;
      												} else {
      													goto L22;
      												}
      											}
      										}
      									} else {
      										goto L18;
      									}
      								}
      							}
      							goto L24;
      						case 3:
      							 &_v1072 =  &_v1048;
      							E004727D1( &_v1048, L"%I64x",  &_v1072) =  &_v1064;
      							 &_v528 = E004727D1( &_v528, L"%I64x",  &_v1064);
      							__edx = _v1068;
      							__esi = _v1060;
      							__eax = _v1072;
      							__ecx = _v1064;
      							__eflags = __edx - __esi;
      							if(__eflags < 0) {
      								L18:
      								__esi = __esi | 0xffffffff;
      							} else {
      								if(__eflags > 0) {
      									L22:
      									__esi = 1;
      								} else {
      									__eflags = __eax - __ecx;
      									if(__eax <= __ecx) {
      										__eflags = __edx - __esi;
      										if(__eflags > 0) {
      											L23:
      											__esi = 0;
      											__eflags = 0;
      										} else {
      											if(__eflags < 0) {
      												goto L18;
      											} else {
      												__eflags = __eax - __ecx;
      												if(__eax >= __ecx) {
      													goto L23;
      												} else {
      													__esi = __esi | 0xffffffff;
      												}
      											}
      										}
      									} else {
      										__esi = 1;
      									}
      								}
      							}
      							goto L24;
      					}
      				}
      				L24:
      				if(_t85[3] != 0) {
      					_t86 =  ~_t86;
      				}
      				return E0046F77E(_t75, _v8 ^ _t87, _t84, _t85, _t86);
      			}

      APIs
      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 0042E4A8
      • SendMessageW.USER32(?,00001053,000000FF,00000001), ref: 0042E4C9
      • SendMessageW.USER32(?,00001073,?,?), ref: 0042E505
      • SendMessageW.USER32(?,00001073,?,?), ref: 0042E53A
        • Part of subcall function 0042E810: CompareStringW.KERNEL32(00000400,00030001,?,000000FF,?,000000FF,?,0042E56C,?,?), ref: 0042E827
        • Part of subcall function 0042E810: CompareStringW.KERNEL32(00000400,00001000,?,000000FF,?,000000FF,?,0042E56C,?,?), ref: 0042E846
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$CompareString
      • String ID: %I64x
      • API String ID: 1253357016-3960328965
      • Opcode ID: 099e52b2fd2e62911847de777550364772376ed0794bbdfebbdc8067640cd3d3
      • Instruction ID: 8b360e60b197116286b41930d0b2c21215c09b2f73114f9090990bfd5118977c
      • Opcode Fuzzy Hash: 099e52b2fd2e62911847de777550364772376ed0794bbdfebbdc8067640cd3d3
      • Instruction Fuzzy Hash: 265151B5E011289BDB30DB55DC80BDDF3B8BB18314F9442EBE619A3281D7749E848F99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E00462E10(struct _CRITICAL_SECTION* __ecx, struct _CRITICAL_SECTION* _a4) {
      				struct _CRITICAL_SECTION* _v0;
      				struct _CRITICAL_SECTION* _v8;
      				struct _CRITICAL_SECTION* _v12;
      				struct _CRITICAL_SECTION* _v16;
      				signed int _v20;
      				signed int _v24;
      				signed int _v28;
      				struct _CRITICAL_SECTION* _v32;
      				struct _CRITICAL_SECTION* _v36;
      				char _v40;
      				struct _CRITICAL_SECTION* _v44;
      				char _v48;
      				struct _CRITICAL_SECTION* _v52;
      				struct _CRITICAL_SECTION* _v56;
      				intOrPtr _v60;
      				intOrPtr* _v64;
      				intOrPtr _v68;
      				struct _CRITICAL_SECTION* _v76;
      				char _v108;
      				struct _CRITICAL_SECTION* _v120;
      				char _v144;
      				struct _CRITICAL_SECTION** _v148;
      				intOrPtr _v152;
      				char _v172;
      				signed int _v176;
      				intOrPtr _v200;
      				struct _CRITICAL_SECTION* _v204;
      				char _v208;
      				struct _CRITICAL_SECTION** _v216;
      				struct _CRITICAL_SECTION* _v220;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t131;
      				signed int _t132;
      				char _t140;
      				signed int _t145;
      				signed int _t154;
      				signed int _t158;
      				signed int _t159;
      				char _t162;
      				intOrPtr _t165;
      				struct _CRITICAL_SECTION* _t194;
      				void* _t195;
      				struct _CRITICAL_SECTION* _t196;
      				intOrPtr* _t197;
      				void* _t198;
      				struct _CRITICAL_SECTION* _t200;
      				intOrPtr* _t201;
      				void* _t202;
      				void* _t203;
      				signed int _t204;
      				void* _t205;
      				struct _CRITICAL_SECTION* _t211;
      				struct _CRITICAL_SECTION* _t216;
      				signed int _t218;
      				struct _CRITICAL_SECTION* _t221;
      				struct _CRITICAL_SECTION** _t222;
      				intOrPtr _t224;
      				struct _CRITICAL_SECTION _t230;
      				signed int _t237;
      				struct _CRITICAL_SECTION* _t241;
      				signed int _t242;
      				void* _t245;
      				void* _t246;
      				intOrPtr* _t247;
      				void* _t249;
      				signed char* _t250;
      				struct _CRITICAL_SECTION* _t253;
      				void* _t254;
      				intOrPtr _t257;
      				void* _t259;
      				signed int* _t260;
      				struct _CRITICAL_SECTION* _t261;
      				signed int _t262;
      				signed int _t263;
      				void* _t265;
      				signed int _t266;
      				signed int _t267;
      
      				_push(0xffffffff);
      				_push(E0048C818);
      				_push( *[fs:0x0]);
      				_t266 = _t265 - 0x3c;
      				_t131 =  *0x4bb1dc; // 0x2927074f
      				_t132 = _t131 ^ _t262;
      				_v20 = _t132;
      				_push(_t132);
      				 *[fs:0x0] =  &_v16;
      				_t194 = __ecx;
      				_t253 = _a4;
      				if( *((intOrPtr*)(__ecx + 0x18)) > 0) {
      					do {
      						Sleep(0x64);
      					} while ( *((intOrPtr*)(_t194 + 0x18)) > 0);
      				}
      				_v52 = _t194;
      				EnterCriticalSection(_t194);
      				_t7 = _t194 + 0x1c; // 0x780140
      				_t8 = _t194 + 0x1c; // 0x4c2554
      				_v8 = 0;
      				E004635F0(_t8,  *((intOrPtr*)( *_t7 + 4)));
      				_t11 = _t194 + 0x1c; // 0x780140
      				 *((intOrPtr*)( *_t11 + 4)) =  *_t11;
      				_t13 = _t194 + 0x1c; // 0x780140
      				 *((intOrPtr*)( *_t13)) =  *_t13;
      				_t14 = _t194 + 0x1c; // 0x780140
      				 *((intOrPtr*)( *_t14 + 8)) =  *_t14;
      				 *(_t194 + 0x20) = 0;
      				_t211 =  *(_t253 + 4);
      				_t241 = _t211 + 4;
      				if(_t241 >  *((intOrPtr*)(_t253 + 8))) {
      					_v44 = 0x7a;
      					E0046F78D( &_v44, 0x4affc8);
      				}
      				_t245 = 0;
      				_t140 =  *((intOrPtr*)( *_t253 + _t211));
      				_v48 = _t140;
      				 *(_t253 + 4) = _t241;
      				if(_t140 == 0) {
      					L15:
      					LeaveCriticalSection(_t194);
      					 *[fs:0x0] = _v16;
      					_pop(_t246);
      					_pop(_t254);
      					_pop(_t195);
      					return E0046F77E(_t195, _v20 ^ _t262, _t241, _t246, _t254);
      				} else {
      					while(1) {
      						_v44 = 0;
      						_t216 =  *(_t253 + 4);
      						_v8 = 1;
      						_t241 = _t216 + 0x10;
      						if(_t241 >  *((intOrPtr*)(_t253 + 8))) {
      							break;
      						}
      						asm("movdqu xmm0, [eax+ecx]");
      						 *(_t253 + 4) = _t241;
      						asm("movdqu [ebp-0x40], xmm0");
      						E004648D0(_t194, _t253, _t245, _t253,  &_v44);
      						asm("movdqu xmm0, [ebp-0x40]");
      						_t237 = _v44;
      						_v24 = _t237;
      						asm("movdqu [ebp-0x24], xmm0");
      						if(_t237 != 0) {
      							E0046A420(_t237);
      						}
      						_t34 = _t194 + 0x1c; // 0x4c2554
      						_v8 = 2;
      						E00462400(_t34,  &_v76, 0,  &_v40,  *0x4c2580 & 0x000000ff);
      						_t239 = _v24;
      						_v8 = 1;
      						if(_v24 != 0) {
      							E0046A700(_t239);
      						}
      						_t240 = _v44;
      						_v8 = 0;
      						if(_v44 != 0) {
      							E0046A700(_t240);
      						}
      						_t245 = _t245 + 1;
      						if(_t245 < _v48) {
      							continue;
      						} else {
      							goto L15;
      						}
      						goto L55;
      					}
      					_v48 = 0x7a;
      					E0046F78D( &_v48, 0x4affc8);
      					asm("int3");
      					_push(_t262);
      					_t263 = _t266;
      					_push(0xffffffff);
      					_push(E0048C858);
      					_push( *[fs:0x0]);
      					_t267 = _t266 - 0x20;
      					_push(_t194);
      					_push(_t253);
      					_push(_t245);
      					_t145 =  *0x4bb1dc; // 0x2927074f
      					_push(_t145 ^ _t263);
      					 *[fs:0x0] =  &_v108;
      					_t196 = _t216;
      					_v120 = _t196;
      					if( *((intOrPtr*)(_t196 + 0x18)) > 0) {
      						_t253 = Sleep;
      						do {
      							Sleep(0x64);
      						} while ( *((intOrPtr*)(_t196 + 0x18)) > 0);
      					}
      					_v36 = _t196;
      					EnterCriticalSection(_t196);
      					_t197 = _t196 + 0x1c;
      					_v12 = 0;
      					_v24 = _t197;
      					E004635A0(_t197,  *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x1c)) + 4)));
      					_t247 = _v0;
      					 *((intOrPtr*)( *_t197 + 4)) =  *_t197;
      					 *((intOrPtr*)( *_t197)) =  *_t197;
      					 *((intOrPtr*)( *_t197 + 8)) =  *_t197;
      					 *(_t197 + 4) = 0;
      					_t218 =  *(_t247 + 4);
      					_t61 = _t218 + 4; // 0x4
      					_t242 = _t61;
      					if(_t242 >  *((intOrPtr*)(_t247 + 8))) {
      						_v0 = 0x7a;
      						E0046F78D( &_v0, 0x4affc8);
      					}
      					_t198 = 0;
      					_t154 =  *((intOrPtr*)( *_t247 + _t218));
      					_v28 = _t154;
      					 *(_t247 + 4) = _t242;
      					if(_t154 == 0) {
      						L32:
      						LeaveCriticalSection(_v32);
      						 *[fs:0x0] = _v20;
      						return _t154;
      					} else {
      						while(1) {
      							_v0 = 0;
      							_t221 =  *(_t247 + 4);
      							_v12 = 1;
      							_t71 = _t221 + 4; // 0x4
      							_t243 = _t71;
      							if(_t243 >  *((intOrPtr*)(_t247 + 8))) {
      								break;
      							}
      							_t261 =  *((intOrPtr*)( *_t247 + _t221));
      							 *(_t247 + 4) = _t243;
      							E004648D0(_t198, _t247, _t247, _t261,  &_v0);
      							_v44 = _t261;
      							_t253 = _v0;
      							_v40 = _t253;
      							if(_t253 != 0) {
      								E0046A420(_t253);
      							}
      							_t80 =  &_v44; // 0x4c2538
      							_v12 = 2;
      							_t154 = E004622F0(_v24,  &_v52, 0, _t80,  *0x4c2580 & 0x000000ff);
      							_v12 = 1;
      							if(_t253 != 0) {
      								_t154 = E0046A700(_t253);
      							}
      							_t233 = _v0;
      							_v12 = 0;
      							if(_v0 != 0) {
      								_t154 = E0046A700(_t233);
      							}
      							_t198 = _t198 + 1;
      							if(_t198 < _v28) {
      								continue;
      							} else {
      								goto L32;
      							}
      							goto L55;
      						}
      						_v28 = 0x7a;
      						E0046F78D( &_v28, 0x4affc8);
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						_push(_t263);
      						_t264 = _t267;
      						_push(0xffffffff);
      						_push(E0048C888);
      						_push( *[fs:0x0]);
      						_t158 =  *0x4bb1dc; // 0x2927074f
      						_t159 = _t158 ^ _t267;
      						_v176 = _t159;
      						_push(_t198);
      						_push(_t253);
      						_push(_t247);
      						_push(_t159);
      						 *[fs:0x0] =  &_v172;
      						_t200 = _t221;
      						_v204 = _t200;
      						_t222 = _v148;
      						_v200 = _v152;
      						_t162 = _v144;
      						_v216 = _t222;
      						_v208 = _t162;
      						_v220 = 0;
      						if(_t162 == 0) {
      							asm("xorps xmm0, xmm0");
      							_v44 =  *_t222;
      							asm("movq [ebp-0x1c], xmm0");
      							_v32 = 0;
      						} else {
      							asm("movdqu xmm0, [ecx]");
      							asm("movdqu [ebp-0x20], xmm0");
      						}
      						_v76 = _t200;
      						EnterCriticalSection(_t200);
      						_t201 = _t200 + 0x1c;
      						_v16 = 0;
      						_v64 = _t201;
      						_t165 = E00463640(_t201,  &_v44);
      						_t224 =  *_t201;
      						if(_t165 == _t224) {
      							L47:
      							_v48 = _t224;
      						} else {
      							_t107 = _t165 + 0x10; // 0x10
      							_t250 = _t107;
      							_t203 = 0xc;
      							_t260 =  &_v44;
      							while(1) {
      								_t243 =  *_t260;
      								if(_t243 !=  *_t250) {
      									break;
      								}
      								_t260 =  &(_t260[1]);
      								_t250 =  &(_t250[4]);
      								_t203 = _t203 - 4;
      								if(_t203 >= 0) {
      									continue;
      								} else {
      									_t205 = 0;
      								}
      								L46:
      								_v48 = _t165;
      								if(_t205 < 0) {
      									goto L47;
      								}
      								goto L48;
      							}
      							_t204 = _t243 & 0x000000ff;
      							_t243 =  *_t250 & 0x000000ff;
      							_t205 = _t204 - ( *_t250 & 0x000000ff);
      							if(_t205 == 0) {
      								_t243 = _t250[1] & 0x000000ff;
      								_t205 = (_t260[0] & 0x000000ff) - (_t250[1] & 0x000000ff);
      								if(_t205 == 0) {
      									_t243 = _t250[2] & 0x000000ff;
      									_t205 = (_t260[0] & 0x000000ff) - (_t250[2] & 0x000000ff);
      									if(_t205 == 0) {
      										_t243 = _t250[3] & 0x000000ff;
      										_t205 = (_t260[0] & 0x000000ff) - (_t250[3] & 0x000000ff);
      									}
      								}
      							}
      							goto L46;
      						}
      						L48:
      						_t257 = _v48;
      						if(_t257 ==  *_v64 || E0046A720(_t257 + 0x20) == 0) {
      							_v16 = 0xffffffff;
      							LeaveCriticalSection(_v56);
      							L00435FF0(_v52, _v52, _v68, _v60, 0xffffffff);
      						} else {
      							_t230 =  *(_t257 + 0x20);
      							 *_v52 = _t230;
      							if(_t230 != 0) {
      								E0046A420(_t230);
      							}
      							LeaveCriticalSection(_v56);
      						}
      						 *[fs:0x0] = _v24;
      						_pop(_t249);
      						_pop(_t259);
      						_pop(_t202);
      						return E0046F77E(_t202, _v28 ^ _t264, _t243, _t249, _t259);
      					}
      				}
      				L55:
      			}
      Instruction Addresses (one per statement line of the C-Code above, in listing order)
      0x00462e13
      0x00462e15
      0x00462e20
      0x00462e21
      0x00462e24
      0x00462e29
      0x00462e2b
      0x00462e31
      0x00462e35
      0x00462e3b
      0x00462e41
      0x00462e44
      0x00462e50
      0x00462e52
      0x00462e54
      0x00462e50
      0x00462e5b
      0x00462e5e
      0x00462e64
      0x00462e67
      0x00462e6a
      0x00462e74
      0x00462e79
      0x00462e7c
      0x00462e7f
      0x00462e82
      0x00462e84
      0x00462e87
      0x00462e8a
      0x00462e91
      0x00462e94
      0x00462e9a
      0x00462ea4
      0x00462eac
      0x00462eac
      0x00462eb3
      0x00462eb5
      0x00462eb8
      0x00462ebb
      0x00462ec0
      0x00462f65
      0x00462f66
      0x00462f6f
      0x00462f77
      0x00462f78
      0x00462f79
      0x00462f87
      0x00462ec6
      0x00462ed0
      0x00462ed0
      0x00462ed7
      0x00462eda
      0x00462ede
      0x00462ee4
      0x00000000
      0x00000000
      0x00462eec
      0x00462ef4
      0x00462efa
      0x00462eff
      0x00462f04
      0x00462f09
      0x00462f0c
      0x00462f0f
      0x00462f16
      0x00462f18
      0x00462f18
      0x00462f24
      0x00462f2b
      0x00462f36
      0x00462f3b
      0x00462f3e
      0x00462f44
      0x00462f46
      0x00462f46
      0x00462f4b
      0x00462f4e
      0x00462f54
      0x00462f56
      0x00462f56
      0x00462f5b
      0x00462f5f
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00462f5f
      0x00462f92
      0x00462f9a
      0x00462f9f
      0x00462fa0
      0x00462fa1
      0x00462fa3
      0x00462fa5
      0x00462fb0
      0x00462fb1
      0x00462fb4
      0x00462fb5
      0x00462fb6
      0x00462fb7
      0x00462fbe
      0x00462fc2
      0x00462fc8
      0x00462fca
      0x00462fd1
      0x00462fd3
      0x00462fe0
      0x00462fe2
      0x00462fe4
      0x00462fe0
      0x00462feb
      0x00462fee
      0x00462ff7
      0x00462ffc
      0x00463003
      0x00463009
      0x00463010
      0x00463013
      0x00463018
      0x0046301c
      0x0046301f
      0x00463026
      0x00463029
      0x00463029
      0x0046302f
      0x00463039
      0x00463041
      0x00463041
      0x00463048
      0x0046304a
      0x0046304d
      0x00463050
      0x00463055
      0x004630e8
      0x004630eb
      0x004630f4
      0x00463102
      0x0046305b
      0x00463060
      0x00463060
      0x00463067
      0x0046306a
      0x0046306e
      0x0046306e
      0x00463074
      0x00000000
      0x00000000
      0x0046307c
      0x00463085
      0x00463088
      0x0046308d
      0x00463090
      0x00463093
      0x00463098
      0x0046309c
      0x0046309c
      0x004630ac
      0x004630af
      0x004630ba
      0x004630bf
      0x004630c5
      0x004630c9
      0x004630c9
      0x004630ce
      0x004630d1
      0x004630d7
      0x004630d9
      0x004630d9
      0x004630de
      0x004630e2
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x004630e2
      0x0046310d
      0x00463115
      0x0046311a
      0x0046311b
      0x0046311c
      0x0046311d
      0x0046311e
      0x0046311f
      0x00463120
      0x00463121
      0x00463123
      0x00463125
      0x00463130
      0x00463134
      0x00463139
      0x0046313b
      0x0046313e
      0x0046313f
      0x00463140
      0x00463141
      0x00463145
      0x0046314b
      0x0046314d
      0x00463153
      0x00463156
      0x00463159
      0x0046315c
      0x0046315f
      0x00463162
      0x0046316b
      0x0046317a
      0x0046317d
      0x00463180
      0x00463185
      0x0046316d
      0x0046316d
      0x00463171
      0x00463171
      0x0046318d
      0x00463190
      0x00463196
      0x00463199
      0x004631a3
      0x004631a9
      0x004631ae
      0x004631b2
      0x00463208
      0x00463208
      0x004631b4
      0x004631b4
      0x004631b4
      0x004631b7
      0x004631bc
      0x004631c0
      0x004631c0
      0x004631c4
      0x00000000
      0x00000000
      0x004631c6
      0x004631c9
      0x004631cc
      0x004631cf
      0x00000000
      0x004631d1
      0x004631d1
      0x004631d1
      0x00463201
      0x00463201
      0x00463206
      0x00000000
      0x00000000
      0x00000000
      0x00463206
      0x004631d5
      0x004631d8
      0x004631db
      0x004631dd
      0x004631e3
      0x004631e7
      0x004631e9
      0x004631ef
      0x004631f3
      0x004631f5
      0x004631fb
      0x004631ff
      0x004631ff
      0x004631f5
      0x004631e9
      0x00000000
      0x004631dd
      0x0046320b
      0x00463211
      0x00463215
      0x00463242
      0x00463249
      0x0046325b
      0x00463223
      0x00463223
      0x00463229
      0x0046322d
      0x0046322f
      0x0046322f
      0x00463237
      0x00463237
      0x00463268
      0x00463270
      0x00463271
      0x00463272
      0x00463280
      0x00463280
      0x00463055
      0x00000000

      APIs
      • Sleep.KERNEL32(00000064,2927074F,00000000,00000000,004BCA10,?,2927074F,0048C818,000000FF,?,00468B0C,2927074F,00000001,00000000,00000000,00000000), ref: 00462E52
      • EnterCriticalSection.KERNEL32(004C2538,2927074F,00000000,00000000,004BCA10,?,2927074F,0048C818,000000FF,?,00468B0C,2927074F,00000001,00000000,00000000,00000000), ref: 00462E5E
      • __CxxThrowException@8.LIBCMT ref: 00462EAC
      • LeaveCriticalSection.KERNEL32(004C2538,?,?,2927074F,0048C818,000000FF,?,00468B0C,2927074F,00000001,00000000,00000000,00000000,00000000,2927074F), ref: 00462F66
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterException@8LeaveSleepThrow
      • String ID: z$z
      • API String ID: 1240790709-3877588240
      • Opcode ID: 269a3431638a40818070f6f3fdd4677a4c2514a0d43a8bd68eb774f7055b90f7
      • Instruction ID: 04198763236e5cf2d2d9d51e0479a2644a85f0894e1e46b6af8d3e5c242f530e
      • Opcode Fuzzy Hash: 269a3431638a40818070f6f3fdd4677a4c2514a0d43a8bd68eb774f7055b90f7
      • Instruction Fuzzy Hash: 66518170900609EFDB14DFA8C981B9EBBF4FF48314F10846EE845A7381E778A945CBA5
      Uniqueness

      Uniqueness Score: -1.00%
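Added example, not code from the analysed sample or from Joe Sandbox: the checked-read pattern of E00462E10 written out readably. In the listing every read computes the new offset first (`_t241 = _t211 + 4`, later `_t216 + 0x10`), compares it against the end stored at +8 of the stream object and calls E0046F78D with 0x7a (address 00462EAC, the __CxxThrowException@8 reference in the APIs list) before touching memory; the 32-bit count read first bounds the loop of 16-byte movdqu copies. The field layout (base at +0, cursor at +4, end at +8) is taken from the listing; the struct name, returning a failure value instead of throwing, the omitted Sleep(0x64) wait and critical-section wrapper, and the input buffers are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout inferred from the listing (base at +0, cursor at +4, end at +8);
 * the real field types and the enclosing object are unknown (assumption). */
typedef struct {
    const uint8_t *base;
    size_t pos;
    size_t end;
} stream_t;

/* The sample computes next = pos + n, compares it against end and throws
 * (E0046F78D with code 0x7a) before reading. Here: return 0 on overrun. */
static int stream_take(stream_t *s, size_t n, const uint8_t **out)
{
    size_t next = s->pos + n;
    if (next < s->pos || next > s->end)   /* wrap-around or past the end */
        return 0;
    *out = s->base + s->pos;
    s->pos = next;
    return 1;
}

static int stream_read_u32(stream_t *s, uint32_t *v)
{
    const uint8_t *p;
    if (!stream_take(s, 4, &p))
        return 0;
    memcpy(v, p, sizeof *v);   /* little-endian, as on the 32-bit x86 sample */
    return 1;
}

/* Mirrors the loop: a 32-bit count, then `count` 16-byte records (the
 * movdqu load in the listing). Returns the record count, or -1 on overrun
 * or when the caller's array is too small. */
int read_records16(stream_t *s, uint8_t (*recs)[16], size_t max_recs)
{
    uint32_t count;
    if (!stream_read_u32(s, &count))
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p;
        if (i >= max_recs || !stream_take(s, 16, &p))
            return -1;                     /* the sample would throw here */
        memcpy(recs[i], p, 16);
    }
    return (int)count;
}

/* Constructed inputs for the example (not taken from the sample). */
static const uint8_t SAMPLE_OK[4 + 32] = {
    2, 0, 0, 0,                                     /* count = 2 */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, /* record 0 */
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
    0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, /* record 1 */
    0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
};
/* Claims three records but carries only one: the second read must fail. */
static const uint8_t SAMPLE_SHORT[4 + 16] = {
    3, 0, 0, 0,
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
};

static uint8_t g_recs[8][16];

/* Parses `buf` from offset 0 into g_recs; returns read_records16's result. */
int parse_sample(const uint8_t *buf, size_t len)
{
    stream_t s = { buf, 0, len };
    memset(g_recs, 0, sizeof g_recs);
    return read_records16(&s, g_recs, 8);
}

uint8_t record_byte(size_t rec, size_t i) { return g_recs[rec][i]; }
```

The point worth noticing in the listing is the order of operations: the new offset is compared against the end before any byte is dereferenced, and the count is never used to size an allocation, only to bound the loop, so a hostile count can at most trigger the throw.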

      C-Code - Quality: 76%
      			E00410840(void* __ebx, void* __ecx, signed int _a4, intOrPtr _a8) {
      				intOrPtr _v8;
      				char _v16;
      				signed int _v20;
      				long _v120;
      				signed int _v124;
      				char _v128;
      				signed int __edi;
      				void* __esi;
      				signed int _t45;
      				signed int _t46;
      				void* _t58;
      				signed int _t60;
      				void* _t67;
      				intOrPtr _t69;
      				void* _t70;
      				void* _t72;
      				void* _t73;
      				signed int _t74;
      
      				_t58 = __ebx;
      				_push(0xffffffff);
      				_push(E004865D0);
      				_push( *[fs:0x0]);
      				_t45 =  *0x4bb1dc; // 0x2927074f
      				_t46 = _t45 ^ _t74;
      				_v20 = _t46;
      				_push(_t46);
      				 *[fs:0x0] =  &_v16;
      				_t72 = __ecx;
      				_t60 = _a4;
      				_t69 = _a8;
      				if(_t60 >= 0 &&  *((intOrPtr*)(__ecx + 0x34 + ( *(__ecx + 0x28) & 0x0000ffff) * 4)) == 0x103) {
      					_t60 = _t60 + 1;
      				}
      				if(_t60 > 3) {
      				} else {
      					switch( *((intOrPtr*)(_t60 * 4 +  &M004109C0))) {
      						case 0:
      							asm("cdq");
      							_t53 = E00436170(_t58, _t67, _t69, _t81,  &_v128,  *((intOrPtr*)(_t72 + 0x34 + ( *(_t72 + 0x28) & 0x0000ffff) * 4)), _t67);
      							_v8 = 0;
      							E0046A0B0(_t69, _t53);
      							_t66 = _v128;
      							_v8 = 0xffffffff;
      							if(_v128 != 0) {
      								E0046A700(_t66);
      							}
      							goto L14;
      						case 1:
      							 &_v124 = E00436170(__ebx, __edx, __edi, __eflags,  &_v124,  *((intOrPtr*)(__esi + 4)), 0);
      							__ecx = __edi;
      							_v8 = 1;
      							__eax = E0046A0B0(__edi, __eax);
      							__ecx = _v124;
      							_v8 = 0xffffffff;
      							__eflags = __ecx;
      							if(__ecx != 0) {
      								__eax = E0046A700(__ecx);
      							}
      							__eax = L"Thread ID";
      							goto L14;
      						case 2:
      							__ecx =  *(__esi + 0x28) & 0x0000ffff;
      							__edx =  *((intOrPtr*)(__esi + 0x44 + __ecx * 4));
      							__eax = E0047123F(__ecx, __edx);
      							asm("divsd xmm0, [0x4962f8]");
      							__esp = __esp - 8;
      							__eax =  &_v120;
      							asm("movsd [esp], xmm0");
      							swprintf( &_v120, 0x32, L"%.07f") =  &_v120;
      							__ecx = __edi;
      							E0046A0F0(__ecx,  &_v120) = L"User Time";
      							goto L14;
      						case 3:
      							__ecx =  *(__esi + 0x28) & 0x0000ffff;
      							__edx =  *((intOrPtr*)(__esi + 0x3c + __ecx * 4));
      							__eax = E0047123F(__ecx, __edx);
      							asm("divsd xmm0, [0x4962f8]");
      							__esp = __esp - 8;
      							__eax =  &_v120;
      							asm("movsd [esp], xmm0");
      							swprintf( &_v120, 0x32, L"%.07f") =  &_v120;
      							__ecx = __edi;
      							E0046A0F0(__ecx,  &_v120) = L"Kernel Time";
      							goto L14;
      					}
      				}
      				L14:
      				 *[fs:0x0] = _v16;
      				_pop(_t70);
      				_pop(_t73);
      				return E0046F77E(_t58, _v20 ^ _t74, _t67, _t70, _t73);
      			}
      Instruction Addresses (one per statement line of the C-Code above, in listing order)
      0x00410840
      0x00410843
      0x00410845
      0x00410850
      0x00410854
      0x00410859
      0x0041085b
      0x00410860
      0x00410864
      0x0041086a
      0x0041086c
      0x0041086f
      0x00410874
      0x00410884
      0x00410884
      0x00410888
      0x0041088e
      0x0041088e
      0x00000000
      0x0041089d
      0x004108a4
      0x004108af
      0x004108b6
      0x004108bb
      0x004108be
      0x004108c7
      0x004108c9
      0x004108c9
      0x00000000
      0x00000000
      0x004108e1
      0x004108ea
      0x004108ec
      0x004108f3
      0x004108f8
      0x004108fb
      0x00410902
      0x00410904
      0x00410906
      0x00410906
      0x0041090b
      0x00000000
      0x00000000
      0x00410915
      0x00410919
      0x00410921
      0x00410926
      0x0041092e
      0x00410931
      0x00410934
      0x00410949
      0x0041094c
      0x00410954
      0x00000000
      0x00000000
      0x0041095b
      0x0041095f
      0x00410967
      0x0041096c
      0x00410974
      0x00410977
      0x0041097a
      0x0041098f
      0x00410992
      0x0041099a
      0x00000000
      0x00000000
      0x0041088e
      0x004109a3
      0x004109a6
      0x004109ae
      0x004109af
      0x004109bd

      APIs
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • swprintf.LIBCMT ref: 00410941
        • Part of subcall function 0046A0F0: _memmove.LIBCMT ref: 0046A13E
        • Part of subcall function 0046A0F0: InterlockedDecrement.KERNEL32(00000000), ref: 0046A151
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: DecrementInterlocked$_memmoveswprintf
      • String ID: %.07f$Exit Status$Kernel Time$Thread ID$User Time
      • API String ID: 1945265472-999235600
      • Opcode ID: 3e1dc04793d4b9ef039cac32aace04b091001c5157a0d1e324ecdee283f4d896
      • Instruction ID: 9be4d5b375ef57258bd1fae79fcbde8119614bbb6b5766eaf2a02e03b714bc75
      • Opcode Fuzzy Hash: 3e1dc04793d4b9ef039cac32aace04b091001c5157a0d1e324ecdee283f4d896
      • Instruction Fuzzy Hash: 2B41FCB0904604DBCB24EF65C911BBFB7B9EF44310F10463FF856A3282EB789984CA56
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E004103D0(void* __ebx, void* __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8) {
      				intOrPtr _v8;
      				char _v16;
      				signed int _v20;
      				long _v120;
      				void* _v124;
      				void* _v128;
      				signed int __edi;
      				void* __esi;
      				signed int _t50;
      				signed int _t51;
      				signed int _t53;
      				void* _t62;
      				intOrPtr _t73;
      				void* _t74;
      				void* _t77;
      				signed int _t78;
      
      				_t71 = __edx;
      				_t62 = __ebx;
      				_push(0xffffffff);
      				_push(E004865D0);
      				_push( *[fs:0x0]);
      				_t50 =  *0x4bb1dc; // 0x2927074f
      				_t51 = _t50 ^ _t78;
      				_v20 = _t51;
      				_push(_t51);
      				 *[fs:0x0] =  &_v16;
      				_t53 = _a4;
      				_t73 = _a8;
      				if(_t53 <= 3) {
      					switch( *((intOrPtr*)(_t53 * 4 +  &M0041054C))) {
      						case 0:
      							_t71 =  *((intOrPtr*)(__ecx + 0x38 + ( *(__ecx + 0x28) & 0x0000ffff) * 4));
      							E004711AE(_t53,  *((intOrPtr*)(__ecx + 0x34 + ( *(__ecx + 0x28) & 0x0000ffff) * 4)),  *((intOrPtr*)(__ecx + 0x38 + ( *(__ecx + 0x28) & 0x0000ffff) * 4)));
      							asm("divsd xmm0, [0x4962f8]");
      							asm("movsd [esp], xmm0");
      							swprintf( &_v120, 0x32, L"%.07f seconds");
      							E0046A0F0(_t73,  &_v120);
      							goto L11;
      						case 1:
      							__ecx =  *(__esi + 0x28) & 0x0000ffff;
      							__edx =  *((intOrPtr*)(__esi + 0x40 + __ecx * 4));
      							__eax = E004711AE(__eax, __ecx, __edx);
      							asm("divsd xmm0, [0x4962f8]");
      							__esp = __esp - 8;
      							__eax =  &_v120;
      							asm("movsd [esp], xmm0");
      							swprintf( &_v120, 0x32, L"%.07f seconds") =  &_v120;
      							__ecx = __edi;
      							E0046A0F0(__ecx,  &_v120) = L"Kernel Time";
      							goto L11;
      						case 2:
      							 *(__esi + 0x28) & 0x0000ffff =  &_v128;
      							__eax = E00436C80(__ebx, __edx, __edi,  &_v128,  *((intOrPtr*)(__esi + 0x4c +  &_v128 * 4)),  *((intOrPtr*)(__esi + 0x50 +  &_v128 * 4)), 0);
      							__ecx = __edi;
      							_v8 = 0;
      							__eax = E0046A0B0(__edi, __eax);
      							__ecx = _v128;
      							_v8 = 0xffffffff;
      							if(__ecx != 0) {
      								__eax = E0046A700(__ecx);
      							}
      							__eax = L"Private Bytes";
      							goto L11;
      						case 3:
      							 *(__esi + 0x28) & 0x0000ffff =  &_v124;
      							__eax = E00436C80(__ebx, __edx, __edi,  &_v124,  *((intOrPtr*)(__esi + 0x44 +  &_v124 * 4)),  *((intOrPtr*)(__esi + 0x48 +  &_v124 * 4)), 0);
      							__ecx = __edi;
      							_v8 = 1;
      							__eax = E0046A0B0(__edi, __eax);
      							__ecx = _v124;
      							_v8 = 0xffffffff;
      							if(__ecx != 0) {
      								__eax = E0046A700(__ecx);
      							}
      							__eax = L"Working Set";
      							goto L11;
      					}
      				}
      				L11:
      				 *[fs:0x0] = _v16;
      				_pop(_t74);
      				_pop(_t77);
      				return E0046F77E(_t62, _v20 ^ _t78, _t71, _t74, _t77);
      			}
      Instruction Addresses (one per statement line of the C-Code above, in listing order)
      0x004103d0
      0x004103d0
      0x004103d3
      0x004103d5
      0x004103e0
      0x004103e4
      0x004103e9
      0x004103eb
      0x004103f0
      0x004103f4
      0x004103fc
      0x004103ff
      0x00410405
      0x0041040b
      0x00000000
      0x00410416
      0x0041041e
      0x00410423
      0x00410431
      0x0041043e
      0x0041044c
      0x00000000
      0x00000000
      0x0041045b
      0x0041045f
      0x00410467
      0x0041046c
      0x00410474
      0x00410477
      0x0041047a
      0x0041048f
      0x00410492
      0x0041049a
      0x00000000
      0x00000000
      0x004104b2
      0x004104b6
      0x004104bf
      0x004104c1
      0x004104c8
      0x004104cd
      0x004104d0
      0x004104d9
      0x004104db
      0x004104db
      0x004104e0
      0x00000000
      0x00000000
      0x004104f5
      0x004104f9
      0x00410502
      0x00410504
      0x0041050b
      0x00410510
      0x00410513
      0x0041051c
      0x0041051e
      0x0041051e
      0x00410523
      0x00000000
      0x00000000
      0x0041040b
      0x0041052c
      0x0041052f
      0x00410537
      0x00410538
      0x00410546

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: swprintf
      • String ID: %.07f seconds$Kernel Time$Private Bytes$User Time$Working Set
      • API String ID: 233258989-2080617067
      • Opcode ID: b9ad065bd582b839260f9f2dc83c7e81c35b1e7406148df78600cf017d3186c1
      • Instruction ID: b5956aca837ec026178d447e50d14d746e63e3168267c7782314cfb4b624f05e
      • Opcode Fuzzy Hash: b9ad065bd582b839260f9f2dc83c7e81c35b1e7406148df78600cf017d3186c1
      • Instruction Fuzzy Hash: BB41FC70A04604DBCB20EFA9C901BBEB7B9EF04311F10462FF815A3282E7799550CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 72%
      			E00434010(intOrPtr __edx, void* __eflags, intOrPtr* _a4, intOrPtr* _a8, char _a12) {
      				signed int _v8;
      				char _v136;
      				intOrPtr* _v140;
      				intOrPtr _v144;
      				intOrPtr _v148;
      				intOrPtr _v152;
      				intOrPtr _v156;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t19;
      				intOrPtr* _t22;
      				signed int _t55;
      				intOrPtr _t60;
      				void* _t61;
      				signed int _t63;
      				signed int _t65;
      
      				_t60 = __edx;
      				_t19 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t19 ^ _t65;
      				_v140 = _a4;
      				_t22 = _a8;
      				_v152 = 0;
      				_v144 =  *_t22;
      				_v148 =  *((intOrPtr*)(_t22 + 4));
      				_t61 = E00472240(E00472240( *_t22,  *((intOrPtr*)(_t22 + 4)), 0x2710, 0), _t60, 0x3e8, 0);
      				_t63 = E00472240(_t61, _t60, 0x3c, 0);
      				_t55 = E00472240(_t63, _t60, 0x3c, 0);
      				_v156 = _t60;
      				if(_a12 == 0) {
      					_t62 = _t61 - ((_t63 << 4) - _t63 << 2);
      					_push(_t61 - ((_t63 << 4) - _t63 << 2));
      					_t64 = _t63 - ((_t55 << 4) - _t55 << 2);
      					_push(_t63 - ((_t55 << 4) - _t55 << 2));
      					E00431890( &_v136, L"%02u:%02u:%02u", _t55);
      				} else {
      					_push(E00472090(_v144, _v148, 0x989680, 0));
      					_t62 = _t61 - ((_t63 << 4) - _t63 << 2);
      					_push(_t61 - ((_t63 << 4) - _t63 << 2));
      					_t64 = _t63 - ((_t55 << 4) - _t55 << 2);
      					_push(_t63 - ((_t55 << 4) - _t55 << 2));
      					E00431890( &_v136, L"%02u:%02u:%02u.%07u", _t55);
      				}
      				 *_v140 = E0046A6C0(_t55,  &_v136, E0046A530( &_v136));
      				return E0046F77E(_t55, _v8 ^ _t65, _t60, _t62, _t64);
      			}
      Instruction Addresses (one per statement line of the C-Code above, in listing order)
      0x00434010
      0x00434019
      0x00434020
      0x00434029
      0x0043402f
      0x00434039
      0x0043404a
      0x00434050
      0x0043406d
      0x0043407a
      0x00434087
      0x00434089
      0x0043408f
      0x004340e5
      0x004340f1
      0x004340f2
      0x004340fa
      0x00434102
      0x00434091
      0x004340a9
      0x004340b4
      0x004340c0
      0x004340c1
      0x004340c9
      0x004340d1
      0x004340d6
      0x0043412c
      0x00434140

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: __aulldiv$__aullremvswprintf
      • String ID: %02u:%02u:%02u$%02u:%02u:%02u.%07u
      • API String ID: 3442584846-3914380685
      • Opcode ID: 623ab6cd1ceefd3afee796853c057c6da4f17b666b53313240bd9e9736b17e3e
      • Instruction ID: 05dc7aef1c08a582af74dc69a9556379fa6599bae63f6cf1da78ead00f5b78e9
      • Opcode Fuzzy Hash: 623ab6cd1ceefd3afee796853c057c6da4f17b666b53313240bd9e9736b17e3e
      • Instruction Fuzzy Hash: D931BD71A002246FFB209E798D46FAB76BCDB44744F0041AAF60DE7281D974EF548B98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 81%
      			E0043AB75() {
      				void* __ebx;
      				long _t39;
      				intOrPtr _t41;
      				long _t43;
      				intOrPtr _t48;
      				void* _t51;
      				void* _t52;
      				void* _t54;
      				long _t64;
      				void* _t65;
      				intOrPtr _t66;
      				void* _t68;
      				void* _t71;
      				signed int _t72;
      				void* _t74;
      
      				while(WaitForSingleObject( *0x4bce44, 0) != 0 && ReadFile(_t51, _t72 - 0x20010, 0x20000, _t72 - 0x20014, 0) != 0) {
      					_t39 =  *(_t72 - 0x20014);
      					if(_t39 != 0) {
      						_t66 = 0;
      						if(_t39 >= 0x34) {
      							while(1) {
      								_t54 = _t72 - 0x20010 + _t66;
      								_t64 = _t54 + 0x34;
      								_t71 =  *((intOrPtr*)(_t54 + 0x2c)) + ( *(_t54 + 0x28) & 0x0000ffff) * 4 - _t54 + _t64;
      								_t41 = _t71 + _t66;
      								 *((intOrPtr*)(_t72 - 0x20038)) = _t41;
      								if(_t41 >  *(_t72 - 0x20014)) {
      									break;
      								}
      								L0043B170(_t54, _t71);
      								_t74 = _t74 + 8;
      								 *((intOrPtr*)(_t72 - 0x20034)) =  *((intOrPtr*)(_t72 - 0x20034)) + _t71;
      								asm("adc ebx, 0x0");
      								_t48 = E00472240( *((intOrPtr*)(_t72 - 0x20034)) + _t71,  *((intOrPtr*)(_t72 - 0x2002c)), 0x3e8, 0);
      								_t66 =  *((intOrPtr*)(_t72 - 0x20038));
      								 *((intOrPtr*)(_t72 - 0x20074)) = _t48;
      								if( *(_t72 - 0x20014) - _t66 >= 0x34) {
      									continue;
      								}
      								break;
      							}
      							if(_t66 == 0) {
      								_t51 =  *(_t72 - 0x20030);
      							} else {
      								E00418740(0x4bca10, 0);
      								_t51 =  *(_t72 - 0x20030);
      								_t43 = _t66 -  *(_t72 - 0x20014);
      								asm("cdq");
      								 *(_t72 - 0x20044) = _t43;
      								 *(_t72 - 0x20040) = _t64;
      								SetFilePointer(_t51, _t43, _t72 - 0x20040, 1);
      								if( *((char*)(_t72 - 0x20025)) == 0) {
      									continue;
      								} else {
      								}
      							}
      						}
      					}
      					break;
      				}
      				CloseHandle(_t51);
      				 *0x4bce38 = 0;
      				 *((char*)(_t72 - 4)) = 0;
      				E0040C9C0(_t72 - 0x20078);
      				LeaveCriticalSection(0x4bca10);
      				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
      				_pop(_t65);
      				_pop(_t68);
      				_pop(_t52);
      				return E0046F77E(_t52,  *(_t72 - 0x10) ^ _t72, _t64, _t65, _t68);
      			}
      Instruction addresses for the listing above:
      0x0043ab80, 0x0043abba, 0x0043abc2, 0x0043abc8, 0x0043abcd, 0x0043abd3, 0x0043abd9, 0x0043abde,
      0x0043abea, 0x0043abec, 0x0043abef, 0x0043abfb, 0x00000000, 0x00000000, 0x0043abff, 0x0043ac0a,
      0x0043ac15, 0x0043ac1b, 0x0043ac2d, 0x0043ac32, 0x0043ac38, 0x0043ac49, 0x00000000, 0x00000000,
      0x00000000, 0x0043ac49, 0x0043ac4d, 0x0043ac96, 0x0043ac4f, 0x0043ac56, 0x0043ac67, 0x0043ac6d,
      0x0043ac71, 0x0043ac75, 0x0043ac7b, 0x0043ac81, 0x0043ac8e, 0x00000000, 0x00000000, 0x0043ac94,
      0x0043ac8e, 0x0043ac4d, 0x0043abcd, 0x00000000, 0x0043abc2, 0x0043ac9d, 0x0043aca9, 0x0043acb3,
      0x0043acb7, 0x0043acc1, 0x0043accc, 0x0043acd4, 0x0043acd5, 0x0043acd6, 0x0043ace4

      APIs
      • WaitForSingleObject.KERNEL32(00000000,?,Converting boot-time event data,00000000,00000000,?,000003E8,00000000,?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0043AB88
      • ReadFile.KERNEL32(00000000,?,00020000,?,00000000,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0043ABAC
      • __aulldiv.LIBCMT ref: 0043AC2D
      • SetFilePointer.KERNEL32(?,?,?,00000001,00000000,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0043AC81
      • CloseHandle.KERNEL32(00000000,?,Converting boot-time event data,00000000,00000000,?,000003E8,00000000,?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0043AC9D
      • LeaveCriticalSection.KERNEL32(004BCA10,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0043ACC1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: File$CloseCriticalHandleLeaveObjectPointerReadSectionSingleWait__aulldiv
      • String ID: tGj
      • API String ID: 1515721997-3202762778
      • Opcode ID: 63ea609412c39e8a76e31b0831fa9e7370a1f8efd113e73782375df2830c4356
      • Instruction ID: 6991972ef08b4f96b0454f63ad61b6941432448effec7db9db7f7480cf8e2cf3
      • Opcode Fuzzy Hash: 63ea609412c39e8a76e31b0831fa9e7370a1f8efd113e73782375df2830c4356
      • Instruction Fuzzy Hash: FE31B5709843188FEB21CF24DDC5B99B778FB08344F0014EAE90DA3252D774A954CF69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E0044EF01(void* __ebx, void* __edx) {
      				struct HWND__* __esi;
      				void* _t25;
      				int _t26;
      				void* _t31;
      				void* _t33;
      				struct HWND__* _t34;
      				void* _t35;
      				signed int _t36;
      
      				_t31 = __edx;
      				_t25 = __ebx;
      				if(SendMessageW(GetDlgItem(_t34, 0x3f9), 0x1042, 0, 0) >= 0) {
      					 *(__ebp - 0x62c) = 0x4bca10;
      					EnterCriticalSection(0x4bca10);
      					__eax = __ebp - 0x4b4;
      					 *(__ebp - 4) = 0x10;
      					__ecx = 0x4bca10;
      					__eax = E0040D160(0x4bca10, __ebp - 0x4b4, __edi);
      					 *(__ebp - 0x624) = 0;
      					__eax = __ebp - 0x624;
      					 *(__ebp - 4) = 0x12;
      					__ecx = __ebp - 0x4b4;
      					E00410F20(__ebx, __ecx, __edi, __esi, 0xffffffff, __ebp - 0x624) =  *((intOrPtr*)(__ebp - 0x4ac));
      					__eax =  *( *((intOrPtr*)(__ebp - 0x4ac)) + 8) & 0x0000ffff;
      					__eax = ( *( *((intOrPtr*)(__ebp - 0x4ac)) + 8) & 0x0000ffff) - 2;
      					__eflags = __eax;
      					if(__eax == 0) {
      						_push(__ecx);
      						__ecx =  *(__ebp - 0x624);
      						__eax = __esp;
      						 *__esp = __ecx;
      						__eflags = __ecx;
      						if(__eflags != 0) {
      							__eax = E0046A420(__ecx);
      						}
      						_push(__esi);
      						__eax = L0042DF30(__edx, __eflags);
      						L14:
      						__esp = __esp + 8;
      						L15:
      						__ecx =  *(__ebp - 0x624);
      						 *(__ebp - 4) = 0x11;
      						__eflags = __ecx;
      						if(__ecx != 0) {
      							__eax = E0046A700(__ecx);
      						}
      						 *(__ebp - 4) = 0x10;
      						__ecx = __ebp - 0x4b4;
      						__eax = E0040F960(__ecx, __esi);
      						LeaveCriticalSection(0x4bca10);
      						goto L1;
      					}
      					__eax = __eax - 1;
      					__eflags = __eax;
      					if(__eax == 0) {
      						_push(__ecx);
      						__ecx =  *(__ebp - 0x624);
      						__eax = __esp;
      						 *__esp = __ecx;
      						__eflags = __ecx;
      						if(__eflags != 0) {
      							__eax = E0046A420(__ecx);
      						}
      						_push(__esi);
      						__eax = E0042DD50(__eflags);
      						goto L14;
      					}
      					__eax = MessageBoxW(__esi, L"Jump not implemented for this event class", L"Process Monitor", 0x10);
      					goto L15;
      				}
      				L1:
      				_t26 =  *(_t36 + 0xc);
      				DefWindowProcW(_t34, _t26,  *(_t36 - 0x628),  *(_t36 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
      				_pop(_t33);
      				_pop(_t35);
      				return E0046F77E(_t25,  *(_t36 - 0x10) ^ _t36, _t31, _t33, _t35);
      			}
      Instruction addresses for the listing above:
      0x0044ef01, 0x0044ef01, 0x0044ef21, 0x0044ef2c, 0x0044ef36, 0x0044ef3d, 0x0044ef43, 0x0044ef4b,
      0x0044ef50, 0x0044ef55, 0x0044ef5f, 0x0044ef65, 0x0044ef6c, 0x0044ef77, 0x0044ef7d, 0x0044ef81,
      0x0044ef81, 0x0044ef84, 0x0044efba, 0x0044efbb, 0x0044efc1, 0x0044efc3, 0x0044efc5, 0x0044efc7,
      0x0044efc9, 0x0044efc9, 0x0044efce, 0x0044efcf, 0x0044efd4, 0x0044efd4, 0x0044efd7, 0x0044efd7,
      0x0044efdd, 0x0044efe1, 0x0044efe3, 0x0044efe5, 0x0044efe5, 0x0044efea, 0x0044eaad, 0x0044eab3,
      0x0044eabd, 0x00000000, 0x0044eabd, 0x0044ef86, 0x0044ef86, 0x0044ef87, 0x0044ef9e, 0x0044ef9f,
      0x0044efa5, 0x0044efa7, 0x0044efa9, 0x0044efab, 0x0044efad, 0x0044efad, 0x0044efb2, 0x0044efb3,
      0x00000000, 0x0044efb3, 0x0044ef96, 0x00000000, 0x0044ef96, 0x0044e726, 0x0044e726, 0x0044e737,
      0x0044e740, 0x0044e748, 0x0044e749, 0x0044e757

      APIs
      • DefWindowProcW.USER32(?,?,?,?,2927074F), ref: 0044E737
      • GetDlgItem.USER32 ref: 0044EF10
      • SendMessageW.USER32(00000000,?,000003F9,00001042), ref: 0044EF17
      • EnterCriticalSection.KERNEL32 ref: 0044EF36
      • MessageBoxW.USER32(?,Jump not implemented for this event class,Process Monitor,00000010), ref: 0044EF96
      Strings
      • Process Monitor, xrefs: 0044EF8B
      • Jump not implemented for this event class, xrefs: 0044EF90
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Message$CriticalEnterItemProcSectionSendWindow
      • String ID: Jump not implemented for this event class$Process Monitor
      • API String ID: 3564307289-1122045185
      • Opcode ID: 1b3f1e16749e08ff99f2c85114aeed385d71495c560e2d86b8cab84490d61236
      • Instruction ID: 5d3cba4240bbbd27c077e0feca74d7389505e3050b246488eef36b1d4723ff7c
      • Opcode Fuzzy Hash: 1b3f1e16749e08ff99f2c85114aeed385d71495c560e2d86b8cab84490d61236
      • Instruction Fuzzy Hash: 0231E574601A18AFDB249B55DC16BEE77B5BF49314F1040AEF406B2281CB785E54CF2E
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • FindCompleteObject.LIBCMT ref: 004736CA
      • FindMITargetTypeInstance.LIBCMT ref: 00473703
        • Part of subcall function 00473369: PMDtoOffset.LIBCMT ref: 004733FB
      • FindVITargetTypeInstance.LIBCMT ref: 0047370A
      • PMDtoOffset.LIBCMT ref: 0047371B
      • std::bad_exception::bad_exception.LIBCMT ref: 00473744
      • __CxxThrowException@8.LIBCMT ref: 00473752
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Find$InstanceOffsetTargetType$CompleteException@8ObjectThrowstd::bad_exception::bad_exception
      • String ID: Bad dynamic_cast!
      • API String ID: 1565299582-2956939130
      • Opcode ID: 409682e920be8ba57342652390a666177a26016009435b18c5c8cb24434f5de9
      • Instruction ID: b97ec3ceff1eb10dda2e6b550741ce4db0d786c6e329014cb8c9b55fa9d200c6
      • Opcode Fuzzy Hash: 409682e920be8ba57342652390a666177a26016009435b18c5c8cb24434f5de9
      • Instruction Fuzzy Hash: B921C6B2A00205AFCB15DFA5CC41AEF7B74AB48702F14C05FF81993341DA389B00EBA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E0042F2A7(void* __ebx, signed int __edx) {
      				void* __edi;
      				long _t131;
      				struct HICON__* _t136;
      				int _t137;
      				int _t146;
      				long _t150;
      				int _t151;
      				int _t154;
      				int _t157;
      				int _t158;
      				int _t159;
      				int _t170;
      				long _t172;
      				intOrPtr _t177;
      				int _t183;
      				long _t186;
      				int _t187;
      				int _t188;
      				void* _t203;
      				int _t212;
      				void* _t219;
      				signed int _t222;
      				struct HWND__* _t228;
      				int _t229;
      				struct HWND__* _t230;
      				void* _t231;
      				int _t232;
      				int _t233;
      				int _t234;
      				int _t235;
      				void* _t236;
      				int _t237;
      				int _t238;
      				int* _t239;
      				signed int _t241;
      				void* _t243;
      				void* _t244;
      				void* _t247;
      				void* _t248;
      				void* _t249;
      				void* _t250;
      				void* _t251;
      
      				_t222 = __edx;
      				_t203 = __ebx;
      				while(1) {
      					_push(L".CSV");
      					E00435A10(_t241 - 0x218, 0x104);
      					_t229 = E00405D60(_t228);
      					_t244 = _t243 + 0x10;
      					 *(_t241 - 0x438) = _t229;
      					if(_t229 == 0) {
      						_t131 = SendMessageW(SendMessageW( *(_t241 - 0x430), 0x101f, 0, 0), 0x1200, 0, 0);
      					} else {
      						_t131 = E00404130(_t229);
      					}
      					 *(_t241 - 0x434) = _t131;
      					 *(_t241 - 0x424) = 0;
      					E00471CA4(_t241 - 0x424, _t241 - 0x218, L"wt");
      					_t243 = _t244 + 0xc;
      					if( *(_t241 - 0x424) != 0) {
      						break;
      					}
      					_t228 =  *(_t241 - 0x430);
      					MessageBoxW(_t228, L"Unable to open file for writing", L"Export Listview", 0x10);
      					 *(_t241 - 0x4f8) = 0x58;
      					 *((intOrPtr*)(_t241 - 0x4dc)) = _t241 - 0x218;
      					 *(_t241 - 0x4f4) = _t228;
      					 *((intOrPtr*)(_t241 - 0x4d8)) = 0x104;
      					 *((intOrPtr*)(_t241 - 0x4ec)) = L"Text File (*.CSV)";
      					 *((intOrPtr*)(_t241 - 0x4c4)) = 8;
      					if(GetSaveFileNameW(_t241 - 0x4f8) != 0) {
      						continue;
      					}
      					L7:
      					 *[fs:0x0] =  *((intOrPtr*)(_t241 - 0xc));
      					_pop(_t231);
      					_pop(_t236);
      					return E0046F77E(_t203,  *(_t241 - 0x10) ^ _t241, _t222, _t231, _t236);
      				}
      				_t136 = SetCursor(LoadCursorW(0, 0x7f02));
      				__eflags =  *((char*)(_t241 + 0xc));
      				 *(_t241 - 0x43c) = _t136;
      				if( *((char*)(_t241 + 0xc)) == 0) {
      					L36:
      					_t230 =  *(_t241 - 0x430);
      					_t137 = SendMessageW(_t230, 0x1004, 0, 0);
      					_t235 = 0;
      					 *(_t241 - 0x438) = _t137;
      					 *(_t241 - 0x42c) = 0;
      					__eflags = _t137;
      					if(__eflags == 0) {
      						L65:
      						_push( *(_t241 - 0x424));
      						L00471E1F(_t203, _t230, _t235, __eflags);
      						SetCursor( *(_t241 - 0x43c));
      						goto L7;
      					}
      					do {
      						E00470030(_t241 - 0x470, 0, 0x30);
      						 *(_t241 - 0x474) = 1;
      						 *(_t241 - 0x45c) = 0x400;
      						_t222 = 0x800 >> 0x20;
      						_push( ~(0 | __eflags > 0x00000000) | 0x800);
      						_t146 = E0046EE59(_t203, _t230, __eflags);
      						_t212 = 0;
      						 *(_t241 - 0x460) = _t146;
      						_t247 = _t243 + 0x10;
      						 *(_t241 - 0x428) = 0;
      						__eflags =  *(_t241 - 0x434);
      						if(__eflags <= 0) {
      							goto L64;
      						}
      						while(1) {
      							 *_t146 = 0;
      							 *(_t241 - 0x470) = _t235;
      							 *(_t241 - 0x46c) = _t212;
      							_t150 = SendMessageW(_t230, 0x1073, _t235, _t241 - 0x474);
      							_t222 =  *(_t241 - 0x45c);
      							_t79 = _t222 - 1; // 0x3ff
      							_t213 = _t79;
      							__eflags = _t150 - _t79;
      							if(__eflags != 0) {
      								goto L42;
      							}
      							do {
      								L41:
      								 *(_t241 - 0x45c) = _t222 + 0x400;
      								L0047002A( *(_t241 - 0x460));
      								_push( ~(0 | __eflags > 0x00000000) |  *(_t241 - 0x45c) * 0x00000002);
      								_t170 = E0046EE59(_t203, _t230, __eflags);
      								_t247 = _t247 + 8;
      								 *(_t241 - 0x460) = _t170;
      								_t172 = SendMessageW(_t230, 0x1073, _t235, _t241 - 0x474);
      								_t222 =  *(_t241 - 0x45c);
      								_t92 = _t222 - 1; // 0x3ff
      								_t213 = _t92;
      								__eflags = _t172 - _t92;
      							} while (__eflags == 0);
      							L42:
      							_t232 =  *(_t241 - 0x460);
      							_push(0xc);
      							_t151 = E0046EEB6(_t203, _t232, __eflags);
      							_t237 = _t151;
      							_t248 = _t247 + 4;
      							 *(_t241 - 0x440) = _t237;
      							 *(_t241 - 4) = 1;
      							__eflags = _t237;
      							if(_t237 == 0) {
      								L46:
      								_t237 = 0;
      								__eflags = 0;
      								L47:
      								 *(_t241 - 4) = 0xffffffff;
      								 *(_t241 - 0x440) = _t237;
      								__eflags = _t237;
      								if(_t237 == 0) {
      									L45:
      									E0046E410(0x8007000e);
      									goto L46;
      								}
      								__eflags =  *(_t241 - 0x428);
      								 *(_t241 - 4) = 2;
      								if(__eflags != 0) {
      									_push( *(_t241 - 0x424));
      									_push(0x2c);
      									E00472868(_t203, _t232, _t237, __eflags);
      									_t248 = _t248 + 8;
      								}
      								_push( *(_t241 - 0x424));
      								_push(0x22);
      								E00472868(_t203, _t232, _t237, __eflags);
      								_t249 = _t248 + 8;
      								__eflags =  *(_t237 + 4);
      								if( *(_t237 + 4) == 0) {
      									 *(_t237 + 4) = E0046E430(_t213,  *_t237);
      								}
      								_t233 =  *(_t237 + 4);
      								_t154 =  *_t233;
      								__eflags = _t154;
      								if(__eflags == 0) {
      									L56:
      									_push( *(_t241 - 0x424));
      									_push(0x22);
      									E00472868(_t203, _t233, _t237, __eflags);
      									_t247 = _t249 + 8;
      									 *(_t241 - 4) = 0xffffffff;
      									_t112 = _t237 + 8; // 0x8
      									_t157 = InterlockedDecrement(_t112);
      									__eflags = _t157;
      									if(_t157 != 0) {
      										L62:
      										_t235 =  *(_t241 - 0x42c);
      										_t212 =  *(_t241 - 0x428) + 1;
      										_t230 =  *(_t241 - 0x430);
      										 *(_t241 - 0x428) = _t212;
      										__eflags = _t212 -  *(_t241 - 0x434);
      										if(__eflags >= 0) {
      											break;
      										}
      										_t146 =  *(_t241 - 0x460);
      										 *_t146 = 0;
      										 *(_t241 - 0x470) = _t235;
      										 *(_t241 - 0x46c) = _t212;
      										_t150 = SendMessageW(_t230, 0x1073, _t235, _t241 - 0x474);
      										_t222 =  *(_t241 - 0x45c);
      										_t79 = _t222 - 1; // 0x3ff
      										_t213 = _t79;
      										__eflags = _t150 - _t79;
      										if(__eflags != 0) {
      											goto L42;
      										}
      										goto L41;
      									}
      									_t158 =  *_t237;
      									__eflags = _t158;
      									if(_t158 != 0) {
      										__imp__#6(_t158);
      										 *_t237 = 0;
      									}
      									_t159 =  *(_t237 + 4);
      									__eflags = _t159;
      									if(_t159 != 0) {
      										E0046EF07(_t159);
      										_t247 = _t247 + 4;
      										 *(_t237 + 4) = 0;
      									}
      									E0046EF07(_t237);
      									_t247 = _t247 + 4;
      									goto L62;
      								} else {
      									do {
      										__eflags = _t154 - 0x22;
      										if(__eflags == 0) {
      											_push( *(_t241 - 0x424));
      											_push(0x22);
      											E00472868(_t203, _t233, _t237, __eflags);
      											_t249 = _t249 + 8;
      										}
      										_push( *(_t241 - 0x424));
      										_push( *_t233);
      										E00472868(_t203, _t233, _t237, __eflags);
      										_t154 =  *(_t233 + 1);
      										_t233 = _t233 + 1;
      										_t249 = _t249 + 8;
      										__eflags = _t154;
      									} while (__eflags != 0);
      									goto L56;
      								}
      							}
      							 *(_t237 + 4) = 0;
      							 *(_t237 + 8) = 1;
      							__imp__#2(_t232);
      							 *_t237 = _t151;
      							__eflags = _t151;
      							if(_t151 != 0) {
      								goto L47;
      							}
      							__eflags = _t232;
      							if(_t232 == 0) {
      								goto L47;
      							}
      							goto L45;
      						}
      						L64:
      						_push( *(_t241 - 0x424));
      						_push(0xa);
      						E00472868(_t203, _t230, _t235, __eflags);
      						L0047002A( *(_t241 - 0x460));
      						_t235 = _t235 + 1;
      						_t243 = _t247 + 0xc;
      						 *(_t241 - 0x42c) = _t235;
      						__eflags = _t235 -  *(_t241 - 0x438);
      					} while (__eflags < 0);
      					goto L65;
      				}
      				_t238 = 0;
      				 *(_t241 - 0x428) = 0;
      				__eflags =  *(_t241 - 0x434);
      				if(__eflags <= 0) {
      					L35:
      					_push( *(_t241 - 0x424));
      					_push(0xa);
      					E00472868(_t203, _t229, _t238, __eflags);
      					_t243 = _t243 + 8;
      					goto L36;
      				}
      				do {
      					 *((short*)(_t241 - 0x420)) = 0;
      					E00470030(_t241 - 0x41e, 0, 0x206);
      					_t250 = _t243 + 0xc;
      					_t177 = _t241 - 0x420;
      					asm("xorps xmm0, xmm0");
      					__eflags = _t229;
      					if(_t229 == 0) {
      						asm("movdqu [ebp-0x490], xmm0");
      						 *((intOrPtr*)(_t241 - 0x488)) = _t177;
      						asm("movq [ebp-0x480], xmm0");
      						 *(_t241 - 0x478) = 0;
      						 *(_t241 - 0x494) = 4;
      						 *((intOrPtr*)(_t241 - 0x484)) = 0x104;
      						SendMessageW( *(_t241 - 0x430), 0x105f, _t238, _t241 - 0x494);
      					} else {
      						asm("movdqu [ebp-0x49c], xmm0");
      						 *((intOrPtr*)(_t241 - 0x498)) = _t177;
      						asm("movq [ebp-0x47c], xmm0");
      						asm("movdqu [ebp-0x48c], xmm0");
      						 *(_t241 - 0x4a0) = 2;
      						 *((intOrPtr*)(_t241 - 0x490)) = 0x104;
      						E00406150(_t229, _t238, _t241 - 0x4a0);
      					}
      					_t219 = _t241 - 0x42c;
      					E00402050(_t241 - 0x420);
      					 *(_t241 - 4) = 0;
      					__eflags = _t238;
      					if(__eflags != 0) {
      						_push( *(_t241 - 0x424));
      						_push(0x2c);
      						E00472868(_t203, _t229, _t238, __eflags);
      						_t250 = _t250 + 8;
      					}
      					_push( *(_t241 - 0x424));
      					_push(0x22);
      					E00472868(_t203, _t229, _t238, __eflags);
      					_t239 =  *(_t241 - 0x42c);
      					_t251 = _t250 + 8;
      					__eflags = _t239;
      					if(_t239 == 0) {
      						_t234 = 0;
      						__eflags = 0;
      					} else {
      						__eflags = _t239[1];
      						if(_t239[1] == 0) {
      							_t239[1] = E0046E430(_t219,  *_t239);
      						}
      						_t234 = _t239[1];
      					}
      					_t183 =  *_t234;
      					__eflags = _t183;
      					if(__eflags != 0) {
      						do {
      							__eflags = _t183 - 0x22;
      							if(__eflags == 0) {
      								_push( *(_t241 - 0x424));
      								_push(0x22);
      								E00472868(_t203, _t234, _t239, __eflags);
      								_t251 = _t251 + 8;
      							}
      							_push( *(_t241 - 0x424));
      							_push( *_t234);
      							E00472868(_t203, _t234, _t239, __eflags);
      							_t183 =  *(_t234 + 1);
      							_t234 = _t234 + 1;
      							_t251 = _t251 + 8;
      							__eflags = _t183;
      						} while (__eflags != 0);
      					}
      					_push( *(_t241 - 0x424));
      					_push(0x22);
      					E00472868(_t203, _t234, _t239, __eflags);
      					_t243 = _t251 + 8;
      					 *(_t241 - 4) = 0xffffffff;
      					__eflags = _t239;
      					if(_t239 != 0) {
      						_t186 = InterlockedDecrement( &(_t239[2]));
      						__eflags = _t186;
      						if(_t186 == 0) {
      							_t187 =  *_t239;
      							__eflags = _t187;
      							if(_t187 != 0) {
      								__imp__#6(_t187);
      								 *_t239 = 0;
      							}
      							_t188 = _t239[1];
      							__eflags = _t188;
      							if(_t188 != 0) {
      								E0046EF07(_t188);
      								_t243 = _t243 + 4;
      								_t239[1] = 0;
      							}
      							E0046EF07(_t239);
      							_t243 = _t243 + 4;
      						}
      						 *(_t241 - 0x42c) = 0;
      					}
      					_t229 =  *(_t241 - 0x438);
      					_t238 =  *(_t241 - 0x428) + 1;
      					 *(_t241 - 0x428) = _t238;
      					__eflags = _t238 -  *(_t241 - 0x434);
      				} while (__eflags < 0);
      				goto L35;
      			}
      Instruction addresses for the listing above:
      0x0042f2a7, 0x0042f2a7, 0x0042f2b0, 0x0042f2b0, 0x0042f2c1, 0x0042f2cc, 0x0042f2ce, 0x0042f2d1,
      0x0042f2d9, 0x0042f303, 0x0042f2db, 0x0042f2dd, 0x0042f2dd, 0x0042f309, 0x0042f321, 0x0042f32c,
      0x0042f331, 0x0042f33b, 0x00000000, 0x00000000, 0x0042f341, 0x0042f354, 0x0042f360, 0x0042f36a,
      0x0042f377, 0x0042f37d, 0x0042f387, 0x0042f391, 0x0042f39f, 0x00000000, 0x00000000, 0x0042f3a7,
      0x0042f3aa, 0x0042f3b2, 0x0042f3b3, 0x0042f3c1, 0x0042f3c1, 0x0042f3d0, 0x0042f3d6, 0x0042f3da,
      0x0042f3e0, 0x0042f5e3, 0x0042f5e3, 0x0042f5f3, 0x0042f5f9, 0x0042f5fb, 0x0042f601, 0x0042f607,
      0x0042f609, 0x0042f887, 0x0042f887, 0x0042f88d, 0x0042f89b, 0x00000000, 0x0042f8a1, 0x0042f610,
      0x0042f61b, 0x0042f622, 0x0042f631, 0x0042f640, 0x0042f649, 0x0042f64a, 0x0042f64f, 0x0042f651,
      0x0042f657, 0x0042f65a, 0x0042f660, 0x0042f666, 0x00000000, 0x00000000, 0x0042f670, 0x0042f672,
      0x0042f683, 0x0042f689, 0x0042f68f, 0x0042f695, 0x0042f69b, 0x0042f69b, 0x0042f69e, 0x0042f6a0,
      0x00000000, 0x00000000, 0x0042f6a2, 0x0042f6a2, 0x0042f6ae, 0x0042f6b4, 0x0042f6cf, 0x0042f6d0,
      0x0042f6d5, 0x0042f6d8, 0x0042f6ec, 0x0042f6f2, 0x0042f6f8, 0x0042f6f8, 0x0042f6fb, 0x0042f6fb,
      0x0042f6ff, 0x0042f6ff, 0x0042f705, 0x0042f707, 0x0042f70c, 0x0042f70e, 0x0042f711, 0x0042f717,
      0x0042f71e, 0x0042f720, 0x0042f74b, 0x0042f74b, 0x0042f74b, 0x0042f74d, 0x0042f74d, 0x0042f754,
      0x0042f75a, 0x0042f75c, 0x0042f741, 0x0042f746, 0x00000000, 0x0042f746, 0x0042f75e, 0x0042f765,
      0x0042f76c, 0x0042f76e, 0x0042f774, 0x0042f776, 0x0042f77b, 0x0042f77b, 0x0042f77e, 0x0042f784,
      0x0042f786, 0x0042f78b, 0x0042f78e, 0x0042f792, 0x0042f79b, 0x0042f79b, 0x0042f79e, 0x0042f7a1,
      0x0042f7a3, 0x0042f7a5, 0x0042f7d5, 0x0042f7d5, 0x0042f7db, 0x0042f7dd, 0x0042f7e2, 0x0042f7e5,
      0x0042f7ec, 0x0042f7f0, 0x0042f7f6, 0x0042f7f8, 0x0042f82d, 0x0042f833, 0x0042f839, 0x0042f83a,
      0x0042f840, 0x0042f846, 0x0042f84c, 0x00000000, 0x00000000, 0x0042f84e, 0x0042f672, 0x0042f683,
      0x0042f689, 0x0042f68f, 0x0042f695, 0x0042f69b, 0x0042f69b, 0x0042f69e, 0x0042f6a0, 0x00000000,
      0x00000000, 0x00000000, 0x0042f6a0, 0x0042f7fa, 0x0042f7fc, 0x0042f7fe, 0x0042f801, 0x0042f807,
      0x0042f807, 0x0042f80d, 0x0042f810, 0x0042f812, 0x0042f815, 0x0042f81a, 0x0042f81d, 0x0042f81d,
      0x0042f825, 0x0042f82a, 0x00000000, 0x0042f7a7, 0x0042f7a7, 0x0042f7a7, 0x0042f7a9, 0x0042f7ab,
      0x0042f7b1, 0x0042f7b3, 0x0042f7b8, 0x0042f7b8, 0x0042f7bb, 0x0042f7c4, 0x0042f7c5, 0x0042f7ca,
      0x0042f7cd, 0x0042f7ce, 0x0042f7d1, 0x0042f7d1, 0x00000000, 0x0042f7a7, 0x0042f7a5, 0x0042f723,
      0x0042f72a, 0x0042f731, 0x0042f737, 0x0042f739, 0x0042f73b, 0x00000000, 0x00000000, 0x0042f73d,
      0x0042f73f, 0x00000000, 0x00000000, 0x00000000, 0x0042f73f, 0x0042f859, 0x0042f859, 0x0042f85f,
      0x0042f861, 0x0042f86c, 0x0042f871, 0x0042f872, 0x0042f875, 0x0042f87b, 0x0042f87b, 0x00000000,
      0x0042f610, 0x0042f3e6, 0x0042f3e8, 0x0042f3ee, 0x0042f3f4, 0x0042f5d3, 0x0042f5d3, 0x0042f5d9,
      0x0042f5db, 0x0042f5e0, 0x00000000, 0x0042f5e0, 0x0042f400, 0x0042f408, 0x0042f416, 0x0042f41b,
      0x0042f41e, 0x0042f424, 0x0042f427, 0x0042f429, 0x0042f46e, 0x0042f476, 0x0042f48f, 0x0042f497,
      0x0042f4a1, 0x0042f4ab, 0x0042f4b5, 0x0042f42b, 0x0042f42b, 0x0042f433, 0x0042f441, 0x0042f44b,
      0x0042f453, 0x0042f45d, 0x0042f467, 0x0042f467, 0x0042f4c2, 0x0042f4c8, 0x0042f4cd, 0x0042f4d4,
      0x0042f4d6, 0x0042f4d8, 0x0042f4de, 0x0042f4e0, 0x0042f4e5, 0x0042f4e5, 0x0042f4e8, 0x0042f4ee,
      0x0042f4f0, 0x0042f4f5, 0x0042f4fb, 0x0042f4fe, 0x0042f500, 0x0042f517, 0x0042f517, 0x0042f502,
      0x0042f502, 0x0042f506, 0x0042f50f, 0x0042f50f, 0x0042f512, 0x0042f512, 0x0042f519, 0x0042f51b,
      0x0042f51d, 0x0042f520, 0x0042f520, 0x0042f522, 0x0042f524, 0x0042f52a, 0x0042f52c, 0x0042f531,
      0x0042f531, 0x0042f534, 0x0042f53d, 0x0042f53e, 0x0042f543, 0x0042f546, 0x0042f547, 0x0042f54a,
      0x0042f54a, 0x0042f520, 0x0042f54e, 0x0042f554, 0x0042f556, 0x0042f55b, 0x0042f55e, 0x0042f565,
      0x0042f567, 0x0042f56d, 0x0042f573, 0x0042f575, 0x0042f577, 0x0042f579, 0x0042f57b, 0x0042f57e
      0x0042f584
      0x0042f584
      0x0042f58a
      0x0042f58d
      0x0042f58f
      0x0042f592
      0x0042f597
      0x0042f59a
      0x0042f59a
      0x0042f5a2
      0x0042f5a7
      0x0042f5a7
      0x0042f5aa
      0x0042f5aa
      0x0042f5ba
      0x0042f5c0
      0x0042f5c1
      0x0042f5c7
      0x0042f5c7
      0x00000000

      APIs
        • Part of subcall function 00435A10: _wcsrchr.LIBCMT ref: 00435A18
        • Part of subcall function 00405D60: GetPropW.USER32(?), ref: 00405D6E
      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042F2F3
      • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0042F303
      • __wfopen_s.LIBCMT ref: 0042F32C
      • MessageBoxW.USER32(?,Unable to open file for writing,Export Listview,00000010), ref: 0042F354
      • GetSaveFileNameW.COMDLG32(00000058), ref: 0042F39B
        • Part of subcall function 00404130: SendMessageW.USER32(?,00001200,00000000,00000000), ref: 0040413C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Message$Send$FileNamePropSave__wfopen_s_wcsrchr
      • String ID: .CSV$Export Listview$Unable to open file for writing$X
      • API String ID: 4122999536-2764136903
      • Opcode ID: af21463c0bb0a7fb31024d840ccfbc7b09184047e5173ebbb77f50af14892e5c
      • Instruction ID: c5e7e49ba89f6a58e284cd480785c9c2bcf435adfce36819d088f0cf7dfd649d
      • Opcode Fuzzy Hash: af21463c0bb0a7fb31024d840ccfbc7b09184047e5173ebbb77f50af14892e5c
      • Instruction Fuzzy Hash: 87215EF1A4021C9ACF20DB50DD85BEEB7B8EB84704F5001EBE60867241DB785A898F5C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E0044EDE6(void* __ebx, void* __edx) {
      				void* __esi;
      				void* _t38;
      				int _t39;
      				void* _t46;
      				void* _t48;
      				struct HWND__* _t49;
      				void* _t50;
      				signed int _t51;
      
      				_t46 = __edx;
      				_t38 = __ebx;
      				if( *(_t51 - 0x628) != 0x9cdd) {
      					 *0x4bb140 =  *0x4bb140 | 0x00000001;
      				} else {
      					 *0x4bb140 =  *0x4bb140 & 0xfffffffe;
      				}
      				 *((char*)(_t51 - 0x61d)) = 0;
      				if(E0040CEE0(_t46, GetDlgItem(_t49, 0x3f9), (0 | ( *0x4bb140 & 0x00000001) != 0x00000000) * 2 - 1, _t51 - 0x61d) == 0 &&  *((char*)(_t51 - 0x61d)) == 0) { // third argument is +1 when bit 0 of *0x4bb140 is set, else -1; 0x3f9 is dialog control ID 1017
      					 *((intOrPtr*)(_t51 - 0x624)) = E0046A6C0(_t38, L"No more bookmarks", E0046A530(L"No more bookmarks"));
      					 *((intOrPtr*)(_t51 - 4)) = 0xf;
      					SetForegroundWindow(_t49);
      					MessageBoxW(_t49, E0046A170(_t51 - 0x624), L"Process Monitor", 0x30); // 0x30 = MB_ICONWARNING
      					_t45 =  *((intOrPtr*)(_t51 - 0x624));
      					 *((intOrPtr*)(_t51 - 4)) = 0xffffffff;
      					if( *((intOrPtr*)(_t51 - 0x624)) != 0) {
      						E0046A700(_t45);
      					}
      				}
      				SetFocus(_t49);
      				SetForegroundWindow(_t49);
      				_t39 =  *(_t51 + 0xc);
      				DefWindowProcW(_t49, _t39,  *(_t51 - 0x628),  *(_t51 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t51 - 0xc));
      				_pop(_t48);
      				_pop(_t50);
      				return E0046F77E(_t38,  *(_t51 - 0x10) ^ _t51, _t46, _t48, _t50);
      			}

      Address column: instruction addresses for the decompiled lines of E0044EDE6 above (0x0044ede6 to 0x0044eeb1, plus a shared epilogue at 0x0044e726 to 0x0044e757), listed in the report without the code lines they annotate.

      APIs
      • GetDlgItem.USER32 ref: 0044EE2F
      • SetForegroundWindow.USER32 ref: 0044EE77
      • MessageBoxW.USER32(?,00000000,Process Monitor,00000030), ref: 0044EE8D
      • SetFocus.USER32 ref: 0044EEAA
      • SetForegroundWindow.USER32 ref: 0044EEB1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ForegroundWindow$FocusItemMessage
      • String ID: No more bookmarks$Process Monitor
      • API String ID: 2662367236-1941388099
      • Opcode ID: ff1b783e59c4465deb01230d3fb1adeaac47ac02f989b48836bdb04ead0b9dfd
      • Instruction ID: a0c0e8480582982da0362c0a307528a5a429b03c8bb85efc6b4baaab953e5b1d
      • Opcode Fuzzy Hash: ff1b783e59c4465deb01230d3fb1adeaac47ac02f989b48836bdb04ead0b9dfd
      • Instruction Fuzzy Hash: 84113D70801618AFEB209F55DC197AE3778FF55364F1002AAF401A21D2D77D0B598F9E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 61%
      			E0042F034(void* __edx) {
      				void* __ebx;
      				struct HICON__* _t35;
      				signed int _t36;
      				struct HWND__* _t55;
      				void* _t56;
      				void* _t57;
      				void* _t62;
      				int _t63;
      				void* _t64;
      				void* _t65;
      				void* _t66;
      				void* _t67;
      				signed short* _t68;
      				void* _t69;
      				signed int _t70;
      				void* _t73;
      				void* _t76;
      
      				_t62 = __edx;
      				while(1) {
      					_push(L".CSV");
      					E00435A10(_t70 - 0x20c, 0x104);
      					 *(_t70 - 0x1210) = 0;
      					E00471CA4(_t70 - 0x1210, _t70 - 0x20c, L"wt");
      					_t73 = _t73 + 0x18;
      					if( *(_t70 - 0x1210) != 0) {
      						break;
      					}
      					MessageBoxW(_t55, L"Unable to open file for writing", L"Export Listview", 0x10); // 0x10 = MB_ICONERROR
      					 *(_t70 - 0x1270) = 0x58; // OPENFILENAMEW.lStructSize (0x58 = 88 bytes on 32-bit Windows)
      					 *((intOrPtr*)(_t70 - 0x1254)) = _t70 - 0x20c; // lpstrFile: the path buffer filled above
      					 *(_t70 - 0x126c) = _t55; // hwndOwner
      					 *((intOrPtr*)(_t70 - 0x1250)) = 0x104; // nMaxFile = MAX_PATH
      					 *((intOrPtr*)(_t70 - 0x1264)) = L"Text File (*.CSV)"; // lpstrFilter
      					 *((intOrPtr*)(_t70 - 0x123c)) = 8; // Flags = OFN_NOCHANGEDIR
      					if(GetSaveFileNameW(_t70 - 0x1270) != 0) { // a path was chosen: retry the _wfopen_s at the top of the loop
      						continue;
      					} else {
      						_pop(_t65);
      						_pop(_t69);
      						_pop(_t57);
      						return E0046F77E(_t57,  *(_t70 - 4) ^ _t70, _t62, _t65, _t69);
      					}
      					L12:
      				}
      				_t35 = SetCursor(LoadCursorW(0, 0x7f02)); // 0x7f02 = IDC_WAIT; the previous cursor is saved below and restored at the end
      				_t66 = SendMessageW;
      				 *(_t70 - 0x1214) = _t35;
      				_t36 = SendMessageW(_t55, 0x18b, 0, 0); // 0x18b = LB_GETCOUNT: number of list-box items to export
      				_t63 = 0;
      				 *(_t70 - 0x1218) = _t36;
      				__eflags = _t36;
      				if(__eflags != 0) {
      					do {
      						SendMessageW(_t55, 0x189, _t63, _t70 - 0x120c); // 0x189 = LB_GETTEXT: copy item _t63 into the wide buffer
      						_push( *(_t70 - 0x1210));
      						_push(0x22);
      						E00472868(_t55, _t63, _t66, __eflags); // _fputc('"', file): opening quote
      						_t76 = _t73 + 8;
      						_t68 = _t70 - 0x120c;
      						__eflags =  *(_t70 - 0x120c);
      						while(__eflags != 0) {
      							__eflags =  *_t68 - 0x22;
      							if(__eflags == 0) {
      								_push( *(_t70 - 0x1210));
      								_push(0x22);
      								E00472868(_t55, _t63, _t68, __eflags); // embedded quote: emit a second '"' first (CSV quote doubling)
      								_t76 = _t76 + 8;
      							}
      							_push( *(_t70 - 0x1210));
      							_push( *_t68 & 0x0000ffff);
      							E00472868(_t55, _t63, _t68, __eflags); // _fputc(code unit, file): fputc stores one byte, so the UTF-16 unit is truncated to its low byte
      							_t68 =  &(_t68[1]);
      							_t76 = _t76 + 8;
      							__eflags =  *_t68;
      						}
      						_push( *(_t70 - 0x1210));
      						_push(0x22);
      						E00472868(_t55, _t63, _t68, __eflags); // _fputc('"'): closing quote
      						_push( *(_t70 - 0x1210));
      						_push(0xa);
      						E00472868(_t55, _t63, _t68, __eflags); // _fputc('\n'): the stream was opened with "wt", so the CRT expands this to CR LF on disk
      						_t66 = SendMessageW;
      						_t63 = _t63 + 1;
      						_t73 = _t76 + 0x10;
      						__eflags = _t63 -  *(_t70 - 0x1218);
      					} while (__eflags < 0);
      				}
      				_push( *(_t70 - 0x1210));
      				L00471E1F(_t55, _t63, _t66, __eflags);
      				SetCursor( *(_t70 - 0x1214));
      				_pop(_t64);
      				_pop(_t67);
      				__eflags =  *(_t70 - 4) ^ _t70;
      				_pop(_t56);
      				return E0046F77E(_t56,  *(_t70 - 4) ^ _t70, _t62, _t64, _t67);
      				goto L12;
      			}

      Address column: instruction addresses for the decompiled lines of E0042F034 above (0x0042f034 to 0x0042f1ed), listed in the report without the code lines they annotate.

      APIs
        • Part of subcall function 00435A10: _wcsrchr.LIBCMT ref: 00435A18
      • __wfopen_s.LIBCMT ref: 0042F073
      • MessageBoxW.USER32(?,Unable to open file for writing,Export Listview,00000010), ref: 0042F091
      • GetSaveFileNameW.COMDLG32(00000058), ref: 0042F0D4
      • LoadCursorW.USER32(00000000,00007F02), ref: 0042F0F8
      • SetCursor.USER32(00000000), ref: 0042F0FF
      • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 0042F11B
      • SendMessageW.USER32(?,00000189,00000000,?), ref: 0042F13E
      • _fputc.LIBCMT ref: 0042F148
      • _fputc.LIBCMT ref: 0042F16E
      • _fputc.LIBCMT ref: 0042F180
      • _fputc.LIBCMT ref: 0042F199
      • _fputc.LIBCMT ref: 0042F1A6
      • SetCursor.USER32(?), ref: 0042F1D5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _fputc$CursorMessage$Send$FileLoadNameSave__wfopen_s_wcsrchr
      • String ID: .CSV$Export Listview$Unable to open file for writing$X
      • API String ID: 2410324009-2764136903
      • Opcode ID: 3b850a740050be6668df019f384b9163bbe70225dd0edc3510a94de2884e6ed5
      • Instruction ID: 78fb5a5c0655f117630b16dcebd51a89154a004a4191bf6672706b0da61f04f3
      • Opcode Fuzzy Hash: 3b850a740050be6668df019f384b9163bbe70225dd0edc3510a94de2884e6ed5
      • Instruction Fuzzy Hash: 9F015EB194022C9ACF20DB51DC85BC9B7B8BB44704F5001EBE548F2181D7B85AA88F88
      Uniqueness

      Uniqueness Score: -1.00%
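
      The export loop of E0042F034 above, re-expressed as an added example (this is not code from the report or from the analysed binary). It models what the decompiler shows: LB_GETCOUNT for the item count, LB_GETTEXT for each item, then one _fputc per character: an opening quote, every UTF-16 code unit with embedded quotes doubled, a closing quote and a newline. Because fputc stores a single byte, each code unit reaches the file truncated to its low byte. The list box and the Win32 message plumbing are replaced by a plain Python list, and all sample strings are constructed for the example.

```python
"""Added example: the CSV export loop of E0042F034 as the decompiler shows it.

Not code from the sandbox report or from the analysed binary. The list-box
contents and SendMessageW are modelled by FakeListBox; sample strings are
constructed for this example.
"""
import csv
import io
import struct

LB_GETCOUNT = 0x18B   # SendMessageW(hwnd, 0x18b, 0, 0) in the decompiled routine
LB_GETTEXT = 0x189    # SendMessageW(hwnd, 0x189, index, buffer)
QUOTE = 0x22          # the constant pushed before _fputc around each item
NEWLINE = 0x0A        # the 0xa pushed after the closing quote


class FakeListBox:
    """Stand-in for the Win32 list box: answers the two messages the loop sends."""

    def __init__(self, items):
        self._items = list(items)

    def send_message(self, msg, wparam=0):
        if msg == LB_GETCOUNT:
            return len(self._items)
        if msg == LB_GETTEXT:
            return self._items[wparam]
        raise ValueError("message not modelled: 0x%x" % msg)


def fputc(out: bytearray, c: int) -> None:
    """Model of C fputc: the int argument is stored as an unsigned char."""
    out.append(c & 0xFF)


def utf16_units(text: str):
    """The wide characters LB_GETTEXT returns, as 16-bit code units."""
    raw = text.encode("utf-16-le")
    return struct.unpack("<%dH" % (len(raw) // 2), raw)


def export_listbox(listbox: FakeListBox) -> bytes:
    """Bytes the routine writes to the file opened with _wfopen_s(..., L"wt").

    The model keeps the raw 0x0a; on Windows the "wt" text-mode stream
    expands it to CR LF on disk.
    """
    out = bytearray()
    count = listbox.send_message(LB_GETCOUNT)
    for index in range(count):                   # do { ... } while (index < count)
        fputc(out, QUOTE)                        # _fputc('"'): opening quote
        for unit in utf16_units(listbox.send_message(LB_GETTEXT, index)):
            if unit == QUOTE:
                fputc(out, QUOTE)                # doubled quote (CSV escaping)
            fputc(out, unit)                     # low byte only: see fputc()
        fputc(out, QUOTE)                        # closing quote
        fputc(out, NEWLINE)                      # '\n'
    return bytes(out)


def parse_export(data: bytes):
    """Read the file back as CSV; latin-1 maps each byte to one character."""
    return [row[0] for row in csv.reader(io.StringIO(data.decode("latin-1")))]
```

      The quote doubling makes the output round-trip through a standard CSV reader for single-byte text, but any code unit above 0xFF (for example U+20AC) is written as its low byte, so non-Latin item text does not survive the export.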

      C-Code - Quality: 100%
      			E0046E360(int* __ecx, intOrPtr _a4) {
      				int* _t17;
      
      				_t17 = __ecx;
      				if( *((intOrPtr*)(_a4 + 0xc)) ==  *((intOrPtr*)(__ecx + 0x14))) {
      					SetWindowPos( *(__ecx + 0x1c), 1, 0, 0, 0, 0, 3); // hWndInsertAfter 1 = HWND_BOTTOM, flags 3 = SWP_NOSIZE | SWP_NOMOVE
      					SetCursor(_t17[3]);
      					SetCapture(_t17[7]);
      					_t17[1] = 1;
      					 *_t17 = 0;
      					if( *0x4c285c == 0) { // resolved once and cached in a global
      						 *0x4c285c = GetProcAddress(LoadLibraryW(L"user32.dll"), "HungWindowFromGhostWindow"); // undocumented user32 export, so it is looked up by name at run time instead of being imported
      					}
      				}
      				return 0;
      			}

      Address column: instruction addresses for the decompiled lines of E0046E360 above (0x0046e367 to 0x0046e3cb), listed in the report without the code lines they annotate.

      APIs
      • SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000003), ref: 0046E380
      • SetCursor.USER32(?), ref: 0046E389
      • SetCapture.USER32(?), ref: 0046E392
      • LoadLibraryW.KERNEL32(user32.dll,HungWindowFromGhostWindow), ref: 0046E3B5
      • GetProcAddress.KERNEL32(00000000), ref: 0046E3BC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AddressCaptureCursorLibraryLoadProcWindow
      • String ID: HungWindowFromGhostWindow$user32.dll
      • API String ID: 3141864440-1648181015
      • Opcode ID: ef06a880d7765b650022b4f2c1a4a501abe4ac48899b06a4e66da1af39ef8794
      • Instruction ID: 22ac66824e77bdc4cd6d4fb2a79ccaf24ca01ff2538325538738bd6d15e816b0
      • Opcode Fuzzy Hash: ef06a880d7765b650022b4f2c1a4a501abe4ac48899b06a4e66da1af39ef8794
      • Instruction Fuzzy Hash: 34F03731244304AFE7209FA4EC09F4A7BE4AB14B11F20893EFA45A66E0D2B5A8548B5C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E00408420(intOrPtr __ecx, struct HWND__* _a4, long _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				long _v36;
      				intOrPtr _v40;
      				long _v44;
      				int _v48;
      				void* _v52;
      				void* _v56;
      				intOrPtr _t69;
      				signed int _t87;
      				long _t100;
      				long _t103;
      				long _t106;
      
      				_t101 = __ecx;
      				_t106 = _a8;
      				_v8 = __ecx;
      				_t103 =  *((intOrPtr*)(_t106 + 0x10));
      				if(_t103 == 0) {
      					_t100 = 0;
      					__eflags = 0;
      				} else {
      					_t100 =  *((intOrPtr*)(_t103 + 4));
      				}
      				_t69 =  *((intOrPtr*)(_t106 + 8));
      				if(_t69 > 0x7d5) { // notification code from the incoming NMHDR; 0x7d0..0x7d6 (2000..2006) are not standard common-control codes (those are small negative values)
      					__eflags = _t69 - 0xfffffffb; // compare with -5 = NM_RCLICK
      					if(__eflags > 0) {
      						__eflags = _t69 + 3 - 1;
      						if(_t69 + 3 > 1) {
      							goto L25;
      						} else {
      							goto L19;
      						}
      					} else {
      						if(__eflags == 0) {
      							L19:
      							E00470030( &_v52, 0, 0x2c); // zero fill of 0x2c = 44 bytes: the 32-bit NMLISTVIEW sent to the parent below
      							asm("movq xmm0, [esi]");
      							_t74 =  *((intOrPtr*)(_t106 + 8));
      							asm("movq [ebp-0x34], xmm0");
      							_v48 =  *((intOrPtr*)(_t106 + 8));
      							__eflags = _t103;
      							if(_t103 == 0) {
      								_v44 = 0xffffffff;
      							} else {
      								_v44 = E00405CE0(_t74, _v8, _t103);
      							}
      							_v40 =  *((intOrPtr*)(_t106 + 0x14));
      							__eflags = _t100;
      							if(_t100 == 0) {
      								_v16 = 0;
      								return SendMessageW(_a4, 0x4e, _v52,  &_v56); // 0x4e = WM_NOTIFY: hand the rebuilt block to the parent window
      							} else {
      								_v16 =  *((intOrPtr*)(_t100 + 4));
      								return SendMessageW(_a4, 0x4e, _v52,  &_v56); // 0x4e = WM_NOTIFY
      							}
      						} else {
      							__eflags = _t69 - 0x7d6;
      							if(_t69 != 0x7d6) {
      								goto L25;
      							} else {
      								asm("xorps xmm0, xmm0");
      								asm("movdqu [ebp-0x2c], xmm0");
      								_v44 = _t69;
      								asm("movdqu [ebp-0x1c], xmm0");
      								asm("movq [ebp-0xc], xmm0");
      								asm("movq xmm0, [esi]");
      								asm("movq [ebp-0x30], xmm0");
      								_v44 = 0xffffff99; // -103 = LVN_DELETEITEM
      								_v40 = E00405CE0(_t69, _t101, _t103); // iItem
      								_v12 =  *((intOrPtr*)(_t100 + 4)); // lParam
      								SendMessageW(_a4, 0x4e, _v48,  &_v52); // 0x4e = WM_NOTIFY
      								__eflags = 0;
      								return 0;
      							}
      						}
      					}
      				} else {
      					if(_t69 >= 0x7d4) {
      						L25:
      						return SendMessageW(_a4, 0x4e,  *(_t106 + 4), _t106); // 0x4e = WM_NOTIFY: forward the original notification unchanged
      					} else {
      						_t87 = _t69 - 0x7d0;
      						if(_t87 > 3) {
      							goto L25;
      						} else {
      							switch( *((intOrPtr*)(_t87 * 4 +  &M00408680))) {
      								case 0:
      									_t88 =  *((intOrPtr*)(_t106 + 8));
      									asm("xorps xmm0, xmm0");
      									_t104 =  *((intOrPtr*)(_t106 + 0xc));
      									asm("movq [ebp-0xc], xmm0");
      									asm("movdqu [ebp-0x2c], xmm0");
      									_v44 =  *((intOrPtr*)(_t106 + 8));
      									_v44 = 0xffffff9b; // -101 = LVN_ITEMCHANGED
      									asm("movdqu [ebp-0x1c], xmm0");
      									asm("movq xmm0, [esi]");
      									asm("movq [ebp-0x30], xmm0");
      									if(_t104 == 0) {
      										_t105 = _a4;
      									} else {
      										_v40 = E00405CE0(_t88, _t101, _t104);
      										_t105 = _a4;
      										_v12 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 4)) + 4));
      										_v28 = 3;
      										_v32 = 0;
      										_v24 = 3;
      										SendMessageW(_t105, 0x4e, _v48,  &_v52);
      										_t101 = _v8;
      									}
      									_t89 =  *((intOrPtr*)(_t106 + 0x10));
      									if( *((intOrPtr*)(_t106 + 0x10)) != 0) {
      										_v40 = E00405CE0(_t89, _t101, _t89);
      										_v12 =  *((intOrPtr*)(_t100 + 4));
      										_v32 = 0;
      										_v28 = 3;
      										_v24 = 3;
      										SendMessageW(_t105, 0x4e, _v48,  &_v52);
      									}
      									return 0;
      									goto L26;
      								case 1:
      									goto L25;
      								case 2:
      									__eax =  *((intOrPtr*)(__esi + 8));
      									asm("xorps xmm0, xmm0");
      									asm("movdqu [ebp-0x2c], xmm0");
      									_v44 =  *((intOrPtr*)(__esi + 8));
      									__eax =  *((intOrPtr*)(__esi + 0x14));
      									_v36 =  *((intOrPtr*)(__esi + 0x14));
      									__eax =  &_v52;
      									asm("movdqu [ebp-0x1c], xmm0");
      									asm("movq [ebp-0xc], xmm0");
      									asm("movq xmm0, [esi]");
      									asm("movq [ebp-0x30], xmm0");
      									_v44 = 0xffffff94; // -108 = LVN_COLUMNCLICK
      									_v40 = 0xffffffff; // iItem = -1
      									SendMessageW(_a4, 0x4e,  *(__esi + 4),  &_v52); // 0x4e = WM_NOTIFY; the decompiler's "= 0" on this call was an artifact of the zeroed return register
      									__eflags = 0;
      									return 0;
      									goto L26;
      							}
      						}
      					}
      				}
      				L26:
      			}

      Address column: instruction addresses for the decompiled lines of E00408420 above (0x00408420 to 0x0040867d), listed in the report without the code lines they annotate.

      APIs
      • SendMessageW.USER32(?,0000004E,?,?), ref: 004084CE
      • SendMessageW.USER32(?,0000004E,?,?), ref: 00408511
      • SendMessageW.USER32(00000000,0000004E,00000000,?), ref: 00408563
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: 49b1ddd20fe2895491c7a1eaf270035d39b6b92ce684a795cb0eb04a19957264
      • Instruction ID: fe815d61149b6d89e5b311ac1038ce3523dcc7aaaac358735e8aa58be1a6e859
      • Opcode Fuzzy Hash: 49b1ddd20fe2895491c7a1eaf270035d39b6b92ce684a795cb0eb04a19957264
      • Instruction Fuzzy Hash: BA715072D00709ABDB10DFA9D940AEEFBB4FF58310F14862FE954B2290E7759941CBA4
      Uniqueness

      Uniqueness Score: -1.00%
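
      The 44-byte block that E00408420 above zero-fills and forwards with SendMessageW(parent, 0x4e, id, &block) is a 32-bit NMLISTVIEW delivered by WM_NOTIFY. The helpers below, added here as an example (not code from the report or from the analysed binary), pack and unpack that structure, name the codes the routine stores (0xffffff9b, 0xffffff99 and 0xffffff94 read as signed LVN_* values), and compute the field offsets so the decompiler's stack slots can be matched to fields (the block starts at _v52, so _v44 is the code, _v40 iItem, _v36 iSubItem and _v12 lParam). Field names are the documented NMLISTVIEW members; the window handle and control ID in the test are constructed values.

```python
"""Added example: the NMLISTVIEW block built by E00408420.

Not code from the sandbox report or from the analysed binary. Sample
handles and IDs are constructed for this example.
"""
import struct

WM_NOTIFY = 0x4E
# 32-bit layout: NMHDR (hwndFrom, idFrom, code) followed by the list-view members
NMLISTVIEW_FMT = "<IIiiiIIIiii"
NMLISTVIEW_SIZE = struct.calcsize(NMLISTVIEW_FMT)          # 44 == 0x2c
FIELDS = ("hwndFrom", "idFrom", "code", "iItem", "iSubItem",
          "uNewState", "uOldState", "uChanged",
          "ptAction_x", "ptAction_y", "lParam")

# Codes the routine writes into 'code' (LVN_FIRST is -100), plus the NM_*
# codes it compares against before re-emitting a notification.
LVN_ITEMCHANGED = -101   # stored as 0xffffff9b
LVN_DELETEITEM = -103    # stored as 0xffffff99
LVN_COLUMNCLICK = -108   # stored as 0xffffff94
CODE_NAMES = {
    LVN_ITEMCHANGED: "LVN_ITEMCHANGED",
    LVN_DELETEITEM: "LVN_DELETEITEM",
    LVN_COLUMNCLICK: "LVN_COLUMNCLICK",
    -2: "NM_CLICK", -3: "NM_DBLCLK", -4: "NM_RETURN", -5: "NM_RCLICK",
}


def field_offset(name: str) -> int:
    """Byte offset of a field: size of the format prefix that precedes it."""
    idx = FIELDS.index(name)
    return struct.calcsize(NMLISTVIEW_FMT[:1 + idx])


def pack_nmlistview(hwnd_from, id_from, code, i_item=-1, i_sub_item=0,
                    new_state=0, old_state=0, changed=0, pt=(0, 0), lparam=0):
    """Build the block as the routine does: zeroed except the fields it sets."""
    return struct.pack(NMLISTVIEW_FMT, hwnd_from & 0xFFFFFFFF,
                       id_from & 0xFFFFFFFF, code, i_item, i_sub_item,
                       new_state, old_state, changed, pt[0], pt[1], lparam)


def unpack_nmlistview(block: bytes) -> dict:
    """Decode a block captured from the lParam of a WM_NOTIFY."""
    if len(block) < NMLISTVIEW_SIZE:
        raise ValueError("NMLISTVIEW needs %d bytes, got %d"
                         % (NMLISTVIEW_SIZE, len(block)))
    info = dict(zip(FIELDS, struct.unpack(NMLISTVIEW_FMT, block[:NMLISTVIEW_SIZE])))
    info["code_name"] = CODE_NAMES.get(
        info["code"], "0x%08x" % (info["code"] & 0xFFFFFFFF))
    return info


def column_click_block(hwnd_from, id_from, column):
    """What case 2 of the switch produces: LVN_COLUMNCLICK with iItem -1
    and the clicked column in iSubItem."""
    return pack_nmlistview(hwnd_from, id_from, LVN_COLUMNCLICK,
                           i_item=-1, i_sub_item=column)


def delete_item_block(hwnd_from, id_from, item, lparam):
    """What the 0x7d6 branch produces: LVN_DELETEITEM for one item."""
    return pack_nmlistview(hwnd_from, id_from, LVN_DELETEITEM,
                           i_item=item, lparam=lparam)
```

      Reading the signed 32-bit code through unpack_nmlistview turns the 0xffffff9b/0xffffff99/0xffffff94 literals of the decompiler into the LVN_* names, which is the quickest way to confirm from a debugger capture that the parent receives ordinary list-view notifications from this control.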

      C-Code - Quality: 89%
      			E00424BB0(void* __edx, struct HICON__* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16) {
      				signed int _v8;
      				char _v1031;
      				void _v1032;
      				intOrPtr _v1036;
      				intOrPtr* _v1040;
      				intOrPtr* _v1044;
      				intOrPtr* _v1048;
      				signed int _v1052;
      				signed int _v1056;
      				struct _ICONINFO _v1076;
      				signed int _v1080;
      				intOrPtr _v1084;
      				signed short _v1090;
      				signed int _v1100;
      				signed int _v1104;
      				void _v1108;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t62;
      				struct HICON__* _t64;
      				void* _t71;
      				signed int _t83;
      				void* _t86;
      				signed int _t93;
      				void* _t94;
      				void* _t96;
      				intOrPtr* _t101;
      				signed int _t103;
      				intOrPtr _t111;
      				signed int _t114;
      				char _t116;
      				void* _t118;
      				signed int _t120;
      				signed int _t122;
      				signed int _t125;
      				void* _t128;
      				void* _t129;
      				signed int _t130;
      
      				_t118 = __edx;
      				_t62 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t62 ^ _t130;
      				_t64 = _a4;
      				_v1044 = _a12;
      				_v1048 = _a16;
      				_t101 = _a8;
      				_v1040 = _t101;
      				if(_t64 == 0 || GetIconInfo(_t64,  &_v1076) == 0) {
      					L31:
      					 *_v1048 = 0;
      					 *_v1044 = 0;
      					 *_t101 = 0;
      					return E0046F77E(_t101, _v8 ^ _t130, _t118, _t122, _t125);
      				} else {
      					_v1084 = _v1076.xHotspot;
      					_v1036 = _v1076.yHotspot;
      					_t71 = _v1076.hbmColor;
      					if(_t71 == 0) {
      						if(GetObjectW(_v1076.hbmMask, 0x18,  &_v1108) == 0) { // 0x18 = sizeof(BITMAP) on 32-bit: read the mask bitmap's width, height and bits per pixel
      							goto L31;
      						} else {
      							asm("cdq");
      							_t122 = _v1100 - _t118 >> 1;
      							goto L8;
      						}
      					} else {
      						_t125 = GetObjectW;
      						if(GetObjectW(_t71, 0x18,  &_v1108) == 0) { // 0x18 = sizeof(BITMAP): colour bitmap dimensions
      							goto L31;
      						} else {
      							_t122 = _v1100;
      							if(GetObjectW(_v1076.hbmMask, 0x18,  &_v1108) == 0) {
      								goto L31;
      							} else {
      								L8:
      								_v1032 = 0;
      								E00470030( &_v1031, 0, 0x3ff); // zero the 1024-byte bit buffer
      								asm("cdq");
      								_t125 = _t118 + (_v1090 & 0x0000ffff) * _v1104 >> 3; // bytes per mask row: bmBitsPixel * bmWidth / 8
      								_v1056 = _t125;
      								_t103 = _t125 + 0x00000001 & 0xfffffffe; // rounded up to an even byte count (WORD-aligned scanline)
      								_v1052 = _t103;
      								if(GetBitmapBits(_v1076.hbmMask, 0x400,  &_v1032) == 0) { // copy at most 1024 bytes of the mask; the scan below starts from the last row
      									_t101 = _v1040;
      									goto L31;
      								} else {
      									_t83 = (_t122 - 1) * _t103;
      									if(_v1076.hbmColor == 0) {
      										_t120 = _t103 * _t122;
      										_t128 =  &_v1032 + _t83;
      										_v1080 = _t120;
      										if(_t128 >  &_v1032) {
      											_t93 = _v1052;
      											_t103 = _v1056 + _t128;
      											while(_t122 > _v1036) {
      												_t120 = _t120 + _t103;
      												_t114 = _t103;
      												if(_t103 <= _t128) {
      													L26:
      													_t120 = _v1080;
      													_t128 = _t128 - _t93;
      													_t103 = _t103 - _t93;
      													_t122 = _t122 - 1;
      													if(_t128 >  &_v1032) {
      														continue;
      													}
      												} else {
      													while(1) {
      														_t94 =  *(_t114 - 1);
      														_t114 = _t114 - 1;
      														if(_t94 != 0xff) {
      															goto L27;
      														}
      														_t120 = _t120 - 1;
      														if( *_t120 == 0) {
      															if(_t114 > _t128) {
      																continue;
      															} else {
      																_t93 = _v1052;
      																goto L26;
      															}
      														}
      														goto L27;
      													}
      												}
      												goto L27;
      											}
      										}
      									} else {
      										_t120 =  &_v1032 + _t83;
      										if(_t120 >  &_v1032) {
      											while(_t122 > _v1036) {
      												_t96 = _t120 + _t125;
      												if(_t96 <= _t120) {
      													L16:
      													_t120 = _t120 - _t103;
      													_t122 = _t122 - 1;
      													if(_t120 >  &_v1032) {
      														continue;
      													} else {
      													}
      												} else {
      													while(1) {
      														_t116 =  *((char*)(_t96 - 1));
      														_t96 = _t96 - 1;
      														if(_t116 != 0xff) {
      															goto L27;
      														}
      														if(_t96 > _t120) {
      															continue;
      														} else {
      															goto L16;
      														}
      														goto L27;
      													}
      												}
      												goto L27;
      											}
      										}
      									}
      									L27:
      									_t129 = DeleteObject;
      									DeleteObject(_v1076.hbmMask);
      									_t86 = _v1076.hbmColor;
      									if(_t86 != 0) {
      										DeleteObject(_t86);
      									}
      									 *_v1048 = _t122 - _v1036;
      									_t111 = _v1084;
      									 *_v1040 = _t111;
      									 *_v1044 = _t122 - _t111;
      									return E0046F77E(_t103, _v8 ^ _t130, _t120, _t122 - _t111, _t129);
      								}
      							}
      						}
      					}
      				}
      			}

      APIs
      • GetIconInfo.USER32(?,?), ref: 00424BF4
      • GetObjectW.GDI32(?,00000018,?), ref: 00424C34
      • GetObjectW.GDI32(?,00000018,?), ref: 00424C53
      • GetObjectW.GDI32(?,00000018,?), ref: 00424C6E
      • _memset.LIBCMT ref: 00424C9E
      • GetBitmapBits.GDI32(?,00000400,00000000), ref: 00424CE2
      • DeleteObject.GDI32(?), ref: 00424DCF
      • DeleteObject.GDI32(00000000), ref: 00424DDC
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Object$Delete$BitmapBitsIconInfo_memset
      • String ID:
      • API String ID: 478080979-0
      • Opcode ID: 7b6716528e0d4513c2a302cec48e0b8d043c87587ffdf5dc92bed3e490aa4115
      • Instruction ID: 46fde01475c72cebea3430318c75b6b36bb095a80e1fdbbddb4713b79b004a6b
      • Opcode Fuzzy Hash: 7b6716528e0d4513c2a302cec48e0b8d043c87587ffdf5dc92bed3e490aa4115
      • Instruction Fuzzy Hash: F77131B1B001398BDB20CF24DD84BEDB7B5EF84344F5445EAD608A7241DA74AE858F5C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E00416B90(struct _CRITICAL_SECTION* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
      				RECT* _v8;
      				char _v16;
      				signed int _v20;
      				char _v538;
      				short _v540;
      				char _v544;
      				RECT* _v548;
      				RECT* _v552;
      				intOrPtr _v556;
      				struct _CRITICAL_SECTION* _v560;
      				char _v564;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t49;
      				signed int _t50;
      				void* _t55;
      				intOrPtr* _t62;
      				long _t69;
      				intOrPtr _t89;
      				intOrPtr _t90;
      				void* _t91;
      				void* _t111;
      				struct _CRITICAL_SECTION* _t113;
      				void* _t114;
      				WCHAR* _t116;
      				intOrPtr* _t118;
      				void* _t119;
      				signed int _t120;
      				void* _t121;
      				void* _t122;
      
      				_t111 = __edx;
      				_push(0xffffffff);
      				_push(E00486ED1);
      				_push( *[fs:0x0]);
      				_t122 = _t121 - 0x224;
      				_t49 =  *0x4bb1dc; // 0x2927074f
      				_t50 = _t49 ^ _t120;
      				_v20 = _t50;
      				_push(_t50);
      				 *[fs:0x0] =  &_v16;
      				_t113 = __ecx;
      				_t116 = _a4;
      				_t89 = _a8;
      				_v556 = _a12;
      				_v560 = __ecx;
      				EnterCriticalSection(__ecx);
      				_v8 = 0;
      				if(_t116 == 0 ||  *_t116 == 0) {
      					_push(0x48fc20);
      				} else {
      					_v540 = 0;
      					E00470030( &_v538, 0, 0x206);
      					_t122 = _t122 + 0xc;
      					GetFullPathNameW(_t116, 0x104,  &_v540, 0);
      					_push( &_v540);
      				}
      				_t13 = _t113 + 0x3c; // 0x4bca4c
      				_t117 = _t13;
      				E0046A0F0(_t13);
      				 *(_t113 + 0x40) = 0;
      				E00416270(_t113, 0);
      				_t55 = E0046A720(_t13);
      				_t125 = _t55;
      				if(_t55 != 0) {
      					_v552 = 0;
      					_v548 = 0;
      					_v552 = E0045CBA0();
      					_v8 = 1;
      					E00467CF0( &_v552, _t111, E0046A170(_t117));
      					E004673D0( &_v552);
      					_v8 = 0;
      					E0040E1E0( &_v552,  &_v564, _v552->left, _v552);
      					E0046EF07(_v552);
      					_t122 = _t122 + 4;
      				}
      				_t27 = _t113 + 0x78; // 0x4bca88
      				E0046A0F0(_t27, _t89);
      				_t29 = _t113 + 0x7c; // 0x4bca8c
      				E0046A0F0(_t29, _v556);
      				E00416DC0(_t89, _t113, _t125,  &_v544, 0);
      				_v8 = 2;
      				if(_v544 != 0) {
      					_t34 = _t113 + 0x30; // 0x4bca40
      					E0041A520(_t34,  &_v544);
      					_t35 = _t113 + 0x6c; // 0x77d058
      					_t62 =  *_t35;
      					_t90 = _v544;
      					 *((intOrPtr*)(_t113 + 0x44)) = _t90;
      					_t118 =  *_t62;
      					__eflags = _t118 - _t62;
      					if(_t118 == _t62) {
      						L12:
      						_v8 = 0;
      						__eflags = _t90;
      						if(_t90 != 0) {
      							_t42 = _t90 + 0x578; // 0x578
      							_t69 = InterlockedDecrement(_t42);
      							__eflags = _t69 - 2;
      							if(_t69 < 2) {
      								E00467460(_t90, _t69);
      							}
      						}
      						_v8 = 0xffffffff;
      						LeaveCriticalSection(_t113);
      						E00418740(_t113, 1);
      						_t44 = _t113 + 0x18; // 0x0
      						InvalidateRect( *_t44, 0, 0);
      						_t45 = _t113 + 0x18; // 0x0
      						UpdateWindow( *_t45);
      						goto L16;
      					}
      					do {
      						_t38 = _t118 + 8; // 0x0
      						 *((intOrPtr*)( *_t38))(0);
      						_t118 =  *_t118;
      						_t122 = _t122 + 4;
      						_t39 = _t113 + 0x6c; // 0x77d058
      						__eflags = _t118 -  *_t39;
      					} while (_t118 !=  *_t39);
      					_t90 = _v544;
      					goto L12;
      				} else {
      					LeaveCriticalSection(_t113);
      					L16:
      					 *[fs:0x0] = _v16;
      					_pop(_t114);
      					_pop(_t119);
      					_pop(_t91);
      					return E0046F77E(_t91, _v20 ^ _t120, _t111, _t114, _t119);
      				}
      			}

      APIs
      • EnterCriticalSection.KERNEL32(004BCA10,2927074F,004BCA10,?,?), ref: 00416BD6
      • _memset.LIBCMT ref: 00416C03
      • GetFullPathNameW.KERNEL32(0045F84E,00000104,?,00000000), ref: 00416C1A
      • LeaveCriticalSection.KERNEL32(004BCA10,?,00000000,0048FC20,749682C0,00000000,0048FC20), ref: 00416CFC
      • InterlockedDecrement.KERNEL32(00000578), ref: 00416D56
      • LeaveCriticalSection.KERNEL32(004BCA10,00000000,?,00000000,0048FC20,749682C0,00000000,0048FC20), ref: 00416D71
      • InvalidateRect.USER32(00000000,00000000,00000000,00000001), ref: 00416D87
      • UpdateWindow.USER32(00000000), ref: 00416D90
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Leave$DecrementEnterFullInterlockedInvalidateNamePathRectUpdateWindow_memset
      • String ID:
      • API String ID: 382245041-0
      • Opcode ID: 7ed2aa67a50dbee96e8de4e88bb1483962fef527b75b115035ca7495f207fad9
      • Instruction ID: 4581ef7c1bbd1798c715ad9e8e554016a8aefdd26cba2d0e09975ca556742f08
      • Opcode Fuzzy Hash: 7ed2aa67a50dbee96e8de4e88bb1483962fef527b75b115035ca7495f207fad9
      • Instruction Fuzzy Hash: 0551C975900219ABCB20EF55DC49BDDB7B4FF08304F0005AEE805A7290EB78AE95CF99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 53%
      			E004043E0(void* __ecx, int _a4) {
      				signed int _v8;
      				char _v528;
      				intOrPtr _v556;
      				char* _v564;
      				intOrPtr _v568;
      				void* _v572;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t22;
      				int _t24;
      				long _t30;
      				int _t31;
      				void* _t48;
      				void* _t50;
      				void* _t51;
      				void* _t52;
      				void* _t63;
      				void* _t64;
      				void* _t65;
      				void* _t67;
      				void* _t68;
      				void* _t69;
      				signed int _t70;
      
      				_t22 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t22 ^ _t70;
      				_t24 = _a4;
      				_t64 = __ecx;
      				if(_t24 != 0) {
      					SendMessageW( *(__ecx + 0x14), 0x1202, _t24 - 1, 0);
      					asm("sbb eax, eax");
      					return E0046F77E(_t48, _v8 ^ _t70, _t63, _t64, _t65);
      				} else {
      					_push(_t48);
      					_push(_t65);
      					_t30 = SendMessageW( *(__ecx + 0xc), 0x1200, _t24, _t24);
      					_t31 = SendMessageW( *(_t64 + 0x14), 0x1200, 0, 0);
      					if(_t30 != 0) {
      						if(_t31 != 0) {
      							_v572 = 7;
      							_v564 =  &_v528;
      							_v556 = 0x104;
      							SendMessageW( *(_t64 + 0x14), 0x120b, 0,  &_v572);
      							SendMessageW( *(_t64 + 0xc), 0x1202, 0, 0);
      							SendMessageW( *(_t64 + 0x14), 0x1202, 0, 0);
      							SendMessageW( *(_t64 + 0xc), 0x120a, 0,  &_v572);
      							E00408A90(_t64, _v568);
      							_pop(_t67);
      							_pop(_t50);
      							return E0046F77E(_t50, _v8 ^ _t70, _t63, _t64, _t67);
      						} else {
      							SendMessageW( *(_t64 + 0xc), 0x1202, _t31, _t31);
      							_pop(_t68);
      							asm("sbb eax, eax");
      							_pop(_t51);
      							return E0046F77E(_t51, _v8 ^ _t70, _t63, _t64, _t68);
      						}
      					} else {
      						_pop(_t69);
      						_pop(_t52);
      						return E0046F77E(_t52, _v8 ^ _t70, _t63, _t64, _t69);
      					}
      				}
      			}

      APIs
      • SendMessageW.USER32(?,00001200,?,?), ref: 00404413
      • SendMessageW.USER32(?,00001200,00000000,00000000), ref: 00404423
      • SendMessageW.USER32(?,00001202,00000000,00000000), ref: 0040444C
      • SendMessageW.USER32(?,00001202,?,00000000), ref: 004044F7
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: c7a5f805df9f7770bb47f6dd0f226d5e1402bae95bc46e3268a4019ff058b3d3
      • Instruction ID: b0d3550a98a902ebe6448c28e7a9791e58c979546bfc5b014a3cdfccee82bec9
      • Opcode Fuzzy Hash: c7a5f805df9f7770bb47f6dd0f226d5e1402bae95bc46e3268a4019ff058b3d3
      • Instruction Fuzzy Hash: CB31D471640209BBEB21DFA4EC42FB9F368EB04711F104366BA05EA1E0DB75AD208A58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004091F0(void* __ebx, void* __ecx, void* __edi, void* __esi, struct HWND__* _a4, void* _a8) {
      				signed int _v8;
      				struct tagRECT _v24;
      				signed int _t8;
      				signed int _t25;
      
      				_t8 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t8 ^ _t25;
      				GetClientRect( *(__ecx + 8),  &_v24);
      				return GetWindowLongW(_a4, 0xfffffff0) >> 0x0000001c & 0x00000001;
      			}

      APIs
      • GetClientRect.USER32 ref: 0040920F
      • GetWindowLongW.USER32(?,000000F0), ref: 00409218
      • GetSystemMetrics.USER32 ref: 0040923E
      • GetSystemMetrics.USER32 ref: 00409245
      • GetSystemMetrics.USER32 ref: 00409280
      • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000044,?,?,?,?,?,?,?,00408C74,?), ref: 004092A1
      • SetScrollInfo.USER32(?,00000002,00408C74,00000001), ref: 004092EE
      • ShowWindow.USER32(?,00000000,?,00000000,?,?), ref: 00409301
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MetricsSystemWindow$ClientInfoLongRectScrollShow
      • String ID:
      • API String ID: 3099491822-0
      • Opcode ID: 81afd192f19d1c19f2e28d9848cdfe0ec21c77e4bebf89543c4d8cea923775da
      • Instruction ID: 6909159586a6d9752e9e1a128f1b70523e9dbc29dd1a8984a4e74a8ea064cf5f
      • Opcode Fuzzy Hash: 81afd192f19d1c19f2e28d9848cdfe0ec21c77e4bebf89543c4d8cea923775da
      • Instruction Fuzzy Hash: 2C31AF72900208AFDB10DFA8DC85BEEBBB4EB49300F10056EF945B7291DB742C498B58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E00439880(void* __ebx, void* __edx) {
      				long _v8;
      				char _v16;
      				WCHAR** _v20;
      				void* __ecx;
      				void* __edi;
      				void* __esi;
      				signed int _t12;
      				WCHAR** _t18;
      				WCHAR** _t22;
      				WCHAR** _t23;
      				WCHAR* _t24;
      				WCHAR** _t26;
      				WCHAR* _t31;
      				long _t33;
      				WCHAR** _t39;
      				void* _t42;
      				void* _t43;
      				long _t45;
      				void* _t48;
      				long _t49;
      				signed int _t52;
      
      				_t42 = __edx;
      				_push(0xffffffff);
      				_push(E004899F8);
      				_push( *[fs:0x0]);
      				_push(_t43);
      				_t12 =  *0x4bb1dc; // 0x2927074f
      				_push(_t12 ^ _t52);
      				 *[fs:0x0] =  &_v16;
      				_t48 = SetLastError;
      				SetLastError(0);
      				if(E0040F8A0(0x4bb114, 0) != 0) {
      					E0040F410(__ebx, _t42, _t43,  &_v20, 0);
      					_t18 = _v20;
      					_v8 = 0;
      					__eflags = _t18;
      					if(_t18 == 0) {
      						L16:
      						_t49 = GetLastError();
      					} else {
      						_t22 =  *_t18;
      						__eflags = _t22;
      						if(_t22 == 0) {
      							goto L16;
      						} else {
      							__imp__#7(_t22);
      							__eflags = _t22;
      							if(_t22 == 0) {
      								goto L16;
      							} else {
      								_t23 = _v20;
      								__eflags = _t23;
      								if(__eflags == 0) {
      									_t24 = 0;
      									__eflags = 0;
      								} else {
      									_t24 =  *_t23;
      								}
      								_t45 = E0040F670(_t48, __eflags, _t24, 0x4bb114);
      								__eflags = _t45;
      								if(_t45 == 0) {
      									_t26 = _v20;
      									__eflags = _t26;
      									if(_t26 == 0) {
      										DeleteFileW(0);
      										_t49 = 0;
      									} else {
      										DeleteFileW( *_t26);
      										_t49 = 0;
      									}
      								} else {
      									_t39 = _v20;
      									__eflags = _t39;
      									if(_t39 == 0) {
      										_t31 = 0;
      										__eflags = 0;
      									} else {
      										_t31 =  *_t39;
      									}
      									DeleteFileW(_t31);
      									__eflags = _t45 - 0x800704d6;
      									if(_t45 != 0x800704d6) {
      										SetLastError(_t45);
      									} else {
      										SetLastError(4);
      									}
      									goto L16;
      								}
      							}
      						}
      					}
      					E00403A00( &_v20);
      					 *[fs:0x0] = _v16;
      					return _t49;
      				} else {
      					_t33 = GetLastError();
      					 *[fs:0x0] = _v16;
      					return _t33;
      				}
      			}

      APIs
      • SetLastError.KERNEL32(00000000,2927074F,00000000,749682C0,?,00000000,004899F8,000000FF,?,0043A210,?,00000000,00489A40,000000FF), ref: 004398AD
        • Part of subcall function 0040F8A0: FilterConnectCommunicationPort.FLTLIB(\ProcessMonitor23Port,00000000,000000FF,00000004,00000000,?,?,004398BB,004BB114,00000000,?,00000000,004899F8,000000FF,?,0043A210), ref: 0040F8B5
      • GetLastError.KERNEL32(?,0043A210,?,00000000,00489A40,000000FF), ref: 004398C2
      • SysStringLen.OLEAUT32(?), ref: 004398FC
      • DeleteFileW.KERNEL32(00000000), ref: 00439935
      • SetLastError.KERNEL32(00000000), ref: 00439948
      • GetLastError.KERNEL32 ref: 0043994A
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ErrorLast$CommunicationConnectDeleteFileFilterPortString
      • String ID:
      • API String ID: 309765145-0
      • Opcode ID: 0b15fd4f2a09055b951ee5363556620380fc53224cd0547c9cb599c9375f95fc
      • Instruction ID: 40389f126f5ff98b192305ceed768f8a9eefa4cb9a779d34ade97b7904e8b02d
      • Opcode Fuzzy Hash: 0b15fd4f2a09055b951ee5363556620380fc53224cd0547c9cb599c9375f95fc
      • Instruction Fuzzy Hash: A8318EB6A442059BDB10DB65DC45B6FB7A8EF48750F14497FEC01E7380EBB99C008BA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E00407720(void* __ecx, intOrPtr _a4) {
      				signed int _v8;
      				struct tagSCROLLINFO _v36;
      				struct tagRECT _v52;
      				struct tagRECT _v68;
      				struct tagTEXTMETRICW _v128;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t29;
      				signed int _t46;
      				void* _t52;
      				intOrPtr _t54;
      				signed int _t59;
      				long _t60;
      				intOrPtr _t61;
      				struct HDC__* _t62;
      				signed int _t64;
      				signed int _t65;
      
      				_t29 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t29 ^ _t65;
      				_v36.cbSize = 0x1c;
      				_t52 = __ecx;
      				_v36.nTrackPos = 0;
      				asm("xorps xmm0, xmm0");
      				_v36.fMask = 4;
      				asm("movdqu [ebp-0x18], xmm0");
      				GetScrollInfo( *(__ecx + 0x1c), 2,  &_v36);
      				_t62 = GetDC( *(_t52 + 8));
      				SelectObject(_t62,  *(_t52 + 0x30));
      				GetTextMetricsW(_t62,  &_v128);
      				_t60 = _v128.tmHeight;
      				ReleaseDC( *(_t52 + 8), _t62);
      				if( *((intOrPtr*)(_t52 + 0x38)) != 0) {
      					_t60 =  <  ? GetSystemMetrics(0x32) : _t60;
      				}
      				_t64 =  *((intOrPtr*)(_t52 + 0x68)) + _t60;
      				GetWindowRect( *(_t52 + 0xc),  &_v52);
      				GetClientRect( *(_t52 + 8),  &_v68);
      				_t54 = _a4;
      				_t61 = _v36.nPos;
      				if(_t54 < _t61) {
      					L5:
      					return E0046F77E(_t52, _v8 ^ _t65, _t59, _t61, _t64);
      				} else {
      					_t46 = _v52.top - _v52.bottom + _v68.bottom;
      					asm("cdq");
      					_t59 = _t46 % _t64;
      					if(_t54 > _t46 / _t64 + _t61) {
      						goto L5;
      					} else {
      						return E0046F77E(_t52, _v8 ^ _t65, _t59, _t61, _t64);
      					}
      				}
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MetricsRect$ClientInfoObjectReleaseScrollSelectSystemTextWindow
      • String ID:
      • API String ID: 763249787-0
      • Opcode ID: 527aacdd67219e9e32fe8b5bd3c5d01943b04c4c49c14024a937b1a1744be605
      • Instruction ID: 8291074952fea97ae062c0a22edad48266503ff4048fa6e6d20d995106f28cbe
      • Opcode Fuzzy Hash: 527aacdd67219e9e32fe8b5bd3c5d01943b04c4c49c14024a937b1a1744be605
      • Instruction Fuzzy Hash: 2F21AC72900108EFDF00DFA8DC88AAEBBB9EF48311F244179E801A7261D7356D46DB98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E004062B0(void* __ecx, intOrPtr _a4, struct tagRECT* _a8) {
      				signed int _v8;
      				struct tagSCROLLINFO _v36;
      				struct tagRECT _v52;
      				struct tagTEXTMETRICW _v112;
      				struct tagRECT* _v116;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t27;
      				long _t41;
      				void* _t47;
      				void* _t48;
      				void* _t56;
      				long _t58;
      				struct tagRECT* _t59;
      				void* _t60;
      				struct HDC__* _t62;
      				signed int _t64;
      				void* _t65;
      				signed int _t66;
      
      				_t27 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t27 ^ _t66;
      				asm("xorps xmm0, xmm0");
      				_v116 = _a8;
      				_t47 = __ecx;
      				_v36.cbSize = 0x1c;
      				asm("movdqu [ebp-0x18], xmm0");
      				_v36.nTrackPos = 0;
      				_v36.fMask = 4;
      				GetScrollInfo( *(__ecx + 0x1c), 2,  &_v36);
      				_t62 = GetDC( *(_t47 + 8));
      				SelectObject(_t62,  *(_t47 + 0x30));
      				GetTextMetricsW(_t62,  &_v112);
      				_t58 = _v112.tmHeight;
      				ReleaseDC( *(_t47 + 8), _t62);
      				if( *((intOrPtr*)(_t47 + 0x38)) != 0) {
      					_t58 =  <  ? GetSystemMetrics(0x32) : _t58;
      				}
      				_t64 =  *((intOrPtr*)(_t47 + 0x68)) + _t58;
      				_t59 = _v116;
      				GetClientRect( *(_t47 + 8), _t59);
      				GetWindowRect( *(_t47 + 0xc),  &_v52);
      				_t41 = _v52.bottom + (_a4 - _v36.nPos) * _t64 - _v52.top;
      				_t59->top = _t41;
      				_t59->bottom = _t41 + _t64;
      				_pop(_t60);
      				_pop(_t65);
      				_pop(_t48);
      				return E0046F77E(_t48, _v8 ^ _t66, _t56, _t60, _t65);
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MetricsRect$ClientInfoObjectReleaseScrollSelectSystemTextWindow
      • String ID:
      • API String ID: 763249787-0
      • Opcode ID: 9cc15975631bfc9ceacc2c983862a5c552dbabb8f3b0a357ece90f1eeeb3cb89
      • Instruction ID: 3057e24b754122b2c805f32a9bf1915e0a86187914d6aff7f5107074d968cb53
      • Opcode Fuzzy Hash: 9cc15975631bfc9ceacc2c983862a5c552dbabb8f3b0a357ece90f1eeeb3cb89
      • Instruction Fuzzy Hash: 29211B72900118AFCB00DFA8DC88AAEBBB9FF48311F158169E905EB261D7349955CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E0040C9C0(intOrPtr* __ecx) {
      				struct HWND__* _t8;
      				LONG* _t20;
      				intOrPtr* _t22;
      				LONG* _t25;
      				struct HWND__* _t28;
      
      				_t22 = __ecx;
      				if( *__ecx == 0) {
      					L10:
      					_t20 =  *(_t22 + 0xc);
      					if(_t20 != 0) {
      						_t25 = _t20;
      						if(InterlockedDecrement(_t25) != 0) {
      							return  *_t25;
      						} else {
      							L0047002A(_t25);
      							return 0;
      						}
      					} else {
      						return _t8;
      					}
      				}
      				_push(_t24);
      				if( *((intOrPtr*)(__ecx + 0x14)) != 0) {
      					L4:
      					SendMessageW( *(_t22 + 0x14), 0x111, 1, 0);
      					WaitForSingleObject( *(_t22 + 0x20), 0xffffffff);
      					_t8 = CloseHandle( *(_t22 + 0x20));
      					_t28 =  *(_t22 + 0x24);
      					if(_t28 == 0) {
      						L9:
      						_pop(_t24);
      						goto L10;
      					}
      					while(1) {
      						_t8 = GetDesktopWindow();
      						if(_t28 == _t8) {
      							break;
      						}
      						EnableWindow(_t28, 1);
      						_t8 = GetParent(_t28);
      						_t28 = _t8;
      						if(_t28 != 0) {
      							continue;
      						}
      						break;
      					}
      					goto L9;
      				} else {
      					do {
      						Sleep(0x32);
      					} while ( *(_t22 + 0x14) == 0);
      					goto L4;
      				}
      			}

      APIs
      • Sleep.KERNEL32(00000032,?,749682C0,0043ACBC,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0040C9D7
      • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0040C9EB
      • WaitForSingleObject.KERNEL32(?,000000FF,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0040C9F6
      • CloseHandle.KERNEL32(?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0040C9FF
      • GetDesktopWindow.USER32 ref: 0040CA13
      • EnableWindow.USER32(?,00000001), ref: 0040CA1C
      • GetParent.USER32(?), ref: 0040CA23
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$CloseDesktopEnableHandleMessageObjectParentSendSingleSleepWait
      • String ID:
      • API String ID: 364389641-0
      • Opcode ID: 31f16d72f3a39e6e6bba9887ec8de512dabebed3248d1daeaa8db76ed6e1992b
      • Instruction ID: f857d6bc3513493a88a10acd25e19a1f53ed7feb2496e5f301382b019afb631d
      • Opcode Fuzzy Hash: 31f16d72f3a39e6e6bba9887ec8de512dabebed3248d1daeaa8db76ed6e1992b
      • Instruction Fuzzy Hash: 26118232601921FBDB215B64EC48B9EB365BF08721F04033AF901B26E0EB74AC51CBD9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00451295(intOrPtr __eax, void* __ebx, intOrPtr __edi, void* __esi) {
      				intOrPtr _t142;
      				void* _t145;
      				struct HWND__* _t149;
      				void* _t176;
      				void* _t181;
      				void* _t186;
      				void* _t191;
      				void* _t196;
      				void* _t201;
      				void* _t206;
      				void* _t220;
      				struct HWND__** _t245;
      				intOrPtr _t270;
      				struct HWND__* _t271;
      				void* _t272;
      				struct HWND__* _t274;
      				void* _t275;
      				signed int _t277;
      				void* _t279;
      				void* _t285;
      				void* _t286;
      				void* _t287;
      				void* _t288;
      				void* _t289;
      				void* _t290;
      				void* _t291;
      
      				_t270 = __edi;
      				_t220 = __ebx;
      				_t142 = __eax;
      				do {
      					 *((intOrPtr*)(_t277 - 0x2ec)) =  *((intOrPtr*)(_t277 - 0x2ec)) +  *((intOrPtr*)(_t142 + 0x20));
      					asm("adc ecx, [eax+0x24]");
      					 *((intOrPtr*)(_t277 - 0x2e4)) =  *((intOrPtr*)(_t277 - 0x2e4)) +  *((intOrPtr*)(_t142 + 0x28));
      					 *((intOrPtr*)(_t277 - 0x2e0)) =  *((intOrPtr*)(_t277 - 0x2e0)) +  *((intOrPtr*)(_t142 + 0x2c));
      					 *((intOrPtr*)(_t277 - 0x2dc)) =  *((intOrPtr*)(_t277 - 0x2dc)) +  *((intOrPtr*)(_t142 + 0x30));
      					 *((intOrPtr*)(_t277 - 0x2d8)) =  *((intOrPtr*)(_t277 - 0x2d8)) +  *((intOrPtr*)(_t142 + 0x34));
      					 *((intOrPtr*)(_t277 - 0x2d4)) =  *((intOrPtr*)(_t277 - 0x2d4)) +  *((intOrPtr*)(_t142 + 0x38));
      					 *((intOrPtr*)(_t277 - 0x2cc)) =  *((intOrPtr*)(_t277 - 0x2cc)) +  *((intOrPtr*)(_t142 + 0x40));
      					asm("adc ecx, [eax+0x44]");
      					 *((intOrPtr*)(_t277 - 0x2c4)) =  *((intOrPtr*)(_t277 - 0x2c4)) +  *((intOrPtr*)(_t142 + 0x48));
      					asm("adc ecx, [eax+0x4c]");
      					_t270 = _t270 +  *((intOrPtr*)(_t142 + 0x50));
      					 *((intOrPtr*)(_t277 - 0x2bc)) = _t270;
      					E00462600(_t277 - 0x284);
      					_t142 =  *((intOrPtr*)(_t277 - 0x284));
      				} while (_t142 != __esi);
      				_t271 =  *(_t277 - 0x294);
      				_t145 = E0041A630(_t277 - 0x2f4, _t277 - 0x2f4);
      				 *((char*)(_t277 - 4)) = 5;
      				E0041CC70(_t277 - 0x290, _t277 - 0x298, 0, _t145,  *0x4bdce3 & 0x000000ff);
      				 *((char*)(_t277 - 4)) = 4;
      				E0041DB70();
      				_t245 =  *(_t277 - 0x290);
      				_t149 =  *_t245;
      				 *(_t277 - 0x294) = _t149;
      				if(_t149 != _t245) {
      					do {
      						_t269 =  *((intOrPtr*)(_t149 + 0x24));
      						_t46 = _t149 + 0x18; // 0x18
      						_t276 = _t46;
      						E004711AE(_t149,  *((intOrPtr*)(_t46 + 8)),  *((intOrPtr*)(_t149 + 0x24)));
      						asm("divsd xmm0, [0x4962f8]");
      						asm("movsd [esp], xmm0");
      						_push(L"%.07f");
      						_push(_t277 - 0x27c);
      						L00401F90();
      						E00470030(_t277 - 0x324, 0, 0x30);
      						 *((intOrPtr*)(_t277 - 0x324)) = 0x7fffffff;
      						 *(_t277 - 0x328) = 1;
      						 *((intOrPtr*)(_t277 - 0x314)) = _t277 - 0x27c;
      						 *((intOrPtr*)(_t277 - 0x284)) = SendMessageW(_t271, 0x104d, 0, _t277 - 0x328);
      						E00436C80(_t220,  *((intOrPtr*)(_t149 + 0x24)), _t271, _t277 - 0x280,  *((intOrPtr*)(_t46 + 0x10)), 0, 0);
      						 *((char*)(_t277 - 4)) = 6;
      						E00436730(_t271,  *((intOrPtr*)(_t277 - 0x284)), 1, _t277 - 0x280);
      						_t176 = E00436C80(_t220,  *((intOrPtr*)(_t149 + 0x24)), _t271, _t277 - 0x2a4,  *((intOrPtr*)(_t46 + 0x14)), 0, 0);
      						_t285 = _t279 - 8 + 0x4c;
      						 *((char*)(_t277 - 4)) = 7;
      						E0046A0B0(_t277 - 0x280, _t176);
      						_t254 =  *((intOrPtr*)(_t277 - 0x2a4));
      						 *((char*)(_t277 - 4)) = 6;
      						if( *((intOrPtr*)(_t277 - 0x2a4)) != 0) {
      							E0046A700(_t254);
      						}
      						E00436730(_t271,  *((intOrPtr*)(_t277 - 0x284)), 2, _t277 - 0x280);
      						_t181 = E00436C80(_t220, _t269, _t271, _t277 - 0x2a0,  *((intOrPtr*)(_t276 + 0x18)), 0, 0);
      						_t286 = _t285 + 0x20;
      						 *((char*)(_t277 - 4)) = 8;
      						E0046A0B0(_t277 - 0x280, _t181);
      						_t256 =  *((intOrPtr*)(_t277 - 0x2a0));
      						 *((char*)(_t277 - 4)) = 6;
      						if( *((intOrPtr*)(_t277 - 0x2a0)) != 0) {
      							E0046A700(_t256);
      						}
      						E00436730(_t271,  *((intOrPtr*)(_t277 - 0x284)), 3, _t277 - 0x280);
      						_t186 = E00436C80(_t220, _t269, _t271, _t277 - 0x2b4,  *((intOrPtr*)(_t276 + 0x1c)), 0, 0);
      						_t287 = _t286 + 0x20;
      						 *((char*)(_t277 - 4)) = 9;
      						E0046A0B0(_t277 - 0x280, _t186);
      						_t258 =  *((intOrPtr*)(_t277 - 0x2b4));
      						 *((char*)(_t277 - 4)) = 6;
      						if( *((intOrPtr*)(_t277 - 0x2b4)) != 0) {
      							E0046A700(_t258);
      						}
      						E00436730(_t271,  *((intOrPtr*)(_t277 - 0x284)), 4, _t277 - 0x280);
      						_t191 = E00436C80(_t220, _t269, _t271, _t277 - 0x2b0,  *((intOrPtr*)(_t276 + 0x20)), 0, 0);
      						_t288 = _t287 + 0x20;
      						 *((char*)(_t277 - 4)) = 0xa;
      						E0046A0B0(_t277 - 0x280, _t191);
      						_t260 =  *((intOrPtr*)(_t277 - 0x2b0));
      						 *((char*)(_t277 - 4)) = 6;
      						if( *((intOrPtr*)(_t277 - 0x2b0)) != 0) {
      							E0046A700(_t260);
      						}
      						E00436730(_t271,  *((intOrPtr*)(_t277 - 0x284)), 5, _t277 - 0x280);
      						_t196 = E00436C80(_t220, _t269, _t271, _t277 - 0x29c,  *((intOrPtr*)(_t276 + 0x28)),  *((intOrPtr*)(_t276 + 0x2c)), 0);
      						_t289 = _t288 + 0x20;
      						 *((char*)(_t277 - 4)) = 0xb;
      						E0046A0B0(_t277 - 0x280, _t196);
      						_t262 =  *((intOrPtr*)(_t277 - 0x29c));
      						 *((char*)(_t277 - 4)) = 6;
      						if( *((intOrPtr*)(_t277 - 0x29c)) != 0) {
      							E0046A700(_t262);
      						}
      						E00436730(_t271,  *((intOrPtr*)(_t277 - 0x284)), 6, _t277 - 0x280);
      						_t201 = E00436C80(_t220, _t269, _t271, _t277 - 0x2a8,  *((intOrPtr*)(_t276 + 0x30)),  *((intOrPtr*)(_t276 + 0x34)), 0);
      						_t290 = _t289 + 0x20;
      						 *((char*)(_t277 - 4)) = 0xc;
      						E0046A0B0(_t277 - 0x280, _t201);
      						_t264 =  *((intOrPtr*)(_t277 - 0x2a8));
      						 *((char*)(_t277 - 4)) = 6;
      						if( *((intOrPtr*)(_t277 - 0x2a8)) != 0) {
      							E0046A700(_t264);
      						}
      						E00436730(_t271,  *((intOrPtr*)(_t277 - 0x284)), 7, _t277 - 0x280);
      						_t206 = E00436C80(_t220, _t269, _t271, _t277 - 0x2ac,  *((intOrPtr*)(_t276 + 0x38)), 0, 0);
      						_t291 = _t290 + 0x20;
      						 *((char*)(_t277 - 4)) = 0xd;
      						E0046A0B0(_t277 - 0x280, _t206);
      						_t266 =  *((intOrPtr*)(_t277 - 0x2ac));
      						 *((char*)(_t277 - 4)) = 6;
      						if( *((intOrPtr*)(_t277 - 0x2ac)) != 0) {
      							E0046A700(_t266);
      						}
      						E00436730(_t271,  *((intOrPtr*)(_t277 - 0x284)), 8, _t277 - 0x280);
      						E00436730(_t271,  *((intOrPtr*)(_t277 - 0x284)), 9, _t276);
      						_t267 =  *((intOrPtr*)(_t277 - 0x280));
      						_t279 = _t291 + 0x20;
      						 *((char*)(_t277 - 4)) = 4;
      						if( *((intOrPtr*)(_t277 - 0x280)) != 0) {
      							E0046A700(_t267);
      						}
      						E00462600(_t277 - 0x294);
      						_t149 =  *(_t277 - 0x294);
      					} while (_t149 !=  *(_t277 - 0x290));
      				}
      				_t274 =  *(_t277 - 0x288);
      				asm("xorps xmm0, xmm0");
      				 *(_t277 - 0x354) = _t271;
      				asm("movdqu [ebp-0x350], xmm0");
      				asm("movdqu [ebp-0x340], xmm0");
      				 *((intOrPtr*)(_t277 - 0x34c)) = 0xffffff94;
      				asm("movq [ebp-0x330], xmm0");
      				 *((intOrPtr*)(_t277 - 0x344)) = 1;
      				SendMessageW(_t274, 0x4e, 0x3f9, _t277 - 0x354);
      				E00431870(_t277 - 0x74, L"%u items",  *((intOrPtr*)(_t277 - 0x28c)));
      				SetDlgItemTextW(_t274, 0x42f, _t277 - 0x74);
      				_t246 =  *((intOrPtr*)(_t277 - 0x2f4));
      				 *((char*)(_t277 - 4)) = 3;
      				if( *((intOrPtr*)(_t277 - 0x2f4)) != 0) {
      					E0046A700(_t246);
      				}
      				 *((intOrPtr*)(_t277 - 4)) = 0xffffffff;
      				L0045DE90(_t277 - 0x290, _t277 - 0x288,  *( *(_t277 - 0x290)),  *(_t277 - 0x290));
      				E0046EF07( *(_t277 - 0x290));
      				 *[fs:0x0] =  *((intOrPtr*)(_t277 - 0xc));
      				_pop(_t272);
      				_pop(_t275);
      				return E0046F77E(_t220,  *(_t277 - 0x10) ^ _t277, _t269, _t272, _t275);
      			}

      APIs
      • _memset.LIBCMT ref: 00451400
      • SendMessageW.USER32(?,0000004E,000003F9,?), ref: 0045171F
      • SetDlgItemTextW.USER32 ref: 00451746
      • SendMessageW.USER32(00000000,0000104D,00000000,00000001), ref: 00451437
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: DecrementInterlockedMessageSend$ItemText_memset
      • String ID: %.07f$%u items
      • API String ID: 2681218156-3895357420
      • Opcode ID: 5ce193dccc635c35befb6132dc9aebb40787e544f1ad77ab83f8d7cc8b98ec03
      • Instruction ID: 27af7b8174e416f141388874c5273ffe3abcede14b587fe88d646ff323110463
      • Opcode Fuzzy Hash: 5ce193dccc635c35befb6132dc9aebb40787e544f1ad77ab83f8d7cc8b98ec03
      • Instruction Fuzzy Hash: 2BE16D74901219ABDF25EB51CD89FEEB779AF08308F1040DEE50967292EB346B84CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E00457938(intOrPtr __eax, void* __ebx, intOrPtr __edi, intOrPtr __esi) {
      				intOrPtr _t121;
      				void* _t124;
      				struct HWND__* _t128;
      				void* _t158;
      				void* _t164;
      				void* _t170;
      				void* _t176;
      				void* _t182;
      				void* _t194;
      				struct HWND__** _t211;
      				intOrPtr _t232;
      				struct HWND__* _t233;
      				void* _t234;
      				intOrPtr _t235;
      				struct HWND__* _t236;
      				void* _t237;
      				signed int _t238;
      				void* _t240;
      				void* _t246;
      				void* _t247;
      				void* _t248;
      				void* _t249;
      				void* _t250;
      
      				_t235 = __esi;
      				_t232 = __edi;
      				_t194 = __ebx;
      				_t121 = __eax;
      				do {
      					 *((intOrPtr*)(_t238 - 0x2b8)) =  *((intOrPtr*)(_t238 - 0x2b8)) +  *((intOrPtr*)(_t121 + 0x20));
      					asm("adc ecx, [eax+0x24]");
      					 *((intOrPtr*)(_t238 - 0x2b0)) =  *((intOrPtr*)(_t238 - 0x2b0)) +  *((intOrPtr*)(_t121 + 0x28));
      					 *((intOrPtr*)(_t238 - 0x2ac)) =  *((intOrPtr*)(_t238 - 0x2ac)) +  *((intOrPtr*)(_t121 + 0x2c));
      					 *((intOrPtr*)(_t238 - 0x2a8)) =  *((intOrPtr*)(_t238 - 0x2a8)) +  *((intOrPtr*)(_t121 + 0x30));
      					 *((intOrPtr*)(_t238 - 0x2a4)) =  *((intOrPtr*)(_t238 - 0x2a4)) +  *((intOrPtr*)(_t121 + 0x34));
      					_t235 = _t235 +  *((intOrPtr*)(_t121 + 0x38));
      					 *((intOrPtr*)(_t238 - 0x2a0)) = _t235;
      					_t232 = _t232 +  *((intOrPtr*)(_t121 + 0x3c));
      					 *((intOrPtr*)(_t238 - 0x29c)) = _t232;
      					E00462600(_t238 - 0x280);
      					_t121 =  *((intOrPtr*)(_t238 - 0x280));
      				} while (_t121 !=  *(_t238 - 0x298));
      				_t233 =  *(_t238 - 0x28c);
      				_t236 =  *(_t238 - 0x288);
      				_t124 = E0041A690(_t238 - 0x2c0, _t238 - 0x2c0);
      				 *((char*)(_t238 - 4)) = 5;
      				E0041CD80(_t238 - 0x298, _t238 - 0x290, 0, _t124,  *0x4bdce3 & 0x000000ff);
      				 *((char*)(_t238 - 4)) = 4;
      				E0041DB70();
      				_t211 =  *(_t238 - 0x298);
      				_t128 =  *_t211;
      				 *(_t238 - 0x28c) = _t128;
      				if(_t128 != _t211) {
      					do {
      						_t231 =  *((intOrPtr*)(_t128 + 0x24));
      						 *(_t238 - 0x288) = _t128 + 0x18;
      						E004711AE(_t128 + 0x18,  *((intOrPtr*)(_t128 + 0x20)),  *((intOrPtr*)(_t128 + 0x24)));
      						asm("divsd xmm0, [0x4962f8]");
      						asm("movsd [esp], xmm0");
      						_push(L"%.07f");
      						_push(_t238 - 0x27c);
      						L00401F90();
      						E00470030(_t238 - 0x304, 0, 0x30);
      						 *((intOrPtr*)(_t238 - 0x304)) = 0x7fffffff;
      						 *(_t238 - 0x308) = 1;
      						 *((intOrPtr*)(_t238 - 0x2f4)) = _t238 - 0x27c;
      						 *((intOrPtr*)(_t238 - 0x280)) = SendMessageW(_t236, 0x104d, 0, _t238 - 0x308);
      						E00436C80(_t194,  *((intOrPtr*)(_t128 + 0x24)), _t233, _t238 - 0x284,  *((intOrPtr*)( *(_t238 - 0x288) + 0x10)), 0, 0);
      						 *((char*)(_t238 - 4)) = 6;
      						E00436730(_t236,  *((intOrPtr*)(_t238 - 0x280)), 1, _t238 - 0x284);
      						_t158 = E00436C80(_t194,  *((intOrPtr*)(_t128 + 0x24)), _t233, _t238 - 0x2cc,  *((intOrPtr*)( *(_t238 - 0x288) + 0x14)), 0, 0);
      						_t246 = _t240 - 8 + 0x4c;
      						 *((char*)(_t238 - 4)) = 7;
      						E0046A0B0(_t238 - 0x284, _t158);
      						_t220 =  *((intOrPtr*)(_t238 - 0x2cc));
      						 *((char*)(_t238 - 4)) = 6;
      						if( *((intOrPtr*)(_t238 - 0x2cc)) != 0) {
      							E0046A700(_t220);
      						}
      						E00436730(_t236,  *((intOrPtr*)(_t238 - 0x280)), 2, _t238 - 0x284);
      						_t164 = E00436C80(_t194, _t231, _t233, _t238 - 0x2d0,  *((intOrPtr*)( *(_t238 - 0x288) + 0x18)), 0, 0);
      						_t247 = _t246 + 0x20;
      						 *((char*)(_t238 - 4)) = 8;
      						E0046A0B0(_t238 - 0x284, _t164);
      						_t222 =  *((intOrPtr*)(_t238 - 0x2d0));
      						 *((char*)(_t238 - 4)) = 6;
      						if( *((intOrPtr*)(_t238 - 0x2d0)) != 0) {
      							E0046A700(_t222);
      						}
      						E00436730(_t236,  *((intOrPtr*)(_t238 - 0x280)), 3, _t238 - 0x284);
      						_t170 = E00436C80(_t194, _t231, _t233, _t238 - 0x2d4,  *((intOrPtr*)( *(_t238 - 0x288) + 0x1c)), 0, 0);
      						_t248 = _t247 + 0x20;
      						 *((char*)(_t238 - 4)) = 9;
      						E0046A0B0(_t238 - 0x284, _t170);
      						_t224 =  *((intOrPtr*)(_t238 - 0x2d4));
      						 *((char*)(_t238 - 4)) = 6;
      						if( *((intOrPtr*)(_t238 - 0x2d4)) != 0) {
      							E0046A700(_t224);
      						}
      						E00436730(_t236,  *((intOrPtr*)(_t238 - 0x280)), 4, _t238 - 0x284);
      						_t176 = E00436C80(_t194, _t231, _t233, _t238 - 0x2c4,  *((intOrPtr*)( *(_t238 - 0x288) + 0x20)), 0, 0);
      						_t249 = _t248 + 0x20;
      						 *((char*)(_t238 - 4)) = 0xa;
      						E0046A0B0(_t238 - 0x284, _t176);
      						_t226 =  *((intOrPtr*)(_t238 - 0x2c4));
      						 *((char*)(_t238 - 4)) = 6;
      						if( *((intOrPtr*)(_t238 - 0x2c4)) != 0) {
      							E0046A700(_t226);
      						}
      						E00436730(_t236,  *((intOrPtr*)(_t238 - 0x280)), 5, _t238 - 0x284);
      						_t182 = E00436C80(_t194, _t231, _t233, _t238 - 0x2c8,  *((intOrPtr*)( *(_t238 - 0x288) + 0x24)), 0, 0);
      						_t250 = _t249 + 0x20;
      						 *((char*)(_t238 - 4)) = 0xb;
      						E0046A0B0(_t238 - 0x284, _t182);
      						_t228 =  *((intOrPtr*)(_t238 - 0x2c8));
      						 *((char*)(_t238 - 4)) = 6;
      						if( *((intOrPtr*)(_t238 - 0x2c8)) != 0) {
      							E0046A700(_t228);
      						}
      						E00436730(_t236,  *((intOrPtr*)(_t238 - 0x280)), 6, _t238 - 0x284);
      						E00436730(_t236,  *((intOrPtr*)(_t238 - 0x280)), 7,  *(_t238 - 0x288));
      						_t229 =  *((intOrPtr*)(_t238 - 0x284));
      						_t240 = _t250 + 0x20;
      						 *((char*)(_t238 - 4)) = 4;
      						if( *((intOrPtr*)(_t238 - 0x284)) != 0) {
      							E0046A700(_t229);
      						}
      						E00462600(_t238 - 0x28c);
      						_t128 =  *(_t238 - 0x28c);
      					} while (_t128 !=  *(_t238 - 0x298));
      				}
      				 *(_t238 - 0x334) = _t236;
      				asm("xorps xmm0, xmm0");
      				asm("movdqu [ebp-0x330], xmm0");
      				asm("movdqu [ebp-0x320], xmm0");
      				 *((intOrPtr*)(_t238 - 0x32c)) = 0xffffff94;
      				asm("movq [ebp-0x310], xmm0");
      				 *((intOrPtr*)(_t238 - 0x324)) = 1;
      				SendMessageW(_t233, 0x4e, 0x3f9, _t238 - 0x334);
      				E00431870(_t238 - 0x74, L"%u items",  *((intOrPtr*)(_t238 - 0x294)));
      				SetDlgItemTextW(_t233, 0x42f, _t238 - 0x74);
      				_t212 =  *((intOrPtr*)(_t238 - 0x2c0));
      				 *((char*)(_t238 - 4)) = 3;
      				if( *((intOrPtr*)(_t238 - 0x2c0)) != 0) {
      					E0046A700(_t212);
      				}
      				 *((intOrPtr*)(_t238 - 4)) = 0xffffffff;
      				L0045DE90(_t238 - 0x298, _t238 - 0x28c,  *( *(_t238 - 0x298)),  *(_t238 - 0x298));
      				E0046EF07( *(_t238 - 0x298));
      				 *[fs:0x0] =  *((intOrPtr*)(_t238 - 0xc));
      				_pop(_t234);
      				_pop(_t237);
      				return E0046F77E(_t194,  *(_t238 - 0x10) ^ _t238, _t231, _t234, _t237);
      			}

      APIs
      • _memset.LIBCMT ref: 00457A70
      • SendMessageW.USER32(00000000,0000104D,00000000,00000001), ref: 00457AA7
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • SendMessageW.USER32(?,0000004E,000003F9,?), ref: 00457D14
        • Part of subcall function 00431870: vswprintf.LIBCMT ref: 0043187F
      • SetDlgItemTextW.USER32 ref: 00457D3B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: DecrementInterlockedMessageSend$ItemText_memsetvswprintf
      • String ID: %.07f$%u items
      • API String ID: 2381182906-3895357420
      • Opcode ID: 7fbb5029a3055bf1375585e23f9cf2c30a1fd4e123c27fdaa035122a255b93f8
      • Instruction ID: 95417cc0078c92cef0bc97144a2d581d0e52d4cca39736fc6e535f6bedea751b
      • Opcode Fuzzy Hash: 7fbb5029a3055bf1375585e23f9cf2c30a1fd4e123c27fdaa035122a255b93f8
      • Instruction Fuzzy Hash: 96C15C74902229AFDF65EB50CD89FDEB778AF08304F1041DAE50967292DB346B84CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E00436910(void* __edx, int* _a4, void* _a8) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				short _v540;
      				short _v1060;
      				int* _v1064;
      				void* _v1068;
      				int _v1072;
      				union _SID_NAME_USE _v1076;
      				int _v1080;
      				int _v1084;
      				int _v1088;
      				int _v1092;
      				char _v1096;
      				long _v1100;
      				char _v1104;
      				long _v1108;
      				int* _v1112;
      				int _v1116;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t77;
      				signed int _t78;
      				signed int _t80;
      				int _t96;
      				int _t101;
      				void* _t115;
      				void* _t133;
      				void* _t134;
      				int* _t139;
      				int _t140;
      				void* _t161;
      				int* _t163;
      				void* _t164;
      				int _t166;
      				void* _t167;
      				signed int _t168;
      				void* _t169;
      				void* _t170;
      
      				_t161 = __edx;
      				_push(0xffffffff);
      				_push(E004896DE);
      				_push( *[fs:0x0]);
      				_t170 = _t169 - 0x44c;
      				_t77 =  *0x4bb1dc; // 0x2927074f
      				_t78 = _t77 ^ _t168;
      				_v20 = _t78;
      				_push(_t78);
      				 *[fs:0x0] =  &_v16;
      				_t163 = _a4;
      				_t133 = _a8;
      				_v1104 = 0;
      				_t80 =  *0x4bce20; // 0x0
      				_v1112 = _t163;
      				if((_t80 & 0x00000001) == 0) {
      					 *0x4bce20 = _t80 | 0x00000001;
      					_v8 = 1;
      					 *0x4bce18 = 0;
      					 *0x4bce1c = 0;
      					 *0x4bce18 = E00438EF0();
      					E0046FD29(_t80 | 0x00000001, E0048D850);
      					_t170 = _t170 + 4;
      					_v8 = 0;
      				}
      				if(_t133 != 0) {
      					_t166 = E0046A6C0(_t133, _t133, GetLengthSid(_t133));
      					_v1116 = _t166;
      					_v8 = 2;
      					_v1084 = 0;
      					_v8 = 3;
      					_v1080 = _t166;
      					__eflags = _t166;
      					if(_t166 != 0) {
      						E0046A420(_t166);
      					}
      					_v1076 = 0;
      					_v8 = 5;
      					E004315F0(0x4bce18,  &_v1096, 0,  &_v1080,  *0x4bcb78 & 0x000000ff);
      					_t136 = _v1076;
      					_v8 = 6;
      					__eflags = _v1076;
      					if(_v1076 != 0) {
      						E0046A700(_t136);
      					}
      					_t137 = _v1080;
      					_v8 = 3;
      					__eflags = _v1080;
      					if(_v1080 != 0) {
      						E0046A700(_t137);
      					}
      					_t139 = _v1096 + 0x14;
      					_v8 = 2;
      					__eflags = _v1092;
      					_v1064 = _t139;
      					if(_v1092 != 0) {
      						_v1100 = 0x104;
      						_v1108 = 0x104;
      						_t96 = LookupAccountSidW(0x48fc20, _t133,  &_v540,  &_v1108,  &_v1060,  &_v1100,  &_v1076);
      						__eflags = _t96;
      						if(_t96 == 0) {
      							_v1068 = 0;
      							_push( &_v1068);
      							_push(_t133);
      							L0046E3F8();
      							E0046A0F0(_v1064, _v1068);
      							LocalFree(_v1068);
      						} else {
      							_push(L" Mandatory Level");
      							_push( &_v540);
      							_t101 = E0046EF68(_t139);
      							__eflags = _t101;
      							if(_t101 == 0) {
      								_v1072 = E0046A6C0(_t133,  &_v540, E0046A530( &_v540));
      								_v8 = 7;
      								_v1088 = E0046A6C0(_t133, "\\", E0046A530("\\"));
      								_v8 = 8;
      								_v1068 = E0046A6C0(_t133,  &_v1060, E0046A530( &_v1060));
      								_v8 = 9;
      								E0046A230( &_v1084,  &_v1088);
      								_v8 = 0xa;
      								_t115 = E0046A230( &_v1092,  &_v1072);
      								_v8 = 0xb;
      								E0046A0B0(_v1064, _t115);
      								_t152 = _v1092;
      								_v8 = 0xa;
      								__eflags = _v1092;
      								if(_v1092 != 0) {
      									E0046A700(_t152);
      								}
      								_t153 = _v1084;
      								_v8 = 9;
      								__eflags = _v1084;
      								if(_v1084 != 0) {
      									E0046A700(_t153);
      								}
      								_t154 = _v1068;
      								_v8 = 8;
      								__eflags = _v1068;
      								if(_v1068 != 0) {
      									E0046A700(_t154);
      								}
      								_t155 = _v1088;
      								_v8 = 7;
      								__eflags = _v1088;
      								if(_v1088 != 0) {
      									E0046A700(_t155);
      								}
      								_t156 = _v1072;
      								_v8 = 2;
      								__eflags = _v1072;
      								if(_v1072 != 0) {
      									E0046A700(_t156);
      								}
      							} else {
      								 *_t101 = 0;
      								E0046A0F0(_v1064,  &_v540);
      							}
      						}
      						_t139 = _v1064;
      					}
      					_t140 =  *_t139;
      					 *_t163 = _t140;
      					__eflags = _t140;
      					if(_t140 != 0) {
      						E0046A420(_t140);
      					}
      					_v1104 = 1;
      					_v8 = 0;
      					__eflags = _t166;
      					if(_t166 != 0) {
      						E0046A700(_t166);
      					}
      				} else {
      					 *_t163 = E0046A6C0(_t133, _t133, E0046A530(_t133));
      				}
      				 *[fs:0x0] = _v16;
      				_pop(_t164);
      				_pop(_t167);
      				_pop(_t134);
      				return E0046F77E(_t134, _v20 ^ _t168, _t161, _t164, _t167);
      			}

      APIs
      • GetLengthSid.ADVAPI32(0044212E,2927074F,-000004EB,00000000,004BCA10), ref: 004369BC
      • LookupAccountSidW.ADVAPI32(0048FC20,0044212E,?,00000104,?,00000104,00000000), ref: 00436AAD
      • ConvertSidToStringSidW.ADVAPI32(0044212E,?), ref: 00436C0C
        • Part of subcall function 0046A0F0: _memmove.LIBCMT ref: 0046A13E
        • Part of subcall function 0046A0F0: InterlockedDecrement.KERNEL32(00000000), ref: 0046A151
      • LocalFree.KERNEL32(00000000,00000000,0044212E,?), ref: 00436C28
      • _wcsstr.LIBCMT ref: 00436AC7
        • Part of subcall function 0046A420: InterlockedIncrement.KERNEL32(00000000), ref: 0046A421
        • Part of subcall function 0046A6C0: _memmove.LIBCMT ref: 0046A6ED
        • Part of subcall function 0046A230: InterlockedIncrement.KERNEL32(004373F9), ref: 0046A267
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Interlocked$Decrement$Increment_memmove$AccountConvertFreeLengthLocalLookupString_wcsstr
      • String ID: Mandatory Level
      • API String ID: 2655583403-3823167193
      • Opcode ID: d278b104f8f0e76e08cee043ff80b3e4f3b73671b9903d10d8a7a09bf31db928
      • Instruction ID: 03be426e505c839952e6c180ddfab0db50c18948fcc38002c1e911ddf9b7cca4
      • Opcode Fuzzy Hash: d278b104f8f0e76e08cee043ff80b3e4f3b73671b9903d10d8a7a09bf31db928
      • Instruction Fuzzy Hash: 8E9173F4901258AADB24DB61CD95B9EB7B8AF08308F0440DEE90567242EB785B54CF6E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E004168D0(struct _CRITICAL_SECTION* __ecx, void* __edx, WCHAR* _a4, char _a8, char _a12, intOrPtr _a16) {
      				int _v8;
      				char _v16;
      				intOrPtr _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				char _v40;
      				char _v44;
      				void* __ebx;
      				signed int _t63;
      				WCHAR* _t70;
      				void* _t82;
      				intOrPtr _t95;
      				WCHAR* _t100;
      				int _t101;
      				void* _t109;
      				void* _t110;
      				intOrPtr _t138;
      				void* _t141;
      				struct _CRITICAL_SECTION* _t143;
      				WCHAR* _t147;
      				signed int _t150;
      				void* _t151;
      				void* _t152;
      
      				_t141 = __edx;
      				_push(0xffffffff);
      				_push(E00486E88);
      				_push( *[fs:0x0]);
      				_t152 = _t151 - 0x1c;
      				_push(_t109);
      				_t63 =  *0x4bb1dc; // 0x2927074f
      				_push(_t63 ^ _t150);
      				 *[fs:0x0] =  &_v16;
      				_t143 = __ecx;
      				_t147 = _a4;
      				if(_a8 != 0 || _t147 == 0 || GetFileAttributesW(_t147) == 0xffffffff) {
      					L17:
      					_t110 = E00416B90(_t143, _t141, _t147, _a12, _a16);
      					if(_t110 == 0) {
      						_a4 = E0046A6C0(_t110, L"An error occurred opening the snapshot", E0046A530(L"An error occurred opening the snapshot"));
      						_v8 = 9;
      						if(_t147 != 0 &&  *_t147 != 0) {
      							_v32 = E0046A6C0(_t110, "\'", E0046A530("\'"));
      							_v8 = 0xa;
      							_a12 = E0046A6C0(_t110, _t147, E0046A530(_t147));
      							_v8 = 0xb;
      							_a16 = E0046A6C0(_t110, L" \'", E0046A530(L" \'"));
      							_v8 = 0xc;
      							E0046A230( &_v44,  &_a12);
      							_v8 = 0xd;
      							_t82 = E0046A230( &_v40,  &_v32);
      							_v8 = 0xe;
      							E0046A310( &_a4, _t82);
      							_t124 = _v40;
      							_v8 = 0xd;
      							if(_v40 != 0) {
      								E0046A700(_t124);
      							}
      							_t125 = _v44;
      							_v8 = 0xc;
      							if(_v44 != 0) {
      								E0046A700(_t125);
      							}
      							_t126 = _a16;
      							_v8 = 0xb;
      							if(_a16 != 0) {
      								E0046A700(_t126);
      							}
      							_t127 = _a12;
      							_v8 = 0xa;
      							if(_a12 != 0) {
      								E0046A700(_t127);
      							}
      							_t128 = _v32;
      							_v8 = 9;
      							if(_v32 != 0) {
      								E0046A700(_t128);
      							}
      						}
      						_t70 = E0046A170( &_a4);
      						_t58 = _t143 + 0x18; // 0x0
      						MessageBoxW( *_t58, _t70, L"Process Monitor", 0);
      						_t118 = _a4;
      						_v8 = 0xffffffff;
      						if(_a4 != 0) {
      							E0046A700(_t118);
      						}
      					}
      					 *[fs:0x0] = _v16;
      					return _t110;
      				} else {
      					_v28 = E0046A6C0(_t109, L"\'?", E0046A530(L"\'?"));
      					_v8 = 0;
      					_v24 = E0046A6C0(_t109, _t147, E0046A530(_t147));
      					_v8 = 1;
      					_t95 = E0046A6C0(_t109, L"Okay to overwrite event log \'", E0046A530(L"Okay to overwrite event log \'"));
      					_t152 = _t152 + 0x24;
      					_v20 = _t95;
      					_v8 = 2;
      					E0046A230( &_v36,  &_v24);
      					_v8 = 3;
      					E0046A230( &_a8,  &_v28);
      					_t133 = _v36;
      					_v8 = 5;
      					if(_v36 != 0) {
      						E0046A700(_t133);
      					}
      					_t134 = _v20;
      					_v8 = 6;
      					if(_v20 != 0) {
      						E0046A700(_t134);
      					}
      					_t135 = _v24;
      					_v8 = 7;
      					if(_v24 != 0) {
      						E0046A700(_t135);
      					}
      					_t136 = _v28;
      					_v8 = 8;
      					if(_v28 != 0) {
      						E0046A700(_t136);
      					}
      					_t100 = E0046A170( &_a8);
      					_t25 = _t143 + 0x18; // 0x0
      					_t101 = MessageBoxW( *_t25, _t100, L"Process Monitor", 4);
      					_t138 = _a8;
      					_v8 = 0xffffffff;
      					if(_t101 == 6) {
      						if(_t138 != 0) {
      							E0046A700(_t138);
      						}
      						goto L17;
      					} else {
      						if(_t138 != 0) {
      							E0046A700(_t138);
      						}
      						 *[fs:0x0] = _v16;
      						return 0;
      					}
      				}
      			}

      APIs
      • MessageBoxW.USER32(00000000,00000000,Process Monitor,00000004), ref: 004169E7
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • GetFileAttributesW.KERNEL32(?,2927074F,749682C0,0045F84E,?,000000FF,?,00446FA2,?), ref: 00416910
        • Part of subcall function 0046A6C0: _memmove.LIBCMT ref: 0046A6ED
        • Part of subcall function 0046A230: InterlockedIncrement.KERNEL32(004373F9), ref: 0046A267
      • MessageBoxW.USER32(00000000,00000000,Process Monitor,00000000), ref: 00416B52
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: InterlockedMessage$AttributesDecrementFileIncrement_memmove
      • String ID: An error occurred opening the snapshot$Okay to overwrite event log '$Process Monitor
      • API String ID: 2175919600-2133655519
      • Opcode ID: 79d35e3fad8c91f94ac1cd0485e628d13c6d5b583d8e03d9f458cd6057e7b9a5
      • Instruction ID: 9fb1c7997dc43d48bfb5a55e75e6231287b76d0963755e631de4862be5c97fc6
      • Opcode Fuzzy Hash: 79d35e3fad8c91f94ac1cd0485e628d13c6d5b583d8e03d9f458cd6057e7b9a5
      • Instruction Fuzzy Hash: 4371E1B4905648AADF05EFA5C911BEF7BB4AF01314F14405FE801B3381EB389A14CBAB
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E00416270(struct _CRITICAL_SECTION* __ecx, char _a4) {
      				void* _v8;
      				char _v16;
      				signed int _v17;
      				char _v18;
      				intOrPtr _v24;
      				signed int _v28;
      				char _v32;
      				struct _CRITICAL_SECTION* _v36;
      				void* __ebx;
      				signed int _t70;
      				intOrPtr* _t81;
      				signed int _t84;
      				char _t90;
      				signed char _t96;
      				void* _t99;
      				void* _t100;
      				signed int _t106;
      				char _t107;
      				intOrPtr _t109;
      				intOrPtr* _t112;
      				struct _CRITICAL_SECTION* _t128;
      				intOrPtr* _t131;
      				intOrPtr* _t132;
      				intOrPtr* _t134;
      				signed int _t135;
      				void* _t136;
      				void* _t138;
      				signed int _t149;
      
      				_push(0xffffffff);
      				_push(E00486DE1);
      				_push( *[fs:0x0]);
      				_t70 =  *0x4bb1dc; // 0x2927074f
      				_push(_t70 ^ _t135);
      				_t1 =  &_v16; // 0x416c48
      				 *[fs:0x0] = _t1;
      				_t128 = __ecx;
      				_t106 = 0;
      				_v17 = 1;
      				_v28 = 0;
      				_v36 = __ecx;
      				EnterCriticalSection(__ecx);
      				_push(_a4);
      				 *0x4bb0c8 = 0xffffffff;
      				 *0x4bb0cc = 0x7fffffff;
      				_push( &_v18);
      				 *((intOrPtr*)(_t128 + 0x44)) = 0;
      				_t8 = _t128 + 0x5c; // 0x77a1e8
      				_v8 = 0;
      				_t10 = _t128 + 0x58; // 0x77a1e8
      				E00414AB0( *_t10,  *_t8);
      				_t11 = _t128 + 0x58; // 0x77a1e8
      				_t12 = _t128 + 0x64; // 0x4bca74
      				 *((intOrPtr*)(_t128 + 0x5c)) =  *_t11;
      				_t138 = _t136 - 0x14 + 0x10;
      				_t14 = _t128 + 0x64; // 0x780350
      				E00419A50(_t12,  *((intOrPtr*)( *_t14 + 4)));
      				_t16 = _t128 + 0x64; // 0x780350
      				 *((intOrPtr*)( *_t16 + 4)) =  *_t16;
      				_t18 = _t128 + 0x64; // 0x780350
      				 *((intOrPtr*)( *_t18)) =  *_t18;
      				_t19 = _t128 + 0x64; // 0x780350
      				 *((intOrPtr*)( *_t19 + 8)) =  *_t19;
      				 *((intOrPtr*)(_t128 + 0x68)) = 0;
      				_t22 = _t128 + 0x48; // 0x77cfc8
      				_t81 =  *_t22;
      				_t112 =  *_t81;
      				 *_t81 = _t81;
      				_t23 = _t128 + 0x48; // 0x77cfc8
      				 *((intOrPtr*)( *_t23 + 4)) =  *_t23;
      				 *((intOrPtr*)(_t128 + 0x4c)) = 0;
      				_t26 = _t128 + 0x48; // 0x77cfc8
      				if(_t112 ==  *_t26) {
      					L3:
      					_t28 = _t128 + 0x50; // 0x4bca60
      					E0041A140(_t28);
      					_t29 = _t128 + 0x2c; // 0xbebc200
      					_t84 =  *_t29;
      					if(_t84 == 0) {
      						_t33 = _t128 + 0x20; // 0x23b0000
      						E0047040C( *_t33);
      						 *(_t128 + 0x20) = 0;
      					} else {
      						_t32 = _t128 + 0x20; // 0x23b0000
      						VirtualFree( *_t32, _t84 + _t84 * 2 << 3, 0x4000);
      					}
      					 *(_t128 + 0x24) = 0;
      					_t36 = _t128 + 0xe0; // 0x4bcaf0
      					 *(_t128 + 0x28) = 0;
      					 *((char*)(_t128 + 0x1c)) = 0;
      					E00419200(_t36);
      					_t39 = _t128 + 0x78; // 0x4bca88
      					E0046A0F0(_t39, 0);
      					_t40 = _t128 + 0x7c; // 0x4bca8c
      					E0046A0F0(_t40, 0);
      					_t41 = _t128 + 0x30; // 0x0
      					_t131 =  *_t41;
      					_t42 = _t128 + 0x34; // 0x0
      					if(_t131 ==  *_t42) {
      						L16:
      						_t60 = _t128 + 0x34; // 0x0
      						_t107 =  *_t60;
      						_t61 = _t128 + 0x30; // 0x0
      						_t132 =  *_t61;
      						_a4 = _t107;
      						if(_t132 == _t107) {
      							L23:
      							_t65 = _t128 + 0x30; // 0x0
      							 *((intOrPtr*)(_t128 + 0x34)) =  *_t65;
      							LeaveCriticalSection(_t128);
      							_t68 =  &_v16; // 0x416c48
      							 *[fs:0x0] =  *_t68;
      							return _v17;
      						}
      						_t90 = _t107;
      						do {
      							_t109 =  *_t132;
      							if(_t109 != 0) {
      								_t63 = _t109 + 0x578; // 0x578
      								if(InterlockedDecrement(_t63) < 2) {
      									E00467460(_t109, _t92);
      								}
      								_t90 = _a4;
      							}
      							_t132 = _t132 + 4;
      						} while (_t132 != _t90);
      						goto L23;
      					} else {
      						do {
      							_t144 = _a4;
      							_t94 =  *_t131;
      							_v24 =  *_t131;
      							if(_a4 != 0) {
      								L9:
      								_v18 = 1;
      								goto L10;
      							}
      							_t99 = E00467720(_t106, _t94, _t144,  &_v32);
      							_t106 = _t106 | 0x00000001;
      							_v8 = 1;
      							_v28 = _t106;
      							_t100 = E0046A720(_t99);
      							_v18 = 0;
      							if(_t100 == 0) {
      								goto L10;
      							}
      							goto L9;
      							L10:
      							_v8 = 0;
      							if((_t106 & 0x00000001) != 0) {
      								_t123 = _v32;
      								_t106 = _t106 & 0xfffffffe;
      								if(_v32 != 0) {
      									E0046A700(_t123);
      								}
      							}
      							if(_v18 != 0) {
      								_t96 = E00466B40(_v24);
      								asm("sbb al, al");
      								_t56 =  &_v17;
      								 *_t56 = _v17 &  ~_t96;
      								_t149 =  *_t56;
      							}
      							E00466AD0(_v24, _t149);
      							_t131 = _t131 + 4;
      							_t59 = _t128 + 0x34; // 0x0
      						} while (_t131 !=  *_t59);
      						goto L16;
      					}
      				}
      				do {
      					_t134 =  *_t112;
      					E0046EF07(_t112);
      					_t138 = _t138 + 4;
      					_t112 = _t134;
      					_t27 = _t128 + 0x48; // 0x77cfc8
      				} while (_t134 !=  *_t27);
      				goto L3;
      			}

      APIs
      • EnterCriticalSection.KERNEL32(004BCA10,2927074F,004BCA10,004BCA4C,749682C0,000000FF,?,00416C48,00000000,0048FC20), ref: 004162A7
        • Part of subcall function 00414AB0: InterlockedDecrement.KERNEL32(004BCF88), ref: 00414AD0
        • Part of subcall function 00419A50: InterlockedDecrement.KERNEL32(8B484D03), ref: 00419A7D
      • VirtualFree.KERNEL32(023B0000,0BEBC200,00004000,?,?,?,?,?,?,?,00416C48,00000000,0048FC20), ref: 00416350
      • _free.LIBCMT ref: 0041635B
      • InterlockedDecrement.KERNEL32(00000578), ref: 00416432
      • LeaveCriticalSection.KERNEL32(004BCA10,00000000,00000000,?,?,?,?,?,?,?,00416C48,00000000,0048FC20), ref: 00416456
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: DecrementInterlocked$CriticalSection$EnterFreeLeaveVirtual_free
      • String ID: HlA
      • API String ID: 2721110373-1230721223
      • Opcode ID: e324b1fe1bffa558d40ad4fcb2a9af6a9091f5b532c7f34cfabc09c2f5a52fff
      • Instruction ID: 8b2c23a67b89603f4ac865ef620e084f1e4154cea5ea597e8b2b78e9defb11ee
      • Opcode Fuzzy Hash: e324b1fe1bffa558d40ad4fcb2a9af6a9091f5b532c7f34cfabc09c2f5a52fff
      • Instruction Fuzzy Hash: 8561BD71900605AFDB14DF69C980BEABBB0FF04304F01416EE81597791DB39F964CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E00452820(short* _a4, intOrPtr _a8, struct _SECURITY_ATTRIBUTES** _a12) {
      				char _v8;
      				char _v16;
      				char _v20;
      				char _v24;
      				short* _v28;
      				char _v32;
      				void* __ebx;
      				void* __esi;
      				signed int _t36;
      				short* _t39;
      				short* _t43;
      				void* _t47;
      				char _t51;
      				void* _t57;
      				void* _t65;
      				short* _t66;
      				intOrPtr _t70;
      				intOrPtr _t82;
      				short* _t87;
      				signed short* _t89;
      				signed int _t95;
      				void* _t96;
      				signed int _t97;
      				void* _t98;
      				void* _t99;
      				void* _t101;
      				signed int _t108;
      
      				_push(0xffffffff);
      				_push(E0048B528);
      				_push( *[fs:0x0]);
      				_t99 = _t98 - 0x10;
      				_t36 =  *0x4bb1dc; // 0x2927074f
      				_push(_t36 ^ _t97);
      				 *[fs:0x0] =  &_v16;
      				_t39 = _a4;
      				_t102 =  *_t39;
      				if( *_t39 == 0) {
      					L28:
      					__eflags = 0;
      					 *[fs:0x0] = _v16;
      					return 0;
      				} else {
      					_t73 = _a12;
      					if(E004303A0(_a12, _t102, _t39, 1, 0) != 0) {
      						L27:
      						 *[fs:0x0] = _v16;
      						return 1;
      					} else {
      						_t70 = _a8;
      						while(1) {
      							_push(0x3b);
      							_push(_t70);
      							_t43 = E004713E7(_t73);
      							_t87 = _t43;
      							_t99 = _t99 + 8;
      							_v28 = _t87;
      							if(_t87 == 0) {
      								_push(_t43);
      								_push(_t70);
      								_t66 = E004713E7(_t73);
      								_t99 = _t99 + 8;
      								_v28 = _t66;
      								_t87 = _t66;
      							}
      							_t95 = _t87 - _t70 >> 1;
      							if(_t95 > 0) {
      								_t7 = _t95 - 1; // -1
      								_t89 = _t70 + _t7 * 2;
      								while(1) {
      									_t65 = E00472318(_t73,  *_t89 & 0x0000ffff);
      									_t99 = _t99 + 4;
      									if(_t65 == 0) {
      										break;
      									}
      									_t95 = _t95 - 1;
      									_t89 = _t89 - 2;
      									if(_t95 > 0) {
      										continue;
      									}
      									break;
      								}
      								_t87 = _v28;
      								_t108 = _t95;
      							}
      							if(_t108 == 0) {
      								L21:
      								if( *_t87 == 0) {
      									goto L28;
      								} else {
      									_t30 = _t87 + 2; // 0x4
      									_t70 = _t30;
      									continue;
      								}
      							} else {
      								E00434E40(_t73,  &_v24, _t70, _t95);
      								_v8 = 0;
      								_t47 = L0046FE7B(_t70,  &_v24, _t95, E0046A170( &_v24), L"srv*", 4);
      								_t99 = _t99 + 0x18;
      								if(_t47 == 0) {
      									L19:
      									_t73 = _v24;
      									_v8 = 0xffffffff;
      									if(_v24 != 0) {
      										E0046A700(_t73);
      									}
      									goto L21;
      								} else {
      									_push(0x5c);
      									_push(_a4);
      									_t96 = E004713E7( &_v24);
      									_t99 = _t99 + 8;
      									if(_t96 == 0) {
      										goto L19;
      									} else {
      										while(1) {
      											_t51 = E0046A6C0(_t70, _t96, E0046A530(_t96));
      											_t101 = _t99 + 0xc;
      											_v32 = _t51;
      											_v8 = 1;
      											E0046A230( &_v20,  &_v32);
      											_t78 = _v32;
      											_v8 = 3;
      											_t111 = _v32;
      											if(_v32 != 0) {
      												E0046A700(_t78);
      											}
      											E0046A170( &_v20);
      											_t57 = E004303A0(_a12, _t111, E0046A170( &_v20), 1, 0);
      											_t82 = _v20;
      											_v8 = 0;
      											if(_t57 != 0) {
      												break;
      											}
      											if(_t82 != 0) {
      												E0046A700(_t82);
      											}
      											_t27 = _t96 + 2; // 0x2
      											_push(0x5c);
      											_t96 = E004713E7(_t82);
      											_t99 = _t101 + 8;
      											if(_t96 != 0) {
      												continue;
      											} else {
      												goto L19;
      											}
      											goto L29;
      										}
      										__eflags = _t82;
      										if(_t82 != 0) {
      											E0046A700(_t82);
      										}
      										_t83 = _v24;
      										_v8 = 0xffffffff;
      										__eflags = _v24;
      										if(_v24 != 0) {
      											E0046A700(_t83);
      										}
      										goto L27;
      									}
      								}
      							}
      							goto L29;
      						}
      					}
      				}
      				L29:
      			}

      Address column for the listing above (one decompiler entry per statement): lowest 0x00452823, highest 0x004529f2.

      APIs
        • Part of subcall function 004303A0: GetSystemInfo.KERNEL32(?,004C255C,RqF8%L,004BCDC0,004BCA10,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000,004C255C,004BCA10), ref: 004303EF
        • Part of subcall function 004303A0: EnterCriticalSection.KERNEL32(007879E8,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000,004C255C,004BCA10), ref: 0043050A
        • Part of subcall function 004303A0: LeaveCriticalSection.KERNEL32(007879E8,004C255C,00000000,00000000,00000000,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000,004C255C,004BCA10), ref: 00430539
        • Part of subcall function 004303A0: CreateFileMappingW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004683C4,RqF8%L,00000001,00400000,2927074F,00000000), ref: 0043055A
      • _wcschr.LIBCMT ref: 00452873
      • _wcschr.LIBCMT ref: 00452886
      • __wcsnicmp.LIBCMT ref: 004528EB
      • _wcschr.LIBCMT ref: 00452900
      • _wcschr.LIBCMT ref: 00452980
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _wcschr$CriticalSection$CreateDecrementEnterFileInfoInterlockedLeaveMappingSystem__wcsnicmp
      • String ID: srv*
      • API String ID: 3119516881-2909109238
      • Opcode ID: c12dd486fb54dbb4cb55875bffe9bda63b4a4621a67173044bf174c5c956e6fe
      • Instruction ID: 8ab299ca4af1ca0e4f7acdaf5218beb667a42d55c5458f7dd1d5dada3374db8d
      • Opcode Fuzzy Hash: c12dd486fb54dbb4cb55875bffe9bda63b4a4621a67173044bf174c5c956e6fe
      • Instruction Fuzzy Hash: D051B8B1D00705ABDB14EBA5C942BEFB364AF01315F14011FEC0577382E7799A09C7AA
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 59%
      			E00453300(signed int __ecx, void* __edx, void* __esi, struct HDC__* _a8, intOrPtr _a12, signed char _a16, RECT* _a20) {
      				signed int _v8;
      				struct tagRECT _v24;
      				void* _v28;
      				signed int _v32;
      				void* _v36;
      				RECT* _v40;
      				signed int _v44;
      				struct HDC__* _v48;
      				void* __ebx;
      				void* __edi;
      				signed int _t48;
      				struct HBRUSH__* _t67;
      				RECT* _t75;
      				void* _t77;
      				void* _t78;
      				intOrPtr _t86;
      				long _t92;
      				signed int _t102;
      				long _t105;
      				struct HDC__* _t106;
      				signed int _t108;
      				RECT* _t109;
      				void* _t111;
      				intOrPtr _t113;
      				void* _t115;
      				void* _t116;
      				void* _t117;
      				signed int _t118;
      
      				_t48 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t48 ^ _t118;
      				_t75 = _a20;
      				_t106 = _a8;
      				_v32 = __ecx;
      				_v48 = _t106;
      				_v40 = _t75;
      				if(_a12 == 3) {
      					_push(__esi);
      					_t111 = CreateSolidBrush(GetBkColor(_t106));
      					FillRect(_t106, _t75, _t111);
      					DeleteObject(_t111);
      					_t112 = _v32;
      					_v36 = _t75->right - _t75->left;
      					_t113 =  *((intOrPtr*)(_v32 + 4));
      					asm("sbb edx, ebx");
      					E0047123F( *((intOrPtr*)( *((intOrPtr*)(_t112 + 0xc)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t112 + 0xc)))),  *((intOrPtr*)( *((intOrPtr*)(_t112 + 0xc)) + 0xc)));
      					asm("movsd [ebp-0x34], xmm0");
      					asm("sbb edx, ebx");
      					E0047123F( *((intOrPtr*)(_t113 + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)(_t112 + 0xc)))),  *((intOrPtr*)(_t113 + 0x34)));
      					_v32 =  *((intOrPtr*)(_t113 + 0x38));
      					asm("movd xmm1, eax");
      					asm("cvtdq2pd xmm1, xmm1");
      					asm("mulsd xmm0, xmm1");
      					asm("divsd xmm0, [ebp-0x34]");
      					asm("cvttsd2si eax, xmm0");
      					_v28 = _v36;
      					asm("sbb edx, ebx");
      					_v44 =  *((intOrPtr*)(_t113 + 0x3c));
      					E0047123F( *((intOrPtr*)(_t113 + 0x38)) -  *((intOrPtr*)( *((intOrPtr*)(_t112 + 0xc)))),  *((intOrPtr*)(_t113 + 0x3c)));
      					_t86 = _v36;
      					_t102 = _v32;
      					_t108 = _v44;
      					_t77 = _v28;
      					asm("movd xmm1, ecx");
      					asm("cvtdq2pd xmm1, xmm1");
      					asm("mulsd xmm0, xmm1");
      					asm("divsd xmm0, [ebp-0x34]");
      					asm("cvttsd2si esi, xmm0");
      					_t115 =  ==  ? _t86 : _t113 + 1;
      					if(_t77 == _t86) {
      						_t77 = _t86 - 1;
      					}
      					_t78 =  <  ? 0 : _t77;
      					_t116 =  <  ? 0 : _t115;
      					if((_t102 | _t108) != 0) {
      					}
      					_t66 =  !=  ? 0xed349 : 0x8000;
      					_t67 = CreateSolidBrush( !=  ? 0xed349 : 0x8000);
      					_t109 = _v40;
      					_v28 = _t67;
      					_t105 = _t109->left;
      					_v24.left = _t105 + _t78;
      					_v24.top = _t109->top + 1;
      					_v24.right = _t105 + _t116;
      					_t92 = _t109->bottom;
      					_v24.bottom = _t92;
      					_pop(_t117);
      					if((_a16 & 0x00000001) != 0) {
      						_v24.bottom = _t92 - 1;
      					}
      					FillRect(_v48,  &_v24, _t67);
      					DeleteObject(_v28);
      					return E0046F77E(_t78, _v8 ^ _t118, _t105, _t109, _t117);
      				} else {
      					return E0046F77E(_t75, _v8 ^ _t118, __edx, _t106, __esi);
      				}
      			}

      Address column for the listing above (one decompiler entry per statement): lowest 0x00453306, highest 0x00453477.

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: BrushCreateFillRectSolid$ColorDeleteObject
      • String ID:
      • API String ID: 1632911439-0
      • Opcode ID: 69ade4fd5f79bd30ef12499a8b3b28c9646df8917d51debae57860d62ab130e0
      • Instruction ID: e521f3f4b57df708ecc568472f1cb9d46d53707cc262f45914a351cffc314b1c
      • Opcode Fuzzy Hash: 69ade4fd5f79bd30ef12499a8b3b28c9646df8917d51debae57860d62ab130e0
      • Instruction Fuzzy Hash: CF515D75A006099FCB05DFB9D4948AEFBB5FF49350B10826AE806A7312DB34AD06CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E00430C30(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
      				signed int _v8;
      				long _v12;
      				long _v16;
      				intOrPtr _t38;
      				signed int _t40;
      				struct _SECURITY_ATTRIBUTES* _t46;
      				signed int _t57;
      				intOrPtr _t59;
      				intOrPtr* _t62;
      				struct _CRITICAL_SECTION* _t63;
      				void* _t70;
      
      				_t62 = __ecx;
      				_t1 = _t62 + 0xe0; // 0x4c2668
      				_t63 = _t1;
      				EnterCriticalSection(_t63);
      				if( *_t62 != 0) {
      					L12:
      					 *((intOrPtr*)(_t62 + 0x18)) = _a4;
      					 *((intOrPtr*)(_t62 + 0x1c)) = _a8;
      					goto L13;
      				} else {
      					_t2 = _t62 + 0x1c; // 0x0
      					_t3 = _t62 + 0x18; // 0x7801d0
      					_t38 =  *_t3;
      					_t70 = _a8 -  *_t2;
      					if(_t70 > 0) {
      						_t59 = _a4;
      						goto L6;
      					} else {
      						if(_t70 < 0) {
      							L13:
      							LeaveCriticalSection(_t63);
      							return 1;
      						} else {
      							_t59 = _a4;
      							if(_t59 >= _t38) {
      								L6:
      								if( *((char*)(_t62 + 5)) != 0) {
      									L11:
      									LeaveCriticalSection(_t63);
      									return 0;
      								} else {
      									_t8 = _t62 + 8; // 0x80
      									_t40 =  *_t8;
      									_v8 = _t40;
      									_t57 =  ~_t40;
      									asm("adc eax, ebx");
      									asm("adc edx, [ebp+0xc]");
      									asm("adc edx, 0xffffffff");
      									_v12 = _v8 + _t59 + 0xffffffff & _t57;
      									_t12 = _t62 + 0x18; // 0x7801d0
      									_v8 = _v8 +  *_t12;
      									_t15 = _t62 + 0xe0; // 0x4c2668
      									_t63 = _t15;
      									_v16 = 0;
      									asm("adc ebx, [edi+0x1c]"); // 0x0
      									_v8 = _v8 + 0xffffffff;
      									asm("adc ebx, 0xffffffff");
      									_v8 = _v8 & _t57;
      									if(_v12 != _v8 || 0 != 0) {
      										E004309B0(_t62);
      										_t23 = _t62 + 0x10; // 0x0
      										CloseHandle( *_t23);
      										_t26 = _t62 + 0xc; // 0x4bd710
      										_t46 = CreateFileMappingW( *_t26, 0, 4, _v16, _v12, 0);
      										 *(_t62 + 0x10) = _t46;
      										if(_t46 != 0) {
      											goto L12;
      										} else {
      											_t29 = _t62 + 0xc; // 0x4bd710
      											 *(_t62 + 0x10) = CreateFileMappingW( *_t29, _t46, 4, 0, _v8, _t46);
      											goto L11;
      										}
      									} else {
      										goto L12;
      									}
      								}
      							} else {
      								LeaveCriticalSection(_t63);
      								return 1;
      							}
      						}
      					}
      				}
      			}

      Address column for the listing above (one decompiler entry per statement): lowest 0x00430c39, highest 0x00430d4e.

      APIs
      • EnterCriticalSection.KERNEL32(004C2668,2927074F,004C2588,004BD710), ref: 00430C42
      • LeaveCriticalSection.KERNEL32(004C2668), ref: 00430C6C
      • CloseHandle.KERNEL32(00000000), ref: 00430CE7
      • CreateFileMappingW.KERNEL32(004BD710,00000000,00000004,?,?,00000000), ref: 00430CFC
      • CreateFileMappingW.KERNEL32(004BD710,00000000,00000004,00000000,000000FF,00000000), ref: 00430D14
      • LeaveCriticalSection.KERNEL32(004C2668), ref: 00430D20
      • LeaveCriticalSection.KERNEL32(004C2668), ref: 00430D40
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Leave$CreateFileMapping$CloseEnterHandle
      • String ID:
      • API String ID: 3358740952-0
      • Opcode ID: 33f77654fbd79c274056dd2f479c0735eaa95eae88f066109125821417730114
      • Instruction ID: c0c654b7c518914112a756f095e4fc8be518e2b19adf01b01bc9857a6340c489
      • Opcode Fuzzy Hash: 33f77654fbd79c274056dd2f479c0735eaa95eae88f066109125821417730114
      • Instruction Fuzzy Hash: 7D318D32A00619AFCB00DFA8DC40ADDB7B5FF49321F14936AE924E3690C775AD658B94
      Uniqueness

      Uniqueness Score: -1.00%
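
      E00430C30 is a grow-only resize of a file mapping taken under a critical section. It treats _a4/_a8 and the fields at +0x18/+0x1c as the low and high dwords of 64-bit sizes (the adc instructions carry the high half), returns 1 without touching the mapping when the request is smaller than the current size, returns 0 when the byte at +5 is set, rounds both the requested and the current size up to the granularity stored at +8 with (granularity + size - 1) & -granularity, and only when the two rounded values differ tears down the old mapping (E004309B0, then CloseHandle), calls CreateFileMappingW with PAGE_READWRITE (4) and the new size, and on failure recreates the mapping at the old rounded size and returns 0. The Python model below is an added example, not code from the report or from the analysed sample: it reproduces that decision logic with a caller-supplied create_mapping callback standing in for CreateFileMappingW, so the rollback path can be exercised offline. The field meanings (+0 as a flag that records the size and skips the remap, +5 as read-only) and the assumption that the granularity is a power of two are interpretations of the listing, not facts the report states.

```python
"""Model of the grow-only mapping resize in E00430C30 (added example, not the sample's code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

PAGE_READWRITE = 4  # flProtect value passed to CreateFileMappingW in the listing


def round_up(size: int, granularity: int) -> int:
    """(granularity + size - 1) & -granularity; granularity is assumed to be a power of two."""
    return (size + granularity - 1) & -granularity


@dataclass
class MappingState:
    """Fields of the object at ecx that the listing reads or writes (offset meanings are interpretations)."""
    granularity: int                        # +0x08
    size: int                               # +0x18 (low dword) and +0x1c (high dword), kept as one int
    mapping: Optional[object] = None        # +0x10, the CreateFileMappingW handle
    read_only: bool = False                 # byte at +0x05: non-zero makes the resize fail
    size_only: bool = False                 # dword at +0x00: non-zero records the size and skips the remap
    log: List[str] = field(default_factory=list)  # trace of mapping operations, for inspection


def ensure_size(state: MappingState, requested: int,
                create_mapping: Callable[[int], Optional[object]]) -> int:
    """Return 1 on success and 0 on failure, mirroring the listing's return values."""
    if state.size_only:
        state.size = requested
        return 1
    # 64-bit compare of the request against the current size: smaller requests are ignored.
    if requested < state.size:
        return 1
    if state.read_only:
        return 0
    new_rounded = round_up(requested, state.granularity)
    old_rounded = round_up(state.size, state.granularity)
    if new_rounded != old_rounded:
        # E004309B0 + CloseHandle: tear down the current mapping before recreating it larger.
        state.log.append("close %#x" % old_rounded)
        state.mapping = None
        state.mapping = create_mapping(new_rounded)
        state.log.append("create %#x -> %s" % (new_rounded, "ok" if state.mapping else "fail"))
        if state.mapping is None:
            # Roll back: recreate the mapping at the previous rounded size and report failure.
            state.mapping = create_mapping(old_rounded)
            state.log.append("rollback %#x" % old_rounded)
            return 0
    state.size = requested
    return 1


def make_fake_create(limit: int, calls: List[int]) -> Callable[[int], Optional[object]]:
    """Stand-in for CreateFileMappingW: succeeds up to `limit` bytes and records every requested size."""
    def create(size: int) -> Optional[object]:
        calls.append(size)
        return None if size > limit else ("mapping", size, PAGE_READWRITE)
    return create


if __name__ == "__main__":
    sizes_requested: List[int] = []
    state = MappingState(granularity=0x10000, size=0x1000, mapping=("mapping", 0x10000, PAGE_READWRITE))
    for request in (0x8000, 0x4000, 0x10001, 0x40000):
        result = ensure_size(state, request, make_fake_create(0x30000, sizes_requested))
        print("request %#x -> %d, size now %#x" % (request, result, state.size))
    print("\n".join(state.log))
```

      The model keeps the listing's two distinct outcomes apart: a request that lands in the same granularity chunk as the current size only updates the recorded size, while a request that crosses a chunk boundary replaces the mapping and, if the larger mapping cannot be created, restores the previous one and reports failure without changing the recorded size.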

      C-Code - Quality: 100%
      			E0042D780(struct HINSTANCE__* _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16) {
      				long _v8;
      				WCHAR* _v12;
      				WCHAR* _v16;
      				intOrPtr _v20;
      				struct HRSRC__* _t35;
      				WCHAR* _t39;
      				void* _t47;
      				void* _t50;
      				void* _t51;
      				signed short _t53;
      				signed int _t55;
      				void* _t59;
      				struct HINSTANCE__* _t60;
      				intOrPtr _t62;
      				intOrPtr* _t64;
      				struct HRSRC__* _t65;
      				WCHAR* _t66;
      				void* _t68;
      				void* _t69;
      
      				_t60 = _a4;
      				_t35 = FindResourceW(_t60, _a12, _a8);
      				if(_t35 != 0) {
      					_t59 = LockResource(LoadResource(_t60, _t35));
      					_v20 = _t59;
      					_t55 =  *(_t59 + 4) & 0x0000ffff;
      					if(_t55 < 1) {
      						goto L1;
      					} else {
      						_t39 = 0;
      						_t53 = 0;
      						_a8 = 0;
      						_a12 = 0;
      						_v12 = 0;
      						_v16 = 0;
      						_v8 = 0;
      						if(0 < _t55) {
      							do {
      								_t65 = FindResourceW(_t60,  *(_t59 + 0x12 + ((_t53 & 0x0000ffff) * 8 - (_t53 & 0x0000ffff)) * 2) & 0x0000ffff, 3);
      								_t47 = LoadResource(_t60, _t65);
      								_v8 = SizeofResource(_a4, _t65);
      								_t66 = LockResource(_t47);
      								_t50 = E0042D520(_t59, _t66, _a8, 0x10);
      								_t62 = _v8;
      								_t69 = _t68 + 0xc;
      								if(_t50 < 0) {
      									_a8 = _t66;
      									_v12 = _t62;
      								}
      								_t51 = E0042D520(_t59, _t66, _a12, 0x20);
      								_t68 = _t69 + 0xc;
      								if(_t51 < 0) {
      									_a12 = _t66;
      									_v16 = _t62;
      								}
      								_t59 = _v20;
      								_t53 = _t53 + 1;
      								_t60 = _a4;
      							} while (_t53 <  *(_t59 + 4));
      							_t39 = _a8;
      						}
      						_t64 = _a16;
      						 *((intOrPtr*)( *_t64 + 4)) = 0x10;
      						E0046A4D0( *_t64, _t39, _v12);
      						 *((intOrPtr*)( *((intOrPtr*)(_t64 + 4)) + 4)) = 0x20;
      						E0046A4D0( *((intOrPtr*)(_t64 + 4)), _a12, _v16);
      						return 0;
      					}
      				} else {
      					L1:
      					return 1;
      				}
      			}

      Address column for the listing above (one decompiler entry per statement): lowest 0x0042d791, highest 0x0042d8a4.

      APIs
      • FindResourceW.KERNEL32(?,?,?), ref: 0042D798
      • LoadResource.KERNEL32(?,00000000), ref: 0042D7AD
      • LockResource.KERNEL32(00000000), ref: 0042D7B4
      • FindResourceW.KERNEL32(?,?,00000003), ref: 0042D805
      • LoadResource.KERNEL32(?,00000000), ref: 0042D80B
      • SizeofResource.KERNEL32(?,00000000), ref: 0042D817
      • LockResource.KERNEL32(00000000), ref: 0042D821
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Resource$FindLoadLock$Sizeof
      • String ID:
      • API String ID: 4215241788-0
      • Opcode ID: 704a184c1af9bef7e71aef0680eaa0c727f5a3c98234cc8467ab8b3e530d5c2c
      • Instruction ID: b635d07bbb3b3279290af56b3da1118e366b8b4b776597efb4bde777012e0a61
      • Opcode Fuzzy Hash: 704a184c1af9bef7e71aef0680eaa0c727f5a3c98234cc8467ab8b3e530d5c2c
      • Instruction Fuzzy Hash: 52318275D00218AFCB00AFA9DD04AAEBBB9FF48310F10846BFC14D7211D7799961DB99
      Uniqueness

      Uniqueness Score: -1.00%
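
      E0042D780 reads a 16-bit count at offset 4 of the locked resource, then for entry i reads a 16-bit value at offset 0x12 + 14*i (the decompiler's (i*8 - i)*2 stride) and passes it to FindResourceW with type 3, which is RT_ICON; 0x10 and 0x20 are the two sizes it hands to E0042D520. Those offsets are the layout of an RT_GROUP_ICON resource: a 6-byte GRPICONDIR header whose idCount sits at offset 4, followed by 14-byte GRPICONDIRENTRY records whose nID sits at entry offset 12. The parser below is an added example, not code from the report or from the analysed sample: it walks a constructed directory blob with that layout and picks 16- and 32-pixel candidates. The selection rule inside E0042D520 is not visible in the listing, so exact width match is an assumption; the header and length checks are also additions, since the listing trusts idCount and only calls SizeofResource on the individual RT_ICON entries.

```python
"""Parser for the RT_GROUP_ICON layout that E0042D780 walks (added example, not the sample's code)."""
import struct
from typing import Dict, Iterable, List, NamedTuple

RT_ICON = 3                # resource type passed as FindResourceW's third argument in the listing
GRPICONDIR_SIZE = 6        # idReserved, idType, idCount: three WORDs, so idCount sits at offset 4
GRPICONDIRENTRY_SIZE = 14  # the listing's (i*8 - i)*2 stride
ENTRY_FMT = "<BBBBHHIH"    # bWidth bHeight bColorCount bReserved wPlanes wBitCount dwBytesInRes nID


class IconEntry(NamedTuple):
    width: int
    height: int
    bit_count: int
    bytes_in_res: int
    icon_id: int           # the WORD at entry offset 12 (0x12 from the directory start for entry 0)


def parse_group_icon(blob: bytes) -> List[IconEntry]:
    """Return the directory entries; unlike the listing, validate the header and the blob length."""
    if len(blob) < GRPICONDIR_SIZE:
        raise ValueError("blob shorter than the GRPICONDIR header")
    reserved, res_type, count = struct.unpack_from("<HHH", blob, 0)
    if reserved != 0 or res_type != 1:
        raise ValueError("not an icon group: idReserved=%d idType=%d" % (reserved, res_type))
    needed = GRPICONDIR_SIZE + count * GRPICONDIRENTRY_SIZE
    if len(blob) < needed:
        raise ValueError("truncated directory: %d entries need %d bytes, got %d" % (count, needed, len(blob)))
    entries = []
    for i in range(count):
        off = GRPICONDIR_SIZE + i * GRPICONDIRENTRY_SIZE
        w, h, _colors, _res, _planes, bits, size, icon_id = struct.unpack_from(ENTRY_FMT, blob, off)
        # A width or height byte of 0 denotes 256 pixels in this structure.
        entries.append(IconEntry(w or 256, h or 256, bits, size, icon_id))
    return entries


def pick_icons(entries: Iterable[IconEntry], sizes: Iterable[int] = (16, 32)) -> Dict[int, IconEntry]:
    """Choose one entry per requested size (0x10 and 0x20 in the listing).

    Assumed rule: first entry whose width equals the size; E0042D520's real comparison is not visible.
    """
    chosen: Dict[int, IconEntry] = {}
    for entry in entries:
        for size in sizes:
            if size not in chosen and entry.width == size:
                chosen[size] = entry
    return chosen


def _entry(width: int, height: int, bits: int, size: int, icon_id: int) -> bytes:
    return struct.pack(ENTRY_FMT, width, height, 0, 0, 1, bits, size, icon_id)


# Constructed sample directory with three entries; the byte counts are made up, not taken from the sample.
SAMPLE_GROUP_ICON = (struct.pack("<HHH", 0, 1, 3)
                     + _entry(16, 16, 32, 1128, 1)
                     + _entry(32, 32, 32, 4264, 2)
                     + _entry(48, 48, 32, 9640, 3))


if __name__ == "__main__":
    entries = parse_group_icon(SAMPLE_GROUP_ICON)
    for entry in entries:
        print("%3dx%-3d %2d bpp %6d bytes  RT_ICON id %d" % entry)
    for size, entry in sorted(pick_icons(entries).items()):
        print("FindResourceW(hInst, %d, %d) for the %d px icon" % (entry.icon_id, RT_ICON, size))
```

      For triage this is enough to classify E0042D780 as icon-group loading: each nID it extracts is the lpName of a second FindResourceW call with type RT_ICON, exactly as the APIs list for the function shows. The validation in parse_group_icon is what a reader of the listing would want to see added, because the decompiled loop derives its iteration count and every nID offset from the resource contents alone.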

      C-Code - Quality: 73%
      			E00409960(void* __ecx, void* __edx, intOrPtr _a4) {
      				signed int _v8;
      				struct tagSCROLLINFO _v36;
      				struct tagRECT _v52;
      				struct tagRECT _v68;
      				struct tagRECT _v84;
      				intOrPtr _v88;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t39;
      				intOrPtr _t46;
      				signed int _t47;
      				intOrPtr _t50;
      				void* _t64;
      				void* _t69;
      				void* _t70;
      				void* _t75;
      				intOrPtr _t76;
      				signed int _t78;
      
      				_t69 = __edx;
      				_t39 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t39 ^ _t78;
      				_t64 = __ecx;
      				if((GetWindowLongW( *(__ecx + 0x1c), 0xfffffff0) >> 0x0000001c & 0x00000001) != 0) {
      					_push(_t75);
      					_t76 = _a4;
      					asm("xorps xmm0, xmm0");
      					_v36.cbSize = 0x1c;
      					_v36.nTrackPos = 0;
      					_v36.fMask = 4;
      					_push(_t70);
      					asm("movdqu [ebp-0x18], xmm0");
      					if(_t76 != 0) {
      						GetScrollInfo( *(_t64 + 0x1c), 2,  &_v36);
      						_v36.nPos = _v36.nPos + _t76;
      						SetScrollInfo( *(_t64 + 0x1c), 2,  &_v36, 1);
      					}
      					GetScrollInfo( *(_t64 + 0x1c), 2,  &_v36);
      					_t46 = _v36.nPos;
      					_v88 = _t46;
      					if(_t46 !=  *((intOrPtr*)(_t64 + 0x80))) {
      						_t47 = E004078D0(_t64);
      						GetClientRect( *(_t64 + 8),  &_v68);
      						_t50 = _v88;
      						 *((intOrPtr*)(_t64 + 0x80)) = _t50;
      						_v52.left = _v68.left;
      						GetWindowRect( *(_t64 + 0xc),  &_v84);
      						_v52.top = _v84.bottom - _v84.top;
      						_v52.right = _v68.right;
      						_v52.bottom = _v68.bottom;
      						ScrollWindowEx( *(_t64 + 8), 0, ( *((intOrPtr*)(_t64 + 0x80)) - _t50) * _t47,  &_v52, 0, 0, 0, 2);
      					}
      					_pop(_t70);
      					_pop(_t75);
      				}
      				return E0046F77E(_t64, _v8 ^ _t78, _t69, _t70, _t75);
      			}

      Address column for the listing above (one decompiler entry per statement): lowest 0x00409960, highest 0x00409a67.

      APIs
      • GetWindowLongW.USER32(?,000000F0), ref: 00409978
      • GetScrollInfo.USER32 ref: 004099BE
      • SetScrollInfo.USER32(?,00000002,0000001C,00000001), ref: 004099CE
      • GetScrollInfo.USER32 ref: 004099DD
      • GetClientRect.USER32 ref: 004099FD
      • GetWindowRect.USER32 ref: 00409A24
      • ScrollWindowEx.USER32 ref: 00409A51
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Scroll$InfoWindow$Rect$ClientLong
      • String ID:
      • API String ID: 4212222061-0
      • Opcode ID: 96b4b7f22038e5941099e4983d04146f687b52a2cde7927722c611d6871ebe1a
      • Instruction ID: 690d807b1badc51194a60c762812f65cd4b4050fb6382c576febdff304189302
      • Opcode Fuzzy Hash: 96b4b7f22038e5941099e4983d04146f687b52a2cde7927722c611d6871ebe1a
      • Instruction Fuzzy Hash: C631D971A00218AFDB00DF94DC85FAEB7B9FF48710F14816AE901BB295D7759D058B54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 45%
      			E00459490(void* __ebx, signed int* _a4, signed int _a8) {
      				intOrPtr _v8;
      				signed int _v16;
      				signed int _v20;
      				signed int _t17;
      				signed int _t20;
      				void* _t25;
      				signed int _t32;
      
      				_t25 = __ebx;
      				_push(0xffffffff);
      				_push(E0048BD08);
      				_push( *[fs:0x0]);
      				_t17 =  *0x4bb1dc; // 0x2927074f
      				_push(_t17 ^ _t32);
      				 *[fs:0x0] =  &_v16;
      				_t20 = _a8;
      				_v20 = 0;
      				if(_t20 > 5) {
      					_push(E0046A530(L": An error occurred saving the data"));
      					_push(L": An error occurred saving the data");
      					goto L13;
      				} else {
      					switch( *((intOrPtr*)(_t20 * 4 +  &M004595B8))) {
      						case 0:
      							_push(E0046A530(L": The operation was successful"));
      							_push(L": The operation was successful");
      							goto L13;
      						case 1:
      							_push(E0046A530(L": The operation was cancelled"));
      							_push(L": The operation was cancelled");
      							goto L13;
      						case 2:
      							_push(E0046A530(L": There are no items to be saved"));
      							_push(L": There are no items to be saved");
      							goto L13;
      						case 3:
      							_push(E0046A530(L": The selected file is not writable"));
      							_push(L": The selected file is not writable");
      							goto L13;
      						case 4:
      							_push(E0046A530(L": The disk is full, or an internal size limit was exceeded"));
      							_push(L": The disk is full, or an internal size limit was exceeded");
      							L13:
      							_t22 = E0046A6C0(_t25);
      							_t27 = _a4;
      							 *_t27 = _t22;
      							 *[fs:0x0] = _v16;
      							return _t27;
      							goto L14;
      						case 5:
      							_a8 = 0;
      							_v8 = 0;
      							GetLastError() =  &_a8;
      							__eax = E00435D40(__ebx,  &_a8,  &_a8);
      							__esi = _a4;
      							__ecx = _a8;
      							 *__esi = __ecx;
      							if(__ecx != 0) {
      								__eax = E0046A420(__ecx);
      								__ecx = _a8;
      							}
      							_v8 = 0xffffffff;
      							if(__ecx != 0) {
      								__eax = E0046A700(__ecx);
      							}
      							__eax = __esi;
      							__ecx = _v16;
      							 *[fs:0x0] = _v16;
      							_pop(__ecx);
      							_pop(__esi);
      							return __esi;
      							goto L14;
      					}
      				}
      				L14:
      			}

      Address column for the listing above (one decompiler entry per statement): lowest 0x00459490, highest 0x004595b6.

      APIs
      • GetLastError.KERNEL32(: The disk is full, or an internal size limit was exceeded,00000000,: The disk is full, or an internal size limit was exceeded,: The selected file is not writable,00000000,: The selected file is not writable,: There are no items to be saved,00000000,: There are no items to be saved,: The operation was cancelled,00000000,: The operation was cancelled), ref: 0045952D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID: : An error occurred saving the data$: The disk is full, or an internal size limit was exceeded$: The operation was cancelled$: The operation was successful$: The selected file is not writable$: There are no items to be saved
      • API String ID: 1452528299-2313026800
      • Opcode ID: 8f8048150f9115d2da3bead2ab54e593f9ba4305662efa0db86abd2994af4a22
      • Instruction ID: 064f4b50e04d21bc2836e2393997cf126af0d5d6658f458d30d7b9688e4b43ff
      • Opcode Fuzzy Hash: 8f8048150f9115d2da3bead2ab54e593f9ba4305662efa0db86abd2994af4a22
      • Instruction Fuzzy Hash: AB21B172644708FAD705AF84D802BAE7368EB95715F20415FFC16A6281F7BC5A108A5F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E00409320(void* __ecx, void* __esi, intOrPtr _a4, char _a8) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct tagSCROLLINFO _v52;
      				int _v56;
      				void* __ebx;
      				void* __edi;
      				signed int _t25;
      				unsigned int _t29;
      				signed char _t31;
      				int _t39;
      				int _t41;
      				signed int _t45;
      				signed int _t46;
      				intOrPtr _t48;
      				void* _t53;
      				void* _t57;
      				int _t59;
      				void* _t60;
      				void* _t61;
      				signed int _t62;
      
      				_t61 = __esi;
      				_t25 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t25 ^ _t62;
      				_t60 = __ecx;
      				GetClientRect( *(__ecx + 8),  &_v24);
      				_t29 = GetWindowLongW( *(_t60 + 0x1c), 0xfffffff0);
      				_t48 = _a4;
      				_t31 = _t29 >> 0x0000001c & 0x00000001;
      				_t46 = _t45 & 0xffffff00 | _t31 != _t48;
      				if(_t48 == 0) {
      					if(_t31 != 0) {
      						_v52.cbSize = 0x1c;
      						asm("xorps xmm0, xmm0");
      						_v52.nTrackPos = 0;
      						asm("movdqu [ebp-0x28], xmm0");
      						_v52.fMask = 4;
      						_v52.nPos = 0;
      						SetScrollInfo( *(_t60 + 0x1c), 2,  &_v52, 1);
      						E00409960(_t60, _t57, 0);
      						ShowWindow( *(_t60 + 0x1c), 0);
      					}
      					return E0046F77E(_t46, _v8 ^ _t62, _t57, _t60, _t61);
      				} else {
      					_v56 = GetSystemMetrics(3);
      					_t39 = GetSystemMetrics(2);
      					_t53 = _v24.right - _v24.left;
      					_t59 = _t53 - _t39;
      					_t41 = _v24.bottom - _v24.top;
      					if(_a8 != 0) {
      						_t41 = _t41 - _v56;
      					}
      					SetWindowPos( *(_t60 + 0x1c), 0, _t59, 0, _t53 - _t59, _t41, 0x44);
      					return E0046F77E(_t46, _v8 ^ _t62, _t59, _t60, _t61);
      				}
      			}

      APIs
      • GetClientRect.USER32 ref: 0040933B
      • GetWindowLongW.USER32(?,000000F0), ref: 00409346
      • GetSystemMetrics.USER32 ref: 0040935F
      • GetSystemMetrics.USER32 ref: 0040936A
      • SetWindowPos.USER32(?,00000000,?,00000000,?,?,00000044,?,?,?,?,?,?,00408C63,?,00000000), ref: 00409397
      • SetScrollInfo.USER32(?,00000002,?,00000001), ref: 004093E4
      • ShowWindow.USER32(?,00000000,00000000), ref: 004093F8
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$MetricsSystem$ClientInfoLongRectScrollShow
      • String ID:
      • API String ID: 121325680-0
      • Opcode ID: 6c018c04a9311e85ea65dad198851994afb079299ca204a04dfaa1ecb1655e2d
      • Instruction ID: 210a952e3ad08c5f64eb6167151eb32b67c4ee66196116ac1fee544d63ae09e5
      • Opcode Fuzzy Hash: 6c018c04a9311e85ea65dad198851994afb079299ca204a04dfaa1ecb1655e2d
      • Instruction Fuzzy Hash: A9318171940209BFDB00DFA4DC59BAEBB75EB48300F20422AF901B62D1DB755949CB54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E0046E260(struct HWND__** __ecx, struct HWND__* _a4, long _a8) {
      				struct tagPOINT _v12;
      				struct HWND__* _t19;
      				intOrPtr* _t26;
      				unsigned int _t38;
      				struct HWND__* _t41;
      				struct HWND__** _t44;
      				void* _t45;
      
      				_t44 = __ecx;
      				if( *((char*)(__ecx + 4)) == 0) {
      					L12:
      					return 0;
      				} else {
      					_t19 = GetCapture();
      					_t2 =  &(_t44[7]); // 0x0
      					if(_t19 !=  *_t2) {
      						_t3 =  &(_t44[2]); // 0x0
      						SetCursor( *_t3);
      						_t44[1] = 0;
      						 *_t44 = 0;
      					}
      					_t38 = _a8;
      					_v12.x = _t38;
      					_v12.y = _t38 >> 0x10;
      					ClientToScreen(_a4,  &_v12);
      					_push(_v12.y);
      					_t41 = WindowFromPoint(_v12);
      					if(_t41 ==  *_t44) {
      						L11:
      						_t17 =  &(_t44[3]); // 0x0
      						SetCursor( *_t17);
      						goto L12;
      					} else {
      						_t26 =  *0x4c285c; // 0x0
      						if(_t26 != 0) {
      							_t41 =  !=  ?  *_t26(_t41) : _t41;
      						}
      						_t27 =  *_t44;
      						if( *_t44 != 0) {
      							E0046E140(_t27);
      							_t45 = _t45 + 4;
      						}
      						_a8 = 0;
      						GetWindowThreadProcessId(_t41,  &_a8);
      						_t15 =  &(_t44[6]); // 0x0
      						if(_a8 !=  *_t15) {
      							 *_t44 = _t41;
      							E0046E140(_t41);
      							goto L11;
      						} else {
      							_t16 =  &(_t44[3]); // 0x0
      							 *_t44 = 0;
      							SetCursor( *_t16);
      							return 0;
      						}
      					}
      				}
      			}

      APIs
      • GetCapture.USER32 ref: 0046E273
      • SetCursor.USER32(00000000,?,?,?), ref: 0046E281
        • Part of subcall function 0046E140: GetSystemMetrics.USER32 ref: 0046E15B
        • Part of subcall function 0046E140: GetWindowDC.USER32(?), ref: 0046E165
        • Part of subcall function 0046E140: GetWindowRect.USER32 ref: 0046E175
        • Part of subcall function 0046E140: SaveDC.GDI32(00000000), ref: 0046E17C
        • Part of subcall function 0046E140: SetROP2.GDI32(00000000,00000006), ref: 0046E187
        • Part of subcall function 0046E140: CreatePen.GDI32(00000006,004BDD08,00000000), ref: 0046E192
        • Part of subcall function 0046E140: SelectObject.GDI32(?,00000000), ref: 0046E1A4
        • Part of subcall function 0046E140: GetStockObject.GDI32(00000005), ref: 0046E1A8
        • Part of subcall function 0046E140: SelectObject.GDI32(?,00000000), ref: 0046E1B2
        • Part of subcall function 0046E140: Rectangle.GDI32(?,00000000,00000000,?,?), ref: 0046E1CA
        • Part of subcall function 0046E140: RestoreDC.GDI32(?,00000000), ref: 0046E1D2
        • Part of subcall function 0046E140: ReleaseDC.USER32 ref: 0046E1DC
        • Part of subcall function 0046E140: DeleteObject.GDI32(00000000), ref: 0046E1E3
      • ClientToScreen.USER32(?,?), ref: 0046E2AB
      • WindowFromPoint.USER32(?,?,?,?,?), ref: 0046E2B7
      • GetWindowThreadProcessId.USER32(00000000,?), ref: 0046E2EF
      • SetCursor.USER32(00000000), ref: 0046E306
      • SetCursor.USER32(00000000,?,?,?), ref: 0046E324
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ObjectWindow$Cursor$Select$CaptureClientCreateDeleteFromMetricsPointProcessRectRectangleReleaseRestoreSaveScreenStockSystemThread
      • String ID:
      • API String ID: 3016394092-0
      • Opcode ID: ecc6abef36a7845c6fbb26cd4505d3e7503e133e2a2addbf45841ca5eb1b22a7
      • Instruction ID: 053d7ce14d9b8a061197d23dc5118e1c38a01714f958c5ff6865fd4ba99ce6bc
      • Opcode Fuzzy Hash: ecc6abef36a7845c6fbb26cd4505d3e7503e133e2a2addbf45841ca5eb1b22a7
      • Instruction Fuzzy Hash: 52218E35500204AFD721AF66E844A6EBBE8EF54311F14887EEC85D2620E734E958CB95
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • socket.WS2_32(00000002,00000001,00000000), ref: 0043ADC2
      • htons.WS2_32(00005AB3), ref: 0043AE0A
      • connect.WS2_32(00000000,00000000,00000010), ref: 0043AE1B
      • closesocket.WS2_32(00000000), ref: 0043AE26
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: closesocketconnecthtonssocket
      • String ID: Unable to connect to remote system$Unable to create socket
      • API String ID: 3817148366-3686872937
      • Opcode ID: 0318d9e1ce1986073e407371d3e00d8c2d6b0ebccb403bd40588c2fa7c768c79
      • Instruction ID: a5fe6110f55870ef68b0e69b54964807733591c9143cacbc79672b4fb609a5bb
      • Opcode Fuzzy Hash: 0318d9e1ce1986073e407371d3e00d8c2d6b0ebccb403bd40588c2fa7c768c79
      • Instruction Fuzzy Hash: 1D118470A80308ABD7009FA49C46BAE7774EF55700F10462BF941B72D0E7B85A15879F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0045C3C0(struct HMENU__* _a4, struct HWND__* _a8) {
      				int _v8;
      				struct tagMENUINFO _v36;
      				long _t13;
      				int _t14;
      				signed int _t22;
      				int _t23;
      				struct HMENU__* _t24;
      				int _t25;
      				intOrPtr _t26;
      
      				_t13 = SendMessageW(_a8, 0x1042, 0, 0);
      				_t24 = _a4;
      				_t22 = 0 | _t13 < 0x00000000;
      				_t14 = GetMenuItemCount(_t24);
      				_t25 = 0;
      				_v8 = _t14;
      				if(_t14 != 0) {
      					_t23 = _t22 | 0x00000400;
      					do {
      						EnableMenuItem(_t24, _t25, _t23);
      						_t25 = _t25 + 1;
      					} while (_t25 < _v8);
      				}
      				EnterCriticalSection(0x4bca94);
      				_t26 =  *0x4bcab0; // 0x0
      				LeaveCriticalSection(0x4bca94);
      				EnableMenuItem(_t24, 0x9c4e, 0 | _t26 -  *0x4bcaac >> 0x00000005 == 0x00000000);
      				_v36.cbSize = 0x1c;
      				asm("xorps xmm0, xmm0");
      				asm("movdqu [ebp-0x1c], xmm0");
      				asm("movq [ebp-0xc], xmm0");
      				_v36.fMask = 0x10;
      				_v36.dwStyle = 0x8000000;
      				return SetMenuInfo(_t24,  &_v36);
      			}

      APIs
      • SendMessageW.USER32(00000000,00001042,00000000,00000000), ref: 0045C3D5
      • GetMenuItemCount.USER32 ref: 0045C3E6
      • EnableMenuItem.USER32 ref: 0045C403
      • EnterCriticalSection.KERNEL32(004BCA94,?,?,?,?,00450400,?,00000000), ref: 0045C414
      • LeaveCriticalSection.KERNEL32(004BCA94,?,?,?,?,00450400,?,00000000), ref: 0045C42E
      • EnableMenuItem.USER32 ref: 0045C442
      • SetMenuInfo.USER32(?,?), ref: 0045C46F
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Menu$Item$CriticalEnableSection$CountEnterInfoLeaveMessageSend
      • String ID:
      • API String ID: 2047965942-0
      • Opcode ID: 07b83e60cf09dac22b41fa48f1668487707fae71f9a3817f6fd500d937037269
      • Instruction ID: 7b50dadb4ff69eedd90e48d622fb12386d3effa0435db0d767ed49b0688c6914
      • Opcode Fuzzy Hash: 07b83e60cf09dac22b41fa48f1668487707fae71f9a3817f6fd500d937037269
      • Instruction Fuzzy Hash: 0711C472D40319AFEB008FA99C88BAF7B78EF49705F114239FD00B6150D778594A8BA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 44%
      			E0046E615(void* __edx) {
      				int _t10;
      				int _t11;
      				signed short _t16;
      				char* _t19;
      				int _t20;
      				void* _t21;
      				void* _t26;
      				int _t27;
      				void* _t28;
      				void* _t30;
      				signed int _t31;
      				intOrPtr _t33;
      
      				_t26 = __edx;
      				_t33 =  *((intOrPtr*)(_t31 - 0x18));
      				 *((intOrPtr*)(_t31 - 0x24)) = 0;
      				 *((intOrPtr*)(_t31 - 4)) = 0xfffffffe;
      				_t19 =  *(_t31 + 8);
      				_t27 =  *(_t31 - 0x28);
      				_t10 =  *(_t31 - 0x20);
      				if(0 == 0) {
      					_t10 = E0046E410(0x8007000e);
      				}
      				_t11 = MultiByteToWideChar(0, 0, _t19, _t10, 0, _t27);
      				if(_t11 == 0) {
      					if(_t27 >= 0x1000) {
      						E0047040C(0);
      						_t33 = _t33 + 4;
      					}
      					_t16 = GetLastError();
      					if(_t16 > 0) {
      						_t16 = _t16 & 0x0000ffff | 0x80070000;
      					}
      					_t11 = E0046E410(_t16);
      				}
      				__imp__#2(0);
      				_t20 = _t11;
      				if(_t27 >= 0x1000) {
      					E0047040C(0);
      				}
      				if(_t20 == 0) {
      					E0046E410(0x8007000e);
      				}
      				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0x10));
      				_pop(_t28);
      				_pop(_t30);
      				_pop(_t21);
      				return E0046F77E(_t21,  *(_t31 - 0x1c) ^ _t31, _t26, _t28, _t30);
      			}

      APIs
      • MultiByteToWideChar.KERNEL32(00000000,00000000,g=@,?,00000000,00000000,?,?,?,?,?,00403D67), ref: 0046E643
      • _free.LIBCMT ref: 0046E656
      • GetLastError.KERNEL32(?,?,?,?,?,00403D67), ref: 0046E65E
      • SysAllocString.OLEAUT32(00000000), ref: 0046E677
      • _free.LIBCMT ref: 0046E688
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _free$AllocByteCharErrorLastMultiStringWide
      • String ID: g=@
      • API String ID: 3133011222-2934771097
      • Opcode ID: 9aa515d80cb41a6496ae2fc755031c51ec4026286fef5ed7fba62d180915a318
      • Instruction ID: 5ec8222c8a2ca641bd151f2d29172b9dcafeb97a437ffe2f4f850c76767372f8
      • Opcode Fuzzy Hash: 9aa515d80cb41a6496ae2fc755031c51ec4026286fef5ed7fba62d180915a318
      • Instruction Fuzzy Hash: 7C11A375A002149BDB20ABA6D845BEF77A4AB18364F10493FF905E7241FA29981486AE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E0044E5E1(intOrPtr* __eax, void* __edi, void* __eflags) {
      				void* _t33;
      
      				_t33 = __edi;
      				asm("aas");
      				if (__eflags != 0) goto 0xe727;
      				 *__eax =  *__eax + __eax;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Item$MetricsObjectProcReleaseSelectTextWindow
      • String ID:
      • API String ID: 745525926-0
      • Opcode ID: 112e80ec081956e665387c57de27e1315d7be7b10604e9af2d21ec8824fa80f7
      • Instruction ID: cde73816911212ef7d182155b7b55121660d7d30ebf605b603269baba6bc1a5c
      • Opcode Fuzzy Hash: 112e80ec081956e665387c57de27e1315d7be7b10604e9af2d21ec8824fa80f7
      • Instruction Fuzzy Hash: EE116171900915AFDB115FA0DC09AAEBBB9FF0C311F0049BAE505E2161DB365965CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E004752C5(void* __ebx, void* __edi, void* __eflags) {
      				void* __esi;
      				void* _t3;
      				intOrPtr _t6;
      				long _t14;
      				long* _t27;
      
      				E00470227(_t3);
      				if(E0047822E() != 0) {
      					_t6 = E0047827C(E00475020);
      					 *0x4bb8a8 = _t6;
      					__eflags = _t6 - 0xffffffff;
      					if(_t6 == 0xffffffff) {
      						goto L1;
      					} else {
      						_t27 = E00477D65(1, 0x3bc);
      						__eflags = _t27;
      						if(_t27 == 0) {
      							L6:
      							E0047533B();
      							__eflags = 0;
      							return 0;
      						} else {
      							__eflags = E004782D8( *0x4bb8a8, _t27);
      							if(__eflags == 0) {
      								goto L6;
      							} else {
      								_push(0);
      								_push(_t27);
      								E00475212(__ebx, __edi, _t27, __eflags);
      								_t14 = GetCurrentThreadId();
      								_t27[1] = _t27[1] | 0xffffffff;
      								 *_t27 = _t14;
      								__eflags = 1;
      								return 1;
      							}
      						}
      					}
      				} else {
      					L1:
      					E0047533B();
      					return 0;
      				}
      			}

      APIs
      • __init_pointers.LIBCMT ref: 004752C5
        • Part of subcall function 00470227: RtlEncodePointer.NTDLL(00000000,?,004752CA,00473DD8,004B7A40,00000014), ref: 0047022A
        • Part of subcall function 00470227: __initp_misc_winsig.LIBCMT ref: 00470245
        • Part of subcall function 00470227: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00478392
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004783A6
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004783B9
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004783CC
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004783DF
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 004783F2
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00478405
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00478418
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0047842B
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0047843E
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00478451
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00478464
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00478477
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0047848A
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0047849D
        • Part of subcall function 00470227: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004784B0
      • __mtinitlocks.LIBCMT ref: 004752CA
      • __mtterm.LIBCMT ref: 004752D3
        • Part of subcall function 0047533B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,004752D8,00473DD8,004B7A40,00000014), ref: 00478148
        • Part of subcall function 0047533B: _free.LIBCMT ref: 0047814F
        • Part of subcall function 0047533B: DeleteCriticalSection.KERNEL32(H,L,?,?,004752D8,00473DD8,004B7A40,00000014), ref: 00478171
      • __calloc_crt.LIBCMT ref: 004752F8
      • __initptd.LIBCMT ref: 0047531A
      • GetCurrentThreadId.KERNEL32 ref: 00475321
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
      • String ID:
      • API String ID: 3567560977-0
      • Opcode ID: 1f2e5e43d50deb095edef526142b265b35e0d6a73bc7c9bc2c234088728939e4
      • Instruction ID: 54a5f28b794457c3f42769103cccce5348bd934e22a66912eaf35aa178f045d7
      • Opcode Fuzzy Hash: 1f2e5e43d50deb095edef526142b265b35e0d6a73bc7c9bc2c234088728939e4
      • Instruction Fuzzy Hash: 4EF06232549B116EE224767A7C066CB2684DF01774B21C66FF858D91E3EED98842459C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 15%
      			E00472E68() {
      				_Unknown_base(*)()* _t1;
      				signed int _t2;
      
      				if( *0x4c2bec != 0) {
      					L4:
      					__imp__DecodePointer( *0x4c2be8, 1);
      					_t2 =  *_t1();
      					asm("sbb eax, eax");
      					return  ~_t2 + 1;
      				} else {
      					_t1 = GetProcAddress(LoadLibraryExW(L"combase.dll", 0, 0x800), "RoInitialize");
      					if(_t1 != 0) {
      						__imp__EncodePointer(_t1);
      						 *0x4c2be8 = _t1;
      						 *0x4c2bec = 1;
      						goto L4;
      					} else {
      						return _t1;
      					}
      				}
      			}

      APIs
      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00472F31,?), ref: 00472E82
      • GetProcAddress.KERNEL32(00000000), ref: 00472E89
      • EncodePointer.KERNEL32(00000000), ref: 00472E95
      • DecodePointer.KERNEL32(00000001,00472F31,?), ref: 00472EB2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
      • String ID: RoInitialize$combase.dll
      • API String ID: 3489934621-340411864
      • Opcode ID: ae9216142891f7cca0eb432ae84c9c8301b60fa0c34bb1ac083bbc67b6d5177e
      • Instruction ID: 19bf3f48c2be4b5a79e8ab09192f98264ae362db981b3d9c4da0e56ae73f86a2
      • Opcode Fuzzy Hash: ae9216142891f7cca0eb432ae84c9c8301b60fa0c34bb1ac083bbc67b6d5177e
      • Instruction Fuzzy Hash: 23E0E5746A4301ABDBD09F70ED09F593AA8B714702F508479B002D92E0EBF968489B0C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 24%
      			E0044F1B9(void* __ebx, void* __edx, void* __eflags) {
      				struct HWND__* __esi;
      				void* _t11;
      				int _t14;
      				void* _t19;
      				void* _t20;
      				struct HWND__* _t21;
      				void* _t22;
      				signed int _t23;
      
      				_t19 = __edx;
      				_t11 = __ebx;
      				if(E00416890(0x4bca94) != 0) {
      					_push(0);
      					_push(E00458EF0);
      					_push(_t21);
      					_push(L"SAVE_FILTER");
      					DialogBoxParamW( *0x4bd2c4, ??, ??, ??, ??);
      					E0044AEF0(0x4bdd00,  *0x4c22c0);
      				} else {
      					MessageBoxW(__esi, L"No filter rules are currently defined", L"Process Monitor", 0x40);
      				}
      				_t14 =  *(_t23 + 0xc);
      				DefWindowProcW(_t21, _t14,  *(_t23 - 0x628),  *(_t23 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t23 - 0xc));
      				_pop(_t20);
      				_pop(_t22);
      				return E0046F77E(_t11,  *(_t23 - 0x10) ^ _t23, _t19, _t20, _t22);
      			}

      APIs
        • Part of subcall function 00416890: EnterCriticalSection.KERNEL32(?,?,00000000,0044B828,00000002,?,?,?), ref: 00416895
        • Part of subcall function 00416890: LeaveCriticalSection.KERNEL32(?), ref: 004168A5
      • MessageBoxW.USER32(?,No filter rules are currently defined,Process Monitor,00000040), ref: 0044F1D4
      • DialogBoxParamW.USER32 ref: 0044F1F2
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$DialogEnterLeaveMessageParam
      • String ID: No filter rules are currently defined$Process Monitor$SAVE_FILTER$pHx
      • API String ID: 3255859317-2591432011
      • Opcode ID: b4aca1c6d98f636418d980b67032a42bf3ae3b3e59ee6d0ef35b6fef50109122
      • Instruction ID: d90e7ff82a31b345dddde6b8a6f3bc37c9c7377e4e16bbde71f4d756774ffaea
      • Opcode Fuzzy Hash: b4aca1c6d98f636418d980b67032a42bf3ae3b3e59ee6d0ef35b6fef50109122
      • Instruction Fuzzy Hash: D6E08C30380201BAE6202B929D57F6A7A26BB44B45F20047BBA02700E2EF9C6915562E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E00472F3D() {
      				_Unknown_base(*)()* _t1;
      
      				if( *0x4c2bf4 != 0) {
      					L3:
      					__imp__DecodePointer( *0x4c2bf0);
      					goto __eax;
      				}
      				_t1 = GetProcAddress(LoadLibraryExW(L"combase.dll", 0, 0x800), "RoUninitialize");
      				if(_t1 != 0) {
      					__imp__EncodePointer(_t1);
      					 *0x4c2bf0 = _t1;
      					 *0x4c2bf4 = 1;
      					goto L3;
      				}
      				return _t1;
      			}

      APIs
      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00472E57), ref: 00472F57
      • GetProcAddress.KERNEL32(00000000), ref: 00472F5E
      • EncodePointer.KERNEL32(00000000), ref: 00472F69
      • DecodePointer.KERNEL32(00472E57), ref: 00472F84
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
      • String ID: RoUninitialize$combase.dll
      • API String ID: 3489934621-2819208100
      • Opcode ID: 36e315c907799744eb38c6b879574b177ab4a2434a389efa82b4d5b15bba3c59
      • Instruction ID: 3b4be73c2bc49ef47e7a1a7ff67454a7cdc6e5690cca996ba7639da30ff24781
      • Opcode Fuzzy Hash: 36e315c907799744eb38c6b879574b177ab4a2434a389efa82b4d5b15bba3c59
      • Instruction Fuzzy Hash: F5E0BF78655202EBD7945F60AE0DF093BB5B714702F104879F115E12B0EBF99814FB1C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E00448330(void* __fp0, signed int _a4, char _a8) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				intOrPtr _v24;
      				char _v28;
      				signed int _v32;
      				struct _CRITICAL_SECTION* _v36;
      				struct _CRITICAL_SECTION* _v40;
      				signed int _t38;
      				void* _t42;
      				intOrPtr _t45;
      				signed int _t46;
      				signed int _t51;
      				signed int _t53;
      				signed int _t54;
      				intOrPtr _t60;
      				intOrPtr _t61;
      				intOrPtr _t62;
      				char _t69;
      				void* _t71;
      				intOrPtr _t74;
      				void* _t76;
      				intOrPtr _t79;
      				intOrPtr _t83;
      				intOrPtr* _t86;
      				signed int _t87;
      				void* _t105;
      
      				_t105 = __fp0;
      				_push(0xffffffff);
      				_push(E0048AAC9);
      				_push( *[fs:0x0]);
      				_t38 =  *0x4bb1dc; // 0x2927074f
      				_push(_t38 ^ _t87);
      				 *[fs:0x0] =  &_v16;
      				_v32 = 0;
      				_v20 = 0;
      				_v36 = 0x4bca10;
      				EnterCriticalSection(0x4bca10);
      				_v8 = 0;
      				_v40 = 0x4bca94;
      				EnterCriticalSection(0x4bca94);
      				_v8 = 1;
      				_t76 = 0;
      				EnterCriticalSection(0x4bca94);
      				_t79 =  *0x4bcab0; // 0x0
      				LeaveCriticalSection(0x4bca94);
      				if(_t79 -  *0x4bcaac >> 5 == 0) {
      					L23:
      					_t104 = _a8;
      					if(_a8 == 0) {
      						E00412AD0(0x4bca94, _t105, 0x9c92, 0,  *((intOrPtr*)(0x496af0 + _a4 * 4)), 0);
      					}
      					_t42 = E00418140(0x4bca10, _t104, 0);
      					LeaveCriticalSection(0x4bca94);
      					LeaveCriticalSection(0x4bca10);
      					 *[fs:0x0] = _v16;
      					return _t42;
      				}
      				_t60 = 0;
      				_v24 = 0;
      				do {
      					_t45 =  *0x4bcaac; // 0x0
      					if( *((intOrPtr*)(_t60 + _t45)) != 0x9c92) {
      						L14:
      						_t61 = 0;
      						__eflags = 0;
      						goto L15;
      					}
      					_t69 =  *((intOrPtr*)(_t60 + _t45 + 8));
      					_v28 = _t69;
      					if(_t69 != 0) {
      						E0046A420(_t69);
      					}
      					_t51 = _v20 | 0x00000001;
      					_v8 = 2;
      					_v20 = _t51;
      					_v32 = _t51;
      					_t86 =  *((intOrPtr*)(0x496af0 + _a4 * 4));
      					_t53 = E0046A170( &_v28);
      					while(1) {
      						_t71 =  *_t53;
      						if(_t71 !=  *_t86) {
      							break;
      						}
      						if(_t71 == 0) {
      							L10:
      							_t54 = 0;
      							L12:
      							if(_t54 != 0) {
      								goto L14;
      							}
      							_t61 = 1;
      							goto L15;
      						}
      						_t74 =  *((intOrPtr*)(_t53 + 2));
      						if(_t74 !=  *((intOrPtr*)(_t86 + 2))) {
      							break;
      						}
      						_t53 = _t53 + 4;
      						_t86 = _t86 + 4;
      						if(_t74 != 0) {
      							continue;
      						}
      						goto L10;
      					}
      					asm("sbb eax, eax");
      					_t54 = _t53 | 0x00000001;
      					__eflags = _t54;
      					goto L12;
      					L15:
      					_t46 = _v20;
      					_v8 = 1;
      					if((_t46 & 0x00000001) != 0) {
      						_t72 = _v28;
      						_v20 = _t46 & 0xfffffffe;
      						if(_v28 != 0) {
      							E0046A700(_t72);
      						}
      					}
      					if(_t61 == 0) {
      						_t62 = _v24;
      					} else {
      						E00413A20(_t76);
      						_t76 = _t76 - 1;
      						_t62 = _v24 - 0x20;
      					}
      					_t60 = _t62 + 0x20;
      					_t76 = _t76 + 1;
      					_v24 = _t60;
      					EnterCriticalSection(0x4bca94);
      					_t83 =  *0x4bcab0; // 0x0
      					LeaveCriticalSection(0x4bca94);
      				} while (_t76 < _t83 -  *0x4bcaac >> 5);
      				goto L23;
      			}

      APIs
      • EnterCriticalSection.KERNEL32(004BCA10,2927074F), ref: 00448372
      • EnterCriticalSection.KERNEL32(004BCA94), ref: 00448387
      • EnterCriticalSection.KERNEL32(004BCA94), ref: 00448394
      • LeaveCriticalSection.KERNEL32(004BCA94), ref: 004483B0
      • EnterCriticalSection.KERNEL32(004BCA94), ref: 0044847C
      • LeaveCriticalSection.KERNEL32(004BCA94), ref: 00448496
        • Part of subcall function 0046A420: InterlockedIncrement.KERNEL32(00000000), ref: 0046A421
      • LeaveCriticalSection.KERNEL32(004BCA94), ref: 004484DE
      • LeaveCriticalSection.KERNEL32(004BCA10), ref: 004484E5
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$IncrementInterlocked
      • String ID:
      • API String ID: 1988634917-0
      • Opcode ID: b81d5080697891de40987d137d353edba3debcb98514e484c9da1b180c7ed387
      • Instruction ID: 96391db6a8a7d02bcbfaa17c3504a03399e123af56fac041af8a3b2beff3c273
      • Opcode Fuzzy Hash: b81d5080697891de40987d137d353edba3debcb98514e484c9da1b180c7ed387
      • Instruction Fuzzy Hash: 3C419431A0020A9BEB10DFA9DCC27AFB7B4EB19754F11452EE901B7340EBB85D40CB69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 96%
      			E0041EC70(struct _CRITICAL_SECTION* __ecx, void* __edx, void* __eflags, struct _CRITICAL_SECTION* _a4) {
      				char _v8;
      				char _v16;
      				void* _v17;
      				char _v18;
      				signed int _v24;
      				char* _v28;
      				char _v32;
      				void* _v36;
      				char _v40;
      				void* _v44;
      				signed int _v48;
      				struct _CRITICAL_SECTION* _v52;
      				signed int _v56;
      				signed int _v60;
      				signed int _v64;
      				void* _v72;
      				void* _v80;
      				signed int _v84;
      				intOrPtr _v92;
      				char _v104;
      				char _v108;
      				char _v112;
      				char _v116;
      				struct _CRITICAL_SECTION* _v120;
      				char _v128;
      				char _v132;
      				char _v140;
      				char _v148;
      				intOrPtr _v184;
      				char _v188;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t138;
      				struct _CRITICAL_SECTION _t151;
      				intOrPtr* _t153;
      				intOrPtr* _t154;
      				intOrPtr* _t155;
      				void* _t161;
      				signed int _t163;
      				signed int _t168;
      				signed int _t169;
      				signed int _t170;
      				signed int _t171;
      				intOrPtr* _t180;
      				signed int _t213;
      				struct _CRITICAL_SECTION* _t227;
      				signed int _t228;
      				void* _t230;
      				signed int _t234;
      				signed int _t245;
      				signed int _t247;
      				signed int _t248;
      				signed int _t256;
      				signed int _t267;
      				signed int _t270;
      				signed int _t271;
      				signed int _t274;
      				signed int _t275;
      				intOrPtr* _t279;
      				intOrPtr* _t281;
      				intOrPtr* _t282;
      				signed int _t284;
      				void* _t285;
      				void* _t286;
      				void* _t288;
      
      				_push(0xffffffff);
      				_push(E00487AAB);
      				_push( *[fs:0x0]);
      				_t286 = _t285 - 0xac;
      				_t138 =  *0x4bb1dc; // 0x2927074f
      				_push(_t138 ^ _t284);
      				 *[fs:0x0] =  &_v16;
      				_t227 = __ecx;
      				_v52 = __ecx;
      				_v17 = 0;
      				_t274 = E00416870(__ecx);
      				_v56 = _t274;
      				E0040C870( &_v188, __edx, __eflags,  *((intOrPtr*)(__ecx + 0x18)), L"Scanning events", _t274,  &_v17);
      				_t279 = _a4;
      				_v8 = 0;
      				E004235A0(_t279,  *((intOrPtr*)( *_t279 + 4)));
      				 *((intOrPtr*)( *_t279 + 4)) =  *_t279;
      				 *((intOrPtr*)( *_t279)) =  *_t279;
      				 *((intOrPtr*)( *_t279 + 8)) =  *_t279;
      				 *((intOrPtr*)(_t279 + 4)) = 0;
      				if(_t274 != 0) {
      					_t275 = 0;
      					__eflags = _v56;
      					if(_v56 > 0) {
      						_v120 = __ecx;
      						do {
      							EnterCriticalSection(_t227);
      							_v8 = 1;
      							E0040D160(_t227,  &_v104, _t275);
      							_v24 = 0;
      							_v8 = 3;
      							E00410F20(_t227,  &_v104, _t275, _t279, 0xfffffffe,  &_v24);
      							_t282 =  *0x496bf4; // 0x49722c
      							_t168 = E0046A170( &_v24);
      							while(1) {
      								_t245 =  *_t168;
      								__eflags = _t245 -  *_t282;
      								if(_t245 !=  *_t282) {
      									break;
      								}
      								__eflags = _t245;
      								if(_t245 == 0) {
      									L9:
      									_t169 = 0;
      								} else {
      									_t271 =  *((intOrPtr*)(_t168 + 2));
      									_t24 = _t282 + 2; // 0x610065
      									__eflags = _t271 -  *_t24;
      									if(_t271 !=  *_t24) {
      										break;
      									} else {
      										_t168 = _t168 + 4;
      										_t282 = _t282 + 4;
      										__eflags = _t271;
      										if(_t271 != 0) {
      											continue;
      										} else {
      											goto L9;
      										}
      									}
      								}
      								L11:
      								__eflags = _t169;
      								if(_t169 != 0) {
      									_t279 =  *0x496bf8; // 0x497238
      									_t170 = E0046A170( &_v24);
      									while(1) {
      										_t247 =  *_t170;
      										__eflags = _t247 -  *_t279;
      										if(_t247 !=  *_t279) {
      											break;
      										}
      										__eflags = _t247;
      										if(_t247 == 0) {
      											L18:
      											_t171 = 0;
      										} else {
      											_t270 =  *((intOrPtr*)(_t170 + 2));
      											_t28 = _t279 + 2; // 0x690072
      											__eflags = _t270 -  *_t28;
      											if(_t270 !=  *_t28) {
      												break;
      											} else {
      												_t170 = _t170 + 4;
      												_t279 = _t279 + 4;
      												__eflags = _t270;
      												if(_t270 != 0) {
      													continue;
      												} else {
      													goto L18;
      												}
      											}
      										}
      										L20:
      										__eflags = _t171;
      										if(_t171 == 0) {
      											_t29 = _t171 + 2; // 0x2
      											_t230 = _t29;
      											goto L22;
      										}
      										goto L34;
      									}
      									asm("sbb eax, eax");
      									_t171 = _t170 | 0x00000001;
      									__eflags = _t171;
      									goto L20;
      								} else {
      									_t25 = _t169 + 1; // 0x1
      									_t230 = _t25;
      									L22:
      									_v48 = 0;
      									_v8 = 4;
      									E00410F20(_t230,  &_v104, _t275, _t279, 0xffffffff,  &_v48);
      									_t180 = E00467450(_v92,  *((intOrPtr*)(E00411BA0( &_v104) + 0x40)));
      									_v44 = 0;
      									_t279 = _t180;
      									_v40 = 0;
      									_v44 = E0045CBA0();
      									_v8 = 5;
      									_v36 = 0;
      									_v32 = 0;
      									_v36 = E0045CBA0();
      									_t256 = _v48;
      									_v8 = 6;
      									_v84 = _t256;
      									__eflags = _t256;
      									if(_t256 != 0) {
      										E0046A420(_t256);
      									}
      									_v8 = 7;
      									_v28 =  &_v80;
      									_push( &_v18);
      									E0041D480( &_v80,  &_v44);
      									_v8 = 8;
      									_push( &_v18);
      									E0041D480( &_v72,  &_v36);
      									_v8 = 9;
      									E0041CA10(_a4,  &_v128, 0,  &_v84,  *0x4bca04 & 0x000000ff);
      									_v8 = 0xa;
      									E0040E1E0( &_v72,  &_v108,  *_v72, _v72);
      									E0046EF07(_v72);
      									E0040E1E0( &_v80,  &_v132,  *_v80, _v80);
      									E0046EF07(_v80);
      									_t262 = _v84;
      									_t288 = _t286 + 8;
      									_v8 = 6;
      									__eflags = _v84;
      									if(_v84 != 0) {
      										E0046A700(_t262);
      									}
      									_v8 = 4;
      									E0040E1E0( &_v36,  &_v116,  *_v36, _v36);
      									E0046EF07(_v36);
      									E0040E1E0( &_v44,  &_v112,  *_v44, _v44);
      									E0046EF07(_v44);
      									_v28 = _v128 + 0x14;
      									_t213 = E0046A6C0(_t230, _t279, E0046A530(_t279));
      									_t286 = _t288 + 0x14;
      									__eflags = _t230 - 1;
      									if(_t230 != 1) {
      										_v64 = _t213;
      										_v8 = 0xc;
      										__eflags = _v28 + 8;
      										E0041D0E0(_v28 + 8,  &_v140, 0,  &_v64,  *0x4bca04 & 0x000000ff);
      										_t267 = _v64;
      									} else {
      										_v60 = _t213;
      										_v8 = 0xb;
      										E0041D0E0(_v28,  &_v148, 0,  &_v60,  *0x4bca04 & 0x000000ff);
      										_t267 = _v60;
      									}
      									_v8 = 4;
      									__eflags = _t267;
      									if(_t267 != 0) {
      										E0046A700(_t267);
      									}
      									_t268 = _v48;
      									_v8 = 3;
      									__eflags = _v48;
      									if(_v48 != 0) {
      										E0046A700(_t268);
      									}
      									_t227 = _v52;
      								}
      								L34:
      								__eflags = _v17;
      								_t248 = _v24;
      								_v184 = _t275;
      								_v8 = 2;
      								if(_v17 != 0) {
      									__eflags = _t248;
      									if(_t248 != 0) {
      										E0046A700(_t248);
      									}
      									_v8 = 1;
      									E0040F960( &_v104, _t279);
      									_v8 = 0;
      									LeaveCriticalSection(_t227);
      								} else {
      									goto L35;
      								}
      								goto L42;
      							}
      							asm("sbb eax, eax");
      							_t169 = _t168 | 0x00000001;
      							__eflags = _t169;
      							goto L11;
      							L35:
      							__eflags = _t248;
      							if(_t248 != 0) {
      								E0046A700(_t248);
      							}
      							_v8 = 1;
      							E0040F960( &_v104, _t279);
      							_v8 = 0;
      							LeaveCriticalSection(_t227);
      							_t275 = _t275 + 1;
      							__eflags = _t275 - _v56;
      						} while (_t275 < _v56);
      					}
      					L42:
      					_t234 = _v17;
      					__eflags = _t234;
      					if(__eflags == 0) {
      						_t227 = _a4;
      						_t151 =  *_t227;
      						_t281 =  *_t151;
      						__eflags = _t281 - _t151;
      						if(_t281 != _t151) {
      							do {
      								_t114 = _t281 + 0x20; // 0x740061
      								__eflags =  *_t114 - 1;
      								if(__eflags > 0) {
      									L50:
      									__eflags =  *((char*)(_t281 + 0xd));
      									if( *((char*)(_t281 + 0xd)) == 0) {
      										_t153 =  *((intOrPtr*)(_t281 + 8));
      										__eflags =  *((char*)(_t153 + 0xd));
      										if( *((char*)(_t153 + 0xd)) != 0) {
      											_t154 =  *((intOrPtr*)(_t281 + 4));
      											__eflags =  *((char*)(_t154 + 0xd));
      											if( *((char*)(_t154 + 0xd)) == 0) {
      												while(1) {
      													__eflags = _t281 -  *((intOrPtr*)(_t154 + 8));
      													if(_t281 !=  *((intOrPtr*)(_t154 + 8))) {
      														goto L59;
      													}
      													_t281 = _t154;
      													_t154 =  *((intOrPtr*)(_t154 + 4));
      													__eflags =  *((char*)(_t154 + 0xd));
      													if( *((char*)(_t154 + 0xd)) == 0) {
      														continue;
      													}
      													goto L59;
      												}
      											}
      											L59:
      											_t281 = _t154;
      										} else {
      											_t281 = _t153;
      											_t155 =  *_t281;
      											__eflags =  *((char*)(_t155 + 0xd));
      											while( *((char*)(_t155 + 0xd)) == 0) {
      												_t281 = _t155;
      												_t155 =  *_t281;
      												__eflags =  *((char*)(_t155 + 0xd));
      											}
      										}
      									}
      								} else {
      									if(__eflags != 0) {
      										L49:
      										_t281 =  *((intOrPtr*)(E00423B50(_t227,  &_a4, _t281)));
      									} else {
      										_t115 = _t281 + 0x18; // 0x740065
      										__eflags =  *_t115 - 1;
      										if(__eflags > 0) {
      											goto L50;
      										} else {
      											if(__eflags != 0) {
      												goto L49;
      											} else {
      												_t116 = _t281 + 0x1c; // 0x640061
      												_t117 = _t281 + 0x14; // 0x4d0020
      												_t277 =  *((intOrPtr*)( *_t117));
      												_t161 = E0046A170( *((intOrPtr*)( *_t116)) + 0x10);
      												_t119 = _t277 + 0x10; // 0x10
      												_t163 = E0046F283(_t227,  *((intOrPtr*)( *_t117)), _t281, E0046A170(_t119), _t161);
      												_t286 = _t286 + 8;
      												__eflags = _t163;
      												if(_t163 != 0) {
      													goto L50;
      												} else {
      													goto L49;
      												}
      											}
      										}
      									}
      								}
      								__eflags = _t281 -  *_t227;
      							} while (_t281 !=  *_t227);
      							_t234 = _v17;
      						}
      						__eflags = _t234;
      					}
      					_t133 = __eflags == 0;
      					__eflags = _t133;
      					_t228 = _t227 & 0xffffff00 | _t133;
      				} else {
      					_t228 = 1;
      				}
      				_v8 = 0xffffffff;
      				E0040C9C0( &_v188);
      				 *[fs:0x0] = _v16;
      				return _t228;
      			}

      APIs
        • Part of subcall function 00416870: EnterCriticalSection.KERNEL32(004BCA10,00000000,?,0043B1A2,2927074F,00000000,?,?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 00416875
        • Part of subcall function 00416870: LeaveCriticalSection.KERNEL32(004BCA10,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0041687F
        • Part of subcall function 0040C870: GetTickCount.KERNEL32 ref: 0040C897
        • Part of subcall function 0040C870: GetWindowRect.USER32 ref: 0040C8D9
        • Part of subcall function 0040C870: GetAncestor.USER32(?,00000002), ref: 0040C916
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C923
        • Part of subcall function 0040C870: GetDesktopWindow.USER32 ref: 0040C930
        • Part of subcall function 0040C870: EnableWindow.USER32(00000000,00000000), ref: 0040C93D
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C944
        • Part of subcall function 0040C870: CreateThread.KERNEL32 ref: 0040C95C
      • EnterCriticalSection.KERNEL32(?,?,?,Scanning events,00000000,00000000,2927074F), ref: 0041ED11
        • Part of subcall function 0040C9C0: Sleep.KERNEL32(00000032,?,749682C0,0043ACBC,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0040C9D7
        • Part of subcall function 0040C9C0: SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0040C9EB
        • Part of subcall function 0040C9C0: WaitForSingleObject.KERNEL32(?,000000FF,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0040C9F6
        • Part of subcall function 0040C9C0: CloseHandle.KERNEL32(?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0040C9FF
        • Part of subcall function 0040C9C0: GetDesktopWindow.USER32 ref: 0040CA13
        • Part of subcall function 0040C9C0: EnableWindow.USER32(?,00000001), ref: 0040CA1C
        • Part of subcall function 0040C9C0: GetParent.USER32(?), ref: 0040CA23
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$CriticalParentSection$DesktopEnableEnter$AncestorCloseCountCreateHandleLeaveMessageObjectRectSendSingleSleepThreadTickWait
      • String ID: ,rI$8rI$Scanning events
      • API String ID: 2670945486-2438122357
      • Opcode ID: 4ca8aebda44e5d8f2f8496b9c7d348345c7acd6de254ae554200a585b882a3e8
      • Instruction ID: 2fb700a818aaafe62d5d7ed59904fdf6e7bf9386891e7b4ce6c6ed20575ec60a
      • Opcode Fuzzy Hash: 4ca8aebda44e5d8f2f8496b9c7d348345c7acd6de254ae554200a585b882a3e8
      • Instruction Fuzzy Hash: 37E1B475D002499FDF10DBA5C851BEEBBF4AF18308F14406AE845A7392E738AE49CB65
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 96%
      			E00442149(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
      				void* _t76;
      				long _t103;
      				void* _t106;
      				void* _t131;
      				void* _t132;
      				struct _CRITICAL_SECTION* _t134;
      				void* _t136;
      
      				_t132 = __edi;
      				_t131 = __edx;
      				_t106 = __ebx;
      				E0046A700(__ecx);
      				LocalFree( *(_t136 - 0x10));
      				 *(_t136 - 0x10) = 0;
      				_push(_t136 - 0x10);
      				_push(E0046A170(_t136 - 0x14));
      				L0046E3FE();
      				_t76 = E00436910(_t131, _t136 + 0x18,  *(_t136 - 0x10));
      				 *((char*)(_t136 - 4)) = 4;
      				E0046A0B0(_t136 - 0x14, _t76);
      				_t111 =  *((intOrPtr*)(_t136 + 0x18));
      				 *((char*)(_t136 - 4)) = 2;
      				_t145 =  *((intOrPtr*)(_t136 + 0x18));
      				if( *((intOrPtr*)(_t136 + 0x18)) != 0) {
      					E0046A700(_t111);
      				}
      				LocalFree( *(_t136 - 0x10));
      				 *(_t136 - 0x24) = 0;
      				 *(_t136 - 0x20) = 0;
      				 *(_t136 - 0x1c) = 0;
      				 *((char*)(_t136 - 4)) = 7;
      				L0046DF00(_t136 - 0x28, E0046A170(_t136 - 0x28), _t136 - 0x24, _t136 - 0x20, _t136 - 0x1c);
      				 *(_t136 - 0x38) = 0;
      				 *(_t136 - 0x34) = 0;
      				 *(_t136 - 0x30) = 0;
      				 *(_t136 - 0x2c) = 0;
      				 *((char*)(_t136 - 4)) = 9;
      				E0042D8B0(E0046A170(_t136 - 0x28), _t136 - 0x38, _t136 - 0x30);
      				EnterCriticalSection(_t134);
      				 *((intOrPtr*)(_t106 + 0x3c)) = E0040DBC0( *((intOrPtr*)(_t132 + 0x20)), _t145, _t136 - 0x18);
      				 *((intOrPtr*)(_t106 + 0x38)) = E0040DBC0( *((intOrPtr*)(_t132 + 0x20)), _t145, _t136 - 0x14);
      				 *((intOrPtr*)(_t106 + 0x50)) = E0040DBC0( *((intOrPtr*)(_t132 + 0x20)), _t145, _t136 - 0x24);
      				 *((intOrPtr*)(_t106 + 0x4c)) = E0040DBC0( *((intOrPtr*)(_t132 + 0x20)), _t145, _t136 - 0x20);
      				 *((intOrPtr*)(_t106 + 0x54)) = E0040DBC0( *((intOrPtr*)(_t132 + 0x20)), _t145, _t136 - 0x1c);
      				 *((intOrPtr*)(_t106 + 0x58)) = E0042D240( *((intOrPtr*)(_t132 + 0x24)), _t136 - 0x38);
      				 *((intOrPtr*)(_t106 + 0x5c)) = E0042D240( *((intOrPtr*)(_t132 + 0x24)), _t136 - 0x30);
      				LeaveCriticalSection(_t134);
      				_t146 =  *((char*)(_t136 + 0xc));
      				if( *((char*)(_t136 + 0xc)) != 0) {
      					L0046B550(_t131, _t146, _t106,  *((intOrPtr*)(_t136 + 0x10)),  *((intOrPtr*)(_t136 + 0x14)),  *((intOrPtr*)(_t132 + 0x20)), _t134);
      				}
      				_t53 = _t132 + 0x28; // -1219
      				_t103 = InterlockedDecrement(_t53);
      				_t121 =  *(_t136 - 0x30);
      				 *((char*)(_t136 - 4)) = 8;
      				if( *(_t136 - 0x30) != 0) {
      					_t103 = E0046A700(_t121);
      				}
      				_t122 =  *(_t136 - 0x38);
      				 *((char*)(_t136 - 4)) = 7;
      				if( *(_t136 - 0x38) != 0) {
      					_t103 = E0046A700(_t122);
      				}
      				_t123 =  *(_t136 - 0x1c);
      				 *((char*)(_t136 - 4)) = 6;
      				if( *(_t136 - 0x1c) != 0) {
      					_t103 = E0046A700(_t123);
      				}
      				_t124 =  *(_t136 - 0x20);
      				 *((char*)(_t136 - 4)) = 5;
      				if( *(_t136 - 0x20) != 0) {
      					_t103 = E0046A700(_t124);
      				}
      				_t125 =  *(_t136 - 0x24);
      				 *((char*)(_t136 - 4)) = 2;
      				if( *(_t136 - 0x24) != 0) {
      					_t103 = E0046A700(_t125);
      				}
      				_t126 =  *((intOrPtr*)(_t136 - 0x14));
      				 *((char*)(_t136 - 4)) = 1;
      				if( *((intOrPtr*)(_t136 - 0x14)) != 0) {
      					_t103 = E0046A700(_t126);
      				}
      				_t127 =  *((intOrPtr*)(_t136 - 0x18));
      				 *((char*)(_t136 - 4)) = 0;
      				if( *((intOrPtr*)(_t136 - 0x18)) != 0) {
      					_t103 = E0046A700(_t127);
      				}
      				_t128 =  *((intOrPtr*)(_t136 - 0x28));
      				 *((intOrPtr*)(_t136 - 4)) = 0xffffffff;
      				if( *((intOrPtr*)(_t136 - 0x28)) != 0) {
      					_t103 = E0046A700(_t128);
      				}
      				 *[fs:0x0] =  *((intOrPtr*)(_t136 - 0xc));
      				return _t103;
      			}

      APIs
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • LocalFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,00000000,?,?,?,?,?,00000000), ref: 00442151
      • ConvertStringSidToSidW.ADVAPI32(00000000,00000000), ref: 0044216B
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
      • LocalFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,?,00000000), ref: 0044219F
      • EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00442215
      • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00442285
      • InterlockedDecrement.KERNEL32(-000004C3), ref: 004422A8
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: DecrementInterlocked$CriticalFreeLocalSection$ConvertEnterLeaveString
      • String ID:
      • API String ID: 4095171749-0
      • Opcode ID: c1968028f5e03092c5ef64bafc14234d349c3291268a42fe3966bf580bc838ad
      • Instruction ID: 530f279bf8b4022ecfd26a710a5a53812adf9379b234ccc48c708dc78db6ace9
      • Opcode Fuzzy Hash: c1968028f5e03092c5ef64bafc14234d349c3291268a42fe3966bf580bc838ad
      • Instruction Fuzzy Hash: 345130B5901209EADF05EFE1C955BEFBBB5BF08304F04015EE801B3241EB79A914CBA6
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 24%
      			E00460040(intOrPtr _a4, void** _a8, long _a16, char _a20, intOrPtr _a24, intOrPtr _a28) {
      				int _v8;
      				char _v16;
      				intOrPtr _v20;
      				signed int _v24;
      				void* _v741;
      				char _v755;
      				char _v756;
      				intOrPtr _v944;
      				intOrPtr _v952;
      				long _v956;
      				intOrPtr _v960;
      				int _v968;
      				long _v972;
      				intOrPtr _v976;
      				intOrPtr _v984;
      				long _v988;
      				intOrPtr _v1008;
      				char _v1012;
      				signed int _v1016;
      				signed int _v1020;
      				int _v1024;
      				long _v1028;
      				intOrPtr _v1032;
      				CONTEXT* _v1036;
      				void** _v1040;
      				intOrPtr _v1044;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t56;
      				signed int _t57;
      				long _t69;
      				void* _t75;
      				void* _t80;
      				char _t91;
      				signed int _t92;
      				void* _t93;
      				signed int _t99;
      				void* _t101;
      				void** _t103;
      				void* _t104;
      				CONTEXT* _t107;
      				signed short _t108;
      				void* _t109;
      				signed int _t110;
      				void* _t111;
      
      				_push(0xffffffff);
      				_push(E0048C2E0);
      				_push( *[fs:0x0]);
      				_t56 =  *0x4bb1dc; // 0x2927074f
      				_t57 = _t56 ^ _t110;
      				_v24 = _t57;
      				_push(_t57);
      				 *[fs:0x0] =  &_v16;
      				_v20 = _t111 - 0x404;
      				_t91 = _a20;
      				_t103 = _a8;
      				_v1032 = _a4;
      				_v1028 = _a16;
      				_v1040 = _t103;
      				_v1044 = _a24;
      				_v1024 = 0;
      				if(_t91 != 0) {
      					 *0x4c24f4( *_t103,  &_v1024);
      				}
      				_v756 = 0;
      				E00470030( &_v755, 0, 0x2da);
      				_t107 =  &_v741 & 0xfffffff0;
      				_v1036 = _t107;
      				_t107->ContextFlags = 0x10001;
      				if(GetThreadContext( *_t103, _t107) != 0) {
      					L12:
      					E00470030( &_v1012, 0, 0x100);
      					_v1020 = _t107->Eip;
      					_v972 = _t107->Esp;
      					_t69 = _t107->Ebp;
      					_t108 = 0;
      					_v1016 = 0;
      					_v1008 = 3;
      					_v968 = 0;
      					_v960 = 3;
      					_v988 = _t69;
      					_v984 = 0;
      					_v976 = 3;
      					_v956 = _t69;
      					_v952 = 0;
      					_v944 = 3;
      					while(1) {
      						_t92 = _t108 & 0x0000ffff;
      						_v1028 = _t108;
      						if(_t92 >= _a28) {
      							break;
      						}
      						_v8 = 0;
      						_t75 =  *0x4c278c(0x14c, _v1032,  *_t103,  &_v1020, _v1036, 0,  *0x4c2778,  *0x4c27ac, 0);
      						_v8 = 0xffffffff;
      						if(_t75 == 0) {
      							break;
      						}
      						_t99 = _v1020;
      						if((_t99 | _v1016) == 0) {
      							break;
      						}
      						_t108 = _t108 + 1;
      						 *(_v1044 + _t92 * 4) = _t99;
      					}
      					if(_a20 != 0) {
      						 *0x4c24f8( *_t103,  &_v1024);
      					}
      					goto L20;
      				} else {
      					if(_t91 != 0) {
      						 *0x4c24f8( *_t103,  &_v1024);
      					}
      					CloseHandle( *_t103);
      					_t80 = OpenThread(0x1f03ff, 0, _v1028);
      					 *_t103 = _t80;
      					if(_t80 == 0) {
      						L11:
      						L20:
      						 *[fs:0x0] = _v16;
      						_pop(_t104);
      						_pop(_t109);
      						_pop(_t93);
      						return E0046F77E(_t93, _v24 ^ _t110, _t101, _t104, _t109);
      					} else {
      						if(_t91 != 0) {
      							 *0x4c24f4(_t80,  &_v1024);
      						}
      						if(GetThreadContext( *_t103, _t107) != 0) {
      							goto L12;
      						} else {
      							if(_t91 != 0) {
      								 *0x4c24f8( *_t103,  &_v1024);
      							}
      							goto L11;
      						}
      					}
      				}
      			}

      APIs
      • _memset.LIBCMT ref: 004600CA
      • GetThreadContext.KERNEL32(?,?,?,00000000,?), ref: 004600EA
      • CloseHandle.KERNEL32(?), ref: 00460109
      • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 0046011C
      • GetThreadContext.KERNEL32(?,?), ref: 0046013D
      • _memset.LIBCMT ref: 0046016F
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Thread$Context_memset$CloseHandleOpen
      • String ID:
      • API String ID: 3132144710-0
      • Opcode ID: 55bd53e6189fc0d547017218917e9a0bd0c309d5b3ef93edc78ba60048ce4595
      • Instruction ID: 127fe4627a877426a7e4d74b63cd31af11b865ca71a7ad1b376b5385bbde0aea
      • Opcode Fuzzy Hash: 55bd53e6189fc0d547017218917e9a0bd0c309d5b3ef93edc78ba60048ce4595
      • Instruction Fuzzy Hash: DE616FB5D4121A9FDB25CF54CD44BDABBB8FF08310F1040AAE908A7290D7B55E84CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 63%
      			E0043C6A0(void* __edx, intOrPtr _a4, intOrPtr _a8, short _a12, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, signed short _a36, intOrPtr _a40, void* _a44, signed short _a48, void* _a52, void* _a56, signed short _a60, intOrPtr _a64, signed int _a68, signed int** _a72, struct _CRITICAL_SECTION* _a76) {
      				intOrPtr _v8;
      				char _v16;
      				signed int _v20;
      				char _v66528;
      				intOrPtr _v66532;
      				intOrPtr _v66536;
      				signed int _v66540;
      				intOrPtr _v66544;
      				intOrPtr _v66548;
      				intOrPtr _v66552;
      				intOrPtr _v66556;
      				intOrPtr _v66560;
      				signed int _v66564;
      				short _v66568;
      				short _v66572;
      				intOrPtr _v66576;
      				char _v66580;
      				intOrPtr _v66584;
      				struct _CRITICAL_SECTION* _v66588;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t70;
      				signed int _t71;
      				signed int* _t101;
      				signed int _t102;
      				signed int* _t103;
      				signed int _t104;
      				char _t115;
      				signed short* _t117;
      				void* _t118;
      				signed int _t121;
      				signed short _t125;
      				signed int** _t136;
      				void* _t137;
      				struct _CRITICAL_SECTION* _t139;
      				void* _t140;
      				void* _t141;
      				signed int _t142;
      
      				_t133 = __edx;
      				_push(0xffffffff);
      				_push(E00489CBB);
      				_push( *[fs:0x0]);
      				E00472600(0x1040c);
      				_t70 =  *0x4bb1dc; // 0x2927074f
      				_t71 = _t70 ^ _t142;
      				_v20 = _t71;
      				_push(_t71);
      				 *[fs:0x0] =  &_v16;
      				_t139 = _a76;
      				_t136 = _a72;
      				_v66584 = _a64;
      				_v66588 = _t139;
      				EnterCriticalSection(_t139);
      				_t8 = _t139 + 0x34; // 0x0
      				_t9 = _t139 + 0x30; // 0x0
      				_v8 = 0;
      				if(( *_t8 -  *_t9 & 0xfffffffc) != 0) {
      					_t13 = _t139 + 0x34; // 0x0
      					_t115 = E00442DA0( *((intOrPtr*)( *_t13 - 4)) + 0x4ec, _a4);
      					_v8 = 0xffffffff;
      					LeaveCriticalSection(_t139);
      					if(_t115 != 0xffffffff) {
      						_t121 =  *0x4bcfa8; // 0x0
      						_v66576 = _a8;
      						_v66572 = 5;
      						_v66568 = _a12;
      						_v66580 = _t115;
      						_v66564 = _t121 | 0x20000000;
      						_v66560 = _a28;
      						_v66556 = _a32;
      						_v66552 = _a20;
      						_v66548 = _a24;
      						_v66540 = _a68;
      						 *0x4bcfa8 = _t121 + 1;
      						_v66544 = 0;
      						_v66532 = 0;
      						E00470850( &_v66528, _v66584, _a68 * 4);
      						_t133 = 2;
      						_t117 =  &_v66528 + (_v66540 & 0x0000ffff) * 4;
      						_t124 =  !=  ? 4 : 0;
      						_t125 = ( !=  ? 4 : 0) | 0 | _a40 != 0x00000000;
      						_t95 =  !=  ? 2 : 0;
      						_t126 = _t125 | ( !=  ? 2 : 0);
      						_t117[2] = _a36;
      						 *_t117 = _t125 | ( !=  ? 2 : 0);
      						asm("movdqu xmm0, [eax]");
      						asm("movdqu [ebx+0x8], xmm0");
      						asm("movdqu xmm0, [eax]");
      						_t117[0x14] = _a48;
      						asm("movdqu [ebx+0x18], xmm0");
      						_t117[0x15] = _a60;
      						_t101 =  *_t136;
      						if(_t101 == 0) {
      							L7:
      							_t102 = 0;
      						} else {
      							_t102 =  *_t101;
      							if(_t102 == 0) {
      								goto L7;
      							} else {
      								__imp__#7(_t102);
      							}
      						}
      						_t140 = 2 + _t102 * 2;
      						_t103 =  *_t136;
      						if(_t103 == 0) {
      							_t104 = 0;
      						} else {
      							_t104 =  *_t103;
      						}
      						E00470850( &(_t117[0x16]), _t104, _t140);
      						_t60 = _t140 + 0x30; // 0x4bca40
      						_v66536 = _t60;
      						E004397E0(_t60 + ((_v66540 & 0x0000ffff) + 0xd) * 4,  &_v66580);
      					} else {
      					}
      				} else {
      					LeaveCriticalSection(_t139);
      				}
      				 *[fs:0x0] = _v16;
      				_pop(_t137);
      				_pop(_t141);
      				_pop(_t118);
      				return E0046F77E(_t118, _v20 ^ _t142, _t133, _t137, _t141);
      			}

      APIs
      • EnterCriticalSection.KERNEL32(004BCA10,2927074F,004BCFC4,?,01D8CBBC,?,00489CBB,000000FF,?,0043C54A,004BCFC4,FFFFFFFF,00000000,?,?,?), ref: 0043C6E8
      • LeaveCriticalSection.KERNEL32(004BCA10,?,0043C54A,004BCFC4,FFFFFFFF,00000000,?,?,?,00000000,020007D0,00000000,00000000,004BCFE8,00000000,00000000), ref: 0043C703
      • LeaveCriticalSection.KERNEL32(004BCA10,?,?,0043C54A,004BCFC4,FFFFFFFF,00000000,?,?,?,00000000,020007D0,00000000,00000000,004BCFE8,00000000), ref: 0043C72E
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Leave$Enter
      • String ID:
      • API String ID: 2978645861-0
      • Opcode ID: 83875ca99a14bc6fdb58c5bb357f730c1c67241298488f74fc153fa8da2d5031
      • Instruction ID: 6588b610bed045b3866fafe8954812f8306e3dde56d43800ff011a9c5d5342da
      • Opcode Fuzzy Hash: 83875ca99a14bc6fdb58c5bb357f730c1c67241298488f74fc153fa8da2d5031
      • Instruction Fuzzy Hash: C7514CB49002599FDB50DF68C880AEAB7F8FF08310F1045AAF969E7341E774AA85CF54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 38%
      			E00462C30(void* __ebx, void* __edx, struct _CRITICAL_SECTION** _a4) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				char _v52;
      				short _v54;
      				char _v58;
      				signed int _v66;
      				char _v68;
      				signed int _v78;
      				char _v80;
      				struct _CRITICAL_SECTION* _v84;
      				char _v88;
      				void* __edi;
      				void* __esi;
      				signed int _t43;
      				signed int _t44;
      				signed int _t47;
      				struct _CRITICAL_SECTION* _t49;
      				void* _t53;
      				intOrPtr* _t67;
      				struct _CRITICAL_SECTION* _t68;
      				signed int _t72;
      				void* _t74;
      				char* _t76;
      				void* _t89;
      				struct _CRITICAL_SECTION** _t91;
      				void* _t92;
      				void* _t95;
      				struct _CRITICAL_SECTION* _t96;
      				void* _t97;
      				void* _t99;
      				signed int _t100;
      				void* _t101;
      				void* _t102;
      
      				_t89 = __edx;
      				_t74 = __ebx;
      				_push(0xffffffff);
      				_push(E0048C7D0);
      				_push( *[fs:0x0]);
      				_t102 = _t101 - 0x48;
      				_t43 =  *0x4bb1dc; // 0x2927074f
      				_t44 = _t43 ^ _t100;
      				_v20 = _t44;
      				_push(_t44);
      				 *[fs:0x0] =  &_v16;
      				_t91 = _a4;
      				asm("xorps xmm0, xmm0");
      				_v52 = 0;
      				_v54 = 0;
      				if(_t91[1] == 0) {
      					asm("movq [ebp-0x3e], xmm0");
      					_v68 = 2;
      					_t47 = _t91[1] & 0x0000ffff;
      					_v58 = 0;
      					__imp__#9(_t47);
      					_v66 = _t47;
      					__eflags = _t91[1];
      					_t95 =  !=  ? 0 : 0x10;
      					_t49 =  *0x4c2534; // 0x0
      					__eflags = _t49;
      					if(__eflags == 0) {
      						_t49 = E00464320(1);
      						 *0x4c2534 = _t49;
      					}
      					_push(_t95);
      					_push(0x20);
      					_push( &_v52);
      					_push(0);
      					_push(0);
      					_push(0x10);
      					_t76 =  &_v68;
      				} else {
      					asm("movq [ebp-0x3a], xmm0");
      					_v80 = 0x17;
      					_t72 = _t91[1] & 0x0000ffff;
      					asm("movdqu [ebp-0x4a], xmm0");
      					__imp__#9(_t72);
      					_v78 = _t72;
      					_t99 =  !=  ? 0 : 0x10;
      					_t49 =  *0x4c2534; // 0x0
      					if(_t49 == 0) {
      						_t49 = E00464320(1);
      						 *0x4c2534 = _t49;
      					}
      					_push(_t99);
      					_push(0x20);
      					_push( &_v52);
      					_push(0);
      					_push(0);
      					_push(0x1c);
      					_t76 =  &_v80;
      				}
      				__imp__#112( *_t49(_t76));
      				_v88 = 0;
      				_v8 = 0;
      				if(_v52 == 0) {
      					asm("cdq");
      					_t53 = E00436170(_t74, _t89, _t91, __eflags,  &_v84, _t91[1] & 0x0000ffff, _t89);
      					_t102 = _t102 + 0xc;
      					_v8 = 2;
      					E0046A0B0( &_v88, _t53);
      					_t78 = _v84;
      					_v8 = 0;
      					__eflags = _v84;
      					if(_v84 != 0) {
      						E0046A700(_t78);
      					}
      				} else {
      					_t67 =  *((intOrPtr*)(E00403D10( &_v52)));
      					_v8 = 1;
      					if(_t67 == 0) {
      						_t68 = 0;
      						__eflags = 0;
      					} else {
      						_t68 =  *_t67;
      					}
      					E0046A0F0( &_v88, _t68);
      					E00403A00( &_v84);
      				}
      				_t96 =  *_t91;
      				_v84 = _t96;
      				EnterCriticalSection(_t96);
      				_v8 = 3;
      				E0046A0B0(_t91[2],  &_v88);
      				LeaveCriticalSection(_t96);
      				InterlockedDecrement( *_t91 + 0x18);
      				E0046EF07(_t91);
      				_t80 = _v88;
      				_v8 = 0xffffffff;
      				if(_v88 != 0) {
      					E0046A700(_t80);
      				}
      				 *[fs:0x0] = _v16;
      				_pop(_t92);
      				_pop(_t97);
      				return E0046F77E(_t74, _v20 ^ _t100, _t89, _t92, _t97);
      			}

      APIs
      • htons.WS2_32(?), ref: 00462C88
        • Part of subcall function 00464320: GetSystemDirectoryA.KERNEL32 ref: 00464388
        • Part of subcall function 00464320: LoadLibraryA.KERNEL32(?,?,?,?,?,?), ref: 004643D1
        • Part of subcall function 00464320: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004643EF
        • Part of subcall function 00464320: FreeLibrary.KERNEL32(00000000,?,?,?,?,?), ref: 004643F6
        • Part of subcall function 00464320: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00464430
        • Part of subcall function 00464320: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00464442
        • Part of subcall function 00464320: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00464449
      • htons.WS2_32(?), ref: 00462CE0
      • WSASetLastError.WS2_32(00000000), ref: 00462D20
      • EnterCriticalSection.KERNEL32(00000010,00000000), ref: 00462D9F
      • LeaveCriticalSection.KERNEL32(00000010,00000000), ref: 00462DB6
      • InterlockedDecrement.KERNEL32(-00000018), ref: 00462DC2
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Library$AddressCriticalFreeLoadProcSectionhtons$DecrementDirectoryEnterErrorInterlockedLastLeaveSystem
      • String ID:
      • API String ID: 1132610150-0
      • Opcode ID: ff4c859fe4d649112f3942b37904931eb611e2b39e6fbb71cf6081574cd937be
      • Instruction ID: 03d54999e2e115d5b84bc87d5d2115361591ab0c38e441916771c7f8fcbd3a34
      • Opcode Fuzzy Hash: ff4c859fe4d649112f3942b37904931eb611e2b39e6fbb71cf6081574cd937be
      • Instruction Fuzzy Hash: BC518F71A10658BEDB14DFE5DE45BEEB7B8AF04304F00412EF805A7291FBB85904CB6A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E0044CF90(void* __ebx, void* __ecx, void* __edx, void* __edi, long _a8, wchar_t* _a12, int* _a16) {
      				char _v8;
      				long _v16;
      				long _v20;
      				long _v24;
      				long _v28;
      				long _v32;
      				long _v36;
      				long _v40;
      				long _v44;
      				long _v48;
      				long _v52;
      				long _v56;
      				long _v60;
      				signed int _t123;
      				signed int _t126;
      				short* _t142;
      				signed int _t145;
      
      				_push(0xffffffff);
      				_push(E0048B040);
      				_push( *[fs:0x0]);
      				_t123 =  *0x4bb1dc; // 0x2927074f
      				_push(_t123 ^ _t145);
      				 *[fs:0x0] =  &_v16;
      				_t126 = _a8;
      				if(_t126 > 0xe) {
      					_t142 = _a12;
      					 *_t142 = 0;
      					goto L33;
      				} else {
      					switch( *((intOrPtr*)(_t126 * 4 +  &M0044D48C))) {
      						case 0:
      							_t129 = E0046A170( *((intOrPtr*)(__ecx + 0xc)) + 0xc);
      							 *[fs:0x0] = _v16;
      							return _t129;
      							goto L34;
      						case 1:
      							__eax = __esi[3];
      							__esi = _a12;
      							_a16 = swprintf(__esi,  *_a16, L"%u", _a16[2]);
      							__eax = __esi;
      							__ecx = _v16;
      							 *[fs:0x0] = _v16;
      							_pop(__ecx);
      							_pop(__esi);
      							return __esi;
      							goto L34;
      						case 2:
      							__eax = __esi[3];
      							__ecx = __eax[0xc];
      							__ecx = __eax[0xc] + __eax[0xa];
      							__edx = __eax[0xd];
      							asm("adc edx, [eax+0x2c]");
      							__eax = E004711AE(__eax, __eax[0xc] + __eax[0xa], __eax[0xd]);
      							asm("divsd xmm0, [0x4962f8]");
      							__eax = _a16;
      							__esp = __esp - 8;
      							__esi = _a12;
      							asm("movsd [esp], xmm0");
      							swprintf(__esi,  *_a16, L"%.07f") = __esi;
      							__ecx = _v16;
      							 *[fs:0x0] = _v16;
      							_pop(__ecx);
      							_pop(__esi);
      							return __esi;
      							goto L34;
      						case 3:
      							__esi[3] =  &_v24;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v24, ( &_v24)[0x17], 0, 0);
      							_v8 = 0;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v24;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L33;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L34;
      						case 4:
      							__esi[3] =  &_v28;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v28, ( &_v28)[0x18], 0, 0);
      							_v8 = 1;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v28;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L33;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L34;
      						case 5:
      							__esi[3] =  &_v32;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v32, ( &_v32)[0x19], 0, 0);
      							_v8 = 2;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v32;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L33;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L34;
      						case 6:
      							__esi[3] =  &_v36;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v36, ( &_v36)[0x19], 0, 0);
      							_v8 = 3;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v36;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L33;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L34;
      						case 7:
      							__ecx = __esi[3];
      							 *(__ecx + 0x40) =  *(__ecx + 0x40) |  *(__ecx + 0x44);
      							if(( *(__ecx + 0x40) |  *(__ecx + 0x44)) == 0) {
      								goto L20;
      							} else {
      								__eax = E0046A530(L" MB");
      								__eax = E0046A6C0(__ebx, L" MB", __eax);
      								_a8 = __eax;
      								__ecx = __esi[3];
      								_push(3);
      								_v8 = 4;
      								__edx =  *(__ecx + 0x44);
      								__eax = E004711AE(__eax, __ecx, __edx);
      								asm("mulsd xmm0, [0x4a1b30]");
      								__eax =  &_v44;
      								__esp = __esp - 8;
      								asm("movsd [esp], xmm0");
      								_push( &_v44);
      								__eax = E00435930(__ebx, __edi);
      								__esp = __esp + 0x10;
      								__ecx =  &_a8;
      								_v8 = 5;
      								 &_v40 = __eax;
      								__ecx = E0046A230( &_v40,  &_a8);
      								_v8 = 6;
      								__eax = E0046A170(__eax);
      								__esi = _a12;
      								_a16 = E0046EF0C(__esi,  *_a16, _a16);
      								__ecx = _v40;
      								_v8 = 5;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      								__ecx = _v44;
      								_v8 = 4;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      								__ecx = _a8;
      								_v8 = 0xffffffff;
      								if(__ecx == 0) {
      									goto L33;
      								} else {
      									E0046A700(__ecx) = __esi;
      									__ecx = _v16;
      									 *[fs:0x0] = _v16;
      									_pop(__ecx);
      									_pop(__esi);
      									return __esi;
      								}
      							}
      							goto L34;
      						case 8:
      							__esi[3] =  &_v48;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v48, ( &_v48)[0x10], ( &_v48)[0x11], 0);
      							_v8 = 7;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v48;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L33;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L34;
      						case 9:
      							__ecx = __esi[3];
      							 *(__ecx + 0x50) =  *(__ecx + 0x50) |  *(__ecx + 0x54);
      							if(( *(__ecx + 0x50) |  *(__ecx + 0x54)) == 0) {
      								L20:
      								__eax = L"n/a";
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return L"n/a";
      							} else {
      								__eax = E0046A530(L" MB");
      								__eax = E0046A6C0(__ebx, L" MB", __eax);
      								_v20 = __eax;
      								__ecx = __esi[3];
      								_push(3);
      								_v8 = 8;
      								__edx =  *(__ecx + 0x54);
      								__eax = E004711AE(__eax, __ecx, __edx);
      								asm("mulsd xmm0, [0x4a1b30]");
      								__eax =  &_v56;
      								__esp = __esp - 8;
      								asm("movsd [esp], xmm0");
      								_push( &_v56);
      								__eax = E00435930(__ebx, __edi);
      								__esp = __esp + 0x10;
      								__ecx =  &_v20;
      								_v8 = 9;
      								 &_v52 = __eax;
      								__ecx = E0046A230( &_v52,  &_v20);
      								_v8 = 0xa;
      								__eax = E0046A170(__eax);
      								__esi = _a12;
      								_a16 = E0046EF0C(__esi,  *_a16, _a16);
      								__ecx = _v52;
      								_v8 = 9;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      								__ecx = _v56;
      								_v8 = 8;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      								__ecx = _v20;
      								_v8 = 0xffffffff;
      								if(__ecx == 0) {
      									goto L33;
      								} else {
      									E0046A700(__ecx) = __esi;
      									__ecx = _v16;
      									 *[fs:0x0] = _v16;
      									_pop(__ecx);
      									_pop(__esi);
      									return __esi;
      								}
      							}
      							goto L34;
      						case 0xa:
      							__esi[3] =  &_v60;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v60, ( &_v60)[0x14], ( &_v60)[0x15], 0);
      							_v8 = 0xb;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v60;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								L33:
      								 *[fs:0x0] = _v16;
      								return _t142;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L34;
      					}
      				}
      				L34:
      			}

      [Address column for E0044CF90: 0x0044cf93 to 0x0044d486, the instruction addresses listed beside each decompiled line above; entries of 0x00000000 mark lines with no address. The side-by-side alignment did not survive extraction.]

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: swprintf
      • String ID: MB$%.07f$n/a
      • API String ID: 233258989-470853679
      • Opcode ID: 3919876617dca2efe990951e6311ec4461cfc635525e5523ecce34bdacfc970d
      • Instruction ID: f3d93c7a0d27a25868a3855e9a705cf01405d00a57d6a021267507c930aad90d
      • Opcode Fuzzy Hash: 3919876617dca2efe990951e6311ec4461cfc635525e5523ecce34bdacfc970d
      • Instruction Fuzzy Hash: B6D1C775A04608EFDB14DF98D852BAE77B4EF49314F00419FF815AB381E739A910CB9A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 81%
      			E004075D0(void* __ebx, void* __ecx, intOrPtr __edx, void* __esi, intOrPtr _a4, signed int _a8) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct tagRECT _v40;
      				struct tagSCROLLINFO _v68;
      				void* __edi;
      				signed int _t41;
      				intOrPtr _t56;
      				int _t66;
      				intOrPtr _t75;
      				intOrPtr _t79;
      				void* _t81;
      				signed int _t83;
      				intOrPtr _t84;
      				signed int _t85;
      
      				_t82 = __esi;
      				_t79 = __edx;
      				_t64 = __ebx;
      				_t41 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t41 ^ _t85;
      				_t81 = __ecx;
      				if(_a8 != 0 &&  *((char*)(__ecx + 0x9d)) == 0) {
      					_push(__ebx);
      					_push(__esi);
      					_v68.cbSize = 0x1c;
      					asm("xorps xmm0, xmm0");
      					_v68.nTrackPos = 0;
      					asm("movdqu [ebp-0x38], xmm0");
      					_v68.fMask = 4;
      					GetScrollInfo( *(__ecx + 0x1c), 2,  &_v68);
      					_t83 = E004078D0(_t81);
      					GetClientRect( *(_t81 + 8),  &_v40);
      					_t66 = _t83 * _a8;
      					GetWindowRect( *(_t81 + 0xc),  &_v24);
      					_v24.left = _v40.left;
      					_v24.right = _v40.right;
      					_t75 = (_a4 - _v68.nPos) * _t83 - _v24.top + _v24.bottom;
      					if(_a8 < 0) {
      						_t84 = _v40.bottom;
      						_t53 =  &_v24;
      						_v24.bottom = _t84;
      						_t79 = _t75 - _t66;
      						__eflags = _t79 - _t84;
      						if(__eflags < 0) {
      							_v24.top = _t79;
      							ScrollWindowEx( *(_t81 + 8), 0, _t66,  &_v24, 0, 0, 0, 2);
      							_t56 = _v40.bottom + _t66;
      							__eflags = _t56;
      							_v24.top = _t56;
      							_t53 =  &_v24;
      						} else {
      							_v24.top = _t75;
      						}
      						InvalidateRect( *(_t81 + 8), _t53, 0);
      					} else {
      						_v24.bottom = _v40.bottom;
      						_v24.top = _t75;
      						ScrollWindowEx( *(_t81 + 8), 0, _t66,  &_v24, 0, 0, 0, 2);
      					}
      					_t89 =  *((char*)(_t81 + 0x9c));
      					_pop(_t82);
      					_pop(_t64);
      					if( *((char*)(_t81 + 0x9c)) != 0) {
      						 *((intOrPtr*)(_t81 + 0x98)) = E00405D80(_t81, 0);
      						E00408CF0(_t81, _t79);
      					}
      					E00408C20(_t81, _t79, _t81, _t89);
      				}
      				return E0046F77E(_t64, _v8 ^ _t85, _t79, _t81, _t82);
      			}

      [Address column for E004075D0: 0x004075d0 to 0x00407710, the instruction addresses listed beside each decompiled line above; the side-by-side alignment did not survive extraction.]

      APIs
      • GetScrollInfo.USER32 ref: 00407622
        • Part of subcall function 004078D0: GetDC.USER32(00000000), ref: 004078E8
        • Part of subcall function 004078D0: SelectObject.GDI32(00000000,?), ref: 004078F4
        • Part of subcall function 004078D0: GetTextMetricsW.GDI32(00000000,?), ref: 004078FF
        • Part of subcall function 004078D0: ReleaseDC.USER32 ref: 0040790C
        • Part of subcall function 004078D0: GetSystemMetrics.USER32 ref: 0040791A
      • GetClientRect.USER32 ref: 00407638
      • GetWindowRect.USER32 ref: 0040764B
      • ScrollWindowEx.USER32 ref: 0040768D
      • InvalidateRect.USER32(00000000,?,00000000), ref: 004076D4
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Rect$MetricsScrollWindow$ClientInfoInvalidateObjectReleaseSelectSystemText
      • String ID:
      • API String ID: 2726689342-0
      • Opcode ID: 515b6b2f2ad702aa160e20a43fbc576f5d89fd697fd17e49b0e1f82d922a829c
      • Instruction ID: 256e76cf072f74bfb3fa6f2031ba75c91269682b32f8f873d902b41cfcfe0fa1
      • Opcode Fuzzy Hash: 515b6b2f2ad702aa160e20a43fbc576f5d89fd697fd17e49b0e1f82d922a829c
      • Instruction Fuzzy Hash: 03416D71E00209AFDB14DFA4CD85BAEFBB5FF44304F20852AE901BA291DB746D548B99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E00408EC0(void* __ecx, void* __eflags, void* _a4, short* _a8) {
      				signed int _v8;
      				intOrPtr _v16;
      				struct tagPOINT _v24;
      				signed int _v28;
      				char* _v32;
      				short* _v36;
      				void* _v40;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t43;
      				signed int _t48;
      				signed int _t49;
      				signed int _t52;
      				signed int _t54;
      				void* _t69;
      				char* _t70;
      				char* _t82;
      				signed int _t84;
      				void* _t85;
      				int _t87;
      				signed int _t88;
      				void* _t92;
      
      				_t92 = __eflags;
      				_t43 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t43 ^ _t88;
      				_t85 = __ecx;
      				_v40 = _a4;
      				_v36 = _a8;
      				_t48 = SendMessageW( *(__ecx + 0x14), 0x1200, 0, 0) + 1;
      				_v28 = _t48;
      				_t49 = _t48 + _t48;
      				_t84 = _t49 * 4 >> 0x20;
      				_push( ~(0 | _t92 > 0x00000000) | _t49 * 0x00000004);
      				_t70 = E0046EE59(_t69, _t85, _t92);
      				_t52 = _v28;
      				_v32 = _t70;
      				 *(_t70 + _t52 * 4) = 0;
      				SendMessageW( *(_t85 + 0x14), 0x1211, _t52 - 1, _t70 + (_t52 + 1) * 4);
      				_t54 = _v28;
      				_t87 = 0;
      				if(_t54 > 0) {
      					do {
      						_push( &_v24);
      						if(_t87 != 0) {
      							_t29 = _t87 - 1; // -1
      							SendMessageW( *(_t85 + 0x14), 0x1207, _t29, ??);
      							MapWindowPoints( *(_t85 + 0x14),  *(_t85 + 8),  &_v24, 2);
      						} else {
      							SendMessageW( *(_t85 + 0xc), 0x1207, _t87, ??);
      							MapWindowPoints( *(_t85 + 0xc),  *(_t85 + 8),  &_v24, 2);
      						}
      						_t82 = _v32;
      						 *((intOrPtr*)(_t82 + _t87 * 4)) = _v16 - _v24.x;
      						_t87 = _t87 + 1;
      						_t54 = _v28;
      					} while (_t87 < _t54);
      					_t70 = _t82;
      				}
      				RegSetValueExW(_v40, _v36, 0, 3, _t70, _t54 << 3);
      				L0047002A(_t70);
      				return E0046F77E(_t70, _v8 ^ _t88, _t84, _t85, _t87);
      			}

      [Address column for E00408EC0: 0x00408ec0 to 0x00408fd2, the instruction addresses listed beside each decompiled line above; the side-by-side alignment did not survive extraction.]

      APIs
      • SendMessageW.USER32(?,00001200,00000000,00000000), ref: 00408EF3
      • SendMessageW.USER32(?,00001211,?,?), ref: 00408F36
      • SendMessageW.USER32(?,00001207,00000000,?), ref: 00408F58
      • SendMessageW.USER32(?,00001207,-00000001,?), ref: 00408F78
      • MapWindowPoints.USER32 ref: 00408F8A
      • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 00408FB1
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$PointsValueWindow
      • String ID:
      • API String ID: 1696023120-0
      • Opcode ID: 8af25418050917dcb8509a66b6a5ad9402db2359ff955ef8dac3b4cd91af5e19
      • Instruction ID: e8d6a5c68c127f28d509d58c8c053ebda383ea7514777d1ac83fbe1d6573130b
      • Opcode Fuzzy Hash: 8af25418050917dcb8509a66b6a5ad9402db2359ff955ef8dac3b4cd91af5e19
      • Instruction Fuzzy Hash: D6316371A00109BFDB00DFA4DD45FAEBBB9FB08300F00412AF645E7291DB76A925CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E0042EB50(void* __eflags, struct HWND__* _a4, void* _a8, short* _a12) {
      				char _v5;
      				int _v12;
      				int _v16;
      				void* __ebx;
      				void* __edi;
      				char* _t32;
      				int _t42;
      				void* _t46;
      				char* _t47;
      				int _t54;
      				int _t56;
      				void* _t60;
      
      				_t60 = __eflags;
      				_t54 = SendMessageW(SendMessageW(_a4, 0x101f, 0, 0), 0x1200, 0, 0);
      				_push( ~(0 | _t60 > 0x00000000) | (_t54 + _t54) * 0x00000004);
      				_t32 = E0046EE59(_t46, _t54, _t60);
      				_v5 = 0;
      				_t47 = _t32;
      				_v12 = 0xffffffff;
      				_v16 = _t54 * 8;
      				if(RegQueryValueExW(_a8, _a12, 0,  &_v12, _t47,  &_v16) == 0 && _v12 == 3 && _v16 == _t54 * 8) {
      					SendMessageW(_a4, 0x103a, _t54, _t47 + _t54 * 4);
      					_t56 = 0;
      					if(_t54 != 0) {
      						do {
      							_t42 =  *(_t47 + _t56 * 4);
      							if(_t42 != 0) {
      								SendMessageW(_a4, 0x101e, _t56, MulDiv(_t42,  *0x4bc894, 0x60) & 0x0000ffff);
      							}
      							_t56 = _t56 + 1;
      						} while (_t56 < _t54);
      					}
      					_v5 = 1;
      				}
      				L0047002A(_t47);
      				return _v5;
      			}
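      Editor's note with an added example. E00408EC0 and E0042EB50 above are the write and read halves of one round trip: the first serialises the list-view column layout and stores it with RegSetValueExW as type 3 (REG_BINARY), the second reads it back with RegQueryValueExW and applies it only if the reported type is 3 and the length is exactly count * 8, then rescales every non-zero width with MulDiv(width, dpi, 0x60) before LVM_SETCOLUMNWIDTH. Two details are easy to misread in the decompiler output: the expression ~(0 | carry) | n * 4 pushed before the allocation call E0046EE59 is the overflow guard on the allocation size (the upper half of the product is tested and, on carry, the size saturates to 0xFFFFFFFF so the allocation fails), and the & 0x0000ffff on the MulDiv result is the MAKELPARAM(cx, 0) form that LVM_SETCOLUMNWIDTH expects. The C below is added here and is not code from the sample or from Joe Sandbox; it builds without Windows headers, and the blob layout (count widths followed by count order indices), all names, and the extra sign and permutation checks are this example's own assumptions and additions, not taken from the binary.

```c
/* Added example: portable re-creation of the registry layout round trip seen
 * in E00408EC0 (writer) and E0042EB50 (reader). Not code from the analyzed
 * sample or the sandbox. REG_BINARY == 3 and 96 dpi are real Win32 constants;
 * the blob layout and every name below are this example's own assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define REG_BINARY 3u   /* value type E0042EB50 insists on */
#define BASE_DPI   96   /* the 0x60 denominator passed to MulDiv */

static int32_t get_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, int32_t v)
{
    uint32_t u = (uint32_t)v;
    p[0] = (uint8_t)u;         p[1] = (uint8_t)(u >> 8);
    p[2] = (uint8_t)(u >> 16); p[3] = (uint8_t)(u >> 24);
}

/* count * 8 on a 32-bit target with the overflow guard the decompiler shows:
 * the high half of the product is tested and ~(carry) is OR-ed into the low
 * half, so an overflowing request becomes 0xFFFFFFFF and the allocator fails
 * instead of returning an undersized buffer. */
uint32_t layout_alloc_size32(uint32_t count)
{
    uint64_t product = (uint64_t)count * 8u;
    uint32_t sat = (product >> 32) ? 0xFFFFFFFFu : 0u;   /* ~(0 | carry) */
    return sat | (uint32_t)product;
}

/* Writer side: widths[0..count) then order[0..count), little-endian 32-bit
 * each. Returns the byte count to pass as cbData, or 0 if it does not fit. */
uint32_t build_column_layout(const int32_t *widths, const int32_t *order,
                             uint32_t count, uint8_t *out, uint32_t out_cb)
{
    uint32_t need = layout_alloc_size32(count);
    if (need == 0xFFFFFFFFu || need > out_cb) return 0;
    for (uint32_t i = 0; i < count; i++) {
        put_le32(out + i * 4u, widths[i]);
        put_le32(out + (count + i) * 4u, order[i]);
    }
    return need;
}

typedef enum { LAYOUT_OK, LAYOUT_BAD_TYPE, LAYOUT_BAD_SIZE,
               LAYOUT_BAD_WIDTH, LAYOUT_BAD_ORDER } layout_status;

/* Reader side. The type and exact-length checks are the ones E0042EB50 makes
 * before LVM_SETCOLUMNORDERARRAY: a value saved for a different column count,
 * a string, or a truncated blob is ignored and the default layout stays. The
 * sign check on widths and the permutation check on the order array are added
 * hardening; the sample itself leaves those to the common controls. */
layout_status parse_column_layout(uint32_t reg_type, const uint8_t *blob, uint32_t cb,
                                  uint32_t count, int32_t *widths, int32_t *order)
{
    if (reg_type != REG_BINARY)           return LAYOUT_BAD_TYPE;
    if (cb != layout_alloc_size32(count)) return LAYOUT_BAD_SIZE;
    for (uint32_t i = 0; i < count; i++) {
        widths[i] = get_le32(blob + i * 4u);
        order[i]  = get_le32(blob + (count + i) * 4u);
    }
    for (uint32_t i = 0; i < count; i++) {
        if (widths[i] < 0) return LAYOUT_BAD_WIDTH;
        if (order[i] < 0 || (uint32_t)order[i] >= count) return LAYOUT_BAD_ORDER;
        for (uint32_t j = 0; j < i; j++)
            if (order[j] == order[i]) return LAYOUT_BAD_ORDER;   /* duplicate */
    }
    return LAYOUT_OK;
}

/* MulDiv(width, dpi, 96), rounded to nearest as MulDiv does, then masked to
 * the low word because LVM_SETCOLUMNWIDTH takes MAKELPARAM(cx, 0). The mask
 * turns a negative saved width into a large positive one, which is why the
 * reader above rejects negative widths instead of relying on it. */
int32_t scale_width(int32_t width, int32_t dpi)
{
    int64_t num = (int64_t)width * dpi;
    int64_t res = (num >= 0 ? num + BASE_DPI / 2 : num - BASE_DPI / 2) / BASE_DPI;
    return (int32_t)(res & 0xFFFF);
}

int main(void)
{
    /* constructed input: three columns saved at 96 dpi, displayed in order 2,0,1 */
    int32_t w[3] = { 120, 80, 300 }, o[3] = { 2, 0, 1 }, rw[3], ro[3];
    uint8_t blob[24];
    uint32_t cb = build_column_layout(w, o, 3, blob, sizeof blob);
    printf("accepted=%d\n", parse_column_layout(REG_BINARY, blob, cb, 3, rw, ro) == LAYOUT_OK);
    printf("width0 at 120 dpi=%d\n", scale_width(rw[0], 120));
    printf("truncated rejected=%d\n", parse_column_layout(REG_BINARY, blob, 20, 3, rw, ro) == LAYOUT_BAD_SIZE);
    return 0;
}
```

      The exact-length comparison is the important part for a reader of untrusted registry data: a size check of "at least count * 8" would let a blob saved by an older build with more columns be applied to a narrower list view, and an "at most" check would let a short blob leave the tail of the order array uninitialised.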















      [Address column for E0042EB50: 0x0042eb50 to 0x0042ec34, the instruction addresses listed beside each decompiled line above; the side-by-side alignment did not survive extraction.]

      APIs
      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042EB6B
      • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0042EB77
      • RegQueryValueExW.ADVAPI32(?,?,00000000,FFFFFFFF,00000000,?), ref: 0042EBBF
      • SendMessageW.USER32(00000003,0000103A,00000000,00000000), ref: 0042EBE8
      • MulDiv.KERNEL32(00000000,00000060), ref: 0042EC00
      • SendMessageW.USER32(00000003,0000101E,00000000,?), ref: 0042EC13
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$QueryValue
      • String ID:
      • API String ID: 2593870389-0
      • Opcode ID: 829599c14ca1e6fb283f1dd32e985da0d22de974c80b5f18c4e2dc571cfbd65a
      • Instruction ID: 68418ce0d111f893889786acc204599c9e061f8c6bcff02bb638311b34fd61a1
      • Opcode Fuzzy Hash: 829599c14ca1e6fb283f1dd32e985da0d22de974c80b5f18c4e2dc571cfbd65a
      • Instruction Fuzzy Hash: 9221F471A00218BBEB208FA5DC45FEF7BADEB04740F004176FA15EA191E77699158BA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0042ECF0(struct HWND__* _a4, struct tagPOINT* _a8) {
      				signed int _v8;
      				struct tagRECT _v24;
      				void* __edi;
      				void* __esi;
      				signed int _t25;
      				int _t33;
      				long _t39;
      				long _t40;
      				void* _t46;
      				void* _t54;
      				struct HWND__* _t55;
      				struct tagPOINT* _t56;
      				signed int _t57;
      
      				_t25 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t25 ^ _t57;
      				_t56 = _a8;
      				_t55 = _a4;
      				if(_t56->x != 0xffffffff || _t56->y != 0xffffffff) {
      					GetWindowRect(_t55,  &_v24);
      					PtInRect( &_v24, _t56->x);
      					return E0046F77E(_t46, _v8 ^ _t57, _t54, _t55, _t56, _t56->y);
      				} else {
      					_t33 = SendMessageW(_t55, 0x1042, 0, 0);
      					if(_t33 >= 0) {
      						_v24.left = 2;
      						SendMessageW(_t55, 0x100e, _t33,  &_v24);
      						 *_t56 = _v24.left;
      						_t56->y = _v24.top;
      						GetClientRect(_t55,  &_v24);
      						_t39 = _v24.top;
      						if(_t56->y < _t39) {
      							_t56->y = _t39;
      						}
      						_t40 = _v24.bottom;
      						if(_t56->y > _t40) {
      							_t56->y = _t40;
      						}
      						ClientToScreen(_t55, _t56);
      						return E0046F77E(_t46, _v8 ^ _t57, _t54, _t55, _t56);
      					} else {
      						return E0046F77E(_t46, _v8 ^ _t57, _t54, _t55, _t56);
      					}
      				}
      			}

      APIs
      • SendMessageW.USER32(?,00001042,00000000,00000000), ref: 0042ED25
      • SendMessageW.USER32(?,0000100E,00000000,?), ref: 0042ED53
      • GetClientRect.USER32 ref: 0042ED69
      • ClientToScreen.USER32(?,?), ref: 0042ED87
      • GetWindowRect.USER32 ref: 0042EDA4
      • PtInRect.USER32(?,?,?), ref: 0042EDB3
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Rect$ClientMessageSend$ScreenWindow
      • String ID:
      • API String ID: 3626819562-0
      • Opcode ID: 1041a113d4950a525b2d33a9bb6e6be99709db38e3a96d69e532dd4c1e775049
      • Instruction ID: 6d27f46e81dcb35da30efe6e0f13e419a9d85bc90cb52bde0a8f80545d23ee42
      • Opcode Fuzzy Hash: 1041a113d4950a525b2d33a9bb6e6be99709db38e3a96d69e532dd4c1e775049
      • Instruction Fuzzy Hash: D3219E31A00209AFCB20DFA9E945ABFB7F8EF04711B10466EE856E7290D734A9058B65
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E00422030(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8) {
      				signed int _v8;
      				short _v8200;
      				intOrPtr _v8204;
      				void* __ebx;
      				void* __edi;
      				signed int _t14;
      				signed int _t23;
      				signed int _t27;
      				void* _t33;
      				intOrPtr _t34;
      				signed short* _t36;
      				signed int _t37;
      				void* _t38;
      				void* _t40;
      				void* _t41;
      				void* _t47;
      
      				_t35 = __esi;
      				_t33 = __edx;
      				E00472600(0x2008);
      				_t14 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t14 ^ _t37;
      				_t27 = 0;
      				_v8204 = _a8;
      				_t34 = _a4;
      				_t41 =  *0x4bd790 - _t27; // 0x0
      				if(_t41 > 0) {
      					_push(__esi);
      					do {
      						E004110C0(_t33, _t34,  *((intOrPtr*)(0x4bd794 + _t27 * 4)),  &_v8200, 0x1000);
      						if(_t27 > 0) {
      							E00472329(_t33, 0x2c, _t34);
      							_t38 = _t38 + 8;
      						}
      						E00472329(_t33, 0x22, _t34);
      						_t40 = _t38 + 8;
      						_t36 =  &_v8200;
      						if(_v8200 != 0) {
      							do {
      								if( *_t36 == 0x22) {
      									E00472329(_t33, 0x22, _t34);
      									_t40 = _t40 + 8;
      								}
      								_t23 =  *_t36 & 0x0000ffff;
      								_push(_t34);
      								if(_t23 != 0xa) {
      									_push(_t23);
      								} else {
      									_push(0x3b);
      								}
      								E00472329(_t33);
      								_t36 =  &(_t36[1]);
      								_t40 = _t40 + 8;
      							} while ( *_t36 != 0);
      						}
      						E00472329(_t33, 0x22, _t34);
      						_t27 = _t27 + 1;
      						_t38 = _t40 + 8;
      						_t47 = _t27 -  *0x4bd790; // 0x0
      					} while (_t47 < 0);
      					_pop(_t35);
      				}
      				E00472329(_t33, 0xa, _t34);
      				asm("sbb eax, eax");
      				return E0046F77E(_t27, _v8 ^ _t37, _t33, _t34, _t35);
      			}

      APIs
      • __fputwc_nolock.LIBCMT ref: 00422085
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 0047234A
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 0047235B
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 00472367
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 00472372
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 00472398
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723A4
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723B0
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 004723BB
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723E1
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723ED
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723F9
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 00472404
        • Part of subcall function 00472329: __cftof.LIBCMT ref: 0047242D
      • __fputwc_nolock.LIBCMT ref: 00422090
      • __fputwc_nolock.LIBCMT ref: 004220B1
      • __fputwc_nolock.LIBCMT ref: 004220C7
      • __fputwc_nolock.LIBCMT ref: 004220DB
      • __fputwc_nolock.LIBCMT ref: 004220FA
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateHeap$__fputwc_nolock$__cftof
      • String ID:
      • API String ID: 4074333276-0
      • Opcode ID: 76109bda763a5a6def185722245085a1bb25806925d048e836647f49429a075d
      • Instruction ID: 886eb50d661d37b0b9f79526cb97e1a95d9fc596d125a53b899121a008b95987
      • Opcode Fuzzy Hash: 76109bda763a5a6def185722245085a1bb25806925d048e836647f49429a075d
      • Instruction Fuzzy Hash: 6E21DA71E0021477D730AF65AE86AEA73A4EB51700F90416EFB4C97181FAFC5A84C669
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0042EC40(void* __eflags, struct HWND__* _a4, void* _a8, short* _a12) {
      				void* __ebx;
      				void* __edi;
      				int _t29;
      				void* _t37;
      				char* _t38;
      				int _t40;
      				void* _t44;
      
      				_t44 = __eflags;
      				_t29 = SendMessageW(SendMessageW(_a4, 0x101f, 0, 0), 0x1200, 0, 0);
      				_push( ~(0 | _t44 > 0x00000000) | (_t29 + _t29) * 0x00000004);
      				_t38 = E0046EE59(_t29, _t37, _t44);
      				SendMessageW(_a4, 0x103b, _t29, _t38 + _t29 * 4);
      				_t40 = 0;
      				if(_t29 != 0) {
      					do {
      						 *((intOrPtr*)(_t38 + _t40 * 4)) = MulDiv(SendMessageW(_a4, 0x101d, _t40, 0), 0x60,  *0x4bc894);
      						_t40 = _t40 + 1;
      					} while (_t40 < _t29);
      				}
      				RegSetValueExW(_a8, _a12, 0, 3, _t38, _t29 * 8);
      				return L0047002A(_t38);
      			}

      APIs
      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042EC58
      • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0042EC64
      • SendMessageW.USER32(?,0000103B,00000000), ref: 0042EC93
      • SendMessageW.USER32(?,0000101D,00000000,00000000), ref: 0042ECB3
      • MulDiv.KERNEL32(00000000), ref: 0042ECBA
      • RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000003,00000000,00000000), ref: 0042ECDB
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$Value
      • String ID:
      • API String ID: 2464815477-0
      • Opcode ID: ca794250acf4ee7b64008666353c9340a9e463ab154bd2329c9d206358f795df
      • Instruction ID: 060cd88721f9c15eb07163cfb4217a794d20ffe4aef0ed52f1e1a37d4ca58b62
      • Opcode Fuzzy Hash: ca794250acf4ee7b64008666353c9340a9e463ab154bd2329c9d206358f795df
      • Instruction Fuzzy Hash: 291140726403147BFB105FA1EC46FAB3E5CEB09750F000139F705A91E0D7B66815D798
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E00472D60(struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t15;
      				DWORD* _t20;
      				char _t25;
      				void* _t34;
      
      				_t25 = _a12;
      				_t32 = 0;
      				if(_t25 != 0) {
      					_t34 = E00477D65(1, 0x3bc);
      					__eflags = _t34;
      					if(_t34 == 0) {
      						L7:
      						E0047040C(_t34);
      						__eflags = _t32;
      						if(_t32 != 0) {
      							E00474331(_t32);
      						}
      						_t15 = 0;
      						__eflags = 0;
      						L10:
      						return _t15;
      					}
      					_push( *((intOrPtr*)(E0047518B() + 0x6c)));
      					_push(_t34);
      					E00475212(_t25, 0, _t34, __eflags);
      					 *(_t34 + 4) =  *(_t34 + 4) | 0xffffffff;
      					 *((intOrPtr*)(_t34 + 0x58)) = _a16;
      					_t20 = _a24;
      					 *((intOrPtr*)(_t34 + 0x54)) = _t25;
      					__eflags = _t20;
      					if(_t20 == 0) {
      						_t20 =  &_a12;
      					}
      					_t15 = CreateThread(_a4, _a8, E00472EC0, _t34, _a20, _t20);
      					__eflags = _t15;
      					if(_t15 != 0) {
      						goto L10;
      					} else {
      						_t32 = GetLastError();
      						goto L7;
      					}
      				}
      				 *((intOrPtr*)(E00474352())) = 0x16;
      				E004742E3();
      				return 0;
      			}

      APIs
      • __calloc_crt.LIBCMT ref: 00472D8A
      • __initptd.LIBCMT ref: 00472DA0
      • CreateThread.KERNEL32 ref: 00472DCE
      • GetLastError.KERNEL32(?,0043D1F7,00000000,00000000,0043C260,00000000,00000000,?), ref: 00472DD8
      • _free.LIBCMT ref: 00472DE1
      • __dosmaperr.LIBCMT ref: 00472DEC
        • Part of subcall function 00474352: __getptd_noexit.LIBCMT ref: 00474352
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit__initptd_free
      • String ID:
      • API String ID: 2249848437-0
      • Opcode ID: 0e7719480df7b89aa48c68bd9251f33f0e1ca4b27bc527e95bcbaad37db77b94
      • Instruction ID: c804bd99ccf9f9af4a6e13f3cf8bf96da379ca6ce36e34047cfe865b1c24c06a
      • Opcode Fuzzy Hash: 0e7719480df7b89aa48c68bd9251f33f0e1ca4b27bc527e95bcbaad37db77b94
      • Instruction Fuzzy Hash: B711C2321046066F9720AFA6DD419EB7B99EF44764B10802FFD1CC6251EB7998018768
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E00424E50(struct HDC__* _a4, WCHAR* _a8, RECT* _a12, signed int _a16) {
      				signed int _v8;
      				struct tagRECT _v24;
      				WCHAR* _v28;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t14;
      				struct HDC__* _t25;
      				void* _t29;
      				signed int _t31;
      				void* _t36;
      				signed int _t37;
      
      				_t14 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t14 ^ _t37;
      				_t25 = _a4;
      				_t35 = _a12;
      				_v28 = _a8;
      				_t36 = CreateSolidBrush(GetBkColor(_t25));
      				FillRect(_t25, _a12, _t36);
      				DeleteObject(_t36);
      				SetBkMode(_t25, 2);
      				asm("movdqu xmm0, [edi]");
      				_t31 = _a16;
      				asm("movdqu [ebp-0x14], xmm0");
      				if(_t31 != 0) {
      					_t29 = _v24.right - 6;
      					_t30 =  <  ? _v24.left : _t29;
      					_v24.right =  <  ? _v24.left : _t29;
      				}
      				asm("sbb edx, edx");
      				DrawTextW(_t25, _v28, 0xffffffff,  &_v24,  ~_t31 & 0x00000002 | 0x00040824);
      				return E0046F77E(_t25, _v8 ^ _t37,  ~_t31 & 0x00000002 | 0x00040824, _t35, _t36);
      			}

      APIs
      • GetBkColor.GDI32(?), ref: 00424E70
      • CreateSolidBrush.GDI32(00000000), ref: 00424E77
      • FillRect.USER32 ref: 00424E82
      • DeleteObject.GDI32(00000000), ref: 00424E89
      • SetBkMode.GDI32(?,00000002), ref: 00424E92
      • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00424ED0
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: BrushColorCreateDeleteDrawFillModeObjectRectSolidText
      • String ID:
      • API String ID: 3977782055-0
      • Opcode ID: 38539a5861904a787a3fab941d1a82843328e77784f4a9d0a04b568b56e50966
      • Instruction ID: c394a178d6c05f7e1326b2b677d398f8279a337d5fdab54dfb041070e539647a
      • Opcode Fuzzy Hash: 38539a5861904a787a3fab941d1a82843328e77784f4a9d0a04b568b56e50966
      • Instruction Fuzzy Hash: 21119471901209EBCB00DFA9DD49CAFBBB9FF89311B10853DF902A3240DA345904CBA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0043B620(struct _CRITICAL_SECTION* __ecx) {
      				int _t15;
      				long _t22;
      				void* _t24;
      				intOrPtr* _t29;
      				struct _CRITICAL_SECTION* _t33;
      				void* _t34;
      
      				_t33 = __ecx;
      				EnterCriticalSection(__ecx);
      				if( *((intOrPtr*)(_t33 + 0x20)) != 0) {
      					do {
      						_t2 = _t33 + 0x1c; // 0x77cfe0
      						_t24 =  *( *((intOrPtr*)( *_t2)) + 8);
      						_t4 = _t33 + 0x1c; // 0x77cfe0
      						_t29 =  *((intOrPtr*)( *_t4));
      						 *((intOrPtr*)( *((intOrPtr*)(_t29 + 4)))) =  *_t29;
      						 *((intOrPtr*)( *_t29 + 4)) =  *((intOrPtr*)(_t29 + 4));
      						 *((intOrPtr*)(_t33 + 0x20)) =  *((intOrPtr*)(_t33 + 0x20)) - 1;
      						E0046EF07(_t29);
      						_t34 = _t34 + 4;
      						_t10 = _t33 + 0x28; // 0x2340000
      						_t22 = HeapSize( *_t10, 0, _t24);
      						_t11 = _t33 + 0x28; // 0x2340000
      						_t15 = HeapFree( *_t11, 0, _t24);
      						EnterCriticalSection(_t33);
      						 *((intOrPtr*)(_t33 + 0x24)) =  *((intOrPtr*)(_t33 + 0x24)) - _t22;
      						LeaveCriticalSection(_t33);
      					} while ( *((intOrPtr*)(_t33 + 0x20)) != 0);
      				}
      				LeaveCriticalSection(_t33);
      				return _t15;
      			}

      APIs
      • EnterCriticalSection.KERNEL32(004BCE48,749682C0,0043A954,?,?,?,?,?,?,?,0045F959,00000000), ref: 0043B624
      • HeapSize.KERNEL32(02340000,00000000,?,?,?,?,?,?,?,?,?,0045F959,00000000), ref: 0043B660
      • HeapFree.KERNEL32(02340000,00000000,?,?,?,?,?,?,?,?,0045F959,00000000), ref: 0043B66E
      • EnterCriticalSection.KERNEL32(004BCE48,?,?,?,?,?,?,?,0045F959,00000000), ref: 0043B675
      • LeaveCriticalSection.KERNEL32(004BCE48,?,?,?,?,?,?,?,0045F959,00000000), ref: 0043B67F
      • LeaveCriticalSection.KERNEL32(004BCE48,?,?,?,?,?,?,?,0045F959,00000000), ref: 0043B68E
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterHeapLeave$FreeSize
      • String ID:
      • API String ID: 759786483-0
      • Opcode ID: b2b959f9bf7a9bf6a038a99d916087625dcf50dd240839aa0dc55d69e3783ed9
      • Instruction ID: cdf045a6680d61cba78d442a94e13a0e8a45849389dad05a6b061654c650357c
      • Opcode Fuzzy Hash: b2b959f9bf7a9bf6a038a99d916087625dcf50dd240839aa0dc55d69e3783ed9
      • Instruction Fuzzy Hash: A0012975501A00DFD320DF29E848A1AB7F4FF49315F14466DF94687261D734AC86CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 66%
      			E0040B856(long __esi) {
      				void* __ebx;
      				struct HWND__* _t19;
      				void* _t20;
      				void* _t23;
      				void* _t24;
      				long _t25;
      				void* _t26;
      				signed int _t27;
      
      				_t25 = __esi;
      				do {
      					 *((intOrPtr*)(_t27 - 0xc)) = _t25;
      					 *((intOrPtr*)(_t27 - 8)) = 0xffffffff;
      					StartPage( *(_t27 - 0x74));
      					_t25 = SendMessageW(_t19, 0x439, 1, _t27 - 0x34);
      					EndPage( *(_t27 - 0x74));
      				} while (_t25 <  *((intOrPtr*)(_t27 - 0x38)));
      				SendMessageW(_t19, 0x439, 0, 0);
      				EndDoc( *(_t27 - 0x74));
      				SetCursor( *(_t27 - 0x3c));
      				_pop(_t24);
      				_pop(_t20);
      				_pop(_t26);
      				return E0046F77E(_t20,  *(_t27 - 4) ^ _t27, _t23, _t24, _t26);
      			}

      APIs
      • StartPage.GDI32(?), ref: 0040B86D
      • SendMessageW.USER32(?,00000439,00000001,00000000), ref: 0040B87F
      • EndPage.GDI32(?), ref: 0040B886
      • SendMessageW.USER32(?,00000439,00000000,00000000), ref: 0040B89B
      • EndDoc.GDI32(?), ref: 0040B8A0
      • SetCursor.USER32(?,?,?,?,?,?,?), ref: 0040B8A9
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessagePageSend$CursorStart
      • String ID:
      • API String ID: 3588982206-0
      • Opcode ID: 14861edaa4a43491112908429129786118c1c00b4b03a67f6171740a7a860474
      • Instruction ID: 1be4333e8fa50693fe1fb5097db30ea9c369a9aa3d3974d14f4f67169dacdc5e
      • Opcode Fuzzy Hash: 14861edaa4a43491112908429129786118c1c00b4b03a67f6171740a7a860474
      • Instruction Fuzzy Hash: E7F03C35A00209EBCF20AFA1EC4AB9CBB35FB44711F204679F511A61E1DA751E55CF88
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0041F7A0(struct _CRITICAL_SECTION* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
      				char _v8;
      				char _v16;
      				char _v17;
      				char _v24;
      				char _v28;
      				void* _v32;
      				intOrPtr _v36;
      				intOrPtr _v48;
      				char _v56;
      				char _v60;
      				char _v64;
      				intOrPtr _v72;
      				intOrPtr _v76;
      				intOrPtr _v80;
      				intOrPtr _v84;
      				intOrPtr _v88;
      				intOrPtr _v96;
      				intOrPtr _v100;
      				intOrPtr _v104;
      				intOrPtr _v108;
      				intOrPtr _v112;
      				intOrPtr _v116;
      				intOrPtr _v120;
      				char _v128;
      				struct _CRITICAL_SECTION* _v132;
      				intOrPtr _v140;
      				intOrPtr _v144;
      				intOrPtr _v148;
      				intOrPtr _v152;
      				intOrPtr _v156;
      				intOrPtr _v164;
      				intOrPtr _v168;
      				intOrPtr _v172;
      				intOrPtr _v176;
      				intOrPtr _v180;
      				intOrPtr _v184;
      				intOrPtr _v188;
      				intOrPtr _v196;
      				char _v204;
      				signed int _v240;
      				char _v244;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t136;
      				intOrPtr _t148;
      				void* _t154;
      				intOrPtr _t173;
      				signed int _t176;
      				signed int _t187;
      				char _t203;
      				intOrPtr _t207;
      				struct _CRITICAL_SECTION* _t213;
      				void* _t217;
      				intOrPtr _t218;
      				signed int _t219;
      				void* _t220;
      				void* _t221;
      
      				_push(0xffffffff);
      				_push(E00487BDC);
      				_push( *[fs:0x0]);
      				_t221 = _t220 - 0xe4;
      				_t136 =  *0x4bb1dc; // 0x2927074f
      				_push(_t136 ^ _t219);
      				 *[fs:0x0] =  &_v16;
      				_t213 = __ecx;
      				_v17 = 0;
      				E0040C870( &_v244, __edx, __eflags,  *((intOrPtr*)(__ecx + 0x18)), L"Scanning Network information", E00416870(__ecx),  &_v17);
      				_v8 = 0;
      				_t187 = 0;
      				if(E00416870(__ecx) == 0) {
      					L41:
      					_v8 = 0xffffffff;
      					E0040C9C0( &_v244);
      					 *[fs:0x0] = _v16;
      					return _t187 & 0xffffff00 | _v17 == 0x00000000;
      				} else {
      					_t217 = LeaveCriticalSection;
      					_v132 = __ecx;
      					do {
      						EnterCriticalSection(_t213);
      						_v8 = 1;
      						E0040D160(_t213,  &_v56, _t187);
      						_v8 = 2;
      						if( *((short*)(_v48 + 8)) != 5) {
      							L37:
      							_t148 = E00416870(_t213);
      							_v240 = _t187;
      							_v244 = _t148;
      							_v8 = 1;
      							if(_v17 != 0) {
      								E0040F960( &_v56, _t217);
      								LeaveCriticalSection(_t213);
      								goto L41;
      							}
      							goto L38;
      						}
      						_v24 = 0;
      						_v8 = 3;
      						E00410F20(_t187,  &_v56, _t213, _t217, 0xffffffff,  &_v24);
      						_t201 =  &_v24;
      						_t154 = E0046A170( &_v24);
      						if(_t154 == 0) {
      							L10:
      							_v128 = 0;
      							_v8 = 4;
      							E0046A0B0( &_v128,  &_v24);
      							_t203 = _v128;
      							_v204 = _t203;
      							if(_t203 != 0) {
      								E0046A420(_t203);
      								_t203 = _v128;
      							}
      							_v8 = 5;
      							_v196 = _t203;
      							if(_t203 != 0) {
      								E0046A420(_t203);
      							}
      							_v188 = _v120;
      							_v184 = _v116;
      							_v180 = _v112;
      							_v176 = _v108;
      							_v172 = _v104;
      							_v168 = _v100;
      							_v164 = _v96;
      							_v156 = _v88;
      							_v152 = _v84;
      							_v148 = _v80;
      							_v144 = _v76;
      							_v140 = _v72;
      							_v8 = 6;
      							E0041CC70(_a4,  &_v64, 0,  &_v204,  *0x4bca04 & 0x000000ff);
      							_t205 = _v196;
      							_v8 = 7;
      							if(_v196 != 0) {
      								E0046A700(_t205);
      							}
      							_t206 = _v204;
      							_v8 = 4;
      							if(_v204 != 0) {
      								E0046A700(_t206);
      							}
      							_t218 = _v64;
      							if(_v60 != 0) {
      								 *((intOrPtr*)(_t218 + 0x34)) = 0;
      								 *((intOrPtr*)(_t218 + 0x38)) = 0;
      								 *((intOrPtr*)(_t218 + 0x40)) = 0;
      								 *((intOrPtr*)(_t218 + 0x44)) = 0;
      								 *((intOrPtr*)(_t218 + 0x48)) = 0;
      								 *((intOrPtr*)(_t218 + 0x4c)) = 0;
      								 *((intOrPtr*)(_t218 + 0x2c)) = 0;
      								 *((intOrPtr*)(_t218 + 0x30)) = 0;
      								 *((intOrPtr*)(_t218 + 0x50)) = 0;
      								 *((intOrPtr*)(_t218 + 0x28)) = 0;
      								 *((intOrPtr*)(_t218 + 0x20)) = 0;
      								 *((intOrPtr*)(_t218 + 0x24)) = 0;
      							}
      							_t173 = _v48;
      							if( *((intOrPtr*)(_t173 + 0x24)) != 0x103) {
      								_t207 =  *((intOrPtr*)(_t173 + 0x14));
      							} else {
      								asm("xorps xmm0, xmm0");
      								asm("movlpd [ebp-0x20], xmm0");
      								_t207 = _v36;
      							}
      							 *((intOrPtr*)(_t218 + 0x20)) =  *((intOrPtr*)(_t218 + 0x20)) + _t207;
      							asm("adc [esi+0x24], eax");
      							 *((intOrPtr*)(_t218 + 0x28)) =  *((intOrPtr*)(_t218 + 0x28)) + 1;
      							_t176 =  *(_v48 + 0xc) & 0x0000ffff;
      							if(_t176 > 9) {
      								L32:
      								_t208 = _v128;
      								_v8 = 3;
      								if(_v128 != 0) {
      									E0046A700(_t208);
      								}
      								_t209 = _v24;
      								_v8 = 2;
      								if(_v24 != 0) {
      									E0046A700(_t209);
      								}
      								_t217 = LeaveCriticalSection;
      								goto L37;
      							} else {
      								switch( *((intOrPtr*)(_t176 * 4 +  &M0041FB5C))) {
      									case 0:
      										_t117 = __esi + 0x50;
      										 *_t117 =  *((intOrPtr*)(__esi + 0x50)) + 1;
      										__eflags =  *_t117;
      										goto L32;
      									case 1:
      										 *((intOrPtr*)(__esi + 0x34)) =  *((intOrPtr*)(__esi + 0x34)) + 1;
      										_v32 = 0;
      										__eax =  &_v32;
      										_v8 = 8;
      										__ecx =  &_v56;
      										__eax = E00410F20(__ebx,  &_v56, __edi, __esi, 0,  &_v32);
      										__ecx =  &_v32;
      										__eax = E0046A170( &_v32);
      										__eax = L00437F10(__edx, __eax);
      										__ecx = _v32;
      										 *((intOrPtr*)(__esi + 0x40)) =  *((intOrPtr*)(__esi + 0x40)) + __eax;
      										_v8 = 4;
      										asm("adc [esi+0x44], edx");
      										__eflags = __ecx;
      										if(__ecx != 0) {
      											__eax = E0046A700(__ecx);
      										}
      										goto L32;
      									case 2:
      										 *((intOrPtr*)(__esi + 0x38)) =  *((intOrPtr*)(__esi + 0x38)) + 1;
      										_v28 = 0;
      										__eax =  &_v28;
      										_v8 = 9;
      										__ecx =  &_v56;
      										__eax = E00410F20(__ebx,  &_v56, __edi, __esi, 0,  &_v28);
      										__ecx =  &_v28;
      										__eax = E0046A170( &_v28);
      										__eax = L00437F10(__edx, __eax);
      										__ecx = _v28;
      										 *((intOrPtr*)(__esi + 0x48)) =  *((intOrPtr*)(__esi + 0x48)) + __eax;
      										_v8 = 4;
      										asm("adc [esi+0x4c], edx");
      										__eflags = __ecx;
      										if(__ecx != 0) {
      											__eax = E0046A700(__ecx);
      										}
      										goto L32;
      									case 3:
      										 *((intOrPtr*)(_t218 + 0x2c)) =  *((intOrPtr*)(_t218 + 0x2c)) + 1;
      										goto L32;
      									case 4:
      										 *((intOrPtr*)(__esi + 0x30)) =  *((intOrPtr*)(__esi + 0x30)) + 1;
      										goto L32;
      								}
      							}
      						}
      						while(1) {
      							_push(0x20);
      							_push(_t154);
      							_t154 = E004713E7(_t201);
      							_t221 = _t221 + 8;
      							if(_t154 == 0) {
      								goto L10;
      							}
      							if( *((short*)(_t154 + 2)) != 0x2d ||  *((short*)(_t154 + 4)) != 0x3e ||  *((short*)(_t154 + 6)) != 0x20) {
      								continue;
      							} else {
      								E0046A0F0( &_v24, _t154 + 8);
      								goto L10;
      							}
      						}
      						goto L10;
      						L38:
      						E0040F960( &_v56, _t217);
      						_v8 = 0;
      						LeaveCriticalSection(_t213);
      						_t187 = _t187 + 1;
      					} while (_t187 < E00416870(_t213));
      					goto L41;
      				}
      			}

      APIs
        • Part of subcall function 00416870: EnterCriticalSection.KERNEL32(004BCA10,00000000,?,0043B1A2,2927074F,00000000,?,?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 00416875
        • Part of subcall function 00416870: LeaveCriticalSection.KERNEL32(004BCA10,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0041687F
        • Part of subcall function 0040C870: GetTickCount.KERNEL32 ref: 0040C897
        • Part of subcall function 0040C870: GetWindowRect.USER32 ref: 0040C8D9
        • Part of subcall function 0040C870: GetAncestor.USER32(?,00000002), ref: 0040C916
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C923
        • Part of subcall function 0040C870: GetDesktopWindow.USER32 ref: 0040C930
        • Part of subcall function 0040C870: EnableWindow.USER32(00000000,00000000), ref: 0040C93D
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C944
        • Part of subcall function 0040C870: CreateThread.KERNEL32 ref: 0040C95C
      • EnterCriticalSection.KERNEL32(?,?,Scanning Network information,00000000,?,2927074F), ref: 0041F811
      • _wcschr.LIBCMT ref: 0041F863
      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,Scanning Network information,00000000,?,2927074F), ref: 0041FB0E
      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,Scanning Network information,00000000,?,2927074F), ref: 0041FB28
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      • Scanning Network information, xrefs: 0041F7DB
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$LeaveWindow$EnterParent$AncestorCountCreateDecrementDesktopEnableInterlockedRectThreadTick_wcschr
      • String ID: Scanning Network information
      • API String ID: 890716818-1195040691
      • Opcode ID: 3e5e4639a7ada4dccc757b7c2e1a0cf53b517c3a5b339bba8c4623c8d0323c70
      • Instruction ID: 2f7157c3bbc7971924a086146a241187e5ebd8934d7aeea2614ef0c37a44c8e1
      • Opcode Fuzzy Hash: 3e5e4639a7ada4dccc757b7c2e1a0cf53b517c3a5b339bba8c4623c8d0323c70
      • Instruction Fuzzy Hash: 75B14B74D01248DFDB20DFA5C955BEEBBF4AF04304F1041AEE845A3681D778AA89CB5A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 61%
      			E0044CC60(void* __ecx, void* __edi, signed int _a8, char* _a12, char* _a16) {
      				signed char _v8;
      				signed int _v16;
      				signed char _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				signed int _v36;
      				signed int _v40;
      				signed int _t69;
      				signed int _t72;
      				void* _t112;
      				signed int _t116;
      
      				_push(0xffffffff);
      				_push(E0048AFC2);
      				_push( *[fs:0x0]);
      				_t69 =  *0x4bb1dc; // 0x2927074f
      				_push(_t69 ^ _t116);
      				 *[fs:0x0] =  &_v16;
      				_t112 = __ecx;
      				_v20 = 0;
      				_t72 = _a8;
      				if(_t72 > 8) {
      					 *[fs:0x0] = _v16;
      					return L"<undefined>";
      				} else {
      					switch( *((intOrPtr*)(_t72 * 4 +  &M0044CF60))) {
      						case 0:
      							_t122 =  *0x4bd899;
      							_push(0);
      							_push( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x2c)));
      							if( *0x4bd899 == 0) {
      								_push( &_v24);
      								_t76 = E00436170(_t91, _t109, __edi, __eflags);
      								_v8 = 1;
      								_t93 = 2;
      							} else {
      								_push( &_v28);
      								_t76 = E00436110(_t91, _t109, __edi, _t122);
      								_v8 = 0;
      								_t93 = 1;
      							}
      							_t98 =  *_t76;
      							_v20 = _t93;
      							_a8 = _t98;
      							if(_t98 != 0) {
      								E0046A420(_t98);
      							}
      							_v8 = 3;
      							if((_t93 & 0x00000002) != 0) {
      								_t108 = _v24;
      								_t93 = _t93 & 0xfffffffd;
      								_v20 = _t93;
      								if(_v24 != 0) {
      									E0046A700(_t108);
      								}
      							}
      							_v8 = 4;
      							if((_t93 & 0x00000001) != 0) {
      								_t107 = _v28;
      								if(_v28 != 0) {
      									E0046A700(_t107);
      								}
      							}
      							_t79 =  *((intOrPtr*)(E00402050(E0046A170( &_a8))));
      							_v8 = 5;
      							if(_t79 == 0) {
      								_t80 = 0;
      								__eflags = 0;
      							} else {
      								_t80 =  *_t79;
      							}
      							_push(_t80);
      							_t81 = E0046A170( *((intOrPtr*)(_t112 + 4)) + 0xc);
      							_t114 = _a12;
      							E0046F3F1(_t114,  *_a16, 0xffffffff, L"%s (%s)", _t81);
      							E00403A00( &_v32);
      							_t104 = _a8;
      							_v8 = 0xffffffff;
      							if(_a8 != 0) {
      								E0046A700(_t104);
      							}
      							goto L18;
      						case 1:
      							__ecx = __esi[4];
      							__ecx = __esi[4] + 0x14;
      							__eflags = __ecx;
      							__eax = E0046A170(__ecx);
      							__ecx = _v16;
      							 *[fs:0x0] = _v16;
      							_pop(__ecx);
      							_pop(__esi);
      							_pop(__ebx);
      							return __eax;
      							goto L33;
      						case 2:
      							__ecx = __esi[4];
      							__ecx = __esi[4] + 0x10;
      							__eflags = __ecx;
      							__eax = E0046A170(__ecx);
      							__ecx = _v16;
      							 *[fs:0x0] = _v16;
      							_pop(__ecx);
      							_pop(__esi);
      							_pop(__ebx);
      							return __eax;
      							goto L33;
      						case 3:
      							__eax = L"<graph>";
      							__ecx = _v16;
      							 *[fs:0x0] = _v16;
      							_pop(__ecx);
      							_pop(__esi);
      							_pop(__ebx);
      							return L"<graph>";
      							goto L33;
      						case 4:
      							__ecx = __esi[4];
      							__ecx = __esi[4] + 0x18;
      							__eflags = __ecx;
      							__eax = E0046A170(__ecx);
      							__ecx = _v16;
      							 *[fs:0x0] = _v16;
      							_pop(__ecx);
      							_pop(__esi);
      							_pop(__ebx);
      							return __eax;
      							goto L33;
      						case 5:
      							__ecx = __esi[4];
      							__ecx = __esi[4] + 0x1c;
      							__eflags = __ecx;
      							__eax = E0046A170(__ecx);
      							__ecx = _v16;
      							 *[fs:0x0] = _v16;
      							_pop(__ecx);
      							_pop(__esi);
      							_pop(__ebx);
      							return __eax;
      							goto L33;
      						case 6:
      							__ecx = __esi[4];
      							__ecx = __esi[4] + 0x20;
      							__eflags = __ecx;
      							__eax = E0046A170(__ecx);
      							__ecx = _v16;
      							 *[fs:0x0] = _v16;
      							_pop(__ecx);
      							_pop(__esi);
      							_pop(__ebx);
      							return __eax;
      							goto L33;
      						case 7:
      							__eax = __esi[4];
      							_push( *((intOrPtr*)(__esi[4] + 0x34)));
      							__eax =  &_v36;
      							__ecx = L00433FE0(__ecx,  &_v36, ( &_v36)[0xc]);
      							_v8 = 6;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = L0046FDBD(__esi,  *_a16, _a16, 0xffffffff);
      							__ecx = _v36;
      							_v8 = 0xffffffff;
      							__eflags = __ecx;
      							if(__ecx == 0) {
      								L18:
      								 *[fs:0x0] = _v16;
      								return _t114;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								_pop(__ebx);
      								return __esi;
      							}
      							goto L33;
      						case 8:
      							__eax = __esi[4];
      							__edx = __eax[0x38];
      							__ecx = __eax[0x3c];
      							__edx = __edx | __ecx;
      							__eflags = __edx | __ecx;
      							if((__edx | __ecx) == 0) {
      								__eax = _a16;
      								__esi = _a12;
      								__eax = L0046FDBD(__esi,  *_a16, L"n/a", 0xffffffff);
      								goto L31;
      							} else {
      								_push(__ecx);
      								__eax =  &_v40;
      								__ecx = L00433FE0(__ecx,  &_v40, __edx);
      								_v8 = 7;
      								__eax = E0046A170(__eax);
      								__esi = _a12;
      								_a16 = L0046FDBD(__esi,  *_a16, _a16, 0xffffffff);
      								__ecx = _v40;
      								_v8 = 0xffffffff;
      								__eflags = __ecx;
      								if(__ecx == 0) {
      									L31:
      									__eax = __esi;
      									__ecx = _v16;
      									 *[fs:0x0] = _v16;
      									_pop(__ecx);
      									_pop(__esi);
      									_pop(__ebx);
      									return __esi;
      								} else {
      									E0046A700(__ecx) = __esi;
      									__ecx = _v16;
      									 *[fs:0x0] = _v16;
      									_pop(__ecx);
      									_pop(__esi);
      									_pop(__ebx);
      									return __esi;
      								}
      							}
      							goto L33;
      					}
      				}
      				L33:
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: __snprintf_s
      • String ID: %s (%s)$<graph>$<undefined>$n/a
      • API String ID: 3587532853-98280733
      • Opcode ID: 5d263747a0c1587d3756355a79be80404c5cf2ef30429fc5e0b8385616836805
      • Instruction ID: c4d7d0c2098316d26bbefa5641703704f88e1392cbd6890b22cdb3856a65fe2c
      • Opcode Fuzzy Hash: 5d263747a0c1587d3756355a79be80404c5cf2ef30429fc5e0b8385616836805
      • Instruction Fuzzy Hash: 3D911A72A046089FDB04DF89D851BAEB7B5EF04320F14426FE815977C1EB3AAD10CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E00442B90(void* __ebx, void* __ecx, void* __edi, void* __esi, char _a4) {
      				char _v0;
      				intOrPtr* _v12;
      				intOrPtr _v16;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				intOrPtr _v36;
      				intOrPtr _t75;
      				intOrPtr* _t77;
      				intOrPtr* _t84;
      				intOrPtr* _t89;
      				intOrPtr* _t90;
      				intOrPtr* _t91;
      				intOrPtr _t95;
      				void* _t104;
      				intOrPtr _t106;
      				intOrPtr* _t107;
      				intOrPtr _t110;
      				intOrPtr _t111;
      				intOrPtr _t112;
      				signed int _t114;
      				intOrPtr _t115;
      				intOrPtr _t117;
      				intOrPtr _t118;
      				intOrPtr* _t119;
      				intOrPtr _t121;
      				intOrPtr* _t123;
      				intOrPtr* _t125;
      				void* _t128;
      				intOrPtr _t129;
      				intOrPtr* _t130;
      				intOrPtr _t132;
      				intOrPtr _t133;
      				intOrPtr _t134;
      				intOrPtr* _t135;
      				void* _t138;
      				void* _t140;
      
      				_t123 = _a4;
      				_t104 = __ecx;
      				_t110 =  *_t123;
      				if(_t110 == 0 ||  *((intOrPtr*)(_t123 + 4)) + 0x64 <=  *((intOrPtr*)(_t123 + 8))) {
      					_t75 =  *((intOrPtr*)(_t123 + 4));
      					_t128 = _t75 + _t110;
      					 *((intOrPtr*)(_t123 + 4)) = _t75 + 0x64;
      					if(_t110 != 0) {
      						E00470850(_t128, _t104, 0x64);
      						_t140 = _t140 + 0xc;
      						 *((char*)(_t128 + 0x60)) = 1;
      					}
      					_t111 =  *_t123;
      					_t129 =  *((intOrPtr*)(_t104 + 0x68));
      					if(_t111 == 0) {
      						L7:
      						 *((intOrPtr*)(_t123 + 4)) =  *((intOrPtr*)(_t123 + 4)) + 4;
      						_t77 =  *((intOrPtr*)(_t104 + 0x64));
      						_t130 =  *_t77;
      						if(_t130 == _t77) {
      							L12:
      							return _t77;
      						} else {
      							do {
      								_t111 =  *_t123;
      								if(_t111 == 0) {
      									goto L11;
      								} else {
      									_t116 =  *((intOrPtr*)(_t123 + 4));
      									if( *((intOrPtr*)(_t123 + 4)) + 0x38 >  *((intOrPtr*)(_t123 + 8))) {
      										goto L13;
      									} else {
      										_t77 = E00470850(_t116 + _t111,  *((intOrPtr*)(_t130 + 8)), 0x38);
      										_t140 = _t140 + 0xc;
      										goto L11;
      									}
      								}
      								goto L37;
      								L11:
      								 *((intOrPtr*)(_t123 + 4)) =  *((intOrPtr*)(_t123 + 4)) + 0x38;
      								_t130 =  *_t130;
      							} while (_t130 !=  *((intOrPtr*)(_t104 + 0x64)));
      							goto L12;
      						}
      					} else {
      						_t121 =  *((intOrPtr*)(_t123 + 4));
      						if(_t121 + 4 >  *((intOrPtr*)(_t123 + 8))) {
      							goto L13;
      						} else {
      							 *((intOrPtr*)(_t121 + _t111)) = _t129;
      							goto L7;
      						}
      					}
      				} else {
      					L13:
      					_a4 = 0x7a;
      					E0046F78D( &_a4, 0x4affc8);
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					_t138 = _t140;
      					_push(_t104);
      					_push(_t130);
      					_push(_t123);
      					_t125 = _v12;
      					_t106 = _t111;
      					_v24 = _t106;
      					_t117 =  *_t125;
      					_t28 = _t125 + 4; // 0xffffffff
      					_t112 =  *_t28;
      					_t29 = _t106 + 0x1c; // 0x0
      					_t132 =  *_t29;
      					_v28 = _t112;
      					if(_t117 == 0) {
      						L17:
      						 *((intOrPtr*)(_t125 + 4)) =  *((intOrPtr*)(_t125 + 4)) + 4;
      						_t36 = _t106 + 0x1c; // 0x0
      						_t118 =  *_t125;
      						_t37 = _t125 + 4; // 0xffffffff
      						_t133 =  *_t37;
      						_t114 =  *_t36 << 2;
      						if(_t118 == 0) {
      							L19:
      							_t134 = _t133 + _t114;
      							 *((intOrPtr*)(_t125 + 4)) = _t134;
      							_t42 = _t106 + 0x1c; // 0x0
      							_t114 =  *_t42;
      							_v0 = _t133 + _t118;
      							if(_t118 == 0) {
      								L21:
      								 *((intOrPtr*)(_t125 + 4)) = _t134 + _t114 * 4;
      								_t107 = _t134 + _t118;
      								_t52 = _v12 + 0x18; // 0x0
      								_t84 =  *_t52;
      								_t135 =  *_t84;
      								if(_t135 != _t84) {
      									do {
      										_t115 =  *((intOrPtr*)(_t135 + 0x14));
      										if( *_t125 != 0) {
      											_t119 = _v0;
      											 *_t119 =  *((intOrPtr*)(_t135 + 0x10));
      											_t56 = _t125 + 4; // 0xffffffff
      											 *_t107 =  *_t56 - _v16;
      											_t107 = _t107 + 4;
      											_v0 = _t119 + 4;
      										}
      										E00442B90(_t107, _t115, _t125, _t135, _t125);
      										if( *((char*)(_t135 + 0xd)) == 0) {
      											_t89 =  *((intOrPtr*)(_t135 + 8));
      											if( *((char*)(_t89 + 0xd)) != 0) {
      												_t90 =  *((intOrPtr*)(_t135 + 4));
      												if( *((char*)(_t90 + 0xd)) == 0) {
      													while(_t135 ==  *((intOrPtr*)(_t90 + 8))) {
      														_t135 = _t90;
      														_t90 =  *((intOrPtr*)(_t90 + 4));
      														if( *((char*)(_t90 + 0xd)) == 0) {
      															continue;
      														}
      														goto L32;
      													}
      												}
      												L32:
      												_t135 = _t90;
      											} else {
      												_t135 = _t89;
      												_t91 =  *_t135;
      												while( *((char*)(_t91 + 0xd)) == 0) {
      													_t135 = _t91;
      													_t91 =  *_t135;
      												}
      											}
      										}
      										_t84 = _v12;
      										_t70 = _t84 + 0x18; // 0x0
      									} while (_t135 !=  *_t70);
      								}
      								return _t84;
      							} else {
      								_t46 = _t125 + 8; // 0x0
      								if(_t134 + _t114 * 4 >  *_t46) {
      									goto L35;
      								} else {
      									goto L21;
      								}
      							}
      						} else {
      							_t39 = _t125 + 8; // 0x0
      							if(_t133 + _t114 >  *_t39) {
      								goto L35;
      							} else {
      								goto L19;
      							}
      						}
      					} else {
      						_t31 = _t112 + 4; // 0x100000003
      						_t32 = _t125 + 8; // 0x0
      						if(_t31 >  *_t32) {
      							L35:
      							_v0 = 0x7a;
      							E0046F78D( &_v0, 0x4affc8);
      							asm("int3");
      							asm("int3");
      							_push(_t138);
      							_t95 = _v36;
      							 *((intOrPtr*)(_t114 + 0x2c)) = _t95;
      							return _t95;
      						} else {
      							 *((intOrPtr*)(_t117 + _t112)) = _t132;
      							goto L17;
      						}
      					}
      				}
      				L37:
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Exception@8Throw_memmove
      • String ID: z
      • API String ID: 630105538-1657960367
      • Opcode ID: 814458c130e4ed0127d217a5682fbdfba191363e1041b975f3879e0365df7959
      • Instruction ID: 9bf071df77175af0c6e2c98acb3d5aa57bbd294b7271284c17e27bcd32bf8aee
      • Opcode Fuzzy Hash: 814458c130e4ed0127d217a5682fbdfba191363e1041b975f3879e0365df7959
      • Instruction Fuzzy Hash: A361BDB190060AAFEB24CF08C280A5AF7E5FF41354F98C56AE8589B701D378FD94CB94
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • send.WS2_32(?,?,00000000), ref: 0043B29C
      • send.WS2_32(?,00000004,00000000), ref: 0043B346
      • send.WS2_32(?,?,00000000), ref: 0043B35B
        • Part of subcall function 0046EEB6: _malloc.LIBCMT ref: 0046EECE
        • Part of subcall function 00415A70: InitializeCriticalSection.KERNEL32(-000004EC,2927074F,004BCA10,00000000,749682C0), ref: 00415ADA
        • Part of subcall function 00415A70: InitializeSRWLock.KERNEL32(?,00000000,00000000), ref: 00415B8F
      • ExitProcess.KERNEL32 ref: 0043B3E1
      Strings
      • PROCMON: Terminating due to unexpected socket error, xrefs: 0043B3D2
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: send$Initialize$CriticalExitLockProcessSection_malloc
      • String ID: PROCMON: Terminating due to unexpected socket error
      • API String ID: 61645318-1104934420
      • Opcode ID: b933cf50be831982245a72740b6b74e186413ace2bb33f016c777b197b3f8e20
      • Instruction ID: daaeec84ee512b3cfa3c446c0299bc563e32a0fd57e7302c2cb4f5e8904a487c
      • Opcode Fuzzy Hash: b933cf50be831982245a72740b6b74e186413ace2bb33f016c777b197b3f8e20
      • Instruction Fuzzy Hash: 3F61D071900214DFDB21CF64C885BAE7BB4FF09314F14822FE94697291E779E945CBA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E00460438(intOrPtr* __esi) {
      				intOrPtr _t76;
      				signed int _t98;
      				void* _t106;
      				void* _t116;
      				void* _t117;
      				intOrPtr _t118;
      				signed int _t119;
      				intOrPtr _t125;
      				signed int _t127;
      				void* _t128;
      				long _t129;
      				intOrPtr _t130;
      				signed int _t131;
      				intOrPtr _t132;
      				intOrPtr* _t134;
      				void* _t135;
      				intOrPtr* _t136;
      				signed int _t137;
      				void* _t139;
      				void* _t149;
      				void* _t151;
      
      				_t134 = __esi;
      				L6:
      				while(1) {
      					while(WaitForSingleObject( *0x4bce44, 0) != 0) {   // zero-timeout poll: keep scanning threads until the event at 0x4bce44 is signalled
      						 *((intOrPtr*)(_t137 - 0x20050)) =  *((intOrPtr*)(_t136 + 0x20));
      						 *((intOrPtr*)(_t137 - 0x2004c)) =  *((intOrPtr*)(_t136 + 0x30));
      						 *((intOrPtr*)(_t137 - 0x20048)) =  *_t136;
      						 *(_t137 - 0x20044) =  *(_t136 + 4);
      						asm("movdqu xmm0, [ebp-0x20050]");
      						 *(_t137 - 0x20040) =  *(_t136 + 8);
      						 *(_t137 - 0x2003c) =  *(_t136 + 0xc);
      						 *((intOrPtr*)(_t137 - 0x20078)) =  *((intOrPtr*)(_t136 + 0x24));
      						asm("movdqu [ebp-0x20070], xmm0");
      						asm("movq xmm0, [ebp-0x20040]");
      						asm("movq [ebp-0x20060], xmm0");
      						E0045FCF0(0x4c2524, _t137 - 0x20058, 0, _t137 - 0x20078,  *0x4c24fc & 0x000000ff);
      						_t125 =  *((intOrPtr*)(_t137 - 0x20058));
      						if( *((char*)(_t137 - 0x20054)) != 0 ||  *((intOrPtr*)(_t125 + 0x18)) !=  *((intOrPtr*)(_t136 + 0x20))) {
      							L23:
      							asm("movdqu xmm0, [ebp-0x20050]");
      							asm("movdqu [ecx+0x18], xmm0");
      							asm("movq xmm0, [ebp-0x20040]");
      							asm("movq [ecx+0x28], xmm0");
      						} else {
      							_t98 =  *(_t136 + 0xc);
      							_t127 =  *(_t136 + 8);
      							_t149 =  *(_t125 + 0x2c) - _t98;
      							if(_t149 > 0 || _t149 >= 0 &&  *(_t125 + 0x28) > _t127) {
      								goto L23;
      							} else {
      								_t131 =  *(_t136 + 4);
      								_t151 =  *(_t125 + 0x24) - _t131;
      								_t118 =  *_t136;
      								 *(_t137 - 0x20024) = _t131;
      								_t130 =  *((intOrPtr*)(_t137 - 0x20014));
      								if(_t151 > 0 || _t151 >= 0 &&  *((intOrPtr*)(_t125 + 0x20)) > _t118) {
      									L22:
      									_t117 =  *(_t137 - 0x20018);
      									goto L23;
      								} else {
      									_t132 =  *((intOrPtr*)(_t136 + 0x30));
      									if( *((intOrPtr*)(_t125 + 0x1c)) > _t132) {
      										_t130 =  *((intOrPtr*)(_t137 - 0x20014));
      										goto L22;
      									} else {
      										_t127 = _t127 -  *(_t125 + 0x28);
      										asm("sbb eax, [ecx+0x2c]");
      										_t119 = _t118 -  *((intOrPtr*)(_t125 + 0x20));
      										 *(_t137 - 0x20034) = _t98;
      										asm("sbb eax, [ecx+0x24]");
      										_t133 = _t132 !=  *((intOrPtr*)(_t125 + 0x1c));
      										 *(_t137 - 0x20038) =  *(_t137 - 0x20024);
      										 *((intOrPtr*)(_t125 + 0x20)) =  *_t136;
      										 *(_t125 + 0x24) =  *(_t137 - 0x20024);
      										 *(_t125 + 0x28) =  *(_t136 + 8);
      										 *(_t125 + 0x2c) =  *(_t136 + 0xc);
      										 *((intOrPtr*)(_t125 + 0x1c)) =  *((intOrPtr*)(_t136 + 0x30));
      										if(_t132 !=  *((intOrPtr*)(_t125 + 0x1c)) || (_t127 |  *(_t137 - 0x20034)) != 0 || (_t119 |  *(_t137 - 0x20038)) != 0) {
      											_t117 =  *(_t137 - 0x20018);
      											_t106 = L0045FE00(_t127,  *((intOrPtr*)(_t136 + 0x20)),  *((intOrPtr*)(_t136 + 0x24)), _t117, _t127, _t119, _t133, _t137 - 0x20010,  *((intOrPtr*)(_t137 - 0x2002c)));
      											_t139 = _t139 + 0x20;
      											if(_t106 != 0) {
      												E004397E0( *((intOrPtr*)(_t137 - 0x1ffe4)) + ( *(_t137 - 0x1ffe8) & 0x0000ffff) * 4 + 0x34, _t137 - 0x20010);
      												_t139 = _t139 + 8;
      											}
      										} else {
      											_t117 =  *(_t137 - 0x20018);
      										}
      										_t130 =  *((intOrPtr*)(_t137 - 0x20014));
      									}
      								}
      							}
      						}
      						_t130 = _t130 + 1;
      						_t136 = _t136 + 0x40;
      						 *((intOrPtr*)(_t137 - 0x20014)) = _t130;
      						if(_t130 <  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x2001c)) + 4))) {
      							continue;
      						} else {
      							break;
      						}
      						do {
      							goto L27;
      							L4:
      							_t130 = 0;
      							_t136 = _t134 + 0xb8;
      							 *((intOrPtr*)(_t137 - 0x20014)) = 0;
      						} while ( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x2001c)) + 4)) <= 0);
      					}
      					L27:
      					CloseHandle(_t117);
      					_t134 =  *((intOrPtr*)(_t137 - 0x2001c));
      					while(1) {
      						_t76 =  *_t134;
      						if(_t76 == 0) {
      							break;
      						}
      						_t134 = _t134 + _t76;
      						 *((intOrPtr*)(_t137 - 0x2001c)) = _t134;
      						if( *(_t134 + 0x44) > 4) {
      							_t129 =  *(_t134 + 0x44);
      							if(_t129 != GetCurrentProcessId()) {
      								_t117 = OpenProcess(0x1f0fff, 0, _t129);   // 0x1f0fff = PROCESS_ALL_ACCESS (the pre-Vista mask), bInheritHandle = FALSE
      								 *(_t137 - 0x20018) = _t117;
      								if(_t117 != 0) {
      									goto L4;
      								}
      							}
      						}
      						L31:
      					}
      					E0047040C( *((intOrPtr*)(_t137 - 0x20020)));
      					 *[fs:0x0] =  *((intOrPtr*)(_t137 - 0xc));
      					_pop(_t128);
      					_pop(_t135);
      					_pop(_t116);
      					return E0046F77E(_t116,  *(_t137 - 0x10) ^ _t137, _t127, _t128, _t135);
      					goto L31;
      				}
      			}

      [Instruction addresses for the listing above, one per code line: 0x004603e4 to 0x00460680, entry point 0x00460438; 0x00000000 marks lines that map to no instruction.]

      APIs
      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004603ED
      • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00460403
      • WaitForSingleObject.KERNEL32(00000000), ref: 00460448
      • CloseHandle.KERNEL32(00000000), ref: 00460633
      • _free.LIBCMT ref: 00460658
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Process$CloseCurrentHandleObjectOpenSingleWait_free
      • String ID: $%L
      • API String ID: 4293809632-1469901426
      • Opcode ID: 3b17448df21e1e2a76c24a361ec3c8ea0663af06c67ef2091a842dc00599ccf3
      • Instruction ID: 054334d0affc64991f50076fb92af76e1215d0e0d5a232ef7d0c30133867ff2c
      • Opcode Fuzzy Hash: 3b17448df21e1e2a76c24a361ec3c8ea0663af06c67ef2091a842dc00599ccf3
      • Instruction Fuzzy Hash: B46116B1944318DFDB70CF28C980B9AB7F0BB48304F1045AAE94DA7612E735E996CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E004603D9(intOrPtr* __esi) {
      				intOrPtr _t76;
      				signed int _t98;
      				void* _t106;
      				void* _t116;
      				void* _t117;
      				intOrPtr _t118;
      				signed int _t119;
      				intOrPtr _t125;
      				signed int _t127;
      				void* _t128;
      				long _t129;
      				intOrPtr _t130;
      				signed int _t131;
      				intOrPtr _t132;
      				intOrPtr* _t134;
      				void* _t135;
      				intOrPtr* _t136;
      				signed int _t137;
      				void* _t139;
      				void* _t149;
      				void* _t151;
      
      				_t134 = __esi;
      				L1:
      				while(1) {
      					if( *(_t134 + 0x44) <= 4) {   // PID at +0x44: Idle (0) and System (4) are skipped, and so is our own PID (checked below)
      						L28:
      						_t76 =  *_t134;
      						if(_t76 == 0) {
      							E0047040C( *((intOrPtr*)(_t137 - 0x20020)));
      							 *[fs:0x0] =  *((intOrPtr*)(_t137 - 0xc));
      							_pop(_t128);
      							_pop(_t135);
      							_pop(_t116);
      							return E0046F77E(_t116,  *(_t137 - 0x10) ^ _t137, _t127, _t128, _t135);
      						}
      						_t134 = _t134 + _t76;
      						 *((intOrPtr*)(_t137 - 0x2001c)) = _t134;
      						continue;
      					}
      					_t129 =  *(_t134 + 0x44);
      					if(_t129 == GetCurrentProcessId()) {
      						goto L28;
      					}
      					_t117 = OpenProcess(0x1f0fff, 0, _t129);   // 0x1f0fff = PROCESS_ALL_ACCESS (the pre-Vista mask), bInheritHandle = FALSE
      					 *(_t137 - 0x20018) = _t117;
      					if(_t117 == 0) {
      						goto L28;
      					}
      					_t130 = 0;
      					_t136 = _t134 + 0xb8;
      					 *((intOrPtr*)(_t137 - 0x20014)) = 0;
      					if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x2001c)) + 4)) <= 0) {
      						L27:
      						CloseHandle(_t117);
      						_t134 =  *((intOrPtr*)(_t137 - 0x2001c));
      						goto L28;
      					}
      					while(WaitForSingleObject( *0x4bce44, 0) != 0) {   // zero-timeout poll: keep scanning threads until the event at 0x4bce44 is signalled
      						 *((intOrPtr*)(_t137 - 0x20050)) =  *((intOrPtr*)(_t136 + 0x20));
      						 *((intOrPtr*)(_t137 - 0x2004c)) =  *((intOrPtr*)(_t136 + 0x30));
      						 *((intOrPtr*)(_t137 - 0x20048)) =  *_t136;
      						 *(_t137 - 0x20044) =  *(_t136 + 4);
      						asm("movdqu xmm0, [ebp-0x20050]");
      						 *(_t137 - 0x20040) =  *(_t136 + 8);
      						 *(_t137 - 0x2003c) =  *(_t136 + 0xc);
      						 *((intOrPtr*)(_t137 - 0x20078)) =  *((intOrPtr*)(_t136 + 0x24));
      						asm("movdqu [ebp-0x20070], xmm0");
      						asm("movq xmm0, [ebp-0x20040]");
      						asm("movq [ebp-0x20060], xmm0");
      						E0045FCF0(0x4c2524, _t137 - 0x20058, 0, _t137 - 0x20078,  *0x4c24fc & 0x000000ff);
      						_t125 =  *((intOrPtr*)(_t137 - 0x20058));
      						if( *((char*)(_t137 - 0x20054)) != 0 ||  *((intOrPtr*)(_t125 + 0x18)) !=  *((intOrPtr*)(_t136 + 0x20))) {
      							L23:
      							asm("movdqu xmm0, [ebp-0x20050]");
      							asm("movdqu [ecx+0x18], xmm0");
      							asm("movq xmm0, [ebp-0x20040]");
      							asm("movq [ecx+0x28], xmm0");
      							goto L26;
      						} else {
      							_t98 =  *(_t136 + 0xc);
      							_t127 =  *(_t136 + 8);
      							_t149 =  *(_t125 + 0x2c) - _t98;
      							if(_t149 > 0 || _t149 >= 0 &&  *(_t125 + 0x28) > _t127) {
      								goto L23;
      							} else {
      								_t131 =  *(_t136 + 4);
      								_t151 =  *(_t125 + 0x24) - _t131;
      								_t118 =  *_t136;
      								 *(_t137 - 0x20024) = _t131;
      								_t130 =  *((intOrPtr*)(_t137 - 0x20014));
      								if(_t151 > 0 || _t151 >= 0 &&  *((intOrPtr*)(_t125 + 0x20)) > _t118) {
      									L22:
      									_t117 =  *(_t137 - 0x20018);
      									goto L23;
      								} else {
      									_t132 =  *((intOrPtr*)(_t136 + 0x30));
      									if( *((intOrPtr*)(_t125 + 0x1c)) > _t132) {
      										_t130 =  *((intOrPtr*)(_t137 - 0x20014));
      										goto L22;
      									}
      									_t127 = _t127 -  *(_t125 + 0x28);                      // 64-bit subtract, low dwords: new +8/+0xc minus cached +0x28/+0x2c
      									asm("sbb eax, [ecx+0x2c]");                             // high dwords, with the borrow from the sub above
      									_t119 = _t118 -  *((intOrPtr*)(_t125 + 0x20));          // second 64-bit subtract: new +0/+4 minus cached +0x20/+0x24
      									 *(_t137 - 0x20034) = _t98;
      									asm("sbb eax, [ecx+0x24]");
      									_t133 = _t132 !=  *((intOrPtr*)(_t125 + 0x1c));         // "+0x30 changed" flag, taken before the cached copy is overwritten
      									 *(_t137 - 0x20038) =  *(_t137 - 0x20024);
      									 *((intOrPtr*)(_t125 + 0x20)) =  *_t136;                // cached copy now takes the new values
      									 *(_t125 + 0x24) =  *(_t137 - 0x20024);
      									 *(_t125 + 0x28) =  *(_t136 + 8);
      									 *(_t125 + 0x2c) =  *(_t136 + 0xc);
      									 *((intOrPtr*)(_t125 + 0x1c)) =  *((intOrPtr*)(_t136 + 0x30));
      									if(_t132 !=  *((intOrPtr*)(_t125 + 0x1c)) || (_t127 |  *(_t137 - 0x20034)) != 0 || (_t119 |  *(_t137 - 0x20038)) != 0) {   // the first test is always false as written (+0x1c was just assigned from +0x30); the flag actually used is _t133, and the other two tests are "either 64-bit delta is non-zero"
      										_t117 =  *(_t137 - 0x20018);
      										_t106 = L0045FE00(_t127,  *((intOrPtr*)(_t136 + 0x20)),  *((intOrPtr*)(_t136 + 0x24)), _t117, _t127, _t119, _t133, _t137 - 0x20010,  *((intOrPtr*)(_t137 - 0x2002c)));
      										_t139 = _t139 + 0x20;
      										if(_t106 != 0) {
      											E004397E0( *((intOrPtr*)(_t137 - 0x1ffe4)) + ( *(_t137 - 0x1ffe8) & 0x0000ffff) * 4 + 0x34, _t137 - 0x20010);
      											_t139 = _t139 + 8;
      										}
      									} else {
      										_t117 =  *(_t137 - 0x20018);
      									}
      									_t130 =  *((intOrPtr*)(_t137 - 0x20014));
      									L26:
      									_t130 = _t130 + 1;
      									_t136 = _t136 + 0x40;
      									 *((intOrPtr*)(_t137 - 0x20014)) = _t130;
      									if(_t130 <  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x2001c)) + 4))) {
      										continue;
      									}
      									goto L27;
      								}
      							}
      						}
      					}
      					goto L27;
      				}
      			}

      [Instruction addresses for the listing above, one per code line: 0x004603d9 to 0x00460680; 0x00000000 marks lines that map to no instruction. This is the same function body as E00460438 above, decompiled from the 0x004603d9 entry.]

      APIs
      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004603ED
      • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00460403
      • WaitForSingleObject.KERNEL32(00000000), ref: 00460448
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Process$CurrentObjectOpenSingleWait
      • String ID: $%L
      • API String ID: 1880014924-1469901426
      • Opcode ID: 45d13453b7ef8bad0665a957b8d2454d708a76d5aacafd728216bf787f752597
      • Instruction ID: eff336c207c32b37e3a9e8587185cc06b05564e7c6c58465ae280d5185d86c3c
      • Opcode Fuzzy Hash: 45d13453b7ef8bad0665a957b8d2454d708a76d5aacafd728216bf787f752597
      • Instruction Fuzzy Hash: FE6106B1944318DFDB70CF28C980B5AB7F0BB48304F1045AAE94DA7612E735E996CF59
      Uniqueness

      Uniqueness Score: -1.00%
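
What the two listings above do (E00460438 and E004603D9 are one function body decompiled from two entry points) becomes readable once the offsets are held against the x86 layout returned by NtQuerySystemInformation(SystemProcessInformation): SYSTEM_PROCESS_INFORMATION has NextEntryOffset at +0, NumberOfThreads at +4, UniqueProcessId at +0x44 and a 0xB8-byte header, followed by 0x40-byte SYSTEM_THREAD_INFORMATION entries with KernelTime at +0, UserTime at +8, ClientId at +0x20 (UniqueThread at +0x24) and ContextSwitches at +0x30. That identification is this note's inference from the offsets; the report does not name the structure, and the call that produces the buffer is outside the listing. The Python below is an added example, not code from the report or from Sysinternals. It walks a constructed buffer in that layout with the listing's skip rules (PID <= 4 and the caller's own PID), keeps a per-thread cache keyed by the +0x24 field (assumed from the lookup's argument order), reproduces the 32-bit compiler's signed-high/unsigned-low 64-bit comparison and the sub/sbb subtraction, and reports a delta event exactly where the listing reaches L0045FE00. The per-PID OpenProcess(PROCESS_ALL_ACCESS), the stop-event poll and whatever L0045FE00 does with the handle are not modelled, and the two snapshots are constructed test data.

```python
import struct

# Offsets the listing dereferences; see the lead-in for the x86 structure layout
# they match.  Process record: NextEntryOffset, NumberOfThreads, UniqueProcessId,
# thread array.  Thread record: KernelTime, UserTime, ClientId, ContextSwitches.
NEXT, NTHREADS, PID, THREADS, TSIZE = 0x00, 0x04, 0x44, 0xB8, 0x40
KTIME, UTIME, CLIENT_ID, CSW = 0x00, 0x08, 0x20, 0x30
MASK32 = 0xFFFFFFFF

def u64_gt(a, b):
    # 64-bit `a > b` as the 32-bit build emits it: signed compare of the high dwords,
    # unsigned compare of the low dwords on a tie.  Values are (lo, hi) dword pairs.
    (lo_a, hi_a), (lo_b, hi_b) = a, b
    s_hi_a = hi_a - (1 << 32) if hi_a & 0x80000000 else hi_a
    s_hi_b = hi_b - (1 << 32) if hi_b & 0x80000000 else hi_b
    return s_hi_a > s_hi_b or (s_hi_a == s_hi_b and lo_a > lo_b)

def u64_sub(a, b):
    # `sub lo, lo` then `sbb hi, hi`: 64-bit a - b with the borrow carried.
    (lo_a, hi_a), (lo_b, hi_b) = a, b
    lo = (lo_a - lo_b) & MASK32
    return lo, (hi_a - hi_b - (1 if lo_a < lo_b else 0)) & MASK32

def iter_processes(buf):
    # Walk the chain as the loop at L28 does: handle the current record, then
    # read its NextEntryOffset and stop on 0 (so the last record carries 0).
    off = 0
    while True:
        nthreads, = struct.unpack_from("<I", buf, off + NTHREADS)
        pid, = struct.unpack_from("<I", buf, off + PID)
        threads = []
        for i in range(nthreads):
            t = off + THREADS + i * TSIZE
            upid, utid = struct.unpack_from("<II", buf, t + CLIENT_ID)
            threads.append({"pid": upid, "tid": utid,
                            "ktime": struct.unpack_from("<II", buf, t + KTIME),
                            "utime": struct.unpack_from("<II", buf, t + UTIME),
                            "csw": struct.unpack_from("<I", buf, t + CSW)[0]})
        yield pid, threads
        nxt, = struct.unpack_from("<I", buf, off + NEXT)
        if nxt == 0:
            return
        off += nxt

def update(cache, t):
    # Per-thread body.  Cache keyed by the +0x24 field (assumed); a node mirrors
    # the cached +0x18..+0x2c fields: (pid, context switches, ktime, utime).
    fresh = (t["pid"], t["csw"], t["ktime"], t["utime"])
    node = cache.get(t["tid"])
    if node is None or node[0] != t["pid"]:       # new node, or TID reused by another PID
        cache[t["tid"]] = fresh                     # L23: overwrite, no event
        return ("reset",)
    _, n_csw, n_kt, n_ut = node
    if u64_gt(n_ut, t["utime"]) or u64_gt(n_kt, t["ktime"]) or n_csw > t["csw"]:
        cache[t["tid"]] = fresh                     # a counter went backwards: resync only
        return ("reset",)
    d_kt, d_ut = u64_sub(t["ktime"], n_kt), u64_sub(t["utime"], n_ut)
    cache[t["tid"]] = fresh
    if t["csw"] != n_csw or d_kt != (0, 0) or d_ut != (0, 0):
        return ("event", d_kt, d_ut, t["csw"] - n_csw)  # the L0045FE00 path
    return ("unchanged",)

def scan(buf, cache, self_pid):
    # One pass of the outer loop.  The binary also OpenProcess()es every PID it
    # keeps and hands the handle to the event path; that is not modelled here.
    events = []
    for pid, threads in iter_processes(buf):
        if pid <= 4 or pid == self_pid:             # Idle, System, and ourselves
            continue
        for t in threads:
            r = update(cache, t)
            if r[0] == "event":
                events.append((pid, t["tid"]) + r[1:])
    return events

def build_record(pid, threads, last=False):
    # Constructed test data in the same layout (not a real snapshot).
    rec = bytearray(THREADS + TSIZE * len(threads))
    struct.pack_into("<II", rec, NEXT, 0 if last else len(rec), len(threads))
    struct.pack_into("<I", rec, PID, pid)
    for i, (tid, ktime, utime, csw) in enumerate(threads):
        t = THREADS + i * TSIZE
        struct.pack_into("<IIII", rec, t + KTIME, *ktime, *utime)
        struct.pack_into("<II", rec, t + CLIENT_ID, pid, tid)
        struct.pack_into("<I", rec, t + CSW, csw)
    return bytes(rec)

# Two constructed snapshots: PID 4 must be skipped, and thread 100's kernel time
# crosses a dword boundary between them (the case the sub/sbb pair exists for).
SNAPSHOT_1 = (build_record(4, [(8, (0x10, 0), (0, 0), 5)])
              + build_record(1234, [(100, (0xFFFFFFF0, 0), (0x20, 0), 7),
                                    (101, (0x40, 0), (0x10, 0), 3)], last=True))
SNAPSHOT_2 = (build_record(4, [(8, (0x20, 0), (0, 0), 6)])
              + build_record(1234, [(100, (0x10, 1), (0x20, 0), 9),
                                    (101, (0x40, 0), (0x10, 0), 3)], last=True))

def demo():
    cache = {}
    first = scan(SNAPSHOT_1, cache, self_pid=999)   # first sight of each thread: resets only
    second = scan(SNAPSHOT_2, cache, self_pid=999)  # exactly one event, for thread 100
    return first, second
```

demo() returns an empty first pass (every thread is a fresh cache entry, the L23 path) and, on the second pass, a single event for thread 100 with a kernel-time delta of 0x20 even though the low dword wrapped, which is what the sbb is there for; thread 101 is unchanged and produces nothing. For triage the useful reading is that this loop is a per-thread counter diff over a system snapshot: within these listings the PROCESS_ALL_ACCESS handle is only passed to L0045FE00 and then closed, and what that callee does with it is not shown here.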

      C-Code - Quality: 91%
      			E00417460(struct _CRITICAL_SECTION* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
      				char _v8;
      				char _v16;
      				char _v20;
      				struct _CRITICAL_SECTION* _v24;
      				struct _CRITICAL_SECTION* _v28;
      				void* __ebx;
      				signed int _t34;
      				void* _t40;
      				intOrPtr _t41;
      				intOrPtr _t50;
      				intOrPtr _t53;
      				void* _t75;
      				struct _CRITICAL_SECTION* _t77;
      				intOrPtr _t85;
      				intOrPtr* _t87;
      				intOrPtr* _t89;
      				signed int _t91;
      
      				_t75 = __edx;
      				_push(0xffffffff);          // MSVC SEH frame: initial scope index -1
      				_push(E00486FE1);           // this function's exception-handler thunk
      				_push( *[fs:0x0]);          // previous EXCEPTION_REGISTRATION record
      				_t34 =  *0x4bb1dc; // 0x2927074f: __security_cookie
      				_push(_t34 ^ _t91);         // /GS cookie xor ebp, checked again on return
      				 *[fs:0x0] =  &_v16;        // register the new SEH frame
      				_t77 = __ecx;
      				_v20 = 0;
      				_v24 = __ecx;
      				EnterCriticalSection(__ecx);
      				_v8 = 1;
      				_v28 = _t77;
      				EnterCriticalSection(_t77);   // second acquisition by the owning thread: CRITICAL_SECTION is recursive, and every path below balances both Enters with two Leaves
      				_t6 = _t77 + 0x34; // 0x0   (end pointer of a {first, last} pair at +0x30/+0x34, the MSVC std::vector<T*> shape)
      				_t7 = _t77 + 0x30; // 0x0   (begin pointer)
      				_v8 = 2;
      				if(( *_t6 -  *_t7 & 0xfffffffc) != 0) {   // at least one 4-byte element between first and last: non-empty
      					_t12 = _t77 + 0x34; // 0x0
      					_t40 = E004405B0( *((intOrPtr*)( *_t12 - 4)) + 0x4ec, _t75, _a8);   // *(last - 4) is the final element (back()); 0x4ec is an offset into it
      					_t56 = LeaveCriticalSection;
      					_t83 = _t40;
      					_v8 = 1;
      					LeaveCriticalSection(_t77);
      					if(_t40 != 0) {
      						_t18 = _t77 + 0x34; // 0x0
      						_t19 = _t77 + 0x30; // 0x0
      						_t65 =  *_t18 -  *_t19 >> 2;
      						if( *_t18 -  *_t19 >> 2 != 0) {
      							_t41 =  *0x4bca40; // 0x0
      							_t85 = E0046A6C0(LeaveCriticalSection, _t42, E0046A530(E00467450( *((intOrPtr*)(_t41 + _t65 * 4 - 4)),  *((intOrPtr*)(_t83 + 0x3c)))));
      							_a8 = _t85;
      							_v8 = 3;
      							 *_a4 = _t85;
      							if(_t85 != 0) {
      								E0046A420(_t85);
      							}
      							_v20 = 1;
      							_v8 = 1;
      							if(_t85 != 0) {
      								E0046A700(_t85);
      							}
      							LeaveCriticalSection(_t77);
      							 *[fs:0x0] = _v16;
      							return _a4;
      						} else {
      							_t50 = E0046A6C0(LeaveCriticalSection, 0x48fc20, E0046A530(0x48fc20));
      							_t87 = _a4;
      							 *_t87 = _t50;
      							LeaveCriticalSection(_t77);
      							 *[fs:0x0] = _v16;
      							return _t87;
      						}
      					} else {
      						goto L3;
      					}
      				} else {
      					_t56 = LeaveCriticalSection;
      					_v8 = 1;
      					LeaveCriticalSection(_t77);
      					L3:
      					_t53 = E0046A6C0(_t56, 0x48fc20, E0046A530(0x48fc20));
      					_t89 = _a4;
      					 *_t89 = _t53;
      					LeaveCriticalSection(_t77);
      					 *[fs:0x0] = _v16;
      					return _t89;
      				}
      			}

      [Instruction addresses for the listing above, one per code line: 0x00417460 to 0x004175d3; 0x00000000 marks lines that map to no instruction.]

      APIs
      • EnterCriticalSection.KERNEL32(004BCA10,2927074F,?,00000000), ref: 0041749B
      • EnterCriticalSection.KERNEL32(004BCA10), ref: 004174A8
      • LeaveCriticalSection.KERNEL32(004BCA10), ref: 004174C6
      • LeaveCriticalSection.KERNEL32(004BCA10,?), ref: 004174EB
      • LeaveCriticalSection.KERNEL32(004BCA10), ref: 0041750F
      • LeaveCriticalSection.KERNEL32(004BCA10), ref: 00417552
      • LeaveCriticalSection.KERNEL32(004BCA10,?,?), ref: 004175BD
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Leave$Enter
      • String ID:
      • API String ID: 2978645861-0
      • Opcode ID: 5ed38df8e0bf5dd6c0912cc4a316c87dd5a122fa2ea6f7aef810968f401fe0a9
      • Instruction ID: 2b40e8349d61656b0f498a40875a9b9b021f701b3a7586f5355d26e5c506424b
      • Opcode Fuzzy Hash: 5ed38df8e0bf5dd6c0912cc4a316c87dd5a122fa2ea6f7aef810968f401fe0a9
      • Instruction Fuzzy Hash: 5E41B131A05614ABC700EF99D941BAEBBB4FF44714F00456FEC01A7740DB79AA108B9A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E0045F59B(void* __ebx, void* __edx, void* __edi, void* __esi) {
      				void* _t44;
      				void* _t47;
      				void* _t49;
      				void* _t51;
      				signed int _t52;
      
      				_t47 = __edx;
      				 *0x4bdac0 = 0;
      				__eax = E00436680();
      				__eflags = __al;
      				if(__al != 0) {
      					 *0x4bb120 =  *0x4bb120 | 0x00000040;
      					__eflags =  *0x4bb120;
      					 *0x4bd2e9 = 1;
      				}
      				__eax =  *0x4bd89c; // 0x0
      				__ecx = 1;
      				__eflags =  *((char*)(__ebp - 0x40d));
      				 *0x4bd89c = __eax;
      				SetThreadPriority(GetCurrentThread(), 2);   // 2 = THREAD_PRIORITY_HIGHEST; the decompiler had fused the two calls into "GetCurrentThread() = SetThreadPriority(__eax, 2)"
      				__eax = E0046C6B0(__ecx, __edx);
      				__eflags = __edi;
      				if(__edi == 0) {
      					L16:
      					__eflags =  *((char*)(__ebp - 0x40f));
      					if(__eflags != 0) {
      						__eax = E0043A130(__edx, __edi, __eflags);
      						goto L42;
      					} else {
      						__eax = RegisterWindowMessageW(L"commdlg_FindReplace");   // FINDMSGSTRING, the Find/Replace common-dialog notification
      						__ebx =  *(__ebp - 0x430);
      						 *0x4bd2b0 = __eax;
      						 *(__ebp - 0x400) = LoadAcceleratorsW(__ebx, L"ACCELERATORS");
      						__eax = E0044DC00(__ebx);
      						__esi = MulDiv;
      						__eax = MulDiv(0x1f4,  *0x4bc894, 0x60);   // four independent calls that the decompiler had fused into two "A = B" lines;
      						__eax = MulDiv(0x12c,  *0x4bc898, 0x60);   // MulDiv(x, *0x4bc894 or *0x4bc898, 96) is the usual DPI-scaling idiom (likely width/height scaling)
      						__eax = MulDiv(0x64,  *0x4bc894, 0x60);
      						__eax = MulDiv(0xc8,  *0x4bc898, 0x60);
      						__bl =  *((intOrPtr*)(__ebp - 0x40a));
      						__ecx = 0x20000000;
      						__eax = 0;
      						__eflags = __bl;
      						__eax = __bl != 0 ? 0x20000000 : 0;                  // WS_MINIMIZE when the minimized flag (__bl) is set
      						__eax = (__bl != 0 ? 0x20000000 : 0) | 0x00cf0000;   // | WS_OVERLAPPEDWINDOW
      						__ecx = __eax;
      						 *0x4bd2c0 = __ecx;   // stored as the main HWND (UpdateWindow/SendMessageW below use it): the window-creation call between the style computation and this store was not recovered
      						__eflags = __ecx;
      						if(__ecx == 0) {
      							goto L1;
      						} else {
      							__eflags = __bl;
      							if(__bl == 0) {
      								__eax =  *(__ebp + 0x14);
      								__edx = 5;
      								__eflags = __eax - 1;
      								__eax = __eax == 1 ? 5 : __eax;   // nCmdShow: SW_SHOWNORMAL (1) becomes SW_SHOW (5)
      							} else {
      								__eax = 2;                        // SW_SHOWMINIMIZED
      							}
      							__eax = UpdateWindow( *0x4bd2c0);
      							__ecx = 0x4bca94;
      							__eax = E00414130(0x4bca94);
      							__eflags = __al;
      							if(__eflags == 0) {
      								__eflags = __bl;
      								if(__eflags == 0) {
      									__eflags =  *((intOrPtr*)(__ebp - 0x405)) - __bl;
      									if(__eflags == 0) {
      										__eax = DialogBoxParamW( *0x4bd2c4, L"FILTER_INIT",  *0x4bd2c0,  &M0044BE70, 1);
      									}
      								}
      							}
      							__eax = L00446DF0(__edx, __eflags,  *0x4bd2c0, 0);
      							__eflags = __al;
      							if(__eflags == 0) {
      								__eflags = __edi;
      								if(__edi == 0) {
      									__eflags =  *((char*)(__ebp - 0x408));
      									if( *((char*)(__ebp - 0x408)) == 0) {
      										__eflags =  *0x4bd0a3;
      										if( *0x4bd0a3 == 0) {
      											__eax = 0;
      											__eflags =  *(__ebp - 0x418);
      											_t32 =  *(__ebp - 0x418) != 0;
      											__eflags = _t32;
      											0 | _t32 = SendMessageW( *0x4bd2c0, 0x111, 0x9c87, 0 | _t32);
      										}
      									}
      								} else {
      									__eflags =  *0x4bd895;
      									if( *0x4bd895 != 0) {
      										__eax = SendMessageW( *0x4bd2c0, 0x111, 0x9c53, 0);
      									}
      									__eax = E00452450(__edx,  *0x4bd2c0, __edi, 0);
      								}
      							} else {
      								__ecx = 0x4bca10;
      								__eax = E00418140(0x4bca10, __eflags, 0);
      							}
      							__edi = GetMessageW;
      							__eax = __ebp - 0x464;
      							__eax = GetMessageW(__ebp - 0x464, 0, 0, 0);
      							__eflags = __eax;
      							if(__eax != 0) {
      								__ebx = TranslateMessage;
      								do {
      									__esi = GetActiveWindow();
      									__eax = __ebp - 0x464;
      									__eax = TranslateAcceleratorW(__esi,  *(__ebp - 0x400), __ebp - 0x464);
      									__eflags = __eax;
      									if(__eax == 0) {
      										__eax = __ebp - 0x464;
      										__eax = IsDialogMessageW(__esi, __ebp - 0x464);
      										__eflags = __eax;
      										if(__eax == 0) {
      											__ebp - 0x464 = TranslateMessage(__ebp - 0x464);
      											__ebp - 0x464 = DispatchMessageW(__ebp - 0x464);
      										}
      									}
      									__eax = __ebp - 0x464;
      									__eax = GetMessageW(__ebp - 0x464, 0, 0, 0);
      									__eflags = __eax;
      								} while (__eax != 0);
      							}
      							L42:
      							E0043A870(__ebx, __edx, __edi, __esi, 0) = E004376B0( *0x4bd2b4, L"DeviceNameMap", "PHx");
      							goto L2;
      						}
      					}
      				} else {
      					__eflags = __ebx;
      					if(__ebx == 0) {
      						goto L16;
      					} else {
      						__eax = E00471495(__ebx, 0x2e);
      						__eflags = __eax;
      						if(__eax == 0) {
      							L15:
      							__eax = __esi->i(0, L"Invalid file extension in /SaveAs option", L"Process Monitor", 0x10);
      							goto L1;
      						} else {
      							__eax = E0044C740(__eax);
      							 *(__ebp - 0x400) = __eax;
      							__eflags = __eax;
      							if(__eax < 0) {
      								goto L15;
      							} else {
      								__eax = E00452450(__edx, 0, __edi, 0);
      								__eflags = __al;
      								if(__eflags == 0) {
      									L1:
      									_pop(_t49);
      									_pop(_t51);
      									_pop(_t44);
      									return E0046F77E(_t44,  *(_t52 - 4) ^ _t52, _t47, _t49, _t51);
      								} else {
      									__ecx = 0x4bca10;
      									__eax = E00418140(0x4bca10, __eflags, 0);
      									__eflags =  *(__ebp - 0x3f8) - 2;
      									__ecx = 0x4bca10;
      									__eax = __eax & 0xffffff00 |  *(__ebp - 0x3f8) - 0x00000002 >= 0x00000000;
      									__eflags =  *(__ebp - 0x3f8) - 1;
      									__al & 0x000000ff = __al & 0 |  *(__ebp - 0x3f8) - 0x00000001 >= 0x00000000;
      									__al & 0x000000ff =  *(__ebp - 0x400);
      									__eax = 0;
      									__eflags =  *((intOrPtr*)(__ebp - 0x3fa)) - __al;
      									__eax = 0 |  *((intOrPtr*)(__ebp - 0x3fa)) != __al;
      									__edi = E00421580(0x4bca10, __edx, 0, __ebx,  *((intOrPtr*)(__ebp - 0x3fa)) != __al,  *((intOrPtr*)(0x4a2ce8 + ( *((intOrPtr*)(__ebp - 0x3fa)) != __al) * 8)), 1, __al & 0x000000ff,  *((intOrPtr*)(__ebp - 0x3fa)) != __al);
      									__eflags = __edi;
      									if(__edi == 0) {
      										L2:
      										__eax = 0;
      										_pop(__edi);
      										_pop(__esi);
      										_pop(__ebx);
      										__ecx =  *(__ebp - 4);
      										__ecx =  *(__ebp - 4) ^ __ebp;
      										__eflags = __ecx;
      										__eax = E0046F77E(__ebx, __ecx, __edx, __edi, __esi);
      										__esp = __ebp;
      										_pop(__ebp);
      										return __eax;
      									} else {
      										__eax = E0046A530(L"The file was not saved. ");
      										 *(__ebp - 0x3f8) = __eax;
      										__ebp - 0x400 = E00459490(__ebx, __ebp - 0x400, __edi);
      										__ecx = __ebp - 0x3f8;
      										__eax = E0046A310(__ebp - 0x3f8, __eax);
      										__ecx =  *(__ebp - 0x400);
      										__eflags = __ecx;
      										if(__ecx != 0) {
      											__eax = E0046A700(__ecx);
      										}
      										__ecx = __ebp - 0x3f8;
      										__eax = __esi->i(0, E0046A170(__ebp - 0x3f8), L"Process Monitor", 0x10);
      										__ecx =  *(__ebp - 0x3f8);
      										__eflags = __ecx;
      										if(__ecx != 0) {
      											__eax = E0046A700(__ecx);
      										}
      										goto L1;
      									}
      								}
      							}
      						}
      					}
      				}
      			}









      APIs
        • Part of subcall function 00436680: GetVersion.KERNEL32(004651E4,00000000), ref: 00436680
      • GetCurrentThread.KERNEL32 ref: 0045F5D5
      • SetThreadPriority.KERNEL32(00000000), ref: 0045F5DC
      • _wcsrchr.LIBCMT ref: 0045F5FA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Thread$CurrentPriorityVersion_wcsrchr
      • String ID: Process Monitor$The file was not saved.
      • API String ID: 3509214146-1825103812
      • Opcode ID: 1bc22b1064d6b3f62ca724905099f64d2e6ed8ea40df09f6ddd260b72de1adea
      • Instruction ID: a27e0e56db8d11244c2f6114249db28c6e3e8ed38731eb6c4fd9ce52175aa1e2
      • Opcode Fuzzy Hash: 1bc22b1064d6b3f62ca724905099f64d2e6ed8ea40df09f6ddd260b72de1adea
      • Instruction Fuzzy Hash: 9E31FBB4E4031567DB10AB659C46B7A3268AF4470AF0500BFFD05A6183FA7D8A5C8A1E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E00463450(struct _CRITICAL_SECTION* __ecx, char _a4) {
      				intOrPtr _v8;
      				char _v16;
      				struct _CRITICAL_SECTION* _v20;
      				struct _CRITICAL_SECTION* _v24;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t38;
      				intOrPtr* _t41;
      				intOrPtr* _t46;
      				struct _CRITICAL_SECTION* _t49;
      				intOrPtr _t54;
      				intOrPtr _t56;
      				intOrPtr* _t58;
      				intOrPtr* _t61;
      				signed int _t63;
      
      				_push(0xffffffff);
      				_push(E004862B8);
      				_push( *[fs:0x0]);
      				_t38 =  *0x4bb1dc; // 0x2927074f
      				_push(_t38 ^ _t63);
      				_t1 =  &_v16; // 0x4c2538
      				 *[fs:0x0] = _t1;
      				_t49 = __ecx;
      				_v20 = __ecx;
      				_v24 = __ecx;
      				EnterCriticalSection(__ecx);
      				_t4 =  &_a4; // 0x7a
      				_t58 =  *_t4;
      				_t61 =  *((intOrPtr*)(_t49 + 0x20));
      				_v8 = 0;
      				_t56 =  *_t58;
      				if(_t56 != 0) {
      					_t54 =  *((intOrPtr*)(_t58 + 4));
      					_t8 = _t54 + 4; // 0x8
      					if(_t8 >  *((intOrPtr*)(_t58 + 8))) {
      						L2:
      						_a4 = 0x7a;
      						E0046F78D( &_a4, 0x4affc8);
      					}
      					 *((intOrPtr*)(_t54 + _t56)) = _t61;
      				}
      				 *((intOrPtr*)(_t58 + 4)) =  *((intOrPtr*)(_t58 + 4)) + 4;
      				_t41 =  *((intOrPtr*)(_t49 + 0x1c));
      				_t61 =  *_t41;
      				if(_t61 != _t41) {
      					do {
      						_t54 =  *_t58;
      						_t49 =  *(_t61 + 0x10);
      						if(_t54 == 0) {
      							L9:
      							 *((intOrPtr*)(_t58 + 4)) =  *((intOrPtr*)(_t58 + 4)) + 4;
      							_t41 = E004649D0(_t49, _t58, _t58, _t61, _t70, _t61 + 0x14);
      							if( *((char*)(_t61 + 0xd)) == 0) {
      								_t46 =  *((intOrPtr*)(_t61 + 8));
      								if( *((char*)(_t46 + 0xd)) != 0) {
      									_t41 =  *((intOrPtr*)(_t61 + 4));
      									__eflags =  *((char*)(_t41 + 0xd));
      									if(__eflags == 0) {
      										while(1) {
      											__eflags = _t61 -  *((intOrPtr*)(_t41 + 8));
      											if(__eflags != 0) {
      												goto L18;
      											}
      											_t61 = _t41;
      											_t41 =  *((intOrPtr*)(_t41 + 4));
      											__eflags =  *((char*)(_t41 + 0xd));
      											if(__eflags == 0) {
      												continue;
      											}
      											goto L18;
      										}
      									}
      									L18:
      									_t61 = _t41;
      								} else {
      									_t61 = _t46;
      									_t41 =  *_t61;
      									while( *((char*)(_t41 + 0xd)) == 0) {
      										_t61 = _t41;
      										_t41 =  *_t61;
      									}
      								}
      							}
      							goto L19;
      						} else {
      							_t56 =  *((intOrPtr*)(_t58 + 4));
      							_t18 = _t56 + 4; // 0x8
      							_t70 = _t18 -  *((intOrPtr*)(_t58 + 8));
      							if(_t18 >  *((intOrPtr*)(_t58 + 8))) {
      								goto L2;
      							} else {
      								 *(_t56 + _t54) = _t49;
      								goto L9;
      							}
      						}
      						goto L20;
      						L19:
      						_t49 = _v20;
      					} while (_t61 !=  *((intOrPtr*)(_t49 + 0x1c)));
      				}
      				L20:
      				LeaveCriticalSection(_t49);
      				_t36 =  &_v16; // 0x4c2538
      				 *[fs:0x0] =  *_t36;
      				return _t41;
      			}




















      APIs
      • EnterCriticalSection.KERNEL32(?,2927074F,?,00000000,004C2538), ref: 00463481
      • __CxxThrowException@8.LIBCMT ref: 004634B5
        • Part of subcall function 0046F78D: RaiseException.KERNEL32(?,?,000000FF,004B76C4,?,00000000,?,?,?,0046EF06,000000FF,004B76C4,?,00000001), ref: 0046F7E2
      • LeaveCriticalSection.KERNEL32(?,?,2927074F,?,00000000,004C2538), ref: 00463540
      Strings
      Similarity
      • API ID: CriticalSection$EnterExceptionException@8LeaveRaiseThrow
      • String ID: 8%Lz6oF$z6oF
      • API String ID: 1973487628-4120004401
      • Opcode ID: 2cab05fc65f188f0273399c7c3da705b8566cb8d4365007b18ab285c9420d7fc
      • Instruction ID: b69f93ae2614b6336a75f46ea18ec53e76a749f0a82d05b1117f04dab6f248a2
      • Opcode Fuzzy Hash: 2cab05fc65f188f0273399c7c3da705b8566cb8d4365007b18ab285c9420d7fc
      • Instruction Fuzzy Hash: 6031CE71900288AFDB20CF18D484B5AF7E5FB04355F48C5AAD85A9B781E738FD44CB95
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E0045B7A0(void* __ecx, void* _a4) {
      				char _v8;
      				void* _t17;
      				intOrPtr* _t18;
      				intOrPtr* _t22;
      				intOrPtr* _t23;
      				struct HWND__* _t33;
      				intOrPtr _t34;
      				intOrPtr* _t37;
      
      				_push(__ecx);
      				if(_a4 == 0) {
      					_t18 =  *0x4bdcd0; // 0x784a50
      					_t37 =  *_t18;
      					if(_t37 == _t18) {
      						L18:
      						return _t18;
      					}
      					while(1) {
      						_t33 =  *(_t37 + 0x10);
      						if(SendMessageW(GetDlgItem(_t33, 0x40c), 0x1004, 0, 0) == 0) {
      							DestroyWindow(GetDlgItem(_t33, 0x40c));
      						}
      						_t22 = E0045E300(0x4bdcd0,  &_v8, _t37);
      						_t34 =  *0x4bdcd0; // 0x784a50
      						_t18 =  *_t22;
      						_a4 = _t18;
      						if(_t18 == _t34) {
      							break;
      						}
      						_t18 = E0040DD80( &_a4);
      						_t37 = _a4;
      						if( *((char*)(_t37 + 0xd)) != 0) {
      							L16:
      							if(_t37 != _t34) {
      								continue;
      							}
      							break;
      						}
      						_t23 =  *((intOrPtr*)(_t37 + 8));
      						if( *((char*)(_t23 + 0xd)) != 0) {
      							_t18 =  *((intOrPtr*)(_t37 + 4));
      							if( *((char*)(_t18 + 0xd)) != 0) {
      								L15:
      								_t37 = _t18;
      								goto L16;
      							}
      							while(_t37 ==  *((intOrPtr*)(_t18 + 8))) {
      								_t37 = _t18;
      								_t18 =  *((intOrPtr*)(_t18 + 4));
      								if( *((char*)(_t18 + 0xd)) == 0) {
      									continue;
      								}
      								goto L15;
      							}
      							goto L15;
      						}
      						_t37 = _t23;
      						_t18 =  *_t37;
      						if( *((char*)(_t18 + 0xd)) != 0) {
      							goto L16;
      						} else {
      							goto L9;
      						}
      						do {
      							L9:
      							_t37 = _t18;
      							_t18 =  *_t37;
      						} while ( *((char*)(_t18 + 0xd)) == 0);
      						goto L16;
      					}
      					goto L18;
      				}
      				return _t17;
      			}












      APIs
      Strings
      Similarity
      • API ID: Item$DestroyMessageSendWindow
      • String ID: PJx
      • API String ID: 3090131160-3350571299
      • Opcode ID: 90083a7b86a796010353caabf768aca4efe9af2c27cdb60fe0c7f891ecd49965
      • Instruction ID: dbeb1edefcfa9855529c1146dff7bd16c89c213aab3af41ea2c2e5b28652b01f
      • Opcode Fuzzy Hash: 90083a7b86a796010353caabf768aca4efe9af2c27cdb60fe0c7f891ecd49965
      • Instruction Fuzzy Hash: 6321DB31D00218AFD720EF25C884B5677D8EB14751F09D5AAED45972A3D378EC48C7C8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 15%
      			E0042EDD0(signed int __ecx, struct HWND__* _a4, char* _a8) {
      				struct HWND__* _v8;
      				long _v12;
      				intOrPtr _v28;
      				signed int _v36;
      				char _v56;
      				struct HWND__* _t19;
      				long _t20;
      				char* _t21;
      				signed int _t26;
      				signed int _t27;
      				signed int _t28;
      				signed int _t29;
      				signed int _t31;
      				signed int _t33;
      
      				_t29 = __ecx;
      				_t19 = SendMessageW(_a4, 0x101f, 0, 0);
      				_v8 = _t19;
      				_t28 = _t27 | 0xffffffff;
      				_t20 = SendMessageW(_t19, 0x1200, 0, 0);
      				_t33 = 0;
      				_v12 = _t20;
      				_t31 = 0;
      				if(_t20 > 0) {
      					do {
      						_push( &_v56);
      						_push(_t31);
      						_push(0x120b);
      						_push(_v8);
      						if( *0x4bcb6b == 0) {
      							_v56 = 0x24;
      							SendMessageW(??, ??, ??, ??);
      							if((_v36 & 0x00000800) != 0) {
      								asm("sbb esi, esi");
      								_t33 =  ~(_v28 - 1) + 2;
      								goto L7;
      							}
      						} else {
      							_v56 = 4;
      							SendMessageW(??, ??, ??, ??);
      							_t26 = _v36;
      							if((_t26 & 0x00000600) != 0) {
      								asm("sbb esi, esi");
      								_t33 =  ~( ~(_t26 & 0x00000200)) + 1;
      								L7:
      								_t28 = _t31;
      							}
      						}
      						_t31 = _t31 + 1;
      					} while (_t31 < _v12);
      				}
      				_t21 = _a8;
      				if(_t21 != 0) {
      					 *_t21 = _t29 & 0xffffff00 | _t33 == 0x00000002;
      				}
      				return _t28;
      			}


















      APIs
      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042EDEB
      • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0042EDFD
      • SendMessageW.USER32(?,0000120B,00000000,?), ref: 0042EE2D
      • SendMessageW.USER32(?,0000120B,00000000,?), ref: 0042EE55
      Strings
      Similarity
      • API ID: MessageSend
      • String ID: $
      • API String ID: 3850602802-3993045852
      • Opcode ID: 2ed7b4d438ef3935741a1c97becbcba7c4c6bf4065449dfb50126691a5de2677
      • Instruction ID: 2603edf92fbbb36558880d873853b78c07aa145653b882f39098b381128ce0b6
      • Opcode Fuzzy Hash: 2ed7b4d438ef3935741a1c97becbcba7c4c6bf4065449dfb50126691a5de2677
      • Instruction Fuzzy Hash: 0211B472A40238BBEB208FA9EC45BDE7B74BB04710F050265E914B72D0C3746D05C7E8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 69%
      			E00401063(void* __ebx, CHAR* _a4) {
      				signed int _v8;
      				long _v9;
      				char _v268;
      				void* _v272;
      				CHAR* _v276;
      				int _v280;
      				int _v284;
      				void* __edi;
      				void* __esi;
      				signed int _t21;
      				long _t31;
      				void* _t38;
      				void* _t44;
      				void* _t45;
      				void* _t49;
      				signed int _t53;
      
      				_t38 = __ebx;
      				_t51 = _t53;
      				_t21 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t21 ^ _t53;
      				_v276 = _a4;
      				if(RegOpenKeyExA(0x80000000, "CLSID\\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\\InprocServer32", 0, 0x20019,  &_v272) == 0) {
      					_push(_t45);
      					_v284 = 0x104;
      					_v280 = 1;
      					_t31 = RegQueryValueExA(_v272, 0, 0,  &_v280,  &_v268,  &_v284);
      					if(_t31 == 0) {
      						_v9 = _t31;
      						if(_v280 != 2) {
      							E00401000(_v276, 0x104,  &_v268);
      						} else {
      							ExpandEnvironmentStringsA( &_v268, _v276, 0x104);
      							asm("sbb esi, esi");
      						}
      					}
      					RegCloseKey(_v272);
      					_pop(_t45);
      				}
      				_pop(_t49);
      				return E0046F77E(_t38, _v8 ^ _t51, _t44, _t45, _t49);
      			}




















      APIs
      • RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?), ref: 0040109B
      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 004010DC
      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 00401100
      • RegCloseKey.ADVAPI32(?), ref: 0040112D
      Strings
      • CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32, xrefs: 00401091
      Similarity
      • API ID: CloseEnvironmentExpandOpenQueryStringsValue
      • String ID: CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
      • API String ID: 1800380464-4062393554
      • Opcode ID: 57a50e2b4bfb8e9b6b6a3db8d1fa4e2e861c5d2a1c89f99ef3948d4b9040399c
      • Instruction ID: 57e2b20bb804647ff0a9c65b1f677b67efd32404279a7136e9849a598fa53d45
      • Opcode Fuzzy Hash: 57a50e2b4bfb8e9b6b6a3db8d1fa4e2e861c5d2a1c89f99ef3948d4b9040399c
      • Instruction Fuzzy Hash: 8821A171A0012CABCB259B65DC05FDFBBB8EF5A740F0001BAE649E2150DAB49E94CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E00408690(intOrPtr __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _v32;
      				struct HWND__* _v36;
      				intOrPtr _v40;
      				intOrPtr _v44;
      				intOrPtr _v48;
      				int _v52;
      				void* _v56;
      				intOrPtr* _v60;
      				intOrPtr _v64;
      				intOrPtr _v68;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t29;
      				intOrPtr* _t31;
      				intOrPtr _t32;
      				int _t35;
      				int _t53;
      				intOrPtr _t56;
      				signed int _t57;
      
      				_t29 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t29 ^ _t57;
      				_t31 = _a4;
      				_v64 = __ecx;
      				_v60 = _t31;
      				_v68 =  *_t31;
      				_t32 = E00405CE0(_t31,  *_t31, _t31);
      				_v56 = 0;
      				E00470030( &_v52, 0, 0x2c);
      				_v32 = _a8;
      				_t56 = _v68;
      				_t35 = GetWindowLongW( *(_t56 + 8), 0xfffffff4);
      				asm("movdqu xmm0, [ebx]");
      				_t53 = _t35;
      				_v56 = 0x66;
      				_v52 = _t53;
      				_v36 =  *(_t56 + 8);
      				_v40 =  *((intOrPtr*)(_v60 + 0x20));
      				asm("movdqu [ebp-0x18], xmm0");
      				_v48 = _t32;
      				_v44 = _a12;
      				_v12 =  *((intOrPtr*)(_v64 + 4));
      				SendMessageW(GetParent( *(_t56 + 8)), 0x2b, _t53,  &_v56);
      				asm("sbb eax, eax");
      				return E0046F77E(_a20, _v8 ^ _t57, _t53, _t32, _t56);
      			}


























      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: LongMessageParentSendWindow_memset
      • String ID: f
      • API String ID: 2702428208-1993550816
      • Opcode ID: b9911cde587ea5fbd2a31bf44aa6a387c60d112a14f31eaca1f54a7ae3c47f71
      • Instruction ID: d56c89ba7365657e4ab2a6b7fd20295e189cef172ca257e34539eacd89840edd
      • Opcode Fuzzy Hash: b9911cde587ea5fbd2a31bf44aa6a387c60d112a14f31eaca1f54a7ae3c47f71
      • Instruction Fuzzy Hash: 5321D671D01218AFDB00DFA9E885A9EBBF5FB48310F10856AF915E7350DB71A904CB54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 36%
      			E00446210(void* __ecx, struct HWND__* _a4) {
      				signed int _v8;
      				struct tagRECT _v24;
      				void* __edi;
      				void* __esi;
      				signed int _t22;
      				intOrPtr _t27;
      				intOrPtr* _t28;
      				void* _t43;
      				void* _t48;
      				intOrPtr* _t49;
      				struct HWND__* _t50;
      				struct HWND__* _t51;
      				signed int _t52;
      
      				_t22 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t22 ^ _t52;
      				_t50 = _a4;
      				_t49 = __ecx;
      				 *(__ecx + 0xc) = _t50;
      				SetPropW(_t50, L"ResizerClass", __ecx);
      				 *((intOrPtr*)(_t49 + 8)) = GetWindowLongW(_t50, 0xfffffffc);
      				SetWindowLongW(_t50, 0xfffffffc, E0045B880);
      				_t27 =  *((intOrPtr*)(_t49 + 4));
      				_t51 =  *(_t49 + 0xc);
      				if(_t27 != 0) {
      					 *0x4bc890(_t27);
      				}
      				 *((intOrPtr*)(_t49 + 4)) = 0;
      				_t28 =  *0x4bc884; // 0x73c34310
      				if(_t28 != 0 &&  *_t28() != 0) {
      					 *((intOrPtr*)(_t49 + 4)) =  *0x4bc888(_t51,  *((intOrPtr*)( *_t49))());
      				}
      				GetWindowRect( *(_t49 + 0xc),  &_v24);
      				 *((intOrPtr*)(_t49 + 0x18)) = _v24.right - _v24.left;
      				 *((intOrPtr*)(_t49 + 0x1c)) = _v24.bottom - _v24.top;
      				 *((intOrPtr*)(_t49 + 0x10)) =  *((intOrPtr*)(_t49 + 0x18));
      				 *((intOrPtr*)(_t49 + 0x14)) =  *((intOrPtr*)(_t49 + 0x1c));
      				return E0046F77E(_t43, _v8 ^ _t52, _t48, _t49, _t51);
      			}


      0x00446216
      0x0044621d
      0x00446221
      0x00446225
      0x0044622e
      0x00446231
      0x00446248
      0x0044624b
      0x00446251
      0x00446254
      0x00446259
      0x0044625c
      0x0044625c
      0x00446262
      0x00446269
      0x00446270
      0x00446286
      0x00446286
      0x00446290
      0x0044629f
      0x004462aa
      0x004462b0
      0x004462b6
      0x004462c3

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$Long$PropRect
      • String ID: ResizerClass
      • API String ID: 86103434-804565684
      • Opcode ID: e823772a61c67883c766d3909182e1d75ba84df7a1d048da369abcb11a5d3e7b
      • Instruction ID: 50a281ef1c3c98e742daea7722003ae6f183a23b17d6b99e2ab52f6523025418
      • Opcode Fuzzy Hash: e823772a61c67883c766d3909182e1d75ba84df7a1d048da369abcb11a5d3e7b
      • Instruction Fuzzy Hash: 5A212975A00616BFC700EFA9D94895ABBF8FF49311710826AE815D3750DB74E910CBE9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 66%
      			E0045006D(void* __ebx, void* __edx, void* __eflags) {
      				struct HWND__* __esi;
      				int _t21;
      				void* _t27;
      				struct HWND__* _t28;
      				void* _t29;
      				signed int _t30;
      
      				_t26 = __edx;
      				_t18 = __ebx;
      				E00431D20(__ebx, __edx, _t30 - 0x624, _t28);
      				 *((intOrPtr*)(_t30 - 4)) = 0x21;
      				if(E0046A720(_t30 - 0x624) != 0) {
      					SendMessageW(__esi, 0x111, 0x9c8a, 0);
      					__ecx = 0x4bca10;
      					E004168D0(0x4bca10, __edx, 0x4bdac0, 0, L"<remote computer name>", L"<remote system root>");
      					__eflags = __al;
      					if(__al != 0) {
      						_push(0x4bca10);
      						__ecx =  *((intOrPtr*)(__ebp - 0x624));
      						 *__esp = __ecx;
      						__eflags = __ecx;
      						if(__ecx != 0) {
      							E0046A420(__ecx);
      						}
      						_push(__esi);
      						E0043A4B0(__edx);
      						__esp = __esp + 8;
      					}
      					E0045C360(__esi);
      					__ecx = __esp;
      					E0040C980(__ebx, __esp, 0x4bdac0);
      					_push(__esi);
      					L00459F80(__ebx, __eflags);
      					__esp = __esp + 8;
      				}
      				_t20 =  *((intOrPtr*)(_t30 - 0x624));
      				 *((intOrPtr*)(_t30 - 4)) = 0xffffffff;
      				__eflags =  *((intOrPtr*)(_t30 - 0x624));
      				if( *((intOrPtr*)(_t30 - 0x624)) != 0) {
      					E0046A700(_t20);
      				}
      				_t21 =  *(_t30 + 0xc);
      				DefWindowProcW(_t28, _t21,  *(_t30 - 0x628),  *(_t30 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
      				_pop(_t27);
      				_pop(_t29);
      				return E0046F77E(_t18,  *(_t30 - 0x10) ^ _t30, _t26, _t27, _t29);
      			}


      0x0045006d
      0x0045006d
      0x00450075
      0x00450083
      0x00450091
      0x004500a0
      0x004500b7
      0x004500bc
      0x004500c1
      0x004500c3
      0x004500c5
      0x004500c6
      0x004500ce
      0x004500d0
      0x004500d2
      0x004500d4
      0x004500d4
      0x004500d9
      0x004500da
      0x004500df
      0x004500df
      0x004500e3
      0x004500e8
      0x004500ef
      0x004500f4
      0x004500f5
      0x004500fa
      0x004500fa
      0x004500fd
      0x00450103
      0x0045010a
      0x0045010c
      0x00450112
      0x00450112
      0x0044e726
      0x0044e737
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757

      APIs
        • Part of subcall function 00431D20: _memset.LIBCMT ref: 00431D5B
        • Part of subcall function 00431D20: SHGetMalloc.SHELL32(?), ref: 00431D6A
        • Part of subcall function 00431D20: SHGetSpecialFolderLocation.SHELL32(?,00000012,?), ref: 00431D7A
      • DefWindowProcW.USER32(?,?,?,?,2927074F), ref: 0044E737
      • SendMessageW.USER32(?,00000111,00009C8A,00000000), ref: 004500A0
        • Part of subcall function 004168D0: GetFileAttributesW.KERNEL32(?,2927074F,749682C0,0045F84E,?,000000FF,?,00446FA2,?), ref: 00416910
        • Part of subcall function 004168D0: MessageBoxW.USER32(00000000,00000000,Process Monitor,00000004), ref: 004169E7
        • Part of subcall function 0046A420: InterlockedIncrement.KERNEL32(00000000), ref: 0046A421
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Message$AttributesFileFolderIncrementInterlockedLocationMallocProcSendSpecialWindow_memset
      • String ID: !$<remote computer name>$<remote system root>
      • API String ID: 3391029906-3868171836
      • Opcode ID: c9855349e85020dbfd6d6e1c07586392de703f02663cd40a9e49650f44eef08b
      • Instruction ID: 594ea4c26ff175275be3057f92aa15699a68a2a7911c69e1ca0e322c6a839dee
      • Opcode Fuzzy Hash: c9855349e85020dbfd6d6e1c07586392de703f02663cd40a9e49650f44eef08b
      • Instruction Fuzzy Hash: 7A112935A01A086BCB14AB519C43BDE7361AF49716F00016FF906722C2EF7D5A15CA6E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E004481D0(void* __edx, struct HMENU__* _a4) {
      				signed int _v8;
      				char _v528;
      				struct HMENU__* _v532;
      				struct tagMENUITEMINFOW _v580;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t15;
      				intOrPtr _t27;
      				struct HMENU__* _t28;
      				int _t29;
      				void* _t32;
      				struct HMENU__* _t33;
      				int _t34;
      				signed int _t35;
      				void* _t36;
      
      				_t32 = __edx;
      				_t15 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t15 ^ _t35;
      				_t28 = _a4;
      				_v532 = _t28;
      				_t33 = CreatePopupMenu();
      				_t29 = GetMenuItemCount(_t28);
      				_t34 = 0;
      				if(_t29 != 0) {
      					do {
      						asm("xorps xmm0, xmm0");
      						_v580.cbSize = 0x30;
      						asm("movq [ebp-0x218], xmm0");
      						asm("movdqu [ebp-0x228], xmm0");
      						_v580.dwTypeData =  &_v528;
      						asm("movdqu [ebp-0x238], xmm0");
      						_v580.fMask = 0x146;
      						_v580.cch = 0x104;
      						GetMenuItemInfoW(_v532, _t34, 1,  &_v580);
      						_t24 = _v580.hSubMenu;
      						if(_v580.hSubMenu != 0) {
      							_t27 = E004481D0(_t32, _t24);
      							_t36 = _t36 + 4;
      							_v580.hSubMenu = _t27;
      						}
      						InsertMenuItemW(_t33, _t34, 1,  &_v580);
      						_t34 = _t34 + 1;
      					} while (_t34 < _t29);
      				}
      				return E0046F77E(_t29, _v8 ^ _t35, _t32, _t33, _t34);
      			}


      0x004481d0
      0x004481d9
      0x004481e0
      0x004481e4
      0x004481e9
      0x004481f6
      0x004481fe
      0x00448200
      0x00448204
      0x00448210
      0x00448210
      0x00448213
      0x00448223
      0x0044822b
      0x00448233
      0x00448249
      0x00448251
      0x0044825b
      0x00448265
      0x0044826b
      0x00448273
      0x00448276
      0x0044827b
      0x0044827e
      0x0044827e
      0x0044828f
      0x00448295
      0x00448296
      0x00448210
      0x004482b0

      APIs
      • CreatePopupMenu.USER32 ref: 004481EF
      • GetMenuItemCount.USER32 ref: 004481F8
      • GetMenuItemInfoW.USER32(?,00000000,00000001,00000030), ref: 00448265
      • InsertMenuItemW.USER32(00000000,00000000,00000001,00000030), ref: 0044828F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Menu$Item$CountCreateInfoInsertPopup
      • String ID: 0
      • API String ID: 93392585-4108050209
      • Opcode ID: 3c59bff39158b1863f87fb4845e8bc7060e1fffe5c76e9da6bcac874f3f8e9f4
      • Instruction ID: e3580ccdd48fd54cf6803f069ec41eb037bf39d497c2bc11114eba10b486eb84
      • Opcode Fuzzy Hash: 3c59bff39158b1863f87fb4845e8bc7060e1fffe5c76e9da6bcac874f3f8e9f4
      • Instruction Fuzzy Hash: 81211271D1171C9BDB209F65DCC8BDEB7B8FB55300F1006EAE909A6211DBB45A848F94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 23%
      			E004771D8(void* __ebx, void* __esi, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
      				void* __edi;
      				void* __ebp;
      				void* _t25;
      				void* _t28;
      				intOrPtr _t29;
      				void* _t30;
      				intOrPtr* _t31;
      				void* _t33;
      
      				_t30 = __esi;
      				_t27 = __ebx;
      				_t35 = _a28;
      				_t29 = _a8;
      				if(_a28 != 0) {
      					_push(_a28);
      					_push(_a24);
      					_push(_t29);
      					_t5 =  &_a4; // 0x47763c
      					_push( *_t5);
      					E00477806(__ebx, _t29, __esi, _t35);
      					_t33 = _t33 + 0x10;
      				}
      				_t36 = _a40;
      				_t7 =  &_a4; // 0x47763c
      				_push( *_t7);
      				if(_a40 != 0) {
      					_push(_a40);
      				} else {
      					_push(_t29);
      				}
      				E0046FAAE(_t28);
      				_push(_t30);
      				_t31 = _a32;
      				_push( *_t31);
      				_push(_a20);
      				_push(_a16);
      				_push(_t29);
      				E00477AA4(_t27, _t31, _t36);
      				_push(0x100);
      				_push(_a36);
      				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
      				_push( *((intOrPtr*)(_a24 + 0xc)));
      				_push(_a20);
      				_push(_a12);
      				_push(_t29);
      				_push(_a4);
      				_t25 = E00476FD2(_t27, _t29, _t31, _t36);
      				if(_t25 != 0) {
      					E0046FA7C(_t25, _t29);
      					return _t25;
      				}
      				return _t25;
      			}


      0x004771d8
      0x004771d8
      0x004771db
      0x004771e0
      0x004771e3
      0x004771e5
      0x004771e8
      0x004771eb
      0x004771ec
      0x004771ec
      0x004771ef
      0x004771f4
      0x004771f4
      0x004771f7
      0x004771fb
      0x004771fb
      0x004771fe
      0x00477203
      0x00477200
      0x00477200
      0x00477200
      0x00477206
      0x0047720b
      0x0047720c
      0x0047720f
      0x00477211
      0x00477214
      0x00477217
      0x00477218
      0x00477221
      0x00477226
      0x00477229
      0x0047722f
      0x00477232
      0x00477235
      0x00477238
      0x00477239
      0x0047723c
      0x00477247
      0x0047724b
      0x00000000
      0x0047724b
      0x00477252

      APIs
      • ___BuildCatchObject.LIBCMT ref: 004771EF
        • Part of subcall function 00477806: ___AdjustPointer.LIBCMT ref: 0047784F
      • _UnwindNestedFrames.LIBCMT ref: 00477206
      • ___FrameUnwindToState.LIBCMT ref: 00477218
      • CallCatchBlock.LIBCMT ref: 0047723C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
      • String ID: <vG
      • API String ID: 2633735394-1139658661
      • Opcode ID: 8e282003c125f46c22240d1f402eaa53352985f9c45b0f7294695b1a535063d5
      • Instruction ID: cbfe12a23117bc77d280d440e4ff9a929e0d3159e5d187a996e8ff4940c270c3
      • Opcode Fuzzy Hash: 8e282003c125f46c22240d1f402eaa53352985f9c45b0f7294695b1a535063d5
      • Instruction Fuzzy Hash: 91014C32100109BBCF129F56DD01EDB3BBAFF48758F45805AF95C61121D33AE861DBA9
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SysAllocString.OLEAUT32(MAX), ref: 0040237A
      • VariantInit.OLEAUT32(?), ref: 00402386
      • SysFreeString.OLEAUT32(00000000), ref: 0040239E
      • VariantClear.OLEAUT32(?), ref: 004023B6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: StringVariant$AllocClearFreeInit
      • String ID: MAX
      • API String ID: 760788290-198270979
      • Opcode ID: a2cf9e0ad25e5b13e7c8518b990fbbb50376fd41eef7d5395fef13a1adbcedec
      • Instruction ID: ab4dfa62cec0e1dfa26afbfa7cf38645cff2efa1bf96839c6626141418c26da3
      • Opcode Fuzzy Hash: a2cf9e0ad25e5b13e7c8518b990fbbb50376fd41eef7d5395fef13a1adbcedec
      • Instruction Fuzzy Hash: AFF03172900219ABDB21ABA4DC4DFAFB7BCEB44754F04097AFD01E3291D6B4590587A4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 46%
      			E0044F895() {
      				void* __esi;
      				void* _t23;
      				int _t25;
      				void* _t30;
      				void* _t32;
      				struct HWND__* _t33;
      				void* _t34;
      				signed int _t35;
      
      				asm("xorps xmm0, xmm0");
      				 *(_t35 - 0x4d0) = 0x30;
      				asm("movdqu [ebp-0x4c8], xmm0");
      				 *((intOrPtr*)(_t35 - 0x4cc)) = 1;
      				asm("movdqu [ebp-0x4b8], xmm0");
      				asm("movq [ebp-0x4a8], xmm0");
      				GetMenuItemInfoW(GetMenu(_t33), 0x9cb0, 0, _t35 - 0x4d0);
      				 *0x4bd8a4 =  !( *(_t35 - 0x4c4) >> 3) & 0x00000001;
      				_t18 =  !=  ? 8 : 0;
      				CheckMenuItem(GetMenu(_t33), 0x9cb0,  !=  ? 8 : 0);
      				_t25 =  *(_t35 + 0xc);
      				DefWindowProcW(_t33, _t25,  *(_t35 - 0x628),  *(_t35 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
      				_pop(_t32);
      				_pop(_t34);
      				return E0046F77E(_t23,  *(_t35 - 0x10) ^ _t35, _t30, _t32, _t34);
      			}


      0x0044f8a4
      0x0044f8a7
      0x0044f8b7
      0x0044f8bf
      0x0044f8c9
      0x0044f8d1
      0x0044f8dc
      0x0044f8f4
      0x0044f8fe
      0x0044f90b
      0x0044e726
      0x0044e737
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757

      APIs
      • GetMenu.USER32 ref: 0044F8D9
      • GetMenuItemInfoW.USER32(00000000,?,00009CB0), ref: 0044F8DC
      • GetMenu.USER32 ref: 0044F908
      • CheckMenuItem.USER32(00000000,?,00009CB0), ref: 0044F90B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Menu$Item$CheckInfo
      • String ID: 0
      • API String ID: 3642386136-4108050209
      • Opcode ID: 97145b62ac67521fa44190ba62b4216c8f358736c29c212b1845d912d3708c29
      • Instruction ID: 96fbf8aa5cb7c3ae7de82bac89f20c18f7078bf8c65d3d66828b3097bc71cbe0
      • Opcode Fuzzy Hash: 97145b62ac67521fa44190ba62b4216c8f358736c29c212b1845d912d3708c29
      • Instruction Fuzzy Hash: 4FF096B1D113599AFB609B20CD45FAA7778EF95304F10019AF648A3181DB789AC4CF68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040F610() {
      				char _v8;
      				void* _v12;
      				int _v16;
      				int _v20;
      
      				_v8 = 4;
      				if(RegOpenKeyW(0x80000002, L"System\\CurrentControlSet\\Services\\PROCMON23",  &_v12) == 0) {
      					_v16 = 4;
      					RegQueryValueExW(_v12, L"Start", 0,  &_v20,  &_v8,  &_v16);
      					RegCloseKey(_v12);
      				}
      				return _v8;
      			}


      0x0040f619
      0x0040f633
      0x0040f638
      0x0040f652
      0x0040f65b
      0x0040f65b
      0x0040f667

      APIs
      • RegOpenKeyW.ADVAPI32(80000002,System\CurrentControlSet\Services\PROCMON23,?), ref: 0040F62B
      • RegQueryValueExW.ADVAPI32(?,Start,00000000,?,00000004,?), ref: 0040F652
      • RegCloseKey.ADVAPI32(?), ref: 0040F65B
      Strings
      • Start, xrefs: 0040F64A
      • System\CurrentControlSet\Services\PROCMON23, xrefs: 0040F621
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CloseOpenQueryValue
      • String ID: Start$System\CurrentControlSet\Services\PROCMON23
      • API String ID: 3677997916-446470844
      • Opcode ID: e1d602a48fe345480bf97b8eb76f81f5ad90d4319184725b4f336708afb01a4f
      • Instruction ID: 06b745128995ef4381ba93970c477a71e0423597a650d42fb9cfe7c1ffd0d29d
      • Opcode Fuzzy Hash: e1d602a48fe345480bf97b8eb76f81f5ad90d4319184725b4f336708afb01a4f
      • Instruction Fuzzy Hash: C5F0F87594020CBFDB11DB90DD09FAEBBBCEB05715F1004BAEA00B2251D7745B189B58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 64%
      			E0044F43B(void* __ebx, void* __edx) {
      				struct HWND__* __esi;
      				void* _t7;
      				void* _t13;
      				void* _t14;
      				struct HWND__* _t15;
      				void* _t16;
      				signed int _t17;
      
      				_t13 = __edx;
      				_t7 = __ebx;
      				if(E00416870(0x4bca10) == 0) {
      					MessageBoxW(_t15, L"There are no events in the trace", L"Process Monitor", 0x10);
      				} else {
      					DialogBoxParamW( *0x4bd2c4, L"SYSTEM_DETAILS", __esi, E0045BBB0, 0);
      				}
      				 *[fs:0x0] =  *((intOrPtr*)(_t17 - 0xc));
      				_pop(_t14);
      				_pop(_t16);
      				return E0046F77E(_t7,  *(_t17 - 0x10) ^ _t17, _t13, _t14, _t16);
      			}


      0x0044f43b
      0x0044f43b
      0x0044f447
      0x0044f476
      0x0044f449
      0x0044f45c
      0x0044f462
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757

      APIs
        • Part of subcall function 00416870: EnterCriticalSection.KERNEL32(004BCA10,00000000,?,0043B1A2,2927074F,00000000,?,?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 00416875
        • Part of subcall function 00416870: LeaveCriticalSection.KERNEL32(004BCA10,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0041687F
      • DialogBoxParamW.USER32 ref: 0044F45C
      • MessageBoxW.USER32(?,There are no events in the trace,Process Monitor,00000010), ref: 0044F476
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$DialogEnterLeaveMessageParam
      • String ID: Process Monitor$SYSTEM_DETAILS$There are no events in the trace
      • API String ID: 3255859317-90052472
      • Opcode ID: 13cfa99df327642fe0cc62f6a27bbd3f3b67361a6e71a2454386412e73d40701
      • Instruction ID: 9585328530989cb1dada43aadcda8d29bebca161180bd9fcc10a99cffdddbb03
      • Opcode Fuzzy Hash: 13cfa99df327642fe0cc62f6a27bbd3f3b67361a6e71a2454386412e73d40701
      • Instruction Fuzzy Hash: BED0C7303802027AEA0027228E06F6A2940BB29B80F600832B603F40D2DBCCE42A866D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E004626C0(struct _CRITICAL_SECTION* __ecx, intOrPtr* _a4, void* _a8) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				intOrPtr* _v24;
      				char _v36;
      				char _v40;
      				intOrPtr _v44;
      				struct _CRITICAL_SECTION* _v48;
      				intOrPtr* _v52;
      				char _v56;
      				struct _CRITICAL_SECTION* _v60;
      				char _v64;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t45;
      				signed int _t46;
      				intOrPtr* _t48;
      				intOrPtr _t51;
      				struct _CRITICAL_SECTION* _t72;
      				intOrPtr* _t73;
      				struct _CRITICAL_SECTION* _t74;
      				void* _t75;
      				void* _t77;
      				signed int _t78;
      				intOrPtr _t84;
      				struct _CRITICAL_SECTION* _t96;
      				void* _t97;
      				signed char* _t98;
      				struct _CRITICAL_SECTION** _t101;
      				void* _t102;
      				signed int* _t103;
      				signed int _t104;
      
      				_push(0xffffffff);
      				_push(E0048C6F0);
      				_push( *[fs:0x0]);
      				_t45 =  *0x4bb1dc; // 0x2927074f
      				_t46 = _t45 ^ _t104;
      				_v20 = _t46;
      				_push(_t46);
      				 *[fs:0x0] =  &_v16;
      				_t72 = __ecx;
      				_v48 = __ecx;
      				_t48 = _a4;
      				if(_a8 == 0) {
      					asm("xorps xmm0, xmm0");
      					_v36 =  *_t48;
      					asm("movq [ebp-0x1c], xmm0");
      					_v24 = 0;
      					asm("movdqu xmm0, [ebp-0x20]");
      				} else {
      					asm("movdqu xmm0, [eax]");
      					asm("movdqu [ebp-0x20], xmm0");
      				}
      				asm("movdqu [ebp-0x4c], xmm0");
      				_v60 = _t72;
      				EnterCriticalSection(_t72);
      				_t73 = _t72 + 0x1c;
      				_v8 = 0;
      				_v52 = _t73;
      				_t51 = E00463640(_t73,  &_v36);
      				_t84 =  *_t73;
      				if(_t51 == _t84) {
      					L13:
      					_v44 = _t84;
      					goto L14;
      				} else {
      					_t12 = _t51 + 0x10; // 0x10
      					_t98 = _t12;
      					_t77 = 0xc;
      					_t103 =  &_v36;
      					while(1) {
      						_t93 =  *_t103;
      						if(_t93 !=  *_t98) {
      							break;
      						}
      						_t103 =  &(_t103[1]);
      						_t98 =  &(_t98[4]);
      						_t77 = _t77 - 4;
      						if(_t77 >= 0) {
      							continue;
      						} else {
      							_t73 = 0;
      							L12:
      							_v44 = _t51;
      							if(_t73 >= 0) {
      								L14:
      								_t100 = _v52;
      								_t53 = _v44;
      								if(_v44 ==  *_v52) {
      									asm("movdqu xmm0, [ebp-0x4c]");
      									asm("movdqu [ebp-0x24], xmm0");
      									_v24 = E0046A6C0(_t73, 0x48fc20, E0046A530(0x48fc20));
      									_v8 = 1;
      									E00462400(_t100,  &_v56, 0,  &_v40,  *0x4c2580 & 0x000000ff);
      									_t86 = _v24;
      									_v8 = 0;
      									__eflags = _v24;
      									if(__eflags != 0) {
      										E0046A700(_t86);
      									}
      									_t74 = _v48;
      									_t96 = _v56 + 0x20;
      									_v8 = 0xffffffff;
      									LeaveCriticalSection(_t74);
      									_push(0x1c);
      									_t101 = E0046EEB6(_t74, _t96, __eflags);
      									InterlockedIncrement(_t74 + 0x18);
      									asm("movdqu xmm0, [ebp-0x4c]");
      									_t101[5] = _a8;
      									 *_t101 = _t74;
      									asm("movdqu [esi+0x4], xmm0");
      									_t101[6] = _t96;
      									CloseHandle(E00472D60(0, 0, E00462A20, _t101, 0,  &_v64));
      									__eflags = 0;
      								} else {
      									E0046A720(_t53 + 0x20);
      									LeaveCriticalSection(_v48);
      								}
      								 *[fs:0x0] = _v16;
      								_pop(_t97);
      								_pop(_t102);
      								_pop(_t75);
      								return E0046F77E(_t75, _v20 ^ _t104, _t93, _t97, _t102);
      							}
      							goto L13;
      						}
      					}
      					_t78 = _t93 & 0x000000ff;
      					_t93 =  *_t98 & 0x000000ff;
      					_t73 = _t78 - ( *_t98 & 0x000000ff);
      					__eflags = _t73;
      					if(_t73 == 0) {
      						_t93 = _t98[1] & 0x000000ff;
      						_t73 = (_t103[0] & 0x000000ff) - (_t98[1] & 0x000000ff);
      						__eflags = _t73;
      						if(_t73 == 0) {
      							_t93 = _t98[2] & 0x000000ff;
      							_t73 = (_t103[0] & 0x000000ff) - (_t98[2] & 0x000000ff);
      							__eflags = _t73;
      							if(_t73 == 0) {
      								_t93 = _t98[3] & 0x000000ff;
      								_t73 = (_t103[0] & 0x000000ff) - (_t98[3] & 0x000000ff);
      								__eflags = _t73;
      							}
      						}
      					}
      					goto L12;
      				}
      			}
      0x004626c3
      0x004626c5
      0x004626d0
      0x004626d4
      0x004626d9
      0x004626db
      0x004626e1
      0x004626e5
      0x004626eb
      0x004626ed
      0x004626f4
      0x004626f7
      0x00462706
      0x00462709
      0x0046270c
      0x00462711
      0x00462718
      0x004626f9
      0x004626f9
      0x004626fd
      0x004626fd
      0x0046271e
      0x00462723
      0x00462726
      0x0046272c
      0x0046272f
      0x00462739
      0x0046273f
      0x00462744
      0x00462748
      0x0046279d
      0x0046279d
      0x00000000
      0x0046274a
      0x0046274a
      0x0046274a
      0x0046274d
      0x00462752
      0x00462755
      0x00462755
      0x00462759
      0x00000000
      0x00000000
      0x0046275b
      0x0046275e
      0x00462761
      0x00462764
      0x00000000
      0x00462766
      0x00462766
      0x00462796
      0x00462796
      0x0046279b
      0x004627a0
      0x004627a0
      0x004627a6
      0x004627aa
      0x004627c9
      0x004627d3
      0x004627eb
      0x004627fb
      0x00462806
      0x0046280b
      0x0046280e
      0x00462812
      0x00462814
      0x00462816
      0x00462816
      0x0046281e
      0x00462821
      0x00462825
      0x0046282c
      0x00462832
      0x0046283f
      0x00462842
      0x0046284b
      0x00462850
      0x00462863
      0x00462865
      0x0046286a
      0x00462876
      0x0046287c
      0x004627ac
      0x004627af
      0x004627bc
      0x004627c2
      0x00462881
      0x00462889
      0x0046288a
      0x0046288b
      0x00462899
      0x00462899
      0x00000000
      0x0046279b
      0x00462764
      0x0046276a
      0x0046276d
      0x00462770
      0x00462770
      0x00462772
      0x00462778
      0x0046277c
      0x0046277c
      0x0046277e
      0x00462784
      0x00462788
      0x00462788
      0x0046278a
      0x00462790
      0x00462794
      0x00462794
      0x00462794
      0x0046278a
      0x0046277e
      0x00000000
      0x00462772

      APIs
      • EnterCriticalSection.KERNEL32(004C2538,2927074F,00000000,?,?,?,?,?,?,?,?,?,?,?,00000038,0048C6F0), ref: 00462726
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000038,0048C6F0), ref: 004627BC
      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000000,?,?), ref: 0046282C
      • InterlockedIncrement.KERNEL32(00000002), ref: 00462842
      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00462876
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Leave$CloseEnterHandleIncrementInterlocked
      • String ID:
      • API String ID: 2221547374-0
      • Opcode ID: 423f9921a6aae2c53b492aa1a37c348a36f6da3c05878f7bc167d0f01b2d4af8
      • Instruction ID: cedc09605930e013a6394a9126f218496ba3b8e852b7b00c7a2293f994959775
      • Opcode Fuzzy Hash: 423f9921a6aae2c53b492aa1a37c348a36f6da3c05878f7bc167d0f01b2d4af8
      • Instruction Fuzzy Hash: B751C171D00759ABDB10DFA9C980BAEBBB4EF59310F14462AE851B3241E7786A04CBA5
      Uniqueness

      Uniqueness Score: -1.00%
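The per-function metadata the listing prints under each routine (the "C-Code - Quality" line, the function header, the "APIs" bullets with their `ref:` call-site addresses and "Part of subcall function" prefixes, and the "Similarity" lines) is regular enough to parse, which is how a triager turns a report this long into a table of which routines touch which Win32 APIs. The parser below is an added example written for this page; it is not part of the report or of Joe Sandbox's tooling. The sample text it parses is constructed from three fragments copied from this listing and trimmed to the lines the parser reads.

```python
"""Parser for the per-function metadata that a Joe Sandbox decompile
listing prints under each routine (the "C-Code - Quality", function
header, "APIs" and "Similarity" lines). Added example; not part of the
report or of Joe Sandbox."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ApiCall:
    api: str              # e.g. "CloseHandle"
    module: str           # e.g. "KERNEL32"
    args: List[str]       # argument tokens as printed ("?" = unresolved)
    ref: int              # address of the call instruction
    via: Optional[int]    # callee address when listed as "Part of subcall function"


@dataclass
class Function:
    address: int
    quality: Optional[int] = None
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""


_RE_QUALITY = re.compile(r"^\s*C-Code - Quality:\s*(\d+)%")
_RE_HEADER = re.compile(r"^\s*([EL][0-9A-Fa-f]{8})\(.*\)\s*\{\s*$")
_RE_API = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
    r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})\s*$"
)
_RE_API_ID = re.compile(r"^\s*•\s*API ID:\s*(.*?)\s*$")
_RE_FUZZY = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)")


def parse_listing(text: str) -> Dict[int, Function]:
    """Return {function address: Function} for every routine in the listing."""
    funcs: Dict[int, Function] = {}
    current: Optional[Function] = None
    pending_quality: Optional[int] = None
    for line in text.splitlines():
        m = _RE_QUALITY.match(line)
        if m:                                   # precedes the header it describes
            pending_quality = int(m.group(1))
            continue
        m = _RE_HEADER.match(line)
        if m:
            current = Function(int(m.group(1)[1:], 16), pending_quality)
            funcs[current.address] = current
            pending_quality = None
            continue
        if current is None:
            continue
        m = _RE_API.match(line)
        if m:
            via, api, module, args, ref = m.groups()
            current.calls.append(ApiCall(
                api, module,
                [a.strip() for a in args.split(",")] if args else [],
                int(ref, 16),
                int(via, 16) if via else None))
            continue
        m = _RE_API_ID.match(line)
        if m:
            current.api_id = m.group(1)
            continue
        m = _RE_FUZZY.match(line)
        if m:
            current.fuzzy_hash = m.group(1)
    return funcs


def functions_calling(funcs: Dict[int, Function], api: str,
                      include_subcalls: bool = False) -> List[int]:
    """Addresses of routines that call `api`, optionally through a callee."""
    return sorted(
        addr for addr, fn in funcs.items()
        if any(c.api == api and (include_subcalls or c.via is None) for c in fn.calls))


def imports_used(funcs: Dict[int, Function]) -> Dict[str, set]:
    """Module -> set of API names seen anywhere in the listing."""
    out: Dict[str, set] = {}
    for fn in funcs.values():
        for c in fn.calls:
            out.setdefault(c.module, set()).add(c.api)
    return out


# Constructed sample: three fragments copied from this report's listing,
# trimmed to the lines the parser reads.
SAMPLE = """\
C-Code - Quality: 98%
            E00419060(intOrPtr* __ecx, intOrPtr _a4, void* _a8) {
APIs
• InterlockedIncrement.KERNEL32(?), ref: 004190C7
• InterlockedDecrement.KERNEL32(004BCF88), ref: 004190D8
Similarity
• API ID: Interlocked$Decrement$Increment
• Instruction Fuzzy Hash: 1E51E576A00605ABCB10CF29C8949EABBF5FF58310B18856EEC59DB301D735EC85CB94
C-Code - Quality: 85%
            E004628A0(struct _CRITICAL_SECTION* __ecx, signed int _a4, signed int _a8) {
APIs
• EnterCriticalSection.KERNEL32(004C255C,2927074F,00000000), ref: 004628DE
• LeaveCriticalSection.KERNEL32(?,?,?,?,00000024,?,00000038), ref: 0046293D
• InterlockedIncrement.KERNEL32(00000001), ref: 004629CA
• CloseHandle.KERNEL32(00000000,?,?), ref: 004629FC
Similarity
• API ID: CriticalSection$Leave$CloseEnterHandleIncrementInterlocked
C-Code - Quality: 94%
            E00466380(intOrPtr __ecx, void* __eflags) {
APIs
  • Part of subcall function 00467720: InterlockedDecrement.KERNEL32(004BCA18), ref: 00467790
  • Part of subcall function 00468F50: UnmapViewOfFile.KERNEL32(00000000,004BCA10), ref: 00468F5E
• DeleteFileW.KERNEL32(00000000,0077A1E8), ref: 004663E6
• VirtualFree.KERNEL32(00000000,00000000,00004000), ref: 004664A2
Similarity
• API ID: Free$Virtual$DeleteFile$CriticalDecrementInterlockedSectionStringUnmapView
"""

if __name__ == "__main__":
    fns = parse_listing(SAMPLE)
    for addr in functions_calling(fns, "CloseHandle"):
        print(f"{addr:08X} calls CloseHandle")
    print(imports_used(fns))
```

The `via` field keeps direct calls apart from the ones the report attributes to a callee ("Part of subcall function"), so a query such as "which routines free memory themselves" does not get polluted by everything that merely reaches a destructor. Run the parser over the whole saved listing rather than the sample to get the real table.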

      C-Code - Quality: 98%
      			E00419060(intOrPtr* __ecx, intOrPtr _a4, void* _a8) {
      				intOrPtr _v8;
      				intOrPtr* _v12;
      				intOrPtr _t49;
      				intOrPtr _t51;
      				intOrPtr _t64;
      				intOrPtr _t71;
      				intOrPtr** _t81;
      				intOrPtr* _t82;
      				intOrPtr _t84;
      				intOrPtr* _t88;
      				intOrPtr* _t92;
      				intOrPtr _t93;
      				intOrPtr _t96;
      				intOrPtr* _t97;
      				intOrPtr* _t100;
      				intOrPtr _t102;
      				intOrPtr _t103;
      				intOrPtr _t105;
      				intOrPtr* _t107;
      				intOrPtr* _t108;
      				intOrPtr _t110;
      				void* _t114;
      				void* _t120;
      
      				_t49 = _a4;
      				_t81 = __ecx;
      				_t107 =  *((intOrPtr*)(__ecx));
      				_t2 = _t81 + 4; // 0x77a1e8
      				_t96 =  *_t2;
      				if(_t107 == _t96) {
      					L4:
      					_t3 = _t81 + 0xc; // 0x780350
      					_t108 =  *_t3;
      					_t82 = _t81 + 0xc;
      					_v12 = _t82;
      					_t97 = _t108;
      					_t88 =  *((intOrPtr*)(_t108 + 4));
      					while( *((char*)(_t88 + 0xd)) == 0) {
      						if( *((intOrPtr*)(_t88 + 0x10)) >= _t49) {
      							_t97 = _t88;
      							_t88 =  *_t88;
      						} else {
      							_t88 =  *((intOrPtr*)(_t88 + 8));
      						}
      					}
      					if(_t97 == _t108) {
      						L24:
      						_v8 = _t108;
      					} else {
      						_v8 = _t97;
      						if(_t49 <  *((intOrPtr*)(_t97 + 0x10))) {
      							goto L24;
      						}
      					}
      					_t110 = _v8;
      					if(_t110 ==  *_t82) {
      						goto L32;
      					} else {
      						_t100 = _a8;
      						_t51 =  *((intOrPtr*)(_t110 + 0x14));
      						_t84 =  *_t100;
      						 *_t100 = _t51;
      						if(_t51 != 0) {
      							InterlockedIncrement(_t51 + 0x578);
      						}
      						if(_t84 != 0) {
      							_t38 = _t84 + 0x578; // 0x4bcfd4
      							if(InterlockedDecrement(_t38) < 2) {
      								E00467460(_t84, _t60);
      							}
      						}
      						 *((intOrPtr*)(_t100 + 4)) =  *((intOrPtr*)(_t110 + 0x18));
      						 *((char*)(_t100 + 8)) =  *((intOrPtr*)(_t110 + 0x1c));
      						 *((intOrPtr*)(_t100 + 0xc)) =  *((intOrPtr*)(_t110 + 0x20));
      						 *((intOrPtr*)(_t100 + 0x10)) =  *((intOrPtr*)(_t110 + 0x24));
      						E0041A1A0(_v12,  &_a8, _t110);
      						return 1;
      					}
      				} else {
      					while(1) {
      						_t120 = _t49 -  *_t107;
      						if(_t120 == 0) {
      							_t92 = _a8;
      							_t64 =  *((intOrPtr*)(_t107 + 4));
      							_t102 =  *_t92;
      							 *_t92 = _t64;
      							if(_t64 != 0) {
      								InterlockedIncrement(_t64 + 0x578);
      							}
      							break;
      						}
      						if(_t120 > 0) {
      							L32:
      							return 0;
      						} else {
      							_t107 = _t107 + 0x18;
      							if(_t107 != _t96) {
      								continue;
      							} else {
      								goto L4;
      							}
      						}
      						goto L33;
      					}
      					if(_t102 != 0) {
      						_t11 = _t102 + 0x578; // 0x4bcf88
      						if(InterlockedDecrement(_t11) < 2) {
      							E00467460(_t102, _t76);
      						}
      					}
      					_t93 = _a8;
      					_push(_a8);
      					 *((intOrPtr*)(_t93 + 4)) =  *((intOrPtr*)(_t107 + 8));
      					 *((char*)(_t93 + 8)) =  *((intOrPtr*)(_t107 + 0xc));
      					 *((intOrPtr*)(_t93 + 0xc)) =  *((intOrPtr*)(_t107 + 0x10));
      					 *((intOrPtr*)(_t93 + 0x10)) =  *((intOrPtr*)(_t107 + 0x14));
      					_t22 = _t81 + 4; // 0x77a1e8
      					E00414E60(_t107 + 0x18,  *_t22, _t107);
      					_t23 = _t81 + 4; // 0x77a1e8
      					_t103 =  *_t23;
      					_a8 = _t103;
      					_t25 = _t103 - 0x18; // 0x77a1d0
      					_t114 = _t25;
      					if(_t114 != _t103) {
      						_t71 = _t103;
      						do {
      							_t105 =  *((intOrPtr*)(_t114 + 4));
      							if(_t105 != 0) {
      								if(InterlockedDecrement(_t105 + 0x578) < 2) {
      									E00467460(_t105, _t73);
      								}
      								_t71 = _a8;
      							}
      							_t114 = _t114 + 0x18;
      						} while (_t114 != _t71);
      					}
      					 *((intOrPtr*)(_t81 + 4)) =  *((intOrPtr*)(_t81 + 4)) + 0xffffffe8;
      					return 1;
      				}
      				L33:
      			}
      0x00419063
      0x0041906a
      0x0041906e
      0x00419070
      0x00419070
      0x00419075
      0x0041908a
      0x0041908a
      0x0041908a
      0x0041908d
      0x00419090
      0x00419093
      0x00419095
      0x0041909c
      0x004190a5
      0x00419162
      0x00419164
      0x004190ab
      0x004190ab
      0x004190ab
      0x00419166
      0x00419172
      0x0041917c
      0x0041917c
      0x00419174
      0x00419174
      0x0041917a
      0x00000000
      0x00000000
      0x0041917a
      0x00419182
      0x00419186
      0x00000000
      0x00419188
      0x00419188
      0x0041918b
      0x0041918e
      0x00419190
      0x00419194
      0x0041919c
      0x0041919c
      0x004191a4
      0x004191a6
      0x004191b6
      0x004191bb
      0x004191bb
      0x004191b6
      0x004191c6
      0x004191cc
      0x004191d2
      0x004191d8
      0x004191e0
      0x004191ed
      0x004191ed
      0x00419077
      0x00419077
      0x00419079
      0x0041907b
      0x004190b3
      0x004190b6
      0x004190b9
      0x004190bb
      0x004190bf
      0x004190c7
      0x004190c7
      0x00000000
      0x004190bf
      0x0041907d
      0x004191f0
      0x004191f8
      0x00419083
      0x00419083
      0x00419088
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00419088
      0x00000000
      0x0041907d
      0x004190cf
      0x004190d1
      0x004190e1
      0x004190e6
      0x004190e6
      0x004190e1
      0x004190eb
      0x004190f1
      0x004190f4
      0x004190fa
      0x00419100
      0x00419107
      0x0041910d
      0x00419111
      0x00419116
      0x00419116
      0x0041911c
      0x0041911f
      0x0041911f
      0x00419124
      0x00419126
      0x00419128
      0x00419128
      0x0041912d
      0x0041913f
      0x00419144
      0x00419144
      0x00419149
      0x00419149
      0x0041914c
      0x0041914f
      0x00419128
      0x00419153
      0x0041915f
      0x0041915f
      0x00000000

      APIs
      • InterlockedIncrement.KERNEL32(?), ref: 004190C7
      • InterlockedDecrement.KERNEL32(004BCF88), ref: 004190D8
      • InterlockedDecrement.KERNEL32(?), ref: 00419136
      • InterlockedIncrement.KERNEL32(?), ref: 0041919C
      • InterlockedDecrement.KERNEL32(004BCFD4), ref: 004191AD
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Interlocked$Decrement$Increment
      • String ID:
      • API String ID: 2574743344-0
      • Opcode ID: ce6c10cb85c5e899a59e551a18fcc09f9aeb76f26506662f460078190bbda19a
      • Instruction ID: c5f395b23be86c51c3bcb69469e3992ff501c2e5de10b96fbc0d2ca5f588a2a2
      • Opcode Fuzzy Hash: ce6c10cb85c5e899a59e551a18fcc09f9aeb76f26506662f460078190bbda19a
      • Instruction Fuzzy Hash: 1E51E576A00605ABCB10CF29C8949EABBF5FF58310B18856EEC59DB301D735EC85CB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E004628A0(struct _CRITICAL_SECTION* __ecx, signed int _a4, signed int _a8) {
      				char _v8;
      				char _v16;
      				intOrPtr* _v20;
      				char _v24;
      				struct _CRITICAL_SECTION* _v28;
      				signed int _v32;
      				struct _CRITICAL_SECTION* _v36;
      				char _v40;
      				void* __ebx;
      				void* __edi;
      				signed int _t41;
      				intOrPtr* _t45;
      				intOrPtr _t47;
      				void* _t62;
      				struct _CRITICAL_SECTION* _t65;
      				intOrPtr* _t70;
      				intOrPtr* _t79;
      				struct _CRITICAL_SECTION* _t83;
      				signed int _t89;
      				struct _CRITICAL_SECTION* _t90;
      				struct _CRITICAL_SECTION** _t91;
      				signed int _t94;
      
      				_push(0xffffffff);
      				_push(E0048C730);
      				_push( *[fs:0x0]);
      				_t41 =  *0x4bb1dc; // 0x2927074f
      				_push(_t41 ^ _t94);
      				 *[fs:0x0] =  &_v16;
      				_t65 = __ecx;
      				_v28 = __ecx;
      				_t89 = (_a8 & 0x000000ff) << 0x00000010 | _a4 & 0x0000ffff;
      				_v36 = __ecx;
      				EnterCriticalSection(__ecx);
      				_t6 = _t65 + 0x1c; // 0x784770
      				_t45 =  *_t6;
      				_t79 = _t45;
      				_v8 = 0;
      				_t70 =  *((intOrPtr*)(_t45 + 4));
      				if( *((char*)(_t70 + 0xd)) != 0) {
      					L6:
      					if(_t79 == _t45) {
      						L8:
      						_v20 = _t45;
      						L9:
      						_t47 = _v20;
      						_t17 = _t65 + 0x1c; // 0x784770
      						if(_t47 ==  *_t17) {
      							_v32 = _t89;
      							_t90 = E0046A6C0(_t65, 0x48fc20, E0046A530(0x48fc20));
      							_v28 = _t90;
      							_v8 = 1;
      							_t28 = _t65 + 0x1c; // 0x4c2578
      							E004622F0(_t28,  &_v24, 0,  &_v32,  *0x4c2580 & 0x000000ff);
      							_v8 = 0;
      							__eflags = _t90;
      							if(__eflags != 0) {
      								E0046A700(_t90);
      							}
      							_t83 = _v24 + 0x14;
      							_v8 = 0xffffffff;
      							LeaveCriticalSection(_t65);
      							_push(0xc);
      							_t91 = E0046EEB6(_t65, _t83, __eflags);
      							InterlockedIncrement(_t65 + 0x18);
      							_t91[1] = _a4;
      							_t91[1] = _a8;
      							 *_t91 = _t65;
      							_t91[2] = _t83;
      							CloseHandle(E00472D60(0, 0, E00462C30, _t91, 0,  &_v40));
      							__eflags = 0;
      							 *[fs:0x0] = _v16;
      							return 0;
      						} else {
      							_t18 = _t47 + 0x14; // 0x784784
      							_t62 = E0046A720(_t18);
      							LeaveCriticalSection(_v28);
      							 *[fs:0x0] = _v16;
      							return _t65 & 0xffffff00 | _t62 != 0x00000000;
      						}
      					}
      					_v20 = _t79;
      					if(_t89 >=  *((intOrPtr*)(_t79 + 0x10))) {
      						goto L9;
      					}
      					goto L8;
      				}
      				do {
      					if( *((intOrPtr*)(_t70 + 0x10)) >= _t89) {
      						_t79 = _t70;
      						_t70 =  *_t70;
      					} else {
      						_t70 =  *((intOrPtr*)(_t70 + 8));
      					}
      				} while ( *((char*)(_t70 + 0xd)) == 0);
      				goto L6;
      			}
      0x004628a3
      0x004628a5
      0x004628b0
      0x004628b7
      0x004628be
      0x004628c2
      0x004628c8
      0x004628ca
      0x004628d9
      0x004628db
      0x004628de
      0x004628e4
      0x004628e4
      0x004628e7
      0x004628e9
      0x004628f0
      0x004628f7
      0x00462914
      0x00462916
      0x00462920
      0x00462920
      0x00462923
      0x00462926
      0x00462928
      0x0046292b
      0x0046295e
      0x00462971
      0x00462976
      0x0046298a
      0x0046298f
      0x00462992
      0x00462997
      0x0046299b
      0x0046299d
      0x004629a1
      0x004629a1
      0x004629aa
      0x004629ad
      0x004629b4
      0x004629ba
      0x004629c7
      0x004629ca
      0x004629d4
      0x004629db
      0x004629ee
      0x004629f0
      0x004629fc
      0x00462a02
      0x00462a07
      0x00462a15
      0x0046292d
      0x0046292d
      0x00462930
      0x0046293d
      0x00462948
      0x00462956
      0x00462956
      0x0046292b
      0x00462918
      0x0046291e
      0x00000000
      0x00000000
      0x00000000
      0x0046291e
      0x00462900
      0x00462903
      0x0046290a
      0x0046290c
      0x00462905
      0x00462905
      0x00462905
      0x0046290e
      0x00000000

      APIs
      • EnterCriticalSection.KERNEL32(004C255C,2927074F,00000000,?,?,?,?,00000024,?,00000038,?), ref: 004628DE
      • LeaveCriticalSection.KERNEL32(?,?,?,?,00000024,?,00000038), ref: 0046293D
      • LeaveCriticalSection.KERNEL32(004C255C,?,00000000,?,?,?,?,?,?,?,00000024,?,00000038), ref: 004629B4
      • InterlockedIncrement.KERNEL32(00000001), ref: 004629CA
      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000024,?,00000038), ref: 004629FC
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Leave$CloseEnterHandleIncrementInterlocked
      • String ID:
      • API String ID: 2221547374-0
      • Opcode ID: 03e68234a9fcdbb8afb072d532f2f8bd97af3e95e7e93558d42f7c575236c8b2
      • Instruction ID: f4dabaf2f29fb71a1846d6770473eb9346aa305de83060fe4d78d51c51e3c16b
      • Opcode Fuzzy Hash: 03e68234a9fcdbb8afb072d532f2f8bd97af3e95e7e93558d42f7c575236c8b2
      • Instruction Fuzzy Hash: F441F8B1A00218AFCB10DF54D941BAFBBB4FB44710F10856FEC55A7381E7789905CBAA
      Uniqueness

      Uniqueness Score: -1.00%
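The do/while loop in E004628A0, and the identical loop in the second half of E00419060, walk nodes through fixed offsets: +0x0 and +0x8 are the left and right children, +0x4 of the head is the root, the byte at +0xd ends the walk, +0x10 is compared against the key and +0x14 holds the value. That is the 32-bit MSVC STL `_Tree_node` layout (left, parent, right, colour, nil flag, then the stored pair), so the loop is `std::map::lower_bound` and the two checks that follow it (`_t79 == _t45`, then `_t89 < *(_t79 + 0x10)`) are what `find()` adds on top. The key is the composite `(_a8 & 0xff) << 16 | _a4 & 0xffff` computed before `EnterCriticalSection`. The Python below is an added reconstruction written for this page, not code from the sample: it mirrors the walk line for line so the pattern is recognisable elsewhere in the listing, and adds a plain unbalanced insert (the walk never looks at the colour byte, so rebalancing is not needed to exercise it). `find_or_create` and its `make_value` callback are an assumption about the shape of the miss path, which in the sample allocates a 0xc-byte context and hands it to a worker thread.

```python
"""Reconstruction of the tree walk in E004628A0 (and the second half of
E00419060) as readable Python. Added example; it is not code from the
sample. Node field order follows what the decompiler shows: left (+0),
parent (+4), right (+8), end-marker byte (+0xd), key (+0x10), value
(+0x14), i.e. the 32-bit MSVC STL _Tree_node layout, with a head
sentinel whose +4 slot is the root and which all leaf pointers point to."""
from typing import Any, Optional


class Node:
    __slots__ = ("left", "parent", "right", "isnil", "key", "value")

    def __init__(self, key: Optional[int] = None, value: Any = None, isnil: bool = False):
        self.left = self.parent = self.right = self   # replaced on insert
        self.isnil = isnil       # the byte at +0xd; non-zero only on the head
        self.key = key
        self.value = value


def make_head() -> Node:
    """Empty map: head is its own root/leftmost/rightmost and doubles as end()."""
    return Node(isnil=True)


def composite_key(a4: int, a8: int) -> int:
    # E004628A0: _t89 = (_a8 & 0x000000ff) << 0x10 | _a4 & 0x0000ffff
    return (a8 & 0xFF) << 16 | (a4 & 0xFFFF)


def lower_bound(head: Node, key: int) -> Node:
    """The do/while loop: first node whose key >= `key`, else head (end())."""
    result, node = head, head.parent              # _t79 = head; _t70 = *(head + 4)
    while not node.isnil:                         # *(char*)(_t70 + 0xd) == 0
        if node.key >= key:                       # *(_t70 + 0x10) >= _t89
            result, node = node, node.left        # _t79 = _t70; _t70 = *_t70
        else:
            node = node.right                     # _t70 = *(_t70 + 8)
    return result


def find(head: Node, key: int) -> Node:
    """lower_bound plus the two checks at L6/L8: a miss yields end()."""
    node = lower_bound(head, key)
    if node is head or key < node.key:            # _t79 == _t45  /  _t89 < *(_t79 + 0x10)
        return head
    return node


def insert(head: Node, key: int, value: Any) -> Node:
    """Plain BST insert that keeps the MSVC invariants (root at head.parent,
    leftmost/rightmost at head.left/head.right, leaves pointing at head).
    No rebalancing: the walk above never reads the colour byte."""
    new = Node(key, value)
    new.left = new.right = head                   # leaves point at the sentinel
    if head.parent is head:                       # empty tree
        head.parent = head.left = head.right = new
        new.parent = head
        return new
    node = head.parent
    while True:
        if key < node.key:
            if node.left is head:
                node.left = new
                break
            node = node.left
        elif key > node.key:
            if node.right is head:
                node.right = new
                break
            node = node.right
        else:
            node.value = value                    # existing key: overwrite
            return node
    new.parent = node
    if key < head.left.key:                       # keep leftmost/rightmost
        head.left = new
    if key > head.right.key:
        head.right = new
    return new


def find_or_create(head: Node, a4: int, a8: int, make_value) -> Any:
    """Assumed shape of E004628A0: look the composite key up; on a hit use
    the stored value, on a miss insert one built by `make_value` (in the
    sample that miss path also starts a worker thread)."""
    key = composite_key(a4, a8)
    node = find(head, key)
    if node is head:
        node = insert(head, key, make_value(key))
    return node.value
```

When reading other routines in this listing, the same three tells (a `+0xd` byte test, a `>=` compare on `+0x10` with the left child taken on success, and an `== head` check afterwards) identify a `std::map` lookup without having to reconstruct the rest of the container; the sorted-array scan with stride 0x18 that precedes the map walk in E00419060 is a separate container and is not modelled here.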

      C-Code - Quality: 94%
      			E00466380(intOrPtr __ecx, void* __eflags) {
      				char _v8;
      				char _v16;
      				char _v20;
      				intOrPtr _v24;
      				char _v28;
      				void* __ebx;
      				signed int _t47;
      				intOrPtr* _t53;
      				intOrPtr* _t55;
      				signed int _t58;
      				void* _t66;
      				intOrPtr _t77;
      				intOrPtr* _t81;
      				intOrPtr* _t83;
      				intOrPtr* _t98;
      				intOrPtr* _t99;
      				signed int _t100;
      				void* _t101;
      				void* _t102;
      				void* _t103;
      
      				_push(0xffffffff);
      				_push(E0048CBBC);
      				_push( *[fs:0x0]);
      				_t102 = _t101 - 0xc;
      				_t47 =  *0x4bb1dc; // 0x2927074f
      				_push(_t47 ^ _t100);
      				 *[fs:0x0] =  &_v16;
      				_t77 = __ecx;
      				_v24 = __ecx;
      				_v8 = 5;
      				E00467720(__ecx, __ecx, __eflags,  &_v20);
      				_v8 = 6;
      				E00468F50(__ecx);
      				if( *((char*)(_t77 + 0x580)) != 0 && E0046A720( &_v20) != 0) {
      					DeleteFileW(E0046A170( &_v20));
      				}
      				_t9 = _t77 + 0x584; // 0x0
      				_t53 =  *_t9;
      				_t81 =  *_t53;
      				 *_t53 = _t53;
      				_t10 = _t77 + 0x584; // 0x0
      				 *((intOrPtr*)( *_t10 + 4)) =  *_t10;
      				 *(_t77 + 0x588) = 0;
      				_t13 = _t77 + 0x584; // 0x0
      				if(_t81 !=  *_t13) {
      					do {
      						_t99 =  *_t81;
      						E0046EF07(_t81);
      						_t102 = _t102 + 4;
      						_t81 = _t99;
      						_t14 = _t77 + 0x584; // 0x0
      					} while (_t99 !=  *_t14);
      				}
      				_t82 = _v20;
      				_v8 = 5;
      				if(_v20 != 0) {
      					E0046A700(_t82);
      				}
      				_t17 = _t77 + 0x584; // 0x0
      				_t55 =  *_t17;
      				_t83 =  *_t55;
      				 *_t55 = _t55;
      				_t18 = _t77 + 0x584; // 0x0
      				 *((intOrPtr*)( *_t18 + 4)) =  *_t18;
      				 *(_t77 + 0x588) = 0;
      				_t21 = _t77 + 0x584; // 0x0
      				if(_t83 !=  *_t21) {
      					do {
      						_t98 =  *_t83;
      						E0046EF07(_t83);
      						_t102 = _t102 + 4;
      						_t83 = _t98;
      						_t22 = _t77 + 0x584; // 0x0
      					} while (_t98 !=  *_t22);
      				}
      				_t23 = _t77 + 0x584; // 0x0
      				E0046EF07( *_t23);
      				_t24 = _t77 + 0x574; // 0x0
      				_t58 =  *_t24;
      				_t103 = _t102 + 4;
      				if(_t58 == 0) {
      					_t28 = _t77 + 0x568; // 0x0
      					E0047040C( *_t28);
      					_t103 = _t103 + 4;
      					 *(_t77 + 0x568) = 0;
      				} else {
      					_t27 = _t77 + 0x568; // 0x0
      					VirtualFree( *_t27, _t58 + _t58 * 4, 0x4000);
      				}
      				_t114 =  *(_t77 + 0x574);
      				 *(_t77 + 0x56c) = 0;
      				 *(_t77 + 0x570) = 0;
      				if( *(_t77 + 0x574) != 0) {
      					_t33 = _t77 + 0x568; // 0x0
      					VirtualFree( *_t33, 0, 0x8000);
      				}
      				_t34 = _t77 + 0x51c; // 0x4bcf2c
      				_v8 = 2;
      				E00415C50(_t34);
      				_t36 = _t77 + 0x504; // 0x0
      				_t37 = _t77 + 0x4ec; // 0x4bcefc
      				_t93 = _t37;
      				_t38 = _t93 + 0x18; // 0x4bcf14
      				E0045E260(_t38,  &_v28,  *((intOrPtr*)( *_t36)),  *_t36);
      				_t40 = _t93 + 0x18; // 0x0
      				E0046EF07( *_t40);
      				DeleteCriticalSection(_t37);
      				_t41 = _t77 + 0x4b8; // 0x4bcec8
      				_v8 = 0;
      				E0040DB40(_t41);
      				_v8 = 0xffffffff;
      				_t66 = E00415CF0(_t114);
      				 *[fs:0x0] = _v16;
      				return _t66;
      			}
      0x00466383
      0x00466385
      0x00466390
      0x00466391
      0x00466397
      0x0046639e
      0x004663a2
      0x004663a8
      0x004663aa
      0x004663b0
      0x004663b8
      0x004663bf
      0x004663c3
      0x004663cf
      0x004663e6
      0x004663e6
      0x004663ec
      0x004663ec
      0x004663f2
      0x004663f4
      0x004663f6
      0x004663fc
      0x004663ff
      0x00466409
      0x0046640f
      0x00466411
      0x00466411
      0x00466414
      0x00466419
      0x0046641c
      0x0046641e
      0x0046641e
      0x00466411
      0x00466426
      0x00466429
      0x0046642f
      0x00466431
      0x00466431
      0x00466436
      0x00466436
      0x0046643c
      0x0046643e
      0x00466440
      0x00466446
      0x00466449
      0x00466453
      0x00466459
      0x00466460
      0x00466460
      0x00466463
      0x00466468
      0x0046646b
      0x0046646d
      0x0046646d
      0x00466460
      0x00466475
      0x0046647b
      0x00466480
      0x00466480
      0x00466486
      0x00466491
      0x004664a6
      0x004664ac
      0x004664b1
      0x004664b4
      0x00466493
      0x0046649c
      0x004664a2
      0x004664a2
      0x004664be
      0x004664c5
      0x004664cf
      0x004664d9
      0x004664e2
      0x004664e8
      0x004664e8
      0x004664ea
      0x004664f0
      0x004664f4
      0x004664f9
      0x004664ff
      0x004664ff
      0x00466506
      0x0046650f
      0x00466514
      0x00466517
      0x00466520
      0x00466526
      0x0046652c
      0x00466530
      0x0046653b
      0x00466542
      0x0046654a
      0x00466558

      APIs
        • Part of subcall function 00467720: InterlockedDecrement.KERNEL32(004BCA18), ref: 00467790
        • Part of subcall function 00467720: SysFreeString.OLEAUT32(00000000), ref: 004677A5
        • Part of subcall function 00468F50: UnmapViewOfFile.KERNEL32(00000000,004BCA10,004663C8,0077A1E8,2927074F,004BCA10,004BCA10,0077A1E8,0077A1E8,0077A1E8), ref: 00468F5E
        • Part of subcall function 00468F50: VirtualFree.KERNEL32(00000000,00000000,00004000,004BCA10,004663C8,0077A1E8,2927074F,004BCA10,004BCA10,0077A1E8,0077A1E8,0077A1E8), ref: 00468F9C
      • DeleteFileW.KERNEL32(00000000,0077A1E8,2927074F,004BCA10,004BCA10,0077A1E8,0077A1E8,0077A1E8), ref: 004663E6
      • VirtualFree.KERNEL32(00000000,00000000,00004000,0077A1E8,0077A1E8,0077A1E8), ref: 004664A2
      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,0077A1E8,0077A1E8,0077A1E8), ref: 004664E8
      • DeleteCriticalSection.KERNEL32(004BCEFC,00000000,?,0077A1E8,0077A1E8,0077A1E8), ref: 00466520
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Free$Virtual$DeleteFile$CriticalDecrementInterlockedSectionStringUnmapView
      • String ID:
      • API String ID: 791553281-0
      • Opcode ID: 93716766afa78805105b53e0cdf5bcc98f90819cc8a3efc3b08823de0462adb8
      • Instruction ID: bc0e6185c501654d1f7e49a1e199b274b37556a4cc12c51c8c29d5ba50207cdc
      • Opcode Fuzzy Hash: 93716766afa78805105b53e0cdf5bcc98f90819cc8a3efc3b08823de0462adb8
      • Instruction Fuzzy Hash: DB5170B0500604DFCF14DF65CD85BAA7BB4AF04305F0541BAEC09AF296EB396904CF6A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 72%
      			E0041E160(void* __ebx, void* __edi, signed int _a4, signed int _a8, short* _a12, intOrPtr _a16) {
      				char _v8;
      				char _v16;
      				struct _CRITICAL_SECTION* _v20;
      				signed int _t37;
      				short* _t43;
      				signed int _t45;
      				struct _CRITICAL_SECTION* _t51;
      				signed int _t52;
      				intOrPtr _t56;
      				struct _CRITICAL_SECTION* _t62;
      				signed int _t64;
      
      				_push(0xffffffff);
      				_push(E00487960);
      				_push( *[fs:0x0]);
      				_push(_t51);
      				_t37 =  *0x4bb1dc; // 0x2927074f
      				_push(_t37 ^ _t64);
      				 *[fs:0x0] =  &_v16;
      				_t62 = _t51;
      				_v20 = _t62;
      				EnterCriticalSection(_t62);
      				_t52 = _a4;
      				_v8 = 0;
      				if(_t52 >=  *((intOrPtr*)(_t62 + 0x34)) -  *((intOrPtr*)(_t62 + 0x30)) >> 2) {
      					L18:
      					_t43 = _a12;
      					 *_t43 = 0;
      					L19:
      					LeaveCriticalSection(_t62);
      					 *[fs:0x0] = _v16;
      					return _t43;
      				}
      				_t56 =  *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x30)) + _t52 * 4));
      				_t45 = _a8;
      				if(_t45 > 7) {
      					goto L18;
      				}
      				switch( *((intOrPtr*)(_t45 * 4 +  &M0041E2DC))) {
      					case 0:
      						E00467720(__ebx, _t56, _t68,  &_a4);
      						_v8 = 1;
      						if(E0046A720( &_a4) == 0) {
      							_push(L"<pagefile>");
      						} else {
      							_push(E0046A170( &_a4));
      						}
      						_push(_a16);
      						_push(_a12);
      						_t43 = E0046EF0C();
      						_t58 = _a4;
      						_v8 = 0;
      						if(_a4 != 0) {
      							_t43 = E0046A700(_t58);
      						}
      						goto L19;
      					case 1:
      						__eax = E004168B0(__ecx);
      						goto L9;
      					case 2:
      						__eax = E00436D00(__ebx, __edi, _a12, _a16,  *((intOrPtr*)(__ecx + 0x4b0)),  *((intOrPtr*)(__ecx + 0x4b4)));
      						goto L19;
      					case 3:
      						 *((intOrPtr*)(__ecx + 0x578)) =  *((intOrPtr*)(__ecx + 0x578)) - 1;
      						asm("cdq");
      						__eax = E00436D00(__ebx, __edi, _a12, _a16,  *((intOrPtr*)(__ecx + 0x578)) - 1, __edx);
      						goto L19;
      					case 4:
      						__eax =  *((intOrPtr*)(__ecx + 0x518));
      						__eflags = __eax;
      						if(__eax == 0) {
      							__eax =  *((intOrPtr*)(__ecx + 0x508));
      						} else {
      							__eax =  *__eax;
      						}
      						goto L9;
      					case 5:
      						__eax = L0040DE40(__ecx);
      						goto L9;
      					case 6:
      						__eax = L0041DF30(__ecx);
      						L9:
      						__eax = E00436D00(__ebx, __edi, _a12, _a16, __eax, 0);
      						goto L19;
      					case 7:
      						__eax = E00417930(__ecx);
      						__eflags = __al;
      						__edx = L"No";
      						L"Yes" =  ==  ? L"No" : L"Yes";
      						__eax = E0046EF0C(_a12, _a16,  ==  ? L"No" : L"Yes");
      						goto L19;
      				}
      			}
      0x0041e163
      0x0041e165
      0x0041e170
      0x0041e171
      0x0041e173
      0x0041e17a
      0x0041e17e
      0x0041e184
      0x0041e187
      0x0041e18a
      0x0041e196
      0x0041e19c
      0x0041e1a5
      0x0041e2ba
      0x0041e2ba
      0x0041e2bf
      0x0041e2c2
      0x0041e2c3
      0x0041e2cc
      0x0041e2d8
      0x0041e2d8
      0x0041e1ae
      0x0041e1b1
      0x0041e1b7
      0x00000000
      0x00000000
      0x0041e1bd
      0x00000000
      0x0041e1c8
      0x0041e1d0
      0x0041e1db
      0x0041e1e8
      0x0041e1dd
      0x0041e1e5
      0x0041e1e5
      0x0041e1ed
      0x0041e1f0
      0x0041e1f3
      0x0041e1f8
      0x0041e1fe
      0x0041e204
      0x0041e20a
      0x0041e20a
      0x00000000
      0x00000000
      0x0041e214
      0x00000000
      0x00000000
      0x0041e241
      0x00000000
      0x00000000
      0x0041e251
      0x0041e252
      0x0041e25b
      0x00000000
      0x00000000
      0x0041e265
      0x0041e26b
      0x0041e26d
      0x0041e273
      0x0041e26f
      0x0041e26f
      0x0041e26f
      0x00000000
      0x00000000
      0x0041e281
      0x00000000
      0x00000000
      0x0041e28e
      0x0041e219
      0x0041e222
      0x00000000
      0x00000000
      0x0041e295
      0x0041e29a
      0x0041e29c
      0x0041e2a6
      0x0041e2b0
      0x00000000
      0x00000000

      APIs
      • EnterCriticalSection.KERNEL32(?,2927074F,?,?,?,00487960,000000FF), ref: 0041E18A
      • LeaveCriticalSection.KERNEL32(?,?,2927074F,?,?,?,00487960,000000FF), ref: 0041E2C3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave
      • String ID: ,zI$<pagefile>$Yes
      • API String ID: 3168844106-819533410
      • Opcode ID: 3f2cb7dfd06655bd979eade8df60a39856009fb96dc42c024fb0bdb134038b48
      • Instruction ID: 04a9bdd30fb4af8374fc74d1ac8cb315f4c31c5c6facfc552ec1caf549e50560
      • Opcode Fuzzy Hash: 3f2cb7dfd06655bd979eade8df60a39856009fb96dc42c024fb0bdb134038b48
      • Instruction Fuzzy Hash: 8441EF75604504EBDB00EF56DC15AEE37A8FF05304F1444AEFD0287291EB3AAA619B6A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E00426A50(signed int __edx, struct HWND__* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
      				signed int _v8;
      				short _v528;
      				intOrPtr* _v532;
      				int _v536;
      				int _v544;
      				WCHAR* _v552;
      				intOrPtr _v556;
      				signed int _v560;
      				void* _v564;
      				intOrPtr _v568;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t38;
      				void* _t64;
      				void* _t67;
      				void* _t68;
      				signed short _t71;
      				signed int _t74;
      				struct HWND__* _t76;
      				void* _t77;
      				void* _t78;
      				int _t80;
      				void* _t81;
      				void* _t82;
      				signed int _t83;
      				void* _t84;
      
      				_t74 = __edx;
      				_t38 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t38 ^ _t83;
      				asm("xorps xmm0, xmm0");
      				_v532 = _a8;
      				_t76 = _a4;
      				_v568 = _a12;
      				_v564 = 0;
      				asm("movdqu [ebp-0x22c], xmm0");
      				_v536 = 0;
      				asm("movq [ebp-0x21c], xmm0");
      				do {
      				} while (SendMessageW(_t76, 0x101c, 0, 0) != 0);
      				_t80 = 0;
      				_v564 = 0xf;
      				_v552 =  &_v528;
      				if(_a16 <= 0) {
      					L8:
      					if(E00426300( *_v532) != 0) {
      						_v564 = 1;
      						SendMessageW(_t76, 0x105f, 0,  &_v564);
      						_v560 = _v560 | 0x00000001;
      						_v564 = 1;
      						SendMessageW(_t76, 0x1060, 0,  &_v564);
      					}
      					_pop(_t77);
      					_pop(_t81);
      					_pop(_t67);
      					return E0046F77E(_t67, _v8 ^ _t83, _t74, _t77, _t81);
      				} else {
      					do {
      						LoadStringW( *0x4bd2c4,  *(_v532 + _t80 * 4),  &_v528, 0x104);
      						_v544 = _t80;
      						_t71 =  *(_v568 + _t80 * 2) & 0x0000ffff;
      						asm("cdq");
      						_v556 = (_t71 ^ _t74) - _t74;
      						if(_t71 < 0) {
      							L5:
      							_v560 = 1;
      						} else {
      							_t64 = E00426300( *(_v532 + _t80 * 4));
      							_t84 = _t84 + 4;
      							_v560 = 0;
      							if(_t64 != 0) {
      								goto L5;
      							}
      						}
      						if(SendMessageW(_t76, 0x1061, _t80,  &_v564) == 0xffffffff) {
      							_pop(_t78);
      							_pop(_t82);
      							_pop(_t68);
      							return E0046F77E(_t68, _v8 ^ _t83, _t74, _t78, _t82);
      						} else {
      							goto L7;
      						}
      						goto L12;
      						L7:
      						_t80 = _t80 + 1;
      					} while (_t80 < _a16);
      					goto L8;
      				}
      				L12:
      			}
      0x00426a50
      0x00426a59
      0x00426a60
      0x00426a66
      0x00426a71
      0x00426a7b
      0x00426a7e
      0x00426a84
      0x00426a8e
      0x00426a96
      0x00426aa0
      0x00426ab0
      0x00426abc
      0x00426ac0
      0x00426ac2
      0x00426ad2
      0x00426adb
      0x00426b6d
      0x00426b7f
      0x00426b87
      0x00426b9a
      0x00426b9c
      0x00426bb2
      0x00426bbc
      0x00426bbc
      0x00426bbe
      0x00426bbf
      0x00426bc5
      0x00426bd3
      0x00426ae1
      0x00426ae1
      0x00426afc
      0x00426b08
      0x00426b0e
      0x00426b15
      0x00426b1a
      0x00426b23
      0x00426b44
      0x00426b44
      0x00426b25
      0x00426b2e
      0x00426b33
      0x00426b36
      0x00426b42
      0x00000000
      0x00000000
      0x00426b42
      0x00426b61
      0x00426bdb
      0x00426bdc
      0x00426bdf
      0x00426be8
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00426b63
      0x00426b63
      0x00426b64
      0x00000000
      0x00426ae1
      0x00000000

      APIs
      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00426ABA
      • LoadStringW.USER32(?,?,00000104), ref: 00426AFC
      • SendMessageW.USER32(?,00001061,00000000,0000000F), ref: 00426B5C
      • SendMessageW.USER32(?,0000105F,00000000,0000000F), ref: 00426B9A
      • SendMessageW.USER32(?,00001060,00000000,00000001), ref: 00426BBC
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$LoadString
      • String ID:
      • API String ID: 4010343828-0
      • Opcode ID: 08e14cad0fd46da37b3ffe6bc7cb0dd217f42fe7b0447ff18460bdd47dc83877
      • Instruction ID: 04851ae6912faecf93f7f3f53daa1ddf897f9566e7d5cbf5b716198b033b0708
      • Opcode Fuzzy Hash: 08e14cad0fd46da37b3ffe6bc7cb0dd217f42fe7b0447ff18460bdd47dc83877
      • Instruction Fuzzy Hash: FD416571A4122C9BDB20DF54DC95BEEB7B4FF08300F5001EAE909A6291D778AE85CF54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E00437030(struct _OVERLAPPED** _a4, WCHAR* _a8) {
      				struct _OVERLAPPED* _v8;
      				char _v16;
      				long _v20;
      				void _v24;
      				struct _OVERLAPPED* _v28;
      				struct _OVERLAPPED* _v32;
      				signed int _t23;
      				struct _OVERLAPPED** _t27;
      				void* _t33;
      				void* _t51;
      				struct _OVERLAPPED** _t53;
      				struct _OVERLAPPED* _t57;
      				signed int _t59;
      
      				_push(0xffffffff);
      				_push(E00489768);
      				_push( *[fs:0x0]);
      				_t23 =  *0x4bb1dc; // 0x2927074f
      				_push(_t23 ^ _t59);
      				 *[fs:0x0] =  &_v16;
      				_v28 = 0;
      				_t51 = CreateFileW(_a8, 0x80000000, 0, 0, 3, 0, 0);
      				if(_t51 == 0xffffffff) {
      					L16:
      					_t27 = _a4;
      					 *_t27 = 0;
      					 *[fs:0x0] = _v16;
      					return _t27;
      				} else {
      					_v20 = 0;
      					_v24 = 0;
      					if(ReadFile(_t51,  &_v24, 4,  &_v20, 0) == 0 || _v20 != 4) {
      						L15:
      						CloseHandle(_t51);
      						goto L16;
      					} else {
      						_t57 = E0046A630(_v24);
      						_v32 = _t57;
      						_v8 = 0;
      						if(_t57 == 0) {
      							_t33 = 0;
      						} else {
      							_t33 = E0046A620(_t57);
      						}
      						if(ReadFile(_t51, _t33, _v24,  &_v20, 0) == 0 || _v20 != _v24) {
      							_v8 = 0xffffffff;
      							if(_t57 != 0) {
      								E0046A700(_t57);
      							}
      							goto L15;
      						} else {
      							CloseHandle(_t51);
      							_t53 = _a4;
      							 *_t53 = _t57;
      							if(_t57 != 0) {
      								E0046A420(_t57);
      							}
      							_v8 = 0xffffffff;
      							if(_t57 != 0) {
      								E0046A700(_t57);
      							}
      							 *[fs:0x0] = _v16;
      							return _t53;
      						}
      					}
      				}
      			}
      0x00437033
      0x00437035
      0x00437040
      0x00437046
      0x0043704d
      0x00437051
      0x00437069
      0x00437076
      0x0043707b
      0x0043714c
      0x0043714c
      0x0043714f
      0x00437158
      0x00437165
      0x00437081
      0x00437086
      0x00437093
      0x004370a4
      0x00437145
      0x00437146
      0x00000000
      0x004370b4
      0x004370bc
      0x004370c1
      0x004370c4
      0x004370cd
      0x004370d8
      0x004370cf
      0x004370d1
      0x004370d1
      0x004370ed
      0x00437133
      0x0043713c
      0x00437140
      0x00437140
      0x00000000
      0x004370f7
      0x004370f8
      0x004370fe
      0x00437101
      0x00437105
      0x00437109
      0x00437109
      0x0043710e
      0x00437117
      0x0043711b
      0x0043711b
      0x00437125
      0x00437132
      0x00437132
      0x004370ed
      0x004370a4

      APIs
      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,2927074F), ref: 00437070
      • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 0043709C
      • ReadFile.KERNEL32(00000000,00000000,00000000,00000004,00000000), ref: 004370E5
      • CloseHandle.KERNEL32(00000000), ref: 004370F8
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      • CloseHandle.KERNEL32(00000000), ref: 00437146
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: File$CloseHandleRead$CreateDecrementInterlocked
      • String ID:
      • API String ID: 3332336045-0
      • Opcode ID: 29afad876f2ecb9e512e90609ad622df532bfa7396d0572a49490b9a52fff9d6
      • Instruction ID: f5c21de34be17f44599c1ccbca804c353dcbe327e73f79aeafe6cc1ed10115db
      • Opcode Fuzzy Hash: 29afad876f2ecb9e512e90609ad622df532bfa7396d0572a49490b9a52fff9d6
      • Instruction Fuzzy Hash: AD318871A04615ABDB219F54DC45BBFB7B8EB48B20F24062AEC11B73C0D7785D058B9A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E00408DB0(void* __ecx, void* __eflags, void* _a4, short* _a8) {
      				char _v5;
      				signed int _v12;
      				char* _v16;
      				int _v20;
      				int _v24;
      				signed int _v28;
      				intOrPtr _v68;
      				char _v72;
      				void* __ebx;
      				void* __edi;
      				signed int _t44;
      				signed int _t49;
      				signed int _t60;
      				void* _t65;
      				void* _t74;
      				char* _t75;
      				intOrPtr _t76;
      				signed int _t78;
      				void* _t82;
      
      				_t82 = __eflags;
      				_t65 = __ecx;
      				_t44 = SendMessageW( *(__ecx + 0x14), 0x1200, 0, 0) + 1;
      				_v12 = _t44;
      				_push( ~(0 | _t82 > 0x00000000) | (_t44 + _t44) * 0x00000004);
      				_t75 = E0046EE59(_t65, _t74, _t82);
      				_v5 = 0;
      				_t49 = _v12 << 3;
      				_v28 = _t49;
      				_v24 = _t49;
      				_v16 = _t75;
      				_v20 = 0xffffffff;
      				if(RegQueryValueExW(_a4, _a8, 0,  &_v20, _t75,  &_v24) == 0 && _v20 == 3 && _v24 == _v28) {
      					SendMessageW( *(_t65 + 0x14), 0x1212, _v12 - 1, _t75 + (_v12 + 1) * 4);
      					_t60 = _v12;
      					_t78 = 0;
      					if(_t60 > 0) {
      						do {
      							if( *((intOrPtr*)(_t75 + _t78 * 4)) > 0) {
      								_t76 =  *((intOrPtr*)(_t75 + _t78 * 4));
      								if(_t76 < GetSystemMetrics(0x4e)) {
      									_v72 = 1;
      									_v68 = _t76;
      									_push( &_v72);
      									if(_t78 != 0) {
      										_t37 = _t78 - 1; // -1
      										_push(0x120c);
      										_push( *(_t65 + 0x14));
      									} else {
      										_push(_t78);
      										_push(0x120c);
      										_push( *((intOrPtr*)(_t65 + 0xc)));
      									}
      									SendMessageW();
      								}
      								_t60 = _v12;
      								_t75 = _v16;
      							}
      							_t78 = _t78 + 1;
      						} while (_t78 < _t60);
      					}
      					_v5 = 1;
      				}
      				L0047002A(_t75);
      				return _v5;
      			}
      0x00408db0
      0x00408dbe
      0x00408dcf
      0x00408dd2
      0x00408de5
      0x00408deb
      0x00408ded
      0x00408df7
      0x00408dfa
      0x00408dfd
      0x00408e08
      0x00408e11
      0x00408e23
      0x00408e4d
      0x00408e4f
      0x00408e52
      0x00408e56
      0x00408e58
      0x00408e5c
      0x00408e5e
      0x00408e6b
      0x00408e6d
      0x00408e77
      0x00408e7a
      0x00408e7d
      0x00408e8a
      0x00408e8e
      0x00408e93
      0x00408e7f
      0x00408e7f
      0x00408e80
      0x00408e85
      0x00408e85
      0x00408e96
      0x00408e96
      0x00408e9c
      0x00408e9f
      0x00408e9f
      0x00408ea2
      0x00408ea3
      0x00408e58
      0x00408ea7
      0x00408ea7
      0x00408eac
      0x00408ebd

      APIs
      • SendMessageW.USER32(?,00001200,00000000,00000000), ref: 00408DCD
      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00408E1B
      • SendMessageW.USER32(?,00001212,00000000,00000000), ref: 00408E4D
      • GetSystemMetrics.USER32 ref: 00408E63
      • SendMessageW.USER32(?,0000120C,-00000001,00000001), ref: 00408E96
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$MetricsQuerySystemValue
      • String ID:
      • API String ID: 888030558-0
      • Opcode ID: 3326b5e0d90e3d8da8eaf2370e9493f2cfa8d3c4c47068009bf99e191913340a
      • Instruction ID: 37bfb07d3ae843c4f52df5444bffc759f42025349b72d00db19fb7b61ed10252
      • Opcode Fuzzy Hash: 3326b5e0d90e3d8da8eaf2370e9493f2cfa8d3c4c47068009bf99e191913340a
      • Instruction Fuzzy Hash: 1D31AF71900209EBDB20CFA4CD41BAFBBB8EF44714F10027AE941F6291D776A916CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0044E9A7(void* __ebx, void* __edx, void* __edi) {
      				intOrPtr _t34;
      				void* _t39;
      				int _t40;
      				void* _t45;
      				void* _t47;
      				struct HWND__* _t48;
      				void* _t49;
      				signed int _t50;
      
      				_t45 = __edx;
      				_t39 = __ebx;
      				_t34 =  *((intOrPtr*)(__edi + 8));
      				if(_t34 > 0xffffff4f) {
      					__eflags = _t34 - 0xffffff51;
      					if(_t34 == 0xffffff51) {
      						goto L9;
      					}
      					__eflags = _t34 - 0xfffffffd;
      					if(_t34 != 0xfffffffd) {
      						goto L2;
      					}
      					SendMessageW(_t48, 0x111, 0x9c65, 0);
      				} else {
      					if(__eflags == 0) {
      						__eflags =  *((intOrPtr*)(__ebp - 0x628)) - 0x3f9;
      						if( *((intOrPtr*)(__ebp - 0x628)) != 0x3f9) {
      							L2:
      							DefWindowProcW(_t48, _t40,  *(_t50 - 0x628),  *(_t50 - 0x64c));
      							L3:
      							 *[fs:0x0] =  *((intOrPtr*)(_t50 - 0xc));
      							_pop(_t47);
      							_pop(_t49);
      							return E0046F77E(_t39,  *(_t50 - 0x10) ^ _t50, _t45, _t47, _t49);
      						}
      						__eflags =  *(__edi + 0xc) & 0x00000001;
      						if(( *(__edi + 0xc) & 0x00000001) == 0) {
      							goto L2;
      						}
      						__eax =  *(__edi + 0x14);
      						__eax =  *(0x4bd794 +  *(__edi + 0x14) * 4);
      						 *(__ebp - 0x624) = __eax;
      						__eflags = __eax - 0x9c7a;
      						if(__eax != 0x9c7a) {
      							 *(__ebp - 0x62c) = 0x4bca10;
      							EnterCriticalSection(0x4bca10);
      							__eax = __ebp - 0x4b4;
      							 *((intOrPtr*)(__ebp - 4)) = 2;
      							__ecx = 0x4bca10;
      							__eax = E0040D160(0x4bca10, __ebp - 0x4b4,  *((intOrPtr*)(__edi + 0x10)));
      							__eflags =  *(__ebp - 0x4ac);
      							 *((char*)(__ebp - 4)) = 3;
      							if( *(__ebp - 0x4ac) == 0) {
      								__eax =  *(__edi + 0x20);
      								__ecx = 0;
      								__eflags = 0;
      								 *( *(__edi + 0x20)) = __cx;
      							} else {
      								__ecx = __ebp - 0x4b4;
      								__eax = E004110C0(__edx, __edi,  *(__ebp - 0x624),  *(__edi + 0x20),  *(__edi + 0x24));
      							}
      							 *((char*)(__ebp - 4)) = 2;
      							__ecx = __ebp - 0x4b4;
      							__eax = E0040F960(__ecx, __esi);
      							LeaveCriticalSection(0x4bca10);
      							goto L1;
      						}
      						__eax = swprintf( *(__edi + 0x20),  *(__edi + 0x24), L"%d",  *((intOrPtr*)(__edi + 0x10)));
      						goto L1;
      					}
      					__eflags = __eax - 0xfffffd33;
      					if(__eax == 0xfffffd33) {
      						goto L2;
      					}
      					__eflags = __eax - 0xfffffd43;
      					if(__eax == 0xfffffd43) {
      						__ecx = 0x4bdd08;
      						__eax = E0046E360(0x4bdd08, __edi);
      						goto L1;
      					}
      					__eflags = __eax - 0xfffffdee;
      					if(__eax != 0xfffffdee) {
      						goto L2;
      					}
      					__eax =  *0x4bd2c4; // 0x400000
      					 *(__edi + 0xb0) = __eax;
      					__eax =  *(__edi + 4);
      					 *(__edi + 0xc) =  *(__edi + 4);
      					L9:
      					goto L3;
      				}
      				L1:
      				_t40 =  *(_t50 + 0xc);
      				goto L2;
      			}
      0x0044e9a7
      0x0044e9a7
      0x0044e9a7
      0x0044e9af
      0x0044eac8
      0x0044eacd
      0x00000000
      0x00000000
      0x0044ead3
      0x0044ead6
      0x00000000
      0x00000000
      0x0044eae9
      0x0044e9b5
      0x0044e9b5
      0x0044e9ff
      0x0044ea09
      0x0044e729
      0x0044e737
      0x0044e73d
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757
      0x0044e757
      0x0044ea0f
      0x0044ea13
      0x00000000
      0x00000000
      0x0044ea19
      0x0044ea1c
      0x0044ea23
      0x0044ea29
      0x0044ea2e
      0x0044ea50
      0x0044ea5a
      0x0044ea63
      0x0044ea69
      0x0044ea71
      0x0044ea76
      0x0044ea7b
      0x0044ea82
      0x0044ea86
      0x0044eaa1
      0x0044eaa4
      0x0044eaa4
      0x0044eaa6
      0x0044ea88
      0x0044ea8b
      0x0044ea9a
      0x0044ea9a
      0x0044eaa9
      0x0044eaad
      0x0044eab3
      0x0044eabd
      0x00000000
      0x0044eabd
      0x0044ea3e
      0x00000000
      0x0044ea43
      0x0044e9b7
      0x0044e9bc
      0x00000000
      0x00000000
      0x0044e9c2
      0x0044e9c7
      0x0044e9f0
      0x0044e9f5
      0x00000000
      0x0044e9f5
      0x0044e9c9
      0x0044e9ce
      0x00000000
      0x00000000
      0x0044e9d4
      0x0044e9d9
      0x0044e9df
      0x0044e9e2
      0x0044e9e5
      0x00000000
      0x0044e9e5
      0x0044e726
      0x0044e726
      0x00000000

      APIs
      • DefWindowProcW.USER32(?,?,?,?,2927074F), ref: 0044E737
      • swprintf.LIBCMT ref: 0044EA3E
      • SendMessageW.USER32(?,00000111,00009C65,00000000), ref: 0044EAE9
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageProcSendWindowswprintf
      • String ID:
      • API String ID: 2860400617-0
      • Opcode ID: 5e476637d91b9205c3e3f702a6c8f665af8b6c79f30200eef0ea9afabf54a3f7
      • Instruction ID: a898df1dd44d9d8edc3c91d43b1d7d68c439bba3836163ce947bdb937701b4a4
      • Opcode Fuzzy Hash: 5e476637d91b9205c3e3f702a6c8f665af8b6c79f30200eef0ea9afabf54a3f7
      • Instruction Fuzzy Hash: 5C31D670900505EBEB24CB69DC85B9DF7B0BF08324F1446ABE105A26E2D739A960DF5E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00430B40(void* __ecx) {
      				struct _CRITICAL_SECTION* _v8;
      				intOrPtr _t20;
      				intOrPtr* _t22;
      				struct _CRITICAL_SECTION* _t23;
      				struct _CRITICAL_SECTION* _t24;
      				intOrPtr* _t26;
      				intOrPtr* _t27;
      				intOrPtr* _t28;
      				void* _t29;
      				void* _t34;
      				intOrPtr* _t37;
      				intOrPtr _t39;
      				void** _t41;
      				intOrPtr* _t43;
      
      				_t20 =  *0x4bcb6c; // 0x7879f0
      				EnterCriticalSection(_t20 + 8);
      				_t37 =  *0x4bcb6c; // 0x7879f0
      				_t22 =  *_t37;
      				_t43 =  *_t22;
      				if(_t43 == _t22) {
      					L21:
      					_t19 = _t37 + 8; // 0x7879f8
      					_t23 = _t19;
      					LeaveCriticalSection(_t23);
      					return _t23;
      				}
      				do {
      					_t1 = _t43 + 0x10; // 0x0
      					_t39 =  *_t1;
      					_t2 = _t39 + 0xe0; // 0xe0
      					_t24 = _t2;
      					_v8 = _t24;
      					if(TryEnterCriticalSection(_t24) == 0) {
      						L9:
      						if( *((char*)(_t43 + 0xd)) != 0) {
      							goto L19;
      						}
      						_t10 = _t43 + 8; // 0x80
      						_t26 =  *_t10;
      						if( *((char*)(_t26 + 0xd)) != 0) {
      							_t14 = _t43 + 4; // 0x9
      							_t27 =  *_t14;
      							if( *((char*)(_t27 + 0xd)) != 0) {
      								L18:
      								_t43 = _t27;
      								goto L19;
      							}
      							while(_t43 ==  *((intOrPtr*)(_t27 + 8))) {
      								_t43 = _t27;
      								_t27 =  *((intOrPtr*)(_t27 + 4));
      								if( *((char*)(_t27 + 0xd)) == 0) {
      									continue;
      								}
      								goto L18;
      							}
      							goto L18;
      						}
      						_t43 = _t26;
      						_t28 =  *_t43;
      						if( *((char*)(_t28 + 0xd)) != 0) {
      							goto L19;
      						} else {
      							goto L12;
      						}
      						do {
      							L12:
      							_t43 = _t28;
      							_t28 =  *_t43;
      						} while ( *((char*)(_t28 + 0xd)) == 0);
      						goto L19;
      					}
      					_t41 = _t39 + 0x24;
      					_t34 = 6;
      					do {
      						if(_t41[4] == 0) {
      							_t29 =  *_t41;
      							if(_t29 != 0) {
      								UnmapViewOfFile(_t29);
      								 *_t41 = 0;
      								_t41[1] = 0;
      								_t41[2] = 0;
      								_t41[3] = 0;
      							}
      						}
      						_t41 =  &(_t41[8]);
      						_t34 = _t34 - 1;
      					} while (_t34 != 0);
      					LeaveCriticalSection(_v8);
      					goto L9;
      					L19:
      					_t37 =  *0x4bcb6c; // 0x7879f0
      				} while (_t43 !=  *_t37);
      				goto L21;
      			}
      0x00430b44
      0x00430b4f
      0x00430b55
      0x00430b61
      0x00430b63
      0x00430b67
      0x00430c21
      0x00430c21
      0x00430c21
      0x00430c25
      0x00430c2c
      0x00430c2c
      0x00430b70
      0x00430b70
      0x00430b70
      0x00430b73
      0x00430b73
      0x00430b7a
      0x00430b85
      0x00430bcf
      0x00430bd3
      0x00000000
      0x00000000
      0x00430bd5
      0x00430bd5
      0x00430bdc
      0x00430bf4
      0x00430bf4
      0x00430bfb
      0x00430c10
      0x00430c10
      0x00000000
      0x00430c10
      0x00430c00
      0x00430c05
      0x00430c07
      0x00430c0e
      0x00000000
      0x00000000
      0x00000000
      0x00430c0e
      0x00000000
      0x00430c00
      0x00430bde
      0x00430be0
      0x00430be6
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00430be8
      0x00430be8
      0x00430be8
      0x00430bea
      0x00430bec
      0x00000000
      0x00430bf2
      0x00430b87
      0x00430b8a
      0x00430b90
      0x00430b94
      0x00430b96
      0x00430b9a
      0x00430b9d
      0x00430ba3
      0x00430ba9
      0x00430bb0
      0x00430bb7
      0x00430bb7
      0x00430b9a
      0x00430bbe
      0x00430bc1
      0x00430bc1
      0x00430bcd
      0x00000000
      0x00430c12
      0x00430c12
      0x00430c18
      0x00000000

      APIs
      • EnterCriticalSection.KERNEL32(007879E8,004C2588,004BD710,?,?,004308CF), ref: 00430B4F
      • TryEnterCriticalSection.KERNEL32(000000E0,0000000100000000,?,?,004308CF), ref: 00430B7D
      • UnmapViewOfFile.KERNEL32(00000000,?,?,004308CF), ref: 00430B9D
      • LeaveCriticalSection.KERNEL32(?,?,?,004308CF), ref: 00430BCD
      • LeaveCriticalSection.KERNEL32(007879F8,?,?,004308CF), ref: 00430C25
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$FileUnmapView
      • String ID:
      • API String ID: 1020797247-0
      • Opcode ID: 82e97487232d05f03fd18cf3e1a526058e3efab57bf34b187f497c3d57d96c9c
      • Instruction ID: 93512ba8ecd15ef2c97173989fa546fa44adf7510def24e1f26ae31fa2d142f3
      • Opcode Fuzzy Hash: 82e97487232d05f03fd18cf3e1a526058e3efab57bf34b187f497c3d57d96c9c
      • Instruction Fuzzy Hash: A031A5719002089FD724CB58D898B16F7E5FB08354F19D7AAD858973A1D378FC84CB98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00438B60(WCHAR* _a4, intOrPtr* _a8) {
      				long _v8;
      				void _v12;
      				void* _t21;
      				void* _t28;
      				intOrPtr* _t34;
      				void* _t36;
      
      				_t36 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 0, 0);
      				if(_t36 != 0xffffffff) {
      					_t34 = _a8;
      					_v8 = 0;
      					_t30 =  *_t34;
      					if( *_t34 == 0) {
      						_v12 = 0;
      					} else {
      						_v12 = E00406130(_t30);
      					}
      					if(WriteFile(_t36,  &_v12, 4,  &_v8, 0) == 0 || _v8 != 4) {
      						L13:
      						_t28 = 0;
      					} else {
      						_t31 =  *_t34;
      						if( *_t34 == 0) {
      							_t21 = 0;
      						} else {
      							_t21 = E0046A620(_t31);
      						}
      						if(WriteFile(_t36, _t21, _v12,  &_v8, 0) == 0 || _v8 != _v12) {
      							goto L13;
      						} else {
      							_t28 = 1;
      						}
      					}
      					CloseHandle(_t36);
      					if(_t28 == 0) {
      						DeleteFileW(_a4);
      					}
      					return _t28;
      				} else {
      					return 0;
      				}
      			}
      0x00438b7f
      0x00438b84
      0x00438b8f
      0x00438b92
      0x00438b99
      0x00438b9d
      0x00438ba9
      0x00438b9f
      0x00438ba4
      0x00438ba4
      0x00438bc7
      0x00438bfb
      0x00438bfb
      0x00438bcf
      0x00438bcf
      0x00438bd3
      0x00438bdc
      0x00438bd5
      0x00438bd5
      0x00438bd5
      0x00438bed
      0x00000000
      0x00438bf7
      0x00438bf7
      0x00438bf7
      0x00438bed
      0x00438bfe
      0x00438c06
      0x00438c0b
      0x00438c0b
      0x00438c19
      0x00438b86
      0x00438b8c
      0x00438b8c

      APIs
      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00438B79
      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00438BC3
      • WriteFile.KERNEL32(00000000,00000000,00000000,00000004,00000000), ref: 00438BE9
      • CloseHandle.KERNEL32(00000000), ref: 00438BFE
      • DeleteFileW.KERNEL32(00000000), ref: 00438C0B
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: File$Write$CloseCreateDeleteHandle
      • String ID:
      • API String ID: 2321045852-0
      • Opcode ID: 166b06dad3341dcc400cb50d4d90b9acbd2e46b17c732f0ca447de1e37becef7
      • Instruction ID: 9af35ed8d2b8e34c335e4e01ef455db8dc786475f95d3a661caad1b44e1a813f
      • Opcode Fuzzy Hash: 166b06dad3341dcc400cb50d4d90b9acbd2e46b17c732f0ca447de1e37becef7
      • Instruction Fuzzy Hash: 5F21DE7164130ABAEB109F94DC81BEEF7689B09310F24506EF901A7280CB35AE059BAD
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E00418660(struct _CRITICAL_SECTION* __ecx, intOrPtr _a4) {
      				RECT* _v8;
      				char _v16;
      				struct _CRITICAL_SECTION* _v20;
      				intOrPtr _v32;
      				char _v40;
      				void* __esi;
      				signed int _t19;
      				long _t23;
      				struct _CRITICAL_SECTION* _t29;
      				void* _t41;
      				long _t44;
      				signed int _t46;
      
      				_push(0xffffffff);
      				_push(E004870B0);
      				_push( *[fs:0x0]);
      				_t19 =  *0x4bb1dc; // 0x2927074f
      				_push(_t19 ^ _t46);
      				 *[fs:0x0] =  &_v16;
      				_t29 = __ecx;
      				_v20 = __ecx;
      				EnterCriticalSection(__ecx);
      				_v8 = 0;
      				_t44 = SendMessageW( *(_t29 + 0x18), 0x1027, 0, 0);
      				_t23 = SendMessageW( *(_t29 + 0x18), 0x1028, 0, 0);
      				_t41 = _t44 + _t23;
      				if(_t44 < _t41) {
      					while(1) {
      						E0040D160(_t29,  &_v40, _t44);
      						_v8 = 1;
      						if(_v32 == 0 ||  *((intOrPtr*)(E00411BA0( &_v40))) == _a4) {
      							break;
      						}
      						_v8 = 0;
      						_t23 = E0040F960( &_v40, _t44);
      						_t44 = _t44 + 1;
      						if(_t44 < _t41) {
      							continue;
      						} else {
      						}
      						goto L6;
      					}
      					InvalidateRect( *(_t29 + 0x18), 0, 0);
      					_v8 = 0;
      					_t23 = E0040F960( &_v40, _t44);
      				}
      				L6:
      				LeaveCriticalSection(_t29);
      				 *[fs:0x0] = _v16;
      				return _t23;
			}

      Instruction addresses: 0x00418663 0x00418665 0x00418670 0x00418677 0x0041867e 0x00418682 0x00418688 0x0041868b 0x0041868e 0x004186a6 0x004186bb 0x004186bd 0x004186bf 0x004186c4 0x004186c6 0x004186cd 0x004186d6 0x004186da 0x00000000 0x00000000 0x004186ee 0x004186f2 0x004186f7 0x004186fa 0x00000000 0x00000000 0x004186fc 0x00000000 0x004186fa 0x00418705 0x0041870e 0x00418712 0x00418712 0x00418717 0x00418718 0x00418721 0x0041872f

      APIs
      • EnterCriticalSection.KERNEL32(?,2927074F), ref: 0041868E
      • SendMessageW.USER32(?,00001027,00000000,00000000), ref: 004186AD
      • SendMessageW.USER32(?,00001028,00000000,00000000), ref: 004186BD
      • InvalidateRect.USER32(?,00000000,00000000,?,00000000,?,2927074F), ref: 00418705
        • Part of subcall function 0040F960: ReleaseSRWLockShared.KERNEL32(?,004C2538,00468906,004C2538,000000FF,?,?,00467152,00000000,004C255C), ref: 0040F971
      • LeaveCriticalSection.KERNEL32(?,?,2927074F), ref: 00418718
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalMessageSectionSend$EnterInvalidateLeaveLockRectReleaseShared
      • String ID:
      • API String ID: 3214903406-0
      • Opcode ID: d2fd22f9cf2a1eee9c075bcb7911b1072eeb6f954a7c495bbea1deb8bc189672
      • Instruction ID: 8ff0b4cf18bcb0d9a23f1c8e6db2f0c09795545a9054658aac09096d19d17496
      • Opcode Fuzzy Hash: d2fd22f9cf2a1eee9c075bcb7911b1072eeb6f954a7c495bbea1deb8bc189672
      • Instruction Fuzzy Hash: 2D21F571904208ABDB21DF64CC45BDEB7B4EB08700F20057EE901772D1DB796D44CBA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E0040CAE0(struct HWND__* _a4) {
      				int _v8;
      				char _v16;
      				struct _CRITICAL_SECTION* _v20;
      				intOrPtr _v32;
      				char _v40;
      				void* __esi;
      				signed int _t13;
      				int _t17;
      				intOrPtr _t20;
      				void* _t23;
      				struct HWND__* _t30;
      				int _t33;
      				signed int _t35;
      
      				_push(0xffffffff);
      				_push(E00486078);
      				_push( *[fs:0x0]);
      				_t13 =  *0x4bb1dc; // 0x2927074f
      				_push(_t13 ^ _t35);
      				 *[fs:0x0] =  &_v16;
      				_t30 = _a4;
      				E00405D60(_t30);
      				_t23 = 0;
      				_t17 = SendMessageW(_t30, 0x100c, 0xffffffff, 2);
      				_t33 = _t17;
      				if(_t33 < 0) {
      					L7:
      					 *[fs:0x0] = _v16;
      					return _t17;
      				}
      				_v20 = 0x4bca10;
      				do {
      					EnterCriticalSection(0x4bca10);
      					_v8 = 0;
      					E0040D160(0x4bca10,  &_v40, _t33);
      					_t20 = _v32;
      					if(_t20 != 0) {
      						 *(_t20 + 0xa) =  *(_t20 + 0xa) ^ 0x00000001;
      					}
      					E0040F960( &_v40, _t33);
      					_v8 = 0xffffffff;
      					LeaveCriticalSection(0x4bca10);
      					_t23 = _t23 + 1;
      					_t17 = SendMessageW(_t30, 0x100c, _t33, 2);
      					_t33 = _t17;
      				} while (_t33 >= 0);
      				if(_t23 != 0) {
      					_t17 = InvalidateRect(_t30, 0, 0);
      				}
      				goto L7;
			}

      Instruction addresses: 0x0040cae3 0x0040cae5 0x0040caf0 0x0040caf7 0x0040cafe 0x0040cb02 0x0040cb08 0x0040cb0c 0x0040cb14 0x0040cb20 0x0040cb26 0x0040cb2a 0x0040cb9f 0x0040cba2 0x0040cbb0 0x0040cbb0 0x0040cb2c 0x0040cb33 0x0040cb38 0x0040cb42 0x0040cb4f 0x0040cb54 0x0040cb59 0x0040cb5b 0x0040cb5b 0x0040cb63 0x0040cb6d 0x0040cb74 0x0040cb83 0x0040cb84 0x0040cb8a 0x0040cb8c 0x0040cb92 0x0040cb99 0x0040cb99 0x00000000

      APIs
        • Part of subcall function 00405D60: GetPropW.USER32(?), ref: 00405D6E
      • SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0040CB20
      • EnterCriticalSection.KERNEL32(004BCA10), ref: 0040CB38
      • LeaveCriticalSection.KERNEL32(004BCA10,?,00000000), ref: 0040CB74
      • SendMessageW.USER32(?,0000100C,00000000,00000002), ref: 0040CB84
      • InvalidateRect.USER32(?,00000000,00000000), ref: 0040CB99
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalMessageSectionSend$EnterInvalidateLeavePropRect
      • String ID:
      • API String ID: 4088579126-0
      • Opcode ID: 2f8ad34c76a878419cb0663431e1ff244d75fe301de9460edf9c60cf8e19016e
      • Instruction ID: 262653e7e21285bb609475ce40ad3a4dba42d84ab4c133e59d254f192af88b21
      • Opcode Fuzzy Hash: 2f8ad34c76a878419cb0663431e1ff244d75fe301de9460edf9c60cf8e19016e
      • Instruction Fuzzy Hash: 4D21D831A40208ABD710EBA4EC86F9F77B8EB05B60F10473AF911B72D1D778680587A8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E00458530(struct HWND__* _a8, struct HWND__* _a12, struct HWND__* _a16, signed int _a20, signed int _a24) {
      				signed int _v8;
      				struct tagRECT _v24;
      				int _v28;
      				int _v32;
      				struct HWND__* _v36;
      				struct HWND__* _v40;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t22;
      				struct HWND__* _t25;
      				int _t30;
      				void* _t45;
      				int _t46;
      				signed int _t48;
      				signed int _t50;
      
      				_t22 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t22 ^ _t50;
      				_v36 = _a8;
      				_t25 = _a16;
      				_v40 = _t25;
      				GetWindowRect(_t25,  &_v24);
      				_v32 = _v24.bottom - _v24.top;
      				_t12 = GetSystemMetrics(0x32) + 0xa; // 0xa
      				_t46 = _t12;
      				_t30 = _a20 & 0x0000ffff;
      				_v28 = _t30;
      				MoveWindow(_a12, 0, 0, _t30, _t46, 1);
      				_t48 = _a24 & 0x0000ffff;
      				MoveWindow(_v36, 0, _t46, _v28, _t48 - _t46 - _v32, 1);
      				MoveWindow(_v40, 0, _t48 - _v32, _v28, _v32, 1);
      				return E0046F77E(MoveWindow, _v8 ^ _t50, _t45, _t46, _t48 - _v32);
			}

      Instruction addresses: 0x00458536 0x0045853d 0x0045854c 0x0045854f 0x00458554 0x00458557 0x00458565 0x00458579 0x00458579 0x0045857c 0x00458586 0x00458589 0x0045858e 0x004585a4 0x004585b7 0x004585c9

      APIs
      • GetWindowRect.USER32 ref: 00458557
      • GetSystemMetrics.USER32 ref: 00458568
      • MoveWindow.USER32(?,00000000,00000000,00000000,0000000A,00000001), ref: 00458589
      • MoveWindow.USER32(?,00000000,0000000A,?,?,00000001), ref: 004585A4
      • MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 004585B7
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$Move$MetricsRectSystem
      • String ID:
      • API String ID: 3580639495-0
      • Opcode ID: b0531c787a101473c167cdf9207a5270b2c202bcf2634aeabe8fa31da8e05362
      • Instruction ID: c6f8b4d19f8485539403891547560a9151426a3b8604b6ec6c67ff7b1fbd1e0a
      • Opcode Fuzzy Hash: b0531c787a101473c167cdf9207a5270b2c202bcf2634aeabe8fa31da8e05362
      • Instruction Fuzzy Hash: 7711FC71A00219AFDF10DFA9DD45FEEBBB8EB48700F100569FA04E7290D6B5A915CBA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E0046A430(long __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				long _v8;
      				void* __ebx;
      				void* __edi;
      				void* _t13;
      				long _t22;
      				LONG** _t27;
      				intOrPtr _t33;
      				LONG* _t34;
      				LONG* _t37;
      				void* _t39;
      
      				_push(__ecx);
      				_t33 = _a8;
      				_t27 = __ecx;
      				_v8 = __ecx;
      				_t13 = _a16 + _t33;
      				if(_t13 != 0) {
      					_push(_t13 + 0xb);
      					_t37 = E0046EE59(__ecx, _t33, __eflags);
      					_t6 =  &(_t37[2]); // 0x8
      					 *_t37 = 1;
      					_t37[1] = _a16 + _t33;
      					E00470850(_t6, _a4, _t33);
      					_t9 = _t33 + 8; // 0x437401
      					_t20 = _t9 + _t37;
      					__eflags = _t9 + _t37;
      					E00470850(_t20, _a12, _a16);
      					_t39 = _t39 + 0x1c;
      				} else {
      					_t37 = 0;
      				}
      				_t34 =  *_t27;
      				if(_t34 != 0 && InterlockedDecrement(_t34) == 0) {
      					L0047002A(_t34);
      					_t39 = _t39 + 4;
      				}
      				_t22 = _v8;
      				 *_t22 = _t37;
      				if(_t37 != 0) {
      					InterlockedIncrement(_t37);
      					_t22 = InterlockedDecrement(_t37);
      					if(_t22 == 0) {
      						_t22 = L0047002A(_t37);
      					}
      				}
      				return _t22;
			}

      Instruction addresses: 0x0046a433 0x0046a43a 0x0046a43d 0x0046a43f 0x0046a442 0x0046a444 0x0046a44d 0x0046a453 0x0046a45e 0x0046a461 0x0046a468 0x0046a46b 0x0046a473 0x0046a479 0x0046a479 0x0046a47c 0x0046a481 0x0046a446 0x0046a446 0x0046a446 0x0046a484 0x0046a48e 0x0046a498 0x0046a49d 0x0046a49d 0x0046a4a0 0x0046a4a3 0x0046a4a7 0x0046a4aa 0x0046a4b1 0x0046a4b5 0x0046a4b8 0x0046a4bd 0x0046a4b5 0x0046a4c6

      APIs
      • _memmove.LIBCMT ref: 0046A46B
      • _memmove.LIBCMT ref: 0046A47C
      • InterlockedDecrement.KERNEL32(004373F9), ref: 0046A491
      • InterlockedIncrement.KERNEL32(00000000), ref: 0046A4AA
      • InterlockedDecrement.KERNEL32(00000000), ref: 0046A4B1
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Interlocked$Decrement_memmove$Increment
      • String ID:
      • API String ID: 3220810191-0
      • Opcode ID: 38c98898daa727aba42d78b847501081c7cda7ab0bffe7c157d72b9b7b63265a
      • Instruction ID: 9fd9f90e77977edebbf22fe789ff42ed41a12cd2dfe3090811f5f3f97a7d2b68
      • Opcode Fuzzy Hash: 38c98898daa727aba42d78b847501081c7cda7ab0bffe7c157d72b9b7b63265a
      • Instruction Fuzzy Hash: DC11C4B2501A15ABCB119F55EC45A9B77A8DF45724B04452AFD08E3301FB39ED208AAF
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00434180(void* __edx, void* _a4, short* _a8) {
      				signed int _v8;
      				short _v528;
      				void* _v532;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t14;
      				short* _t29;
      				void* _t32;
      				void* _t33;
      				void* _t34;
      				signed int _t35;
      				void* _t36;
      
      				_t32 = __edx;
      				_t14 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t14 ^ _t35;
      				_t29 = _a8;
      				_t33 = _a4;
      				_v532 = 0;
      				RegOpenKeyExW(_t33, _t29, 0, 0xf003f,  &_v532);
      				_t34 = RegEnumKeyW;
      				while(RegEnumKeyW(_v532, 0,  &_v528, 0x104) == 0) {
      					E00434180(_t32, _v532,  &_v528);
      					_t36 = _t36 + 8;
      				}
      				RegCloseKey(_v532);
      				RegDeleteKeyW(_t33, _t29);
      				asm("sbb eax, eax");
      				return E0046F77E(_t29, _v8 ^ _t35, _t32, _t33, _t34);
			}

      Instruction addresses: 0x00434180 0x00434189 0x00434190 0x00434194 0x0043419f 0x004341ac 0x004341b6 0x004341bc 0x004341da 0x004341ed 0x004341f2 0x0043420b 0x00434215 0x0043421d 0x00434229 0x00434238

      APIs
      • RegOpenKeyExW.ADVAPI32(00000000,80000001,00000000,000F003F,?,?,?,?), ref: 004341B6
      • RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000104), ref: 004341D6
      • RegCloseKey.ADVAPI32(00000000), ref: 00434215
      • RegDeleteKeyW.ADVAPI32(00000000,80000001), ref: 0043421D
        • Part of subcall function 00434180: RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000104), ref: 00434209
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Enum$CloseDeleteOpen
      • String ID:
      • API String ID: 2095303065-0
      • Opcode ID: 1b29c5982bfdbf8436c43525a3994f3bf901b8ae5f414c1e068870183e795f19
      • Instruction ID: 7f8e17e657c7ef7eada3138b4eefec75c1e9cfe12be57839f2c492c62310dd11
      • Opcode Fuzzy Hash: 1b29c5982bfdbf8436c43525a3994f3bf901b8ae5f414c1e068870183e795f19
      • Instruction Fuzzy Hash: 3D118F71A4021CAFDF20DB50DC89FEEBB7CFB15744F1004A5F918A2191D6B06E888F94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E00409160(void* __ecx, char _a4) {
      				signed int _v8;
      				struct tagRECT _v24;
      				void* __edi;
      				signed int _t15;
      				int _t22;
      				void* _t27;
      				intOrPtr _t33;
      				void* _t38;
      				int _t40;
      				void* _t41;
      				void* _t42;
      				signed int _t43;
      
      				_t15 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t15 ^ _t43;
      				_t41 = __ecx;
      				if(_a4 == 0) {
      					ShowWindow( *(__ecx + 0x28), 0);
      					return E0046F77E(_t27, _v8 ^ _t43, _t38, _t41, _t42);
      				} else {
      					GetClientRect( *(__ecx + 8),  &_v24);
      					_v24.left = _v24.right - GetSystemMetrics(2);
      					_t22 = GetSystemMetrics(3);
      					_t33 = _v24.bottom;
      					_t40 = _t33 - _t22;
      					_v24.top = _t40;
      					SetWindowPos( *(_t41 + 0x28), 0, _v24.left, _t40, _v24.right - _v24.left, _t33 - _t40, 0x44);
      					return E0046F77E(_t27, _v8 ^ _t43, _t40, _t41, _t42);
      				}
			}

      Instruction addresses: 0x00409166 0x0040916d 0x00409175 0x00409177 0x004091d9 0x004091ed 0x00409179 0x00409180 0x00409195 0x00409198 0x0040919e 0x004091a3 0x004091ac 0x004091bd 0x004091d1 0x004091d1

      APIs
      • GetClientRect.USER32 ref: 00409180
      • GetSystemMetrics.USER32 ref: 00409188
      • GetSystemMetrics.USER32 ref: 00409198
      • SetWindowPos.USER32(00000000,00000000,?,00000000,?,00000000,00000044,?,?,?,?), ref: 004091BD
      • ShowWindow.USER32(00000000,00000000,?,?,?,?), ref: 004091D9
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MetricsSystemWindow$ClientRectShow
      • String ID:
      • API String ID: 386910847-0
      • Opcode ID: d7f749cd21f037aeefb3de77fcdccb5ab0dfb53a679eef2f2e86300538422f21
      • Instruction ID: 2cb20ff1c1ba8411431499abc485fc3f655e571cafc35aed58c767e7cd23a58f
      • Opcode Fuzzy Hash: d7f749cd21f037aeefb3de77fcdccb5ab0dfb53a679eef2f2e86300538422f21
      • Instruction Fuzzy Hash: 26117071A01108AFDB04DFB8DC09BBEFB75EB48311F10427EA906A62A0DB706D158B58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004397E0(void _a4, intOrPtr _a8) {
      				intOrPtr _t5;
      				long _t9;
      				void _t14;
      				void* _t17;
      				void* _t23;
      				void* _t24;
      
      				_t5 =  *0x4bd2d0; // 0x0
      				_t23 = 0 -  *0x4bd2e4; // 0x0
      				if(_t23 > 0) {
      					L5:
      					return 0;
      				} else {
      					if(_t23 < 0) {
      						L3:
      						_t14 = _a4;
      						_t2 = _t14 + 4; // 0x4
      						_t17 = HeapAlloc( *0x4bce70, 0, _t2);
      						if(_t17 == 0) {
      							goto L5;
      						} else {
      							_t9 = HeapSize( *0x4bce70, 0, _t17);
      							EnterCriticalSection(0x4bce48);
      							 *0x4bce6c =  *0x4bce6c + _t9;
      							LeaveCriticalSection(0x4bce48);
      							_t4 = _t17 + 4; // 0x4
      							 *_t17 = _t14;
      							E00470850(_t4, _a8, _t14);
      							E0043B490(_t17);
      							return 1;
      						}
      					} else {
      						_t24 = _t5 -  *0x4bd2e0; // 0x0
      						if(_t24 >= 0) {
      							goto L5;
      						} else {
      							goto L3;
      						}
      					}
      				}
			}

      Instruction addresses: 0x004397e3 0x004397ec 0x004397f2 0x0043986c 0x00439870 0x004397f4 0x004397f4 0x004397fe 0x004397fe 0x00439801 0x00439813 0x00439817 0x00000000 0x00439819 0x00439823 0x00439830 0x00439836 0x00439841 0x0043984b 0x0043984e 0x00439851 0x0043985f 0x0043986a 0x0043986a 0x004397f6 0x004397f6 0x004397fc 0x00000000 0x00000000 0x00000000 0x00000000 0x004397fc 0x004397f4

      APIs
      • HeapAlloc.KERNEL32(00000000,00000004,7416ED70,749682C0,?,00439E1E,00000000,?), ref: 0043980D
      • HeapSize.KERNEL32(00000000,00000000,74D0F750,?,00439E1E,00000000,?), ref: 00439823
      • EnterCriticalSection.KERNEL32(004BCE48,?,00439E1E,00000000,?), ref: 00439830
      • LeaveCriticalSection.KERNEL32(004BCE48,?,00439E1E,00000000,?), ref: 00439841
      • _memmove.LIBCMT ref: 00439851
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalHeapSection$AllocEnterLeaveSize_memmove
      • String ID:
      • API String ID: 976096013-0
      • Opcode ID: 8d84da336c3fa7a1d38ec04177527c4bffa742d7e5d8cd9bf74684403608c876
      • Instruction ID: 303c0251d54795dc38ace334e433ed1b12c3001d25730d3659ca0dd5e3e0e6bc
      • Opcode Fuzzy Hash: 8d84da336c3fa7a1d38ec04177527c4bffa742d7e5d8cd9bf74684403608c876
      • Instruction Fuzzy Hash: 3801DE32400205EBDB149B19ECC9A6A776CFB85718F10047BF509D6220D675EC02CB2C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004245A0(char* __ecx) {
      				signed int _t19;
      				signed int _t21;
      				int _t22;
      				char* _t31;
      				void* _t32;
      
      				_t31 = __ecx;
      				_t19 =  *(__ecx + 0x10);
      				if(_t19 == 0) {
      					E0047040C( *(__ecx + 4));
      					_t32 = _t32 + 4;
      					 *(_t31 + 4) = 0;
      				} else {
      					VirtualFree( *(__ecx + 4), _t19 + _t19 * 2 << 3, 0x4000);
      				}
      				 *(_t31 + 8) = 0;
      				 *(_t31 + 0xc) = 0;
      				 *_t31 = 0;
      				_t21 =  *(_t31 + 0x10);
      				if(_t21 == 0) {
      					_t22 = E0047040C( *(_t31 + 4));
      					 *(_t31 + 4) = 0;
      				} else {
      					_t22 = VirtualFree( *(_t31 + 4), _t21 + _t21 * 2 << 3, 0x4000);
      				}
      				 *(_t31 + 8) = 0;
      				 *(_t31 + 0xc) = 0;
      				if( *(_t31 + 0x10) != 0) {
      					return VirtualFree( *(_t31 + 4), 0, 0x8000);
      				}
      				return _t22;
			}

      Instruction addresses: 0x004245a1 0x004245aa 0x004245af 0x004245c7 0x004245cc 0x004245cf 0x004245b1 0x004245c0 0x004245c0 0x004245d6 0x004245dd 0x004245e4 0x004245e7 0x004245ec 0x00424604 0x0042460c 0x004245ee 0x004245fd 0x004245fd 0x00424617 0x0042461e 0x00424625 0x00000000 0x00424631 0x00424635

      APIs
      • VirtualFree.KERNEL32(00424806,?,00004000,?,?,00424806,?,?,?), ref: 004245C0
      • _free.LIBCMT ref: 004245C7
      • VirtualFree.KERNEL32(00000000,?,00004000,?,?,?,?,?,?,?,004882F5,000000FF), ref: 004245FD
      • _free.LIBCMT ref: 00424604
        • Part of subcall function 0047040C: HeapFree.KERNEL32(00000000,00000000,?,00478154,00000000,?,?,004752D8,00473DD8,004B7A40,00000014), ref: 00470420
        • Part of subcall function 0047040C: GetLastError.KERNEL32(H,L,?,00478154,00000000,?,?,004752D8,00473DD8,004B7A40,00000014), ref: 00470432
      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,004882F5,000000FF), ref: 00424631
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Free$Virtual$_free$ErrorHeapLast
      • String ID:
      • API String ID: 1915832315-0
      • Opcode ID: 3ce423a70daf3c965b8f5764d9b4b2f06a1feab8dd99a7653b94f79742c096c5
      • Instruction ID: 1f6aa2e51565bfc6de8375433161878ca0b9b80306315d1977e4f0e20e33435e
      • Opcode Fuzzy Hash: 3ce423a70daf3c965b8f5764d9b4b2f06a1feab8dd99a7653b94f79742c096c5
      • Instruction Fuzzy Hash: 62012DB0200B10DBE7319F15EC01B57B7E4EF80740F15882DE1AA96AA0D7BAE959CF45
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004366B0(struct HWND__* _a4, int _a8, char _a12) {
      				long _v40;
      				long _v44;
      				void* _v56;
      				long _t15;
      				struct HWND__* _t17;
      				int _t19;
      
      				_t17 = _a4;
      				_v40 = 3;
      				_v44 = 0;
      				SendMessageW(_t17, 0x102b, 0xffffffff,  &_v56);
      				_t19 = _a8;
      				SendMessageW(_t17, 0x1043, 0, _t19);
      				_v40 = 3;
      				_v44 = 3;
      				SendMessageW(_t17, 0x102b, _t19,  &_v56);
      				_t15 = SendMessageW(_t17, 0x1013, _t19, 0);
      				if(_a12 != 0) {
      					return SetFocus(_t17);
      				}
      				return _t15;
			}

      Instruction addresses: 0x004366b7 0x004366ce 0x004366d5 0x004366dc 0x004366de 0x004366ea 0x004366ef 0x004366fe 0x00436705 0x00436710 0x00436716 0x00000000 0x00436719 0x00436725

      APIs
      • SendMessageW.USER32(?,0000102B,000000FF,?), ref: 004366DC
      • SendMessageW.USER32(?,00001043,00000000,?), ref: 004366EA
      • SendMessageW.USER32(?,0000102B,?,?), ref: 00436705
      • SendMessageW.USER32(?,00001013,?,00000000), ref: 00436710
      • SetFocus.USER32(?,?,?,?,?,?,?), ref: 00436719
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$Focus
      • String ID:
      • API String ID: 3982298024-0
      • Opcode ID: a8d18e81e6e7c180aa6de6d6b6d259ea5749bee62bb2441f7e493bda47e72425
      • Instruction ID: bd854187839b677579376cbecc0ebdbe721a6c5c9ed66b5954e9a2dd386ed18b
      • Opcode Fuzzy Hash: a8d18e81e6e7c180aa6de6d6b6d259ea5749bee62bb2441f7e493bda47e72425
      • Instruction Fuzzy Hash: 910181B15012087AE720AB95DC89FDFBBACFF48324F100115FA08B61D1C3B45A458BB4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E0040A046(void* __ebx, intOrPtr __esi) {
      				struct HRGN__* _t10;
      				void* _t21;
      				void* _t27;
      				struct HWND__* _t28;
      				void* _t29;
      				void* _t31;
      				signed int _t32;
      
      				_t21 = __ebx;
      				_t10 = CreateRectRgn(0, 0, 0, 0);
      				_t28 =  *(_t32 - 0x2a0);
      				 *(_t32 - 0x298) = _t10;
      				if(GetUpdateRgn(_t28, _t10, 0) != 1) {
      					BeginPaint(_t28, _t32 - 0x268);
      					E00404C10(__esi, _t32 - 0x268,  *(_t32 - 0x298));
      					EndPaint(_t28, _t32 - 0x268);
      				}
      				DeleteObject( *(_t32 - 0x298));
      				 *[fs:0x0] =  *((intOrPtr*)(_t32 - 0xc));
      				_pop(_t29);
      				_pop(_t31);
      				return E0046F77E(_t21,  *(_t32 - 0x10) ^ _t32, _t27, _t29, _t31);
      			}

      APIs
      • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0040A04E
      • GetUpdateRgn.USER32 ref: 0040A064
      • BeginPaint.USER32(?,?), ref: 0040A077
        • Part of subcall function 00404C10: GetDC.USER32(?), ref: 00404C3D
        • Part of subcall function 00404C10: SelectObject.GDI32(00000000,?), ref: 00404C49
        • Part of subcall function 00404C10: GetTextMetricsW.GDI32(00000000,?), ref: 00404C57
        • Part of subcall function 00404C10: ReleaseDC.USER32 ref: 00404C6D
        • Part of subcall function 00404C10: GetSystemMetrics.USER32 ref: 00404C7B
        • Part of subcall function 00404C10: GetWindowRect.USER32 ref: 00404CA9
        • Part of subcall function 00404C10: SendMessageW.USER32(?,00001200,00000000,00000000), ref: 00404CC7
        • Part of subcall function 00404C10: SendMessageW.USER32(?,00001211,?,00000004), ref: 00404D5A
      • EndPaint.USER32(?,?), ref: 0040A099
      • DeleteObject.GDI32(?), ref: 0040A0A5
      Similarity
      • API ID: MessageMetricsObjectPaintRectSend$BeginCreateDeleteReleaseSelectSystemTextUpdateWindow
      • String ID:
      • API String ID: 3863374259-0
      • Opcode ID: 419b1e6bca0050a1c3c5c20ccf9ed9e5dc13f21d726c0a6910c7e1fd718739ac
      • Instruction ID: 258c7d6719d5b1d2723b34e8ec80c1bd7bd4bb175707858ebad598bddb700a66
      • Opcode Fuzzy Hash: 419b1e6bca0050a1c3c5c20ccf9ed9e5dc13f21d726c0a6910c7e1fd718739ac
      • Instruction Fuzzy Hash: F101A231A04218AFDB209F60EC4DBAE7778EB49710F100ABAF506E21B0EB3519C5CF19
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0045CA50(struct HWND__* _a4, signed int _a8, intOrPtr _a12, signed char _a16) {
      				long _t10;
      				signed char _t14;
      				int _t18;
      				struct HWND__* _t19;
      				struct HWND__* _t20;
      
      				_t14 = _a16;
      				_t19 = _a4;
      				_t18 = _a8 & 0x0000ffff;
      				_t8 =  !=  ? 8 : 0;
      				_t10 = CheckMenuItem(GetMenu(_t19), _t18,  !=  ? 8 : 0);
      				if(_a12 >= 0) {
      					_t20 = GetDlgItem(_t19, 0x66);
      					SendMessageW(_t20, 0x42b, _t18, (_t14 & 0x000000ff) + _a12);
      					return InvalidateRect(_t20, 0, 1);
      				}
      				return _t10;
      			}

      APIs
      • GetMenu.USER32(?), ref: 0045CA71
      • CheckMenuItem.USER32(00000000,?,00000000), ref: 0045CA78
      • GetDlgItem.USER32 ref: 0045CA87
      • SendMessageW.USER32(00000000,0000042B,?,00000000), ref: 0045CA9D
      • InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,00000000), ref: 0045CAA8
      Similarity
      • API ID: ItemMenu$CheckInvalidateMessageRectSend
      • String ID:
      • API String ID: 1831280364-0
      • Opcode ID: dfd458e54b297a9a2355243670f294537026a4d095860f6b27cbe0671f24d5f7
      • Instruction ID: aa80dee7c25a9826c34d93da3805d0b6db0a140ea288890058f1b5ae47192ac8
      • Opcode Fuzzy Hash: dfd458e54b297a9a2355243670f294537026a4d095860f6b27cbe0671f24d5f7
      • Instruction Fuzzy Hash: A1F06D32241614BBE7145F65DC18FEF77ACEB8A712F04453AFA41E2190C7B8990987B8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E004078D0(void* __ecx) {
      				signed int _v8;
      				struct tagTEXTMETRICW _v68;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t10;
      				void* _t21;
      				void* _t25;
      				long _t26;
      				struct HDC__* _t27;
      				signed int _t28;
      
      				_t10 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t10 ^ _t28;
      				_t21 = __ecx;
      				_t27 = GetDC( *(__ecx + 8));
      				SelectObject(_t27,  *(_t21 + 0x30));
      				GetTextMetricsW(_t27,  &_v68);
      				_t26 = _v68.tmHeight;
      				ReleaseDC( *(_t21 + 8), _t27);
      				if( *((intOrPtr*)(_t21 + 0x38)) != 0) {
      					_t26 =  <  ? GetSystemMetrics(0x32) : _t26;
      				}
      				return E0046F77E(_t21, _v8 ^ _t28, _t25, _t26, _t27);
      			}

      APIs
      Similarity
      • API ID: Metrics$ObjectReleaseSelectSystemText
      • String ID:
      • API String ID: 1631443687-0
      • Opcode ID: d175ef1905383af40aa1379293a0a5f6687184af14e7c3d54f996f32c9c10850
      • Instruction ID: fc2b8466ede5de7176e1a1450a755a12007f21949c18122208d84ca2f26b7177
      • Opcode Fuzzy Hash: d175ef1905383af40aa1379293a0a5f6687184af14e7c3d54f996f32c9c10850
      • Instruction Fuzzy Hash: 43018132601208EFDB00AFA8DC889AE77BDFF49351B040179F901D6261EB309C46CB95
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0045C360(struct HWND__* _a4) {
      				signed char _t2;
      				struct HWND__* _t14;
      				struct HWND__* _t15;
      
      				_t2 = E0043A120();
      				_t14 = _a4;
      				_t11 =  !=  ? 8 : 0;
      				CheckMenuItem(GetMenu(_t14), 0x9c52,  !=  ? 8 : 0);
      				_t15 = GetDlgItem(_t14, 0x66);
      				SendMessageW(_t15, 0x42b, 0x9c52, (_t2 & 0x000000ff) + 1);
      				return InvalidateRect(_t15, 0, 1);
      			}

      APIs
      • GetMenu.USER32(?), ref: 0045C382
      • CheckMenuItem.USER32(00000000), ref: 0045C389
      • GetDlgItem.USER32 ref: 0045C392
      • SendMessageW.USER32(00000000,0000042B,00009C52), ref: 0045C3AA
      • InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,00450787,?,00000000,00000000), ref: 0045C3B5
      Similarity
      • API ID: ItemMenu$CheckInvalidateMessageRectSend
      • String ID:
      • API String ID: 1831280364-0
      • Opcode ID: ec6fe0c30e66c946a389050e989ca4dc2fd4fa8bfa690336fe6368461f555154
      • Instruction ID: db0672b206c43e4d02d190597bef6a8f5fa8b582bfe88a6780c4a46a8cd7ed73
      • Opcode Fuzzy Hash: ec6fe0c30e66c946a389050e989ca4dc2fd4fa8bfa690336fe6368461f555154
      • Instruction Fuzzy Hash: D0F08271681A107BF6042760AC1AFAF378CEB06752F01453EFA41E60D1DB951D0947AD
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0046E200(intOrPtr* __ecx) {
      				intOrPtr* _t16;
      
      				_t16 = __ecx;
      				if(GetCapture() == 0) {
      					return 0;
      				} else {
      					_t1 = _t16 + 0xc; // 0x0
      					SetCursor( *_t1);
      					ReleaseCapture();
      					_t2 = _t16 + 0x14; // 0x0
      					 *((char*)(_t16 + 4)) = 0;
      					_t4 = _t16 + 0x10; // 0x0
      					SendMessageW( *_t4, 0x403,  *_t2, 0);
      					_t5 = _t16 + 0x1c; // 0x0
      					SetWindowPos( *_t5, 0, 0, 0, 0, 0, 3);
      					_t12 =  *_t16;
      					if( *_t16 != 0) {
      						E0046E140(_t12);
      					}
      					return  *_t16;
      				}
      			}

      APIs
      • GetCapture.USER32 ref: 0046E203
      • SetCursor.USER32(00000000,?,?,?), ref: 0046E210
      • ReleaseCapture.USER32(?,?,?), ref: 0046E216
      • SendMessageW.USER32(00000000,00000403,00000000,00000000), ref: 0046E22D
      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000003,?,?,?), ref: 0046E242
        • Part of subcall function 0046E140: GetSystemMetrics.USER32 ref: 0046E15B
        • Part of subcall function 0046E140: GetWindowDC.USER32(?), ref: 0046E165
        • Part of subcall function 0046E140: GetWindowRect.USER32 ref: 0046E175
        • Part of subcall function 0046E140: SaveDC.GDI32(00000000), ref: 0046E17C
        • Part of subcall function 0046E140: SetROP2.GDI32(00000000,00000006), ref: 0046E187
        • Part of subcall function 0046E140: CreatePen.GDI32(00000006,004BDD08,00000000), ref: 0046E192
        • Part of subcall function 0046E140: SelectObject.GDI32(?,00000000), ref: 0046E1A4
        • Part of subcall function 0046E140: GetStockObject.GDI32(00000005), ref: 0046E1A8
        • Part of subcall function 0046E140: SelectObject.GDI32(?,00000000), ref: 0046E1B2
        • Part of subcall function 0046E140: Rectangle.GDI32(?,00000000,00000000,?,?), ref: 0046E1CA
        • Part of subcall function 0046E140: RestoreDC.GDI32(?,00000000), ref: 0046E1D2
        • Part of subcall function 0046E140: ReleaseDC.USER32 ref: 0046E1DC
        • Part of subcall function 0046E140: DeleteObject.GDI32(00000000), ref: 0046E1E3
      Similarity
      • API ID: Object$Window$CaptureReleaseSelect$CreateCursorDeleteMessageMetricsRectRectangleRestoreSaveSendStockSystem
      • String ID:
      • API String ID: 2045408311-0
      • Opcode ID: 50dad748ba0d2c6757100f9b104efabbecd0d0c33b61e8344579b9cce02f4e5b
      • Instruction ID: 70de6f7dbd2a3c33f83e3721621a6f8deae50b6c7d86cef4a9622af53475adc3
      • Opcode Fuzzy Hash: 50dad748ba0d2c6757100f9b104efabbecd0d0c33b61e8344579b9cce02f4e5b
      • Instruction Fuzzy Hash: FCF03A30100700ABD7316F25FC08B4A7BE4AF14700F184D7DB582A15A0E765E8099B19
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 56%
      			E00419590(struct _CRITICAL_SECTION* __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
      				char _v8;
      				char _v16;
      				char _v20;
      				intOrPtr _v24;
      				struct _CRITICAL_SECTION* _v28;
      				intOrPtr _v32;
      				char _v36;
      				intOrPtr _v40;
      				char _v44;
      				signed int _v48;
      				intOrPtr _v52;
      				signed int _v56;
      				intOrPtr _v60;
      				char _v64;
      				intOrPtr _v72;
      				char _v76;
      				char _v84;
      				void* __esi;
      				signed int _t76;
      				intOrPtr* _t82;
      				intOrPtr* _t88;
      				char _t89;
      				signed int _t98;
      				char _t101;
      				intOrPtr* _t103;
      				intOrPtr* _t105;
      				intOrPtr _t116;
      				signed char _t117;
      				char _t119;
      				signed int _t120;
      				char _t122;
      				intOrPtr _t146;
      				intOrPtr _t147;
      				struct _CRITICAL_SECTION* _t149;
      				intOrPtr _t156;
      				signed int _t159;
      				void* _t160;
      				void* _t161;
      				intOrPtr* _t162;
      				void* _t163;
      				intOrPtr* _t164;
      				intOrPtr* _t165;
      
      				_t146 = __edx;
      				_push(0xffffffff);
      				_push(E00487278);
      				_push( *[fs:0x0]);
      				_t161 = _t160 - 0x44;
      				_t76 =  *0x4bb1dc; // 0x2927074f
      				_push(_t76 ^ _t159);
      				 *[fs:0x0] =  &_v16;
      				_t149 = __ecx;
      				_v28 = __ecx;
      				EnterCriticalSection(__ecx);
      				_v8 = 0;
      				_v64 = 0;
      				_t116 = _a4;
      				_t7 = _t149 + 0x58; // 0x4bca68
      				_v8 = 1;
      				if(E00419060(_t7,  *((intOrPtr*)(_t116 + 0x10)),  &_v64) != 0) {
      					__eflags =  *((intOrPtr*)(_t116 + 0x2c));
      					asm("xorps xmm0, xmm0");
      					asm("movlpd [ebp-0x20], xmm0");
      					_v20 = 0;
      					if(__eflags == 0) {
      						_t23 =  &_v36; // 0x41675f
      						_t152 = _v64;
      						_v24 =  *_t23;
      					} else {
      						_t152 = _v64;
      						asm("cdq");
      						_v24 = E00417850(_v64, __eflags, _v60, _v56 & 0x000000ff, _t116 + (( *(_t116 + 0x28) & 0x0000ffff) + 0xd) * 4,  *((intOrPtr*)(_t116 + 0x2c)));
      						_v32 = _t146;
      						_v20 =  *((intOrPtr*)(_t116 + 0x2c)) + 2;
      					}
      					_t117 = _v56;
      					_push(0);
      					_t162 = _t161 - 8;
      					_t82 = _t162;
      					 *_t82 = _v60;
      					 *(_t82 + 4) = _t117;
      					_push( &_v84);
      					E00467970(_t152, __eflags);
      					_t155 = _v60 + _v20;
      					asm("cdq");
      					_v8 = 2;
      					asm("adc ebx, 0x0");
      					_t163 = _t162 - 0x14;
      					E0040F8C0(_t163,  &_v84);
      					_t164 = _t163 - 8;
      					_t88 = _t164;
      					 *_t88 = _v60 + _v20;
      					 *((char*)(_t88 + 4)) = _t117 & 0x000000ff;
      					_t89 = E00468220(_v64);
      					_t129 = _v76;
      					_t119 = _t89;
      					__eflags = _v76;
      					if(_v76 == 0) {
      						_t120 = 0;
      						__eflags = 0;
      					} else {
      						_t155 = _a4;
      						E00411BD0(_t129,  *((intOrPtr*)(_t155 + 0x24)),  *((intOrPtr*)(_t155 + 0x1c)),  *((intOrPtr*)(_t155 + 0x20)), _v24);
      						__eflags =  *((intOrPtr*)(_t149 + 0x80)) -  *((intOrPtr*)(_t155 + 0x10));
      						if( *((intOrPtr*)(_t149 + 0x80)) >=  *((intOrPtr*)(_t155 + 0x10))) {
      							L9:
      							__eflags =  *((intOrPtr*)(_t149 + 0xac));
      							_t147 = _v76;
      							_v44 =  *((intOrPtr*)(_t147 + 0x1c));
      							_v40 =  *((intOrPtr*)(_t147 + 0x20));
      							_v36 =  *((intOrPtr*)(_t147 + 0x10));
      							if( *((intOrPtr*)(_t149 + 0xac)) <= 0) {
      								__eflags = _v48;
      								if(_v48 == 0) {
      									L20:
      									_t120 = 1;
      									L22:
      									_v8 = 1;
      									E0040F960( &_v84, _t155);
      									L23:
      									_t156 = _v64;
      									_v8 = 0;
      									if(_t156 != 0) {
      										_t73 = _t156 + 0x578; // 0x578
      										if(InterlockedDecrement(_t73) < 2) {
      											E00467460(_t156, _t93);
      										}
      									}
      									LeaveCriticalSection(_t149);
      									 *[fs:0x0] = _v16;
      									return _t120;
      								}
      								_t98 = 1;
      								L19:
      								_t68 = _t149 + 0xe0; // 0x4bcaf0
      								E00417A20(_t68, _t98,  &_v44);
      								goto L20;
      							}
      							_t53 = _t149 + 0x84; // 0x4bca94
      							_t101 = E00414070(_t53,  &_v84);
      							__eflags = _t101;
      							if(_t101 == 0) {
      								__eflags = _v48;
      								_t98 = 0 | _v48 == 0x00000000;
      								__eflags =  *0x4bd8a4;
      								if( *0x4bd8a4 == 0) {
      									L15:
      									__eflags = _t98 - 0xffffffff;
      									if(_t98 == 0xffffffff) {
      										goto L20;
      									}
      									goto L19;
      								}
      								__eflags = _t119;
      								if(_t119 == 0) {
      									goto L15;
      								}
      								_t155 = _v52;
      								_t122 = _v56;
      								_t165 = _t164 - 8;
      								_t103 = _t165;
      								 *_t103 = _v60;
      								 *((char*)(_t103 + 4)) = _t122;
      								E00468B50(_v72);
      								_t105 = _t165 - 8;
      								 *_t105 = _v60;
      								 *((char*)(_t105 + 4)) = _t122;
      								E00416240(_t149, _v52, _v52, _v20);
      								_t98 = 0;
      								goto L19;
      							}
      							asm("sbb eax, eax");
      							_t98 =  ~_v48 + 2;
      							goto L19;
      						}
      						__eflags =  *0x4bd8a4;
      						if( *0x4bd8a4 != 0) {
      							goto L9;
      						}
      						_t120 = 1;
      					}
      					goto L22;
      				}
      				_t120 = 0;
      				goto L23;
      			}

      APIs
      • EnterCriticalSection.KERNEL32(004BCA10,2927074F,004BCA10,?,00000000,00000000,00487278,000000FF,?,0043B0BC,?,?,?,?,0041675F,?), ref: 004195BE
        • Part of subcall function 00419060: InterlockedIncrement.KERNEL32(?), ref: 0041919C
        • Part of subcall function 00419060: InterlockedDecrement.KERNEL32(004BCFD4), ref: 004191AD
      • InterlockedDecrement.KERNEL32(00000578), ref: 004197A4
      • LeaveCriticalSection.KERNEL32(004BCA10), ref: 004197B8
      Strings
      Similarity
      • API ID: Interlocked$CriticalDecrementSection$EnterIncrementLeave
      • String ID: _gA
      • API String ID: 759824558-3016113401
      • Opcode ID: 9f6158129335152305280a3ceb958349988c8f137cfe46c97be90c5feb2e85b1
      • Instruction ID: 8df0ca80b6cd55f5133a0556b8fdcae3c15b64b356c4028d31d603515904135c
      • Opcode Fuzzy Hash: 9f6158129335152305280a3ceb958349988c8f137cfe46c97be90c5feb2e85b1
      • Instruction Fuzzy Hash: 9471CF71A15208EFCF05DFA8D855BEEBBB4BF09304F04416AE815A7391D738AC84CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E00414360(struct _CRITICAL_SECTION* __ecx, char _a4, char _a7) {
      				intOrPtr _v8;
      				char _v16;
      				char _v17;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				struct _CRITICAL_SECTION* _v32;
      				intOrPtr _v36;
      				intOrPtr _v40;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t71;
      				signed int _t76;
      				struct _CRITICAL_SECTION* _t98;
      				signed int _t104;
      				intOrPtr _t107;
      				intOrPtr _t108;
      				intOrPtr _t109;
      				intOrPtr _t110;
      				intOrPtr _t113;
      				intOrPtr _t114;
      				intOrPtr _t115;
      				intOrPtr _t116;
      				intOrPtr _t118;
      				intOrPtr _t120;
      				intOrPtr* _t123;
      				void* _t124;
      				intOrPtr* _t126;
      				signed int _t128;
      
      				_push(0xffffffff);
      				_push(E00486B38);
      				_push( *[fs:0x0]);
      				_t71 =  *0x4bb1dc; // 0x2927074f
      				_push(_t71 ^ _t128);
      				 *[fs:0x0] =  &_v16;
      				_t98 = __ecx;
      				_v32 = __ecx;
      				EnterCriticalSection(__ecx);
      				_t126 = _a4;
      				_v8 = 0;
      				_v17 = 1;
      				if( *_t126 != 0) {
      					_t116 =  *((intOrPtr*)(_t126 + 4));
      					_t7 = _t116 + 1; // 0x2
      					if(_t7 >  *((intOrPtr*)(_t126 + 8))) {
      						L2:
      						_a4 = 0x7a;
      						E0046F78D( &_a4, 0x4affc8);
      					}
      					 *((char*)(_t116 + _t110)) = _v17;
      				}
      				 *((intOrPtr*)(_t126 + 4)) =  *((intOrPtr*)(_t126 + 4)) + 1;
      				_t120 =  *_t126;
      				_t113 =  *((intOrPtr*)(_t126 + 4));
      				_t104 =  *((intOrPtr*)(_t98 + 0x1c)) -  *((intOrPtr*)(_t98 + 0x18)) >> 5;
      				if(_t120 != 0) {
      					_t18 = _t113 + 4; // 0x4
      					if(_t18 >  *((intOrPtr*)(_t126 + 8))) {
      						goto L2;
      					} else {
      						 *(_t113 + _t120) = _t104;
      					}
      				}
      				 *((intOrPtr*)(_t126 + 4)) =  *((intOrPtr*)(_t126 + 4)) + 4;
      				_t76 =  *((intOrPtr*)(_t98 + 0x1c)) -  *((intOrPtr*)(_t98 + 0x18)) >> 5;
      				_v24 = 0;
      				if(_t76 != 0) {
      					_t107 = 0;
      					_v28 = 0;
      					do {
      						_t123 =  *((intOrPtr*)(_t98 + 0x18)) + _t107;
      						_t108 =  *_t126;
      						_a4 =  *_t123;
      						if(_t108 == 0) {
      							L12:
      							 *((intOrPtr*)(_t126 + 4)) =  *((intOrPtr*)(_t126 + 4)) + 4;
      							_t114 =  *_t126;
      							_t109 =  *((intOrPtr*)(_t126 + 4));
      							_a4 =  *((intOrPtr*)(_t123 + 4));
      							if(_t114 == 0) {
      								L15:
      								 *((intOrPtr*)(_t126 + 4)) =  *((intOrPtr*)(_t126 + 4)) + 4;
      								_t115 =  *_t126;
      								_t110 =  *((intOrPtr*)(_t126 + 4));
      								_a7 =  *((intOrPtr*)(_t123 + 0x18));
      								if(_t115 == 0) {
      									L18:
      									 *((intOrPtr*)(_t126 + 4)) =  *((intOrPtr*)(_t126 + 4)) + 1;
      									_t124 = _t123 + 8;
      									E004649D0(_t98, _t126, _t124, _t126, _t142, _t124);
      									_t116 =  *_t126;
      									_v40 =  *((intOrPtr*)(_t124 + 8));
      									_v36 =  *((intOrPtr*)(_t124 + 0xc));
      									if(_t116 == 0) {
      										goto L21;
      									} else {
      										_t110 =  *((intOrPtr*)(_t126 + 4));
      										_t59 = _t110 + 8; // 0x8
      										if(_t59 >  *((intOrPtr*)(_t126 + 8))) {
      											goto L2;
      										} else {
      											asm("movq xmm0, [ebp-0x24]");
      											asm("movq [ecx+edx], xmm0");
      											goto L21;
      										}
      									}
      								} else {
      									_t48 = _t110 + 1; // 0x5
      									_t142 = _t48 -  *((intOrPtr*)(_t126 + 8));
      									if(_t48 >  *((intOrPtr*)(_t126 + 8))) {
      										goto L2;
      									} else {
      										 *((char*)(_t110 + _t115)) = _a7;
      										goto L18;
      									}
      								}
      							} else {
      								_t39 = _t109 + 4; // 0x8
      								if(_t39 >  *((intOrPtr*)(_t126 + 8))) {
      									goto L2;
      								} else {
      									 *((intOrPtr*)(_t109 + _t114)) = _a4;
      									goto L15;
      								}
      							}
      						} else {
      							_t116 =  *((intOrPtr*)(_t126 + 4));
      							_t30 = _t116 + 4; // 0x8
      							if(_t30 >  *((intOrPtr*)(_t126 + 8))) {
      								goto L2;
      							} else {
      								 *((intOrPtr*)(_t116 + _t108)) = _a4;
      								goto L12;
      							}
      						}
      						goto L22;
      						L21:
      						 *((intOrPtr*)(_t126 + 4)) =  *((intOrPtr*)(_t126 + 4)) + 8;
      						_t118 = _v24 + 1;
      						_t107 = _v28 + 0x20;
      						_t76 =  *((intOrPtr*)(_t98 + 0x1c)) -  *((intOrPtr*)(_t98 + 0x18)) >> 5;
      						_v24 = _t118;
      						_v28 = _t107;
      					} while (_t118 < _t76);
      				}
      				L22:
      				LeaveCriticalSection(_t98);
      				 *[fs:0x0] = _v16;
      				return _t76;
      			}

      APIs
      • EnterCriticalSection.KERNEL32(?,2927074F,?,?,?,?,?,2927074F), ref: 0041438E
      • __CxxThrowException@8.LIBCMT ref: 004143C3
        • Part of subcall function 0046F78D: RaiseException.KERNEL32(?,?,000000FF,004B76C4,?,00000000,?,?,?,0046EF06,000000FF,004B76C4,?,00000001), ref: 0046F7E2
      • LeaveCriticalSection.KERNEL32(?,?,2927074F,?,?,?,?), ref: 004144DA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterExceptionException@8LeaveRaiseThrow
      • String ID: z
      • API String ID: 1973487628-1657960367
      • Opcode ID: 8a4f2ecc328f4e8b1b5db678637e986eaa82d676fbb4fc695737de265af8c2be
      • Instruction ID: 49095dfdf0bf2fa1d56c4d270ff96dff1486637a5aaf576951a41c41265bd208
      • Opcode Fuzzy Hash: 8a4f2ecc328f4e8b1b5db678637e986eaa82d676fbb4fc695737de265af8c2be
      • Instruction Fuzzy Hash: 35518E74A0060A9FCB24CF18C580A9AFBF1FF84714B24C56ED89997705D734F982CB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E0040CEE0(void* __edx, struct HWND__* _a4, struct _CRITICAL_SECTION* _a8, intOrPtr* _a12) {
      				int _v8;
      				char _v16;
      				intOrPtr _v28;
      				char _v36;
      				intOrPtr _v72;
      				char _v76;
      				void* __esi;
      				signed int _t24;
      				long _t27;
      				int _t28;
      				intOrPtr _t35;
      				char _t39;
      				char _t45;
      				signed char _t47;
      				void* _t60;
      				struct _CRITICAL_SECTION* _t62;
      				long _t65;
      				int _t66;
      				signed int _t68;
      
      				_t60 = __edx;
      				_push(0xffffffff);
      				_push(E004860F0);
      				_push( *[fs:0x0]);
      				_t24 =  *0x4bb1dc; // 0x2927074f
      				_push(_t24 ^ _t68);
      				 *[fs:0x0] =  &_v16;
      				_t44 = _a4;
      				_t27 = SendMessageW(_a4, 0x1042, 0, 0);
      				_t62 = _a8;
      				_t65 = _t27;
      				if(_t65 != 0xffffffff) {
      					_t66 = _t65 + _t62;
      					__eflags = _t66;
      				} else {
      					if(_t62 <= 0) {
      						_t4 = E00416870(0x4bca10) - 1; // -1
      						_t66 = _t4;
      					} else {
      						_t66 = 0;
      					}
      				}
      				_t74 = _t62;
      				if(_t62 <= 0) {
      					_t28 = _t66;
      				} else {
      					_t28 = E00416870(0x4bca10) - _t66;
      				}
      				E0040C870( &_v76, _t60, _t74, _t44, L"Searching for Bookmarks", _t28, _a12);
      				_v8 = 0;
      				if(_t66 >= E00416870(0x4bca10)) {
      					L15:
      					_t45 = 0;
      					goto L16;
      				} else {
      					_a8 = 0x4bca10;
      					while(1) {
      						_t47 = 0;
      						EnterCriticalSection(0x4bca10);
      						_v8 = 1;
      						E0040D160(0x4bca10,  &_v36, _t66);
      						_t35 = _v28;
      						if(_t35 != 0) {
      							_t47 =  *(_t35 + 0xa) & 0x00000001;
      						}
      						E0040F960( &_v36, _t66);
      						_v8 = 0;
      						LeaveCriticalSection(0x4bca10);
      						if(_t47 != 0) {
      							break;
      						}
      						if( *_a12 != _t47) {
      							goto L15;
      						}
      						_t39 = E00416870(0x4bca10);
      						_v72 = _v72 + 1;
      						_v76 = _t39;
      						_t66 = _t66 + _t62;
      						if(_t66 < E00416870(0x4bca10)) {
      							continue;
      						}
      						goto L15;
      					}
      					E004366B0(_a4, _t66, 1);
      					_t45 = 1;
      					L16:
      					_v8 = 0xffffffff;
      					E0040C9C0( &_v76);
      					 *[fs:0x0] = _v16;
      					return _t45;
      				}
      			}

      0x0040cee0
      0x0040cee3
      0x0040cee5
      0x0040cef0
      0x0040cef7
      0x0040cefe
      0x0040cf02
      0x0040cf08
      0x0040cf15
      0x0040cf1b
      0x0040cf1e
      0x0040cf23
      0x0040cf3c
      0x0040cf3c
      0x0040cf25
      0x0040cf27
      0x0040cf37
      0x0040cf37
      0x0040cf29
      0x0040cf29
      0x0040cf29
      0x0040cf27
      0x0040cf3e
      0x0040cf40
      0x0040cf50
      0x0040cf42
      0x0040cf4c
      0x0040cf4c
      0x0040cf5f
      0x0040cf69
      0x0040cf77
      0x0040cfef
      0x0040cfef
      0x00000000
      0x0040cf79
      0x0040cf79
      0x0040cf80
      0x0040cf85
      0x0040cf87
      0x0040cf91
      0x0040cf9b
      0x0040cfa0
      0x0040cfa5
      0x0040cfaa
      0x0040cfaa
      0x0040cfb0
      0x0040cfba
      0x0040cfbe
      0x0040cfc6
      0x00000000
      0x00000000
      0x0040cfcd
      0x00000000
      0x00000000
      0x0040cfd4
      0x0040cfd9
      0x0040cfe1
      0x0040cfe4
      0x0040cfed
      0x00000000
      0x00000000
      0x00000000
      0x0040cfed
      0x0040d01a
      0x0040d022
      0x0040cff1
      0x0040cff4
      0x0040cffb
      0x0040d005
      0x0040d013
      0x0040d013

      APIs
      • SendMessageW.USER32(?,00001042,00000000,00000000), ref: 0040CF15
      • EnterCriticalSection.KERNEL32(004BCA10,?,Searching for Bookmarks,00000000,?), ref: 0040CF87
      • LeaveCriticalSection.KERNEL32(004BCA10,?,00000000), ref: 0040CFBE
      Strings
      • Searching for Bookmarks, xrefs: 0040CF59
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeaveMessageSend
      • String ID: Searching for Bookmarks
      • API String ID: 417868457-3594038144
      • Opcode ID: a122f435009b261292e7c1fb1fd0f27b8c6b5e0bbba09dbbc6ceaae476e92597
      • Instruction ID: 1326093650d370c2299bb4e125942425e892cec076e3afcd1c3459475c9b7e37
      • Opcode Fuzzy Hash: a122f435009b261292e7c1fb1fd0f27b8c6b5e0bbba09dbbc6ceaae476e92597
      • Instruction Fuzzy Hash: 1331F372644209EBCB10EB65D8C2BDEBB65EB06350F10463BF916772C1D77C880587AD
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0042D940(struct _CRITICAL_SECTION* __ecx, signed int* _a4) {
      				intOrPtr _v8;
      				char _v16;
      				intOrPtr _v20;
      				intOrPtr _v28;
      				signed int _v32;
      				struct _CRITICAL_SECTION* _v36;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t50;
      				signed int _t53;
      				signed int _t58;
      				struct _CRITICAL_SECTION* _t74;
      				signed int _t82;
      				signed int _t87;
      				signed int _t90;
      				signed int* _t93;
      				signed int _t96;
      
      				_push(0xffffffff);
      				_push(E00488DE8);
      				_push( *[fs:0x0]);
      				_t50 =  *0x4bb1dc; // 0x2927074f
      				_push(_t50 ^ _t96);
      				 *[fs:0x0] =  &_v16;
      				_t74 = __ecx;
      				_v36 = __ecx;
      				EnterCriticalSection(__ecx);
      				_t93 = _a4;
      				_t87 = _t93[1];
      				_v8 = 0;
      				_v32 = _t87;
      				if( *_t93 != 0) {
      					if(_t87 + 4 > _t93[2]) {
      						L2:
      						_a4 = 0x7a;
      						E0046F78D( &_a4, 0x4affc8);
      					}
      					 *(_t90 + _t87) = _t82;
      				}
      				_t93[1] = _t93[1] + 4;
      				_t16 = _t74 + 0x1c; // 0x0
      				_t17 = _t74 + 0x18; // 0x0
      				_t53 =  *_t93;
      				_t90 = _t93[1];
      				_t82 =  *_t16 -  *_t17 >> 3;
      				if(_t53 != 0) {
      					if(_t90 + _t82 * 4 > _t93[2]) {
      						goto L2;
      					} else {
      						_t53 =  *_t93;
      					}
      				}
      				_v20 = _t53 + _t90;
      				_t93[1] = _t90 + _t82 * 4;
      				_t90 = 0;
      				_t26 = _t74 + 0x1c; // 0x0
      				_t27 = _t74 + 0x18; // 0x0
      				_t58 =  *_t26 -  *_t27 >> 3;
      				if(_t58 != 0) {
      					L9:
      					while(1) {
      						if( *_t93 != 0) {
      							 *((intOrPtr*)(_v20 + _t90 * 4)) = _t93[1] - _t87;
      						}
      						_t32 = _t74 + 0x18; // 0x0
      						_t82 =  *_t93;
      						_t87 =  *( *_t32 + _t90 * 8);
      						_v28 =  *((intOrPtr*)(_t87 + 4));
      						if(_t82 == 0) {
      							L14:
      							_t93[1] = _t93[1] + 4;
      							E00464930(_t74, _t93, _t90, _t93, _t87);
      							_t45 = _t74 + 0x1c; // 0x0
      							_t90 = _t90 + 1;
      							_t46 = _t74 + 0x18; // 0x0
      							_t58 =  *_t45 -  *_t46 >> 3;
      							if(_t90 < _t58) {
      								_t87 = _v32;
      								continue;
      							}
      						} else {
      							if(_t93[1] + 4 > _t93[2]) {
      								goto L2;
      							} else {
      								 *((intOrPtr*)(_t82 + _t93[1])) = _v28;
      								_t93 = _a4;
      								goto L14;
      							}
      						}
      						goto L16;
      					}
      				}
      				L16:
      				LeaveCriticalSection(_t74);
      				 *[fs:0x0] = _v16;
      				return _t58;
      			}

      0x0042d943
      0x0042d945
      0x0042d950
      0x0042d957
      0x0042d95e
      0x0042d962
      0x0042d968
      0x0042d96b
      0x0042d96e
      0x0042d974
      0x0042d982
      0x0042d985
      0x0042d98c
      0x0042d991
      0x0042d999
      0x0042d99b
      0x0042d9a3
      0x0042d9ab
      0x0042d9ab
      0x0042d9b0
      0x0042d9b0
      0x0042d9b3
      0x0042d9b7
      0x0042d9ba
      0x0042d9bd
      0x0042d9bf
      0x0042d9c2
      0x0042d9c7
      0x0042d9cf
      0x00000000
      0x0042d9d1
      0x0042d9d1
      0x0042d9d1
      0x0042d9cf
      0x0042d9d5
      0x0042d9db
      0x0042d9de
      0x0042d9e0
      0x0042d9e3
      0x0042d9e6
      0x0042d9eb
      0x00000000
      0x0042d9f0
      0x0042d9f3
      0x0042d9fd
      0x0042d9fd
      0x0042da00
      0x0042da03
      0x0042da05
      0x0042da0b
      0x0042da10
      0x0042da2d
      0x0042da2d
      0x0042da34
      0x0042da39
      0x0042da3c
      0x0042da3d
      0x0042da40
      0x0042da45
      0x0042da47
      0x00000000
      0x0042da47
      0x0042da12
      0x0042da1b
      0x00000000
      0x0042da21
      0x0042da27
      0x0042da2a
      0x00000000
      0x0042da2a
      0x0042da1b
      0x00000000
      0x0042da10
      0x0042d9f0
      0x0042da4c
      0x0042da4d
      0x0042da56
      0x0042da64

      APIs
      • EnterCriticalSection.KERNEL32(004BCF2C,2927074F,004BCA10,00000000,004BCA10,004674DB,2927074F,004BCA10,004BCA10,0077A1E8,0048CCB8), ref: 0042D96E
      • __CxxThrowException@8.LIBCMT ref: 0042D9AB
        • Part of subcall function 0046F78D: RaiseException.KERNEL32(?,?,000000FF,004B76C4,?,00000000,?,?,?,0046EF06,000000FF,004B76C4,?,00000001), ref: 0046F7E2
      • LeaveCriticalSection.KERNEL32(004BCF2C), ref: 0042DA4D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterExceptionException@8LeaveRaiseThrow
      • String ID: z
      • API String ID: 1973487628-1657960367
      • Opcode ID: ed36447133a5116a3a6c357280fe594db28f5777e83a3d33ee6e61715c54d8da
      • Instruction ID: 6f8f9d574eade6f333df2b9ee369d2445e7a79a901e0858e21a8404d71f23064
      • Opcode Fuzzy Hash: ed36447133a5116a3a6c357280fe594db28f5777e83a3d33ee6e61715c54d8da
      • Instruction Fuzzy Hash: D14189B1A006098FCB24CF18D880A6BF7F4FF44310B548A6EE85A97345D738F851CB88
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E0044C340(struct HMENU__* _a4, signed int _a8, int* _a12) {
      				signed int _v8;
      				char _v528;
      				int* _v532;
      				struct tagMENUITEMINFOW _v580;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t19;
      				signed int _t28;
      				signed int _t29;
      				int* _t30;
      				void* _t31;
      				int _t33;
      				intOrPtr* _t36;
      				intOrPtr _t37;
      				intOrPtr _t40;
      				struct HMENU__* _t41;
      				int _t43;
      				signed int _t44;
      
      				_t19 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t19 ^ _t44;
      				_t41 = _a4;
      				_v532 = _a12;
      				_t33 = GetMenuItemCount(_t41);
      				_t43 = 0;
      				if(_t33 == 0) {
      					L12:
      					return E0046F77E(_t33, _v8 ^ _t44, _t40, _t41, _t43);
      				} else {
      					do {
      						asm("xorps xmm0, xmm0");
      						_v580.cbSize = 0x30;
      						asm("movq [ebp-0x218], xmm0");
      						asm("movdqu [ebp-0x228], xmm0");
      						_v580.dwTypeData =  &_v528;
      						asm("movdqu [ebp-0x238], xmm0");
      						_v580.fMask = 0x44;
      						_v580.cch = 0x104;
      						if(GetMenuItemInfoW(_t41, _t43, 1,  &_v580) == 0) {
      							goto L11;
      						} else {
      							_t28 = _a8;
      							_t36 =  &_v528;
      							while(1) {
      								_t40 =  *_t36;
      								if(_t40 !=  *_t28) {
      									break;
      								}
      								if(_t40 == 0) {
      									L8:
      									_t29 = 0;
      								} else {
      									_t40 =  *((intOrPtr*)(_t36 + 2));
      									if(_t40 !=  *((intOrPtr*)(_t28 + 2))) {
      										break;
      									} else {
      										_t36 = _t36 + 4;
      										_t28 = _t28 + 4;
      										if(_t40 != 0) {
      											continue;
      										} else {
      											goto L8;
      										}
      									}
      								}
      								L10:
      								if(_t29 == 0) {
      									_t30 = _v532;
      									if(_t30 != 0) {
      										 *_t30 = _t43;
      									}
      									_t37 = _v580.hSubMenu;
      									_t42 =  !=  ? _t37 : _t41;
      									_t31 =  !=  ? _t37 : _t41;
      									return E0046F77E(_t33, _v8 ^ _t44, _t40,  !=  ? _t37 : _t41, _t43);
      								} else {
      									goto L11;
      								}
      								goto L16;
      							}
      							asm("sbb eax, eax");
      							_t29 = _t28 | 0x00000001;
      							goto L10;
      						}
      						goto L16;
      						L11:
      						_t43 = _t43 + 1;
      					} while (_t43 < _t33);
      					goto L12;
      				}
      				L16:
      			}

      0x0044c349
      0x0044c350
      0x0044c359
      0x0044c35d
      0x0044c369
      0x0044c36b
      0x0044c36f
      0x0044c41d
      0x0044c42d
      0x0044c375
      0x0044c380
      0x0044c380
      0x0044c383
      0x0044c393
      0x0044c39b
      0x0044c3a3
      0x0044c3b4
      0x0044c3bc
      0x0044c3c6
      0x0044c3d8
      0x00000000
      0x0044c3da
      0x0044c3da
      0x0044c3dd
      0x0044c3e3
      0x0044c3e3
      0x0044c3e9
      0x00000000
      0x00000000
      0x0044c3ee
      0x0044c405
      0x0044c405
      0x0044c3f0
      0x0044c3f0
      0x0044c3f8
      0x00000000
      0x0044c3fa
      0x0044c3fa
      0x0044c3fd
      0x0044c403
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x0044c403
      0x0044c3f8
      0x0044c40e
      0x0044c410
      0x0044c42e
      0x0044c436
      0x0044c438
      0x0044c438
      0x0044c43a
      0x0044c442
      0x0044c448
      0x0044c457
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x0044c410
      0x0044c409
      0x0044c40b
      0x00000000
      0x0044c40b
      0x00000000
      0x0044c412
      0x0044c412
      0x0044c413
      0x00000000
      0x0044c380
      0x00000000

      APIs
      • GetMenuItemCount.USER32 ref: 0044C363
      • GetMenuItemInfoW.USER32(?,00000000,00000001,00000030), ref: 0044C3D0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ItemMenu$CountInfo
      • String ID: 0$D
      • API String ID: 115949281-1534285997
      • Opcode ID: d0a4b368c10b0835b90e17c6f85b6c7f4a8a3599d7ccb7eae0c6ee21e518f648
      • Instruction ID: dfc15bc5d43ee8e7fb09349405a6d1e0530e3730c5af981beacb0006ed7f8548
      • Opcode Fuzzy Hash: d0a4b368c10b0835b90e17c6f85b6c7f4a8a3599d7ccb7eae0c6ee21e518f648
      • Instruction Fuzzy Hash: C631D571A012199BEB60DF65DDD47FAB3B4EF64340F1402ABE909D3210EB758E85CB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E0044C290(struct HMENU__* _a4, intOrPtr _a8, int* _a12) {
      				struct tagMENUITEMINFOW _v52;
      				void* _t13;
      				int* _t17;
      				struct HMENU__* _t19;
      				int _t20;
      				int _t21;
      				int _t22;
      				void* _t23;
      
      				_t19 = _a4;
      				_t20 = GetMenuItemCount(_t19);
      				_t21 = 0;
      				if(_t20 == 0) {
      					L5:
      					_t22 = 0;
      					if(_t20 == 0) {
      						L9:
      						return 0;
      					} else {
      						goto L6;
      					}
      					do {
      						L6:
      						if(GetSubMenu(_t19, _t22) == 0) {
      							goto L8;
      						}
      						_t13 = E0044C290(_t12, _a8, _a12);
      						_t23 = _t23 + 0xc;
      						if(_t13 == 0) {
      							goto L8;
      						}
      						return _t13;
      						goto L14;
      						L8:
      						_t22 = _t22 + 1;
      					} while (_t22 < _t20);
      					goto L9;
      				} else {
      					while(1) {
      						_v52.cbSize = 0x30;
      						asm("xorps xmm0, xmm0");
      						_v52.fMask = 2;
      						asm("movdqu [ebp-0x28], xmm0");
      						asm("movdqu [ebp-0x18], xmm0");
      						asm("movq [ebp-0x8], xmm0");
      						if(GetMenuItemInfoW(_t19, _t21, 1,  &_v52) != 0 && _v52.wID == _a8) {
      							break;
      						}
      						_t21 = _t21 + 1;
      						if(_t21 < _t20) {
      							continue;
      						} else {
      							goto L5;
      						}
      						goto L14;
      					}
      					_t17 = _a12;
      					if(_t17 != 0) {
      						 *_t17 = _t21;
      					}
      					return _t19;
      				}
      				L14:
      			}

      0x0044c297
      0x0044c2a3
      0x0044c2a5
      0x0044c2a9
      0x0044c2ef
      0x0044c2ef
      0x0044c2f3
      0x0044c319
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x0044c2f5
      0x0044c2f5
      0x0044c2ff
      0x00000000
      0x00000000
      0x0044c308
      0x0044c30d
      0x0044c312
      0x00000000
      0x00000000
      0x0044c321
      0x00000000
      0x0044c314
      0x0044c314
      0x0044c315
      0x00000000
      0x0044c2ab
      0x0044c2b0
      0x0044c2b3
      0x0044c2bd
      0x0044c2c0
      0x0044c2c9
      0x0044c2ce
      0x0044c2d3
      0x0044c2e0
      0x00000000
      0x00000000
      0x0044c2ea
      0x0044c2ed
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x0044c2ed
      0x0044c322
      0x0044c327
      0x0044c329
      0x0044c329
      0x0044c333
      0x0044c333
      0x00000000

      APIs
      • GetMenuItemCount.USER32 ref: 0044C29D
      • GetMenuItemInfoW.USER32(?,00000000,00000001,?), ref: 0044C2D8
      • GetSubMenu.USER32 ref: 0044C2F7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Menu$Item$CountInfo
      • String ID: 0
      • API String ID: 3929006210-4108050209
      • Opcode ID: e993201f6aa35abd83035c587c14cd1a8075e8b51ab8e70137a642d3fa1a553a
      • Instruction ID: 358a65001d27f9df0e39d02ef9c82d83a95e12c1df1b096427f2c67a53a9bf88
      • Opcode Fuzzy Hash: e993201f6aa35abd83035c587c14cd1a8075e8b51ab8e70137a642d3fa1a553a
      • Instruction Fuzzy Hash: 3511BC72E0131997EB518FA59CC4A9FFB6CFB49754F184677FD08E2201EB75844087A8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E00401149(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				signed int _v8;
      				char _v268;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t9;
      				_Unknown_base(*)()* _t11;
      				intOrPtr _t21;
      				void* _t22;
      				struct HINSTANCE__* _t23;
      				void* _t26;
      				intOrPtr _t28;
      				void* _t29;
      				void* _t31;
      				signed int _t36;
      				void* _t40;
      
      				_t26 = __edx;
      				_t34 = _t36;
      				_t9 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t9 ^ _t36;
      				_t23 =  *0x4c286c; // 0x0
      				_t21 = _a8;
      				_t28 = _a4;
      				if(_t23 != 0) {
      					L8:
      					_t11 =  *0x4c2864; // 0x0
      					if(_t11 != 0) {
      						L10:
      						 *_t11(_t28, _t21, _a12, _a16);
      					} else {
      						_t11 = GetProcAddress(_t23, 0xf);
      						 *0x4c2864 = _t11;
      						if(_t11 == 0) {
      							goto L7;
      						} else {
      							goto L10;
      						}
      					}
      				} else {
      					_t40 =  *0x4c2868 - _t23; // 0x0
      					if(_t40 != 0) {
      						goto L8;
      					} else {
      						if(E00401063(_t21,  &_v268) != 0) {
      							 *0x4c286c = LoadLibraryA( &_v268);
      						}
      						_t23 =  *0x4c286c; // 0x0
      						if(_t23 != 0) {
      							goto L8;
      						} else {
      							_t23 = LoadLibraryA("hhctrl.ocx");
      							 *0x4c286c = _t23;
      							if(_t23 != 0) {
      								goto L8;
      							} else {
      								L7:
      								 *0x4c2868 = 1;
      							}
      						}
      					}
      				}
      				_pop(_t29);
      				_pop(_t31);
      				_pop(_t22);
      				return E0046F77E(_t22, _v8 ^ _t34, _t26, _t29, _t31);
      			}

      0x00401149
      0x0040114c
      0x00401154
      0x0040115b
      0x0040115e
      0x00401165
      0x0040116a
      0x0040116f
      0x004011c8
      0x004011c8
      0x004011cf
      0x004011e3
      0x004011eb
      0x004011d1
      0x004011d4
      0x004011da
      0x004011e1
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x004011e1
      0x00401171
      0x00401171
      0x00401177
      0x00000000
      0x00401179
      0x0040118d
      0x00401198
      0x00401198
      0x0040119d
      0x004011a5
      0x00000000
      0x004011a7
      0x004011ae
      0x004011b0
      0x004011b8
      0x00000000
      0x004011ba
      0x004011ba
      0x004011ba
      0x004011c4
      0x004011b8
      0x004011a5
      0x00401177
      0x004011f0
      0x004011f1
      0x004011f4
      0x004011fb

      APIs
      • GetProcAddress.KERNEL32(00000000,0000000F), ref: 004011D4
        • Part of subcall function 00401063: RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?), ref: 0040109B
        • Part of subcall function 00401063: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 004010DC
        • Part of subcall function 00401063: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 00401100
        • Part of subcall function 00401063: RegCloseKey.ADVAPI32(?), ref: 0040112D
      • LoadLibraryA.KERNEL32(?), ref: 00401196
      • LoadLibraryA.KERNEL32(hhctrl.ocx), ref: 004011AC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: LibraryLoad$AddressCloseEnvironmentExpandOpenProcQueryStringsValue
      • String ID: hhctrl.ocx
      • API String ID: 1060647816-2298675154
      • Opcode ID: 230988b66aa210b7204f16b00ce9c0d63c41f113d0b09ad96f8c693b6fa91175
      • Instruction ID: eb0bad19058ae58541c3e4e117b03f62a5ca1cca60fc6bda2a762ab21292080a
      • Opcode Fuzzy Hash: 230988b66aa210b7204f16b00ce9c0d63c41f113d0b09ad96f8c693b6fa91175
      • Instruction Fuzzy Hash: BE1163316003099BCF58DF66ED84E6A37E8AB58340B00093EE505E72A0DBF4DA44CB68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 62%
      			E0043B490(char _a4) {
      				long* _v8;
      				char _v16;
      				struct _CRITICAL_SECTION* _v20;
      				void* __ecx;
      				signed int _t15;
      				intOrPtr _t20;
      				int _t23;
      				intOrPtr _t25;
      				struct _CRITICAL_SECTION* _t27;
      				intOrPtr _t33;
      				struct _CRITICAL_SECTION* _t37;
      				signed int _t39;
      
      				_push(0xffffffff);
      				_push(E0048BB78);
      				_push( *[fs:0x0]);
      				_push(_t27);
      				_t15 =  *0x4bb1dc; // 0x2927074f
      				_push(_t15 ^ _t39);
      				 *[fs:0x0] =  &_v16;
      				_t37 = _t27;
      				_v20 = _t37;
      				EnterCriticalSection(_t37);
      				_t3 = _t37 + 0x1c; // 0x77cfe0
      				_t25 =  *_t3;
      				_t5 = _t37 + 0x1c; // 0x4bce64
      				_v8 = 0;
      				_t33 = E004430E0(_t5, _t25,  *((intOrPtr*)(_t25 + 4)),  &_a4);
      				_t8 = _t37 + 0x20; // 0x0
      				_t20 =  *_t8;
      				_t40 = 0x15555554 - _t20 - 1;
      				if(0x15555554 - _t20 < 1) {
      					_push("list<T> too long");
      					_t20 = E0046EB0F(_t40);
      				}
      				 *((intOrPtr*)(_t37 + 0x20)) = _t20 + 1;
      				 *((intOrPtr*)(_t25 + 4)) = _t33;
      				 *((intOrPtr*)( *((intOrPtr*)(_t33 + 4)))) = _t33;
      				_t12 = _t37 + 0x18; // 0x204
      				_t23 = ReleaseSemaphore( *_t12, 1, 0);
      				LeaveCriticalSection(_t37);
      				 *[fs:0x0] = _v16;
      				return _t23;
      			}

      0x0043b493
      0x0043b495
      0x0043b4a0
      0x0043b4a1
      0x0043b4a5
      0x0043b4ac
      0x0043b4b0
      0x0043b4b6
      0x0043b4b9
      0x0043b4bc
      0x0043b4c2
      0x0043b4c2
      0x0043b4c9
      0x0043b4cc
      0x0043b4dc
      0x0043b4e3
      0x0043b4e3
      0x0043b4e8
      0x0043b4eb
      0x0043b4ed
      0x0043b4f2
      0x0043b4f2
      0x0043b4f8
      0x0043b4fb
      0x0043b505
      0x0043b507
      0x0043b50a
      0x0043b511
      0x0043b51a
      0x0043b528

      APIs
      • EnterCriticalSection.KERNEL32(004BCE48,2927074F,00000000,00000000,00000000,004BCE48,00000000,0048BB78,000000FF,?,00439864,00000000,00439E1E,00000000,?), ref: 0043B4BC
      • ReleaseSemaphore.KERNEL32(00000204,00000001,00000000,0077CFE0,?,00439864,?,00439864), ref: 0043B50A
      • LeaveCriticalSection.KERNEL32(004BCE48,?,00439864), ref: 0043B511
        • Part of subcall function 0046EB0F: std::exception::exception.LIBCMT ref: 0046EB22
        • Part of subcall function 0046EB0F: __CxxThrowException@8.LIBCMT ref: 0046EB37
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterException@8LeaveReleaseSemaphoreThrowstd::exception::exception
      • String ID: list<T> too long
      • API String ID: 239888488-4027344264
      • Opcode ID: 18318d9890a7c6cc48e00a21d6a7aa320421368b1f1911eca6da4ad615afe9ee
      • Instruction ID: e97bc6c4bbef8970c447ca52d8dbb170772f8c12e809775ba2a6587529f0982b
      • Opcode Fuzzy Hash: 18318d9890a7c6cc48e00a21d6a7aa320421368b1f1911eca6da4ad615afe9ee
      • Instruction Fuzzy Hash: 87119A76600604AFC714DF59CC45B6ABBF8FB09710F108A2EE906C7650EB75A9048BA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 61%
      			E00404260(struct HINSTANCE__* _a4, struct HWND__* _a8) {
      				signed int _v8;
      				intOrPtr _v20;
      				struct tagRECT _v40;
      				struct HWND__* _v48;
      				intOrPtr _v52;
      				void* _v56;
      				void* __edi;
      				void* __esi;
      				signed int _t11;
      				struct HWND__* _t14;
      				void* _t21;
      				void* _t24;
      				struct HWND__* _t25;
      				signed int _t27;
      
      				_t11 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t11 ^ _t27;
      				_t25 = _a8;
      				_t14 = CreateWindowExW(0, L"tooltips_class32", 0, 0x80000033, 0, 0, 0, 0, _t25, 0, _a4, 0);
      				_v56 = 0x30;
      				asm("xorps xmm0, xmm0");
      				_v52 = 0x100;
      				asm("movq [ebp-0xc], xmm0");
      				asm("movdqu [ebp-0x2c], xmm0");
      				asm("movdqu [ebp-0x1c], xmm0");
      				_v48 = _t25;
      				_v20 = 0xffffffff;
      				GetClientRect(_t25,  &_v40);
      				SendMessageW(_t14, 0x432, 0,  &_v56);
      				return E0046F77E(_t21, _v8 ^ _t27, _t24, _t25, _t14);
      			}

      APIs
      • CreateWindowExW.USER32 ref: 00404294
      • GetClientRect.USER32 ref: 004042CB
      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004042DD
      Strings
      Similarity
      • API ID: ClientCreateMessageRectSendWindow
      • String ID: tooltips_class32
      • API String ID: 2975604703-1918224756
      • Opcode ID: 7aaeb647f1370dd71b149c007c47b72493e07881174edefd0de70986a7d17ab1
      • Instruction ID: 0fa52784fdaa81c8e79f4e518a3184bf8146da279579ff1be6e912023f2a14b7
      • Opcode Fuzzy Hash: 7aaeb647f1370dd71b149c007c47b72493e07881174edefd0de70986a7d17ab1
      • Instruction Fuzzy Hash: 21110C71E41308BAD710DF99DC05FDEB7B8EB59710F20422AF910B62D0D7B46A45CBA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 35%
      			E0046C230(intOrPtr _a4) {
      				signed int _v8;
      				short _v2056;
      				void* __edi;
      				void* __esi;
      				signed int _t8;
      				void* _t19;
      				void* _t22;
      				intOrPtr _t23;
      				void* _t24;
      				signed int _t25;
      				void* _t26;
      				void* _t27;
      
      				_t8 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t8 ^ _t25;
      				_t23 = _a4;
      				_t24 = 0;
      				EnterCriticalSection(0x4c27e4);
      				_t26 =  *0x4c2774 - _t24; // 0x0
      				if(_t26 != 0) {
      					_t27 =  *0x4c2780 - _t24; // 0x0
      					if(_t27 != 0) {
      						 *0x4c2788(0x12237);
      						_t24 =  *0x4c2774(_t23, 0, 0);
      						if( *0x4c27cc != 0) {
      							GetEnvironmentVariableW(L"TEMP",  &_v2056, 0x400);
      							 *0x4c27cc(_t23,  &_v2056);
      						}
      					}
      				}
      				LeaveCriticalSection(0x4c27e4);
      				return E0046F77E(_t19, _v8 ^ _t25, _t22, _t23, _t24);
      			}

      APIs
      • EnterCriticalSection.KERNEL32(004C27E4,004880B8,?), ref: 0046C24F
      • GetEnvironmentVariableW.KERNEL32(TEMP,?,00000400), ref: 0046C295
      • LeaveCriticalSection.KERNEL32(004C27E4), ref: 0046C2AE
      Strings
      Similarity
      • API ID: CriticalSection$EnterEnvironmentLeaveVariable
      • String ID: TEMP
      • API String ID: 4026623713-1036413054
      • Opcode ID: 6fe8d67242e3190c39c73f5238e3553d65c12f712458f99b69a649939470cdb0
      • Instruction ID: eff8252cd34751d9b54f607630d24f25588b53317a23f2b0c6fa5fdda508c612
      • Opcode Fuzzy Hash: 6fe8d67242e3190c39c73f5238e3553d65c12f712458f99b69a649939470cdb0
      • Instruction Fuzzy Hash: A1012831902219AFC7609BA5ED99EAFBBB8EF05B11F00017EF90096150DFF84814CBE9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 34%
      			E0042E960() {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _v24;
      				char _v28;
      				signed int _t10;
      				_Unknown_base(*)()* _t13;
      				void* _t21;
      				void* _t29;
      				void* _t30;
      				void* _t31;
      				signed int _t32;
      
      				_t10 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t10 ^ _t32;
      				_t13 = GetProcAddress(LoadLibraryW(L"comctl32.dll"), "DllGetVersion");
      				if(_t13 != 0) {
      					_v28 = 0x14;
      					asm("xorps xmm0, xmm0");
      					_v24 = 0;
      					_push( &_v28);
      					asm("movq [ebp-0x10], xmm0");
      					_v12 = 0;
      					if( *_t13() < 0 || _v24 < 6) {
      						return E0046F77E(_t21, _v8 ^ _t32, _t29, _t30, _t31);
      					} else {
      						return E0046F77E(_t21, _v8 ^ _t32, _t29, _t30, _t31);
      					}
      				} else {
      					return E0046F77E(_t21, _v8 ^ _t32, _t29, _t30, _t31);
      				}
      			}

      APIs
      • LoadLibraryW.KERNEL32(comctl32.dll,DllGetVersion), ref: 0042E97A
      • GetProcAddress.KERNEL32(00000000), ref: 0042E981
      Strings
      Similarity
      • API ID: AddressLibraryLoadProc
      • String ID: DllGetVersion$comctl32.dll
      • API String ID: 2574300362-3857068685
      • Opcode ID: 4501b2684e6fb7a259a09464f9a60240e78f0e646789b18cf0608bc5c905b229
      • Instruction ID: 4980d9cd10564e07fc620f147903b50c8b9974c2fea83d835eb9b5732d1c8843
      • Opcode Fuzzy Hash: 4501b2684e6fb7a259a09464f9a60240e78f0e646789b18cf0608bc5c905b229
      • Instruction Fuzzy Hash: 1E01B570A1020D9BCF40EFF6A8153BEB7B4EF45305F50017FE805A3240EB785A448789
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 38%
      			E00459640(intOrPtr _a4) {
      				signed int _v8;
      				char _v72;
      				struct %anon38 _v108;
      				signed int _t15;
      				intOrPtr _t20;
      				void* _t24;
      				void* _t27;
      				void* _t28;
      				void* _t29;
      				signed int _t30;
      
      				_t15 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t15 ^ _t30;
      				asm("movdqa xmm0, [0x4a6830]");
      				asm("movdqu [ebp-0x44], xmm0");
      				asm("movdqu [ebp-0x34], xmm0");
      				_v108.lStructSize = 0x24;
      				asm("movdqu [ebp-0x24], xmm0");
      				asm("movdqu [ebp-0x14], xmm0");
      				asm("xorps xmm0, xmm0");
      				asm("movdqu [ebp-0x64], xmm0");
      				_v108.hwndOwner = _a4;
      				asm("movdqu [ebp-0x54], xmm0");
      				_v108.Flags = 0x35;
      				_v108.hInstance = GetModuleHandleW(0);
      				_v108.lpCustColors =  &_v72;
      				_t20 =  *0x4bd8a8; // 0x0
      				_v108.rgbResult = _t20;
      				_v108.lCustData = 0;
      				_v108.lpTemplateName = L"SELECTHIGHLIGHTCOLORS";
      				_v108.lpfnHook = E004596E0;
      				ChooseColorW( &_v108);
      				return E0046F77E(_t24, _v8 ^ _t30, _t27, _t28, _t29);
      			}

      APIs
      • GetModuleHandleW.KERNEL32(00000000), ref: 0045968F
      • ChooseColorW.COMDLG32(00000024), ref: 004596BF
      Strings
      Similarity
      • API ID: ChooseColorHandleModule
      • String ID: $$5
      • API String ID: 1834649618-1734218411
      • Opcode ID: d157a96eedcd2a77c97be0b058e10d06b0b2f74112c7a1adf00803797f11b52f
      • Instruction ID: 9e80630c3c9763325bc3dbd23c9b5f7f90b014cea05a175457eb0371069e98b1
      • Opcode Fuzzy Hash: d157a96eedcd2a77c97be0b058e10d06b0b2f74112c7a1adf00803797f11b52f
      • Instruction Fuzzy Hash: 3411BE71D1178CCBDB00DFD4D9456EDFBF4EF99300F20521AE845AA211EB745A48CB85
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0047804C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t14;
      				intOrPtr* _t22;
      				intOrPtr* _t25;
      				intOrPtr _t28;
      				void* _t29;
      
      				_push(0xc);
      				_push(0x4b7cb0);
      				L00477E90(__ebx, __edi, __esi);
      				E004780FD(0xe);
      				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
      				_t28 =  *((intOrPtr*)(_t29 + 8));
      				_t14 =  *(_t28 + 4);
      				if(_t14 != 0) {
      					_t22 =  *0x4c2c40; // 0x0
      					_t25 = 0x4c2c3c;
      					while(1) {
      						 *((intOrPtr*)(_t29 - 0x1c)) = _t22;
      						if(_t22 == 0) {
      							break;
      						}
      						if( *_t22 != _t14) {
      							_t25 = _t22;
      							continue;
      						} else {
      							 *((intOrPtr*)(_t25 + 4)) =  *((intOrPtr*)(_t22 + 4));
      							E0047040C(_t22);
      						}
      						break;
      					}
      					E0047040C( *(_t28 + 4));
      					 *(_t28 + 4) =  *(_t28 + 4) & 0x00000000;
      				}
      				 *(_t29 - 4) = 0xfffffffe;
      				return L00477ED5(E004780B4());
      			}

      APIs
      • __lock.LIBCMT ref: 0047805A
        • Part of subcall function 004780FD: __mtinitlocknum.LIBCMT ref: 0047810F
        • Part of subcall function 004780FD: EnterCriticalSection.KERNEL32(00000000,?,0047525B,0000000D), ref: 00478128
      • _free.LIBCMT ref: 0047808B
      • _free.LIBCMT ref: 00478094
      Strings
      Similarity
      • API ID: _free$CriticalEnterSection__lock__mtinitlocknum
      • String ID: <,L
      • API String ID: 3990512260-2490082291
      • Opcode ID: 40fd9164ae7e2a9beba09c66205b455ab4c40f1294708e07bfccbe0f60be97ac
      • Instruction ID: 39820c0b104cbb8e6812550646580d6f6a0c153bf74ff7965d6a3dd28abb6b69
      • Opcode Fuzzy Hash: 40fd9164ae7e2a9beba09c66205b455ab4c40f1294708e07bfccbe0f60be97ac
      • Instruction Fuzzy Hash: A3F0A931681301DADB24AB21C506BABB7A0AB40328F20C45EE50C5A382CEBDD8428A49
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 47%
      			E0045F225() {
      				void* _t6;
      				void* _t9;
      				void* _t11;
      				void* _t13;
      				signed int _t14;
      
      				while(1) {
      					__eax = FindWindowW(L"PROCMON_WINDOW_CLASS", 0);
      					if(__eax != 0) {
      						break;
      					}
      					Sleep(0x64);
      					__esi = __esi + 1;
      					if(__esi < 0x64) {
      						continue;
      					} else {
      						_pop(_t11);
      						_pop(_t13);
      						_pop(_t6);
      						return E0046F77E(_t6,  *(_t14 - 4) ^ _t14, _t9, _t11, _t13);
      					}
      					L8:
      				}
      				__eax = SendMessageW(__eax, ??, ??, ??);
      				__eax = 0;
      				__edi = 0x8009;
      				__esi = 0;
      				__ebx = 0;
      				__ecx =  *(__ebp - 4);
      				__ecx =  *(__ebp - 4) ^ __ebp;
      				__eax = E0046F77E(__ebx,  *(__ebp - 4) ^ __ebp, __edx, __edi, __esi);
      				__esp = __ebp;
      				_pop(__ebp);
      				return __eax;
      				goto L8;
      			}

      APIs
      • FindWindowW.USER32(PROCMON_WINDOW_CLASS,00000000), ref: 0045F23A
      • Sleep.KERNEL32(00000064), ref: 0045F242
      • SendMessageW.USER32(00000000,00008009,00000000,00000000), ref: 0045F259
      Strings
      Similarity
      • API ID: FindMessageSendSleepWindow
      • String ID: PROCMON_WINDOW_CLASS
      • API String ID: 602436415-2120583162
      • Opcode ID: 7c6dc02aebdb1c6f32844da44df82233469dffa12b02e863364aff044676f23d
      • Instruction ID: 6e6fa7450f9c6bf891260e0423c122004ae6bef84e69b2c6ccbbe5b004a9c905
      • Opcode Fuzzy Hash: 7c6dc02aebdb1c6f32844da44df82233469dffa12b02e863364aff044676f23d
      • Instruction Fuzzy Hash: 0AE0D8367807046BD120ABF46C46B1D73C4EB5CB22F61053BFE02EA0D2D5A56C0D479E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0042C260() {
      				struct _WNDCLASSEXW _v52;
      
      				E00470030( &(_v52.style), 0, 0x2c);
      				_v52.cbSize = 0x30;
      				_v52.lpfnWndProc = E0042C2C0;
      				_v52.hCursor = LoadCursorW(0, 0x7f00);
      				_v52.hbrBackground = 0;
      				_v52.lpszMenuName = 0;
      				_v52.style = 8;
      				_v52.lpszClassName = L"GraphWindowClass";
      				return RegisterClassExW( &_v52);
      			}

      APIs
      Strings
      Similarity
      • API ID: ClassCursorLoadRegister_memset
      • String ID: 0
      • API String ID: 2700477685-4108050209
      • Opcode ID: 6a50e79a81cec3826684878947434d64ad3c0528f6bab13573366df70596056f
      • Instruction ID: a4919fc102ca0766b9a15d0551f9e234a4ff8a14a634c2905b33e545030361f8
      • Opcode Fuzzy Hash: 6a50e79a81cec3826684878947434d64ad3c0528f6bab13573366df70596056f
      • Instruction Fuzzy Hash: 3EF01275D10308ABDB009FE4ED49BDDBBB8BB04304F008569E51476281D7B911088FE9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00408910() {
      				struct _WNDCLASSEXW _v52;
      
      				E00470030( &(_v52.style), 0, 0x2c);
      				_v52.cbSize = 0x30;
      				_v52.lpfnWndProc = E00409670;
      				_v52.hCursor = LoadCursorW(0, 0x7f00);
      				_v52.hbrBackground = 0;
      				_v52.lpszMenuName = 0;
      				_v52.style = 8;
      				_v52.lpszClassName = L"TreeListWindowClass";
      				return RegisterClassExW( &_v52);
      			}

      APIs
      Strings
      Similarity
      • API ID: ClassCursorLoadRegister_memset
      • String ID: 0
      • API String ID: 2700477685-4108050209
      • Opcode ID: a7d7bf640baf26a3457a09439ead35267faf1ea9fd0290e3cc29c3b2da928a9d
      • Instruction ID: 788c1d58350c8ddeffb0164aff34ea4c00e22711d748b1ce0fc1c3db022901ab
      • Opcode Fuzzy Hash: a7d7bf640baf26a3457a09439ead35267faf1ea9fd0290e3cc29c3b2da928a9d
      • Instruction Fuzzy Hash: 66F01270D10308ABDB009FE0DC19BDDBBB4BB04304F008529E51476281D7B911088F99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E00448500(intOrPtr _a4) {
      				_Unknown_base(*)()* _t3;
      				signed int _t5;
      
      				_t3 = GetProcAddress(GetModuleHandleW(L"uxtheme.dll"), "EnableThemeDialogTexture");
      				if(_t3 == 0) {
      					return 0;
      				} else {
      					_t5 =  *_t3(_a4, 6);
      					asm("sbb eax, eax");
      					return  ~_t5 + 1;
      				}
      			}

      APIs
      • GetModuleHandleW.KERNEL32(uxtheme.dll,EnableThemeDialogTexture), ref: 0044850D
      • GetProcAddress.KERNEL32(00000000), ref: 00448514
      Strings
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: EnableThemeDialogTexture$uxtheme.dll
      • API String ID: 1646373207-3124852905
      • Opcode ID: 21330b90fe88880ae59adbd51cc8056d5fe6d2b3bad977e4e0955f2ef4b72551
      • Instruction ID: c56fc05c147b585f7de12fe85e993efc32129f74ba3dd57f578309e5d3763d6f
      • Opcode Fuzzy Hash: 21330b90fe88880ae59adbd51cc8056d5fe6d2b3bad977e4e0955f2ef4b72551
      • Instruction Fuzzy Hash: 85D0A7312C430836DE102FF1EC05A2E3B9CA741B95B000835B90DC1091DD699414A618
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E0044F16F() {
      				struct HWND__* _t3;
      				void* _t7;
      				void* _t12;
      				void* _t13;
      				struct HWND__* _t14;
      				void* _t15;
      				signed int _t16;
      
      				_t3 =  *0x4bd2ec; // 0x0
      				if(_t3 == 0) {
      					 *0x4bd2ec = CreateDialogParamW( *0x4bd2c4, L"FILTER", _t14,  &M0044BE70, 0);
      				} else {
      					SetForegroundWindow( *0x4bd2ec) = 0;
      				}
      				 *[fs:0x0] =  *((intOrPtr*)(_t16 - 0xc));
      				_pop(_t13);
      				_pop(_t15);
      				return E0046F77E(_t7,  *(_t16 - 0x10) ^ _t16, _t12, _t13, _t15);
      			}

      APIs
      • ShowWindow.USER32(00000000,00000005), ref: 0044F17B
      • SetForegroundWindow.USER32 ref: 0044F187
      • CreateDialogParamW.USER32 ref: 0044F1A7
      Strings
      Similarity
      • API ID: Window$CreateDialogForegroundParamShow
      • String ID: FILTER
      • API String ID: 1672865720-2403113115
      • Opcode ID: 4eb0b324ac6b6e3b0a6914dcf47d7e590524b8a4f74ac06bc2c5e4cd05c9ccfa
      • Instruction ID: ad0b05d9a24b7ccd3b10e21c0dc036b98988cbfaa4be60d4d5d013771ba123ec
      • Opcode Fuzzy Hash: 4eb0b324ac6b6e3b0a6914dcf47d7e590524b8a4f74ac06bc2c5e4cd05c9ccfa
      • Instruction Fuzzy Hash: BAE0B674641241ABE7149FB1EC09B1B3B69AB18751B208AB6B502E52B1E768D405EF1C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 70%
      			E0044EDA6(void* __ebx, void* __edx) {
      				struct HWND__* __esi;
      				void* _t11;
      				int _t13;
      				void* _t18;
      				void* _t19;
      				struct HWND__* _t20;
      				void* _t21;
      				signed int _t22;
      
      				_t18 = __edx;
      				_t11 = __ebx;
      				if(E00417A00(0x4bca10) == 0) {
      					E0040CAE0(GetDlgItem(_t20, 0x3f9));
      				} else {
      					MessageBoxW(__esi, L"Bookmarks are not enabled because the file is read-only.", L"Process Monitor", 0x10);
      				}
      				_t13 =  *(_t22 + 0xc);
      				DefWindowProcW(_t20, _t13,  *(_t22 - 0x628),  *(_t22 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t22 - 0xc));
      				_pop(_t19);
      				_pop(_t21);
      				return E0046F77E(_t11,  *(_t22 - 0x10) ^ _t22, _t18, _t19, _t21);
      			}

      APIs
      • MessageBoxW.USER32(?,Bookmarks are not enabled because the file is read-only.,Process Monitor,00000010), ref: 0044EDC1
      • GetDlgItem.USER32 ref: 0044EDD2
      Strings
      • Bookmarks are not enabled because the file is read-only., xrefs: 0044EDBB
      • Process Monitor, xrefs: 0044EDB6
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ItemMessage
      • String ID: Bookmarks are not enabled because the file is read-only.$Process Monitor
      • API String ID: 2153124984-2281171109
      • Opcode ID: b3e36a030014fa009dfc88b1b8e36cfbe07735da2e798745b5455e9681545b0e
      • Instruction ID: a220b4c56788a77530e683528ab45aab0e317e95493c171c6c91007fa4f85d0a
      • Opcode Fuzzy Hash: b3e36a030014fa009dfc88b1b8e36cfbe07735da2e798745b5455e9681545b0e
      • Instruction Fuzzy Hash: 39D0A770A80601B7E9113B629D8BBAF6524AF0A7C8F100C3BF603B10C38B9D5616556F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E0044F21C() {
      				void* __esi;
      				struct HWND__* _t6;
      				void* _t10;
      				int _t11;
      				void* _t16;
      				void* _t17;
      				struct HWND__* _t18;
      				void* _t19;
      				signed int _t20;
      
      				_t6 =  *0x4bd2f0; // 0x0
      				if(_t6 == 0) {
      					 *0x4bd2f0 = CreateDialogParamW( *0x4bd2c4, L"HIGHLIGHT", _t18, E0044D520, 0);
      				} else {
      					SetForegroundWindow( *0x4bd2f0);
      				}
      				_t11 =  *(_t20 + 0xc);
      				DefWindowProcW(_t18, _t11,  *(_t20 - 0x628),  *(_t20 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t20 - 0xc));
      				_pop(_t17);
      				_pop(_t19);
      				return E0046F77E(_t10,  *(_t20 - 0x10) ^ _t20, _t16, _t17, _t19);
      			}
      Addresses (one per C-Code line above)
      0x0044f21c
      0x0044f223
      0x0044f258
      0x0044f225
      0x0044f234
      0x0044f234
      0x0044e726
      0x0044e737
      0x0044e740
      0x0044e748
      0x0044e749
      0x0044e757

      APIs
      • ShowWindow.USER32(00000000,00000005), ref: 0044F228
      • SetForegroundWindow.USER32 ref: 0044F234
      • CreateDialogParamW.USER32 ref: 0044F252
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Window$CreateDialogForegroundParamShow
      • String ID: HIGHLIGHT
      • API String ID: 1672865720-2371536603
      • Opcode ID: 4258f0a16b0191d3e7ddd31defa8a5855bd881e61b9780e7c85dfb9de609e6b0
      • Instruction ID: 2aa828662719af6ae489739ec5cbc567d37c3b36def849dd28e2a7410c61b60b
      • Opcode Fuzzy Hash: 4258f0a16b0191d3e7ddd31defa8a5855bd881e61b9780e7c85dfb9de609e6b0
      • Instruction Fuzzy Hash: 3FE0EC70A40242BBE62C5F61ED4DF1A3A24B714B91B100AB6B002E10B1E774A4059F5D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E00420D20(void* __ebx, struct _CRITICAL_SECTION* __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				char _v28;
      				intOrPtr _v44;
      				intOrPtr _v48;
      				intOrPtr _v52;
      				char _v60;
      				char _v64;
      				char _v68;
      				char _v72;
      				char _v76;
      				char _v80;
      				char _v112;
      				char _v113;
      				char _v114;
      				char _v120;
      				intOrPtr _v124;
      				signed int _v128;
      				intOrPtr _v132;
      				intOrPtr _v136;
      				char _v140;
      				char _v144;
      				intOrPtr _v148;
      				char _v152;
      				intOrPtr _v156;
      				intOrPtr _v164;
      				intOrPtr _v168;
      				char _v176;
      				char _v180;
      				struct _CRITICAL_SECTION* _v184;
      				intOrPtr _v188;
      				signed int _v192;
      				char _v196;
      				char _v200;
      				char _v204;
      				char _v208;
      				char _v212;
      				char _v216;
      				char _v220;
      				intOrPtr _v228;
      				intOrPtr _v232;
      				char _v236;
      				char _v240;
      				char _v244;
      				struct _CRITICAL_SECTION* _v248;
      				intOrPtr _v284;
      				char _v288;
      				void* __edi;
      				void* __esi;
      				signed int _t164;
      				signed int _t165;
      				intOrPtr _t179;
      				signed int _t180;
      				intOrPtr _t181;
      				void* _t184;
      				signed int _t186;
      				intOrPtr _t188;
      				char _t189;
      				intOrPtr* _t194;
      				intOrPtr _t201;
      				intOrPtr _t216;
      				void* _t221;
      				char _t233;
      				void* _t244;
      				signed int _t256;
      				intOrPtr _t263;
      				void* _t293;
      				intOrPtr _t294;
      				intOrPtr _t295;
      				char _t299;
      				struct _CRITICAL_SECTION* _t303;
      				void* _t304;
      				intOrPtr _t305;
      				signed int _t307;
      				void* _t308;
      				void* _t309;
      				void* _t313;
      
      				_t290 = __edx;
      				_t244 = __ebx;
      				_push(0xffffffff);
      				_push(E00487DD1);
      				_push( *[fs:0x0]);
      				_t309 = _t308 - 0x110;
      				_t164 =  *0x4bb1dc; // 0x2927074f
      				_t165 = _t164 ^ _t307;
      				_v20 = _t165;
      				_push(_t165);
      				 *[fs:0x0] =  &_v16;
      				_t303 = __ecx;
      				_v184 = __ecx;
      				_t292 = _a8;
      				_v148 = _a4;
      				_v124 = _a8;
      				_v113 = 0;
      				E0040C870( &_v288, __edx, __eflags,  *((intOrPtr*)(__ecx + 0x18)), L"Scanning event stack information", E00416870(__ecx),  &_v113);
      				_v8 = 0;
      				_v120 = 0;
      				if(E00416870(__ecx) == 0) {
      					L45:
      					E004231D0( &_v236, _v148);
      					_v8 = 0xffffffff;
      					__eflags = _v113;
      					_v114 = _v113 == 0;
      					E0040C9C0( &_v288);
      					 *[fs:0x0] = _v16;
      					_pop(_t293);
      					_pop(_t304);
      					__eflags = _v20 ^ _t307;
      					return E0046F77E(_t244, _v20 ^ _t307, _t290, _t293, _t304);
      				}
      				_v248 = __ecx;
      				do {
      					EnterCriticalSection(_t303);
      					_v8 = 1;
      					E0040D160(_t303,  &_v176, _v120);
      					_t305 = _v148;
      					_v8 = 2;
      					_t179 = E00441C60(_v164 + 0x4ec);
      					_t290 = _v168;
      					_v188 = _t179;
      					_t180 =  *(_t290 + 0x28) & 0x0000ffff;
      					_v192 = _t180;
      					_t256 = _t180;
      					_v128 = _t180;
      					if(_t180 < 0) {
      						L41:
      						_t303 = _v184;
      						_t181 = E00416870(_t303);
      						__eflags = _v113;
      						_t294 = _v120;
      						_v284 = _t294;
      						_v288 = _t181;
      						_v8 = 1;
      						if(_v113 != 0) {
      							E0040F960( &_v176, _t303);
      							_v8 = 0;
      							LeaveCriticalSection(_t303);
      							goto L45;
      						}
      						goto L42;
      					} else {
      						goto L3;
      					}
      					while(1) {
      						L3:
      						_t317 = _t256 - _t180;
      						if(_t256 != _t180) {
      							goto L26;
      						}
      						L4:
      						_v112 = 0;
      						_v72 = 0;
      						_v8 = 3;
      						_v144 = E0046A6C0(_t244, ")", E0046A530(")"));
      						_v8 = 4;
      						_v140 = E0046A6C0(_t244, "(", E0046A530("("));
      						_v8 = 5;
      						_v132 = E00436170(_t244, _t290, _t292, _t317,  &_v200,  *((intOrPtr*)(E00411BA0( &_v176) + 4)), 0);
      						_v8 = 6;
      						_t290 =  *((intOrPtr*)(E00411BA0( &_v176) + 0x44));
      						_t216 = E0046A6C0(_t244, _t214, E0046A530(E00467450(_v164,  *((intOrPtr*)(E00411BA0( &_v176) + 0x44)))));
      						_t313 = _t309 + 0x30;
      						_v156 = _t216;
      						_v8 = 7;
      						E0046A230( &_v180,  &_v140);
      						_v8 = 8;
      						E0046A230( &_v196, _v132);
      						_v8 = 9;
      						_t221 = E0046A230( &_v204,  &_v144);
      						_v8 = 0xa;
      						E0046A0B0( &_v112, _t221);
      						_t276 = _v204;
      						_v8 = 9;
      						if(_v204 != 0) {
      							E0046A700(_t276);
      						}
      						_t277 = _v196;
      						_v8 = 8;
      						if(_v196 != 0) {
      							E0046A700(_t277);
      						}
      						_t278 = _v180;
      						_v8 = 7;
      						if(_v180 != 0) {
      							E0046A700(_t278);
      						}
      						_t279 = _v156;
      						_v8 = 6;
      						if(_v156 != 0) {
      							E0046A700(_t279);
      						}
      						_t280 = _v200;
      						_v8 = 5;
      						if(_v200 != 0) {
      							E0046A700(_t280);
      						}
      						_t281 = _v140;
      						_v8 = 4;
      						if(_v140 != 0) {
      							E0046A700(_t281);
      						}
      						_t282 = _v144;
      						_v8 = 3;
      						if(_v144 != 0) {
      							E0046A700(_t282);
      						}
      						_v80 = 0;
      						_v76 = 0;
      						E0041C670(_v124,  &_v212, 0,  &_v112,  *0x4bca04 & 0x000000ff);
      						_t299 = _v212 + 0x10;
      						_v132 = _t299;
      						if(_v208 != 0) {
      							_t233 = E0046A6C0(_t244, _t231, E0046A530(E00467450(_v164,  *((intOrPtr*)(E00411BA0( &_v176) + 0x40)))));
      							_t313 = _t313 + 0xc;
      							_v152 = _t233;
      							_t299 = _v132;
      							_v8 = 0xb;
      							E0046A0B0(_t299 + 0x28,  &_v152);
      							_t289 = _v152;
      							_v8 = 3;
      							if(_v152 != 0) {
      								E0046A700(_t289);
      							}
      							asm("xorps xmm0, xmm0");
      							asm("movdqu [edi+0x8], xmm0");
      							asm("movq [edi+0x18], xmm0");
      						}
      						_t284 = _v72;
      						_v8 = 0xc;
      						if(_v72 != 0) {
      							E0046A700(_t284);
      						}
      						_t285 = _v112;
      						_v8 = 2;
      						if(_v112 != 0) {
      							E0046A700(_t285);
      						}
      						L29:
      						_v68 = _t299;
      						_v64 = 0;
      						_v60 = 0;
      						_t189 = E004232E0();
      						asm("xorps xmm0, xmm0");
      						_v64 = _t189;
      						_v52 = 0xffffffff;
      						_v48 = 0xffffffff;
      						_v44 = 0xffffffff;
      						asm("movlpd [ebp-0x20], xmm0");
      						_v28 = 0;
      						_v8 = 0xd;
      						E0041C560(_t305 + 4,  &_v220, 0,  &_v68,  *0x4bca04 & 0x000000ff);
      						_t305 = _v220 + 0x10;
      						if(_v216 != 0) {
      							_t290 = _v168;
      							_v236 =  *((intOrPtr*)(_t290 + 0x1c));
      							_v232 =  *((intOrPtr*)(_t290 + 0x20));
      							_v228 =  *((intOrPtr*)(_t290 + 0x10));
      							asm("movdqu xmm0, [ebp-0xe8]");
      							asm("movdqu [esi+0x10], xmm0");
      						}
      						if(_v128 == 0) {
      							 *((intOrPtr*)(_t305 + 0x28)) =  *((intOrPtr*)(_t305 + 0x28)) + 1;
      							_t201 = _v168;
      							if( *((intOrPtr*)(_t201 + 0x24)) != 0x103) {
      								_t263 =  *((intOrPtr*)(_t201 + 0x14));
      							} else {
      								asm("xorps xmm0, xmm0");
      								asm("movlpd [ebp-0x84], xmm0");
      								_t263 = _v136;
      							}
      							 *((intOrPtr*)(_t305 + 0x20)) =  *((intOrPtr*)(_t305 + 0x20)) + _t263;
      							asm("adc [esi+0x24], eax");
      						}
      						_t194 = _v64;
      						_push(_t194);
      						_v8 = 2;
      						_push( *_t194);
      						if(_v113 != 0) {
      							_push( &_v244);
      							L00423E40( &_v64);
      							E0046EF07(_v64);
      							_t309 = _t313 + 4;
      							goto L41;
      						} else {
      							_push( &_v240);
      							L00423E40( &_v64);
      							E0046EF07(_v64);
      							_t290 = _v168;
      							_t309 = _t313 + 4;
      							_t256 = _v128;
      							_t292 = _v124;
      							L38:
      							_t256 = _t256 - 1;
      							_v128 = _t256;
      							if(_t256 < 0) {
      								goto L41;
      							}
      							_t180 = _v192;
      							L3:
      							_t317 = _t256 - _t180;
      							if(_t256 != _t180) {
      								goto L26;
      							}
      							goto L4;
      						}
      						L26:
      						__eflags = _t256 - ( *(_t290 + 0x28) & 0x0000ffff);
      						if(_t256 >= ( *(_t290 + 0x28) & 0x0000ffff)) {
      							goto L38;
      						}
      						_t186 =  *(_t290 + 0x34 + _t256 * 4);
      						__eflags = _t186;
      						if(_t186 == 0) {
      							goto L38;
      						}
      						_t188 = E0041DD90(_t244, _t290, _t292,  &_v176, _t186, _v188);
      						_t313 = _t309 + 0x10;
      						_t299 = _t188;
      						goto L29;
      					}
      					L42:
      					E0040F960( &_v176, _t303);
      					_v8 = 0;
      					LeaveCriticalSection(_t303);
      					_t295 = _t294 + 1;
      					_v120 = _t295;
      					_t184 = E00416870(_t303);
      					__eflags = _t295 - _t184;
      					_t292 = _v124;
      				} while (_t295 < _t184);
      				goto L45;
      			}
      Addresses (one per C-Code line above)
      0x00420d20
      0x00420d20
      0x00420d23
      0x00420d25
      0x00420d30
      0x00420d31
      0x00420d37
      0x00420d3c
      0x00420d3e
      0x00420d43
      0x00420d47
      0x00420d4d
      0x00420d4f
      0x00420d58
      0x00420d5b
      0x00420d65
      0x00420d68
      0x00420d80
      0x00420d87
      0x00420d8e
      0x00420d9c
      0x0042122c
      0x00421239
      0x00421241
      0x00421248
      0x00421252
      0x00421256
      0x00421261
      0x00421269
      0x0042126a
      0x0042126e
      0x00421278
      0x00421278
      0x00420da2
      0x00420da8
      0x00420da9
      0x00420db8
      0x00420dbf
      0x00420dca
      0x00420dd0
      0x00420dda
      0x00420ddf
      0x00420de5
      0x00420deb
      0x00420def
      0x00420df5
      0x00420df7
      0x00420dfc
      0x004211c8
      0x004211c8
      0x004211d0
      0x004211d5
      0x004211df
      0x004211e2
      0x004211e8
      0x004211ee
      0x004211f2
      0x0042121c
      0x00421222
      0x00421226
      0x00000000
      0x00421226
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00420e02
      0x00420e02
      0x00420e02
      0x00420e04
      0x00000000
      0x00000000
      0x00420e0a
      0x00420e0a
      0x00420e11
      0x00420e1d
      0x00420e31
      0x00420e3c
      0x00420e53
      0x00420e5f
      0x00420e7d
      0x00420e8c
      0x00420e97
      0x00420eaa
      0x00420eaf
      0x00420eb2
      0x00420ebe
      0x00420ed0
      0x00420ede
      0x00420ee5
      0x00420ef0
      0x00420efe
      0x00420f07
      0x00420f0b
      0x00420f10
      0x00420f16
      0x00420f1c
      0x00420f1e
      0x00420f1e
      0x00420f23
      0x00420f29
      0x00420f2f
      0x00420f31
      0x00420f31
      0x00420f36
      0x00420f3c
      0x00420f42
      0x00420f44
      0x00420f44
      0x00420f49
      0x00420f4f
      0x00420f55
      0x00420f57
      0x00420f57
      0x00420f5c
      0x00420f62
      0x00420f68
      0x00420f6a
      0x00420f6a
      0x00420f6f
      0x00420f75
      0x00420f7b
      0x00420f7d
      0x00420f7d
      0x00420f82
      0x00420f88
      0x00420f8e
      0x00420f90
      0x00420f90
      0x00420fa3
      0x00420fb3
      0x00420fb8
      0x00420fc3
      0x00420fcd
      0x00420fd0
      0x00420ff8
      0x00420ffd
      0x00421000
      0x00421006
      0x00421010
      0x00421017
      0x0042101c
      0x00421022
      0x00421028
      0x0042102a
      0x0042102a
      0x0042102f
      0x00421032
      0x00421037
      0x00421037
      0x0042103c
      0x0042103f
      0x00421045
      0x00421047
      0x00421047
      0x0042104c
      0x0042104f
      0x00421055
      0x00421057
      0x00421057
      0x0042108f
      0x00421092
      0x00421095
      0x0042109c
      0x004210a3
      0x004210a8
      0x004210ab
      0x004210ae
      0x004210b5
      0x004210bc
      0x004210c3
      0x004210c8
      0x004210dd
      0x004210eb
      0x004210f6
      0x00421100
      0x00421102
      0x0042110e
      0x00421117
      0x0042111d
      0x00421123
      0x0042112b
      0x0042112b
      0x00421134
      0x00421136
      0x00421139
      0x00421146
      0x0042115e
      0x00421148
      0x00421148
      0x0042114b
      0x00421156
      0x00421156
      0x00421164
      0x00421167
      0x00421167
      0x00421171
      0x00421174
      0x00421175
      0x00421179
      0x0042117b
      0x004211b7
      0x004211b8
      0x004211c0
      0x004211c5
      0x00000000
      0x0042117d
      0x00421183
      0x00421184
      0x0042118c
      0x00421191
      0x00421197
      0x0042119a
      0x0042119d
      0x004211a0
      0x004211a0
      0x004211a1
      0x004211a4
      0x00000000
      0x00000000
      0x004211a6
      0x00420e02
      0x00420e02
      0x00420e04
      0x00000000
      0x00000000
      0x00000000
      0x00420e04
      0x0042105e
      0x00421062
      0x00421064
      0x00000000
      0x00000000
      0x0042106a
      0x0042106e
      0x00421070
      0x00000000
      0x00000000
      0x00421085
      0x0042108a
      0x0042108d
      0x00000000
      0x0042108d
      0x004211f4
      0x004211f4
      0x004211fa
      0x004211fe
      0x00421204
      0x00421207
      0x0042120a
      0x0042120f
      0x00421211
      0x00421211
      0x00000000

      APIs
        • Part of subcall function 00416870: EnterCriticalSection.KERNEL32(004BCA10,00000000,?,0043B1A2,2927074F,00000000,?,?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 00416875
        • Part of subcall function 00416870: LeaveCriticalSection.KERNEL32(004BCA10,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0041687F
        • Part of subcall function 0040C870: GetTickCount.KERNEL32 ref: 0040C897
        • Part of subcall function 0040C870: GetWindowRect.USER32 ref: 0040C8D9
        • Part of subcall function 0040C870: GetAncestor.USER32(?,00000002), ref: 0040C916
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C923
        • Part of subcall function 0040C870: GetDesktopWindow.USER32 ref: 0040C930
        • Part of subcall function 0040C870: EnableWindow.USER32(00000000,00000000), ref: 0040C93D
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C944
        • Part of subcall function 0040C870: CreateThread.KERNEL32 ref: 0040C95C
      • EnterCriticalSection.KERNEL32(?,?,Scanning event stack information,00000000,?,2927074F), ref: 00420DA9
        • Part of subcall function 00441C60: EnterCriticalSection.KERNEL32(?,2927074F,?,?,?,00000000,?,2927074F), ref: 00441C91
        • Part of subcall function 00441C60: LeaveCriticalSection.KERNEL32(?,?,00000000,?,2927074F), ref: 00441D53
      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,Scanning event stack information,00000000,?,2927074F), ref: 004211FE
        • Part of subcall function 0046A230: InterlockedIncrement.KERNEL32(004373F9), ref: 0046A267
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,Scanning event stack information,00000000,?,2927074F), ref: 00421226
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      • Scanning event stack information, xrefs: 00420D72
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Leave$EnterInterlockedWindow$DecrementParent$AncestorCountCreateDesktopEnableIncrementRectThreadTick
      • String ID: Scanning event stack information
      • API String ID: 2193223387-2547972981
      • Opcode ID: d7679e8baa8faaad2e2a829c32750fdce853c3e6aa20cd1c5cf640b61353f0d4
      • Instruction ID: 8cee23a67ce618b5cf46a20280318b6af7ed604bcae0973faffbfe997194ce20
      • Opcode Fuzzy Hash: d7679e8baa8faaad2e2a829c32750fdce853c3e6aa20cd1c5cf640b61353f0d4
      • Instruction Fuzzy Hash: F2F1B070D00258DEDF24DBA5C940BEEBBB5AF55304F1441DEE449B3282EB385A84CF6A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E0041F1C0(struct _CRITICAL_SECTION* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
      				char _v8;
      				char _v16;
      				char _v17;
      				char _v24;
      				intOrPtr _v28;
      				char _v32;
      				char _v36;
      				intOrPtr _v48;
      				char _v56;
      				char _v64;
      				char _v68;
      				char _v72;
      				intOrPtr _v76;
      				intOrPtr _v80;
      				intOrPtr _v84;
      				intOrPtr _v88;
      				char _v96;
      				char _v100;
      				char _v104;
      				char _v108;
      				char _v112;
      				intOrPtr _v116;
      				intOrPtr _v120;
      				char _v128;
      				struct _CRITICAL_SECTION* _v132;
      				char _v140;
      				intOrPtr _v148;
      				intOrPtr _v152;
      				intOrPtr _v156;
      				intOrPtr _v160;
      				intOrPtr _v164;
      				intOrPtr _v168;
      				intOrPtr _v172;
      				intOrPtr _v180;
      				intOrPtr _v184;
      				intOrPtr _v188;
      				intOrPtr _v192;
      				intOrPtr _v196;
      				intOrPtr _v200;
      				intOrPtr _v204;
      				intOrPtr _v212;
      				char _v220;
      				signed int _v256;
      				char _v260;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t155;
      				intOrPtr _t167;
      				intOrPtr _t193;
      				void* _t197;
      				signed int _t210;
      				char _t225;
      				intOrPtr _t229;
      				struct _CRITICAL_SECTION* _t236;
      				void* _t240;
      				intOrPtr _t241;
      				signed int _t242;
      
      				_push(0xffffffff);
      				_push(E00487B2C);
      				_push( *[fs:0x0]);
      				_t155 =  *0x4bb1dc; // 0x2927074f
      				_push(_t155 ^ _t242);
      				 *[fs:0x0] =  &_v16;
      				_t236 = __ecx;
      				_v17 = 0;
      				E0040C870( &_v260, __edx, __eflags,  *((intOrPtr*)(__ecx + 0x18)), L"Scanning file information", E00416870(__ecx),  &_v17);
      				_v8 = 0;
      				_t210 = 0;
      				if(E00416870(__ecx) == 0) {
      					L40:
      					_v8 = 0xffffffff;
      					E0040C9C0( &_v260);
      					 *[fs:0x0] = _v16;
      					return _t210 & 0xffffff00 | _v17 == 0x00000000;
      				} else {
      					_t240 = LeaveCriticalSection;
      					_v132 = __ecx;
      					do {
      						EnterCriticalSection(_t236);
      						_v8 = 1;
      						E0040D160(_t236,  &_v56, _t210);
      						_v8 = 2;
      						if( *((short*)(_v48 + 8)) != 3) {
      							L36:
      							_t167 = E00416870(_t236);
      							_v256 = _t210;
      							_v260 = _t167;
      							_v8 = 1;
      							if(_v17 != 0) {
      								E0040F960( &_v56, _t240);
      								LeaveCriticalSection(_t236);
      								goto L40;
      							}
      							goto L37;
      						}
      						_v36 = 0;
      						_v8 = 3;
      						E00410F20(_t210,  &_v56, _t236, _t240, 0xffffffff,  &_v36);
      						asm("xorps xmm0, xmm0");
      						_v128 = 0;
      						asm("movlpd [ebp-0x74], xmm0");
      						_v112 = 0;
      						_v108 = 0;
      						_v104 = 0;
      						_v100 = 0;
      						_v96 = 0;
      						asm("movlpd [ebp-0x54], xmm0");
      						asm("movlpd [ebp-0x4c], xmm0");
      						_v72 = 0;
      						_v68 = 0;
      						_v64 = 0;
      						_v8 = 4;
      						E0046A0B0( &_v128,  &_v36);
      						_t225 = _v128;
      						_v220 = _t225;
      						if(_t225 != 0) {
      							E0046A420(_t225);
      							_t225 = _v128;
      						}
      						_v8 = 5;
      						_v212 = _t225;
      						if(_t225 != 0) {
      							E0046A420(_t225);
      						}
      						_v204 = _v120;
      						_v200 = _v116;
      						_v196 = _v112;
      						_v192 = _v108;
      						_v188 = _v104;
      						_v184 = _v100;
      						_v180 = _v96;
      						_v172 = _v88;
      						_v168 = _v84;
      						_v164 = _v80;
      						_v160 = _v76;
      						_v156 = _v72;
      						_v152 = _v68;
      						_v148 = _v64;
      						_v8 = 6;
      						E0041CB60(_a4,  &_v140, 0,  &_v220,  *0x4bca04 & 0x000000ff);
      						_t227 = _v212;
      						_v8 = 7;
      						if(_v212 != 0) {
      							E0046A700(_t227);
      						}
      						_t228 = _v220;
      						_v8 = 4;
      						if(_v220 != 0) {
      							E0046A700(_t228);
      						}
      						_t193 = _v48;
      						_t241 = _v140;
      						if( *((intOrPtr*)(_t193 + 0x24)) != 0x103) {
      							_t229 =  *((intOrPtr*)(_t193 + 0x14));
      						} else {
      							asm("xorps xmm0, xmm0");
      							asm("movlpd [ebp-0x18], xmm0");
      							_t229 = _v28;
      						}
      						 *((intOrPtr*)(_t241 + 0x20)) =  *((intOrPtr*)(_t241 + 0x20)) + _t229;
      						asm("adc [esi+0x24], eax");
      						 *((intOrPtr*)(_t241 + 0x28)) =  *((intOrPtr*)(_t241 + 0x28)) + 1;
      						_t197 = ( *(_v48 + 0xc) & 0x0000ffff) + 0xffffffec;
      						if(_t197 > 0x15) {
      							L30:
      							_t136 = _t241 + 0x58;
      							 *_t136 =  *((intOrPtr*)(_t241 + 0x58)) + 1;
      							__eflags =  *_t136;
      							goto L31;
      						} else {
      							switch( *((intOrPtr*)(( *(_t197 + 0x41f5e4) & 0x000000ff) * 4 +  &M0041F5BC))) {
      								case 0:
      									 *((intOrPtr*)(__esi + 0x2c)) =  *((intOrPtr*)(__esi + 0x2c)) + 1;
      									goto L31;
      								case 1:
      									L29:
      									 *((intOrPtr*)(__esi + 0x30)) =  *((intOrPtr*)(__esi + 0x30)) + 1;
      									goto L31;
      								case 2:
      									 *((intOrPtr*)(__esi + 0x34)) =  *((intOrPtr*)(__esi + 0x34)) + 1;
      									_v32 = 0;
      									__eax =  &_v32;
      									_v8 = 9;
      									__ecx =  &_v56;
      									__eax = E00410F20(__ebx,  &_v56, __edi, __esi, 1,  &_v32);
      									__ecx =  &_v32;
      									__eax = E0046A170( &_v32);
      									__eax = L00437F10(__edx, __eax);
      									__ecx = _v32;
      									 *((intOrPtr*)(__esi + 0x40)) =  *((intOrPtr*)(__esi + 0x40)) + __eax;
      									_v8 = 4;
      									asm("adc [esi+0x44], edx");
      									__eflags = __ecx;
      									if(__ecx != 0) {
      										__eax = E0046A700(__ecx);
      									}
      									goto L31;
      								case 3:
      									 *((intOrPtr*)(__esi + 0x38)) =  *((intOrPtr*)(__esi + 0x38)) + 1;
      									_v24 = 0;
      									__eax =  &_v24;
      									_v8 = 8;
      									__ecx =  &_v56;
      									__eax = E00410F20(__ebx,  &_v56, __edi, __esi, 1,  &_v24);
      									__ecx =  &_v24;
      									__eax = E0046A170( &_v24);
      									__eax = L00437F10(__edx, __eax);
      									__ecx = _v24;
      									 *((intOrPtr*)(__esi + 0x48)) =  *((intOrPtr*)(__esi + 0x48)) + __eax;
      									_v8 = 4;
      									asm("adc [esi+0x4c], edx");
      									__eflags = __ecx;
      									if(__ecx != 0) {
      										__eax = E0046A700(__ecx);
      									}
      									goto L31;
      								case 4:
      									 *((intOrPtr*)(__esi + 0x58)) =  *((intOrPtr*)(__esi + 0x58)) + 1;
      									__eax = _v48;
      									__eflags =  *((intOrPtr*)(__eax + 0x24)) - 0x103;
      									if( *((intOrPtr*)(__eax + 0x24)) != 0x103) {
      										goto L18;
      									}
      									asm("xorps xmm0, xmm0");
      									asm("movlpd [ebp-0x18], xmm0");
      									__ecx = _v28;
      									 *((intOrPtr*)(__esi + 0x20)) =  *((intOrPtr*)(__esi + 0x20)) - __ecx;
      									__eax = _v24;
      									asm("sbb [esi+0x24], eax");
      									goto L31;
      								case 5:
      									 *((intOrPtr*)(_t241 + 0x58)) =  *((intOrPtr*)(_t241 + 0x58)) + 1;
      									_t201 = _v48;
      									if( *((intOrPtr*)(_t201 + 0x24)) != 0x103) {
      										L18:
      										 *((intOrPtr*)(_t241 + 0x20)) =  *((intOrPtr*)(_t241 + 0x20)) -  *((intOrPtr*)(_t201 + 0x14));
      										asm("sbb [esi+0x24], eax");
      										goto L31;
      									}
      									asm("xorps xmm0, xmm0");
      									asm("movlpd [ebp-0x18], xmm0");
      									 *((intOrPtr*)(_t241 + 0x20)) =  *((intOrPtr*)(_t241 + 0x20)) - _v28;
      									asm("sbb [esi+0x24], eax");
      									goto L31;
      								case 6:
      									__eflags =  *0x4bd896;
      									if( *0x4bd896 != 0) {
      										goto L31;
      									}
      									goto L29;
      								case 7:
      									 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + 1;
      									goto L31;
      								case 8:
      									 *((intOrPtr*)(__esi + 0x54)) =  *((intOrPtr*)(__esi + 0x54)) + 1;
      									L31:
      									_t230 = _v128;
      									_v8 = 3;
      									if(_v128 != 0) {
      										E0046A700(_t230);
      									}
      									_t231 = _v36;
      									_v8 = 2;
      									if(_v36 != 0) {
      										E0046A700(_t231);
      									}
      									_t240 = LeaveCriticalSection;
      									goto L36;
      								case 9:
      									goto L30;
      							}
      						}
      						L37:
      						E0040F960( &_v56, _t240);
      						_v8 = 0;
      						LeaveCriticalSection(_t236);
      						_t210 = _t210 + 1;
      					} while (_t210 < E00416870(_t236));
      					goto L40;
      				}
      			}
      Addresses (one per C-Code line above)
      0x0041f1c3
      0x0041f1c5
      0x0041f1d0
      0x0041f1da
      0x0041f1e1
      0x0041f1e5
      0x0041f1eb
      0x0041f1f0
      0x0041f209
      0x0041f210
      0x0041f217
      0x0041f220
      0x0041f58c
      0x0041f596
      0x0041f5a0
      0x0041f5aa
      0x0041f5b8
      0x0041f226
      0x0041f226
      0x0041f22c
      0x0041f230
      0x0041f231
      0x0041f23b
      0x0041f242
      0x0041f24a
      0x0041f253
      0x0041f546
      0x0041f548
      0x0041f554
      0x0041f55a
      0x0041f560
      0x0041f564
      0x0041f584
      0x0041f58a
      0x00000000
      0x0041f58a
      0x00000000
      0x0041f564
      0x0041f259
      0x0041f263
      0x0041f26d
      0x0041f272
      0x0041f275
      0x0041f27c
      0x0041f281
      0x0041f288
      0x0041f28f
      0x0041f296
      0x0041f29d
      0x0041f2a4
      0x0041f2a9
      0x0041f2ae
      0x0041f2b5
      0x0041f2bc
      0x0041f2c6
      0x0041f2ce
      0x0041f2d3
      0x0041f2d6
      0x0041f2de
      0x0041f2e0
      0x0041f2e5
      0x0041f2e5
      0x0041f2e8
      0x0041f2ec
      0x0041f2f4
      0x0041f2f6
      0x0041f2f6
      0x0041f2fe
      0x0041f307
      0x0041f310
      0x0041f319
      0x0041f322
      0x0041f32b
      0x0041f334
      0x0041f33d
      0x0041f346
      0x0041f34f
      0x0041f358
      0x0041f361
      0x0041f36a
      0x0041f373
      0x0041f38a
      0x0041f398
      0x0041f39d
      0x0041f3a3
      0x0041f3a9
      0x0041f3ab
      0x0041f3ab
      0x0041f3b0
      0x0041f3b6
      0x0041f3bc
      0x0041f3be
      0x0041f3be
      0x0041f3c3
      0x0041f3c6
      0x0041f3d3
      0x0041f3e5
      0x0041f3d5
      0x0041f3d5
      0x0041f3d8
      0x0041f3e0
      0x0041f3e0
      0x0041f3eb
      0x0041f3ee
      0x0041f3f1
      0x0041f3fb
      0x0041f401
      0x0041f51d
      0x0041f51d
      0x0041f51d
      0x0041f51d
      0x00000000
      0x0041f407
      0x0041f40e
      0x00000000
      0x0041f500
      0x00000000
      0x00000000
      0x0041f518
      0x0041f518
      0x00000000
      0x00000000
      0x0041f4bb
      0x0041f4be
      0x0041f4c5
      0x0041f4c8
      0x0041f4cf
      0x0041f4d2
      0x0041f4d7
      0x0041f4da
      0x0041f4e0
      0x0041f4e5
      0x0041f4eb
      0x0041f4ee
      0x0041f4f2
      0x0041f4f5
      0x0041f4f7
      0x0041f4f9
      0x0041f4f9
      0x00000000
      0x00000000
      0x0041f476
      0x0041f479
      0x0041f480
      0x0041f483
      0x0041f48a
      0x0041f48d
      0x0041f492
      0x0041f495
      0x0041f49b
      0x0041f4a0
      0x0041f4a6
      0x0041f4a9
      0x0041f4ad
      0x0041f4b0
      0x0041f4b2
      0x0041f4b4
      0x0041f4b4
      0x00000000
      0x00000000
      0x0041f44e
      0x0041f451
      0x0041f454
      0x0041f45b
      0x00000000
      0x00000000
      0x0041f45d
      0x0041f460
      0x0041f465
      0x0041f468
      0x0041f46b
      0x0041f46e
      0x00000000
      0x00000000
      0x0041f415
      0x0041f418
      0x0041f422
      0x0041f43d
      0x0041f443
      0x0041f446
      0x00000000
      0x0041f446
      0x0041f424
      0x0041f427
      0x0041f42f
      0x0041f435
      0x00000000
      0x00000000
      0x0041f50f
      0x0041f516
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x0041f505
      0x00000000
      0x00000000
      0x0041f50a
      0x0041f520
      0x0041f520
      0x0041f523
      0x0041f529
      0x0041f52b
      0x0041f52b
      0x0041f530
      0x0041f533
      0x0041f539
      0x0041f53b
      0x0041f53b
      0x0041f540
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x0041f40e
      0x0041f566
      0x0041f566
      0x0041f56c
      0x0041f570
      0x0041f574
      0x0041f57a
      0x00000000
      0x0041f582

      APIs
        • Part of subcall function 00416870: EnterCriticalSection.KERNEL32(004BCA10,00000000,?,0043B1A2,2927074F,00000000,?,?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 00416875
        • Part of subcall function 00416870: LeaveCriticalSection.KERNEL32(004BCA10,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0041687F
        • Part of subcall function 0040C870: GetTickCount.KERNEL32 ref: 0040C897
        • Part of subcall function 0040C870: GetWindowRect.USER32 ref: 0040C8D9
        • Part of subcall function 0040C870: GetAncestor.USER32(?,00000002), ref: 0040C916
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C923
        • Part of subcall function 0040C870: GetDesktopWindow.USER32 ref: 0040C930
        • Part of subcall function 0040C870: EnableWindow.USER32(00000000,00000000), ref: 0040C93D
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C944
        • Part of subcall function 0040C870: CreateThread.KERNEL32 ref: 0040C95C
      • EnterCriticalSection.KERNEL32(?,?,Scanning file information,00000000,?,2927074F), ref: 0041F231
      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,Scanning file information,00000000,?,2927074F), ref: 0041F570
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
        • Part of subcall function 0046A420: InterlockedIncrement.KERNEL32(00000000), ref: 0046A421
      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,Scanning file information,00000000,?,2927074F), ref: 0041F58A
      Strings
      • Scanning file information, xrefs: 0041F1FB
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$LeaveWindow$EnterInterlockedParent$AncestorCountCreateDecrementDesktopEnableIncrementRectThreadTick
      • String ID: Scanning file information
      • API String ID: 870216910-2877107569
      • Opcode ID: 0cacfc3dd1614e3af82102e04215c1e0208d672574551696ff3048aa87ceb29d
      • Instruction ID: 85c54a833db6cd2b68e0534a97b64f25381fd518fb0fcd5c31d3b2561010d06f
      • Opcode Fuzzy Hash: 0cacfc3dd1614e3af82102e04215c1e0208d672574551696ff3048aa87ceb29d
      • Instruction Fuzzy Hash: 89C12974D01248DFDB24DFA9C9507EEB7B5BF08304F1041AEE849A3282D7789A89CF56
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E00420990(struct _CRITICAL_SECTION* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
      				char _v8;
      				char _v16;
      				char _v17;
      				char _v24;
      				void* _v28;
      				intOrPtr _v32;
      				char _v36;
      				char _v40;
      				intOrPtr _v52;
      				char _v60;
      				intOrPtr _v64;
      				intOrPtr _v68;
      				intOrPtr _v72;
      				intOrPtr _v76;
      				intOrPtr _v80;
      				intOrPtr _v84;
      				intOrPtr _v88;
      				intOrPtr _v92;
      				char _v100;
      				intOrPtr _v104;
      				intOrPtr _v108;
      				intOrPtr _v112;
      				intOrPtr _v116;
      				intOrPtr _v120;
      				intOrPtr _v124;
      				intOrPtr _v128;
      				intOrPtr _v132;
      				intOrPtr _v140;
      				char _v148;
      				struct _CRITICAL_SECTION* _v152;
      				intOrPtr _v188;
      				char _v192;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t102;
      				intOrPtr _t114;
      				intOrPtr _t134;
      				signed int _t141;
      				char _t156;
      				intOrPtr _t160;
      				signed int _t163;
      				intOrPtr _t169;
      				intOrPtr _t171;
      				struct _CRITICAL_SECTION* _t174;
      				signed int _t176;
      
      				_push(0xffffffff);
      				_push(E00487D1F);
      				_push( *[fs:0x0]);
      				_push(_t141);
      				_t102 =  *0x4bb1dc; // 0x2927074f
      				_push(_t102 ^ _t176);
      				 *[fs:0x0] =  &_v16;
      				_t174 = __ecx;
      				_v17 = 0;
      				E0040C870( &_v192, __edx, __eflags,  *((intOrPtr*)(__ecx + 0x18)), L"Scanning Registry information", E00416870(__ecx),  &_v17);
      				_v8 = 0;
      				_t171 = 0;
      				if(E00416870(__ecx) == 0) {
      					L31:
      					_v8 = 0xffffffff;
      					E0040C9C0( &_v192);
      					 *[fs:0x0] = _v16;
      					return _t141 & 0xffffff00 | _v17 == 0x00000000;
      				}
      				_t141 = LeaveCriticalSection;
      				_v152 = __ecx;
      				do {
      					EnterCriticalSection(_t174);
      					_v8 = 1;
      					E0040D160(_t174,  &_v60, _t171);
      					_v8 = 2;
      					if( *((short*)(_v52 + 8)) != 2) {
      						L27:
      						_t114 = E00416870(_t174);
      						_v188 = _t171;
      						_v192 = _t114;
      						_v8 = 1;
      						if(_v17 != 0) {
      							E0040F960( &_v60, _t174);
      							LeaveCriticalSection(_t174);
      							goto L31;
      						}
      						goto L28;
      					}
      					_v24 = 0;
      					_v8 = 3;
      					E00410F20(_t141,  &_v60, _t171, _t174, 0xffffffff,  &_v24);
      					_v100 = 0;
      					_v8 = 4;
      					E0046A0B0( &_v100,  &_v24);
      					_t156 = _v100;
      					_v148 = _t156;
      					if(_t156 != 0) {
      						E0046A420(_t156);
      						_t156 = _v100;
      					}
      					_v8 = 5;
      					_v140 = _t156;
      					if(_t156 != 0) {
      						E0046A420(_t156);
      					}
      					_v132 = _v92;
      					_v128 = _v88;
      					_v124 = _v84;
      					_v120 = _v80;
      					_v116 = _v76;
      					_v112 = _v72;
      					_v108 = _v68;
      					_v104 = _v64;
      					_v8 = 6;
      					E0041CD80(_a4,  &_v40, 0,  &_v148,  *0x4bca04 & 0x000000ff);
      					_t158 = _v140;
      					_v8 = 7;
      					if(_v140 != 0) {
      						E0046A700(_t158);
      					}
      					_t159 = _v148;
      					_v8 = 4;
      					if(_v148 != 0) {
      						E0046A700(_t159);
      					}
      					_t134 = _v40;
      					if(_v36 != 0) {
      						 *((intOrPtr*)(_t134 + 0x2c)) = 0;
      						 *((intOrPtr*)(_t134 + 0x30)) = 0;
      						 *((intOrPtr*)(_t134 + 0x34)) = 0;
      						 *((intOrPtr*)(_t134 + 0x38)) = 0;
      						 *((intOrPtr*)(_t134 + 0x3c)) = 0;
      						 *((intOrPtr*)(_t134 + 0x28)) = 0;
      						 *((intOrPtr*)(_t134 + 0x20)) = 0;
      						 *((intOrPtr*)(_t134 + 0x24)) = 0;
      					}
      					_t160 = _v52;
      					if( *((intOrPtr*)(_t160 + 0x24)) != 0x103) {
      						_t169 =  *((intOrPtr*)(_t160 + 0x14));
      					} else {
      						asm("xorps xmm0, xmm0");
      						asm("movlpd [ebp-0x1c], xmm0");
      						_t169 = _v32;
      					}
      					 *((intOrPtr*)(_t134 + 0x20)) =  *((intOrPtr*)(_t134 + 0x20)) + _t169;
      					asm("adc [eax+0x24], ecx");
      					 *((intOrPtr*)(_t134 + 0x28)) =  *((intOrPtr*)(_t134 + 0x28)) + 1;
      					_t163 =  *(_v52 + 0xc) & 0x0000ffff;
      					if(_t163 > 0xf) {
      						L22:
      						_t83 = _t134 + 0x3c;
      						 *_t83 =  *((intOrPtr*)(_t134 + 0x3c)) + 1;
      						__eflags =  *_t83;
      						goto L23;
      					} else {
      						switch( *((intOrPtr*)(( *(_t163 + 0x420c40) & 0x000000ff) * 4 +  &M00420C2C))) {
      							case 0:
      								 *((intOrPtr*)(__eax + 0x2c)) =  *((intOrPtr*)(__eax + 0x2c)) + 1;
      								goto L23;
      							case 1:
      								 *((intOrPtr*)(__eax + 0x30)) =  *((intOrPtr*)(__eax + 0x30)) + 1;
      								goto L23;
      							case 2:
      								 *((intOrPtr*)(_t134 + 0x38)) =  *((intOrPtr*)(_t134 + 0x38)) + 1;
      								goto L23;
      							case 3:
      								 *((intOrPtr*)(__eax + 0x34)) =  *((intOrPtr*)(__eax + 0x34)) + 1;
      								L23:
      								_t164 = _v100;
      								_v8 = 3;
      								if(_v100 != 0) {
      									E0046A700(_t164);
      								}
      								_t165 = _v24;
      								_v8 = 2;
      								if(_v24 != 0) {
      									E0046A700(_t165);
      								}
      								goto L27;
      							case 4:
      								goto L22;
      						}
      					}
      					L28:
      					E0040F960( &_v60, _t174);
      					_v8 = 0;
      					LeaveCriticalSection(_t174);
      					_t171 = _t171 + 1;
      				} while (_t171 < E00416870(_t174));
      				goto L31;
      			}

      APIs
        • Part of subcall function 00416870: EnterCriticalSection.KERNEL32(004BCA10,00000000,?,0043B1A2,2927074F,00000000,?,?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 00416875
        • Part of subcall function 00416870: LeaveCriticalSection.KERNEL32(004BCA10,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0041687F
        • Part of subcall function 0040C870: GetTickCount.KERNEL32 ref: 0040C897
        • Part of subcall function 0040C870: GetWindowRect.USER32 ref: 0040C8D9
        • Part of subcall function 0040C870: GetAncestor.USER32(?,00000002), ref: 0040C916
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C923
        • Part of subcall function 0040C870: GetDesktopWindow.USER32 ref: 0040C930
        • Part of subcall function 0040C870: EnableWindow.USER32(00000000,00000000), ref: 0040C93D
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C944
        • Part of subcall function 0040C870: CreateThread.KERNEL32 ref: 0040C95C
      • EnterCriticalSection.KERNEL32(?,?,Scanning Registry information,00000000,?,2927074F), ref: 00420A03
      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,Scanning Registry information,00000000,?,2927074F), ref: 00420BE1
        • Part of subcall function 0046A0B0: InterlockedDecrement.KERNEL32(?), ref: 0046A0BE
        • Part of subcall function 0046A420: InterlockedIncrement.KERNEL32(00000000), ref: 0046A421
      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,Scanning Registry information,00000000,?,2927074F), ref: 00420BFB
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      • Scanning Registry information, xrefs: 004209CB
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$InterlockedLeaveWindow$DecrementEnterParent$AncestorCountCreateDesktopEnableIncrementRectThreadTick
      • String ID: Scanning Registry information
      • API String ID: 148051042-2198435549
      • Opcode ID: 6bf4a087445b6afc87236ac291f31c7e8550a111bc2868b80fceb7c749ed6cb7
      • Instruction ID: e7c27dfb8d84879022226e3bdd1eeabebcdf51af959ed01f200638b037c5cc11
      • Opcode Fuzzy Hash: 6bf4a087445b6afc87236ac291f31c7e8550a111bc2868b80fceb7c749ed6cb7
      • Instruction Fuzzy Hash: 5381C0B4A01268DFDB24DFA5C954BAEBBF4AF04308F10419EE405A7382CB789E45CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 40%
      			E00477894(void* __ebx, void* __edi, void* __esi, void* __eflags) {
      				signed char* _t41;
      				intOrPtr _t42;
      				intOrPtr* _t64;
      				intOrPtr _t69;
      				signed int _t70;
      				signed char _t72;
      				signed char _t73;
      				signed char* _t95;
      				signed char _t100;
      				signed char** _t102;
      				signed char* _t105;
      				void* _t106;
      
      				_push(0xc);
      				_push(0x4b7c58);
      				L00477E90(__ebx, __edi, __esi);
      				_t69 = 0;
      				_t41 =  *(_t106 + 0x10);
      				_t72 = _t41[4];
      				if(_t72 == 0 ||  *((intOrPtr*)(_t72 + 8)) == 0) {
      					L34:
      					_t42 = 0;
      				} else {
      					_t100 = _t41[8];
      					if(_t100 != 0 || ( *_t41 & 0x80000000) != 0) {
      						_t73 =  *_t41;
      						_t102 =  *(_t106 + 0xc);
      						if(_t73 >= 0) {
      							_t102 =  &(_t102[3]) + _t100;
      						}
      						 *((intOrPtr*)(_t106 - 4)) = _t69;
      						_t105 =  *(_t106 + 0x14);
      						if(_t73 >= 0 || ( *_t105 & 0x00000010) == 0) {
      							L14:
      							_push(1);
      							_push( *( *((intOrPtr*)(_t106 + 8)) + 0x18));
      							if((_t73 & 0x00000008) == 0) {
      								if(( *_t105 & 0x00000001) == 0) {
      									if(_t105[0x18] != _t69) {
      										if(E004807C7() == 0) {
      											goto L32;
      										} else {
      											_push(1);
      											if(E004807C7(_t102) == 0 || E004807C7(_t105[0x18]) == 0) {
      												goto L32;
      											} else {
      												_t70 = 0;
      												_t69 = (_t70 & 0xffffff00 | ( *_t105 & 0x00000004) != 0x00000000) + 1;
      												 *((intOrPtr*)(_t106 - 0x1c)) = _t69;
      											}
      										}
      									} else {
      										if(E004807C7() == 0) {
      											goto L32;
      										} else {
      											_push(1);
      											if(E004807C7(_t102) == 0) {
      												goto L32;
      											} else {
      												E00471540(_t102, E004777E1( *( *((intOrPtr*)(_t106 + 8)) + 0x18),  &(_t105[8])), _t105[0x14]);
      											}
      										}
      									}
      								} else {
      									if(E004807C7() == 0) {
      										goto L32;
      									} else {
      										_push(1);
      										if(E004807C7(_t102) == 0) {
      											goto L32;
      										} else {
      											E00471540(_t102,  *( *((intOrPtr*)(_t106 + 8)) + 0x18), _t105[0x14]);
      											if(_t105[0x14] == 4 &&  *_t102 != 0) {
      												_push( &(_t105[8]));
      												_push( *_t102);
      												goto L13;
      											}
      										}
      									}
      								}
      							} else {
      								if(E004807C7() == 0) {
      									goto L32;
      								} else {
      									_push(1);
      									if(E004807C7(_t102) == 0) {
      										goto L32;
      									} else {
      										_t95 =  *( *((intOrPtr*)(_t106 + 8)) + 0x18);
      										goto L12;
      									}
      								}
      							}
      						} else {
      							_t64 =  *0x4c2c30; // 0x0
      							if(_t64 == 0) {
      								goto L14;
      							} else {
      								 *(_t106 + 0x10) =  *_t64();
      								_push(1);
      								if(E004807C7(_t65) == 0) {
      									L32:
      									E00476E6C();
      								} else {
      									_push(1);
      									if(E004807C7(_t102) == 0) {
      										goto L32;
      									} else {
      										_t95 =  *(_t106 + 0x10);
      										L12:
      										 *_t102 = _t95;
      										_push( &(_t105[8]));
      										_push(_t95);
      										L13:
      										 *_t102 = E004777E1();
      									}
      								}
      							}
      						}
      						 *((intOrPtr*)(_t106 - 4)) = 0xfffffffe;
      						_t42 = _t69;
      					} else {
      						goto L34;
      					}
      				}
      				return L00477ED5(_t42);
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: AdjustPointer_memmove
      • String ID:
      • API String ID: 1721217611-0
      • Opcode ID: ef686e7f78b9a8c42936ff3b3a8df68cd021233afaf7df9bd4ae0e8ebc5eb29b
      • Instruction ID: ce8d01ded96a3ae53c18377cab0dadf23142db01a4ba1d1daa8baa460807c160
      • Opcode Fuzzy Hash: ef686e7f78b9a8c42936ff3b3a8df68cd021233afaf7df9bd4ae0e8ebc5eb29b
      • Instruction Fuzzy Hash: 9441B6712483029FFB28AE25D881BEF33A49F01724FA4841FE948866D1EF79E944C759
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 43%
      			E00462A20(void* __ebx, void* __edx, struct _CRITICAL_SECTION** _a4) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				char _v1048;
      				short _v1050;
      				char _v1054;
      				struct _CRITICAL_SECTION* _v1060;
      				char _v1064;
      				char _v1076;
      				struct _CRITICAL_SECTION* _v1080;
      				char _v1084;
      				void* __edi;
      				void* __esi;
      				signed int _t39;
      				signed int _t40;
      				intOrPtr* _t44;
      				void* _t48;
      				intOrPtr* _t62;
      				intOrPtr _t63;
      				void* _t67;
      				char* _t69;
      				void* _t82;
      				struct _CRITICAL_SECTION** _t84;
      				void* _t85;
      				struct _CRITICAL_SECTION** _t87;
      				struct _CRITICAL_SECTION* _t88;
      				void* _t89;
      				signed int _t90;
      				void* _t91;
      				void* _t92;
      
      				_t82 = __edx;
      				_t67 = __ebx;
      				_push(0xffffffff);
      				_push(E0048C77C);
      				_push( *[fs:0x0]);
      				_t92 = _t91 - 0x42c;
      				_t39 =  *0x4bb1dc; // 0x2927074f
      				_t40 = _t39 ^ _t90;
      				_v20 = _t40;
      				_push(_t40);
      				 *[fs:0x0] =  &_v16;
      				_t84 = _a4;
      				asm("xorps xmm0, xmm0");
      				_v1048 = 0;
      				_v1050 = 0;
      				_t87 =  &(_t84[1]);
      				if(_t84[5] == 0) {
      					asm("movq [ebp-0x422], xmm0");
      					_v1064 = 2;
      					_v1060 =  *_t87;
      					_t44 =  *0x4c2534; // 0x0
      					_v1054 = 0;
      					asm("movq [ebp-0x41c], xmm0");
      					if(_t44 == 0) {
      						_t44 = E00464320(1);
      						 *0x4c2534 = _t44;
      					}
      					_push(0);
      					_push(0);
      					_push(0);
      					_push(0x401);
      					_push( &_v1048);
      					_push(0x10);
      					_t69 =  &_v1064;
      				} else {
      					asm("movdqu [ebp-0x42e], xmm0");
      					asm("movq [ebp-0x41e], xmm0");
      					asm("movdqu xmm0, [esi]");
      					_v1076 = 0x17;
      					_t44 =  *0x4c2534; // 0x0
      					asm("movdqu [ebp-0x428], xmm0");
      					if(_t44 == 0) {
      						_t44 = E00464320(1);
      						 *0x4c2534 = _t44;
      					}
      					_push(0);
      					_push(0);
      					_push(0);
      					_push(0x401);
      					_push( &_v1048);
      					_push(0x1c);
      					_t69 =  &_v1076;
      				}
      				__imp__#112( *_t44(_t69));
      				_v1084 = 0;
      				_v8 = 0;
      				if(_v1048 == 0) {
      					_t48 = L00435FF0(_t87,  &_v1080, _t87, _t84[5] & 0x000000ff, 0xffffffff);
      					_t92 = _t92 + 0x10;
      					_v8 = 2;
      					E0046A0B0( &_v1084, _t48);
      					_t71 = _v1080;
      					_v8 = 0;
      					if(_v1080 != 0) {
      						E0046A700(_t71);
      					}
      				} else {
      					_t62 =  *((intOrPtr*)(E00403D10( &_v1048)));
      					_v8 = 1;
      					if(_t62 == 0) {
      						_t63 = 0;
      					} else {
      						_t63 =  *_t62;
      					}
      					E0046A0F0( &_v1084, _t63);
      					E00403A00( &_v1080);
      				}
      				_t88 =  *_t84;
      				_v1080 = _t88;
      				EnterCriticalSection(_t88);
      				_v8 = 3;
      				E0046A0B0(_t84[6],  &_v1084);
      				LeaveCriticalSection(_t88);
      				InterlockedDecrement( *_t84 + 0x18);
      				E0046EF07(_t84);
      				_t73 = _v1084;
      				_v8 = 0xffffffff;
      				if(_v1084 != 0) {
      					E0046A700(_t73);
      				}
      				 *[fs:0x0] = _v16;
      				_pop(_t85);
      				_pop(_t89);
      				return E0046F77E(_t67, _v20 ^ _t90, _t82, _t85, _t89);
      			}

      APIs
      • WSASetLastError.WS2_32(00000000), ref: 00462B26
      • EnterCriticalSection.KERNEL32(?,00000000), ref: 00462BC4
      • LeaveCriticalSection.KERNEL32(?,00000000), ref: 00462BDE
      • InterlockedDecrement.KERNEL32(-00000018), ref: 00462BEA
        • Part of subcall function 00464320: GetSystemDirectoryA.KERNEL32 ref: 00464388
        • Part of subcall function 00464320: LoadLibraryA.KERNEL32(?,?,?,?,?,?), ref: 004643D1
        • Part of subcall function 00464320: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004643EF
        • Part of subcall function 00464320: FreeLibrary.KERNEL32(00000000,?,?,?,?,?), ref: 004643F6
        • Part of subcall function 00464320: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00464430
        • Part of subcall function 00464320: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00464442
        • Part of subcall function 00464320: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00464449
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Library$AddressCriticalFreeLoadProcSection$DecrementDirectoryEnterErrorInterlockedLastLeaveSystem
      • String ID:
      • API String ID: 1007326777-0
      • Opcode ID: 281cfc41fd620b1b5f522d60bf5e300ed990983258cbb9eb3ebfa0ae3f3456cc
      • Instruction ID: 01ffba7f586849016567de15a1ccc9d961bdc59d8ebe5ab4d112fa28fa64bb85
      • Opcode Fuzzy Hash: 281cfc41fd620b1b5f522d60bf5e300ed990983258cbb9eb3ebfa0ae3f3456cc
      • Instruction Fuzzy Hash: 2451B8B1A01658AADB10DF54CD41BDEB778EF44304F40019AF605A7281EBB86B84CF9E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E0041E8D0(signed int __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				char _v540;
      				char _v541;
      				char _v548;
      				char _v552;
      				intOrPtr _v556;
      				char _v560;
      				char _v564;
      				signed int _v568;
      				intOrPtr _v572;
      				char _v592;
      				intOrPtr _v628;
      				char _v632;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t49;
      				signed int _t50;
      				struct _CRITICAL_SECTION* _t82;
      				void* _t84;
      				void* _t104;
      				intOrPtr _t106;
      				void* _t107;
      				void* _t109;
      				char _t110;
      				signed int _t111;
      				void* _t112;
      				void* _t113;
      				void* _t114;
      
      				_t114 = __eflags;
      				_t104 = __edx;
      				_push(0xffffffff);
      				_push(E00487A17);
      				_push( *[fs:0x0]);
      				_t113 = _t112 - 0x268;
      				_t49 =  *0x4bb1dc; // 0x2927074f
      				_t50 = _t49 ^ _t111;
      				_v20 = _t50;
      				_push(_t50);
      				 *[fs:0x0] =  &_v16;
      				_t82 = __ecx;
      				_v556 = _a8;
      				_v541 = 0;
      				E00418740(__ecx, 0);
      				E0040C870( &_v632, _t104, _t114,  *((intOrPtr*)(__ecx + 0x18)), L"Counting occurrences of values", E00416870(__ecx),  &_v541);
      				_v8 = 0;
      				_t106 = 0;
      				if(E00416870(__ecx) != 0) {
      					_v568 = __ecx;
      					while(1) {
      						EnterCriticalSection(_t82);
      						_v8 = 1;
      						E0040D160(_t82,  &_v592, _t106);
      						_v8 = 2;
      						E004110C0(_t104, _t106, _a4,  &_v540, 0x104);
      						_t110 = E0046A6C0(_t82,  &_v540, E0046A530( &_v540));
      						_t113 = _t113 + 0xc;
      						_v572 = _t110;
      						_v8 = 3;
      						_v552 = _t110;
      						if(_t110 != 0) {
      							E0046A420(_t110);
      						}
      						_v548 = 1;
      						_v8 = 4;
      						E0041C8C0(_v556,  &_v564, 0,  &_v552,  *0x4bca04 & 0x000000ff);
      						_t97 = _v552;
      						_v8 = 3;
      						if(_v552 != 0) {
      							E0046A700(_t97);
      						}
      						if(_v560 == 0) {
      							 *((intOrPtr*)(_v564 + 0x14)) =  *((intOrPtr*)(_v564 + 0x14)) + 1;
      						}
      						_v628 = _t106;
      						_v8 = 2;
      						if(_v541 != 0) {
      							break;
      						}
      						if(_t110 != 0) {
      							E0046A700(_t110);
      						}
      						_v8 = 1;
      						E0040F960( &_v592, _t110);
      						_v8 = 0;
      						LeaveCriticalSection(_t82);
      						_t106 = _t106 + 1;
      						if(_t106 < E00416870(_t82)) {
      							continue;
      						} else {
      						}
      						goto L16;
      					}
      					__eflags = _t110;
      					if(_t110 != 0) {
      						E0046A700(_t110);
      					}
      					_v8 = 1;
      					E0040F960( &_v592, _t110);
      					LeaveCriticalSection(_t82);
      				}
      				L16:
      				_v8 = 0xffffffff;
      				E0040C9C0( &_v632);
      				 *[fs:0x0] = _v16;
      				_pop(_t107);
      				_pop(_t109);
      				_pop(_t84);
      				return E0046F77E(_t84, _v20 ^ _t111, _t104, _t107, _t109);
      			}

      APIs
        • Part of subcall function 00418740: SendMessageW.USER32(00000000,00001027,00000000,00000000), ref: 00418788
        • Part of subcall function 00418740: SendMessageW.USER32(00000000,00001028,00000000,00000000), ref: 0041879E
        • Part of subcall function 00418740: EnterCriticalSection.KERNEL32(004BCA10), ref: 004187A8
        • Part of subcall function 00418740: LeaveCriticalSection.KERNEL32(004BCA10), ref: 004187B9
        • Part of subcall function 00418740: EnterCriticalSection.KERNEL32(004BCA10), ref: 004187C8
        • Part of subcall function 00418740: LeaveCriticalSection.KERNEL32(004BCA10), ref: 004187D9
        • Part of subcall function 00418740: EnterCriticalSection.KERNEL32(004BCA10), ref: 004187EE
        • Part of subcall function 00416870: EnterCriticalSection.KERNEL32(004BCA10,00000000,?,0043B1A2,2927074F,00000000,?,?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 00416875
        • Part of subcall function 00416870: LeaveCriticalSection.KERNEL32(004BCA10,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0041687F
        • Part of subcall function 0040C870: GetTickCount.KERNEL32 ref: 0040C897
        • Part of subcall function 0040C870: GetWindowRect.USER32 ref: 0040C8D9
        • Part of subcall function 0040C870: GetAncestor.USER32(?,00000002), ref: 0040C916
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C923
        • Part of subcall function 0040C870: GetDesktopWindow.USER32 ref: 0040C930
        • Part of subcall function 0040C870: EnableWindow.USER32(00000000,00000000), ref: 0040C93D
        • Part of subcall function 0040C870: GetParent.USER32(00000000), ref: 0040C944
        • Part of subcall function 0040C870: CreateThread.KERNEL32 ref: 0040C95C
      • EnterCriticalSection.KERNEL32(?,?,Counting occurrences of values,00000000,00000000,00000000,2927074F), ref: 0041E958
      • LeaveCriticalSection.KERNEL32 ref: 0041EA50
        • Part of subcall function 0046A420: InterlockedIncrement.KERNEL32(00000000), ref: 0046A421
      • LeaveCriticalSection.KERNEL32 ref: 0041EA83
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      • Counting occurrences of values, xrefs: 0041E926
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$Window$InterlockedMessageParentSend$AncestorCountCreateDecrementDesktopEnableIncrementRectThreadTick
      • String ID: Counting occurrences of values
      • API String ID: 372580158-3810591583
      • Opcode ID: fe11d1000b66026b24078eebd824a6b7b6502fb0bf225dfade8eb5a2a66bbe5f
      • Instruction ID: 6978ff492b50aee504f81805a5b8c313cf55d41dbe5cf6a5c0aae14ac791b1c2
      • Opcode Fuzzy Hash: fe11d1000b66026b24078eebd824a6b7b6502fb0bf225dfade8eb5a2a66bbe5f
      • Instruction Fuzzy Hash: FF51D974D05258AADF21EB65DD89BDDBBB8AF04304F0001EEE80563281DB785F89CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E004263A0(void* __eax, void* __ecx, struct HWND__* _a4, int _a8, struct HDC__* _a12, long _a16) {
      				struct HINSTANCE__* _v8;
      				char _v16;
      				signed int _v20;
      				struct tagRECT _v36;
      				struct tagRECT _v52;
      				struct HINSTANCE__* _v56;
      				long _v60;
      				intOrPtr _v64;
      				void* _v68;
      				struct HWND__* _v72;
      				struct HDC__* _v76;
      				struct tagPOINT _v84;
      				intOrPtr _v88;
      				char _v92;
      				intOrPtr _v96;
      				struct HINSTANCE__* _v100;
      				long _v112;
      				struct HDC__* _v116;
      				int _v120;
      				void* _v124;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t79;
      				signed int _t80;
      				intOrPtr _t86;
      				intOrPtr _t91;
      				int _t116;
      				void* _t133;
      				void* _t145;
      				intOrPtr _t147;
      				intOrPtr _t148;
      				struct HWND__* _t151;
      				long _t162;
      				void* _t163;
      				int _t166;
      				void* _t167;
      				struct HWND__* _t168;
      				signed int _t173;
      				void* _t181;
      				void* _t182;
      				void* _t183;
      
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				_t171 = _t173;
      				_push(0xffffffff);
      				_push(E004884C8);
      				_push( *[fs:0x0]);
      				_t79 =  *0x4bb1dc; // 0x2927074f
      				_t80 = _t79 ^ _t173;
      				_v20 = _t80;
      				_push(_t80);
      				 *[fs:0x0] =  &_v16;
      				_t166 = _a8;
      				_t151 = _a4;
      				_t162 = _a16;
      				_v72 = _t151;
      				_v76 = _a12;
      				if(_t166 < 0x200 || _t166 > 0x20d) {
      					if(_t166 == 0x101) {
      						goto L6;
      					}
      				} else {
      					if(_t166 == 0x101) {
      						L6:
      						GetCursorPos( &_v84);
      						MapWindowPoints(0, _v72,  &_v84, 1);
      						_t131 = _v84.y;
      						_t160 = _v84.x;
      						_t151 = _v72;
      					} else {
      						_t160 = _t162;
      						_t131 = _t162 >> 0x10;
      						_v84.x = _t162;
      						_v84.y = _t162 >> 0x10;
      					}
      					asm("xorps xmm0, xmm0");
      					_v116 = _v76;
      					_t147 =  *0x4bb0fc; // 0xffffffff
      					_v88 = _t147;
      					_t148 =  *0x4bb0f8; // 0xffffffff
      					_v124 = _t151;
      					_v120 = _t166;
      					_v112 = _t162;
      					asm("movq [ebp-0x68], xmm0");
      					_v100 = 0;
      					_v96 = _t148;
      					_t133 = L00425E10(_t148,  &_v92, _t151, _t160, _t131, 0x4bb0fc, 0x4bb0f8, 0x4bcb48, 0x4bca08);
      					_v8 = 0;
      					E0046A0B0(0x4bcb34, _t133);
      					_t159 = _v92;
      					_v8 = 0xffffffff;
      					if(_v92 != 0) {
      						E0046A700(_t159);
      					}
      					_t181 = _v96 -  *0x4bb0f8; // 0xffffffff
      					if(_t181 != 0) {
      						L11:
      						SendMessageW( *0x4bcb44, 0x41c, 0, 0);
      					} else {
      						_t182 = _v88 -  *0x4bb0fc; // 0xffffffff
      						if(_t182 != 0) {
      							goto L11;
      						}
      					}
      					SendMessageW( *0x4bcb44, 0x407, 0,  &_v124);
      					_t151 = _v72;
      				}
      				_t183 = _t166 - 0x4e;
      				if(_t183 > 0) {
      					if(_t166 >= 0x114 && (_t166 <= 0x115 || _t166 == 0x20a)) {
      						SendMessageW( *0x4bcb44, 0x41c, 0, 0);
      					}
      					goto L28;
      				} else {
      					if(_t183 == 0) {
      						_t86 =  *((intOrPtr*)(_t162 + 8));
      						if(_t86 == 0xfffffdee) {
      							 *((intOrPtr*)(_t162 + 0xc)) = E0046A170(0x4bcb34);
      							SendMessageW( *0x4bcb44, 0x418, 0, 0x3e8);
      						} else {
      							if(_t86 != 0xfffffdf7) {
      								goto L28;
      							} else {
      								SetWindowPos( *0x4bcb44, 0,  *0x4bcb48,  *0x4bcb4c, 0, 0, 0x15);
      								_t91 =  *0x4bd708; // 0x0
      								_t92 =  !=  ?  *0x4bd70c : _t91;
      								SendMessageW( *0x4bcb44, 0x30,  !=  ?  *0x4bd70c : _t91, 0);
      							}
      						}
      					} else {
      						if(_t166 == 0x14) {
      							if(SendMessageW(_t151, 0x1004, 0, 0) == 0) {
      								goto L28;
      							} else {
      								_t168 = _v72;
      								GetClientRect(_t168,  &_v52);
      								_v68 = 0;
      								SendMessageW(_t168, 0x100e, SendMessageW(_t168, 0x1004, 0, 0) - 1,  &_v68);
      								_v36.left = _v60;
      								_v36.right = _v52.right;
      								_v36.top = _v52.top;
      								_v36.bottom = _v52.bottom;
      								FillRect(_v76,  &_v36, GetSysColorBrush(5));
      								_v36.left = _v52.left;
      								_v36.right = _v52.right;
      								_v36.top = _v56;
      								_v36.bottom = _v52.bottom;
      								FillRect(_v76,  &_v36, GetSysColorBrush(5));
      								_t116 = SendMessageW(_v72, 0x1027, 0, 0);
      								_v68 = 0;
      								SendMessageW(_v72, 0x100e, _t116,  &_v68);
      								_v36.right = _v52.right;
      								_v36.left = 0;
      								_v36.top = 0;
      								_v36.bottom = _v64;
      								FillRect(_v76,  &_v36, GetSysColorBrush(5));
      							}
      						} else {
      							if(_t166 != 0x20) {
      								L28:
      								CallWindowProcW( *0x4bcb3c, _v72, _t166, _v76, _t162);
      							} else {
      								SetCursor(LoadCursorW(0, 0x7f00));
      							}
      						}
      					}
      				}
      				 *[fs:0x0] = _v16;
      				_pop(_t163);
      				_pop(_t167);
      				_pop(_t145);
      				return E0046F77E(_t145, _v20 ^ _t171, _t160, _t163, _t167);
      			}

      APIs
      • GetCursorPos.USER32(?), ref: 0042642C
      • MapWindowPoints.USER32 ref: 0042643D
      • SendMessageW.USER32(0000041C,00000000,00000000,00000000), ref: 004264EF
      • SendMessageW.USER32(00000407,00000000,?), ref: 00426502
      • LoadCursorW.USER32(00000000,00007F00), ref: 0042652B
      • SetCursor.USER32(00000000), ref: 00426532
      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0042654A
      • GetClientRect.USER32 ref: 0042655C
      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00426577
      • SendMessageW.USER32(?,0000100E,-00000001), ref: 00426581
      • GetSysColorBrush.USER32(00000005), ref: 004265A3
      • FillRect.USER32 ref: 004265B3
      • GetSysColorBrush.USER32(00000005), ref: 004265CF
      • FillRect.USER32 ref: 004265D9
      • SendMessageW.USER32(?,00001027,00000000,00000000), ref: 004265E7
      • SendMessageW.USER32(?,0000100E,00000000,00000000), ref: 004265FD
      • GetSysColorBrush.USER32(00000005), ref: 0042661B
      • FillRect.USER32 ref: 00426625
      • SetWindowPos.USER32(00000000,00000000,00000000,00000015,2927074F), ref: 00426660
      • SendMessageW.USER32(00000030,00000000,00000000), ref: 00426684
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$Rect$BrushColorCursorFill$Window$ClientLoadPoints
      • String ID:
      • API String ID: 3779856903-0
      • Opcode ID: c656cba45b13e1b74346c56f552dfe308fe7b0de20cd415ed85923aa7a999fe0
      • Instruction ID: 0eb297500559dde30f18a972ea17788a46c117c9893ba195a9065cc78686fee0
      • Opcode Fuzzy Hash: c656cba45b13e1b74346c56f552dfe308fe7b0de20cd415ed85923aa7a999fe0
      • Instruction Fuzzy Hash: 6441C571E04218DBDB10DF99ECC1B9EB7B4EB08710F51462AE915A7391D77868408F68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004671A0(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, char _a23, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, void* _a40, void* _a44) {
      				void* _v8;
      				intOrPtr _v12;
      				char _v16;
      				intOrPtr _t55;
      				void* _t67;
      				char _t68;
      				long _t69;
      				signed int _t79;
      				void* _t83;
      				intOrPtr _t84;
      				void* _t97;
      				intOrPtr* _t100;
      
      				_t83 = __ecx;
      				 *(__ecx + 0x550) = 0;
      				 *(__ecx + 0x554) = 0;
      				 *(__ecx + 0x4b0) = 0;
      				 *(__ecx + 0x4b4) = 0;
      				if( *((intOrPtr*)(__ecx + 0x570)) == 0) {
      					if( *((intOrPtr*)(__ecx + 0x574)) != 0) {
      						VirtualFree( *(__ecx + 0x568), 0, 0x8000);
      					}
      					_t79 = _a8;
      					 *(_t83 + 0x574) = _t79;
      					if(_t79 != 0) {
      						 *((intOrPtr*)(_t83 + 0x568)) = VirtualAlloc(0, _t79 + _t79 * 4, 0x2000, 4);
      					}
      				}
      				_t100 = _t83 + 8;
      				E00470030(_t100, 0, 0x3a8);
      				 *_t100 = 0x5f4c4d50;
      				_t55 =  *0x4bb0d0; // 0x9
      				 *((intOrPtr*)(_t83 + 0xc)) = _t55;
      				 *((intOrPtr*)(_t83 + 0x3a0)) = 0x3a8;
      				E0046EF0C(_t83 + 0x14, 0x10, _a12);
      				E0046EF0C(_t83 + 0x34, 0x104, _a16);
      				 *(_t83 + 0x10) = 0 | _a20 != 0x00000000;
      				 *((intOrPtr*)(_t83 + 0x270)) = _a32;
      				 *((intOrPtr*)(_t83 + 0x274)) = _a36;
      				 *((intOrPtr*)(_t83 + 0x398)) = _a24;
      				 *((intOrPtr*)(_t83 + 0x39c)) = _a28;
      				_t67 = memcpy(_t83 + 0x278, _a44, 0x47 << 2);
      				_t102 = _t83 + 0x3b0;
      				 *(_t83 + 0x394) = _t67;
      				 *((intOrPtr*)(_t83 + 0x248)) = 0x3a8;
      				 *(_t83 + 0x24c) = 0;
      				_a8 = _t83 + 0x3b0;
      				_t68 = E004303A0(_t83 + 0x3b0, _a20, _a4, 0, 0x400000);
      				_a23 = _t68;
      				if(_t68 == 0) {
      					L13:
      					_t69 = GetLastError();
      					E004309F0(_a8);
      					return _t69;
      				} else {
      					E004180C0(_t102,  &_v16, 0, 0, 0x3a8, 1);
      					_t97 = _v8;
      					if(_t97 == 0) {
      						_t84 = 0;
      						__eflags = 0;
      					} else {
      						memcpy(_t97, _t83 + 8, 0xea << 2);
      						 *((intOrPtr*)(_t83 + 0x4b0)) =  *((intOrPtr*)(_t83 + 0x248));
      						 *(_t83 + 0x4b4) =  *(_t83 + 0x24c);
      						_t84 = _a23;
      					}
      					_t91 = _v12;
      					if(_v12 != 0) {
      						E00430D60(_t91, 0xffffffff, 0xffffffff);
      					}
      					if(_t84 == 0) {
      						goto L13;
      					} else {
      						return 0;
      					}
      				}
      			}

      APIs
      • VirtualFree.KERNEL32(?,00000000,00008000,004BCA10,?,749682C0,00000000,?,0000011C), ref: 004671F2
      • VirtualAlloc.KERNEL32(00000000,00000000,00002000,00000004,004BCA10,?,749682C0,00000000,?,0000011C), ref: 00467212
      • _memset.LIBCMT ref: 00467229
      • GetLastError.KERNEL32(?,00000000,00400000,?,?,?,?,?,?,004BCA10,?,749682C0,00000000,?,0000011C), ref: 0046734A
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Virtual$AllocErrorFreeLast_memset
      • String ID:
      • API String ID: 638017552-0
      • Opcode ID: 0b18e20abaf13b921b76fb437d68f2d332687564701b9f79c6df925288d9068f
      • Instruction ID: c04f66efb2d7cf7632f916b3cc05f019acaf223a3a6f5949e413cd9b3090d5b3
      • Opcode Fuzzy Hash: 0b18e20abaf13b921b76fb437d68f2d332687564701b9f79c6df925288d9068f
      • Instruction Fuzzy Hash: 90515A716442049BDF10DF68C885BDA3BA4FB08715F0801BAFD08AF386D7789944CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E0044C460(void* __ebx, intOrPtr __ecx, intOrPtr __edi, void* __esi, struct HWND__* _a4, char _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				intOrPtr _v28;
      				intOrPtr* _t51;
      				intOrPtr _t57;
      				void* _t58;
      				signed int _t64;
      				signed int _t65;
      				intOrPtr _t70;
      				intOrPtr _t71;
      				struct tagPOINT* _t73;
      				struct HWND__* _t78;
      
      				_t72 = __edi;
      				_push(__ecx);
      				_push(__ebx);
      				_t78 = _a4;
      				_t57 = __ecx;
      				_v8 = __ecx;
      				if(_t78 != 0) {
      					_t70 =  *((intOrPtr*)(__ecx + 0x3c));
      					_t64 = 0;
      					_push(__edi);
      					if(_t70 <= 0) {
      						L6:
      						if(_a8 != 0) {
      							_t65 = _t70 + 1;
      							 *(_t57 + 0x3c) = _t65;
      							_t71 = E00471B84(_t57, _t70, _t72,  *((intOrPtr*)(_t57 + 0x38)), _t65 * 8 - _t65 << 3);
      							if(_t71 == 0) {
      								_a8 = 8;
      								E0046F78D( &_a8, 0x4affc8);
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								asm("int3");
      								_push(_t65);
      								_v28 = 0;
      								E00435660(_t71, _v16, _v12, E00419530(0x4bca10), _v8);
      								return _v16;
      							} else {
      								asm("movaps xmm0, [0x4a68c0]");
      								 *((intOrPtr*)(_t57 + 0x38)) = _t71;
      								_t58 = _t71 + ( *(_t57 + 0x3c) * 8 -  *(_t57 + 0x3c)) * 8;
      								_t73 = _t58 - 0x18;
      								 *(_t58 - 8) = _t78;
      								asm("movups [ebx-0x38], xmm0");
      								asm("movups [ebx-0x28], xmm0");
      								GetWindowRect(_t78, _t73);
      								ScreenToClient( *(_v8 + 0xc), _t73);
      								ScreenToClient( *(_v8 + 0xc), _t73 + 8);
      								return _t58 - 0x38;
      							}
      						} else {
      							return 0;
      						}
      					} else {
      						_t72 =  *((intOrPtr*)(__ecx + 0x38));
      						_t51 = _t72 + 0x30;
      						while( *_t51 != _t78) {
      							_t64 = _t64 + 1;
      							_t51 = _t51 + 0x38;
      							if(_t64 < _t70) {
      								continue;
      							} else {
      								goto L6;
      							}
      							goto L13;
      						}
      						return _t72 + (_t64 * 8 - _t64) * 8;
      					}
      				} else {
      					return 0;
      				}
      				L13:
      			}

      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: df527caf164d4786784d477ebc54f36c419b0c70a79f5bd1557afd6869d3a906
      • Instruction ID: 2c9283bef27e294543e2d78474d09795c3579c944a4dc52f2e71afc970af1f8e
      • Opcode Fuzzy Hash: df527caf164d4786784d477ebc54f36c419b0c70a79f5bd1557afd6869d3a906
      • Instruction Fuzzy Hash: 9031C732A011199FDB54CF59E8C4AEAB7A8FB54320F54816FEC04C7215E735ADA9CBD0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E0046E430(void* __ecx, int _a4) {
      				int _v8;
      				int _v12;
      				char _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				short* _v32;
      				signed int _v36;
      				int _v40;
      				short* _v44;
      				signed int _v48;
      				char _v56;
      				short* _v64;
      				signed int _v68;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t32;
      				signed int _t35;
      				int _t36;
      				signed int _t41;
      				signed int _t42;
      				int _t45;
      				void* _t47;
      				short* _t48;
      				int _t49;
      				signed int _t50;
      				signed int _t55;
      				signed int _t59;
      				int _t63;
      				long _t66;
      				signed int _t69;
      				int _t74;
      				char* _t75;
      				signed int _t76;
      				void* _t77;
      				short* _t81;
      				short* _t92;
      				short* _t94;
      				int _t95;
      				void* _t96;
      				char* _t100;
      				short* _t101;
      				void* _t102;
      				signed int _t106;
      				intOrPtr _t107;
      				signed int _t108;
      				short* _t109;
      
      				_push(0xffffffff);
      				_push(E0048D6A0);
      				_push( *[fs:0x0]);
      				_push(__ecx);
      				_t32 =  *0x4bb1dc; // 0x2927074f
      				_push(_t32 ^ _t105);
      				 *[fs:0x0] =  &_v16;
      				_v20 = _t107;
      				_t94 = _a4;
      				if(_t94 != 0) {
      					_t81 = _t94;
      					_t92 =  &(_t81[1]);
      					do {
      						_t35 =  *_t81;
      						_t81 =  &(_t81[1]);
      						__eflags = _t35;
      					} while (_t35 != 0);
      					_t36 = (_t81 - _t92 >> 1) + 1;
      					_a4 = _t36;
      					_t74 = WideCharToMultiByte(0, 0, _t94, _t36, 0, 0, 0, 0);
      					__eflags = _t74;
      					if(__eflags == 0) {
      						_t69 = GetLastError();
      						__eflags = _t69;
      						if(__eflags > 0) {
      							__eflags = _t69;
      						}
      						E0046E410(_t69);
      					}
      					_push(_t74);
      					_v8 = 0;
      					_t100 = E0046EEB6(_t74, _t94, __eflags);
      					_v8 = 0xffffffff;
      					_t108 = _t107 + 4;
      					__eflags = _t100;
      					if(_t100 == 0) {
      						E0046E410(0x8007000e);
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						_t106 = _t108;
      						_push(0xfffffffe);
      						_push(0x4b7590);
      						_push(E00473BC0);
      						_push( *[fs:0x0]);
      						_t109 = _t108 - 0x18;
      						_t41 =  *0x4bb1dc; // 0x2927074f
      						_v48 = _v48 ^ _t41;
      						_t42 = _t41 ^ _t106;
      						_v68 = _t42;
      						_push(_t74);
      						_push(_t100);
      						_push(_t94);
      						_push(_t42);
      						 *[fs:0x0] =  &_v56;
      						_v64 = _t109;
      						_t17 =  &_v32; // 0x403d67
      						_t75 =  *_t17;
      						__eflags = _t75;
      						if(_t75 != 0) {
      							_t45 = lstrlenA(_t75) + 1;
      							_v40 = _t45;
      							_t95 = MultiByteToWideChar(0, 0, _t75, _t45, 0, 0);
      							_v48 = _t95;
      							__eflags = _t95;
      							if(_t95 == 0) {
      								_t59 = GetLastError();
      								__eflags = _t59;
      								if(_t59 > 0) {
      									__eflags = _t59;
      								}
      								E0046E410(_t59);
      							}
      							_v12 = 0;
      							_t47 = _t95 + _t95;
      							__eflags = _t95 - 0x1000;
      							if(_t95 >= 0x1000) {
      								_t48 = E00470444(_t75, _t92, _t95, _t47);
      								_t109 =  &(_t109[2]);
      								_t101 = _t48;
      								_v44 = _t101;
      								_v12 = 0xfffffffe;
      							} else {
      								E00473B90(_t47);
      								_v32 = _t109;
      								_t101 = _t109;
      								_v44 = _t101;
      								_v12 = 0xfffffffe;
      							}
      							_t49 = _v40;
      							__eflags = _t101;
      							if(_t101 == 0) {
      								_t49 = E0046E410(0x8007000e);
      							}
      							_t50 = MultiByteToWideChar(0, 0, _t75, _t49, _t101, _t95);
      							__eflags = _t50;
      							if(_t50 == 0) {
      								__eflags = _t95 - 0x1000;
      								if(_t95 >= 0x1000) {
      									E0047040C(_t101);
      									_t109 =  &(_t109[2]);
      								}
      								_t55 = GetLastError();
      								__eflags = _t55;
      								if(_t55 > 0) {
      									__eflags = _t55;
      								}
      								_t50 = E0046E410(_t55);
      							}
      							__imp__#2(_t101);
      							_t76 = _t50;
      							__eflags = _t95 - 0x1000;
      							if(_t95 >= 0x1000) {
      								E0047040C(_t101);
      							}
      							__eflags = _t76;
      							if(_t76 == 0) {
      								E0046E410(0x8007000e);
      							}
      						} else {
      						}
      						 *[fs:0x0] = _v24;
      						_pop(_t96);
      						_pop(_t102);
      						_pop(_t77);
      						__eflags = _v36 ^ _t106;
      						return E0046F77E(_t77, _v36 ^ _t106, _t92, _t96, _t102);
      					} else {
      						_t63 = WideCharToMultiByte(0, 0, _t94, _a4, _t100, _t74, 0, 0);
      						__eflags = _t63;
      						if(_t63 == 0) {
      							E0046EF07(_t100);
      							_t66 = GetLastError();
      							__eflags = _t66;
      							if(_t66 > 0) {
      								__eflags = _t66;
      							}
      							E0046E410(_t66);
      						}
      						 *[fs:0x0] = _v16;
      						return _t100;
      					}
      				} else {
      					 *[fs:0x0] = _v16;
      					return 0;
      				}
      			}

      APIs
      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,2927074F,?,?,?,?,?,0048D6A0,000000FF), ref: 0046E4A3
      • GetLastError.KERNEL32(?,?,?,?,?,0048D6A0,000000FF,?,00403F41,?,2927074F,?,?,?,?,Function_00085EDB), ref: 0046E4AF
      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0046E4F2
      • GetLastError.KERNEL32 ref: 0046E505
      Similarity
      • API ID: ByteCharErrorLastMultiWide
      • String ID:
      • API String ID: 203985260-0
      • Opcode ID: f49b48176eff5fbd289b5ce4c90f18ce60d8680024be788dfc333920d6b968a0
      • Instruction ID: 259033824bdf9363afc9c0f773e259707840da6bd80d20f4c26df050672b122e
      • Opcode Fuzzy Hash: f49b48176eff5fbd289b5ce4c90f18ce60d8680024be788dfc333920d6b968a0
      • Instruction Fuzzy Hash: AE31EA75600204ABD7209B769C06FAB77E8EB40B54F10463FF905D73C0FA7A990086A9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0047F8F3(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
      				char _v8;
      				intOrPtr _v12;
      				int _v20;
      				int _t35;
      				int _t38;
      				int _t42;
      				intOrPtr* _t44;
      				int _t47;
      				short* _t49;
      				intOrPtr _t50;
      				intOrPtr _t54;
      				int _t55;
      				int _t59;
      				char* _t62;
      
      				_t62 = _a8;
      				if(_t62 == 0) {
      					L5:
      					return 0;
      				}
      				_t50 = _a12;
      				if(_t50 == 0) {
      					goto L5;
      				}
      				if( *_t62 != 0) {
      					E0046F1FB( &_v20, _a16);
      					_t35 = _v20;
      					__eflags =  *(_t35 + 0xa8);
      					if( *(_t35 + 0xa8) != 0) {
      						_t38 = E004722A8( *_t62 & 0x000000ff,  &_v20);
      						__eflags = _t38;
      						if(_t38 == 0) {
      							__eflags = _a4;
      							_t59 = 1;
      							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
      							__eflags = _t42;
      							if(_t42 != 0) {
      								L21:
      								__eflags = _v8;
      								if(_v8 != 0) {
      									_t54 = _v12;
      									_t31 = _t54 + 0x70;
      									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
      									__eflags =  *_t31;
      								}
      								return _t59;
      							}
      							L20:
      							_t44 = E00474352();
      							_t59 = _t59 | 0xffffffff;
      							__eflags = _t59;
      							 *_t44 = 0x2a;
      							goto L21;
      						}
      						_t59 = _v20;
      						__eflags =  *(_t59 + 0x74) - 1;
      						if( *(_t59 + 0x74) <= 1) {
      							L15:
      							__eflags = _t50 -  *(_t59 + 0x74);
      							L16:
      							if(__eflags < 0) {
      								goto L20;
      							}
      							__eflags = _t62[1];
      							if(_t62[1] == 0) {
      								goto L20;
      							}
      							L18:
      							_t59 =  *(_t59 + 0x74);
      							goto L21;
      						}
      						__eflags = _t50 -  *(_t59 + 0x74);
      						if(__eflags < 0) {
      							goto L16;
      						}
      						__eflags = _a4;
      						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
      						_t59 = _v20;
      						__eflags = _t47;
      						if(_t47 != 0) {
      							goto L18;
      						}
      						goto L15;
      					}
      					_t55 = _a4;
      					__eflags = _t55;
      					if(_t55 != 0) {
      						 *_t55 =  *_t62 & 0x000000ff;
      					}
      					_t59 = 1;
      					goto L21;
      				}
      				_t49 = _a4;
      				if(_t49 != 0) {
      					 *_t49 = 0;
      				}
      				goto L5;
      			}

      APIs
      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0047F929
      • __isleadbyte_l.LIBCMT ref: 0047F957
      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0047F985
      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0047F9BB
      Similarity
      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
      • String ID:
      • API String ID: 3058430110-0
      • Opcode ID: bf3dc35b3fa50a78735ea518cc312f42ad6d0e472ccb1665ce3912ee30a06228
      • Instruction ID: d3b5026e8a566ac3db637fa296e35eac4b581ef4ee6579fefac9e86d3c541468
      • Opcode Fuzzy Hash: bf3dc35b3fa50a78735ea518cc312f42ad6d0e472ccb1665ce3912ee30a06228
      • Instruction Fuzzy Hash: 2131CDB1600246BFDB218E35C844BFB7BA5FF41314F15803AE9A8872A0E738DC59DB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00404520(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				int _v28;
      				void* _v32;
      				void* __ebx;
      				void* __esi;
      				struct HWND__* _t29;
      				int _t30;
      				long _t32;
      				void* _t36;
      				void* _t43;
      				intOrPtr _t44;
      				intOrPtr _t55;
      				intOrPtr _t56;
      
      				_t54 = __edx;
      				_t55 = _a4;
      				_t56 = __ecx;
      				_t28 =  *((intOrPtr*)(_t55 + 0x14));
      				while( *((intOrPtr*)(_t55 + 0x14)) != 0) {
      					E00404520(__ecx, __edx, _t28);
      					_t28 =  *((intOrPtr*)(_t55 + 0x14));
      				}
      				_t29 =  *(_t56 + 8);
      				_v24 = 0x7d6;
      				_v32 = _t29;
      				_t30 = GetWindowLongW(_t29, 0xfffffff4);
      				_v28 = _t30;
      				_v12 = 0;
      				_v20 = 0;
      				_v16 = _t55;
      				_v8 = 0;
      				if( *((char*)(_t56 + 0xc4)) == 0) {
      					_t32 = SendMessageW(GetParent( *(_t56 + 8)), 0x4e, _t30,  &_v32);
      				} else {
      					_t32 = E00408420(_t56, GetParent( *(_t56 + 8)),  &_v32);
      				}
      				if( *((intOrPtr*)(_t56 + 0x7c)) == _t55) {
      					_t32 = E00404B90(_t56,  *(_t56 + 8), 0x7d0, 0, 0, _t55, 0);
      					 *((intOrPtr*)(_t56 + 0x7c)) = 0;
      				}
      				if( *((intOrPtr*)(_t56 + 0xac)) == _t55) {
      					 *((intOrPtr*)(_t56 + 0xac)) = 0;
      				}
      				_a4 = E00405CE0(_t32, _t56, _t55);
      				E004075D0(_t43, _t56, _t54, _t56, _t33, 0xffffffff);
      				_t44 =  *((intOrPtr*)(_t55 + 8));
      				L00403EA0(_t55);
      				_t36 = E0046EF07(_t55);
      				if(_t44 != 0 && ( *(_t44 + 0x20) & 0x00000040) == 0) {
      					return E00408810(_t56, _a4 - 1, _a4 - 1);
      				}
      				return _t36;
      			}

      APIs
      • GetWindowLongW.USER32(?,000000F4), ref: 00404554
      • GetParent.USER32(00000000), ref: 00404585
        • Part of subcall function 00404520: GetParent.USER32(00000000), ref: 0040459F
        • Part of subcall function 00404520: SendMessageW.USER32(00000000), ref: 004045A6
      Similarity
      • API ID: Parent$LongMessageSendWindow
      • String ID:
      • API String ID: 3337775700-0
      • Opcode ID: 95e163bedb0c45225ccb0a8580d869a2e3bf00a1ee37a46b9207722227746fcd
      • Instruction ID: c279d0b1ef588b47bd578b2fde28043c7b7a9b6f994eb0221ab92b08f5ae9746
      • Opcode Fuzzy Hash: 95e163bedb0c45225ccb0a8580d869a2e3bf00a1ee37a46b9207722227746fcd
      • Instruction Fuzzy Hash: C031C4B0A00705BFDB109F66CC05B6FBAF8AF84714F00452EF655E62D1EB7CA9008B99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 66%
      			E0045C480(void* __edx, void* __fp0, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				char _v540;
      				signed char _v544;
      				struct _CRITICAL_SECTION* _v548;
      				char _v568;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t22;
      				signed int _t23;
      				signed char _t33;
      				signed char _t37;
      				void* _t38;
      				void* _t49;
      				struct HWND__* _t51;
      				void* _t52;
      				int _t54;
      				void* _t55;
      				signed int _t56;
      
      				_t49 = __edx;
      				_push(0xffffffff);
      				_push(E0048C146);
      				_push( *[fs:0x0]);
      				_t22 =  *0x4bb1dc; // 0x2927074f
      				_t23 = _t22 ^ _t56;
      				_v20 = _t23;
      				_push(_t23);
      				 *[fs:0x0] =  &_v16;
      				_t51 = _a4;
      				_t37 = 1;
      				_v544 = 1;
      				_t54 = SendMessageW(_t51, 0x100c, 0xffffffff, 2);
      				if(_t54 >= 0) {
      					_v548 = 0x4bca10;
      					do {
      						EnterCriticalSection(0x4bca10);
      						_v8 = 0;
      						E0040D160(0x4bca10,  &_v568, _t54);
      						_v8 = 1;
      						E004110C0(_t49, _t51, _a8,  &_v540, 0x104);
      						_v8 = 0;
      						E0040F960( &_v568, _t54);
      						_t33 = E00412AD0(0x4bca94, __fp0, _a8, 0,  &_v540, _a12);
      						_v8 = 0xffffffff;
      						asm("sbb al, al");
      						_t37 = _t37 &  ~_t33;
      						LeaveCriticalSection(0x4bca10);
      						_t54 = SendMessageW(_t51, 0x100c, _t54, 2);
      						_t60 = _t54;
      					} while (_t54 >= 0);
      					_v544 = _t37;
      				}
      				E00418140(0x4bca10, _t60, _v544);
      				 *[fs:0x0] = _v16;
      				_pop(_t52);
      				_pop(_t55);
      				_pop(_t38);
      				return E0046F77E(_t38, _v20 ^ _t56, _t49, _t52, _t55);
      			}

      APIs
      • SendMessageW.USER32(00450718,0000100C,000000FF,00000002), ref: 0045C4C3
      • EnterCriticalSection.KERNEL32(004BCA10), ref: 0045C4E5
        • Part of subcall function 0040F960: ReleaseSRWLockShared.KERNEL32(?,004C2538,00468906,004C2538,000000FF,?,?,00467152,00000000,004C255C), ref: 0040F971
        • Part of subcall function 00412AD0: EnterCriticalSection.KERNEL32(?,2927074F,?,00000000,2927074F), ref: 00412B02
        • Part of subcall function 00412AD0: EnterCriticalSection.KERNEL32(?), ref: 00412BC1
        • Part of subcall function 00412AD0: LeaveCriticalSection.KERNEL32(?), ref: 00412BEF
      • LeaveCriticalSection.KERNEL32(004BCA10,?,00000000,?,000000FF,?,00000000), ref: 0045C558
      • SendMessageW.USER32(00450718,0000100C,00000000,00000002), ref: 0045C567
      Similarity
      • API ID: CriticalSection$Enter$LeaveMessageSend$LockReleaseShared
      • String ID:
      • API String ID: 1942342200-0
      • Opcode ID: fba5bb9275dc2f9f9882dc04321b9d00f6d86f0decfb0eb6cf38af3bdd5eaabd
      • Instruction ID: 76f7763768e08c91c0633799dc90c6b738bd9870a28555a498feb060fd741e37
      • Opcode Fuzzy Hash: fba5bb9275dc2f9f9882dc04321b9d00f6d86f0decfb0eb6cf38af3bdd5eaabd
      • Instruction Fuzzy Hash: BE31243594121CBBCB20DB64DC89BDDBB74EB09720F1042AEF815B72D1DB785A08CB68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E0045C610(void* __edx, void* __fp0, struct HWND__* _a4, intOrPtr _a8) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				char _v540;
      				struct _CRITICAL_SECTION* _v544;
      				char _v564;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t18;
      				signed int _t19;
      				void* _t33;
      				void* _t44;
      				struct HWND__* _t46;
      				void* _t47;
      				int _t49;
      				void* _t50;
      				signed int _t51;
      
      				_t44 = __edx;
      				_push(0xffffffff);
      				_push(E0048C186);
      				_push( *[fs:0x0]);
      				_t18 =  *0x4bb1dc; // 0x2927074f
      				_t19 = _t18 ^ _t51;
      				_v20 = _t19;
      				_push(_t19);
      				 *[fs:0x0] =  &_v16;
      				_t46 = _a4;
      				_t49 = SendMessageW(_t46, 0x100c, 0xffffffff, 2);
      				if(_t49 >= 0) {
      					_v544 = 0x4bca10;
      					do {
      						EnterCriticalSection(0x4bca10);
      						_v8 = 0;
      						E0040D160(0x4bca10,  &_v564, _t49);
      						_v8 = 1;
      						E004110C0(_t44, _t46, _a8,  &_v540, 0x104);
      						_v8 = 0;
      						E0040F960( &_v564, _t49);
      						E00412AD0(0x4bcac0, __fp0, _a8, 0,  &_v540, 1);
      						_v8 = 0xffffffff;
      						LeaveCriticalSection(0x4bca10);
      						_t49 = SendMessageW(_t46, 0x100c, _t49, 2);
      					} while (_t49 >= 0);
      				}
      				E00418650(0x4bca10);
      				 *[fs:0x0] = _v16;
      				_pop(_t47);
      				_pop(_t50);
      				_pop(_t33);
      				return E0046F77E(_t33, _v20 ^ _t51, _t44, _t47, _t50);
      			}

      APIs
      • SendMessageW.USER32(004506D6,0000100C,000000FF,00000002), ref: 0045C651
      • EnterCriticalSection.KERNEL32(004BCA10), ref: 0045C675
        • Part of subcall function 0040F960: ReleaseSRWLockShared.KERNEL32(?,004C2538,00468906,004C2538,000000FF,?,?,00467152,00000000,004C255C), ref: 0040F971
        • Part of subcall function 00412AD0: EnterCriticalSection.KERNEL32(?,2927074F,?,00000000,2927074F), ref: 00412B02
        • Part of subcall function 00412AD0: EnterCriticalSection.KERNEL32(?), ref: 00412BC1
        • Part of subcall function 00412AD0: LeaveCriticalSection.KERNEL32(?), ref: 00412BEF
      • LeaveCriticalSection.KERNEL32(004BCA10,?,00000000,?,00000001,?,00000000), ref: 0045C6E1
      • SendMessageW.USER32(004506D6,0000100C,00000000,00000002), ref: 0045C6F0
      Similarity
      • API ID: CriticalSection$Enter$LeaveMessageSend$LockReleaseShared
      • String ID:
      • API String ID: 1942342200-0
      • Opcode ID: 226d8e25a459785eb0f7f2c2da0ed6be672494003f854540b5063578f72e7b6c
      • Instruction ID: 1ad072ab6615f174718e20d8df4317b58af0a1d93eb43c122bbc80b165f300c8
      • Opcode Fuzzy Hash: 226d8e25a459785eb0f7f2c2da0ed6be672494003f854540b5063578f72e7b6c
      • Instruction Fuzzy Hash: 25210731A40258BBCB20DB64DCC6FDE77A4EB09760F10466AF915B72C0CB785A448BA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 49%
      			E0046D1A0(void* _a4, intOrPtr _a8, intOrPtr _a12) {
      				signed int _v8;
      				char _v528;
      				int _v532;
      				struct _ITEMIDLIST* _v536;
      				int _v544;
      				int _v548;
      				intOrPtr _v552;
      				intOrPtr _v556;
      				char* _v560;
      				struct _ITEMIDLIST* _v564;
      				void* _v568;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t28;
      				void* _t37;
      				intOrPtr* _t38;
      				intOrPtr _t44;
      				intOrPtr* _t49;
      				void* _t53;
      				intOrPtr _t56;
      				void* _t57;
      				signed int _t58;
      
      				_t28 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t28 ^ _t58;
      				_t44 = _a12;
      				_t57 = _a4;
      				_t56 = _a8;
      				_v532 = 0;
      				__imp__SHGetMalloc( &_v532);
      				if(SHGetSpecialFolderLocation(_t57, 0,  &_v536) < 0) {
      					L4:
      					return E0046F77E(_t44, _v8 ^ _t58, _t53, _t56, _t57);
      				} else {
      					_v564 = _v536;
      					_v560 =  &_v528;
      					_t37 =  &_v568;
      					_v568 = _t57;
      					_v556 = _t56;
      					_v552 = 0x11;
      					_v548 = 0;
      					_v544 = 0;
      					__imp__SHBrowseForFolderW(_t37);
      					_t57 = _t37;
      					if(_t57 == 0) {
      						_t38 = _v532;
      						 *((intOrPtr*)( *_t38 + 0x14))(_t38, _v536);
      						goto L4;
      					} else {
      						__imp__SHGetPathFromIDListW(_t57, _t44);
      						_t49 = _v532;
      						 *((intOrPtr*)( *_t49 + 0x14))(_t49, _t57);
      						 *((intOrPtr*)( *_v532 + 0x14))(_v536);
      						return E0046F77E(_t37, _v8 ^ _t58,  *_v532, _t56, _t57, _v532);
      					}
      				}
      			}

      APIs
      • SHGetMalloc.SHELL32(?), ref: 0046D1D0
      • SHGetSpecialFolderLocation.SHELL32(?,00000000,?), ref: 0046D1E0
      • SHBrowseForFolderW.SHELL32(?), ref: 0046D237
      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0046D245
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Folder$BrowseFromListLocationMallocPathSpecial
      • String ID:
      • API String ID: 1177674635-0
      • Opcode ID: 4f86ba800b4047cb2421ddcc37b7111960b39e9769add398492bbf8b175d46cf
      • Instruction ID: 81ddbfa95f22b55f70c625058e52c491191616d9a660c9591f1212599ffc18c8
      • Opcode Fuzzy Hash: 4f86ba800b4047cb2421ddcc37b7111960b39e9769add398492bbf8b175d46cf
      • Instruction Fuzzy Hash: FC310B71A4112D9BCB20DF54EC88BDAB7B8EF18300F1001EAE90997210D7749E858FA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E004269A0(void* __esi, struct HWND__* _a4, int _a8, intOrPtr _a12, long _a16) {
      				signed int _v8;
      				intOrPtr _v16;
      				void* _v24;
      				void* __ebx;
      				void* __edi;
      				signed int _t14;
      				intOrPtr _t16;
      				long _t17;
      				struct HWND__* _t27;
      				void* _t32;
      				long _t33;
      				void* _t34;
      				void* _t36;
      				signed int _t37;
      
      				_t34 = __esi;
      				_t14 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t14 ^ _t37;
      				_t16 = _a12;
      				_t27 = _a4;
      				_t33 = _a16;
      				if(_t16 == 0) {
      					if(_t33 == 0) {
      						_t17 = 0;
      					} else {
      						 *_t33 = 0;
      						_t17 = _t33;
      					}
      					SendMessageW(_t27, 0x100e, _a8, _t17);
      					SendMessageW(SendMessageW(_t27, 0x101f, 0, 0), 0x1207, 0,  &_v24);
      					 *_t33 = _v24;
      					_t36 = _t34;
      					 *((intOrPtr*)(_t33 + 8)) = _v16;
      					return E0046F77E(_t27, _v8 ^ _t37, _t32, _t33, _t36);
      				} else {
      					if(_t33 == 0) {
      						_t33 = 0;
      					} else {
      						 *((intOrPtr*)(_t33 + 4)) = _t16;
      						 *_t33 = 0;
      					}
      					SendMessageW(_t27, 0x1038, _a8, _t33);
      					return E0046F77E(_t27, _v8 ^ _t37, _t32, _t33, _t34);
      				}
      			}

      APIs
      • SendMessageW.USER32(?,00001038,?,00000000), ref: 004269DA
      • SendMessageW.USER32(?,0000100E,?,00000000), ref: 00426A11
      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00426A28
      • SendMessageW.USER32(00000000,?,0042611F,?), ref: 00426A2B
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: c623acdf051f324b38dc69873fae0aefe757c99360cdd5a052b1f261e9ce6b2c
      • Instruction ID: 06966cef8216538f6bbca56a67f5ac7db17d9719453b703a82ba9c531a413dbe
      • Opcode Fuzzy Hash: c623acdf051f324b38dc69873fae0aefe757c99360cdd5a052b1f261e9ce6b2c
      • Instruction Fuzzy Hash: 9711B6B2700249BBDB10DF69DC41FABB7ACEF48700F11452BB909E7281DBB4A9148B64
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0042EE90(signed int __ecx, void* __eflags, struct HWND__* _a4, int _a8, void* _a12) {
      				char _v5;
      				signed int _v32;
      				void* _v52;
      				int _t23;
      				signed int _t31;
      				signed int _t32;
      				int _t37;
      				struct HWND__* _t38;
      				struct HWND__* _t39;
      				char _t45;
      
      				_t38 = _a4;
      				_t37 = E0042EDD0(__ecx, _t38,  &_v5);
      				_t39 = SendMessageW(_t38, 0x101f, 0, 0);
      				_t23 = _a8;
      				if(_t23 == _t37) {
      					_t45 = _v5;
      				}
      				_t32 = _t31 & 0xffffff00 | _t45 == 0x00000000;
      				if(_t37 >= 0) {
      					_v52 = 4;
      					SendMessageW(_t39, 0x120b, _t37,  &_v52);
      					if( *0x4bcb6b == 0) {
      						_v32 = _v32 & 0xffffe7ff;
      					} else {
      						_v32 = _v32 & 0xffffd9ff;
      					}
      					SendMessageW(_t39, 0x120c, _t37,  &_v52);
      					UpdateWindow(_t39);
      					_t23 = _a8;
      				}
      				if(_t23 >= 0) {
      					E0042E860(_t39, _t23, (0 | _t32 == 0x00000000) * 2 - 1);
      				}
      				return _t32;
      			}

      APIs
        • Part of subcall function 0042EDD0: SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042EDEB
        • Part of subcall function 0042EDD0: SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0042EDFD
        • Part of subcall function 0042EDD0: SendMessageW.USER32(?,0000120B,00000000,?), ref: 0042EE2D
      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0042EEB5
      • SendMessageW.USER32(00000000,0000120B,00000000,?), ref: 0042EEE7
      • SendMessageW.USER32(00000000,0000120C,00000000,00000004), ref: 0042EF11
      • UpdateWindow.USER32(00000000), ref: 0042EF18
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$UpdateWindow
      • String ID:
      • API String ID: 3703574589-0
      • Opcode ID: 581086e6264328645e27c7cae509f16c3300a2fde868573d5510883a5825965d
      • Instruction ID: 2ce1d918be64d18b220022b0c60d63880238d98f2774ef326c11ec9885668174
      • Opcode Fuzzy Hash: 581086e6264328645e27c7cae509f16c3300a2fde868573d5510883a5825965d
      • Instruction Fuzzy Hash: 9D113876A106647BE7119B62EC09FEF3B6CEF45311F44032AF910A21D0E774560AC7A9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0042D7E7(signed short __ebx, intOrPtr __edx, void* __eflags) {
      				void* _t29;
      				void* _t32;
      				void* _t33;
      				intOrPtr _t34;
      				signed short _t38;
      				intOrPtr _t43;
      				struct HINSTANCE__* _t44;
      				intOrPtr _t46;
      				struct HRSRC__* _t48;
      				void* _t49;
      				intOrPtr* _t51;
      				void* _t53;
      				void* _t55;
      				void* _t56;
      
      				_t43 = __edx;
      				_t38 = __ebx;
      				do {
      					_t48 = FindResourceW(_t44,  *(_t43 + 0x12 + ((_t38 & 0x0000ffff) * 8 - (_t38 & 0x0000ffff)) * 2) & 0x0000ffff, 3);
      					_t29 = LoadResource(_t44, _t48);
      					 *((intOrPtr*)(_t53 - 4)) = SizeofResource( *(_t53 + 8), _t48);
      					_t49 = LockResource(_t29);
      					_t32 = E0042D520(_t43, _t49,  *((intOrPtr*)(_t53 + 0xc)), 0x10);
      					_t46 =  *((intOrPtr*)(_t53 - 4));
      					_t56 = _t55 + 0xc;
      					if(_t32 < 0) {
      						 *((intOrPtr*)(_t53 + 0xc)) = _t49;
      						 *((intOrPtr*)(_t53 - 8)) = _t46;
      					}
      					_t33 = E0042D520(_t43, _t49,  *((intOrPtr*)(_t53 + 0x10)), 0x20);
      					_t55 = _t56 + 0xc;
      					if(_t33 < 0) {
      						 *((intOrPtr*)(_t53 + 0x10)) = _t49;
      						 *((intOrPtr*)(_t53 - 0xc)) = _t46;
      					}
      					_t43 =  *((intOrPtr*)(_t53 - 0x10));
      					_t38 = _t38 + 1;
      					_t44 =  *(_t53 + 8);
      				} while (_t38 <  *((intOrPtr*)(_t43 + 4)));
      				_t34 =  *((intOrPtr*)(_t53 + 0xc));
      				_t51 =  *((intOrPtr*)(_t53 + 0x14));
      				 *((intOrPtr*)( *_t51 + 4)) = 0x10;
      				E0046A4D0( *_t51, _t34,  *((intOrPtr*)(_t53 - 8)));
      				 *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)) + 4)) = 0x20;
      				E0046A4D0( *((intOrPtr*)(_t51 + 4)),  *((intOrPtr*)(_t53 + 0x10)),  *((intOrPtr*)(_t53 - 0xc)));
      				return 0;
      			}

      APIs
      • FindResourceW.KERNEL32(?,?,00000003), ref: 0042D805
      • LoadResource.KERNEL32(?,00000000), ref: 0042D80B
      • SizeofResource.KERNEL32(?,00000000), ref: 0042D817
      • LockResource.KERNEL32(00000000), ref: 0042D821
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Resource$FindLoadLockSizeof
      • String ID:
      • API String ID: 3473537107-0
      • Opcode ID: 6cbdf1a8847ae62315614c1d8929c674e76bc9eaa433d6b91a3285c3a64f5ff8
      • Instruction ID: 900bc1a379b5186dd370e5cfb3e57c7c9e06bbb419ca0d85b97006c54b7a6ce7
      • Opcode Fuzzy Hash: 6cbdf1a8847ae62315614c1d8929c674e76bc9eaa433d6b91a3285c3a64f5ff8
      • Instruction Fuzzy Hash: B621AE36900228BFCB109F99EC04BAEBBB9FF88314F14845AFC14D7211D7B99960DB95
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0042D8B0(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
      				intOrPtr* _v8;
      				void* _v12;
      				intOrPtr* _t18;
      				struct HINSTANCE__* _t25;
      				intOrPtr* _t27;
      
      				_t25 = LoadLibraryExW(_a4, 0, 2);
      				if(_t25 != 0) {
      					_t18 = _a8;
      					_t27 = _a12;
      					_v12 = _t18;
      					_v8 = _t27;
      					EnumResourceNamesW(_t25, 0xe, E0042D780,  &_v12);
      					if(_t18 == 0) {
      						L5:
      						if(_t27 == 0) {
      							L9:
      							FreeLibrary(_t25);
      							return 0;
      						} else {
      							_t23 =  *_t27;
      							if( *_t27 == 0 || E0046A620(_t23) == 0) {
      								goto L9;
      							} else {
      								goto L8;
      							}
      						}
      					} else {
      						_t24 =  *_t18;
      						if( *_t18 == 0 || E0046A620(_t24) == 0) {
      							goto L5;
      						} else {
      							L8:
      							FreeLibrary(_t25);
      							return 1;
      						}
      					}
      				} else {
      					return 0;
      				}
      			}

      APIs
      • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,-000004EB,00000000,00000000), ref: 0042D8BE
      • EnumResourceNamesW.KERNEL32(00000000,0000000E,0042D780,?,00000000,004BCA10), ref: 0042D8EB
      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042D91A
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Library$EnumFreeLoadNamesResource
      • String ID:
      • API String ID: 4012870511-0
      • Opcode ID: ee97f885510f4a8b02c429c1f1cd97c84b54cdf08787a53f106ae3f2758cc672
      • Instruction ID: 5ad11dd2178fa7e7a6659fbda2c4857555bad07c5a2ec38c1005b4915a1d30ae
      • Opcode Fuzzy Hash: ee97f885510f4a8b02c429c1f1cd97c84b54cdf08787a53f106ae3f2758cc672
      • Instruction Fuzzy Hash: E701E171B82229ABDB109E5AFC45AEAB3ACEF45715F14016FFC04D3200DB6588458799
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00406720(void* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
      				intOrPtr _v24;
      				intOrPtr _v32;
      				intOrPtr _v36;
      				intOrPtr _v48;
      				intOrPtr _v52;
      				intOrPtr _v56;
      				intOrPtr _v60;
      				int _v64;
      				void* _v68;
      				intOrPtr _t23;
      				intOrPtr _t33;
      				int _t40;
      				void* _t41;
      
      				_t22 = _a4;
      				_t33 =  *_a4;
      				_t41 = __ecx;
      				_t23 = E00405CE0(_t22, _t33, _t22);
      				_v68 = 0;
      				E00470030( &_v64, 0, 0x3c);
      				_v68 =  *(_t33 + 8);
      				_t40 = GetWindowLongW( *(_t33 + 8), 0xfffffff4);
      				_v48 = _a8;
      				_v24 =  *((intOrPtr*)(_t41 + 4));
      				_v32 =  *_a16;
      				_v64 = _t40;
      				_v60 = 0xffffff4f;
      				_v56 = 1;
      				_v52 = _t23;
      				_v36 = _a12;
      				SendMessageW(GetParent( *(_t33 + 8)), 0x4e, _t40,  &_v68);
      				return _v36;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: LongMessageParentSendWindow_memset
      • String ID:
      • API String ID: 2702428208-0
      • Opcode ID: 443c687ee284de9c09facd59c3391943ae8435e8b4b1a64eeb6c3815f0e54ed9
      • Instruction ID: 573f846d1b45e0ef0d44dad9e4187f27f00912542403926c27406c7a1c523595
      • Opcode Fuzzy Hash: 443c687ee284de9c09facd59c3391943ae8435e8b4b1a64eeb6c3815f0e54ed9
      • Instruction Fuzzy Hash: 5C11ECB5900218AFDB04DF99DC85A9DB7B9FB48310F00412AF915E7391D7759C15CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E0044EFF3(void* __ebx, void* __edx) {
      				void* __esi;
      				void* _t20;
      				int _t21;
      				void* _t26;
      				void* _t28;
      				struct HWND__* _t29;
      				void* _t30;
      				signed int _t31;
      
      				_t26 = __edx;
      				_t20 = __ebx;
      				if(SendMessageW(GetDlgItem(_t29, 0x3f9), 0x1042, 0, 0) >= 0) {
      					 *(__ebp - 0x494) = 0x4bca10;
      					EnterCriticalSection(0x4bca10);
      					 *((intOrPtr*)(__ebp - 4)) = 0x13;
      					__ecx = 0x4bca10;
      					E0040D160(0x4bca10, __ebp - 0x4b4, __edi);
      					 *((char*)(__ebp - 4)) = 0x14;
      					if( *((intOrPtr*)(__ebp - 0x4ac)) != 0) {
      						__ecx = __ebp - 0x4b4;
      						E004110C0(__edx, __edi, 0x9c75, __ebp - 0x288, 0x104);
      						E004377C0(__edx, __esi, __ebp - 0x288);
      					}
      					 *((char*)(__ebp - 4)) = 0x13;
      					__ecx = __ebp - 0x4b4;
      					E0040F960(__ecx, __esi);
      					LeaveCriticalSection(0x4bca10);
      				}
      				_t21 =  *(_t31 + 0xc);
      				DefWindowProcW(_t29, _t21,  *(_t31 - 0x628),  *(_t31 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0xc));
      				_pop(_t28);
      				_pop(_t30);
      				return E0046F77E(_t20,  *(_t31 - 0x10) ^ _t31, _t26, _t28, _t30);
      			}

      APIs
      • DefWindowProcW.USER32(?,?,?,?,2927074F), ref: 0044E737
      • GetDlgItem.USER32 ref: 0044F002
      • SendMessageW.USER32(00000000,?,000003F9,00001042), ref: 0044F009
      • EnterCriticalSection.KERNEL32 ref: 0044F028
        • Part of subcall function 004377C0: _memset.LIBCMT ref: 00437807
        • Part of subcall function 004377C0: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice,00000000,00020019,?), ref: 0043782D
        • Part of subcall function 004377C0: RegQueryValueExW.ADVAPI32(?,ProgId,00000000,00000000,?,?), ref: 00437866
        • Part of subcall function 004377C0: RegCloseKey.ADVAPI32(?), ref: 00437870
        • Part of subcall function 004377C0: RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 004378AC
        • Part of subcall function 004377C0: RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000104), ref: 004378D7
        • Part of subcall function 004377C0: RegCloseKey.ADVAPI32(?), ref: 004378E1
        • Part of subcall function 004377C0: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,?), ref: 00437903
        • Part of subcall function 004377C0: RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0043792D
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: OpenQueryValue$Close$CriticalEnterItemMessageProcSectionSendWindow_memset
      • String ID:
      • API String ID: 3164690574-0
      • Opcode ID: afcac3faf0b4f40ae079d1308cca24a7b8c8beb9b5c9bf3322be86f6c0c446db
      • Instruction ID: 89d94f998de9e4427bfe644e63197b292705dbf659179c3bd028b3999e467b85
      • Opcode Fuzzy Hash: afcac3faf0b4f40ae079d1308cca24a7b8c8beb9b5c9bf3322be86f6c0c446db
      • Instruction Fuzzy Hash: 8211E77590161CAFEB20DB50DC46FDD7778EB49700F0041AAF606B2192DB791B48CF29
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00406200(void* __ecx, intOrPtr* _a4, signed int* _a8) {
      				intOrPtr _v24;
      				intOrPtr _v28;
      				unsigned int _v44;
      				intOrPtr _v52;
      				intOrPtr _v56;
      				intOrPtr _v60;
      				int _v64;
      				void* _v68;
      				intOrPtr _t19;
      				int _t22;
      				void* _t27;
      				intOrPtr _t36;
      
      				_t18 = _a4;
      				_t36 =  *_a4;
      				_t27 = __ecx;
      				_t19 = E00405CE0(_a4, _t36, _t18);
      				_v68 = 0;
      				E00470030( &_v64, 0, 0x3c);
      				_v68 =  *(_t36 + 8);
      				_t22 = GetWindowLongW( *(_t36 + 8), 0xfffffff4);
      				_v24 =  *((intOrPtr*)(_t27 + 4));
      				_v64 = _t22;
      				_v60 = 0xffffff4f;
      				_v56 = 0xa;
      				_v52 = _t19;
      				SendMessageW(GetParent( *(_t36 + 8)), 0x4e, _t22,  &_v68);
      				 *_a8 = _v44 >> 0x00000008 & 0x000000ff;
      				return _v28;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: LongMessageParentSendWindow_memset
      • String ID:
      • API String ID: 2702428208-0
      • Opcode ID: b797cd1aae7231f683b686f9dfc0163ed071df8d219e069081566c2dd0990158
      • Instruction ID: ace7118a75845a1584e24e109266dd5763baeb84e3b9868ee1d1feef5fe0f609
      • Opcode Fuzzy Hash: b797cd1aae7231f683b686f9dfc0163ed071df8d219e069081566c2dd0990158
      • Instruction Fuzzy Hash: 11112E71900208EFDB14DF99DC99AADBBB8FB48320F00422AF519A7390D7706C15CB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0047A53B(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
      				intOrPtr _t25;
      				void* _t26;
      
      				_t25 = _a16;
      				if(_t25 == 0x65 || _t25 == 0x45) {
      					_t26 = E0047AA8C(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
      					goto L9;
      				} else {
      					_t34 = _t25 - 0x66;
      					if(_t25 != 0x66) {
      						__eflags = _t25 - 0x61;
      						if(_t25 == 0x61) {
      							L7:
      							_t26 = E0047A5C1(_a4, _a8, _a12, _a20, _a24, _a28);
      						} else {
      							__eflags = _t25 - 0x41;
      							if(__eflags == 0) {
      								goto L7;
      							} else {
      								_t26 = E0047AD07(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
      							}
      						}
      						L9:
      						return _t26;
      					} else {
      						return E0047AC46(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
      					}
      				}
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
      • String ID:
      • API String ID: 3016257755-0
      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
      • Instruction ID: 6065256088f9221d480d4c09d33161ac2c285a7db1985858c66e851028d5b963
      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
      • Instruction Fuzzy Hash: 7B010B7200014AFBCF166E85DC41CEE3F66BB58355B58841AFE1C59131D33ACAB5AB8A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00404B90(intOrPtr __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				int _v28;
      				void* _v32;
      				struct HWND__* _t20;
      				int _t21;
      				intOrPtr _t34;
      
      				_v24 = _a8;
      				_t34 = __ecx;
      				_t20 = _a4;
      				_v32 = _t20;
      				_t21 = GetWindowLongW(_t20, 0xfffffff4);
      				_v12 = _a12;
      				_v20 = _a20;
      				_v16 = _a16;
      				_v28 = _t21;
      				_v8 = _a24;
      				if( *((char*)(_t34 + 0xc4)) == 0) {
      					return SendMessageW(GetParent( *(_t34 + 8)), 0x4e, _t21,  &_v32);
      				} else {
      					return E00408420(_t34, GetParent( *(_t34 + 8)),  &_v32);
      				}
      			}

      APIs
      • GetWindowLongW.USER32(?,000000F4), ref: 00404BA8
      • GetParent.USER32(00000000), ref: 00404BD9
      • GetParent.USER32(00000000), ref: 00404BF8
      • SendMessageW.USER32(00000000), ref: 00404BFF
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Parent$LongMessageSendWindow
      • String ID:
      • API String ID: 3337775700-0
      • Opcode ID: 207e5649440e5a92ea655a6d2b7f920f1bd7743ff6bb1ac6b535fc1a46d2a7b1
      • Instruction ID: 35d7d5fe4c4b2a385043659bffc6480a636900154da40fa62d10d03042218809
      • Opcode Fuzzy Hash: 207e5649440e5a92ea655a6d2b7f920f1bd7743ff6bb1ac6b535fc1a46d2a7b1
      • Instruction Fuzzy Hash: 23011BB1D04209AFCB04DF98D8449AE7BB8FB08310F00856EF916E3390EB749A15CFA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E004136B0(void* __edi, void* __esi, int* _a4, int* _a8) {
      				signed int _v8;
      				short _v528;
      				short _v1048;
      				void* __ebx;
      				signed int _t11;
      				void* _t29;
      				signed int _t32;
      
      				_t11 =  *0x4bb1dc; // 0x2927074f: the CRT __security_cookie (/GS)
      				_v8 = _t11 ^ _t32; // stack cookie slot = __security_cookie ^ ebp
      				LoadStringW(GetModuleHandleW(0),  *_a4,  &_v1048, 0x104); // resource string *_a4 into a 0x104 (260) WCHAR buffer
      				LoadStringW(GetModuleHandleW(0),  *_a8,  &_v528, 0x104);
      				E0046F283(_a8, __edi, __esi,  &_v1048,  &_v528);
      				return E0046F77E(_a8, _v8 ^ _t32, _t29, __edi, __esi); // cookie re-derived for the epilogue check
      			}
      Instruction addresses of the decompiled statements (column alignment lost in extraction): 0x004136b9, 0x004136c0, 0x004136e1, 0x004136fe, 0x00413712, 0x0041372f

      APIs
      • GetModuleHandleW.KERNEL32(00000000,?,?,00000104), ref: 004136DA
      • LoadStringW.USER32(00000000), ref: 004136E1
      • GetModuleHandleW.KERNEL32(00000000,?,?,00000104), ref: 004136F7
      • LoadStringW.USER32(00000000), ref: 004136FE
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: HandleLoadModuleString
      • String ID:
      • API String ID: 3590730445-0
      • Opcode ID: 97d202e46ce8cb964d8db58589472f3fa818b540aba5fb0d71bd7941029464d3
      • Instruction ID: 2836c1e3fc9de2d50c824aefd2f9da0c2c0e2b7a8ecaaa2d4822d559dd2a0bbd
      • Opcode Fuzzy Hash: 97d202e46ce8cb964d8db58589472f3fa818b540aba5fb0d71bd7941029464d3
      • Instruction Fuzzy Hash: 2001FFB190020CABDB10DFE4DC4AF9977ACEB48305F0045B9B605C6191EA75AA488B65
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E00413730(void* __edi, void* __esi, int* _a4, int* _a8) {
      				signed int _v8;
      				short _v528;
      				short _v1048;
      				void* __ebx;
      				signed int _t11;
      				void* _t29;
      				signed int _t32;
      
      				_t11 =  *0x4bb1dc; // 0x2927074f: the CRT __security_cookie (/GS)
      				_v8 = _t11 ^ _t32; // stack cookie slot = __security_cookie ^ ebp
      				LoadStringW(GetModuleHandleW(0),  *_a8,  &_v1048, 0x104); // same as E004136B0 with the two string ids swapped
      				LoadStringW(GetModuleHandleW(0),  *_a4,  &_v528, 0x104);
      				E0046F283(_a4, __edi, __esi,  &_v1048,  &_v528);
      				return E0046F77E(_a4, _v8 ^ _t32, _t29, __edi, __esi); // cookie re-derived for the epilogue check
      			}
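      The `_t11 = *0x4bb1dc; _v8 = _t11 ^ _t32;` prologue and the matching `_v8 ^ _t32` argument at the return of E004136B0 and E00413730 (and again at the top of E004202C0) are the MSVC /GS stack-cookie idiom: the global cookie is XORed with the frame pointer, stored just above the local buffers, and re-derived in the epilogue so that a buffer overrun is caught before the function returns. The C program below is an added illustration and is not code from the sample or from Joe Sandbox. It models the 32-bit frame of these two functions as the decompiler names it (two 260-WCHAR buffers below the cookie slot), uses the cookie value shown in the dump (0x2927074f), and takes a constructed frame base of 0x0019ff40 and a constructed 261-character input as assumptions; it shows that copying one WCHAR more than the upper buffer holds corrupts the cookie so the check fails.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Value read from 0x4bb1dc in the dump; stands in for the CRT's __security_cookie. */
#define SECURITY_COOKIE 0x2927074fu

/* Constructed 32-bit frame base (the ebp value the decompiler calls _t32); an assumption, not from the report. */
#define FRAME_BASE 0x0019ff40u

/* 32-bit frame of E004136B0 / E00413730 as the decompiler names it:
 * _v1048 at ebp-1048, _v528 at ebp-528, _v8 (cookie slot) at ebp-8.
 * Lower addresses come first, so an overrun of v528 runs into the cookie slot. */
struct gs_frame {
    uint16_t v1048[260];   /* first LoadStringW buffer, 0x104 WCHARs */
    uint16_t v528[260];    /* second LoadStringW buffer, 0x104 WCHARs */
    uint32_t v8;           /* __security_cookie ^ ebp */
};

/* Prologue: _v8 = __security_cookie ^ ebp. */
static uint32_t gs_arm(struct gs_frame *f, uint32_t frame_base) {
    f->v8 = SECURITY_COOKIE ^ frame_base;
    return f->v8;
}

/* Epilogue: recompute _v8 ^ ebp and compare it with the global cookie.
 * This is the value the sample passes on to E0046F77E for checking. */
static bool gs_check(const struct gs_frame *f, uint32_t frame_base) {
    return (f->v8 ^ frame_base) == SECURITY_COOKIE;
}

/* Copies n WCHARs into v528 with no bound, the way an unchecked caller would,
 * and reports whether the cookie check still passes afterwards. The copy is
 * clamped to the simulated frame so the program itself never writes out of bounds. */
bool gs_copy_and_check(const uint16_t *src, size_t n) {
    struct gs_frame f;
    memset(&f, 0, sizeof f);
    gs_arm(&f, FRAME_BASE);

    size_t bytes = n * sizeof(uint16_t);
    size_t limit = sizeof f - offsetof(struct gs_frame, v528);
    if (bytes > limit) bytes = limit;
    memcpy((unsigned char *)&f + offsetof(struct gs_frame, v528), src, bytes);

    return gs_check(&f, FRAME_BASE);
}

/* Constructed input: 261 WCHARs of L'A', one more than either buffer holds. */
#define SAMPLE_LEN 261
static uint16_t sample_input[SAMPLE_LEN];

static void fill_sample(void) {
    for (size_t i = 0; i < SAMPLE_LEN; i++) sample_input[i] = 0x0041;
}

/* 260 WCHARs fit exactly: the cookie slot is untouched and the check passes. */
bool demo_in_bounds(void) {
    fill_sample();
    return gs_copy_and_check(sample_input, 260);
}

/* 261 WCHARs: the last one lands on the low half of the cookie slot
 * (0x293ef80f becomes 0x293e0041) and the check fails. */
bool demo_overrun(void) {
    fill_sample();
    return gs_copy_and_check(sample_input, 261);
}

int main(void) {
    return (demo_in_bounds() && !demo_overrun()) ? 0 : 1;
}
```

      The XOR with the frame base is what makes the slot value differ per frame even though the global cookie is fixed for the process; a reader of the dump can therefore treat any `*0x4bb1dc ... ^ ebp` pair as compiler instrumentation rather than as sample logic.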
      Instruction addresses of the decompiled statements (column alignment lost in extraction): 0x00413739, 0x00413740, 0x00413761, 0x0041377e, 0x00413792, 0x004137af

      APIs
      • GetModuleHandleW.KERNEL32(00000000,?,?,00000104), ref: 0041375A
      • LoadStringW.USER32(00000000), ref: 00413761
      • GetModuleHandleW.KERNEL32(00000000,?,?,00000104), ref: 00413777
      • LoadStringW.USER32(00000000), ref: 0041377E
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: HandleLoadModuleString
      • String ID:
      • API String ID: 3590730445-0
      • Opcode ID: 953559f68fb21d0d7d865d1d06cd4575234f23d0a617886074acfe8e0b6694a3
      • Instruction ID: 84c2056b5710dc79aca4d9482579502139d2d1b78880f4952378d36838343b6a
      • Opcode Fuzzy Hash: 953559f68fb21d0d7d865d1d06cd4575234f23d0a617886074acfe8e0b6694a3
      • Instruction Fuzzy Hash: 6701FFB190020CABDB10DFE4DC4ABD977ACEB48305F0045B9B605C6191EA75AA488B65
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0046C2D0(void* __edi, void* __eflags, short* _a4) {
      				void* _v8;
      				int _v12;
      				void* __ebx;
      				void* _t10;
      				int _t11;
      				void* _t12;
      				void* _t15;
      				void* _t18;
      				int _t20;
      
      				_v12 = 0;
      				_t15 = 0;
      				_t20 = GetFileVersionInfoSizeW(_a4,  &_v12); // size of the version resource of the file named by _a4
      				_t10 = E00470444(0, _t18, __edi, _t20); // _malloc(_t20), per the APIs list below
      				_v8 = _t10;
      				_t11 = GetFileVersionInfoW(_a4, 0, _t20, _t10);
      				_t12 = _v8;
      				if(_t11 != 0) {
      					_t15 =  >=  ? 1 : 0; // comparison operands not recovered by the decompiler
      				}
      				E0047040C(_t12); // _free(_v8)
      				return _t15;
      			}
      Instruction addresses of the decompiled statements (column alignment lost in extraction): 0x0046c2db, 0x0046c2e6, 0x0046c2ed, 0x0046c2f0, 0x0046c2f8, 0x0046c302, 0x0046c309, 0x0046c30c, 0x0046c31d, 0x0046c31d, 0x0046c321, 0x0046c330

      APIs
      • GetFileVersionInfoSizeW.VERSION(00000000,?), ref: 0046C2E8
      • _malloc.LIBCMT ref: 0046C2F0
        • Part of subcall function 00470444: __FF_MSGBANNER.LIBCMT ref: 0047045B
        • Part of subcall function 00470444: __NMSG_WRITE.LIBCMT ref: 00470462
        • Part of subcall function 00470444: RtlAllocateHeap.NTDLL(?,00000000,00000001,00000000,00000000,00000000,?,00477DC3,00000000,00000000,00000000,00000000,?,004781C7,00000018,004B7CD0), ref: 00470487
      • GetFileVersionInfoW.VERSION(00000000,00000000,00000000,00000000), ref: 0046C302
      • _free.LIBCMT ref: 0046C321
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: FileInfoVersion$AllocateHeapSize_free_malloc
      • String ID:
      • API String ID: 1309076661-0
      • Opcode ID: 980c6611521f6d08a303adc84b32eee6935dd0fab2c4d50451486443443b08e2
      • Instruction ID: 211cf0c9feee96b67dbe3a13f2d18b3ccd1588f8c96c16029745e34a397f7d7b
      • Opcode Fuzzy Hash: 980c6611521f6d08a303adc84b32eee6935dd0fab2c4d50451486443443b08e2
      • Instruction Fuzzy Hash: 49F0B4F1941218BFEB10AB66DC42BFE7BECDB00314F100076FC0897201E679AE5886A6
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00438E60(void* __eflags, intOrPtr _a4, signed short* _a8, char _a12) {
      				void* _t11;
      				signed short* _t13;
      				void* _t14;
      				void* _t15;
      
      				_t12 = _a4; // output stream; E00472329 is __fputwc_nolock per the APIs list below
      				E00472329(_t11, 0x3c, _a4); // L'<'
      				_t15 = _t14 + 8;
      				if(_a12 == 0) {
      					E00472329(_t11, 0x2f, _t12); // L'/': closing tag when _a12 == 0
      					_t15 = _t15 + 8;
      				}
      				_t13 = _a8;
      				_t7 =  *_t13 & 0x0000ffff;
      				if(( *_t13 & 0x0000ffff) != 0) {
      					do {
      						E00472329(_t11, _t7, _t12); // emit the NUL-terminated wide tag name in _a8
      						_t7 = _t13[1] & 0x0000ffff;
      						_t13 =  &(_t13[1]);
      						_t15 = _t15 + 8;
      					} while (_t7 != 0);
      				}
      				return E00472329(_t11, 0x3e, _t12); // L'>': the result is "<name>" or "</name>"
      			}
      Instruction addresses of the decompiled statements (column alignment lost in extraction): 0x00438e65, 0x00438e6b, 0x00438e70, 0x00438e77, 0x00438e7c, 0x00438e81, 0x00438e81, 0x00438e84, 0x00438e87, 0x00438e8d, 0x00438e90, 0x00438e92, 0x00438e97, 0x00438e9b, 0x00438e9e, 0x00438ea1, 0x00438e90, 0x00438eb4

      APIs
      • __fputwc_nolock.LIBCMT ref: 00438E6B
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 0047234A
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 0047235B
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 00472367
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 00472372
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 00472398
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723A4
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723B0
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 004723BB
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723E1
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723ED
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,00000000), ref: 004723F9
        • Part of subcall function 00472329: HeapCreate.KERNELBASE(?,?,?), ref: 00472404
        • Part of subcall function 00472329: __cftof.LIBCMT ref: 0047242D
      • __fputwc_nolock.LIBCMT ref: 00438E7C
      • __fputwc_nolock.LIBCMT ref: 00438E92
      • __fputwc_nolock.LIBCMT ref: 00438EA9
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateHeap$__fputwc_nolock$__cftof
      • String ID:
      • API String ID: 4074333276-0
      • Opcode ID: 5dbaf5128a2e7db7779b47afbdde8c3efb30c8ec09a2d3748a44145e1ddff08c
      • Instruction ID: 587dcdcc6747802496a5c018f43e05a3ab126bd1408ccdcc278aa6923bb13b1a
      • Opcode Fuzzy Hash: 5dbaf5128a2e7db7779b47afbdde8c3efb30c8ec09a2d3748a44145e1ddff08c
      • Instruction Fuzzy Hash: 04F0891184035972DA3126535D07FA776AC8F81B59F54401FFD8CA6181E6ECB754C2B5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00472D35() {
      				void* _t6;
      				void* _t8;
      				void* _t9;
      
      				_t9 = E004751A3(_t6); // __getptd_noexit: this thread's CRT per-thread data, or 0 if none
      				if(_t9 != 0) {
      					if( *(_t9 + 4) != 0xffffffff) { // _thandle != INVALID_HANDLE_VALUE
      						CloseHandle( *(_t9 + 4));
      					}
      					E00475155(_t6, _t8, _t9); // __freeptd
      				}
      				ExitThread(0); // matches the CRT's _endthread sequence
      			}
      Instruction addresses of the decompiled statements (column alignment lost in extraction): 0x00472d3b, 0x00472d3f, 0x00472d45, 0x00472d4a, 0x00472d4a, 0x00472d51, 0x00472d56, 0x00472d59

      APIs
      • __getptd_noexit.LIBCMT ref: 00472D36
        • Part of subcall function 004751A3: GetLastError.KERNEL32(H,L,H,L,00474357,00470430,H,L,?,00478154,00000000,?,?,004752D8,00473DD8,004B7A40,00000014), ref: 004751A5
        • Part of subcall function 004751A3: __calloc_crt.LIBCMT ref: 004751C6
        • Part of subcall function 004751A3: __initptd.LIBCMT ref: 004751E8
        • Part of subcall function 004751A3: GetCurrentThreadId.KERNEL32 ref: 004751EF
        • Part of subcall function 004751A3: SetLastError.KERNEL32(00000000,00478154,00000000,?,?,004752D8,00473DD8,004B7A40,00000014), ref: 00475207
      • CloseHandle.KERNEL32(?,?,0043A095), ref: 00472D4A
      • __freeptd.LIBCMT ref: 00472D51
      • ExitThread.KERNEL32 ref: 00472D59
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
      • String ID:
      • API String ID: 4169687693-0
      • Opcode ID: 781b4a2dec228754cd32ab81cf4d7f05b784cdc6f4f89678a364a8b036e5cd08
      • Instruction ID: bcd19e405614ea3b55d2f1a1fe383915493bc84c4b9e5147365ef01c5381dbba
      • Opcode Fuzzy Hash: 781b4a2dec228754cd32ab81cf4d7f05b784cdc6f4f89678a364a8b036e5cd08
      • Instruction Fuzzy Hash: FCD05E31801E114AD23227218D0978E22509F04B22B10872AE42DA91A09BE89806468D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E004202C0(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16) {
      				char _v8;
      				char _v16;
      				signed int _v20;
      				signed int _v24;
      				signed int _v28;
      				signed int _v32;
      				signed int _v36;
      				signed int _v40;
      				signed int _v44;
      				signed int _v48;
      				signed int _v52;
      				signed int _v56;
      				char _v128;
      				char _v136;
      				void* _v200;
      				char _v208;
      				signed int _v216;
      				signed int _v220;
      				signed int _v336;
      				signed int _v340;
      				char _v352;
      				signed int _t288;
      				intOrPtr _t291;
      				char _t295;
      				signed int _t303;
      				signed int _t305;
      				char _t316;
      				void* _t319;
      				void* _t323;
      				intOrPtr _t325;
      				signed int _t326;
      				void* _t327;
      				intOrPtr _t332;
      				void* _t336;
      				signed int _t337;
      				signed int _t338;
      				void* _t367;
      				intOrPtr _t368;
      				intOrPtr _t372;
      				void* _t373;
      				signed int _t374;
      				void* _t376;
      				signed int _t377;
      				signed int _t381;
      				void* _t389;
      
      				_t367 = __edx;
      				_push(0xffffffff); // MSVC exception frame prolog: state -1, handler, saved fs:[0]
      				_push(E00487CAC);
      				_push( *[fs:0x0]);
      				_t288 =  *0x4bb1dc; // 0x2927074f: the CRT __security_cookie (/GS)
      				 *[fs:0x0] =  &_v16; // link this frame into the TIB exception chain
      				_t337 = _a4;
      				_t291 =  *((intOrPtr*)(_t337 + 8));
      				_t377 =  *((intOrPtr*)(_t291 + 0x1c));
      				_a4 = _t377;
      				_v32 =  *((intOrPtr*)(_t291 + 0x20));
      				_v340 = 0;
      				_v8 = 0;
      				_v336 = 0;
      				_v8 = 1;
      				_v220 = 0;
      				_v216 = 0;
      				_v220 = E00423310(0, 0, _t288 ^ _t381, _t373, _t376, _t336);
      				_v8 = 2;
      				_t295 =  *((intOrPtr*)( *((intOrPtr*)(_t337 + 8))));
      				_v352 = _t295;
      				_v208 = _t295;
      				E0041D860( &_v352);
      				_v8 = 3;
      				E0041C7B0(_a8,  &_v28, 0,  &_v208,  *0x4bca04 & 0x000000ff);
      				_v8 = 2;
      				E0041DC50();
      				_t374 = _v28;
      				if(_v24 != 0) {
      					 *((char*)(_t374 + 0x1c)) = _t316;
      					_t319 = E00467450( *((intOrPtr*)(_t337 + 0xc)),  *((intOrPtr*)(E00411BA0(_t337) + 0x48)));
      					_t38 = _t374 + 0x28; // 0x28
      					E0046A0F0(_t38, _t319);
      					_t323 = E00467450( *((intOrPtr*)(_t337 + 0xc)),  *((intOrPtr*)(E00411BA0(_t337) + 0x40)));
      					_t41 = _t374 + 0x24; // 0x24
      					E0046A0F0(_t41, _t323);
      					_t325 = E004119A0(_t337, _t367, 0x10);
      					_t377 = _a4;
      					 *((intOrPtr*)(_t374 + 0x2c)) = _t325;
      					_t326 = _v32;
      					 *((intOrPtr*)(_t374 + 0x30)) = _t377;
      					 *((intOrPtr*)(_t374 + 0x34)) = _t326;
      					 *((intOrPtr*)(_t374 + 0x38)) = _t377;
      					 *((intOrPtr*)(_t374 + 0x3c)) = _t326;
      					 *((intOrPtr*)(_t374 + 0x40)) = 0;
      					 *((intOrPtr*)(_t374 + 0x44)) = 0;
      					 *((intOrPtr*)(_t374 + 0x48)) = 0;
      					 *((intOrPtr*)(_t374 + 0x4c)) = 0;
      					 *((intOrPtr*)(_t374 + 0x70)) = 0;
      					 *((intOrPtr*)(_t374 + 0x74)) = 0;
      					 *((intOrPtr*)(_t374 + 0x78)) = 0;
      					 *((intOrPtr*)(_t374 + 0x7c)) = 0;
      					 *((intOrPtr*)(_t374 + 0x80)) = 0;
      					 *((intOrPtr*)(_t374 + 0x84)) = 0;
      					 *((intOrPtr*)(_t374 + 0x88)) = 0;
      					 *((intOrPtr*)(_t374 + 0x8c)) = 0;
      					 *((intOrPtr*)(_t374 + 0x90)) = 0;
      					 *((intOrPtr*)(_t374 + 0x94)) = 0;
      					 *((intOrPtr*)(_t374 + 0x50)) = 0;
      					 *((intOrPtr*)(_t374 + 0x54)) = 0;
      					 *((intOrPtr*)(_t374 + 0x58)) = 0;
      					 *((intOrPtr*)(_t374 + 0x5c)) = 0;
      					 *((intOrPtr*)(_t374 + 0x60)) = 0;
      					 *((intOrPtr*)(_t374 + 0x64)) = 0;
      					 *((intOrPtr*)(_t374 + 0x68)) = 0;
      					 *((intOrPtr*)(_t374 + 0x6c)) = 0;
      					_t327 = E00411BA0(_t337);
      					asm("xorps xmm0, xmm0");
      					 *((intOrPtr*)(_t374 + 0x98)) =  *((intOrPtr*)(_t327 + 8));
      					asm("movlpd [ebp-0x84], xmm0");
      					E00470030( &_v128, 0, 0x48);
      					_t363 =  *((intOrPtr*)(_t374 + 0x9c));
      					_v24 =  *((intOrPtr*)(_t374 + 0x9c));
      					_t372 = E0041A890( *((intOrPtr*)(_t374 + 0x9c)),  *((intOrPtr*)(_t363 + 4)),  &_v136);
      					_t332 =  *((intOrPtr*)(_t374 + 0xa0));
      					_t387 = 0x2e8ba2d - _t332 - 1;
      					if(0x2e8ba2d - _t332 < 1) {
      						_push("list<T> too long"); // std::list size guard (_Xlength_error path)
      						_t332 = E0046EB0F(_t387);
      					}
      					 *((intOrPtr*)(_t374 + 0xa0)) = _t332 + 1;
      					 *((intOrPtr*)(_v24 + 4)) = _t372;
      					 *((intOrPtr*)( *((intOrPtr*)(_t372 + 4)))) = _t372;
      				}
      				_t303 = _v32;
      				_t389 = _t303 -  *((intOrPtr*)(_t374 + 0x3c));
      				if(_t389 >= 0 && (_t389 > 0 || _t377 >  *((intOrPtr*)(_t374 + 0x38)))) {
      					 *((intOrPtr*)(_t374 + 0x38)) = _t377;
      					 *((intOrPtr*)(_t374 + 0x3c)) = _t303;
      				}
      				_t368 =  *((intOrPtr*)(_t337 + 8));
      				_t305 = ( *(_t368 + 8) & 0x0000ffff) - 1;
      				if(_t305 > 4) {
      					L32:
      					_t338 = _a4;
      					goto L33;
      				} else {
      					switch( *((intOrPtr*)(_t305 * 4 +  &M00420934))) {
      						case 0:
      							if( *((short*)(_t368 + 0xc)) == 2 ||  *((short*)(_t368 + 0xc)) == 8) {
      								if( *((intOrPtr*)(_t368 + 0x2c)) < 0x34) {
      									asm("xorps xmm0, xmm0");
      									asm("movlpd [ebp-0x18], xmm0");
      									_t308 = _v24;
      									_t349 = _v28;
      								} else {
      									_t312 =  *(_t368 + 0x28) & 0x0000ffff;
      									_t349 =  *((intOrPtr*)(_t368 + 0x60 + _t312 * 4));
      									_t308 =  *((intOrPtr*)(_t368 + 0x64 + _t312 * 4));
      								}
      								 *((intOrPtr*)(_t374 + 0x58)) = _t349;
      								 *((intOrPtr*)(_t374 + 0x5c)) = _t308;
      								_t350 =  *((intOrPtr*)(_t337 + 8));
      								if( *((intOrPtr*)(_t350 + 0x2c)) < 0x34) {
      									asm("xorps xmm0, xmm0");
      									asm("movlpd [ebp-0x18], xmm0");
      									 *((intOrPtr*)(_t374 + 0x68)) = _v28;
      									 *((intOrPtr*)(_t374 + 0x6c)) = _v24;
      								} else {
      									_t310 =  *(_t350 + 0x28) & 0x0000ffff;
      									 *((intOrPtr*)(_t374 + 0x68)) =  *((intOrPtr*)(_t350 + 0x50 + _t310 * 4));
      									 *((intOrPtr*)(_t374 + 0x6c)) =  *((intOrPtr*)(_t350 + 0x54 + _t310 * 4));
      								}
      							}
      							goto L32;
      						case 1:
      							 *((intOrPtr*)(__edi + 0x78)) =  *((intOrPtr*)(__edi + 0x78)) + 1;
      							__eax =  *(__ebx + 8);
      							__eflags =  *(__eax + 0x24) - 0x103;
      							if( *(__eax + 0x24) != 0x103) {
      								__ecx =  *(__eax + 0x14);
      								__eax =  *(__eax + 0x18);
      							} else {
      								asm("xorps xmm0, xmm0");
      								asm("movlpd [ebp-0x18], xmm0");
      								__eax = _v24;
      								__ecx = _v28;
      							}
      							 *((intOrPtr*)(__edi + 0x88)) =  *((intOrPtr*)(__edi + 0x88)) + __ecx;
      							asm("adc [edi+0x8c], eax");
      							__eax =  *(__edi + 0x9c);
      							__eax =  *( *(__edi + 0x9c) + 4);
      							 *((intOrPtr*)( *( *(__edi + 0x9c) + 4) + 0x30)) =  *((intOrPtr*)( *( *(__edi + 0x9c) + 4) + 0x30)) + 1;
      							asm("adc dword [eax+0x34], 0x0");
      							goto L32;
      						case 2:
      							__eax =  *(__edi + 0x9c);
      							 *((intOrPtr*)(__edi + 0x74)) =  *((intOrPtr*)(__edi + 0x74)) + 1;
      							__eax =  *( *(__edi + 0x9c) + 4);
      							 *((intOrPtr*)( *( *(__edi + 0x9c) + 4) + 0x38)) =  *((intOrPtr*)( *( *(__edi + 0x9c) + 4) + 0x38)) + 1;
      							asm("adc dword [eax+0x3c], 0x0");
      							__ecx =  *(__ebx + 8);
      							__eflags =  *(__ecx + 0xc) - 0x20;
      							if( *(__ecx + 0xc) == 0x20) {
      								goto L41;
      							}
      							__eflags =  *(__ecx + 0xc) - 0x21;
      							if( *(__ecx + 0xc) == 0x21) {
      								goto L41;
      							}
      							 *((intOrPtr*)(__edi + 0x80)) =  *((intOrPtr*)(__edi + 0x80)) + E00411B30(__ecx);
      							asm("adc [edi+0x84], edx");
      							__eax =  *(__ebx + 8);
      							__eflags =  *(__eax + 0x24);
      							if( *(__eax + 0x24) != 0) {
      								goto L32;
      							}
      							__eax =  *(__eax + 0xc) & 0x0000ffff;
      							__eax = __eax + 0xffffffe9;
      							__eflags = __eax - 1;
      							if(__eax > 1) {
      								goto L32;
      							}
      							_v20 = 0;
      							__eax =  &_v20;
      							_v8 = 4;
      							__ecx = __ebx;
      							__eax = E00410F20(__ebx, __ebx, __edi, __esi, 1,  &_v20);
      							__ecx =  &_v20;
      							__eax = E0046A170( &_v20);
      							__eax = L00437F10(__edx, __eax);
      							__ecx =  *(__edi + 0x9c);
      							__ecx =  *( *(__edi + 0x9c) + 4);
      							 *((intOrPtr*)( *( *(__edi + 0x9c) + 4) + 0x40)) =  *((intOrPtr*)( *( *(__edi + 0x9c) + 4) + 0x40)) + __eax;
      							asm("adc [ecx+0x44], edx");
      							goto L30;
      						case 3:
      							__eflags =  *((short*)(__edx + 0xc)) - 1;
      							if( *((short*)(__edx + 0xc)) != 1) {
      								goto L32;
      							}
      							__esi =  *(__edi + 0x40);
      							__esi = __esi |  *(__edi + 0x44);
      							__eflags = __esi |  *(__edi + 0x44);
      							if((__esi |  *(__edi + 0x44)) == 0) {
      								asm("xorps xmm0, xmm0");
      								asm("movlpd [ebp-0x34], xmm0");
      								__eax = _v52;
      								_v24 = _v52;
      								__eax = _v56;
      								_v52 = _v56;
      							} else {
      								__eax =  *(__edx + 0x28) & 0x0000ffff;
      								__ecx =  *(__edx + 0x34 + __eax * 4);
      								__ebx =  *(__edx + 0x38 + __eax * 4);
      								__ecx =  *(__edx + 0x34 + __eax * 4) - __esi;
      								_v52 =  *(__edx + 0x34 + __eax * 4) - __esi;
      								asm("sbb ebx, [edi+0x44]");
      								_v24 =  *(__edx + 0x38 + __eax * 4);
      							}
      							__esi =  *(__edi + 0x48);
      							__eax = __esi;
      							__ebx =  *(__edi + 0x4c);
      							__eax = __esi |  *(__edi + 0x4c);
      							__eflags = __esi |  *(__edi + 0x4c);
      							if((__esi |  *(__edi + 0x4c)) == 0) {
      								asm("xorps xmm0, xmm0");
      								asm("movlpd [ebp-0x2c], xmm0");
      								__eax = _v44;
      								_v40 = _v44;
      								__eax = _v48;
      								_v44 = _v48;
      							} else {
      								__eax =  *(__edx + 0x28) & 0x0000ffff;
      								__ecx =  *(__edx + 0x3c + __eax * 4);
      								__eax =  *(__edx + 0x40 + __eax * 4);
      								_v44 = __ecx;
      								asm("sbb eax, ebx");
      								_v40 = __eax;
      							}
      							__eax =  *(__edx + 0x28) & 0x0000ffff;
      							__esi =  *(__edi + 0x9c);
      							__ebx = _a4;
      							__ecx = __edx + ( *(__edx + 0x28) & 0x0000ffff) * 4;
      							__eax =  *(__ecx + 0x34);
      							 *(__edi + 0x40) =  *(__ecx + 0x34);
      							__eax =  *(__ecx + 0x38);
      							 *(__edi + 0x44) =  *(__ecx + 0x38);
      							__eax =  *(__edx + 0x28) & 0x0000ffff;
      							__ecx = __edx + ( *(__edx + 0x28) & 0x0000ffff) * 4;
      							__eax =  *(__ecx + 0x3c);
      							 *(__edi + 0x48) =  *(__ecx + 0x3c);
      							__eax =  *(__ecx + 0x40);
      							 *(__edi + 0x4c) =  *(__ecx + 0x40);
      							_t243 = __edi + 0x9c; // 0x9c
      							__eax = _t243;
      							__ecx =  *(__esi + 4);
      							 *(__ecx + 8) = _a4;
      							__ecx = __ecx + 8;
      							_v36 = _t243;
      							__eax = _v32;
      							_v20 = __ecx;
      							__ebx = _v20;
      							 *((intOrPtr*)(__ecx + 4)) = _v32;
      							__eax = _v44;
      							 *(__ecx + 8) = _v44;
      							__eax = _v40;
      							 *(__ecx + 0xc) = _v40;
      							__eax = _v52;
      							 *(__ecx + 0x10) = _v52;
      							__eax = _v24;
      							 *((intOrPtr*)(__ecx + 0x14)) = _v24;
      							__eax =  *(__edx + 0x28) & 0x0000ffff;
      							__ecx =  *(__edx + 0x4c + __eax * 4);
      							__eax =  *(__edx + 0x50 + __eax * 4);
      							 *(__ebx + 0x18) = __ecx;
      							__ecx = __ebx;
      							 *(__ebx + 0x1c) = __eax;
      							__eax =  *(__edx + 0x28) & 0x0000ffff;
      							__ecx =  *(__edx + 0x44 + __eax * 4);
      							__eax =  *(__edx + 0x48 + __eax * 4);
      							__edx = __ebx;
      							__ebx = _a4;
      							 *(__edx + 0x20) = __ecx;
      							 *(__edx + 0x24) = __eax;
      							__eflags =  *((intOrPtr*)(__edi + 0xa0)) - 2;
      							if(__eflags < 0) {
      								L58:
      								__esi = _v36;
      								goto L59;
      							} else {
      								__esi =  *(__esi + 4);
      								__ecx = __edx;
      								__edi =  *(__esi + 4);
      								__edi =  *(__esi + 4) + 8;
      								__eax = E00421420(__edx, __eflags, __edi);
      								__eflags = __al;
      								if(__al == 0) {
      									goto L58;
      								}
      								__ecx = _v20;
      								__eax = E004214D0(_v20, __edi);
      								__esi = _v36;
      								__eax =  &_a4;
      								__ecx = __esi;
      								__eax = E00424170(__esi,  &_a4, __esi);
      								L59:
      								__eax =  &_v128;
      								asm("xorps xmm0, xmm0");
      								asm("movlpd [ebp-0x84], xmm0");
      								E00470030( &_v128, 0, 0x48) =  &_v136;
      								__ecx = __esi;
      								__eax = E004241B0(__esi, __edi,  &_v136);
      								L33:
      								_t344 = _a12;
      								_t306 = _v32;
      								_t396 = _t306 -  *(_t344 + 4);
      								if(_t396 <= 0 && (_t396 < 0 || _t338 <  *_t344)) {
      									 *_t344 = _t338;
      									 *(_t344 + 4) = _t306;
      								}
      								_t345 = _a16;
      								_t398 = _t306 -  *(_t345 + 4);
      								if(_t398 >= 0 && (_t398 > 0 || _t338 >  *_t345)) {
      									 *_t345 = _t338;
      									 *(_t345 + 4) = _t306;
      								}
      								L41:
      								_v8 = 0xffffffff;
      								_t307 = E0041DC50();
      								 *[fs:0x0] = _v16;
      								return _t307;
      							}
      						case 4:
      							 *((intOrPtr*)(__edi + 0x7c)) =  *((intOrPtr*)(__edi + 0x7c)) + 1;
      							__eax =  *(__ebx + 8);
      							__eflags =  *(__eax + 0x24) - 0x103;
      							if( *(__eax + 0x24) != 0x103) {
      								__ecx =  *(__eax + 0x14);
      								__eax =  *(__eax + 0x18);
      							} else {
      								asm("xorps xmm0, xmm0");
      								asm("movlpd [ebp-0x18], xmm0");
      								__eax = _v24;
      								__ecx = _v28;
      							}
      							 *((intOrPtr*)(__edi + 0x90)) =  *((intOrPtr*)(__edi + 0x90)) + __ecx;
      							asm("adc [edi+0x94], eax");
      							__eax =  *(__edi + 0x9c);
      							__eax =  *( *(__edi + 0x9c) + 4);
      							 *((intOrPtr*)( *( *(__edi + 0x9c) + 4) + 0x48)) =  *((intOrPtr*)( *( *(__edi + 0x9c) + 4) + 0x48)) + 1;
      							asm("adc dword [eax+0x4c], 0x0");
      							__eax =  *(__ebx + 8);
      							__eflags =  *(__eax + 0x24);
      							if( *(__eax + 0x24) == 0) {
      								__eax =  *(__eax + 0xc) & 0x0000ffff;
      								__eax = __eax + 0xfffffffe;
      								__eflags = __eax - 1;
      								if(__eax > 1) {
      									goto L32;
      								}
      								_v20 = 0;
      								__eax =  &_v20;
      								_v8 = 5;
      								__ecx = __ebx;
      								__eax = E00410F20(__ebx, __ebx, __edi, __esi, 0,  &_v20);
      								__ecx =  &_v20;
      								__eax = E0046A170( &_v20);
      								__eax = L00437F10(__edx, __eax);
      								__ecx =  *(__edi + 0x9c);
      								__ecx =  *( *(__edi + 0x9c) + 4);
      								 *((intOrPtr*)( *( *(__edi + 0x9c) + 4) + 0x50)) =  *((intOrPtr*)( *( *(__edi + 0x9c) + 4) + 0x50)) + __eax;
      								asm("adc [ecx+0x54], edx");
      								L30:
      								__ecx = _v20;
      								_v8 = 2;
      								__eflags = __ecx;
      								if(__ecx != 0) {
      									__eax = E0046A700(__ecx);
      								}
      							}
      							goto L32;
      					}
      				}
			}

      (Address column of the decompiler view for the function above, 0x004202c0 to 0x00420929; the per-line mapping between these addresses and the C code did not survive extraction.)

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _memset
      • String ID: list<T> too long
      • API String ID: 2102423945-4027344264
      • Opcode ID: cb268f0ae0c4c5a3d21a68fa7a102655aea4c5f4f8078af82c44c41ba4fe436b
      • Instruction ID: 4ea7011cfdefa75ab6648d970668547f45f46c3662acc26fd29f881094f66863
      • Opcode Fuzzy Hash: cb268f0ae0c4c5a3d21a68fa7a102655aea4c5f4f8078af82c44c41ba4fe436b
      • Instruction Fuzzy Hash: EE224BB0A00616DFDB04CF69C584BA9F7F0BF48314F54829AE809AB342D779E995CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E00442620(intOrPtr __ecx, char _a4, char _a8, char _a12) {
      				intOrPtr _v8;
      				char _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				char _v32;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t204;
      				char _t213;
      				char _t218;
      				char _t223;
      				char _t228;
      				char _t233;
      				char _t238;
      				char _t243;
      				void* _t247;
      				void* _t250;
      				intOrPtr* _t252;
      				intOrPtr _t253;
      				char _t258;
      				char* _t264;
      				intOrPtr _t295;
      				intOrPtr _t301;
      				intOrPtr _t302;
      				intOrPtr _t303;
      				intOrPtr _t304;
      				intOrPtr _t306;
      				intOrPtr _t307;
      				intOrPtr _t308;
      				intOrPtr _t336;
      				intOrPtr _t340;
      				intOrPtr _t341;
      				char _t345;
      				intOrPtr _t347;
      				intOrPtr _t348;
      				intOrPtr _t349;
      				intOrPtr _t350;
      				intOrPtr _t351;
      				intOrPtr _t354;
      				intOrPtr* _t355;
      				intOrPtr _t357;
      				intOrPtr* _t359;
      				intOrPtr _t363;
      				intOrPtr _t364;
      				intOrPtr _t365;
      				intOrPtr _t366;
      				intOrPtr _t367;
      				intOrPtr* _t376;
      				signed int _t378;
      				void* _t379;
      				void* _t380;
      				void* _t381;
      				void* _t382;
      				void* _t383;
      				void* _t384;
      				void* _t385;
      				void* _t386;
      
      				_push(0xffffffff);
      				_push(E0048A410);
      				_push( *[fs:0x0]);
      				_t380 = _t379 - 0x10;
      				_t204 =  *0x4bb1dc; // 0x2927074f
      				_push(_t204 ^ _t378);
      				 *[fs:0x0] =  &_v16;
      				_t295 = __ecx;
      				_v24 = __ecx;
      				_t359 = _a4;
      				if( *_t359 != 0) {
      					_t357 =  *((intOrPtr*)(_t359 + 4));
      					if(_t357 + 4 >  *((intOrPtr*)(_t359 + 8))) {
      						L2:
      						_a8 = 0x7a;
      						_t264 =  &_a8;
      						_push(0x4affc8);
      						L3:
      						_push(_t264);
      						E0046F78D();
      					}
      					 *((intOrPtr*)(_t357 + _t345)) = _t376;
      				}
      				 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      				_t301 =  *_t359;
      				_t347 =  *((intOrPtr*)(_t359 + 4));
      				_t363 =  *((intOrPtr*)(_t295 + 4));
      				if(_t301 != 0) {
      					_t14 = _t347 + 4; // 0x8
      					if(_t14 >  *((intOrPtr*)(_t359 + 8))) {
      						goto L2;
      					} else {
      						 *((intOrPtr*)(_t347 + _t301)) = _t363;
      					}
      				}
      				 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      				_t302 =  *_t359;
      				_t348 =  *((intOrPtr*)(_t359 + 4));
      				_t364 =  *((intOrPtr*)(_t295 + 8));
      				if(_t302 != 0) {
      					_t21 = _t348 + 4; // 0x8
      					if(_t21 >  *((intOrPtr*)(_t359 + 8))) {
      						goto L2;
      					} else {
      						 *((intOrPtr*)(_t348 + _t302)) = _t364;
      					}
      				}
      				 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      				_t303 =  *_t359;
      				_t349 =  *((intOrPtr*)(_t359 + 4));
      				_t365 =  *((intOrPtr*)(_t295 + 0xc));
      				if(_t303 != 0) {
      					_t28 = _t349 + 4; // 0x8
      					if(_t28 >  *((intOrPtr*)(_t359 + 8))) {
      						goto L2;
      					} else {
      						 *((intOrPtr*)(_t349 + _t303)) = _t365;
      					}
      				}
      				 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      				_t304 =  *_t359;
      				_t350 =  *((intOrPtr*)(_t359 + 4));
      				_t366 =  *((intOrPtr*)(_t295 + 0x18));
      				if(_t304 != 0) {
      					_t35 = _t350 + 4; // 0x8
      					if(_t35 >  *((intOrPtr*)(_t359 + 8))) {
      						goto L2;
      					} else {
      						 *((intOrPtr*)(_t350 + _t304)) = _t366;
      					}
      				}
      				 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      				_t351 =  *((intOrPtr*)(_t359 + 4));
      				if( *_t359 != 0) {
      					_t41 = _t351 + 8; // 0xc
      					if(_t41 >  *((intOrPtr*)(_t359 + 8))) {
      						goto L2;
      					} else {
      						asm("movq xmm0, [ebx+0x10]");
      						asm("movq [edx+ecx], xmm0");
      					}
      				}
      				 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 8;
      				_t306 =  *((intOrPtr*)(_t359 + 4));
      				_v32 =  *((intOrPtr*)(_t295 + 0x20));
      				_v28 =  *((intOrPtr*)(_t295 + 0x24));
      				if( *_t359 != 0) {
      					_t50 = _t306 + 8; // 0x10
      					if(_t50 >  *((intOrPtr*)(_t359 + 8))) {
      						goto L2;
      					} else {
      						asm("movq xmm0, [ebp-0x1c]");
      						asm("movq [ecx+edx], xmm0");
      					}
      				}
      				 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 8;
      				_t307 =  *((intOrPtr*)(_t359 + 4));
      				_v32 =  *((intOrPtr*)(_t295 + 0x28));
      				_v28 =  *((intOrPtr*)(_t295 + 0x2c));
      				if( *_t359 != 0) {
      					_t59 = _t307 + 8; // 0x10
      					if(_t59 >  *((intOrPtr*)(_t359 + 8))) {
      						goto L2;
      					} else {
      						asm("movq xmm0, [ebp-0x1c]");
      						asm("movq [ecx+edx], xmm0");
      					}
      				}
      				 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 8;
      				_t308 =  *_t359;
      				_t354 =  *((intOrPtr*)(_t359 + 4));
      				_t367 =  *((intOrPtr*)(_t295 + 0x34));
      				if(_t308 != 0) {
      					_t65 = _t354 + 4; // 0xc
      					_t404 = _t65 -  *((intOrPtr*)(_t359 + 8));
      					if(_t65 >  *((intOrPtr*)(_t359 + 8))) {
      						goto L2;
      					} else {
      						 *((intOrPtr*)(_t354 + _t308)) = _t367;
      					}
      				}
      				 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      				_t368 = E0040DCB0( *((intOrPtr*)(_t295 + 0x3c)));
      				_t213 = E0046A6C0(_t295, _t368, E0046A530(_t211));
      				_t381 = _t380 + 0xc;
      				_a4 = _t213;
      				_v8 = 0;
      				E004649D0(_t295, _t359, _t359, _t368, _t404,  &_a4);
      				_t311 = _a4;
      				_v8 = 0xffffffff;
      				_t405 = _a4;
      				if(_a4 != 0) {
      					E0046A700(_t311);
      				}
      				_t369 = E0040DCB0( *((intOrPtr*)(_t295 + 0x40)));
      				_t218 = E0046A6C0(_t295, _t369, E0046A530(_t216));
      				_t382 = _t381 + 0xc;
      				_a4 = _t218;
      				_v8 = 1;
      				E004649D0(_t295, _t359, _t359, _t369, _t405,  &_a4);
      				_t314 = _a4;
      				_v8 = 0xffffffff;
      				_t406 = _a4;
      				if(_a4 != 0) {
      					E0046A700(_t314);
      				}
      				_t370 = E0040DCB0( *((intOrPtr*)(_t295 + 0x44)));
      				_t223 = E0046A6C0(_t295, _t370, E0046A530(_t221));
      				_t383 = _t382 + 0xc;
      				_a4 = _t223;
      				_v8 = 2;
      				E004649D0(_t295, _t359, _t359, _t370, _t406,  &_a4);
      				_t317 = _a4;
      				_v8 = 0xffffffff;
      				_t407 = _a4;
      				if(_a4 != 0) {
      					E0046A700(_t317);
      				}
      				_t371 = E0040DCB0( *((intOrPtr*)(_t295 + 0x48)));
      				_t228 = E0046A6C0(_t295, _t371, E0046A530(_t226));
      				_t384 = _t383 + 0xc;
      				_a4 = _t228;
      				_v8 = 3;
      				E004649D0(_t295, _t359, _t359, _t371, _t407,  &_a4);
      				_t320 = _a4;
      				_v8 = 0xffffffff;
      				_t408 = _a4;
      				if(_a4 != 0) {
      					E0046A700(_t320);
      				}
      				_t372 = E0040DCB0( *((intOrPtr*)(_t295 + 0x4c)));
      				_t233 = E0046A6C0(_t295, _t372, E0046A530(_t231));
      				_t385 = _t384 + 0xc;
      				_a4 = _t233;
      				_v8 = 4;
      				E004649D0(_t295, _t359, _t359, _t372, _t408,  &_a4);
      				_t323 = _a4;
      				_v8 = 0xffffffff;
      				_t409 = _a4;
      				if(_a4 != 0) {
      					E0046A700(_t323);
      				}
      				_t373 = E0040DCB0( *((intOrPtr*)(_t295 + 0x50)));
      				_t238 = E0046A6C0(_t295, _t373, E0046A530(_t236));
      				_t386 = _t385 + 0xc;
      				_a4 = _t238;
      				_v8 = 5;
      				E004649D0(_t295, _t359, _t359, _t373, _t409,  &_a4);
      				_t326 = _a4;
      				_v8 = 0xffffffff;
      				_t410 = _a4;
      				if(_a4 != 0) {
      					E0046A700(_t326);
      				}
      				_t374 = E0040DCB0( *((intOrPtr*)(_t295 + 0x54)));
      				_t243 = E0046A6C0(_t295, _t374, E0046A530(_t241));
      				_t380 = _t386 + 0xc;
      				_a4 = _t243;
      				_v8 = 6;
      				E004649D0(_t295, _t359, _t359, _t374, _t410,  &_a4);
      				_t329 = _a4;
      				_v8 = 0xffffffff;
      				if(_a4 != 0) {
      					E0046A700(_t329);
      				}
      				_t375 = _a12;
      				_t247 = E0042D380(_a12,  &_v32,  *((intOrPtr*)(_t295 + 0x58)));
      				_v8 = 7;
      				E0042DA70(_t295, _t247, _t359, _t375, _t359);
      				_t332 = _v32;
      				_v8 = 0xffffffff;
      				if(_v32 != 0) {
      					E0046A700(_t332);
      				}
      				_t250 = E0042D380(_t375,  &_v32,  *((intOrPtr*)(_t295 + 0x5c)));
      				_v8 = 8;
      				E0042DA70(_t295, _t250, _t359, _t375, _t359);
      				_t335 = _v32;
      				_v8 = 0xffffffff;
      				if(_v32 != 0) {
      					E0046A700(_t335);
      				}
      				_t336 =  *_t359;
      				_t376 =  *((intOrPtr*)(_t295 + 0x68));
      				if(_t336 != 0) {
      					_t357 =  *((intOrPtr*)(_t359 + 4));
      					_t132 = _t357 + 4; // 0x100000003
      					if(_t132 >  *((intOrPtr*)(_t359 + 8))) {
      						goto L2;
      					} else {
      						 *((intOrPtr*)(_t357 + _t336)) = _t376;
      					}
      				}
      				 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      				_t252 =  *((intOrPtr*)(_t295 + 0x64));
      				_t376 =  *_t252;
      				if(_t376 != _t252) {
      					do {
      						_t355 =  *((intOrPtr*)(_t376 + 8));
      						_a12 = _t355;
      						if( *0x4bb0d0 < 6) {
      							_t253 =  *_t355;
      							_v28 = 0;
      						} else {
      							_t253 =  *_t355;
      							_v28 =  *((intOrPtr*)(_t355 + 0x34));
      						}
      						_v32 = _t253;
      						if( *_t359 == 0) {
      							L58:
      							 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 8;
      							_t295 =  *_t359;
      							_t340 =  *((intOrPtr*)(_t359 + 4));
      							_v20 =  *((intOrPtr*)(_t355 + 4));
      							if(_t295 == 0) {
      								L61:
      								 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      								_t295 =  *_t359;
      								_t341 =  *((intOrPtr*)(_t359 + 4));
      								_v20 =  *((intOrPtr*)(_t355 + 8));
      								if(_t295 == 0) {
      									L64:
      									 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      									_t298 = E0040DCB0( *((intOrPtr*)(_t355 + 0xc)));
      									_t258 = E0046A6C0(_t298, _t298, E0046A530(_t256));
      									_t380 = _t380 + 0xc;
      									_a4 = _t258;
      									_v8 = 9;
      									E004649D0(_t298, _t359, _t359, _t376, _t423,  &_a4);
      									_t344 = _a4;
      									_v8 = 0xffffffff;
      									if(_a4 != 0) {
      										E0046A700(_t344);
      									}
      									if( *_t359 == 0) {
      										_t345 = _a12;
      										goto L70;
      									} else {
      										_t295 =  *((intOrPtr*)(_t359 + 4));
      										_t175 = _t295 + 0x10; // 0x10000000f
      										if(_t175 >  *((intOrPtr*)(_t359 + 8))) {
      											goto L2;
      										} else {
      											_t345 = _a12;
      											asm("movdqu xmm0, [ecx+0x1c]");
      											asm("movdqu [ebx+edx], xmm0");
      											L70:
      											 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 0x10;
      											_t295 =  *_t359;
      											_t357 =  *((intOrPtr*)(_t359 + 4));
      											_a12 =  *((intOrPtr*)(_t345 + 0x2c));
      											if(_t295 == 0) {
      												L73:
      												 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      												_t295 =  *((intOrPtr*)(_t345 + 0x30));
      												_t345 =  *_t359;
      												_t357 =  *((intOrPtr*)(_t359 + 4));
      												if(_t345 == 0) {
      													goto L76;
      												} else {
      													_t192 = _t357 + 4; // 0x8
      													if(_t192 >  *((intOrPtr*)(_t359 + 8))) {
      														_a12 = 0x7a;
      														_t264 =  &_a12;
      														_push(0x4affc8);
      														goto L3;
      													} else {
      														 *((intOrPtr*)(_t357 + _t345)) = _t295;
      														goto L76;
      													}
      												}
      											} else {
      												_t184 = _t357 + 4; // 0x14
      												if(_t184 >  *((intOrPtr*)(_t359 + 8))) {
      													goto L2;
      												} else {
      													 *((intOrPtr*)(_t357 + _t295)) = _a12;
      													goto L73;
      												}
      											}
      										}
      									}
      								} else {
      									_t161 = _t341 + 4; // 0x8
      									_t423 = _t161 -  *((intOrPtr*)(_t359 + 8));
      									if(_t161 >  *((intOrPtr*)(_t359 + 8))) {
      										goto L2;
      									} else {
      										 *((intOrPtr*)(_t341 + _t295)) = _v20;
      										goto L64;
      									}
      								}
      							} else {
      								_t152 = _t340 + 4; // 0xc
      								if(_t152 >  *((intOrPtr*)(_t359 + 8))) {
      									goto L2;
      								} else {
      									 *((intOrPtr*)(_t340 + _t295)) = _v20;
      									goto L61;
      								}
      							}
      						} else {
      							_t145 = _t295 + 8; // 0xc
      							if(_t145 >  *((intOrPtr*)(_t359 + 8))) {
      								goto L2;
      							} else {
      								asm("movq xmm0, [ebp-0x1c]");
      								asm("movq [ebx+ecx], xmm0");
      								goto L58;
      							}
      						}
      						goto L77;
      						L76:
      						_t252 = _v24;
      						 *((intOrPtr*)(_t359 + 4)) =  *((intOrPtr*)(_t359 + 4)) + 4;
      						_t376 =  *_t376;
      						_t295 =  *((intOrPtr*)(_t359 + 4));
      					} while (_t376 !=  *((intOrPtr*)(_t252 + 0x64)));
      				}
      				L77:
      				 *[fs:0x0] = _v16;
      				return _t252;
			}

      (Address column of the decompiler view for E00442620, 0x00442623 to 0x00442b80; the per-line mapping between these addresses and the C code did not survive extraction.)

      APIs
      • __CxxThrowException@8.LIBCMT ref: 00442673
        • Part of subcall function 0046F78D: RaiseException.KERNEL32(?,?,000000FF,004B76C4,?,00000000,?,?,?,0046EF06,000000FF,004B76C4,?,00000001), ref: 0046F7E2
        • Part of subcall function 0046A700: InterlockedDecrement.KERNEL32(?), ref: 0046A704
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: DecrementExceptionException@8InterlockedRaiseThrow
      • String ID: z$z
      • API String ID: 1869640917-3877588240
      • Opcode ID: 03bf364e19c90bd7704eb8fdd528e1824a91f4aeb9be1579ee4276f00b53bad5
      • Instruction ID: 241eee74fe49353457803281b4a4808942294d2007f724f35f87e5048d49c282
      • Opcode Fuzzy Hash: 03bf364e19c90bd7704eb8fdd528e1824a91f4aeb9be1579ee4276f00b53bad5
      • Instruction Fuzzy Hash: E302AEB0A01606AFDB04DF55C580AAEF7B5FF44314B50825EE819AB341E778EE51CBC9
      Uniqueness

      Uniqueness Score: -1.00%
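      Reading note on E00442620 (added by the editor; the code below is an illustrative reconstruction, not code from the report or from the sample). Every field store in the function has the same shape: the first argument points to a buffer descriptor read as [+0] data pointer, [+4] write position, [+8] capacity. When the data pointer is non-zero the function checks position + size against the capacity and, on overflow, throws through E0046F78D (__CxxThrowException@8, per the APIs list) with a one-byte exception object holding 0x7a, which appears to be where the report's String ID z$z comes from; otherwise it stores the field. The position is advanced by the field size whether or not a store happened, so passing a descriptor with a zero data pointer turns the same code into a size-measuring pass. The C below implements that two-pass, bounds-checked append pattern. All identifiers (ser_buf, ser_put, record, serialize_record, ser_demo) and the sample record layout are this example's own, not the object layout E00442620 serializes; the example returns false instead of throwing, and writes the check in the wrap-safe form n > cap - pos rather than the decompiled pos + n > cap.

```c
/* Added example (editor's reconstruction, not code from the report or the
 * sample): the bounds-checked, two-pass append pattern that E00442620 repeats
 * for every field. All identifiers here are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Descriptor layout inferred from the decompiled accesses to the first
 * argument: [+0] data pointer, [+4] write position, [+8] capacity.
 * data == NULL means "measure only": no stores, position still advances. */
typedef struct {
    uint8_t *data;
    uint32_t pos;
    uint32_t cap;
} ser_buf;

/* Mirrors one field store in E00442620:
 *   if (data) { if (pos + n > cap) throw; store; }  pos += n;
 * Differences: returns false instead of throwing, and uses the wrap-safe
 * form of the check (valid because pos <= cap holds in write mode). */
static bool ser_put(ser_buf *b, const void *v, uint32_t n) {
    if (b->data != NULL) {
        if (n > b->cap - b->pos)      /* overflow check precedes the store */
            return false;
        memcpy(b->data + b->pos, v, n);
    }
    b->pos += n;                      /* advanced in both passes */
    return true;
}

/* A constructed record type; its fields are this example's, not the layout
 * of the object E00442620 serializes. */
typedef struct {
    uint32_t pid;
    uint64_t timestamp;
    uint32_t flags;
} record;

static bool ser_record(ser_buf *b, const record *r) {
    return ser_put(b, &r->pid, sizeof r->pid)
        && ser_put(b, &r->timestamp, sizeof r->timestamp)
        && ser_put(b, &r->flags, sizeof r->flags);
}

/* Two-pass use. out == NULL: return the size the record needs.
 * Otherwise write into out[0..out_cap) and return bytes written, or 0 when
 * the capacity check fails (the path on which the decompiled code throws). */
size_t serialize_record(const record *r, uint8_t *out, size_t out_cap) {
    ser_buf m = { NULL, 0, 0 };
    (void)ser_record(&m, r);          /* cannot fail: measure mode never stores */
    if (out == NULL)
        return m.pos;
    if (out_cap > UINT32_MAX)
        out_cap = UINT32_MAX;
    ser_buf w = { out, 0, (uint32_t)out_cap };
    if (!ser_record(&w, r))
        return 0;
    return w.pos;
}

/* Serializes a constructed sample record into a buffer of `cap` bytes and
 * round-trips the fields back out. Returns the bytes written (16 for this
 * record) or 0 when cap is too small or the round trip disagrees. */
size_t ser_demo(size_t cap) {
    const record r = { 1234u, 0x0102030405060708ULL, 7u };   /* constructed */
    uint8_t out[64];
    if (cap > sizeof out)
        cap = sizeof out;
    size_t need = serialize_record(&r, NULL, 0);
    size_t n = serialize_record(&r, out, cap);
    if (n == 0 || n != need)
        return 0;
    uint32_t pid, flags;
    uint64_t ts;
    memcpy(&pid, out, sizeof pid);
    memcpy(&ts, out + 4, sizeof ts);
    memcpy(&flags, out + 12, sizeof flags);
    return (pid == r.pid && ts == r.timestamp && flags == r.flags) ? n : 0;
}

int main(void) {
    printf("cap 64 -> %zu bytes, cap 16 -> %zu, cap 15 -> %zu\n",
           ser_demo(64), ser_demo(16), ser_demo(15));
    return 0;
}
```

      When triaging a routine like this, the measure-then-write structure is the thing to confirm first: the capacity check is only reachable when the data pointer is set, so a fuzzing harness that always supplies a real buffer will exercise the throw path, while one that supplies a NULL pointer will only exercise the counting path and never reach the bounds check.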

      C-Code - Quality: 83%
      			E0044C7B0(void* __ebx, void* __ecx, void* __edx, void* __edi, signed int _a8, wchar_t* _a12, int* _a16) {
      				intOrPtr _v8;
      				signed int _v16;
      				signed int _v20;
      				signed int _v24;
      				signed int _v28;
      				signed int _v32;
      				signed int _v36;
      				signed int _v40;
      				signed int _v44;
      				signed int _v48;
      				signed int _v52;
      				signed int _t96;
      				signed int _t99;
      				signed int _t119;
      
      				_push(0xffffffff);
      				_push(E0048AF50);
      				_push( *[fs:0x0]);
      				_t96 =  *0x4bb1dc; // 0x2927074f
      				_push(_t96 ^ _t119);
      				 *[fs:0x0] =  &_v16;
      				_t99 = _a8;
      				if(_t99 > 0xb) {
      					 *[fs:0x0] = _v16;
      					return L"<bad>";
      				} else {
      					switch( *((intOrPtr*)(_t99 * 4 +  &M0044CC28))) {
      						case 0:
      							if( *0x4bd0a0 == 0) {
      								_t101 = E0046A170(__ecx + 8);
      								 *[fs:0x0] = _v16;
      								return _t101;
      							} else {
      								_t102 = E0046A170(__ecx + 0x50);
      								 *[fs:0x0] = _v16;
      								return _t102;
      							}
      							goto L28;
      						case 1:
      							__edx =  *((intOrPtr*)(__ecx + 0x14));
      							__eax = E004711AE(__eax, __ecx, __edx);
      							asm("divsd xmm0, [0x4962f8]");
      							__eax = _a16;
      							__esp = __esp - 8;
      							__esi = _a12;
      							asm("movsd [esp], xmm0");
      							swprintf(__esi,  *_a16, L"%.07f") = __esi;
      							__ecx = _v16;
      							 *[fs:0x0] = _v16;
      							_pop(__ecx);
      							_pop(__esi);
      							return __esi;
      							goto L28;
      						case 2:
      							__eax =  &_a8;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_a8,  *((intOrPtr*)(__ecx + 0x18)), 0, 0);
      							_v8 = 0;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _a8;
      							_v8 = 0xffffffff;
      							if(__ecx != 0) {
      								__eax = E0046A700(__ecx);
      							}
      							goto L8;
      						case 3:
      							__eax =  &_v20;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v20,  *((intOrPtr*)(__ecx + 0x1c)), 0, 0);
      							_v8 = 1;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v20;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L8;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L28;
      						case 4:
      							__eax =  &_v24;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v24,  *((intOrPtr*)(__ecx + 0x20)), 0, 0);
      							_v8 = 2;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v24;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L8;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L28;
      						case 5:
      							__eax =  &_v28;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v28,  *((intOrPtr*)(__ecx + 0x24)), 0, 0);
      							_v8 = 3;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v28;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L8;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L28;
      						case 6:
      							__eax =  &_v32;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v32,  *((intOrPtr*)(__ecx + 0x28)), 0, 0);
      							_v8 = 4;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v32;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L8;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L28;
      						case 7:
      							__eax =  &_v36;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v36,  *((intOrPtr*)(__ecx + 0x30)),  *((intOrPtr*)(__ecx + 0x34)), 0);
      							_v8 = 5;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v36;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L8;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L28;
      						case 8:
      							__eax =  &_v40;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v40,  *((intOrPtr*)(__ecx + 0x38)),  *((intOrPtr*)(__ecx + 0x3c)), 0);
      							_v8 = 6;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v40;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L8;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L28;
      						case 9:
      							__eax =  &_v44;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v44,  *((intOrPtr*)(__ecx + 0x40)), 0, 0);
      							_v8 = 7;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v44;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L8;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L28;
      						case 0xa:
      							__eax =  &_v48;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v48,  *((intOrPtr*)(__ecx + 0x44)), 0, 0);
      							_v8 = 8;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v48;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								goto L8;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L28;
      						case 0xb:
      							__eax =  &_v52;
      							__ecx = E00436C80(__ebx, __edx, __edi,  &_v52,  *((intOrPtr*)(__ecx + 0x48)), 0, 0);
      							_v8 = 9;
      							__eax = E0046A170(__eax);
      							__esi = _a12;
      							_a16 = E0046EF0C(__esi,  *_a16, _a16);
      							__ecx = _v52;
      							_v8 = 0xffffffff;
      							if(__ecx == 0) {
      								L8:
      								__eax = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							} else {
      								E0046A700(__ecx) = __esi;
      								__ecx = _v16;
      								 *[fs:0x0] = _v16;
      								_pop(__ecx);
      								_pop(__esi);
      								return __esi;
      							}
      							goto L28;
      					}
      				}
      				L28:
      			}

      Instruction addresses for the listing above (in listing order):
      0x0044c7b3 0x0044c7b5 0x0044c7c0 0x0044c7c5 0x0044c7cc 0x0044c7d0 0x0044c7d6 0x0044c7dc
      0x0044cc19 0x0044cc25 0x0044c7e2 0x0044c7e2 0x00000000 0x0044c7f0 0x0044c80f 0x0044c817
      0x0044c823 0x0044c7f2 0x0044c7f5 0x0044c7fd 0x0044c809 0x0044c809 0x00000000 0x00000000
      0x0044c826 0x0044c82c 0x0044c831 0x0044c839 0x0044c83c 0x0044c83f 0x0044c842 0x0044c857
      0x0044c859 0x0044c85c 0x0044c863 0x0044c864 0x0044c868 0x00000000 0x00000000 0x0044c872
      0x0044c87e 0x0044c880 0x0044c887 0x0044c88c 0x0044c896 0x0044c89b 0x0044c8a1 0x0044c8aa
      0x0044c8ac 0x0044c8ac 0x00000000 0x00000000 0x0044c8cc 0x0044c8d8 0x0044c8da 0x0044c8e1
      0x0044c8e6 0x0044c8f0 0x0044c8f5 0x0044c8fb 0x0044c904 0x00000000 0x0044c906 0x0044c90b
      0x0044c90d 0x0044c910 0x0044c917 0x0044c918 0x0044c91c 0x0044c91c 0x00000000 0x00000000
      0x0044c926 0x0044c932 0x0044c934 0x0044c93b 0x0044c940 0x0044c94a 0x0044c94f 0x0044c955
      0x0044c95e 0x00000000 0x0044c964 0x0044c969 0x0044c96b 0x0044c96e 0x0044c975 0x0044c976
      0x0044c97a 0x0044c97a 0x00000000 0x00000000 0x0044c984 0x0044c990 0x0044c992 0x0044c999
      0x0044c99e 0x0044c9a8 0x0044c9ad 0x0044c9b3 0x0044c9bc 0x00000000 0x0044c9c2 0x0044c9c7
      0x0044c9c9 0x0044c9cc 0x0044c9d3 0x0044c9d4 0x0044c9d8 0x0044c9d8 0x00000000 0x00000000
      0x0044c9e2 0x0044c9ee 0x0044c9f0 0x0044c9f7 0x0044c9fc 0x0044ca06 0x0044ca0b 0x0044ca11
      0x0044ca1a 0x00000000 0x0044ca20 0x0044ca25 0x0044ca27 0x0044ca2a 0x0044ca31 0x0044ca32
      0x0044ca36 0x0044ca36 0x00000000 0x00000000 0x0044ca3e 0x0044ca4d 0x0044ca4f 0x0044ca56
      0x0044ca5b 0x0044ca65 0x0044ca6a 0x0044ca70 0x0044ca79 0x00000000 0x0044ca7f 0x0044ca84
      0x0044ca86 0x0044ca89 0x0044ca90 0x0044ca91 0x0044ca95 0x0044ca95 0x00000000 0x00000000
      0x0044ca9d 0x0044caac 0x0044caae 0x0044cab5 0x0044caba 0x0044cac4 0x0044cac9 0x0044cacf
      0x0044cad8 0x00000000 0x0044cade 0x0044cae3 0x0044cae5 0x0044cae8 0x0044caef 0x0044caf0
      0x0044caf4 0x0044caf4 0x00000000 0x00000000 0x0044cafe 0x0044cb0a 0x0044cb0c 0x0044cb13
      0x0044cb18 0x0044cb22 0x0044cb27 0x0044cb2d 0x0044cb36 0x00000000 0x0044cb3c 0x0044cb41
      0x0044cb43 0x0044cb46 0x0044cb4d 0x0044cb4e 0x0044cb52 0x0044cb52 0x00000000 0x00000000
      0x0044cb5c 0x0044cb68 0x0044cb6a 0x0044cb71 0x0044cb76 0x0044cb80 0x0044cb85 0x0044cb8b
      0x0044cb94 0x00000000 0x0044cb9a 0x0044cb9f 0x0044cba1 0x0044cba4 0x0044cbab 0x0044cbac
      0x0044cbb0 0x0044cbb0 0x00000000 0x00000000 0x0044cbba 0x0044cbc6 0x0044cbc8 0x0044cbcf
      0x0044cbd4 0x0044cbde 0x0044cbe3 0x0044cbe9 0x0044cbf2 0x0044c8b1 0x0044c8b1 0x0044c8b3
      0x0044c8b6 0x0044c8bd 0x0044c8be 0x0044c8c2 0x0044cbf8 0x0044cbfd 0x0044cbff 0x0044cc02
      0x0044cc09 0x0044cc0a 0x0044cc0e 0x0044cc0e 0x00000000 0x00000000 0x0044c7e2 0x00000000

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: swprintf
      • String ID: %.07f$<bad>
      • API String ID: 233258989-1688304963
      • Opcode ID: f97b11a938c8f6e8c892d75de4397b3444a1f2f01d19790cf54c8d0a34b7e87a
      • Instruction ID: 7f03533bf13a7d45c7fc50e1c8a30f80bd87730389c464761d3c515e4770393a
      • Opcode Fuzzy Hash: f97b11a938c8f6e8c892d75de4397b3444a1f2f01d19790cf54c8d0a34b7e87a
      • Instruction Fuzzy Hash: 61D1DC72A05609AFDF14EF98DC02B9E73B4EF48314F10415FF815A7381E73699218B9A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E00425610(struct HWND__* _a4, intOrPtr _a8, char* _a12) {
      				int _v8;
      				char _v16;
      				signed int _v20;
      				char _v8212;
      				int _v8216;
      				intOrPtr _v8220;
      				signed short* _v8224;
      				signed int _v8228;
      				struct HWND__* _v8232;
      				intOrPtr _v8236;
      				intOrPtr _v8240;
      				intOrPtr _v8244;
      				intOrPtr _v8248;
      				intOrPtr _v8252;
      				intOrPtr _v8288;
      				char _v8292;
      				intOrPtr _v8320;
      				char* _v8324;
      				intOrPtr _v8336;
      				void* _v8344;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t82;
      				signed int _t83;
      				intOrPtr _t91;
      				int _t92;
      				intOrPtr _t94;
      				intOrPtr _t99;
      				intOrPtr _t101;
      				intOrPtr _t106;
      				intOrPtr _t109;
      				void* _t114;
      				void* _t123;
      				void* _t125;
      				intOrPtr _t129;
      				intOrPtr _t130;
      				void* _t131;
      				char* _t132;
      				intOrPtr* _t134;
      				void* _t147;
      				signed int _t148;
      				void* _t152;
      				struct HWND__* _t154;
      				void* _t155;
      				intOrPtr* _t156;
      				signed int _t158;
      				long _t160;
      				int _t161;
      				void* _t162;
      				void* _t163;
      				signed int _t164;
      				void* _t165;
      				void* _t166;
      
      				_push(0xffffffff);
      				_push(E0048835B);
      				_push( *[fs:0x0]);
      				E00472600(0x2088);
      				_t82 =  *0x4bb1dc; // 0x2927074f
      				_t83 = _t82 ^ _t164;
      				_v20 = _t83;
      				_push(_t83);
      				 *[fs:0x0] =  &_v16;
      				_t129 = _a8;
      				_t154 = _a4;
      				_v8232 = _t154;
      				_v8240 = _t129;
      				_v8220 = (0 | ( *(_t129 + 0xc) & 0x00000001) != 0x00000000) * 2 - 1;
      				_t160 = SendMessageW(_t154, 0x1042, 0, 0);
      				if(_t160 != 0xffffffff) {
      					_t161 = _t160 + _v8220;
      					__eflags = _t161;
      				} else {
      					if(_v8220 <= 0) {
      						_t16 = E00416870(0x4bca10) - 1; // -1
      						_t161 = _t16;
      					} else {
      						_t161 = 0;
      					}
      				}
      				_v8216 = _t161;
      				_t90 =  !=  ? E0047262B : L0046FE7B;
      				_t134 =  *((intOrPtr*)(_t129 + 0x10));
      				_v8252 =  !=  ? E0047262B : L0046FE7B;
      				_t152 = _t134 + 2;
      				do {
      					_t91 =  *_t134;
      					_t134 = _t134 + 2;
      				} while (_t91 != 0);
      				_t173 = _v8220;
      				_v8228 = _t134 - _t152 >> 1;
      				if(_v8220 <= 0) {
      					_t92 = _t161;
      				} else {
      					_t92 = E00416870(0x4bca10) - _t161;
      				}
      				E0040C870( &_v8292, _t152, _t173, _t154, L"Searching", _t92, _a12);
      				_v8 = 0;
      				_t94 = E0042FBF0(_t154);
      				_t166 = _t165 + 4;
      				_t130 = _t94;
      				_v8244 = _t130;
      				if(_t161 >= E00416870(0x4bca10)) {
      					L28:
      					_v8 = 0xffffffff;
      					E0040C9C0( &_v8292);
      					goto L29;
      				} else {
      					do {
      						_t99 = 0;
      						_v8236 = 0;
      						if(_t130 <= 0) {
      							L26:
      							if( *_a12 != 0) {
      								goto L28;
      							}
      							goto L27;
      						} else {
      							goto L13;
      						}
      						do {
      							L13:
      							_v8336 = _t99;
      							_v8212 = 0;
      							_v8324 =  &_v8212;
      							_v8320 = 0x1000;
      							SendMessageW(_t154, 0x1073, _t161,  &_v8344);
      							_t156 =  &_v8212;
      							_t147 = _t156 + 2;
      							do {
      								_t106 =  *_t156;
      								_t156 = _t156 + 2;
      							} while (_t106 != 0);
      							_t163 = 0;
      							_t148 = _v8228;
      							_t158 = _t156 - _t147 >> 1;
      							_t109 = _t158 - _t148 + 1;
      							_v8248 = _t109;
      							if(_t109 <= 0) {
      								goto L25;
      							}
      							_t132 =  &_v8212;
      							_v8224 = _t132 + _t148 * 2;
      							do {
      								_t114 = _v8252(_t132,  *((intOrPtr*)(_v8240 + 0x10)), _t148);
      								_t166 = _t166 + 0xc;
      								if(_t114 != 0) {
      									goto L23;
      								}
      								if(( *(_v8240 + 0xc) & 0x00000002) == 0) {
      									L30:
      									E004366B0(_v8232, _v8216, 1);
      									_v8 = 0xffffffff;
      									E0040C9C0( &_v8292);
      									L29:
      									 *[fs:0x0] = _v16;
      									_pop(_t155);
      									_pop(_t162);
      									_pop(_t131);
      									return E0046F77E(_t131, _v20 ^ _t164, _t152, _t155, _t162);
      								}
      								if(_t163 <= 0) {
      									L21:
      									if(_v8228 + _t163 >= _t158) {
      										goto L30;
      									}
      									_t123 = E004722F3(_t148,  *_v8224 & 0x0000ffff);
      									_t166 = _t166 + 4;
      									if(_t123 == 0) {
      										goto L30;
      									}
      									goto L23;
      								}
      								_t125 = E004722F3(_t148,  *(_t132 - 2) & 0x0000ffff);
      								_t166 = _t166 + 4;
      								if(_t125 != 0) {
      									goto L23;
      								}
      								goto L21;
      								L23:
      								_v8224 =  &(_v8224[1]);
      								_t163 = _t163 + 1;
      								_t148 = _v8228;
      								_t132 = _t132 + 2;
      							} while (_t163 < _v8248);
      							_t130 = _v8244;
      							L25:
      							_t161 = _v8216;
      							_t99 = _v8236 + 1;
      							_t154 = _v8232;
      							_v8236 = _t99;
      						} while (_t99 < _t130);
      						goto L26;
      						L27:
      						_t101 = E00416870(0x4bca10);
      						_t161 = _t161 + _v8220;
      						_v8288 = _v8288 + 1;
      						_v8292 = _t101;
      						_v8216 = _t161;
      					} while (_t161 < E00416870(0x4bca10));
      					goto L28;
      				}
      			}

      Instruction addresses for the listing above (in listing order):
      0x00425613 0x00425615 0x00425620 0x00425626 0x0042562b 0x00425630 0x00425632 0x00425638
      0x0042563c 0x00425642 0x0042564a 0x0042565d 0x00425664 0x00425671 0x0042567d 0x00425682
      0x004256a0 0x004256a0 0x00425684 0x0042568b 0x0042569b 0x0042569b 0x0042568d 0x0042568d
      0x0042568d 0x0042568b 0x004256b4 0x004256ba 0x004256bd 0x004256c0 0x004256c6 0x004256d0
      0x004256d0 0x004256d3 0x004256d6 0x004256df 0x004256e6 0x004256ec 0x004256fc 0x004256ee
      0x004256f8 0x004256f8 0x0042570e 0x00425714 0x0042571b 0x00425720 0x00425723 0x0042572a
      0x00425737 0x004258b3 0x004258b9 0x004258c0 0x00000000 0x00425740 0x00425740 0x00425740
      0x00425742 0x0042574a 0x00425877 0x0042587d 0x00000000 0x00000000 0x00000000 0x00000000
      0x00000000 0x00000000 0x00425750 0x00425750 0x00425750 0x0042575e 0x00425765 0x00425779
      0x00425783 0x00425789 0x0042578f 0x00425792 0x00425792 0x00425795 0x00425798 0x0042579f
      0x004257a1 0x004257a7 0x004257ad 0x004257ae 0x004257b6 0x00000000 0x00000000 0x004257bc
      0x004257c7 0x004257d0 0x004257db 0x004257e1 0x004257e6 0x00000000 0x00000000 0x004257f2
      0x004258e3 0x004258f1 0x004258f9 0x00425906 0x004258c7 0x004258ca 0x004258d2 0x004258d3
      0x004258d4 0x004258e2 0x004258e2 0x004257fa 0x0042580d 0x00425817 0x00000000 0x00000000
      0x00425827 0x0042582c 0x00425831 0x00000000 0x00000000 0x00000000 0x00425831 0x00425801
      0x00425806 0x0042580b 0x00000000 0x00000000 0x00000000 0x00425837 0x00425837 0x0042583e
      0x0042583f 0x00425845 0x00425848 0x00425850 0x00425856 0x0042585c 0x00425862 0x00425863
      0x00425869 0x0042586f 0x00000000 0x0042587f 0x00425884 0x00425889 0x00425894 0x0042589a
      0x004258a0 0x004258ab 0x00000000 0x00425740

      APIs
      • SendMessageW.USER32(?,00001042,00000000,00000000), ref: 00425677
      • SendMessageW.USER32 ref: 00425783
        • Part of subcall function 004366B0: SendMessageW.USER32(?,0000102B,000000FF,?), ref: 004366DC
        • Part of subcall function 004366B0: SendMessageW.USER32(?,00001043,00000000,?), ref: 004366EA
        • Part of subcall function 004366B0: SendMessageW.USER32(?,0000102B,?,?), ref: 00436705
        • Part of subcall function 004366B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 00436710
        • Part of subcall function 004366B0: SetFocus.USER32(?,?,?,?,?,?,?), ref: 00436719
        • Part of subcall function 0040C9C0: Sleep.KERNEL32(00000032,?,749682C0,0043ACBC,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0040C9D7
        • Part of subcall function 0040C9C0: SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0040C9EB
        • Part of subcall function 0040C9C0: WaitForSingleObject.KERNEL32(?,000000FF,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0040C9F6
        • Part of subcall function 0040C9C0: CloseHandle.KERNEL32(?,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0040C9FF
        • Part of subcall function 0040C9C0: GetDesktopWindow.USER32 ref: 0040CA13
        • Part of subcall function 0040C9C0: EnableWindow.USER32(?,00000001), ref: 0040CA1C
        • Part of subcall function 0040C9C0: GetParent.USER32(?), ref: 0040CA23
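      The second argument of each SendMessageW call in the APIs list above is a raw window-message number. 0x1042, 0x102B, 0x1043 and 0x1013 (and 0x1073 in the listing itself) lie in the ListView range (LVM_FIRST = 0x1000) and 0x0111 is WM_COMMAND, which fits the list-view search loop around the "Searching" string in E00425610 rather than anything network- or persistence-related. The Python below is an added triage helper, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's APIs format, resolves the constants it knows (names from commctrl.h and winuser.h) and classifies the rest by control family. Its sample input is copied from this section's APIs list; the HDM_* entries also cover the 0x1200 and 0x120B messages sent in E00406640 further down.

```python
import re
from collections import Counter

# Input lines constructed by copying "APIs" entries of the E00425610 section of the report.
SAMPLE_API_LINES = [
    "SendMessageW.USER32(?,00001042,00000000,00000000), ref: 00425677",
    "SendMessageW.USER32 ref: 00425783",
    "Part of subcall function 004366B0: SendMessageW.USER32(?,0000102B,000000FF,?), ref: 004366DC",
    "Part of subcall function 004366B0: SendMessageW.USER32(?,00001043,00000000,?), ref: 004366EA",
    "Part of subcall function 004366B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 00436710",
    "Part of subcall function 0040C9C0: Sleep.KERNEL32(00000032,?,749682C0,0043ACBC,?,0044703B,0045F84E,00000000,?,00000000,445817), ref: 0040C9D7",
    "Part of subcall function 0040C9C0: SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0040C9EB",
]

# Message constants from winuser.h / commctrl.h.
WM_USER = 0x0400
LVM_FIRST = 0x1000
HDM_FIRST = 0x1200
MESSAGE_NAMES = {
    0x0111: "WM_COMMAND",
    LVM_FIRST + 19: "LVM_ENSUREVISIBLE",
    LVM_FIRST + 43: "LVM_SETITEMSTATE",
    LVM_FIRST + 66: "LVM_GETSELECTIONMARK",
    LVM_FIRST + 67: "LVM_SETSELECTIONMARK",
    LVM_FIRST + 115: "LVM_GETITEMTEXTW",
    HDM_FIRST + 0: "HDM_GETITEMCOUNT",
    HDM_FIRST + 11: "HDM_GETITEMW",
}
# Each common control reserves 0x100 message numbers above its *_FIRST value.
CONTROL_FAMILIES = [
    (0x1000, 0x10FF, "ListView (LVM_*)"),
    (0x1100, 0x11FF, "TreeView (TVM_*)"),
    (0x1200, 0x12FF, "Header (HDM_*)"),
    (0x1300, 0x13FF, "Tab (TCM_*)"),
]

# Report format: "<Api>.<MODULE>(<args>), ref: <addr>"; some lines carry no argument list.
_CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)


def control_family(msg):
    """Coarse classification of a message number when no exact name is known."""
    if msg < WM_USER:
        return "system window message (WM_*)"
    for lo, hi, label in CONTROL_FAMILIES:
        if lo <= msg <= hi:
            return label
    return "unknown / application-defined"


def message_name(msg):
    """Exact symbolic name if known, otherwise '<family> + <offset>'."""
    if msg in MESSAGE_NAMES:
        return MESSAGE_NAMES[msg]
    for lo, hi, label in CONTROL_FAMILIES:
        if lo <= msg <= hi:
            return f"{label} + {msg - lo}"
    return f"0x{msg:04X} ({control_family(msg)})"


def parse_api_line(line):
    """Parse one APIs entry; returns None for lines that are not API references."""
    m = _CALL_RE.search(line)
    if not m:
        return None
    raw_args = m.group("args")
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    entry = {"api": m.group("api"), "module": m.group("module"),
             "ref": m.group("ref"), "msg": None, "name": None}
    # For SendMessage*, the second argument is the message number (hex in the report).
    if entry["api"].startswith("SendMessage") and len(args) >= 2 and args[1] != "?":
        entry["msg"] = int(args[1], 16)
        entry["name"] = message_name(entry["msg"])
    return entry


def decode_api_lines(lines):
    return [e for e in map(parse_api_line, lines) if e is not None]


def family_summary(entries):
    """Count resolved SendMessage calls per control family: a quick GUI-code-or-not read."""
    return Counter(control_family(e["msg"]) for e in entries if e["msg"] is not None)


if __name__ == "__main__":
    decoded = decode_api_lines(SAMPLE_API_LINES)
    for e in decoded:
        print(f'{e["ref"]}: {e["api"]} {e["name"] or "(message unresolved)"}')
    print(dict(family_summary(decoded)))
```

      Calls whose message argument the sandbox could not recover (the "?" placeholders, or lines with no argument list) are kept in the output with the message left unresolved, so a reader sees how much of the picture is actually missing instead of silently dropping those calls.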
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend$Window$CloseDesktopEnableFocusHandleObjectParentSingleSleepWait
      • String ID: Searching
      • API String ID: 2581860014-291028053
      • Opcode ID: 9bbca2b5e1d229a4eb8b955f866bf584321636a0e2b5f615a8de53d2c929a686
      • Instruction ID: 17e8be69534531964609fe764c964fb261c66496f2e575be0c38dba66ed182d6
      • Opcode Fuzzy Hash: 9bbca2b5e1d229a4eb8b955f866bf584321636a0e2b5f615a8de53d2c929a686
      • Instruction Fuzzy Hash: 4081AE71E00328CBDB24DF25DC8979AB7B5AB08314F4041EBE909A7282E7749E95CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 81%
      			E00468070(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
      				signed int _v8;
      				char _v16;
      				signed int _v20;
      				char _v52;
      				signed int _v56;
      				char _v60;
      				char _v64;
      				char _v68;
      				intOrPtr _v72;
      				intOrPtr* _v76;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t39;
      				signed int _t40;
      				intOrPtr _t43;
      				intOrPtr* _t46;
      				void* _t63;
      				signed int _t64;
      				void* _t66;
      				char _t67;
      				intOrPtr _t69;
      				void* _t80;
      				intOrPtr* _t82;
      				void* _t83;
      				intOrPtr _t85;
      				char _t86;
      				void* _t87;
      				signed int _t88;
      
      				_t80 = __edx;
      				_push(0xffffffff);
      				_push(E0048CEF3);
      				_push( *[fs:0x0]);
      				_t39 =  *0x4bb1dc; // 0x2927074f
      				_t40 = _t39 ^ _t88;
      				_v20 = _t40;
      				_push(_t63);
      				_push(_t40);
      				 *[fs:0x0] =  &_v16;
      				_t82 = _a4;
      				_t85 = _a8;
      				_v76 = _t82;
      				_v56 = 0;
      				if(_a12 != 0) {
      					_t43 = E00471495(E00471495(_t85, 0x5c), 0x2e);
      					_v72 = _t43;
      					if(_t43 == 0) {
      						_t86 = E0046A6C0(_t63, _t85, E0046A530(_t85));
      						_v64 = _t86;
      						_t46 =  &_v64;
      						_v8 = 2;
      						_t64 = 4;
      					} else {
      						_t46 = E00434E40(_t43 - _t85 >> 1,  &_v68, _t85, _t43 - _t85 >> 1);
      						_t86 = _v64;
      						_t64 = 2;
      						_v8 = 1;
      					}
      					_t67 =  *_t46;
      					_v56 = _t64;
      					_v60 = _t67;
      					if(_t67 != 0) {
      						E0046A420(_t67);
      					}
      					_v8 = 4;
      					if((_t64 & 0x00000004) != 0) {
      						_t64 = _t64 & 0xfffffffb;
      						_v56 = _t64;
      						if(_t86 != 0) {
      							E0046A700(_t86);
      						}
      					}
      					_v8 = 5;
      					if((_t64 & 0x00000002) != 0) {
      						_t75 = _v68;
      						_t64 = _t64 & 0xfffffffd;
      						_v56 = _t64;
      						if(_v68 != 0) {
      							E0046A700(_t75);
      						}
      					}
      					E0043EDA0( &_v52, L"-%d", _a12);
      					E0046A390( &_v60,  &_v52);
      					_t51 = _v72;
      					if(_v72 != 0) {
      						E0046A390( &_v60, _t51);
      					}
      					_t69 = _v60;
      					 *_t82 = _t69;
      					if(_t69 != 0) {
      						E0046A420(_t69);
      						_t69 = _v60;
      					}
      					_v8 = 0;
      					_v56 = _t64 | 0x00000001;
      					if(_t69 != 0) {
      						E0046A700(_t69);
      					}
      					goto L19;
      				} else {
      					 *_t82 = E0046A6C0(_t63, _t85, E0046A530(_t85));
      					L19:
      					 *[fs:0x0] = _v16;
      					_pop(_t83);
      					_pop(_t87);
      					_pop(_t66);
      					return E0046F77E(_t66, _v20 ^ _t88, _t80, _t83, _t87);
      				}
      			}

      Instruction addresses for the listing above (in listing order):
      0x00468070 0x00468073 0x00468075 0x00468080 0x00468084 0x00468089 0x0046808b 0x0046808e
      0x00468091 0x00468095 0x0046809f 0x004680a2 0x004680a5 0x004680a8 0x004680af 0x004680d3
      0x004680db 0x004680e0 0x00468114 0x00468119 0x0046811c 0x0046811f 0x00468126 0x004680e2
      0x004680ee 0x004680f6 0x004680f9 0x004680fe 0x004680fe 0x0046812b 0x0046812d 0x00468130
      0x00468135 0x00468137 0x00468137 0x0046813c 0x00468146 0x00468148 0x0046814b 0x00468150
      0x00468154 0x00468154 0x00468150 0x00468159 0x00468160 0x00468162 0x00468165 0x00468168
      0x0046816d 0x0046816f 0x0046816f 0x0046816d 0x00468180 0x0046818f 0x00468194 0x00468199
      0x0046819f 0x0046819f 0x004681a4 0x004681a7 0x004681ab 0x004681ad 0x004681b2 0x004681b2
      0x004681b8 0x004681bc 0x004681c1 0x004681c3 0x004681c3 0x00000000 0x004680b1 0x004680c1
      0x004681c8 0x004681cd 0x004681d5 0x004681d6 0x004681d7 0x004681e5 0x004681e5

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _wcsrchr
      • String ID: -%d
      • API String ID: 1752292252-1845000455
      • Opcode ID: ec1415df8159465eddbcdd383418f7fe4b3ff4809104977d044ac21721ba3347
      • Instruction ID: a9782d79f1b60a01e616674537f5b58c567ba66da2c61d6de8aadd5c4fd9edf7
      • Opcode Fuzzy Hash: ec1415df8159465eddbcdd383418f7fe4b3ff4809104977d044ac21721ba3347
      • Instruction Fuzzy Hash: F04192B0D01619ABDB14EF95E855BEEB778EF45314F14022FF80167381EB785A018B9A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • _memmove.LIBCMT ref: 00442F2C
      • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00442F66
        • Part of subcall function 0046EADE: std::exception::exception.LIBCMT ref: 0046EAF4
        • Part of subcall function 0046EADE: __CxxThrowException@8.LIBCMT ref: 0046EB09
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Exception@8Internal_throw_exceptionThrow_memmovestd::exception::exception
      • String ID: vector<T> too long
      • API String ID: 3224774664-3788999226
      • Opcode ID: 5cbd6a7f0e9de7a99b8975d6ff37ae1307384e6fee97cbc7e0d2fae0356cb664
      • Instruction ID: 535facabd2452ff9d1a5db512d98c8118e2b5256a4355872e7a83a7785204074
      • Opcode Fuzzy Hash: 5cbd6a7f0e9de7a99b8975d6ff37ae1307384e6fee97cbc7e0d2fae0356cb664
      • Instruction Fuzzy Hash: DC3159727002155BD710DEBDDA8046AF799FB84320768823BF904C3344E675E915C7D8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 15%
      			E00406640(signed int __ecx, signed int __edx, char* _a4) {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _v28;
      				signed int _v36;
      				char _v56;
      				intOrPtr _t29;
      				char* _t30;
      				signed int _t36;
      				signed int _t37;
      				signed int _t44;
      				signed int _t46;
      				signed int _t47;
      				signed int _t48;
      				signed int _t49;
      
      				_t46 = __edx;
      				_t44 = __ecx;
      				_t48 = __ecx;
      				_t29 = SendMessageW( *(__ecx + 0x14), 0x1200, 0, 0) + 1;
      				_t47 = _t46 | 0xffffffff;
      				_t37 = 0;
      				_v12 = _t29;
      				_t49 = 0;
      				_v8 = _t47;
      				if(_t29 > 0) {
      					do {
      						_v56 = 0x24;
      						_push( &_v56);
      						if(_t49 != 0) {
      							_t7 = _t49 - 1; // -1
      							_push(0x120b);
      							_push( *((intOrPtr*)(_t48 + 0x14)));
      						} else {
      							_push(_t49);
      							_push(0x120b);
      							_push( *((intOrPtr*)(_t48 + 0xc)));
      						}
      						SendMessageW();
      						if( *0x4bcb6b == 0) {
      							if((_v36 & 0x00000800) == 0) {
      								goto L9;
      							} else {
      								_t47 = _t49;
      								_v8 = _t47;
      								_t37 = (0 | _v28 !=  *((intOrPtr*)(_t48 + 0xb8))) * 2 - 1;
      							}
      						} else {
      							_t36 = _v36;
      							if((_t36 & 0x00000600) == 0) {
      								L9:
      								_t47 = _v8;
      							} else {
      								_t47 = _t49;
      								_v8 = _t47;
      								asm("sbb ebx, ebx");
      								_t37 = ( ~(_t36 & 0x00000200) & 0xfffffffe) + 1;
      							}
      						}
      						_t49 = _t49 + 1;
      					} while (_t49 < _v12);
      				}
      				_t30 = _a4;
      				if(_t30 != 0) {
      					 *_t30 = _t44 & 0xffffff00 | _t37 < 0x00000000;
      				}
      				return _t47;
      			}

      APIs
      • SendMessageW.USER32(?,00001200,00000000,00000000), ref: 00406657
      • SendMessageW.USER32(?,0000120B,-00000001,00000024), ref: 00406699
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: MessageSend
      • String ID: $
      • API String ID: 3850602802-3993045852
      • Opcode ID: f0c48c779e88a75c88556c100fc41dd620580156fabff6120ada9b722d23a639
      • Instruction ID: 397cd91322a553e6c11feef8ff3f3ce5e08852bfc0958b4324de64d17f6c383c
      • Opcode Fuzzy Hash: f0c48c779e88a75c88556c100fc41dd620580156fabff6120ada9b722d23a639
      • Instruction Fuzzy Hash: E921D330A00615ABE711CFA8D8C5B9EB7B8AB44320F11473AE511B72D0C775A925D7A4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E00464730(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, char _a24) {
      				intOrPtr* _t14;
      				signed int _t15;
      				intOrPtr _t20;
      				intOrPtr* _t22;
      				void* _t23;
      				intOrPtr* _t24;
      				intOrPtr* _t27;
      
      				_t14 = _a20;
      				_t2 =  &_a24; // 0x46455f
      				_t24 =  *_t2;
      				 *_t24 = 0;
      				 *_t14 = 0;
      				__imp__#52(_a4);
      				_t22 = _t14;
      				if(_t22 == 0) {
      					__imp__#111();
      					_t15 = _t14 + 0xffffd507;
      					if(_t15 > 3) {
      						L11:
      						return 0x2af9;
      					} else {
      						switch( *((intOrPtr*)(_t15 * 4 +  &M004647F8))) {
      							case 0:
      								goto L11;
      							case 1:
      								return 0x2afa;
      								goto L14;
      							case 2:
      								return 0x2afb;
      								goto L14;
      						}
      					}
      				} else {
      					if( *((short*)(_t22 + 8)) != 2 ||  *((short*)(_t22 + 0xa)) != 4) {
      						L7:
      						E0047383D(_a20, 0x401,  *_t22, 0x400);
      						return 0;
      					} else {
      						_t27 =  *((intOrPtr*)(_t22 + 0xc));
      						_t19 =  *_t27;
      						if( *_t27 == 0) {
      							goto L7;
      						} else {
      							while(1) {
      								_t20 = E00464660(_t23, _a8, _a12, _a16,  *_t19);
      								 *_t24 = _t20;
      								if(_t20 == 0) {
      									break;
      								}
      								_t27 = _t27 + 4;
      								_t10 = _t20 + 0x1c; // 0x1c
      								_t24 = _t10;
      								_t19 =  *_t27;
      								if( *_t27 != 0) {
      									continue;
      								} else {
      									goto L7;
      								}
      								goto L14;
      							}
      							return 8;
      						}
      					}
      				}
      				L14:
      			}

      APIs
      • gethostbyname.WS2_32(00000000), ref: 00464747
      • WSAGetLastError.WS2_32(?,0046455F,?,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 004647BE
        • Part of subcall function 00464660: _calloc.LIBCMT ref: 00464668
        • Part of subcall function 00464660: _calloc.LIBCMT ref: 0046467A
        • Part of subcall function 00464660: _free.LIBCMT ref: 00464689
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: _calloc$ErrorLast_freegethostbyname
      • String ID: _EF
      • API String ID: 1270084651-2316365690
      • Opcode ID: d5706a44e261e2a060d0342617027367c70bf0a60eca6a28672cf1f5cca81894
      • Instruction ID: 8e7baa64578a7a5ab84137199069d59cbc5fbbcf911f2e6a7fa8f13b6d70c8c6
      • Opcode Fuzzy Hash: d5706a44e261e2a060d0342617027367c70bf0a60eca6a28672cf1f5cca81894
      • Instruction Fuzzy Hash: 5B21A5332001098BDF50AF9CFC40A5AB7A8EF96325F148033F904DB261E77AD865DB96
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 22%
      			E0040A0C9(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
      				struct HWND__* _t23;
      				intOrPtr _t31;
      				intOrPtr* _t32;
      				void* _t39;
      				void* _t51;
      				intOrPtr _t53;
      				void* _t54;
      				intOrPtr* _t55;
      				void* _t56;
      				signed int _t57;
      
      				_t55 = __esi;
      				_t39 = __ebx;
      				E00408C20(__esi, _t51, __edi, __eflags);
      				E00408CF0(__esi, _t51);
      				E00408970(__esi);
      				_t23 =  *(__esi + 8);
      				asm("xorps xmm0, xmm0");
      				 *(_t57 - 0x258) = 0x30;
      				asm("movdqu [ebp-0x250], xmm0");
      				 *(_t57 - 0x254) = 0;
      				asm("movdqu [ebp-0x240], xmm0");
      				 *(_t57 - 0x250) = _t23;
      				asm("movq [ebp-0x230], xmm0");
      				GetClientRect(_t23, _t57 - 0x248);
      				SendMessageW( *(__esi + 0x2c), 0x434, 0, _t57 - 0x258);
      				if( *((intOrPtr*)(_t57 + 0xc)) == 0x31a) {
      					_t31 =  *((intOrPtr*)(__esi + 4));
      					if(_t31 != 0) {
      						 *0x4bc890(_t31);
      					}
      					 *(_t55 + 4) = 0;
      					_t32 =  *0x4bc884; // 0x73c34310
      					if(_t32 != 0 &&  *_t32() != 0) {
      						 *(_t55 + 4) =  *0x4bc888( *((intOrPtr*)(_t57 - 0x2a0)),  *((intOrPtr*)( *((intOrPtr*)( *_t55))))());
      					}
      				}
      				_t53 =  *((intOrPtr*)(_t57 - 0x2b4));
      				 *((intOrPtr*)( *((intOrPtr*)( *_t55 + 4))))( *((intOrPtr*)(_t57 - 0x2a0)),  *((intOrPtr*)(_t57 + 0xc)),  *((intOrPtr*)(_t57 - 0x29c)), _t53);
      				 *[fs:0x0] =  *((intOrPtr*)(_t57 - 0xc));
      				_pop(_t54);
      				_pop(_t56);
      				return E0046F77E(_t39,  *(_t57 - 0x10) ^ _t57, _t51, _t54, _t56);
      			}

      APIs
        • Part of subcall function 00408C20: SetScrollInfo.USER32(?,00000002,?,00000001), ref: 00408CA5
        • Part of subcall function 00408C20: SetScrollInfo.USER32(?,00000002,?,00000001), ref: 00408CC1
        • Part of subcall function 00408CF0: GetClientRect.USER32 ref: 00408D19
        • Part of subcall function 00408CF0: SetScrollInfo.USER32(?,00000002,0000001C,00000001), ref: 00408D84
        • Part of subcall function 00408970: GetClientRect.USER32 ref: 0040898A
        • Part of subcall function 00408970: GetWindowRect.USER32 ref: 00408997
        • Part of subcall function 00408970: GetScrollInfo.USER32 ref: 004089C3
        • Part of subcall function 00408970: GetWindowLongW.USER32(?,000000F0), ref: 004089F0
        • Part of subcall function 00408970: GetSystemMetrics.USER32 ref: 004089FF
        • Part of subcall function 00408970: SetWindowPos.USER32(000007D6,00000000,?,00000000,?,?,00000004), ref: 00408A2A
        • Part of subcall function 00408970: GetClientRect.USER32 ref: 00408A5B
        • Part of subcall function 00408970: SendMessageW.USER32(?,00000434,00000000,00000030), ref: 00408A6F
      • GetClientRect.USER32 ref: 0040A11E
      • SendMessageW.USER32(?,00000434,00000000,00000030), ref: 0040A135
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Rect$ClientInfoScroll$Window$MessageSend$LongMetricsSystem
      • String ID: 0
      • API String ID: 353851528-4108050209
      • Opcode ID: be28b624dc0e1640f58b41b2038280d0e2692426f2e19270e74843baa734f982
      • Instruction ID: 3ce6116ac95e5166c427eb26232effc32cda75a5bf5744eb634b3cde5e05ed6d
      • Opcode Fuzzy Hash: be28b624dc0e1640f58b41b2038280d0e2692426f2e19270e74843baa734f982
      • Instruction Fuzzy Hash: 50219470A106149FDB24DF14DC58BAEB7F4EF88701F0041AEE84AA3290DB749E40CF19
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E0048E240() {
      				intOrPtr _v8;
      				char _v16;
      				char _v17;
      				char _v24;
      				signed int _t15;
      				intOrPtr* _t18;
      				void* _t30;
      				intOrPtr _t42;
      				signed int _t45;
      
      				_push(0xffffffff);
      				_push(E0048C68A);
      				_push( *[fs:0x0]);
      				_t15 =  *0x4bb1dc; // 0x2927074f
      				_push(_t15 ^ _t45);
      				 *[fs:0x0] =  &_v16;
      				_v8 = 0;
      				while( *0x4c2550 > 0) {
      					Sleep(0x64);
      				}
      				_t18 =  *0x4c2554; // 0x780140
      				E00463A00(0x4c2554,  &_v24,  *_t18, _t18);
      				_t42 =  *0x4c2554; // 0x780140
      				E0043E9D0(E0041D520( &_v17), _t42);
      				E0041D520( &_v17);
      				_t7 = _t42 + 4; // 0x780144
      				E0043E9D0(_t7, _t7);
      				E0041D520( &_v17);
      				_t10 = _t42 + 8; // 0x780148
      				E0043E9D0(_t10, _t10);
      				E0041D520( &_v17);
      				_t30 = E0046EF07(_t42);
      				DeleteCriticalSection(0x4c2538);
      				 *[fs:0x0] = _v16;
      				return _t30;
      			}

      APIs
      • Sleep.KERNEL32(00000064,2927074F), ref: 0048E282
      • DeleteCriticalSection.KERNEL32(004C2538), ref: 0048E2F8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalDeleteSectionSleep
      • String ID: T%L
      • API String ID: 2931644207-57508386
      • Opcode ID: 0594a7a083f5470d9ec5b44d162d88c73c5883afb1a16560bd220f5749cbab38
      • Instruction ID: fb3a40922af56abc0d5fef447dda8070e21ae772ce8824ec5caf5c36e2cbe881
      • Opcode Fuzzy Hash: 0594a7a083f5470d9ec5b44d162d88c73c5883afb1a16560bd220f5749cbab38
      • Instruction Fuzzy Hash: 28214F71C10159BBC714EF99DD51FDEB3BDEB04318F00457AE806A3590EBB866488B99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E0048E310() {
      				intOrPtr _v8;
      				char _v16;
      				char _v17;
      				char _v24;
      				signed int _t15;
      				intOrPtr* _t18;
      				void* _t30;
      				intOrPtr _t42;
      				signed int _t45;
      
      				_push(0xffffffff);
      				_push(E0048C6BA);
      				_push( *[fs:0x0]);
      				_t15 =  *0x4bb1dc; // 0x2927074f
      				_push(_t15 ^ _t45);
      				 *[fs:0x0] =  &_v16;
      				_v8 = 0;
      				while( *0x4c2574 > 0) {
      					Sleep(0x64);
      				}
      				_t18 =  *0x4c2578; // 0x784770
      				E004636C0(0x4c2578,  &_v24,  *_t18, _t18);
      				_t42 =  *0x4c2578; // 0x784770
      				E0043E9D0(E0041D520( &_v17), _t42);
      				E0041D520( &_v17);
      				_t7 = _t42 + 4; // 0x784774
      				E0043E9D0(_t7, _t7);
      				E0041D520( &_v17);
      				_t10 = _t42 + 8; // 0x784778
      				E0043E9D0(_t10, _t10);
      				E0041D520( &_v17);
      				_t30 = E0046EF07(_t42);
      				DeleteCriticalSection(0x4c255c);
      				 *[fs:0x0] = _v16;
      				return _t30;
      			}

      APIs
      • Sleep.KERNEL32(00000064,2927074F), ref: 0048E352
      • DeleteCriticalSection.KERNEL32(004C255C), ref: 0048E3C8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalDeleteSectionSleep
      • String ID: pGx
      • API String ID: 2931644207-1247187342
      • Opcode ID: 604550d0f4075bbb71afdd50a7c418a4572b71b318d8f4be24f7e7bf28f2fdf2
      • Instruction ID: 8cb2014d7c4457bcd3e09771ecbb129305098a557330f1fb383d568678628a26
      • Opcode Fuzzy Hash: 604550d0f4075bbb71afdd50a7c418a4572b71b318d8f4be24f7e7bf28f2fdf2
      • Instruction Fuzzy Hash: 45215EB1C10118FBC714EB69DD51B9EB3BDEB04708F00057AA805A3290EBB86A488B99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E0042D6E0(void* __ebx, intOrPtr* __ecx, void* __edx) {
      				signed int _v8;
      				struct _SHFILEINFOW _v700;
      				void* __edi;
      				void* __esi;
      				signed int _t8;
      				long _t10;
      				void* _t20;
      				void* _t26;
      				BYTE* _t27;
      				intOrPtr* _t28;
      				int _t29;
      				signed int _t30;
      
      				_t26 = __edx;
      				_t20 = __ebx;
      				_t8 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t8 ^ _t30;
      				_t28 = __ecx;
      				_t22 =  *__ecx;
      				if( *__ecx == 0) {
      					_t27 = 0;
      				} else {
      					_t27 = E0046A620(_t22);
      				}
      				_t23 =  *_t28;
      				if( *_t28 == 0) {
      					_t10 = 0;
      				} else {
      					_t10 = E00406130(_t23);
      				}
      				_t29 =  *(_t28 + 4);
      				if(_t10 == 0 || CreateIconFromResourceEx(_t27, _t10, 1, 0x30000, _t29, _t29, 0) == 0) {
      					SHGetFileInfoW(L".exe", 0x80,  &_v700, 0x2b4, 0 | _t29 == 0x00000010 | 0x00000110);
      				}
      				return E0046F77E(_t20, _v8 ^ _t30, _t26, _t27, _t29);
      			}

      APIs
      • CreateIconFromResourceEx.USER32 ref: 0042D72B
      • SHGetFileInfoW.SHELL32(.exe,00000080,?,000002B4,00000000), ref: 0042D759
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateFileFromIconInfoResource
      • String ID: .exe
      • API String ID: 3733809802-4119554291
      • Opcode ID: 650b0fe9a0a07c4da53f57ba7f25a20f2b512e3fb0125aaa978cf1b7a096c291
      • Instruction ID: 8eea3f7fe4c7512ef7920a56185b9e34801518f25619bf9ee555e15c9f6e6b11
      • Opcode Fuzzy Hash: 650b0fe9a0a07c4da53f57ba7f25a20f2b512e3fb0125aaa978cf1b7a096c291
      • Instruction Fuzzy Hash: 40012D31B013246BEB74AE69AC45F7BB3ACDF44B10F50057EFC45E3280EB68AC008699
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E0044C377(void* __ebx) {
      				void* __edi;
      				void* __esi;
      				signed int _t20;
      				signed int _t21;
      				int* _t22;
      				void* _t23;
      				void* _t25;
      				void* _t26;
      				void* _t27;
      				intOrPtr* _t28;
      				intOrPtr _t29;
      				intOrPtr _t34;
      				struct HMENU__* _t35;
      				void* _t36;
      				void* _t38;
      				int _t39;
      				void* _t40;
      				void* _t41;
      				signed int _t42;
      
      				_t25 = __ebx;
      				do {
      					asm("xorps xmm0, xmm0");
      					 *(_t42 - 0x240) = 0x30;
      					asm("movq [ebp-0x218], xmm0");
      					asm("movdqu [ebp-0x228], xmm0");
      					 *((intOrPtr*)(_t42 - 0x21c)) = _t42 - 0x20c;
      					asm("movdqu [ebp-0x238], xmm0");
      					 *((intOrPtr*)(_t42 - 0x23c)) = 0x44;
      					 *((intOrPtr*)(_t42 - 0x218)) = 0x104;
      					if(GetMenuItemInfoW(_t35, _t39, 1, _t42 - 0x240) == 0) {
      						goto L10;
      					} else {
      						_t20 =  *(_t42 + 0xc);
      						_t28 = _t42 - 0x20c;
      						while(1) {
      							_t34 =  *_t28;
      							if(_t34 !=  *_t20) {
      								break;
      							}
      							if(_t34 == 0) {
      								L7:
      								_t21 = 0;
      							} else {
      								_t34 =  *((intOrPtr*)(_t28 + 2));
      								if(_t34 !=  *((intOrPtr*)(_t20 + 2))) {
      									break;
      								} else {
      									_t28 = _t28 + 4;
      									_t20 = _t20 + 4;
      									if(_t34 != 0) {
      										continue;
      									} else {
      										goto L7;
      									}
      								}
      							}
      							L9:
      							if(_t21 == 0) {
      								_t22 =  *(_t42 - 0x210);
      								if(_t22 != 0) {
      									 *_t22 = _t39;
      								}
      								_t29 =  *((intOrPtr*)(_t42 - 0x22c));
      								_t37 =  !=  ? _t29 : _t35;
      								_t23 =  !=  ? _t29 : _t35;
      								_pop(_t38);
      								_pop(_t41);
      								_pop(_t26);
      								return E0046F77E(_t26,  *(_t42 - 4) ^ _t42, _t34, _t38, _t41);
      							} else {
      								goto L10;
      							}
      							goto L15;
      						}
      						asm("sbb eax, eax");
      						_t21 = _t20 | 0x00000001;
      						goto L9;
      					}
      					L15:
      					L10:
      					_t39 = _t39 + 1;
      				} while (_t39 < _t25);
      				_pop(_t36);
      				_pop(_t40);
      				_pop(_t27);
      				return E0046F77E(_t27,  *(_t42 - 4) ^ _t42, _t34, _t36, _t40);
      				goto L15;
      			}

      APIs
      • GetMenuItemInfoW.USER32(?,00000000,00000001,00000030), ref: 0044C3D0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: InfoItemMenu
      • String ID: 0$D
      • API String ID: 1619232296-1534285997
      • Opcode ID: 9e3fedc07a60d021e6bcd45346b4b51e196bdd9a9b409ad889f59caecbca3f07
      • Instruction ID: b3510b946a45e2c270118e24e0d9b5ac621febcf0d0ff70a8ea9d4f9177d0a9b
      • Opcode Fuzzy Hash: 9e3fedc07a60d021e6bcd45346b4b51e196bdd9a9b409ad889f59caecbca3f07
      • Instruction Fuzzy Hash: DE11C271D112198AEB70DF11C9C43FAB3B5EFA4350F2402EAD949A6201EB758BC1CB54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E004595D0(struct HWND__* _a4, void* _a8, short* _a12) {
      				signed int _v8;
      				int _v12;
      				int _v48;
      				char _v52;
      				void* __edi;
      				void* __esi;
      				signed int _t11;
      				void* _t18;
      				void* _t22;
      				short* _t24;
      				void* _t25;
      				void* _t26;
      				signed int _t27;
      
      				_t11 =  *0x4bb1dc; // 0x2927074f
      				_v8 = _t11 ^ _t27;
      				_t26 = _a8;
      				asm("xorps xmm0, xmm0");
      				_t24 = _a12;
      				_v52 = 0x2c;
      				_v48 = 0;
      				asm("movdqu [ebp-0x28], xmm0");
      				_v12 = 0;
      				asm("movdqu [ebp-0x18], xmm0");
      				if(GetWindowPlacement(_a4,  &_v52) != 0) {
      					RegSetValueExW(_t26, _t24, 0, 3,  &_v52, 0x2c);
      				}
      				_pop(_t25);
      				return E0046F77E(_t18, _v8 ^ _t27, _t22, _t25, _t26);
      			}

      APIs
      • GetWindowPlacement.USER32(?,?), ref: 00459612
      • RegSetValueExW.ADVAPI32(?,2927074F,00000000,00000003,0000002C,0000002C), ref: 00459628
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: PlacementValueWindow
      • String ID: ,
      • API String ID: 1267345894-3772416878
      • Opcode ID: b964f7a5a197240ed98693c9c8e52d7ea3bb0ae9680c2775d4e296a536706f37
      • Instruction ID: ec912080b8f327a14370e3315d4ff40dfa7d442689d2a333d7e62e7f9628e64f
      • Opcode Fuzzy Hash: b964f7a5a197240ed98693c9c8e52d7ea3bb0ae9680c2775d4e296a536706f37
      • Instruction Fuzzy Hash: 9701FF71D1021CEBDB10DFA5DC45FEEB7B8EF49710F14416DF900A6240DBB466488B95
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E0045F10D(struct HWND__* __eax, signed int __edx, struct HWND__* __edi) {
      				signed int _t115;
      				intOrPtr _t124;
      				short* _t137;
      				void* _t141;
      				WCHAR* _t145;
      				signed int _t146;
      				intOrPtr _t147;
      				int _t157;
      				int _t160;
      				int _t161;
      				int _t162;
      				int _t163;
      				intOrPtr _t168;
      				int _t169;
      				signed int _t173;
      				signed int _t175;
      				signed int _t178;
      				signed int _t180;
      				signed int _t182;
      				signed int _t194;
      				signed int _t196;
      				signed int _t198;
      				void* _t225;
      				struct HWND__* _t232;
      				signed int _t239;
      				struct HWND__* _t246;
      				void* _t247;
      				void* _t248;
      				struct HINSTANCE__* _t249;
      				void* _t250;
      				void* _t251;
      				struct HWND__* _t273;
      				signed int _t296;
      				struct HWND__* _t297;
      				void* _t298;
      				void* _t299;
      				signed int _t300;
      				void* _t301;
      				void* _t302;
      				void* _t304;
      				void* _t305;
      				struct HWND__* _t307;
      				void* _t308;
      				void* _t309;
      				void* _t310;
      				signed int _t311;
      				signed int _t312;
      				void* _t317;
      				void* _t320;
      				void* _t324;
      				void* _t325;
      				void* _t328;
      				void* _t344;
      
      				_t297 = __edi;
      				_t296 = __edx;
      				 *(_t312 - 0x3f8) = 1;
      				_t246 = __eax;
      				if( *((char*)(_t312 - 0x40e)) != 0) {
      					L99:
      					DialogBoxParamW( *(_t312 - 0x430), L"USAGE", 0, E0040C2C0, 0);
      					goto L1;
      				} else {
      					if( *((intOrPtr*)(_t312 - 0x3f4)) != 1 ||  *((char*)(_t312 - 0x3f9)) != 0 &&  *(_t312 - 0x418) != 0) {
      						 *(_t312 - 0x404) = E0046A6C0(_t246,  *((intOrPtr*)(_t304 + 4)), E0046A530( *((intOrPtr*)(_t304 + 4))));
      						 *(_t312 - 0x428) = E0046A6C0(_t246, L"Invalid argument: ", E0046A530(L"Invalid argument: "));
      						E0046A230(_t312 - 0x41c, _t312 - 0x404);
      						_t256 =  *(_t312 - 0x428);
      						__eflags =  *(_t312 - 0x428);
      						if( *(_t312 - 0x428) != 0) {
      							E0046A700(_t256);
      						}
      						_t257 =  *(_t312 - 0x404);
      						__eflags =  *(_t312 - 0x404);
      						if( *(_t312 - 0x404) != 0) {
      							E0046A700(_t257);
      						}
      						MessageBoxW(0, E0046A170(_t312 - 0x41c), L"Process Monitor", 0x10);
      						_t259 =  *(_t312 - 0x41c);
      						__eflags =  *(_t312 - 0x41c);
      						if( *(_t312 - 0x41c) != 0) {
      							E0046A700(_t259);
      						}
      						goto L99;
      					} else {
      						if(_t246 == 0 || _t297 != 0) {
      							_t114 =  *(_t312 - 0x438);
      							__eflags =  *(_t312 - 0x438);
      							if(__eflags == 0) {
      								__eflags =  *(_t312 - 0x3fa);
      								_t307 = MessageBoxW;
      								if( *(_t312 - 0x3fa) != 0) {
      									__eflags = _t246;
      									if(_t246 == 0) {
      										_t239 = E0046A6C0(_t246, L"The /SaveApplyFilter option is valid only when used with /SaveAs", E0046A530(L"The /SaveApplyFilter option is valid only when used with /SaveAs"));
      										_t317 = _t317 + 0xc;
      										 *(_t312 - 0x404) = _t239;
      										MessageBoxW(_t246, E0046A170(_t312 - 0x404), L"Process Monitor", 0x10);
      										_t294 =  *(_t312 - 0x404);
      										__eflags =  *(_t312 - 0x404);
      										if( *(_t312 - 0x404) != 0) {
      											E0046A700(_t294);
      										}
      									}
      								}
      								_t115 = E00417660(0x4bca10);
      								__eflags = _t115;
      								if(_t115 != 0) {
      									__eflags =  *((char*)(_t312 - 0x40c));
      									if( *((char*)(_t312 - 0x40c)) == 0) {
      										__eflags =  *((char*)(_t312 - 0x409));
      										if( *((char*)(_t312 - 0x409)) == 0) {
      											__eflags =  *((char*)(_t312 - 0x406));
      											if( *((char*)(_t312 - 0x406)) == 0) {
      												E0044D4E0(0x4bdce4, 0x4000000);
      												 *(_t312 - 0x44) = 0x40;
      												 *(_t312 - 0x40) = 0;
      												E00470030(_t312 - 0x3c, 0, 0x38);
      												_t320 = _t317 + 0xc;
      												GlobalMemoryStatusEx(_t312 - 0x44);
      												__eflags =  *((intOrPtr*)(_t312 - 0x15c)) - 6;
      												asm("sbb eax, eax");
      												asm("sbb eax, 0x0");
      												_t124 = E00472240( *((intOrPtr*)(_t312 - 0x3c)) - (_t312 - 0x00000044 & 0xef4f8a00) + 0x1dcd6500 +  *((intOrPtr*)(_t312 - 0x3c)) - (_t312 - 0x00000044 & 0xef4f8a00) + 0x1dcd6500, ( *(_t312 - 0x38) << 0x00000020 |  *((intOrPtr*)(_t312 - 0x3c)) - (_t312 - 0x00000044 & 0xef4f8a00) + 0x1dcd6500) << 1, 3, 0);
      												 *0x4bd2d8 = _t124;
      												 *0x4bd2dc = _t296;
      												__eflags = _t296;
      												if(__eflags > 0) {
      													_t124 = 0x3e800000;
      													_t296 = 0;
      													__eflags = 0;
      													 *0x4bd2d8 = _t124;
      													 *0x4bd2dc = 0;
      												} else {
      													if (__eflags < 0) goto L35;
      													_pop(es);
      												}
      												asm("adc edx, 0x0");
      												 *0x4bd2e0 = _t124 + 0x2000000;
      												 *0x4bd2e4 = _t296;
      												E0040F360(L"SeDebugPrivilege");
      												__imp__OleInitialize(0);
      												E00434860(_t296,  *(_t312 - 0x400), L".PML", L"ProcMon.Logfile.1", L"ProcMon Log File", 1);
      												 *((short*)(_t312 - 0x3f0)) = 0;
      												E00470030(_t312 - 0x3ee, 0, 0x18e);
      												__imp__#115(0x202, _t312 - 0x3f0);
      												E00471C3C(E00453240);
      												E0047331B(1);
      												SetConsoleCtrlHandler(E00446D00, 1);
      												SetProcessShutdownParameters(0x1ff, 1);
      												__eflags =  *0x4bd0a3;
      												_t137 =  ==  ? L"Software\\Sysinternals\\Process Monitor" : L"Software\\Sysinternals\\Process Monitor32";
      												 *0x4bd2b8 = _t137;
      												RegCreateKeyExW(0x80000001, _t137, 0, 0, 0, 0xf003f, 0, 0x4bd2b4, 0);
      												E00464AA0(_t312 - 0x424,  *0x4bd2b4);
      												_t141 = E00465020(_t296, _t344, _t312 - 0x424);
      												_t324 = _t320 + 0x30;
      												E00464AC0(_t141);
      												E004192D0(0x4bca10,  *0x4bd8a0);
      												__eflags =  *(_t312 - 0x428);
      												if(__eflags == 0) {
      													L45:
      													__eflags =  *((char*)(_t312 - 0x407));
      													if( *((char*)(_t312 - 0x407)) != 0) {
      														 *0x4bb120 =  *0x4bb120 | 0x00000010;
      														__eflags =  *0x4bb120;
      													}
      													__eflags =  *((char*)(_t312 - 0x40b));
      													if( *((char*)(_t312 - 0x40b)) != 0) {
      														L00457F20(_t344, 0);
      													}
      													E00436760( *0x4bd2b4, L"DeviceNameMap", "PHx");
      													_t145 =  *(_t312 - 0x418);
      													_t325 = _t324 + 0xc;
      													__eflags = _t145;
      													if(_t145 == 0) {
      														__eflags =  *((char*)(_t312 - 0x3f9));
      														if( *((char*)(_t312 - 0x3f9)) != 0) {
      															__eflags = 0;
      															 *0x4bdac0 = 0;
      														}
      													} else {
      														GetFullPathNameW(_t145, 0x104, 0x4bdac0, 0);
      														_push(L".PML");
      														E00435A10(0x4bdac0, 0x104);
      														_t325 = _t325 + 0xc;
      													}
      													_t146 = E00436680();
      													__eflags = _t146;
      													if(_t146 != 0) {
      														 *0x4bb120 =  *0x4bb120 | 0x00000040;
      														__eflags =  *0x4bb120;
      														 *0x4bd2e9 = 1;
      													}
      													_t147 =  *0x4bd89c; // 0x0
      													__eflags =  *((char*)(_t312 - 0x40d));
      													_t148 =  !=  ? 1 : _t147;
      													 *0x4bd89c =  !=  ? 1 : _t147;
      													SetThreadPriority(GetCurrentThread(), 2);
      													E0046C6B0(1, _t296);
      													__eflags = _t297;
      													if(_t297 == 0) {
      														L66:
      														__eflags =  *((char*)(_t312 - 0x40f));
      														if(__eflags != 0) {
      															E0043A130(_t296, _t297, __eflags);
      															goto L92;
      														} else {
      															_t157 = RegisterWindowMessageW(L"commdlg_FindReplace");
      															_t249 =  *(_t312 - 0x430);
      															 *0x4bd2b0 = _t157;
      															 *(_t312 - 0x400) = LoadAcceleratorsW(_t249, L"ACCELERATORS");
      															E0044DC00(_t249);
      															_t307 = MulDiv;
      															_t328 = _t325 + 4;
      															_t160 = MulDiv(0x12c,  *0x4bc898, 0x60);
      															_t161 = MulDiv(0x1f4,  *0x4bc894, 0x60);
      															_t162 = MulDiv(0xc8,  *0x4bc898, 0x60);
      															_t163 = MulDiv(0x64,  *0x4bc894, 0x60);
      															_t246 =  *((intOrPtr*)(_t312 - 0x40a));
      															__eflags = _t246;
      															_t165 =  !=  ? 0x20000000 : 0;
      															_t166 = ( !=  ? 0x20000000 : 0) | 0x00cf0000;
      															_t273 = CreateWindowExW(0, L"PROCMON_WINDOW_CLASS", L"Process Monitor - Sysinternals: www.sysinternals.com", ( !=  ? 0x20000000 : 0) | 0x00cf0000, _t163, _t162, _t161, _t160, 0, 0, _t249, 0);
      															 *0x4bd2c0 = _t273;
      															__eflags = _t273;
      															if(_t273 == 0) {
      																goto L1;
      															} else {
      																__eflags = _t246;
      																if(_t246 == 0) {
      																	_t168 =  *((intOrPtr*)(_t312 + 0x14));
      																	_t296 = 5;
      																	__eflags = _t168 - 1;
      																	_t169 =  ==  ? 5 : _t168;
      																} else {
      																	_t169 = 2;
      																}
      																ShowWindow(_t273, _t169);
      																UpdateWindow( *0x4bd2c0);
      																__eflags = E00414130(0x4bca94);
      																if(__eflags == 0) {
      																	__eflags = _t246;
      																	if(__eflags == 0) {
      																		__eflags =  *((intOrPtr*)(_t312 - 0x405)) - _t246;
      																		if(__eflags == 0) {
      																			DialogBoxParamW( *0x4bd2c4, L"FILTER_INIT",  *0x4bd2c0,  &M0044BE70, 1);
      																		}
      																	}
      																}
      																_t173 = L00446DF0(_t296, __eflags,  *0x4bd2c0, 0);
      																_t325 = _t328 + 8;
      																__eflags = _t173;
      																if(__eflags == 0) {
      																	__eflags = _t297;
      																	if(_t297 == 0) {
      																		__eflags =  *((char*)(_t312 - 0x408));
      																		if( *((char*)(_t312 - 0x408)) == 0) {
      																			__eflags =  *0x4bd0a3;
      																			if( *0x4bd0a3 == 0) {
      																				__eflags =  *(_t312 - 0x418);
      																				_t79 =  *(_t312 - 0x418) != 0;
      																				__eflags = _t79;
      																				SendMessageW( *0x4bd2c0, 0x111, 0x9c87, 0 | _t79);
      																			}
      																		}
      																	} else {
      																		__eflags =  *0x4bd895;
      																		if( *0x4bd895 != 0) {
      																			SendMessageW( *0x4bd2c0, 0x111, 0x9c53, 0);
      																		}
      																		E00452450(_t296,  *0x4bd2c0, _t297, 0);
      																		_t325 = _t325 + 0xc;
      																	}
      																} else {
      																	E00418140(0x4bca10, __eflags, 0);
      																}
      																_t297 = GetMessageW;
      																_t175 = GetMessageW(_t312 - 0x464, 0, 0, 0);
      																__eflags = _t175;
      																if(_t175 != 0) {
      																	_t246 = TranslateMessage;
      																	do {
      																		_t307 = GetActiveWindow();
      																		_t178 = TranslateAcceleratorW(_t307,  *(_t312 - 0x400), _t312 - 0x464);
      																		__eflags = _t178;
      																		if(_t178 == 0) {
      																			_t182 = IsDialogMessageW(_t307, _t312 - 0x464);
      																			__eflags = _t182;
      																			if(_t182 == 0) {
      																				TranslateMessage(_t312 - 0x464);
      																				DispatchMessageW(_t312 - 0x464);
      																			}
      																		}
      																		_t180 = GetMessageW(_t312 - 0x464, 0, 0, 0);
      																		__eflags = _t180;
      																	} while (_t180 != 0);
      																}
      																L92:
      																E0043A870(_t246, _t296, _t297, _t307, 0);
      																E004376B0( *0x4bd2b4, L"DeviceNameMap", "PHx");
      																goto L25;
      															}
      														}
      													} else {
      														__eflags = _t246;
      														if(_t246 == 0) {
      															goto L66;
      														} else {
      															_t194 = E00471495(_t246, 0x2e);
      															__eflags = _t194;
      															if(_t194 == 0) {
      																L65:
      																_t307->i(0, L"Invalid file extension in /SaveAs option", L"Process Monitor", 0x10);
      																goto L1;
      															} else {
      																_t196 = E0044C740(_t194);
      																 *(_t312 - 0x400) = _t196;
      																__eflags = _t196;
      																if(_t196 < 0) {
      																	goto L65;
      																} else {
      																	__eflags = E00452450(_t296, 0, _t297, 0);
      																	if(__eflags == 0) {
      																		goto L1;
      																	} else {
      																		_t198 = E00418140(0x4bca10, __eflags, 0);
      																		 *(_t312 - 0x3f8) - 2 =  *(_t312 - 0x3f8) - 1;
      																		__eflags =  *(_t312 - 0x3fa);
      																		_t300 = E00421580(0x4bca10, _t296, 0, _t246, 0 |  *(_t312 - 0x3fa) != 0x00000000,  *((intOrPtr*)(0x4a2ce8 +  *(_t312 - 0x400) * 8)), 1, ((_t198 & 0xffffff00 |  *(_t312 - 0x3f8) - 0x00000002 >= 0x00000000) & 0 |  *(_t312 - 0x3fa) >= 0x00000000) & 0x000000ff, (_t198 & 0xffffff00 |  *(_t312 - 0x3f8) - 0x00000002 >= 0x00000000) & 0x000000ff);
      																		__eflags = _t300;
      																		if(_t300 == 0) {
      																			goto L25;
      																		} else {
      																			 *(_t312 - 0x3f8) = E0046A6C0(_t246, L"The file was not saved. ", E0046A530(L"The file was not saved. "));
      																			E0046A310(_t312 - 0x3f8, E00459490(_t246, _t312 - 0x400, _t300));
      																			_t279 =  *(_t312 - 0x400);
      																			__eflags =  *(_t312 - 0x400);
      																			if( *(_t312 - 0x400) != 0) {
      																				E0046A700(_t279);
      																			}
      																			_t307->i(0, E0046A170(_t312 - 0x3f8), L"Process Monitor", 0x10);
      																			_t281 =  *(_t312 - 0x3f8);
      																			__eflags =  *(_t312 - 0x3f8);
      																			if( *(_t312 - 0x3f8) != 0) {
      																				E0046A700(_t281);
      																			}
      																			goto L1;
      																		}
      																	}
      																}
      															}
      														}
      													}
      												} else {
      													E00415890(_t312 - 0x260);
      													__eflags = E004303A0(_t312 - 0x260, __eflags,  *(_t312 - 0x428), 1, 0);
      													if(__eflags != 0) {
      														E00464A80(_t312 - 0x424, _t312 - 0x260);
      														_t225 = E00465020(_t296, _t344, _t312 - 0x424);
      														_t324 = _t324 + 4;
      														E00464AC0(_t225);
      														E00415CF0(__eflags);
      														goto L45;
      													} else {
      														_t307->i(L"The selected configuration file cannot be opened", L"Process Monitor", 0x10);
      														E00415CF0(__eflags);
      														_t301 = 0;
      														_pop(_t309);
      														__eflags =  *(_t312 - 4) ^ _t312;
      														_pop(_t250);
      														return E0046F77E(_t250,  *(_t312 - 4) ^ _t312, _t296, _t301, _t309);
      													}
      												}
      											} else {
      												_t232 = FindWindowW(L"PROCMON_WINDOW_CLASS", 0);
      												__eflags = _t232;
      												if(_t232 == 0) {
      													goto L1;
      												} else {
      													_push(0);
      													_push(0);
      													_push(0x800a);
      													goto L24;
      												}
      											}
      										} else {
      											E0040EFC0(_t296, 0, 1, 1);
      											_pop(_t302);
      											_pop(_t310);
      											_pop(_t251);
      											__eflags =  *(_t312 - 4) ^ _t312;
      											return E0046F77E(_t251,  *(_t312 - 4) ^ _t312, _t296, _t302, _t310);
      										}
      									} else {
      										_t311 = 0;
      										__eflags = 0;
      										while(1) {
      											_t232 = FindWindowW(L"PROCMON_WINDOW_CLASS", 0);
      											__eflags = _t232;
      											if(_t232 != 0) {
      												break;
      											}
      											Sleep(0x64);
      											_t311 = _t311 + 1;
      											__eflags = _t311 - 0x64;
      											if(_t311 < 0x64) {
      												continue;
      											} else {
      												goto L1;
      											}
      											goto L100;
      										}
      										_push(0);
      										_push(0);
      										_push(0x8009);
      										L24:
      										SendMessageW(_t232, ??, ??, ??);
      										goto L25;
      									}
      								} else {
      									_t307->i(0, L"Procmon was unable to allocate sufficient memory to run.\nTry increasing the size of your page file.", L"Process Monitor", 0x10);
      									goto L1;
      								}
      							} else {
      								__eflags = L00446DF0(_t296, __eflags,  *0x4bd2c0, _t114);
      								if(__eflags != 0) {
      									E00418140(0x4bca10, __eflags, 0);
      								}
      								L25:
      								_pop(_t299);
      								_pop(_t308);
      								_pop(_t248);
      								__eflags =  *(_t312 - 4) ^ _t312;
      								return E0046F77E(_t248,  *(_t312 - 4) ^ _t312, _t296, _t299, _t308);
      							}
      						} else {
      							MessageBoxW(_t297, L"The /SaveAs option is valid only when used with /OpenLog", L"Process Monitor", 0x10);
      							L1:
      							_pop(_t298);
      							_pop(_t305);
      							_pop(_t247);
      							return E0046F77E(_t247,  *(_t312 - 4) ^ _t312, _t296, _t298, _t305);
      						}
      					}
      				}
      				L100:
      			}
      0x0045f10d
      0x0045f10d
      0x0045f10d
      0x0045f117
      0x0045f128
      0x0045fa0b
      0x0045fa1f
      0x00000000
      0x0045f12e
      0x0045f135
      0x0045f98b
      0x0045f9a4
      0x0045f9be
      0x0045f9c3
      0x0045f9c9
      0x0045f9cb
      0x0045f9cd
      0x0045f9cd
      0x0045f9d2
      0x0045f9d8
      0x0045f9da
      0x0045f9dc
      0x0045f9dc
      0x0045f9f6
      0x0045f9fc
      0x0045fa02
      0x0045fa04
      0x0045fa06
      0x0045fa06
      0x00000000
      0x0045f151
      0x0045f153
      0x0045f171
      0x0045f177
      0x0045f179
      0x0045f1a3
      0x0045f1aa
      0x0045f1b0
      0x0045f1b2
      0x0045f1b4
      0x0045f1c6
      0x0045f1cb
      0x0045f1ce
      0x0045f1e8
      0x0045f1ea
      0x0045f1f0
      0x0045f1f2
      0x0045f1f4
      0x0045f1f4
      0x0045f1f2
      0x0045f1b4
      0x0045f1fe
      0x0045f203
      0x0045f205
      0x0045f21c
      0x0045f223
      0x0045f274
      0x0045f27b
      0x0045f2a1
      0x0045f2a8
      0x0045f2d4
      0x0045f2de
      0x0045f2e8
      0x0045f2ef
      0x0045f2f4
      0x0045f2fb
      0x0045f301
      0x0045f30b
      0x0045f31e
      0x0045f32b
      0x0045f330
      0x0045f335
      0x0045f33b
      0x0045f33d
      0x0045f35c
      0x0045f361
      0x0045f361
      0x0045f363
      0x0045f368
      0x0045f33f
      0x0045f33f
      0x0045f340
      0x0045f340
      0x0045f378
      0x0045f37b
      0x0045f380
      0x0045f386
      0x0045f390
      0x0045f3ad
      0x0045f3ba
      0x0045f3c8
      0x0045f3dc
      0x0045f3e7
      0x0045f3ee
      0x0045f3fd
      0x0045f40a
      0x0045f410
      0x0045f433
      0x0045f43e
      0x0045f443
      0x0045f455
      0x0045f461
      0x0045f466
      0x0045f46f
      0x0045f47f
      0x0045f484
      0x0045f48b
      0x0045f51f
      0x0045f51f
      0x0045f526
      0x0045f528
      0x0045f528
      0x0045f528
      0x0045f52f
      0x0045f536
      0x0045f53f
      0x0045f53f
      0x0045f554
      0x0045f559
      0x0045f55f
      0x0045f562
      0x0045f564
      0x0045f592
      0x0045f599
      0x0045f59b
      0x0045f59d
      0x0045f59d
      0x0045f566
      0x0045f573
      0x0045f579
      0x0045f588
      0x0045f58d
      0x0045f58d
      0x0045f5a3
      0x0045f5a8
      0x0045f5aa
      0x0045f5ac
      0x0045f5ac
      0x0045f5b3
      0x0045f5b3
      0x0045f5ba
      0x0045f5c4
      0x0045f5cd
      0x0045f5d0
      0x0045f5dc
      0x0045f5e2
      0x0045f5e7
      0x0045f5e9
      0x0045f71a
      0x0045f71a
      0x0045f721
      0x0045f94d
      0x00000000
      0x0045f727
      0x0045f72c
      0x0045f732
      0x0045f73e
      0x0045f74a
      0x0045f750
      0x0045f755
      0x0045f75b
      0x0045f772
      0x0045f782
      0x0045f792
      0x0045f79f
      0x0045f7a1
      0x0045f7af
      0x0045f7b1
      0x0045f7b4
      0x0045f7cc
      0x0045f7ce
      0x0045f7d4
      0x0045f7d6
      0x00000000
      0x0045f7dc
      0x0045f7dc
      0x0045f7de
      0x0045f7e7
      0x0045f7ea
      0x0045f7ef
      0x0045f7f2
      0x0045f7e0
      0x0045f7e0
      0x0045f7e0
      0x0045f7f7
      0x0045f803
      0x0045f813
      0x0045f815
      0x0045f817
      0x0045f819
      0x0045f81b
      0x0045f821
      0x0045f83b
      0x0045f83b
      0x0045f821
      0x0045f819
      0x0045f849
      0x0045f84e
      0x0045f851
      0x0045f853
      0x0045f863
      0x0045f865
      0x0045f89b
      0x0045f8a2
      0x0045f8a4
      0x0045f8ab
      0x0045f8af
      0x0045f8b5
      0x0045f8b5
      0x0045f8c9
      0x0045f8c9
      0x0045f8ab
      0x0045f867
      0x0045f867
      0x0045f86e
      0x0045f882
      0x0045f882
      0x0045f891
      0x0045f896
      0x0045f896
      0x0045f855
      0x0045f85c
      0x0045f85c
      0x0045f8cf
      0x0045f8e2
      0x0045f8e4
      0x0045f8e6
      0x0045f8e8
      0x0045f8f0
      0x0045f8f6
      0x0045f906
      0x0045f90c
      0x0045f90e
      0x0045f918
      0x0045f91e
      0x0045f920
      0x0045f929
      0x0045f932
      0x0045f932
      0x0045f920
      0x0045f945
      0x0045f947
      0x0045f947
      0x0045f94b
      0x0045f952
      0x0045f954
      0x0045f969
      0x00000000
      0x0045f96e
      0x0045f7d6
      0x0045f5ef
      0x0045f5ef
      0x0045f5f1
      0x00000000
      0x0045f5f7
      0x0045f5fa
      0x0045f602
      0x0045f604
      0x0045f705
      0x0045f713
      0x00000000
      0x0045f60a
      0x0045f60b
      0x0045f613
      0x0045f619
      0x0045f61b
      0x00000000
      0x0045f621
      0x0045f62e
      0x0045f630
      0x00000000
      0x0045f636
      0x0045f63d
      0x0045f651
      0x0045f674
      0x0045f686
      0x0045f688
      0x0045f68a
      0x00000000
      0x0045f690
      0x0045f6a5
      0x0045f6c2
      0x0045f6c7
      0x0045f6cd
      0x0045f6cf
      0x0045f6d1
      0x0045f6d1
      0x0045f6eb
      0x0045f6ed
      0x0045f6f3
      0x0045f6f5
      0x0045f6fb
      0x0045f6fb
      0x00000000
      0x0045f6f5
      0x0045f68a
      0x0045f630
      0x0045f61b
      0x0045f604
      0x0045f5f1
      0x0045f491
      0x0045f497
      0x0045f4b1
      0x0045f4b3
      0x0045f4f5
      0x0045f501
      0x0045f506
      0x0045f50f
      0x0045f51a
      0x00000000
      0x0045f4b5
      0x0045f4c3
      0x0045f4cb
      0x0045f4d8
      0x0045f4d9
      0x0045f4da
      0x0045f4dc
      0x0045f4e5
      0x0045f4e5
      0x0045f4b3
      0x0045f2aa
      0x0045f2b1
      0x0045f2b7
      0x0045f2b9
      0x00000000
      0x0045f2bf
      0x0045f2bf
      0x0045f2c1
      0x0045f2c3
      0x00000000
      0x0045f2c3
      0x0045f2b9
      0x0045f27d
      0x0045f283
      0x0045f28e
      0x0045f28f
      0x0045f290
      0x0045f294
      0x0045f29e
      0x0045f29e
      0x0045f225
      0x0045f22b
      0x0045f22b
      0x0045f233
      0x0045f23a
      0x0045f23c
      0x0045f23e
      0x00000000
      0x00000000
      0x0045f242
      0x0045f244
      0x0045f245
      0x0045f248
      0x00000000
      0x0045f24a
      0x00000000
      0x0045f24a
      0x00000000
      0x0045f248
      0x0045f24f
      0x0045f251
      0x0045f253
      0x0045f258
      0x0045f259
      0x00000000
      0x0045f259
      0x0045f207
      0x0045f215
      0x00000000
      0x0045f215
      0x0045f17b
      0x0045f18a
      0x0045f18c
      0x0045f199
      0x0045f199
      0x0045f25f
      0x0045f261
      0x0045f262
      0x0045f263
      0x0045f267
      0x0045f271
      0x0045f271
      0x0045f159
      0x0045f166
      0x0045f088
      0x0045f08d
      0x0045f08e
      0x0045f08f
      0x0045f09d
      0x0045f09d
      0x0045f153
      0x0045f135
      0x00000000

      APIs
      • MessageBoxW.USER32(00000000,The /SaveAs option is valid only when used with /OpenLog,Process Monitor,00000010), ref: 0045F166
      • MessageBoxW.USER32(00000000,00000000,Process Monitor,00000010), ref: 0045F9F6
      • DialogBoxParamW.USER32 ref: 0045FA1F
      Strings
      • The /SaveAs option is valid only when used with /OpenLog, xrefs: 0045F160
      • Process Monitor, xrefs: 0045F15B
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Message$DialogParam
      • String ID: Process Monitor$The /SaveAs option is valid only when used with /OpenLog
      • API String ID: 881688129-554902480
      • Opcode ID: c66186b5d1cde3ea21319e7ef5de431853ef2120705d77d7312604ea27a74eb2
      • Instruction ID: 186e2e53766dfb0b3c2c5a4c9253a661d7217b31606e4e6980c4d3730b3397ca
      • Opcode Fuzzy Hash: c66186b5d1cde3ea21319e7ef5de431853ef2120705d77d7312604ea27a74eb2
      • Instruction Fuzzy Hash: 58F0E270F40B59AADF368A40D8447BA76A4CB1571AF1000FFDD0A61283C6BD0ECC9A4F
      Uniqueness

      Uniqueness Score: -1.00%
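Added example, not part of the Joe Sandbox report and not Process Monitor's own code. Two of the fragments above fit together: the function at 0x004595d6 fills a structure whose first field is set to 0x2c (44 = sizeof(WINDOWPLACEMENT)), passes it to GetWindowPlacement and, on success, writes the whole 0x2c bytes with RegSetValueExW using dwType 3 (REG_BINARY); E0045F10D opens the key 0x80000001 (HKEY_CURRENT_USER) \Software\Sysinternals\Process Monitor (or ...Process Monitor32) with access mask 0xf003f (KEY_ALL_ACCESS). An investigator checking that key will find REG_BINARY values of this shape. The Python below decodes such a blob field by field and validates the length field and the rectangle, which is what a responder wants before trusting what the value says about the window. Assumptions of mine: the registry value name (the report shows it only as `?`), that the blob is stored under the key E0045F10D creates, and the constructed sample bytes used for the stand-alone run.

```python
"""Decode a WINDOWPLACEMENT blob as written by RegSetValueExW(hKey, name, 0, REG_BINARY, &wp, 0x2c).

Added example; constants come from the Windows SDK, the key path is an assumption
based on the RegCreateKeyExW call in E0045F10D."""
import struct

WINDOWPLACEMENT_LEN = 0x2c   # sizeof(WINDOWPLACEMENT), 44 bytes on 32- and 64-bit Windows
REG_BINARY = 3               # dwType passed as the 4th argument in the fragment
PROCMON_KEY = r"Software\Sysinternals\Process Monitor"   # assumption: value lives under this key

# Little-endian: length, flags, showCmd, ptMinPosition(x,y), ptMaxPosition(x,y),
# rcNormalPosition(left, top, right, bottom). POINT and RECT members are signed LONG.
_FMT = "<IIIllllllll"
assert struct.calcsize(_FMT) == WINDOWPLACEMENT_LEN

SHOW_CMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED",
            4: "SW_SHOWNOACTIVATE", 5: "SW_SHOW", 6: "SW_MINIMIZE", 7: "SW_SHOWMINNOACTIVE",
            8: "SW_SHOWNA", 9: "SW_RESTORE", 10: "SW_SHOWDEFAULT"}
WPF_FLAGS = {1: "WPF_SETMINPOSITION", 2: "WPF_RESTORETOMAXIMIZED", 4: "WPF_ASYNCWINDOWPLACEMENT"}


def parse_window_placement(blob: bytes) -> dict:
    """Return the decoded fields; raise ValueError on a truncated or inconsistent blob."""
    if len(blob) != WINDOWPLACEMENT_LEN:
        raise ValueError(f"expected {WINDOWPLACEMENT_LEN} bytes, got {len(blob)}")
    (length, flags, show_cmd, min_x, min_y, max_x, max_y,
     left, top, right, bottom) = struct.unpack(_FMT, blob)
    # The writer stores its own sizeof in the first field; anything else is not a
    # WINDOWPLACEMENT written by GetWindowPlacement.
    if length != WINDOWPLACEMENT_LEN:
        raise ValueError(f"length field {length:#x} != {WINDOWPLACEMENT_LEN:#x}")
    if right < left or bottom < top:
        raise ValueError("rcNormalPosition is not a normalised rectangle")
    return {
        "flags": [name for bit, name in WPF_FLAGS.items() if flags & bit],
        "unknown_flags": flags & ~sum(WPF_FLAGS),      # bits outside the documented WPF_* set
        "showCmd": SHOW_CMD.get(show_cmd, f"unknown({show_cmd})"),
        "ptMinPosition": (min_x, min_y),
        "ptMaxPosition": (max_x, max_y),
        "rcNormalPosition": (left, top, right, bottom),
        "size": (right - left, bottom - top),
    }


def build_window_placement(show_cmd=1, flags=0, rc=(100, 100, 900, 700),
                           pt_min=(-1, -1), pt_max=(-1, -1)) -> bytes:
    """Inverse of parse_window_placement; used here only to construct sample input."""
    return struct.pack(_FMT, WINDOWPLACEMENT_LEN, flags, show_cmd, *pt_min, *pt_max, *rc)


def read_from_registry(value_name: str, key_path: str = PROCMON_KEY) -> dict:
    """Windows only: read a REG_BINARY value under HKCU\\<key_path> and decode it."""
    import winreg  # assumption: running on the Windows host where the key exists
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        data, reg_type = winreg.QueryValueEx(key, value_name)
    if reg_type != REG_BINARY:
        raise TypeError(f"{value_name}: expected REG_BINARY ({REG_BINARY}), got type {reg_type}")
    return parse_window_placement(data)


if __name__ == "__main__":
    # Constructed sample: a maximised window whose restored rectangle is 800x600 at (100,100).
    sample = build_window_placement(show_cmd=3, flags=2)
    print(parse_window_placement(sample))
```

On a live host, `read_from_registry("<value name>")` does the lookup; offline, feed `parse_window_placement` the bytes exported from the key (`reg export` or a hive parser). The length-field check is the cheap way to tell a genuine WINDOWPLACEMENT from other 44-byte REG_BINARY data under the same key.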

      C-Code - Quality: 34%
      			E0045F2AA() {
      				void* _t6;
      				void* _t9;
      				void* _t10;
      				void* _t11;
      				signed int _t12;
      
      				if(FindWindowW(L"PROCMON_WINDOW_CLASS", 0) == 0) {
      					_pop(_t10);
      					_pop(_t11);
      					_pop(_t6);
      					return E0046F77E(_t6,  *(_t12 - 4) ^ _t12, _t9, _t10, _t11);
      				} else {
      					__eax = SendMessageW(__eax, ??, ??, ??);
      					__eax = 0;
      					__edi = 0x800a;
      					__esi = 0;
      					__ebx = 0;
      					__ecx =  *(__ebp - 4);
      					__ecx =  *(__ebp - 4) ^ __ebp;
      					__eax = E0046F77E(__ebx,  *(__ebp - 4) ^ __ebp, __edx, __edi, __esi);
      					__esp = __ebp;
      					_pop(__ebp);
      					return __eax;
      				}
      			}
      0x0045f2b9
      0x0045f08d
      0x0045f08e
      0x0045f08f
      0x0045f09d
      0x0045f2bf
      0x0045f259
      0x0045f25f
      0x0045f261
      0x0045f262
      0x0045f263
      0x0045f264
      0x0045f267
      0x0045f269
      0x0045f26e
      0x0045f270
      0x0045f271
      0x0045f271

      APIs
      • SendMessageW.USER32(00000000,00008009,00000000,00000000), ref: 0045F259
      • FindWindowW.USER32(PROCMON_WINDOW_CLASS,00000000), ref: 0045F2B1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: FindMessageSendWindow
      • String ID: PROCMON_WINDOW_CLASS
      • API String ID: 1741975844-2120583162
      • Opcode ID: 86e8d842841db00f69f3422c069607e3709ae09d227da918d4a113b2d54dc57d
      • Instruction ID: 176b54e40342c3ee766454d09986e478ea3cb04a42f57375afef2e6e85e3a9d1
      • Opcode Fuzzy Hash: 86e8d842841db00f69f3422c069607e3709ae09d227da918d4a113b2d54dc57d
      • Instruction Fuzzy Hash: 19E09B3234010866D530AFA57C46BAE7354EB98713F60057FF907D90C2D996541D565D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E0046EB3D(void* __eflags, char _a4, intOrPtr _a8) {
      				intOrPtr _v0;
      				intOrPtr _v8;
      				intOrPtr* _v12;
      				char _v16;
      				intOrPtr _v20;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				intOrPtr _t32;
      				intOrPtr _t34;
      				intOrPtr _t35;
      				intOrPtr* _t36;
      				intOrPtr* _t37;
      				intOrPtr* _t38;
      				intOrPtr _t40;
      				intOrPtr* _t42;
      				intOrPtr* _t51;
      				intOrPtr _t52;
      				intOrPtr* _t56;
      				intOrPtr* _t59;
      				intOrPtr _t62;
      				intOrPtr _t63;
      				intOrPtr _t65;
      				intOrPtr* _t68;
      				intOrPtr* _t69;
      				void* _t73;
      				void* _t75;
      
      				_t2 =  &_v16; // -220
      				_t56 = _t2;
      				_t4 =  &_a4; // -200
      				E0047400F(_t56, _t4);
      				_t5 =  &_v16; // -220
      				_v16 = 0x4a9358;
      				E0046F78D(_t5, 0x4b7770);
      				asm("int3");
      				_t73 = _t75;
      				_t32 = _v8;
      				_t51 = _v12;
      				_t68 = _t56;
      				_t62 =  *((intOrPtr*)(_t51 + 0x10));
      				if(_t62 < _t32) {
      					_push("invalid string position");
      					E0046EB3D(__eflags);
      					asm("int3");
      					_push(_t73);
      					_push(_t51);
      					_t52 = _v20;
      					_push(_t68);
      					_t69 = _t56;
      					_t34 = E0046EA5F(_t56, _t52);
      					__eflags = _t34;
      					if(_t34 == 0) {
      						_push(_t62);
      						_t63 = _v0;
      						_push(0);
      						_t35 = E0046E9FB(_t52, _t69, _t63, _t63);
      						__eflags = _t35;
      						if(_t35 != 0) {
      							__eflags =  *((intOrPtr*)(_t69 + 0x14)) - 0x10;
      							if( *((intOrPtr*)(_t69 + 0x14)) < 0x10) {
      								_t37 = _t69;
      							} else {
      								_t37 =  *_t69;
      							}
      							__eflags = _t63;
      							if(_t63 != 0) {
      								E00470850(_t37, _t52, _t63);
      							}
      							__eflags =  *((intOrPtr*)(_t69 + 0x14)) - 0x10;
      							 *((intOrPtr*)(_t69 + 0x10)) = _t63;
      							if( *((intOrPtr*)(_t69 + 0x14)) < 0x10) {
      								_t38 = _t69;
      							} else {
      								_t38 =  *_t69;
      							}
      							 *((char*)(_t38 + _t63)) = 0;
      						}
      						_t36 = _t69;
      					} else {
      						__eflags =  *((intOrPtr*)(_t69 + 0x14)) - 0x10;
      						if( *((intOrPtr*)(_t69 + 0x14)) < 0x10) {
      							_t36 = _t69;
      						} else {
      							_t36 =  *_t69;
      						}
      						_push(_v0);
      						_push(_t52 - _t36);
      						_push(_t69);
      						L1();
      					}
      					return _t36;
      				} else {
      					_t65 = _t62 - _t32;
      					if(_a8 < _t65) {
      						_t65 = _a8;
      					}
      					if(_t68 != _t51) {
      						_push(0);
      						_t40 = E0046E9FB(_t51, _t56, _t65, _t65);
      						__eflags = _t40;
      						if(_t40 != 0) {
      							__eflags =  *((intOrPtr*)(_t51 + 0x14)) - 0x10;
      							if( *((intOrPtr*)(_t51 + 0x14)) >= 0x10) {
      								_t51 =  *_t51;
      							}
      							__eflags =  *((intOrPtr*)(_t68 + 0x14)) - 0x10;
      							if( *((intOrPtr*)(_t68 + 0x14)) < 0x10) {
      								_t59 = _t68;
      							} else {
      								_t59 =  *_t68;
      							}
      							__eflags = _t65;
      							if(_t65 != 0) {
      								_t44 = _a4 + _t51;
      								__eflags = _a4 + _t51;
      								E00470850(_t59, _t44, _t65);
      							}
      							__eflags =  *((intOrPtr*)(_t68 + 0x14)) - 0x10;
      							 *((intOrPtr*)(_t68 + 0x10)) = _t65;
      							if( *((intOrPtr*)(_t68 + 0x14)) < 0x10) {
      								_t42 = _t68;
      							} else {
      								_t42 =  *_t68;
      							}
      							 *((char*)(_t42 + _t65)) = 0;
      						}
      					} else {
      						_push(_t32 + _t65);
      						E0046ECF5(_t51, _t56, _t65, _t68);
      						_push(_a4);
      						E0046ED24(_t51, _t68, _t65, _t68, 0);
      					}
      					return _t68;
      				}
      			}

      APIs
      • std::exception::exception.LIBCMT ref: 0046EB50
        • Part of subcall function 0047400F: std::exception::_Copy_str.LIBCMT ref: 00474028
      • __CxxThrowException@8.LIBCMT ref: 0046EB65
        • Part of subcall function 0046F78D: RaiseException.KERNEL32(?,?,000000FF,004B76C4,?,00000000,?,?,?,0046EF06,000000FF,004B76C4,?,00000001), ref: 0046F7E2
      Strings
      • invalid string position, xrefs: 0046EBF5
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
      • String ID: invalid string position
      • API String ID: 757275642-1799206989
      • Opcode ID: 103d8ccb89d59c7176ded4995dd7b7fe767626b2d05f74cbe23a635e3c4fde3d
      • Instruction ID: 10cdbd04ba2ff9e5fd7788606fb9608aea55e9366cfb5bf3e17fb6b9331ace28
      • Opcode Fuzzy Hash: 103d8ccb89d59c7176ded4995dd7b7fe767626b2d05f74cbe23a635e3c4fde3d
      • Instruction Fuzzy Hash: D7F0377590030C7B8B04DF9AD485CCDB7FDAA48744B408027FD1497241EB74FA048BA9
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __CxxThrowException@8.LIBCMT ref: 00473752
        • Part of subcall function 0046F78D: RaiseException.KERNEL32(?,?,000000FF,004B76C4,?,00000000,?,?,?,0046EF06,000000FF,004B76C4,?,00000001), ref: 0046F7E2
      • std::bad_exception::bad_exception.LIBCMT ref: 00473779
        • Part of subcall function 00473F86: std::bad_exception::bad_exception.LIBCMT ref: 00473F8F
      Strings
      • Access violation - no RTTI data!, xrefs: 00473771
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: std::bad_exception::bad_exception$ExceptionException@8RaiseThrow
      • String ID: Access violation - no RTTI data!
      • API String ID: 1432139112-2158758863
      • Opcode ID: f8cab04202455dd207f9b84b9ea8d2b8240584d891999be821f8e0506f2b22fe
      • Instruction ID: c27ac21c5fc864ca76141e65e5815641571082d389982c62d4eac9e4da952dc9
      • Opcode Fuzzy Hash: f8cab04202455dd207f9b84b9ea8d2b8240584d891999be821f8e0506f2b22fe
      • Instruction Fuzzy Hash: 27E0ECB5E042049FCB08DFA1C842AED7770AB09716F15406AE411A7190D778A951DF6A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040D190(long _a4) {
      
      				DialogBoxParamW(GetModuleHandleW(0), L"PROGRESS", 0, E0040CBC0, _a4);
      				return 0;
      			}

      APIs
      • GetModuleHandleW.KERNEL32(00000000,PROGRESS,00000000,0040CBC0,?), ref: 0040D1A4
      • DialogBoxParamW.USER32 ref: 0040D1AB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: DialogHandleModuleParam
      • String ID: PROGRESS
      • API String ID: 3900296288-3828510218
      • Opcode ID: 29816b740b92cb32ff5ff321162c9349e06ebc6da3d3825761354f4cedcaedc1
      • Instruction ID: 94c2c1f3efeb8195ecc4c8276429a5d5def001d5286c2aa2b08045ef91090c33
      • Opcode Fuzzy Hash: 29816b740b92cb32ff5ff321162c9349e06ebc6da3d3825761354f4cedcaedc1
      • Instruction Fuzzy Hash: 25C01232284304BBD6006BE0AC0AF0A3F589B58B41F104435B704D40D1D5B5A010475C
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(?,WyF,0040F937,WyF,?,004679DD,004BCA10,00000000,00000000,?,?,00010400,00000000,2927074F,004C255C), ref: 0043038B
      • InterlockedIncrement.KERNEL32(?), ref: 00430395
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalEnterIncrementInterlockedSection
      • String ID: WyF
      • API String ID: 3631425434-4159751997
      • Opcode ID: 36f637d8d0d65f729e7219ea591b3b7d35b098a722c613ac605804146a9698c0
      • Instruction ID: 4f714c9b0a41694e61e393a2ec6088ad90d4f2cc8b6c466e4c4a1f2087357d14
      • Opcode Fuzzy Hash: 36f637d8d0d65f729e7219ea591b3b7d35b098a722c613ac605804146a9698c0
      • Instruction Fuzzy Hash: 6FC002724047159BDA209B68F849A8A77ACAB08611B250D7AB441D3110D664A9898B68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 21%
      			E0044F20D(void* __ebx, void* __edx) {
      				void* __esi;
      				int _t12;
      				void* _t17;
      				void* _t18;
      				struct HWND__* _t19;
      				void* _t20;
      				signed int _t21;
      
      				_t17 = __edx;
      				_push(0);
      				_push(E00452A00);
      				_push(L"ORGANIZE_FILTERS");
      				DialogBoxParamW( *0x4bd2c4, ??, ??, ??, ??);
      				E0044AEF0(0x4bdd00,  *0x4c22c0);
      				_t12 =  *(_t21 + 0xc);
      				DefWindowProcW(_t19, _t12,  *(_t21 - 0x628),  *(_t21 - 0x64c));
      				 *[fs:0x0] =  *((intOrPtr*)(_t21 - 0xc));
      				_pop(_t18);
      				_t20 = _t19;
      				return E0046F77E(__ebx,  *(_t21 - 0x10) ^ _t21, _t17, _t18, _t20);
      			}

      APIs
      • DialogBoxParamW.USER32 ref: 0044F1F2
        • Part of subcall function 0044AEF0: DeleteMenu.USER32(?,00000000,00000400), ref: 0044AF09
        • Part of subcall function 0044AEF0: InsertMenuW.USER32(?,7FFFFFFF,00000400,000000FF,00000000), ref: 0044AF36
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: Menu$DeleteDialogInsertParam
      • String ID: ORGANIZE_FILTERS$pHx
      • API String ID: 439955159-3297381552
      • Opcode ID: 73206cb9297e49957eb01c97924af171e872d290d28f16aee274106ad1070855
      • Instruction ID: 26b786d1c4b9a96dfe17484a3bb3e2c60fcc95a40aa532948cca7151973b5a47
      • Opcode Fuzzy Hash: 73206cb9297e49957eb01c97924af171e872d290d28f16aee274106ad1070855
      • Instruction Fuzzy Hash: A9C08034684241F7F7201B51DE56F1D7A15F745741F3004F7B502100F29ADC1815972F
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateDialogParamW.USER32 ref: 0044F593
      • SetFocus.USER32(00000000,?,Function_000539F0,00000000), ref: 0044F59A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateDialogFocusParam
      • String ID: NETWORK_SUMMARY
      • API String ID: 3693717765-4026570748
      • Opcode ID: a318cfd41ee1336666b40471398b7aabb7a09a166511f72c80926ce16af007f1
      • Instruction ID: e2d4ebaec743793b179b269571d543adafe7d4db8401537ee3bef945474fb94a
      • Opcode Fuzzy Hash: a318cfd41ee1336666b40471398b7aabb7a09a166511f72c80926ce16af007f1
      • Instruction Fuzzy Hash: CDC01230240202BBDA000B609D0AF2B2A55BB28B52FA00DB6B102A40A1D668A05A9A2D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateDialogParamW.USER32 ref: 0044F593
      • SetFocus.USER32(00000000,?,Function_000539F0,00000000), ref: 0044F59A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateDialogFocusParam
      • String ID: FILE_SUMMARY
      • API String ID: 3693717765-4178244638
      • Opcode ID: 6e947e96dd1977b2360b58d8127d25886a4fd98fdf0e5c9f2b88bb1d63089f45
      • Instruction ID: 30fe78fa68819fe0dcd7ee384198775dd020800f8510df31f19b7aee8571d17a
      • Opcode Fuzzy Hash: 6e947e96dd1977b2360b58d8127d25886a4fd98fdf0e5c9f2b88bb1d63089f45
      • Instruction Fuzzy Hash: D3C01230240201BAD6001B209D09F1A29546B38711BA009B77102F40A0D5A86015962D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateDialogParamW.USER32 ref: 0044F593
      • SetFocus.USER32(00000000,?,Function_000539F0,00000000), ref: 0044F59A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateDialogFocusParam
      • String ID: REGISTRY_SUMMARY
      • API String ID: 3693717765-1153926329
      • Opcode ID: 30136cf2fd8c12c7c1227dfaf4fa6c718ffa70b5e82ee46ae98a9f61fb1bef00
      • Instruction ID: c3819d338fc0a0be7795ad5aeb7e0ef73b270b3e371d22f89c33124cce91e0db
      • Opcode Fuzzy Hash: 30136cf2fd8c12c7c1227dfaf4fa6c718ffa70b5e82ee46ae98a9f61fb1bef00
      • Instruction Fuzzy Hash: 3CC08030144101BBD6000B209D0DF1B3954BB3C711F700D77B102F40B1E56C601AD72D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateDialogParamW.USER32 ref: 0044F593
      • SetFocus.USER32(00000000,?,Function_000539F0,00000000), ref: 0044F59A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CreateDialogFocusParam
      • String ID: PROCESS_SUMMARY
      • API String ID: 3693717765-483105347
      • Opcode ID: 4fe7aa7cbd1dc94b66b620d7550b13b6c30156d6c2f91d92369a36d7b8b98669
      • Instruction ID: 57b64b125dd6e12faac1e5ad995f8ca5a9ec464c97d9cb264c6745902e741ff6
      • Opcode Fuzzy Hash: 4fe7aa7cbd1dc94b66b620d7550b13b6c30156d6c2f91d92369a36d7b8b98669
      • Instruction Fuzzy Hash: B8C04C71680202BBDB111B619D0EF1B3A59BB39B57F6409B6B106E40B1DAA86419DB2C
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(?,2927074F,?,00000000,2927074F), ref: 00412B02
      • EnterCriticalSection.KERNEL32(?), ref: 00412BC1
      • LeaveCriticalSection.KERNEL32(?), ref: 00412BEF
      • LeaveCriticalSection.KERNEL32(?), ref: 00412C02
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave
      • String ID:
      • API String ID: 3168844106-0
      • Opcode ID: 354a31d78d0dad147f16aeab2e478c8575791f51c5abf951e3fa6bdde69a48d7
      • Instruction ID: 20a33e9e7f6855541dcacaa357b3229cea02ce752447db3989c1394d61922408
      • Opcode Fuzzy Hash: 354a31d78d0dad147f16aeab2e478c8575791f51c5abf951e3fa6bdde69a48d7
      • Instruction Fuzzy Hash: CF41E270904648AFDB21DF69C980BDFBBF8EF59304F14815EE841A3342D778AA45CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(?,00000000,?,000000C8,?,?,00411BBC,?,?,00412F7B,000000C8,?), ref: 004405BA
      • LeaveCriticalSection.KERNEL32(?), ref: 00440601
      • LeaveCriticalSection.KERNEL32(?,?,000000C8,?,?,00411BBC,?,?,00412F7B,000000C8,?), ref: 00440653
      • LeaveCriticalSection.KERNEL32(?,?,000000C8,?,?,00411BBC,?,?,00412F7B,000000C8,?), ref: 0044066A
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$Leave$Enter
      • String ID:
      • API String ID: 2978645861-0
      • Opcode ID: faded4e4a1b854d6487a263f9375cd88b5f16fa82a1e3797a68edc69e7fd1211
      • Instruction ID: 303f8230590ceb4c9ced01b19ecfaa3a042a0d1d03c2bac93e98573f95070e61
      • Opcode Fuzzy Hash: faded4e4a1b854d6487a263f9375cd88b5f16fa82a1e3797a68edc69e7fd1211
      • Instruction Fuzzy Hash: F721D6727011189FDB10CF19D884E5AB7A9EBD4711F1584ABEA0ACB301D734ED25CBD4
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(004BCA10,2927074F,0077A1E4,00000000,0048CCF0,000000FF,?,00414AE3,00000000,?,004162D9,0077A1E8), ref: 004674BD
        • Part of subcall function 00466B40: _memmove.LIBCMT ref: 00466C1E
      • LeaveCriticalSection.KERNEL32(004BCA10,?,00414AE3,00000000,?,004162D9,0077A1E8), ref: 004674E0
      • EnterCriticalSection.KERNEL32(004BCA10,2927074F,0077A1E4,00000000,0048CCF0,000000FF,?,00414AE3,00000000,?,004162D9,0077A1E8), ref: 00467506
      • LeaveCriticalSection.KERNEL32(004BCA10,?,00414AE3,00000000,?,004162D9,0077A1E8), ref: 00467529
      Memory Dump Source
      • Source File: 00000000.00000002.639436822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.639422722.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639801425.000000000048F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639950323.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639964900.00000000004C2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639974043.00000000004C4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.639981884.00000000004C5000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Process Monitor.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$_memmove
      • String ID:
      • API String ID: 1145044787-0
      • Opcode ID: d80618efa2bc65a2a7d9a9e32f2a23f2c3c66bc58ddba738f2bee9c03d16b1d6
      • Instruction ID: 5e4cf923ebb22fe19418f5317a5dc6ddc188f10ee29e0b94f3c489150a58ddb4
      • Opcode Fuzzy Hash: d80618efa2bc65a2a7d9a9e32f2a23f2c3c66bc58ddba738f2bee9c03d16b1d6
      • Instruction Fuzzy Hash: 11210A729087049BCB10DF54E88279AB7E4EB09714F10896FEC16A3780EB796810DF9D
      Uniqueness

      Uniqueness Score: -1.00%