
Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:767253
MD5:1e8ce5705381fdef436f4fae5a30334b
SHA1:5f0de42379d874d64b2ceb3615e5e8715bcc1880
SHA256:cc8f23f2566b9bdc9723d0bc664cd65edbf206f096c596c8c749a769567e3c8b
Tags:exe
Infos:

Detection

Babadeda
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Babadeda
Uses 32bit PE files
Yara signature match
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Queries keyboard layouts
Stores files to the Windows start menu directory
Dropped file seen in connection with other malware
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
PE file contains executable resources (Code or Archives)

Classification

  • System is w10x64
  • file.exe (PID: 4416 cmdline: C:\Users\user\Desktop\file.exe MD5: 1E8CE5705381FDEF436F4FAE5A30334B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
81 | SUSP_BAT2EXE_BDargo_Converted_BAT | Detects binaries created with BDARGO Advanced BAT to EXE converter | Florian Roth
  • 0x10270:$s1: Error #bdembed1 -- Quiting
  • 0x100d4:$s2: %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
  • 0x10360:$s3: \a.txt
  • 0xf120:$s4: command.com
  • 0x1303c:$s6: DFDHERGDCV
  • 0x13550:$s7: DFDHERGGZV
  • 0x10040:$s8: %s%s%s%s%s%s%s%s
  • 0x1009c:$s8: %s%s%s%s%s%s%s%s
  • 0x100d4:$s8: %s%s%s%s%s%s%s%s
  • 0x10184:$s8: %s%s%s%s%s%s%s%s
  • 0x102b8:$s8: %s%s%s%s%s%s%s%s
  • 0x102f4:$s8: %s%s%s%s%s%s%s%s
  • 0x1030c:$s8: %s%s%s%s%s%s%s%s
84 | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security
74 | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security
70 | SUSP_BAT2EXE_BDargo_Converted_BAT | Detects binaries created with BDARGO Advanced BAT to EXE converter | Florian Roth
  • 0x10270:$s1: Error #bdembed1 -- Quiting
  • 0x100d4:$s2: %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
  • 0x10360:$s3: \a.txt
  • 0xf120:$s4: command.com
  • 0x1303c:$s6: DFDHERGDCV
  • 0x13550:$s7: DFDHERGGZV
  • 0x10040:$s8: %s%s%s%s%s%s%s%s
  • 0x1009c:$s8: %s%s%s%s%s%s%s%s
  • 0x100d4:$s8: %s%s%s%s%s%s%s%s
  • 0x10184:$s8: %s%s%s%s%s%s%s%s
  • 0x102b8:$s8: %s%s%s%s%s%s%s%s
  • 0x102f4:$s8: %s%s%s%s%s%s%s%s
  • 0x1030c:$s8: %s%s%s%s%s%s%s%s
Source | Rule | Description | Author | Strings
00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
Source | Rule | Description | Author | Strings
0.2.file.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
No Sigma rule has matched
No Snort rule has matched


          AV Detection

Source: file.exe | Virustotal: Detection: 23%
Source: file.exe | ReversingLabs: Detection: 23%
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D930 FindFirstFileW,FindClose,0_2_0040D930
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00425210 FindFirstFileW,FindClose,0_2_00425210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D364 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040D364
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004253F4 FindFirstFileW,FindClose,0_2_004253F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00423160 GetLogicalDriveStringsW,QueryDosDeviceW,0_2_00423160
Source: Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 0, 1 | String found in binary or memory: http://home.att.net/~dashish
Source: Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, file.exe, 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.actualinstaller.
Source: file.exe, file.exe, 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Englishai.lng.0.dr | String found in binary or memory: http://www.actualinstaller.com
Source: file.exe | String found in binary or memory: http://www.actualinstaller.com/?r=setup
Source: file.exe, 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.actualinstaller.com/?r=setupopenU
Source: file.exe, 00000000.00000003.306882963.00000000025AA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.actualinstaller.com1q
Source: file.exe, 00000000.00000003.306882963.00000000025AA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.actualinstaller.coma
Source: file.exe | String found in binary or memory: http://www.google.com
Source: file.exe, 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.google.comU
Source: Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: 0, 1 | String found in binary or memory: https://www.bearware.org
Source: aisetup.ini.0.dr | String found in binary or memory: https://www.bearware.org/download/IL014/update3210.txt
Source: file.exe, 00000000.00000003.306741615.00000000024BD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.bearware.org/download/IL014/update3210.txtaa
Source: Remove Old Setup in Start Menu.exe.0.dr | String found in binary or memory: https://www.vbsedit.comopeniexplore.exeWScriptVBScriptScripting
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 81, type: SAMPLE | Matched rule: SUSP_BAT2EXE_BDargo_Converted_BAT date = 2018-07-28, hash1 = a547a02eb4fcb8f446da9b50838503de0d46f9bb2fd197c9ff63021243ea6d88, author = Florian Roth, description = Detects binaries created with BDARGO Advanced BAT to EXE converter, score = d428d79f58425d831c2ee0a73f04749715e8c4dd30ccd81d92fe17485e6dfcda, reference = https://www.majorgeeks.com/files/details/advanced_bat_to_exe_converter.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-23
Source: 70, type: SAMPLE | Matched rule: SUSP_BAT2EXE_BDargo_Converted_BAT date = 2018-07-28, hash1 = a547a02eb4fcb8f446da9b50838503de0d46f9bb2fd197c9ff63021243ea6d88, author = Florian Roth, description = Detects binaries created with BDARGO Advanced BAT to EXE converter, score = d428d79f58425d831c2ee0a73f04749715e8c4dd30ccd81d92fe17485e6dfcda, reference = https://www.majorgeeks.com/files/details/advanced_bat_to_exe_converter.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-23
Source: file.exe, 00000000.00000003.306712754.0000000002495000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUninstall.exeF vs file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043E304 0_2_0043E304
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AITMP960\Uninstall.exe 190474CD3AD662AB796EE93ABBBFAE52C2E2E3C7A13C708D76AABF1085D8B676
Source: Uninstall.exe.0.dr | Static PE information: Resource name: RT_GROUP_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: file.exe | Static PE information: Section: UPX1 ZLIB complexity 0.9910195182724253
Source: Uninstall.exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9907685774374461
Source: file.exe | Virustotal: Detection: 23%
Source: file.exe | ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\AITMP960
Source: C:\Users\user\Desktop\file.exe | File written: C:\Users\user\AppData\Local\Temp\AITMP960\aisetup.ini
Source: classification engine | Classification label: mal56.troj.winEXE@1/10@0/0
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\AppData\Local\Temp\AITMP960\aisetup.ini
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00425F78 GetDiskFreeSpaceW,0_2_00425F78
Source: C:\Users\user\Desktop\file.exe | Window found: window name: TButton
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: file.exe | Static file information: File size 21062092 > 1048576

          Data Obfuscation

Source: Yara match | File source: 84, type: SAMPLE
Source: Yara match | File source: 74, type: SAMPLE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C048 push ecx; mov dword ptr [esp], eax 0_2_0041C04A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00433050 push 00433145h; ret 0_2_0043313D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046A0B0 push ecx; mov dword ptr [esp], edx 0_2_0046A0B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00469A60 push ecx; mov dword ptr [esp], ecx 0_2_00469A64
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046B228 push ecx; mov dword ptr [esp], edx 0_2_0046B229
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046AB40 push ecx; mov dword ptr [esp], ecx 0_2_0046AB44
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C33C push 0041C374h; ret 0_2_0041C36C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043C3AC push 0043C403h; ret 0_2_0043C3FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043B4EC push ecx; mov dword ptr [esp], ecx 0_2_0043B4EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00432484 push ecx; mov dword ptr [esp], eax 0_2_00432485
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004674AC push ecx; mov dword ptr [esp], eax 0_2_004674AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004324B4 push ecx; mov dword ptr [esp], eax 0_2_004324B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046BCB8 push ecx; mov dword ptr [esp], ecx 0_2_0046BCBC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042A550 push 0042A5E9h; ret 0_2_0042A5E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406DB4 push ecx; mov dword ptr [esp], eax 0_2_00406DB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041BE70 push ecx; mov dword ptr [esp], eax 0_2_0041BE72
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E63C push ecx; mov dword ptr [esp], edx 0_2_0040E63D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046869C push ecx; mov dword ptr [esp], ecx 0_2_004686A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00463FCC push ecx; mov dword ptr [esp], ecx 0_2_00463FD0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00468FD0 push ecx; mov dword ptr [esp], edx 0_2_00468FD1
Source: Create (BW) Backend Backup.exe.0.dr | Static PE information: section name: .giats
Source: Remove Old Setup in Start Menu.exe.0.dr | Static PE information: section name: _RDATA
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\AITMP960\Remove Old Setup in Start Menu.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\AITMP960\Delete a Folder FOP Export Import.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\AITMP960\Uninstall.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\AITMP960\Create (BW) Backend Backup.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\AITMP960\Remove Old Setup in Start Menu.exe
Source: C:\Users\user\Desktop\file.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AITMP960\Remove Old Setup in Start Menu.exe
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AITMP960\Delete a Folder FOP Export Import.exe
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AITMP960\Uninstall.exe
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AITMP960\Create (BW) Backend Backup.exe
Source: C:\Users\user\Desktop\file.exe | API coverage: 8.9 %
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D930 FindFirstFileW,FindClose,0_2_0040D930
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00425210 FindFirstFileW,FindClose,0_2_00425210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D364 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040D364
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004253F4 FindFirstFileW,FindClose,0_2_004253F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00423160 GetLogicalDriveStringsW,QueryDosDeviceW,0_2_00423160
Source: 0 | Binary or memory string: B8XHZVYZ_AFLDQNDUDELHGFSIIEPZI
Source: 0 | Binary or memory string: +>SCXHZVYZ_AFLDQNDUDELHGFSIIEPZI
Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_0040DA68
Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,0_2_0042D9C8
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_00429DF0
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_00429DA4
Source: C:\Users\user\Desktop\file.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0040CF08
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,0_2_0042D78C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00428158 GetLocalTime,0_2_00428158
MITRE ATT&CK Matrix (a count in parentheses marks a technique matched by signatures in this analysis; unmarked entries are the matrix's default placeholders)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
Persistence: Registry Run Keys / Startup Folder (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Privilege Escalation: Registry Run Keys / Startup Folder (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Defense Evasion: Software Packing (11), Obfuscated Files or Information (11), Obfuscated Files or Information, Binary Padding
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: System Time Discovery (1), Security Software Discovery (1), File and Directory Discovery (4), System Information Discovery (23)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
Impact: Modify System Partition, Device Lockout, Delete Device Data

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

Source | Detection | Scanner | Label
file.exe | 24% | Virustotal |
file.exe | 23% | ReversingLabs |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\AITMP960\Create (BW) Backend Backup.exe | 11% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\AITMP960\Delete a Folder FOP Export Import.exe | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\AITMP960\Remove Old Setup in Start Menu.exe | 8% | ReversingLabs | Win64.Trojan.Generic
C:\Users\user\AppData\Local\Temp\AITMP960\Uninstall.exe | 4% | ReversingLabs |
Source | Detection | Scanner | Label
0.0.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          No Antivirus matches
Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
https://www.bearware.org/download/IL014/update3210.txtaa | 0% | Avira URL Cloud | safe
https://www.bearware.org/download/IL014/update3210.txt | 0% | Avira URL Cloud | safe
https://www.bearware.org | 0% | Avira URL Cloud | safe
http://www.actualinstaller. | 0% | Avira URL Cloud | safe
http://www.actualinstaller.com/?r=setup | 0% | Avira URL Cloud | safe
http://www.actualinstaller.com/?r=setupopenU | 0% | Avira URL Cloud | safe
http://www.actualinstaller.com1q | 0% | Avira URL Cloud | safe
http://www.google.comU | 0% | Avira URL Cloud | safe
http://www.actualinstaller.com | 0% | Avira URL Cloud | safe
http://www.actualinstaller.coma | 0% | Avira URL Cloud | safe
          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.bearware.org/download/IL014/update3210.txtaa | file.exe, 00000000.00000003.306741615.00000000024BD000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | false | URL Reputation: safe | unknown
http://www.actualinstaller.com/?r=setupopenU | file.exe, 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | false | URL Reputation: safe | unknown
http://www.google.comU | file.exe, 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | false | URL Reputation: safe | unknown
http://www.actualinstaller. | file.exe, file.exe, 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | false | URL Reputation: safe | unknown
http://home.att.net/~dashish | 0, 1 | false | | high
http://www.actualinstaller.com1q | file.exe, 00000000.00000003.306882963.00000000025AA000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.google.com | file.exe | false | | high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | false | URL Reputation: safe | unknown
https://www.bearware.org/download/IL014/update3210.txt | aisetup.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | Remove Old Setup in Start Menu.exe.0.dr, Create (BW) Backend Backup.exe.0.dr, Delete a Folder FOP Export Import.exe.0.dr | false | URL Reputation: safe | unknown
http://www.actualinstaller.com/?r=setup | file.exe | false | Avira URL Cloud: safe | unknown
https://www.bearware.org | 0, 1 | false | Avira URL Cloud: safe | unknown
http://www.actualinstaller.com | file.exe, file.exe, 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Englishai.lng.0.dr | false | Avira URL Cloud: safe | unknown
http://www.actualinstaller.coma | file.exe, 00000000.00000003.306882963.00000000025AA000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              No contacted IP infos
              Joe Sandbox Version:36.0.0 Rainbow Opal
              Analysis ID:767253
              Start date and time:2022-12-14 20:24:14 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 5m 14s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:file.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:1
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal56.troj.winEXE@1/10@0/0
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 100% (good quality ratio 98.1%)
              • Quality average: 81.4%
              • Quality standard deviation: 24.5%
              HCA Information:Failed
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Stop behavior analysis, all processes terminated
              No simulations
              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Context
C:\Users\user\AppData\Local\Temp\AITMP960\Uninstall.exe | lst_setup_v4_0_5 (1).exe | | malicious |
                Process:C:\Users\user\Desktop\file.exe
                File Type:PE32 executable (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):442328
                Entropy (8bit):6.416651319102807
                Encrypted:false
                SSDEEP:6144:3vXaZ6Sh1Ter4Ixlua8L5+L9AiBxu765tGTIgQQfxEBD8LZ0H0xN9o6r5Vgph1Wz:3vaZfhhSlueBxcpRxN9o4Mhk1udyrlT
                MD5:ABA5EB43C5D620807FC7B8535CEBB112
                SHA1:3C5F1E75AA73C58F0625AAC406144795E1D106B6
                SHA-256:2235408C770C184F4E71EAD53E7F7A79F972537D877C4CDA4D6B4896AEAB4551
                SHA-512:BDAD0EA97A29A5630904381F860B983FB299D7CB603DBB6499943245601A84901C9668C44621DA31BE5B9B1244C10919BDC4D24B9992F74181F20240025E01CC
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 11%
                Reputation:low
                Process:C:\Users\user\Desktop\file.exe
                File Type:PE32 executable (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):274392
                Entropy (8bit):6.234549947077301
                Encrypted:false
                SSDEEP:6144:PYyjyyDFOAQsovMqSWcFJiOuLbsHd6v1d63:9FI0WcFJiOuEHdS63
                MD5:B2291B18CF1637C068925EFC3D7A889B
                SHA1:051AA9D0E2A6D7E40923BA145A985F56AB555BB9
                SHA-256:746E6CC942E50B62F8E789B00BBBB67AE398678D50BBC0EDE58DD52D1C59911B
                SHA-512:DC262DF649AD2930F934AA3A819E028038F84B77C4D21FF53904948AF87C7850AC0CC6A5B7C2282226246A696964C4AB54628CB6704F754AD4007652AB8EC967
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 5%
                Reputation:low
                Process:C:\Users\user\Desktop\file.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                Category:dropped
                Size (bytes):8768
                Entropy (8bit):5.020687261832037
                Encrypted:false
                SSDEEP:96:BlSdcorjZ9sQFh+6d2KWqwfqi0M0C0DMgFOrZ3HHubESQyGo08G9oukN4by5KxMJ:BgK64YddxzMR0DMiIXHu4Qdr4by5JUk
                MD5:92319FFAC6A7773659EC222752858B3D
                SHA1:A12A299E3F361EF5C30EF62A4B24F4391C27A8B2
                SHA-256:D8382C3546AD899CA9DC3B874DF4E2074A097771BF7082C906DA413ACA2AF45C
                SHA-512:988A56774C797903097E0BB1A0007130AB5352D3F3073CA24D4C8894BDB6DF7689DF1693282DD607D62FE60EE24E5E0CC70686109CEB21BFA6E97FEF323EF9B6
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:.[Info]..id=1033..lng=en..translator=http://www.actualinstaller.com....[Buttons]..0=< &Back..1=&Next >..2=&Cancel..3=&Install..4=E&xit..5=&Yes..6=&No..7=&Browse.....8=&Finish..9=&Extract..10=OK..11=I &Agree..12=Print..13=Exit....[Title]..0=<AppNameVersion> Setup....[Language]..0=Welcome to <AppName> Setup..1=Select the setup language:....[Welcome]..0=Welcome to <AppName> Setup..1=This will install <AppNameVersion> on your computer.<#><#>Click Next to continue, or Cancel to exit Setup...2=Copyright . %s..3=Options....[LicenseAgreement]..0=License Agreement..1=Please read the following important information before continuing...2=Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation...3=If you accept the terms of the agreement, click "I Agree" to continue...4=I accept the agreement..5=By installing this product, you agree to our..6=License Agreement....[Readme]..0=Readme Information..1=Please read additional inf
                Process:C:\Users\user\Desktop\file.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (739), with CRLF line terminators
                Category:dropped
                Size (bytes):5054
                Entropy (8bit):4.889814109728986
                Encrypted:false
                SSDEEP:96:Ezqr+EyzwAPm1ZsrHF9EvAbhrMyAq0qmdSbBZ3Un18dx98TW:Xr+Ey+MrrQANrDAbdSbb3USqi
                MD5:EBA4B2CC27AA2DCBABEBC80C23C79CAF
                SHA1:B77A4ABD5B7DDAEF2C5EF5E8759017B75A92C3F9
                SHA-256:8826D7118F6863D0B8DBF69D35C9CF68DE99E4BEB0F4ED75CE516ABF6443204F
                SHA-512:17C359D9F2552CD1B6A328051353A143ACC3A4D05F9B8B5736B592081755CC2752F6699B792258AB374964D2F36C0C4AC876F60570B7FA4E31F369BE3F37E867
                Malicious:false
                Reputation:low
                Preview:.License agreement for the package: F.O.P. Membership..This license agreement is a legal agreement between you ..(Either an individual or a single entity) and the author..of this software package. ..** NOTE PRICE CHANGE AS OF MAY 2016 - See replacement and Fees area **....Bearware Software..James Caulfield..5160 Douglas rd...Oswego, Illinois 60543-9492....Support@bearware.org.. https://www.bearware.org..--------------------------------------------------------------------------------..Replacement and Fees:..Off Site Backup: $5.00 a Month minimum 12 backups or $5.00 a Week minimum 52 backups (internet connection is needed)....CD-ROM / Replacement CD: $100.00 + 1yr renewal ..( contains all files for reinstallation of original data information in event of complete loss )....Rebuild:..Lodge Membership conversion to newer version of Access or rebuild installer $170.00....Yearly Re-license fee:..Lodges with membership Under 300, flat fee $ 100.00..Lodges with memb
                Process:C:\Users\user\Desktop\file.exe
                File Type:MS Windows icon resource - 1 icon, 32x32, 16 colors, 4 bits/pixel
                Category:dropped
                Size (bytes):766
                Entropy (8bit):1.882945063517906
                Encrypted:false
                SSDEEP:3:wX/JFllfl/t+lxlllXvllfl/Ft/vl/talAotuZLttCAXwswswseNiP8OrP8OSS82:xlUlAj
                MD5:D2AC1037F928DBA4CF4DC81EBFD50EC3
                SHA1:DD412C088DF738E7B919321418889C8D810EA69A
                SHA-256:4BD0F149B90852C30086B392D4B0F74A28C5AD5E679C70108540BFD68DCDE3F5
                SHA-512:21C01FFF9F1880567C91732838626A804A3185EE704B58FE5949328DA0EF97C3E6C6C7F37BBA3031521401D4EA0E00092FEBCBA62E94FB1D5ACB59DAC5AC49A3
                Malicious:false
                Reputation:low
                Preview:...... ..............(... ...@...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\Desktop\file.exe
                File Type:PE32+ executable (console) x86-64, for MS Windows
                Category:dropped
                Size (bytes):687064
                Entropy (8bit):5.916379307511307
                Encrypted:false
                SSDEEP:12288:5tC1dK/uwBx3wkMOlJbRB/MPa0Mcn3BcTCHWb1GJK:5A1wm+3wkzvbn/My03Bvk
                MD5:6B21FD84659BEDAA723004C1CA9725A9
                SHA1:66AA9BA14063BF38AB05CBFEC7DF2BD75CFDBBD0
                SHA-256:581EA677CF2F46ECFC0230AAF447A6C569B37052576C5694B2C48911E8968665
                SHA-512:577B5FCC60CF321EA59C49E57F4BDF7FC68846A810D9DB2FD4B68314B0A2E845EB058E08F31EF06B8357882BCA05258A7B25C46A2C0D7302089E60E7E0020594
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 8%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..~...~...~...%..x...%..k...%.....%......%..g...~...F......l......w.............w....._.....~.7............Rich~...................PE..d......^.........."..........~......4!.........@.....................................D....`.................................................8...........P........E...Z...!...........r..8...................(t..(... s..................(............................text............................... ..`.rdata...?.......@..................@..@.data....u...0...$..................@....pdata...E.......F...@..............@..@_RDATA..............................@..@.rsrc...P...........................@..@.reloc...............B..............@..B........................................................................................................................................................................................
                Process:C:\Users\user\Desktop\file.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                Category:dropped
                Size (bytes):614912
                Entropy (8bit):7.885964608571698
                Encrypted:false
                SSDEEP:12288:lcmnEU6A7Uiu7QErsCkby2sdtw/YcSKs9FuKb0a6j2nMt3/AQ:lEnyUiu7QBuDdOYcQ62MN/H
                MD5:8AAFA112EF5FDC35F3242986F5DF6FEB
                SHA1:DBD09C2FC0D111CB8623659552D4DDC57CB18E60
                SHA-256:190474CD3AD662AB796EE93ABBBFAE52C2E2E3C7A13C708D76AABF1085D8B676
                SHA-512:607677B36865EA88B6F4D94A8C181AE1436A5B1ED1C7BABBC1CB6E6BC4A7DCCB237812C8DD189E5B077D2E70B63808247AB2D7CD5D3B2675F0273EBA8D564BA4
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 4%
                Joe Sandbox View:
                • Filename: lst_setup_v4_0_5 (1).exe, Detection: malicious, Browse
                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...9..b.....................P...P.. j$..`...p$...@...........................$..................@.................... ._...d.$.`....p$.dM...................................................k$..............................p .....................UPX0.....P..............................UPX1.........`......................@....rsrc....P...p$..P..................@..............................................................................................................................................................................................................................................................................................................................................................................3.96.UPX!....
                Process:C:\Users\user\Desktop\file.exe
                File Type:PC bitmap, Windows 3.x format, 494 x 135 x 24, image size 200340, cbSize 200394, bits offset 54
                Category:dropped
                Size (bytes):200394
                Entropy (8bit):1.9529244566216357
                Encrypted:false
                SSDEEP:768:VX8RJv0/m0NEAKuMETnDz479961UGHrxd4kEGPfVCKjTyiB:p8Q/NKupTDzkWUAqGFljTbB
                MD5:22C4A8AEE84CDE39B2126C4ACB7B7D59
                SHA1:051BC6C2FEFE8AF51DE4F9C0FD151537B2C279DF
                SHA-256:8D7AFE922D00729AEEA775B37D46EAC204254101AFD64F3A3C32C0376DC8C5B1
                SHA-512:49F4945BCC76D996F0298B7BD25AC393228C4022AC8228C4877780E62A6A9DBDD2DD02B7EFD62C5932E29FE78C8CF7566C067FBC50936672086C26BB1995D48B
                Malicious:false
                Preview:BM........6...(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\Desktop\file.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                Category:dropped
                Size (bytes):10109
                Entropy (8bit):5.6783960085018155
                Encrypted:false
                SSDEEP:192:RJctfTxO3/qi622vtgQqoiaVRXZUFd6N0Odjk0hicPL3TSu+yPQJRWY/Y5IzLiBd:YTQqz2W
                MD5:74610E96323FC296DB2928E6800D1642
                SHA1:0C3B693FD2B897B9B41CB3A4728E08968A68D3F4
                SHA-256:E5088C12CECC26EF1F79F3562A024ACA4088B1E2CD062D030F3A5FE2FAB4B04F
                SHA-512:A5BE11DDBF7B469F4EE22F8CA330428A8051E04FBAEC47D662B1C59D143393B45F8A1EEDE1FD9B7C19EEFE93970513E236735D9AC3DA823C13D23B2D736BDD78
                Malicious:false
                Preview:.[Setup]..AIVer=9.2..BDID=221213..GUID={87556C32-A425-4B4A-B702-2B12C8E027AB}..AppName=F.O.P. Membership System..AppVersion=9.12.56..AppDescription=Update (32 bit) 2010 package to version 9.12.56..CompanyName=James Caulfield, Consulting Service..WebSite=www.bearware.org..SupportLink=www.bearware.org..PackageType=0..InstallLevel=2..UpgradeMode=1..RunAsAdmin=0..CheckVersions=1..CheckMinVer=9.12.0..CheckMaxVer=9.12.56..CheckNoUpdate=0..Windows 7=1..Windows 8=1..Windows 8.1=1..Windows 10=1..Windows 11=1..Enab=1..SystemType=0..Internet=0..Archive=0..OpenPrereqLink=0..InstallDir=<SystemDrive>\(BW) BearWare\FOP\..MainExe=<InstallDir>\2010 FOP(ver9.12x32u).accde..ProgramGroup=(BW) BearWare\FOP..Uninstall=1..ShowAddRemove=1..ProductIcon=0..SilentUninstall=0..UninstallForce=0..UninstallRestart=0..UninstallSettings=0..VisitUninstallPage=0..CloseMainExe=1..Updater=1..UpdateURL=https://www.bearware.org/download/IL014/update3210.txt..ActualUpdater=0..LaunchOnStatup=0..SelectFolderMode=0..AltInstal
                Process:C:\Users\user\Desktop\file.exe
                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                Category:dropped
                Size (bytes):1252705
                Entropy (8bit):7.9982869394400335
                Encrypted:true
                SSDEEP:24576:9l//GoRRjAN2f6Y2LaCgeblcgTX+aYaBEVwlwC5XW39SIyBmE/k:9NTha2L6gebugyUE+lK35amt
                MD5:AD9015C6AD7F5D5B3C93371E026ED86D
                SHA1:E06F1158EED2B90FF587A0607649EE12451F0903
                SHA-256:EBB23010CE6555726727801E32348F8C7A83231701E1D1AD692589140B696F08
                SHA-512:CBB7F794418FA40C611A2A3206D73AE889DAEE8D51791F24B4C27DD7E82781E3D4825FDEBA007F18CCA913511CF1B83B1B52BA6305CA7656E2C741BDDD5B8247
                Malicious:false
                Preview:PK........4iRT8......@"......Englishai.lng.Y.N#...n...G....^....Y...Y.....%..3m..{....g.Hy..B..{z..0...i..3....~U..?..kO.._.-.%.;.n...a"T...W6.N.d.\q...d2...<..:...tR=n.._?..ie..N......vk7......n.%[.\."o...V.o....o.[...Wa.C8.....'.'Vt:.v.(..,...v.8.....pfw'.....&=.u64B.....H.o..%........(..X.,..Z}d....]q5,...=..T..iV......E...f.............HZ6.y.I..Z......E...?..#.;.e....:..IU.m......../...u15r8r._.g..]qS8..z..T(+.c............gF...0.y.'R.....8..(4.f.=...,*)...Y.e.....K6..c<ME.m...[......+.....nDG..I....7@..*j..,%.o..T.M.w0.{M&.6.A.iZ......Y..W.......S`...=w`..T.#..&....2..y>...D.....#......6U...L.A.!.~..4. .....w?.L..NM......N...Fdl E.YRc...<!.b.S.}bo......v.N;...jz.n.Q....Rm.&... .3S....k~!,..$...L..=..Ha0.....P?.im.B..[4p..2..{..~M...2....HO0..T..'........4..*..z......\i.k...xC..AR{....<.'T_...g.s.........>.L...w.s`a&.....P..4....K3D...>=%......qK......8..-....<.+.B..5..zw..p.D.c.|.>eP...MF2..B...62T...M.!..@Q.KKg.......UR..R`...
                File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                Entropy (8bit):7.998403160733029
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.63%
                • UPX compressed Win32 Executable (30571/9) 0.30%
                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                File name:file.exe
                File size:21062092
                MD5:1e8ce5705381fdef436f4fae5a30334b
                SHA1:5f0de42379d874d64b2ceb3615e5e8715bcc1880
                SHA256:cc8f23f2566b9bdc9723d0bc664cd65edbf206f096c596c8c749a769567e3c8b
                SHA512:b23d2707abff3f1dc1d7b67d6df03e049710cd3ee50a13bd8f4d0731928a21520939b60fc3d106c1d2949b4303efaccaa96af1d78f543032cff03b42a2bce988
                SSDEEP:393216:ouny2QOlx8ObReD7zx0Er/I8yxcMxQMp9BRgZw2YL:oUyKlN1eD7zx0AvyQQBGZDYL
                TLSH:252733F459E09FE9D2DFB177041D3F77C11020695A509DAEF81A25DB30E2E248ECCAA9
                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                Icon Hash:2e2e9234e5c94e48
                Entrypoint:0x6e1ee0
                Entrypoint Section:UPX1
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                DLL Characteristics:
                Time Stamp:0x63230091 [Thu Sep 15 10:38:09 2022 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:0
                File Version Major:5
                File Version Minor:0
                Subsystem Version Major:5
                Subsystem Version Minor:0
                Import Hash:9369b8cbf820fedf4c7837b944ee2543
                Instruction
                pushad
                mov esi, 00626000h
                lea edi, dword ptr [esi-00225000h]
                mov dword ptr [edi+0027CC38h], C4A11C53h
                push edi
                or ebp, FFFFFFFFh
                jmp 00007F1990745D80h
                nop
                nop
                nop
                nop
                mov al, byte ptr [esi]
                inc esi
                mov byte ptr [edi], al
                inc edi
                add ebx, ebx
                jne 00007F1990745D79h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jc 00007F1990745D5Fh
                mov eax, 00000001h
                add ebx, ebx
                jne 00007F1990745D79h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc eax, eax
                add ebx, ebx
                jnc 00007F1990745D7Dh
                jne 00007F1990745D9Ah
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jc 00007F1990745D91h
                dec eax
                add ebx, ebx
                jne 00007F1990745D79h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc eax, eax
                jmp 00007F1990745D46h
                add ebx, ebx
                jne 00007F1990745D79h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc ecx, ecx
                jmp 00007F1990745DC4h
                xor ecx, ecx
                sub eax, 03h
                jc 00007F1990745D83h
                shl eax, 08h
                mov al, byte ptr [esi]
                inc esi
                xor eax, FFFFFFFFh
                je 00007F1990745DE7h
                sar eax, 1
                mov ebp, eax
                jmp 00007F1990745D7Dh
                add ebx, ebx
                jne 00007F1990745D79h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jc 00007F1990745D3Eh
                inc ecx
                add ebx, ebx
                jne 00007F1990745D79h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jc 00007F1990745D30h
                add ebx, ebx
                jne 00007F1990745D79h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc ecx, ecx
                add ebx, ebx
                jnc 00007F1990745D61h
                jne 00007F1990745D7Bh
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jnc 00007F1990745D56h
                add ecx, 02h
                cmp ebp, 00000000h
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x292000 | 0x5b | UPX1
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e4c18 | 0x300 | .rsrc
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e3000 | 0x1c18 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x2e2098 | 0x18 | UPX1
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x291000 | 0xa02 | UPX1
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                UPX0 | 0x1000 | 0x225000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                UPX1 | 0x226000 | 0xbd000 | 0xbc200 | False | 0.9910195182724253 | data | 7.925921984403315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x2e3000 | 0x2000 | 0x2000 | False | 0.3343505859375 | data | 4.360573655069043 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Name | RVA | Size | Type | Language | Country
                RT_CURSOR | 0x2ccfb4 | 0x134 | data | English | United States
                RT_CURSOR | 0x2cd0e8 | 0x134 | data | English | United States
                RT_CURSOR | 0x2cd21c | 0x134 | data | English | United States
                RT_CURSOR | 0x2cd350 | 0x134 | data | English | United States
                RT_CURSOR | 0x2cd484 | 0x134 | data | English | United States
                RT_CURSOR | 0x2cd5b8 | 0x134 | data | English | United States
                RT_CURSOR | 0x2cd6ec | 0x134 | data | English | United States
                RT_BITMAP | 0x2cd820 | 0x1d0 | data | English | United States
                RT_BITMAP | 0x2cd9f0 | 0x1e4 | data | English | United States
                RT_BITMAP | 0x2cdbd4 | 0x1d0 | data | English | United States
                RT_BITMAP | 0x2cdda4 | 0x1d0 | data | English | United States
                RT_BITMAP | 0x2cdf74 | 0x1d0 | OpenPGP Public Key | English | United States
                RT_BITMAP | 0x2ce144 | 0x1d0 | data | English | United States
                RT_BITMAP | 0x2ce314 | 0x1d0 | data | English | United States
                RT_BITMAP | 0x2ce4e4 | 0x1d0 | data | English | United States
                RT_BITMAP | 0x2ce6b4 | 0x1d0 | OpenPGP Public Key | English | United States
                RT_BITMAP | 0x2ce884 | 0x1d0 | data | English | United States
                RT_BITMAP | 0x2cea54 | 0xc0 | data | English | United States
                RT_BITMAP | 0x2ceb14 | 0xe0 | data | English | United States
                RT_BITMAP | 0x2cebf4 | 0xe0 | data | English | United States
                RT_BITMAP | 0x2cecd4 | 0xe0 | data | English | United States
                RT_BITMAP | 0x2cedb4 | 0xc0 | data | English | United States
                RT_BITMAP | 0x2cee74 | 0xc0 | data | English | United States
                RT_BITMAP | 0x2cef34 | 0xe0 | data | English | United States
                RT_BITMAP | 0x2cf014 | 0xc0 | data | English | United States
                RT_BITMAP | 0x2cf0d4 | 0xe0 | data | English | United States
                RT_BITMAP | 0x2cf1b4 | 0xc0 | data | English | United States
                RT_BITMAP | 0x2cf274 | 0xe0 | OpenPGP Public Key | English | United States
                RT_ICON | 0x2e3fb8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States
                RT_STRING | 0x2cf63c | 0x298 | data | |
                RT_STRING | 0x2cf8d4 | 0x364 | data | |
                RT_STRING | 0x2cfc38 | 0x3fc | data | |
                RT_STRING | 0x2d0034 | 0x24c | data | |
                RT_STRING | 0x2d0280 | 0xc0 | data | |
                RT_STRING | 0x2d0340 | 0x100 | data | |
                RT_STRING | 0x2d0440 | 0x254 | data | |
                RT_STRING | 0x2d0694 | 0x3d0 | data | |
                RT_STRING | 0x2d0a64 | 0x3d4 | data | |
                RT_STRING | 0x2d0e38 | 0x464 | data | |
                RT_STRING | 0x2d129c | 0x2f4 | data | |
                RT_STRING | 0x2d1590 | 0x3bc | data | |
                RT_STRING | 0x2d194c | 0x438 | data | |
                RT_STRING | 0x2d1d84 | 0x504 | data | |
                RT_STRING | 0x2d2288 | 0x384 | data | |
                RT_STRING | 0x2d260c | 0x3c0 | data | |
                RT_STRING | 0x2d29cc | 0x450 | data | |
                RT_STRING | 0x2d2e1c | 0x138 | data | |
                RT_STRING | 0x2d2f54 | 0xcc | data | |
                RT_STRING | 0x2d3020 | 0x1f8 | data | |
                RT_STRING | 0x2d3218 | 0x40c | data | |
                RT_STRING | 0x2d3624 | 0x384 | data | |
                RT_STRING | 0x2d39a8 | 0x318 | data | |
                RT_STRING | 0x2d3cc0 | 0x31c | data | |
                RT_RCDATA | 0x2d3fdc | 0x10 | data | |
                RT_RCDATA | 0x2d3fec | 0x690 | data | |
                RT_RCDATA | 0x2d467c | 0x2 | Non-ISO extended-ASCII text, with no line terminators | English | United States
                RT_RCDATA | 0x2d4680 | 0x7428 | data | |
                RT_RCDATA | 0x2dbaa8 | 0x1076 | data | |
                RT_RCDATA | 0x2dcb20 | 0x42f | data | |
                RT_GROUP_CURSOR | 0x2dcf50 | 0x14 | data | English | United States
                RT_GROUP_CURSOR | 0x2dcf64 | 0x14 | data | English | United States
                RT_GROUP_CURSOR | 0x2dcf78 | 0x14 | data | English | United States
                RT_GROUP_CURSOR | 0x2dcf8c | 0x14 | data | English | United States
                RT_GROUP_CURSOR | 0x2dcfa0 | 0x14 | OpenPGP Secret Key | English | United States
                RT_GROUP_CURSOR | 0x2dcfb4 | 0x14 | data | English | United States
                RT_GROUP_CURSOR | 0x2dcfc8 | 0x14 | data | English | United States
                RT_GROUP_ICON | 0x2e42a4 | 0x14 | data | English | United States
                RT_VERSION | 0x2e42bc | 0x2d0 | data | English | United States
                RT_MANIFEST | 0x2e4590 | 0x686 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
                DLL | Import
                advapi32.dll | FreeSid
                comctl32.dll | ImageList_Add
                comdlg32.dll | GetSaveFileNameW
                gdi32.dll | Pie
                KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                msvcrt.dll | memset
                ole32.dll | IsEqualGUID
                oleaut32.dll | LoadTypeLib
                shell32.dll | SHGetMalloc
                user32.dll | GetDC
                version.dll | VerQueryValueW
                wininet.dll | InternetOpenW
                winspool.drv | OpenPrinterW
                Language of compilation system | Country where language is spoken | Map
                English | United States |
                No network behavior found

                Target ID:0
                Start time:20:25:08
                Start date:14/12/2022
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\Desktop\file.exe
                Imagebase:0x400000
                File size:21062092 bytes
                MD5 hash:1E8CE5705381FDEF436F4FAE5A30334B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Borland Delphi
                Yara matches:
                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low

                  Execution Graph

                  Execution Coverage:2.1%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:5.4%
                  Total number of Nodes:606
                  Total number of Limit Nodes:22
19201 40c629 19195->19201 19197 40c67d 19196->19197 19198 406990 12 API calls 19196->19198 19199 406990 12 API calls 19197->19199 19200 40c68b 19197->19200 19198->19197 19199->19200 19202 40c699 19200->19202 19206 40c714 19200->19206 19207 40c1a0 19200->19207 19201->18936 19202->19201 19205 40c5f0 17 API calls 19202->19205 19204 40c920 14 API calls 19204->19202 19205->19202 19206->19204 19208 40c1b1 19207->19208 19209 40c1a9 19207->19209 19208->19206 19211 40c064 19209->19211 19212 40c0a8 19211->19212 19213 40c079 19211->19213 19212->19208 19214 40c0ca 19213->19214 19215 40c07e 19213->19215 19214->19212 19227 40ab6c 19214->19227 19215->19212 19217 40c088 19215->19217 19222 40c0f5 19215->19222 19218 40c08d 19217->19218 19220 40c109 19217->19220 19221 40c12c 19218->19221 19226 40c096 19218->19226 19220->19212 19223 40c064 17 API calls 19220->19223 19221->19212 19224 40bf1c 17 API calls 19221->19224 19222->19212 19237 40bf04 19222->19237 19223->19220 19224->19221 19226->19212 19242 40c964 19226->19242 19228 40ab70 19227->19228 19229 40ab93 19227->19229 19230 40a760 19228->19230 19233 40ab83 SysReAllocStringLen 19228->19233 19229->19214 19231 40a774 19230->19231 19232 40a766 SysFreeString 19230->19232 19231->19214 19232->19231 19233->19229 19234 40a6f8 19233->19234 19235 40a822 SysAllocStringLen 19234->19235 19236 40a838 19234->19236 19235->19234 19235->19236 19236->19214 19238 40bf14 19237->19238 19239 40bf0d 19237->19239 19240 406990 12 API calls 19238->19240 19239->19222 19241 40bf1b 19240->19241 19241->19222 19243 40c968 19242->19243 19244 40c920 14 API calls 19243->19244 19245 40c991 19243->19245 19244->19245 19245->19226 19247 44c2dd 19246->19247 19248 44c370 19247->19248 19249 44c318 19247->19249 19250 44c374 19248->19250 19251 44c388 19248->19251 19255 40bf1c 17 API calls 19249->19255 19252 40bf1c 17 API calls 19250->19252 19253 44c3b7 19251->19253 19254 44c398 19251->19254 19264 44c353 19251->19264 19252->19264 19257 40bc88 14 API calls 19253->19257 19274 
464968 19254->19274 19259 44c331 19255->19259 19257->19264 19258 40bcd8 14 API calls 19261 44c404 19258->19261 19259->19264 19270 4483e4 19259->19270 19261->19034 19265 4755dc 19261->19265 19262 40bf1c 17 API calls 19262->19264 19264->19258 19266 475601 19265->19266 19267 4755ee 19265->19267 19289 4498bc 19266->19289 19267->19034 19269 47560d 19269->19034 19271 4483ee 19270->19271 19272 40c7fc 17 API calls 19271->19272 19273 448416 19272->19273 19273->19264 19275 40bc88 14 API calls 19274->19275 19276 464981 19275->19276 19279 449720 19276->19279 19278 44c3a2 19278->19262 19280 44973b 19279->19280 19282 449760 19280->19282 19283 44836c 19280->19283 19282->19278 19284 448377 19283->19284 19285 4483e4 17 API calls 19284->19285 19287 448396 19285->19287 19286 4483b3 19286->19282 19287->19286 19288 40c1a0 17 API calls 19287->19288 19288->19286 19290 4498c9 19289->19290 19291 42b1e8 46 API calls 19290->19291 19293 4498e4 19290->19293 19292 4498df 19291->19292 19294 409e14 12 API calls 19292->19294 19293->19269 19294->19293 19296 40bc88 14 API calls 19295->19296 19297 4649ad 19296->19297 19298 449720 17 API calls 19297->19298 19299 4649bc 19298->19299 19299->19057 19301 468948 63 API calls 19300->19301 19302 464a96 19301->19302 19303 448fe9 19302->19303 19304 42b1e8 46 API calls 19302->19304 19303->18971 19303->18973 19305 464aac 19304->19305 19306 409e14 12 API calls 19305->19306 19306->19303 19308 449956 19307->19308 19309 447ded 19308->19309 19310 42b1e8 46 API calls 19308->19310 19313 46493c 19309->19313 19311 44996c 19310->19311 19312 409e14 12 API calls 19311->19312 19312->19309 19314 40bc88 14 API calls 19313->19314 19315 464955 19314->19315 19316 449720 17 API calls 19315->19316 19317 447df5 19316->19317 19317->19072 19319 40bc88 14 API calls 19318->19319 19320 4491ca 19319->19320 19321 44c2d4 17 API calls 19320->19321 19322 4491d5 19321->19322 19323 447f3d 19322->19323 19324 42b1e8 46 API calls 19322->19324 19323->19087 19325 4491eb 19324->19325 19326 409e14 12 
API calls 19325->19326 19326->19323 19328 42b1e8 46 API calls 19327->19328 19329 4479ee 19328->19329 19329->19111 19332 45ea47 19330->19332 19331 45eab1 19333 449904 58 API calls 19331->19333 19332->19331 19334 45ea77 19332->19334 19340 45ea82 19333->19340 19335 45ea84 19334->19335 19336 45ea7a 19334->19336 19356 449904 19335->19356 19338 45ea93 19336->19338 19339 45ea7d 19336->19339 19341 449904 58 API calls 19338->19341 19339->19340 19342 449904 58 API calls 19339->19342 19340->19122 19341->19340 19342->19340 19344 45d2f2 19343->19344 19345 406990 12 API calls 19344->19345 19346 45d309 19345->19346 19346->19141 19348 449857 19347->19348 19349 449863 19348->19349 19350 44987e 19348->19350 19351 40bc88 14 API calls 19349->19351 19362 448438 19350->19362 19352 449870 19351->19352 19353 449720 17 API calls 19352->19353 19355 44987c 19353->19355 19355->19152 19357 449911 19356->19357 19358 42b1e8 46 API calls 19357->19358 19361 44992c 19357->19361 19359 449927 19358->19359 19360 409e14 12 API calls 19359->19360 19360->19361 19361->19340 19363 448443 19362->19363 19364 4483e4 17 API calls 19363->19364 19365 448464 19364->19365 19365->19355 20600 433400 20601 43342a 20600->20601 20603 433423 20600->20603 20604 424c6c 20601->20604 20605 424c83 20604->20605 20611 424c89 20605->20611 20612 424b74 20605->20612 20607 424c9e 20618 424c1c 20607->20618 20610 424c1c CompareStringW 20610->20611 20611->20603 20613 424b7d 20612->20613 20614 40c7fc 17 API calls 20613->20614 20615 424b9d 20613->20615 20614->20615 20616 424bd8 20615->20616 20617 40c7fc 17 API calls 20615->20617 20616->20607 20617->20616 20620 424c2f 20618->20620 20621 424c54 20618->20621 20620->20621 20622 423dbc 20620->20622 20621->20610 20621->20611 20623 423dca 20622->20623 20624 423deb CompareStringW 20623->20624 20624->20620 18814 425434 18815 40b380 18814->18815 18816 425442 GetFileAttributesW 18815->18816 18817 42549e GetLastError 18816->18817 18818 42544f 18816->18818 18819 4254aa 18817->18819 18820 425458 
18817->18820 18818->18820 18822 425464 CreateFileW 18818->18822 18819->18820 18821 4254b4 18819->18821 18827 4253f4 18821->18827 18824 425488 GetLastError 18822->18824 18825 42547e CloseHandle 18822->18825 18824->18820 18825->18820 18828 40b380 18827->18828 18829 42540e FindFirstFileW 18828->18829 18830 42542b 18829->18830 18831 425419 FindClose 18829->18831 18830->18820 18831->18830 18794 4254cc 18806 40b380 18794->18806 18796 4254df GetFileAttributesW 18797 425573 GetLastError 18796->18797 18799 4254f2 18796->18799 18798 4254fa 18797->18798 18799->18798 18800 42550e CreateFileW 18799->18800 18801 42553c 18799->18801 18800->18798 18802 42552b CloseHandle 18800->18802 18801->18798 18803 425548 CreateFileW 18801->18803 18802->18798 18804 425565 CloseHandle 18803->18804 18805 42556f 18803->18805 18804->18798 18805->18798 18807 40b386 18806->18807 18807->18796 18770 4088ec 18775 408844 18770->18775 18772 40890f 18773 408930 CompareStringW 18772->18773 18774 408959 18773->18774 18778 40e3a8 18775->18778 18781 40e318 18778->18781 18780 408856 18780->18772 18782 40e339 18781->18782 18784 40e35f 18782->18784 18785 40e0cc 18782->18785 18784->18780 18786 40e0e1 18785->18786 18791 40e0fe 18785->18791 18787 40e13c 18786->18787 18789 40e0e9 18786->18789 18793 40e488 MultiByteToWideChar 18787->18793 18792 40e488 MultiByteToWideChar 18789->18792 18791->18784 18792->18791 18793->18791 18735 413e80 18739 406d50 18735->18739 18737 413e93 CreateWindowExW 18738 413ecd 18737->18738 18739->18737 18808 42c34c 18809 42c379 18808->18809 18810 42c3e6 18809->18810 18811 42c3cc 73921520 18809->18811 18811->18810 18812 425150 ReadFile 18813 425176 18812->18813 18743 40f924 18744 40f9cb 18743->18744 18745 40f94a 18743->18745 18745->18744 18747 40f534 18745->18747 18748 40f55f 18747->18748 18749 40f5d0 RaiseException 18748->18749 18750 40f5f8 18748->18750 18766 40f665 18749->18766 18752 40f698 18750->18752 18753 40f68d LoadLibraryA 18750->18753 18756 40f72e 18750->18756 18750->18766 18751 
40f797 18758 40f79b GetLastError 18751->18758 18751->18766 18754 40f6e7 18752->18754 18755 40f69c GetLastError 18752->18755 18753->18752 18763 40f6f5 18754->18763 18764 40f728 FreeLibrary 18754->18764 18759 40f6ad 18755->18759 18756->18751 18757 40f78b GetProcAddress 18756->18757 18756->18766 18757->18751 18760 40f7ac 18758->18760 18759->18754 18762 40f6bf RaiseException 18759->18762 18761 40f7be RaiseException 18760->18761 18760->18766 18761->18766 18762->18766 18763->18756 18765 40f6fb LocalAlloc 18763->18765 18764->18756 18765->18756 18767 40f70b 18765->18767 18766->18745 18767->18756 18740 4251c0 SetFilePointer 18741 4251f9 18740->18741 18742 4251f0 GetLastError 18740->18742 18742->18741 18603 40c9e0 18604 40c9f0 GetModuleFileNameW 18603->18604 18605 40ca0c 18603->18605 18607 40dc58 GetModuleFileNameW 18604->18607 18608 40dca6 18607->18608 18613 40db34 18608->18613 18610 40dcd2 18611 40dce4 LoadLibraryExW 18610->18611 18612 40dcec 18610->18612 18611->18612 18612->18605 18614 40db55 18613->18614 18615 40dbdd 18614->18615 18631 40d870 18614->18631 18615->18610 18617 40dbca 18618 40dbd0 18617->18618 18619 40dbdf GetUserDefaultUILanguage 18617->18619 18620 40d99c 2 API calls 18618->18620 18635 40d220 RtlEnterCriticalSection 18619->18635 18620->18615 18622 40dbec 18655 40d99c 18622->18655 18624 40dbf9 18625 40dc21 18624->18625 18626 40dc07 GetSystemDefaultUILanguage 18624->18626 18625->18615 18659 40da68 18625->18659 18627 40d220 17 API calls 18626->18627 18629 40dc14 18627->18629 18630 40d99c 2 API calls 18629->18630 18630->18625 18632 40d892 18631->18632 18634 40d89c 18631->18634 18667 40d554 18632->18667 18634->18617 18636 40d26c RtlLeaveCriticalSection 18635->18636 18637 40d24c 18635->18637 18704 40a718 18636->18704 18639 40d25d RtlLeaveCriticalSection 18637->18639 18645 40d30e 18639->18645 18640 40d27d IsValidLocale 18641 40d2db RtlEnterCriticalSection 18640->18641 18642 40d28c 18640->18642 18647 40d2f3 18641->18647 18643 40d2a0 18642->18643 18644 40d295 
18642->18644 18719 40cf08 18643->18719 18706 40d104 GetThreadUILanguage 18644->18706 18645->18622 18651 40d304 RtlLeaveCriticalSection 18647->18651 18649 40d2a9 GetSystemDefaultUILanguage 18649->18641 18650 40d2b3 18649->18650 18652 40d2c4 GetSystemDefaultUILanguage 18650->18652 18651->18645 18653 40cf08 3 API calls 18652->18653 18654 40d29e 18653->18654 18654->18641 18657 40d9ba 18655->18657 18656 40da35 18656->18624 18657->18656 18728 40d930 18657->18728 18733 40a7fc 18659->18733 18662 40dab8 18663 40d930 2 API calls 18662->18663 18664 40dacc 18663->18664 18665 40dafa 18664->18665 18666 40d930 2 API calls 18664->18666 18665->18615 18666->18665 18668 40d56b 18667->18668 18669 40d57f GetModuleFileNameW 18668->18669 18670 40d594 18668->18670 18669->18670 18671 40d763 18670->18671 18672 40d5bc RegOpenKeyExW 18670->18672 18671->18634 18673 40d5e3 RegOpenKeyExW 18672->18673 18674 40d67d 18672->18674 18673->18674 18676 40d601 RegOpenKeyExW 18673->18676 18688 40d364 GetModuleHandleW 18674->18688 18676->18674 18678 40d61f RegOpenKeyExW 18676->18678 18677 40d69b RegQueryValueExW 18680 40d6b9 18677->18680 18681 40d6ec RegQueryValueExW 18677->18681 18678->18674 18679 40d63d RegOpenKeyExW 18678->18679 18679->18674 18682 40d65b RegOpenKeyExW 18679->18682 18686 40d6c1 RegQueryValueExW 18680->18686 18683 40d6ea 18681->18683 18684 40d708 18681->18684 18682->18671 18682->18674 18685 40d752 RegCloseKey 18683->18685 18687 40d710 RegQueryValueExW 18684->18687 18685->18634 18686->18683 18687->18683 18689 40d39d 18688->18689 18690 40d38c GetProcAddress 18688->18690 18691 40d3b3 18689->18691 18696 40d3ff 18689->18696 18700 40d340 18689->18700 18690->18689 18691->18677 18694 40d340 CharNextW 18694->18696 18695 40d340 CharNextW 18695->18696 18696->18691 18696->18695 18697 40d484 FindFirstFileW 18696->18697 18699 40d4ee lstrlenW 18696->18699 18697->18691 18698 40d4a0 FindClose lstrlenW 18697->18698 18698->18691 18698->18696 18699->18696 18701 40d34e 18700->18701 18702 40d35c 18701->18702 
18703 40d346 CharNextW 18701->18703 18702->18691 18702->18694 18703->18701 18705 40a71e 18704->18705 18705->18640 18707 40d120 18706->18707 18708 40d179 18706->18708 18724 40d0c0 GetThreadPreferredUILanguages 18707->18724 18710 40d0c0 2 API calls 18708->18710 18714 40d181 18710->18714 18712 40d1c8 SetThreadPreferredUILanguages 18715 40d0c0 2 API calls 18712->18715 18714->18712 18718 40d209 18714->18718 18717 40d1de 18715->18717 18716 40d1f9 SetThreadPreferredUILanguages 18716->18718 18717->18716 18717->18718 18718->18654 18720 40cf43 18719->18720 18721 40cfac IsValidLocale 18720->18721 18722 40cffa 18720->18722 18721->18722 18723 40cfbf GetLocaleInfoW GetLocaleInfoW 18721->18723 18722->18649 18723->18722 18725 40d0e1 18724->18725 18726 40d0fa SetThreadPreferredUILanguages 18724->18726 18727 40d0ea GetThreadPreferredUILanguages 18725->18727 18726->18708 18727->18726 18729 40d945 18728->18729 18730 40d962 FindFirstFileW 18729->18730 18731 40d972 FindClose 18730->18731 18732 40d978 18730->18732 18731->18732 18732->18657 18734 40a800 GetUserDefaultUILanguage GetLocaleInfoW 18733->18734 18734->18662 18768 425188 WriteFile 18769 4251ad 18768->18769 18832 423dbc 18833 423dca 18832->18833 18834 423deb CompareStringW 18833->18834

                  Control-flow Graph

                  C-Code - Quality: 73%
                  			E0040DA68(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
                  				char _v8;
                  				short _v12;
                  				void* _v16;
                  				char _v20;
                  				char _v24;
                  				void* _t29;
                  				void* _t40;
                  				intOrPtr* _t44;
                  				intOrPtr _t55;
                  				void* _t61;
                  
                  				_push(__ebx);
                  				_v24 = 0;
                  				_v20 = 0;
                  				_t44 = __edx;
                  				_v8 = __eax;
                  				E0040A7FC(_v8);
                  				_push(_t61);
                  				_push(0x40db28);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t61 + 0xffffffec;
                  				_t21 =  &_v16;
                  				L00404C20();
                  				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
                  				E0040B424( &_v20, 4,  &_v16);
                  				E0040B5D4(_t44, _v20, _v8);
                  				_t29 = E0040D930( *_t44, _t44); // executed
                  				if(_t29 == 0) {
                  					_v12 = 0;
                  					E0040B424( &_v24, 4,  &_v16);
                  					E0040B5D4(_t44, _v24, _v8);
                  					_t40 = E0040D930( *_t44, _t44); // executed
                  					if(_t40 == 0) {
                  						E0040A718(_t44);
                  					}
                  				}
                  				_pop(_t55);
                  				 *[fs:eax] = _t55;
                  				_push(0x40db2f);
                  				E0040A778( &_v24, 2);
                  				return E0040A718( &_v8);
                  			}


                  Statement addresses (one per line of the decompiled body above, in order):
                  0x0040da6e, 0x0040da71, 0x0040da74, 0x0040da77, 0x0040da79, 0x0040da7f, 0x0040da86, 0x0040da87, 0x0040da8c, 0x0040da8f,
                  0x0040da94, 0x0040da9a, 0x0040daa3, 0x0040dab3, 0x0040dac0, 0x0040dac7, 0x0040dace, 0x0040dad0, 0x0040dae1, 0x0040daee,
                  0x0040daf5, 0x0040dafc, 0x0040db00, 0x0040db00, 0x0040dafc, 0x0040db07, 0x0040db0a, 0x0040db0d, 0x0040db1a, 0x0040db27

                  APIs
                  • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040DB28,?,?), ref: 0040DA9A
                  • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040DB28,?,?), ref: 0040DAA3
                    • Part of subcall function 0040D930: FindFirstFileW.KERNEL32(00000000,?,00000000,0040D98E,?,00000001), ref: 0040D963
                    • Part of subcall function 0040D930: FindClose.KERNEL32(00000000,00000000,?,00000000,0040D98E,?,00000001), ref: 0040D973
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                  • String ID:
                  • API String ID: 3216391948-0
                  • Opcode ID: 4f84ccc0e38d11220df3ee71ea2be22eb0a80f658bb283e796b9cd3fb8ca87c9
                  • Instruction ID: 8bb8cd45bc3cc2d8255f5900d6fd37103c97f41c90240ab78627dab773147213
                  • Opcode Fuzzy Hash: 4f84ccc0e38d11220df3ee71ea2be22eb0a80f658bb283e796b9cd3fb8ca87c9
                  • Instruction Fuzzy Hash: 90114570A042099BDF14EF95D982AAEB7F4EF44304F51447AB504B73D1DB789E04CA69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph: block 223 (40d930-40d970: call 40a7fc, call 40b380, FindFirstFileW) -> block 228 (40d972-40d973: FindClose) and block 229 (40d978-40d98d: call 40a718); block 228 -> block 229
                  C-Code - Quality: 46%
                  			E0040D930(char __eax, signed int __ebx) {
                  				char _v8;
                  				struct _WIN32_FIND_DATAW _v600;
                  				void* _t15;
                  				intOrPtr _t24;
                  				void* _t27;
                  
                  				_push(__ebx);
                  				_v8 = __eax;
                  				E0040A7FC(_v8);
                  				_push(_t27);
                  				_push(0x40d98e);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t27 + 0xfffffdac;
                  				_t15 = FindFirstFileW(E0040B380(_v8),  &_v600); // executed
                  				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
                  					FindClose(_t15);
                  				}
                  				_pop(_t24);
                  				 *[fs:eax] = _t24;
                  				_push(0x40d995);
                  				return E0040A718( &_v8);
                  			}

                  Statement addresses (one per line of the decompiled body above, in order):
                  0x0040d939, 0x0040d93a, 0x0040d940, 0x0040d947, 0x0040d948, 0x0040d94d, 0x0040d950, 0x0040d963, 0x0040d970, 0x0040d973,
                  0x0040d973, 0x0040d97a, 0x0040d97d, 0x0040d980, 0x0040d98d

                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?,00000000,0040D98E,?,00000001), ref: 0040D963
                  • FindClose.KERNEL32(00000000,00000000,?,00000000,0040D98E,?,00000001), ref: 0040D973
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFileFirst
                  • String ID:
                  • API String ID: 2295610775-0
                  • Opcode ID: 11aa61e58ff0a1aacadee510f779cb839228ca0ea622244e219cbf782038ebb8
                  • Instruction ID: d857e8e2939749d090a3ac062e183f0f53bd45b53a96c0af909b4ebbbb34e15a
                  • Opcode Fuzzy Hash: 11aa61e58ff0a1aacadee510f779cb839228ca0ea622244e219cbf782038ebb8
                  • Instruction Fuzzy Hash: 5FF0BEB0900608AEC711FBBACC1295EB3FCEB843107A105B6B800F32D1E638AE149519
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 78%
                  			E0040D554(char __eax, void* __ebx, void* __ecx, void* __edx) {
                  				char _v8;
                  				char* _v12;
                  				void* _v16;
                  				int _v20;
                  				short _v542;
                  				long _t51;
                  				long _t85;
                  				long _t87;
                  				long _t89;
                  				long _t91;
                  				long _t93;
                  				void* _t97;
                  				intOrPtr _t106;
                  				intOrPtr _t108;
                  				void* _t112;
                  				void* _t113;
                  				intOrPtr _t114;
                  
                  				_t112 = _t113;
                  				_t114 = _t113 + 0xfffffde4;
                  				_t97 = __edx;
                  				_v8 = __eax;
                  				E0040A7FC(_v8);
                  				_push(_t112);
                  				_push(0x40d779);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t114;
                  				if(_v8 != 0) {
                  					E0040CD88( &_v542, E0040B380(_v8), 0x105);
                  				} else {
                  					GetModuleFileNameW(0,  &_v542, 0x105);
                  				}
                  				if(_v542 == 0) {
                  					L17:
                  					_pop(_t106);
                  					 *[fs:eax] = _t106;
                  					_push(0x40d780);
                  					return E0040A718( &_v8);
                  				} else {
                  					_v12 = 0;
                  					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                  					if(_t51 == 0) {
                  						L10:
                  						_push(_t112);
                  						_push(0x40d75c);
                  						_push( *[fs:eax]);
                  						 *[fs:eax] = _t114;
                  						E0040D364( &_v542, 0x105);
                  						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
                  							if(RegQueryValueExW(_v16, 0x40d86c, 0, 0, 0,  &_v20) == 0) {
                  								_v12 = E00406834(_v20);
                  								RegQueryValueExW(_v16, 0x40d86c, 0, 0, _v12,  &_v20);
                  								E0040B3E8(_t97, _v12);
                  							}
                  						} else {
                  							_v12 = E00406834(_v20);
                  							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
                  							E0040B3E8(_t97, _v12);
                  						}
                  						_pop(_t108);
                  						 *[fs:eax] = _t108;
                  						_push(0x40d763);
                  						if(_v12 != 0) {
                  							E00406850(_v12);
                  						}
                  						return RegCloseKey(_v16);
                  					} else {
                  						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                  						if(_t85 == 0) {
                  							goto L10;
                  						} else {
                  							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                  							if(_t87 == 0) {
                  								goto L10;
                  							} else {
                  								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                  								if(_t89 == 0) {
                  									goto L10;
                  								} else {
                  									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
                  									if(_t91 == 0) {
                  										goto L10;
                  									} else {
                  										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
                  										if(_t93 != 0) {
                  											goto L17;
                  										} else {
                  											goto L10;
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  				}
                  			}

                  Statement addresses (one per line of the decompiled body above, in order; 0x00000000 where no address was recorded for the line):
                  0x0040d555, 0x0040d557, 0x0040d55e, 0x0040d560, 0x0040d566, 0x0040d56d, 0x0040d56e, 0x0040d573, 0x0040d576, 0x0040d57d,
                  0x0040d5a9, 0x0040d57f, 0x0040d58d, 0x0040d58d, 0x0040d5b6, 0x0040d763, 0x0040d765, 0x0040d768, 0x0040d76b, 0x0040d778,
                  0x0040d5bc, 0x0040d5be, 0x0040d5d6, 0x0040d5dd, 0x0040d67d, 0x0040d67f, 0x0040d680, 0x0040d685, 0x0040d688, 0x0040d696,
                  0x0040d6b7, 0x0040d706, 0x0040d710, 0x0040d728, 0x0040d732, 0x0040d732, 0x0040d6b9, 0x0040d6c1, 0x0040d6db, 0x0040d6e5,
                  0x0040d6e5, 0x0040d739, 0x0040d73c, 0x0040d73f, 0x0040d748, 0x0040d74d, 0x0040d74d, 0x0040d75b, 0x0040d5e3, 0x0040d5f8,
                  0x0040d5ff, 0x00000000, 0x0040d601, 0x0040d616, 0x0040d61d, 0x00000000, 0x0040d61f, 0x0040d634, 0x0040d63b, 0x00000000,
                  0x0040d63d, 0x0040d652, 0x0040d659, 0x00000000, 0x0040d65b, 0x0040d670, 0x0040d677, 0x00000000, 0x00000000, 0x00000000,
                  0x00000000, 0x0040d677, 0x0040d659, 0x0040d63b, 0x0040d61d, 0x0040d5ff, 0x0040d5dd

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D779,?,?), ref: 0040D58D
                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D779,?,?), ref: 0040D5D6
                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D779,?,?), ref: 0040D5F8
                  • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040D616
                  • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040D634
                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040D652
                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040D670
                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040D75C,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D779), ref: 0040D6B0
                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040D75C,?,80000001), ref: 0040D6DB
                  • RegCloseKey.ADVAPI32(?,0040D763,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040D75C,?,80000001,Software\Embarcadero\Locales), ref: 0040D756
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Open$QueryValue$CloseFileModuleName
                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                  • API String ID: 2701450724-3496071916
                  • Opcode ID: 85f1d496d0a3fe80467cc56ef6649c8b814c5699f49ef5177cf36381dd9b657b
                  • Instruction ID: 40ceb2f0d3d1de43b3f155fcec79db973bf5f05b7ad9007f5317bdc16a2a34fc
                  • Opcode Fuzzy Hash: 85f1d496d0a3fe80467cc56ef6649c8b814c5699f49ef5177cf36381dd9b657b
                  • Instruction Fuzzy Hash: DF510175E41208BEEB10EAE5CC82FAE73BCDB48704F61447BBA14F71C1D6789A44CA59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 35 40f534-40f5ce call 40f9e4 call 40f9f4 call 40fa04 call 40fa14 * 3 48 40f5d0-40f5f3 RaiseException 35->48 49 40f5f8-40f605 35->49 50 40f808-40f80e 48->50 51 40f607 49->51 52 40f60a-40f62a 49->52 51->52 53 40f62c-40f63b call 40fa24 52->53 54 40f63d-40f645 52->54 56 40f648-40f651 53->56 54->56 58 40f653-40f663 56->58 59 40f66a-40f66c 56->59 58->59 69 40f665 58->69 60 40f672-40f679 59->60 61 40f72e-40f738 59->61 63 40f689-40f68b 60->63 64 40f67b-40f687 60->64 65 40f748-40f74a 61->65 66 40f73a-40f746 61->66 70 40f698-40f69a 63->70 71 40f68d-40f696 LoadLibraryA 63->71 64->63 67 40f797-40f799 65->67 68 40f74c-40f750 65->68 66->65 78 40f7e1-40f7e4 67->78 79 40f79b-40f7aa GetLastError 67->79 75 40f752-40f756 68->75 76 40f78b-40f795 GetProcAddress 68->76 77 40f7e6-40f7ed 69->77 72 40f6e7-40f6f3 call 40f3d8 70->72 73 40f69c-40f6ab GetLastError 70->73 71->70 95 40f6f5-40f6f9 72->95 96 40f728-40f729 FreeLibrary 72->96 81 40f6bb-40f6bd 73->81 82 40f6ad-40f6b9 73->82 75->76 85 40f758-40f763 75->85 76->67 83 40f806 77->83 84 40f7ef-40f7fe 77->84 78->77 87 40f7ba-40f7bc 79->87 88 40f7ac-40f7b8 79->88 81->72 90 40f6bf-40f6e2 RaiseException 81->90 82->81 83->50 84->83 85->76 91 40f765-40f76b 85->91 87->78 89 40f7be-40f7de RaiseException 87->89 88->87 89->78 90->50 91->76 94 40f76d-40f77a 91->94 94->76 98 40f77c-40f787 94->98 95->61 99 40f6fb-40f709 LocalAlloc 95->99 96->61 98->76 100 40f789 98->100 99->61 101 40f70b-40f726 99->101 100->78 101->61
                  C-Code - Quality: 67%
                  			E0040F534(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                  				long _v8;
                  				signed int _v12;
                  				long _v16;
                  				void* _v20;
                  				long _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				struct HINSTANCE__** _v48;
                  				CHAR* _v52;
                  				void _v56;
                  				long _v60;
                  				_Unknown_base(*)()* _v64;
                  				struct HINSTANCE__* _v68;
                  				CHAR* _v72;
                  				signed int _v76;
                  				CHAR* _v80;
                  				intOrPtr* _v84;
                  				void* _v88;
                  				void _v92;
                  				signed int _t104;
                  				signed int _t106;
                  				signed int _t108;
                  				long _t113;
                  				intOrPtr* _t119;
                  				void* _t124;
                  				void _t126;
                  				long _t128;
                  				struct HINSTANCE__* _t133;
                  				struct HINSTANCE__* _t142;
                  				long _t166;
                  				signed int* _t190;
                  				_Unknown_base(*)()* _t191;
                  				void* _t194;
                  				intOrPtr _t196;
                  
                  				_push(_a4);
                  				memcpy( &_v56, 0x67dc64, 8 << 2);
                  				_pop(_t194);
                  				_v56 =  *0x67dc64;
                  				_v52 = E0040F9E4( *0x0067DC68);
                  				_v48 = E0040F9F4( *0x0067DC6C);
                  				_v44 = E0040FA04( *0x0067DC70);
                  				_v40 = E0040FA14( *0x0067DC74);
                  				_v36 = E0040FA14( *0x0067DC78);
                  				_v32 = E0040FA14( *0x0067DC7C);
                  				_v28 =  *0x0067DC80;
                  				memcpy( &_v92, 0x67dc84, 9 << 2);
                  				_t196 = _t194;
                  				_v88 = 0x67dc84;
                  				_v84 = _a8;
                  				_v80 = _v52;
                  				if((_v56 & 0x00000001) == 0) {
                  					_t166 =  *0x67dca8; // 0x0
                  					_v8 = _t166;
                  					_v8 =  &_v92;
                  					RaiseException(0xc06d0057, 0, 1,  &_v8);
                  					return 0;
                  				}
                  				_t104 = _a8 - _v44;
                  				_t142 =  *_v48;
                  				if(_t104 < 0) {
                  					_t104 = _t104 + 3;
                  				}
                  				_v12 = _t104 >> 2;
                  				_t106 = _v12;
                  				_t190 = (_t106 << 2) + _v40;
                  				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
                  				_v76 = _t108;
                  				if(_t108 == 0) {
                  					_v72 =  *_t190 & 0x0000ffff;
                  				} else {
                  					_v72 = E0040FA24( *_t190) + 2;
                  				}
                  				_t191 = 0;
                  				if( *0x689c5c == 0) {
                  					L10:
                  					if(_t142 != 0) {
                  						L25:
                  						_v68 = _t142;
                  						if( *0x689c5c != 0) {
                  							_t191 =  *0x689c5c(2,  &_v92);
                  						}
                  						if(_t191 != 0) {
                  							L36:
                  							if(_t191 == 0) {
                  								_v60 = GetLastError();
                  								if( *0x689c60 != 0) {
                  									_t191 =  *0x689c60(4,  &_v92);
                  								}
                  								if(_t191 == 0) {
                  									_t113 =  *0x67dcb0; // 0x0
                  									_v24 = _t113;
                  									_v24 =  &_v92;
                  									RaiseException(0xc06d007f, 0, 1,  &_v24);
                  									_t191 = _v64;
                  								}
                  							}
                  							goto L41;
                  						} else {
                  							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
                  								L35:
                  								_t191 = GetProcAddress(_t142, _v72);
                  								goto L36;
                  							} else {
                  								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
                  								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
                  									goto L35;
                  								} else {
                  									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
                  									if(_t191 == 0) {
                  										goto L35;
                  									}
                  									L41:
                  									 *_a8 = _t191;
                  									goto L42;
                  								}
                  							}
                  						}
                  					}
                  					if( *0x689c5c != 0) {
                  						_t142 =  *0x689c5c(1,  &_v92);
                  					}
                  					if(_t142 == 0) {
                  						_t133 = LoadLibraryA(_v80); // executed
                  						_t142 = _t133;
                  					}
                  					if(_t142 != 0) {
                  						L20:
                  						if(_t142 == E0040F3D8(_v48, _t142)) {
                  							FreeLibrary(_t142);
                  						} else {
                  							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
                  								_t124 = LocalAlloc(0x40, 8);
                  								_v20 = _t124;
                  								if(_t124 != 0) {
                  									 *((intOrPtr*)(_v20 + 4)) = _t196;
                  									_t126 =  *0x67dc60; // 0x0
                  									 *_v20 = _t126;
                  									 *0x67dc60 = _v20;
                  								}
                  							}
                  						}
                  						goto L25;
                  					} else {
                  						_v60 = GetLastError();
                  						if( *0x689c60 != 0) {
                  							_t142 =  *0x689c60(3,  &_v92);
                  						}
                  						if(_t142 != 0) {
                  							goto L20;
                  						} else {
                  							_t128 =  *0x67dcac; // 0x0
                  							_v16 = _t128;
                  							_v16 =  &_v92;
                  							RaiseException(0xc06d007e, 0, 1,  &_v16);
                  							return _v64;
                  						}
                  					}
                  				} else {
                  					_t191 =  *0x689c5c(0,  &_v92);
                  					if(_t191 == 0) {
                  						goto L10;
                  					} else {
                  						L42:
                  						if( *0x689c5c != 0) {
                  							_v60 = 0;
                  							_v68 = _t142;
                  							_v64 = _t191;
                  							 *0x689c5c(5,  &_v92);
                  						}
                  						return _t191;
                  					}
                  				}
                  			}


                  APIs
                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040F5EC
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: 22802e3d80400bc59e84fe4897e8bd7be91f51a50c62063e6ce091f4c415b015
                  • Instruction ID: 8ecbf6c48bb782a999f8424a6a0e4c6299042c27257ee93a6b499c32a53a9851
                  • Opcode Fuzzy Hash: 22802e3d80400bc59e84fe4897e8bd7be91f51a50c62063e6ce091f4c415b015
                  • Instruction Fuzzy Hash: 59A18F75A00209AFDB25DFA8D880BAEB7F5BF48310F14413AE905B77C0DB78A949CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 102 425434-42544d call 40b380 GetFileAttributesW 105 42549e-4254a8 GetLastError 102->105 106 42544f-425452 102->106 107 4254aa-4254ad 105->107 108 4254bf-4254c1 105->108 109 425497-42549c 106->109 110 425454-425456 106->110 107->108 111 4254af-4254b2 107->111 112 4254c5-4254c8 108->112 109->112 113 425458-42545a 110->113 114 42545c-42545e 110->114 111->108 115 4254b4-4254bd call 4253f4 111->115 113->112 116 425460-425462 114->116 117 425464-42547c CreateFileW 114->117 115->108 122 4254c3 115->122 116->112 119 425488-425495 GetLastError 117->119 120 42547e-425486 CloseHandle 117->120 119->112 120->112 122->112
                  C-Code - Quality: 100%
                  			E00425434(void* __eax, void* __edx) {
                  				signed char _t14;
                  				void* _t21;
                  				void* _t28;
                  				long _t29;
                  				WCHAR* _t32;
                  				void* _t33;
                  
                  				_t28 = __edx;
                  				_t33 = __eax;
                  				_t32 = E0040B380(__eax);
                  				_t14 = GetFileAttributesW(_t32); // executed
                  				if(_t14 == 0xffffffff) {
                  					_t29 = GetLastError();
                  					if(_t29 == 2 || _t29 == 3 || _t29 == 0x7b || E004253F4(_t33) == 0) {
                  						return 0;
                  					} else {
                  						return 1;
                  					}
                  				}
                  				if((_t14 & 0x00000004) == 0) {
                  					return _t14 & 0xffffff00 | (_t14 & 0x00000010) == 0x00000000;
                  				}
                  				if(_t28 != 0) {
                  					if((_t14 & 0x00000010) == 0) {
                  						_t21 = CreateFileW(_t32, 0x80000000, 1, 0, 3, 0, 0);
                  						if(_t21 == 0xffffffff) {
                  							return GetLastError() & 0xffffff00 | _t22 == 0x00000020;
                  						}
                  						CloseHandle(_t21);
                  						return 1;
                  					}
                  					return 0;
                  				}
                  				return 1;
                  			}


                  APIs
                  • GetFileAttributesW.KERNEL32(00000000,?,?,?,00423606), ref: 00425445
                  • GetLastError.KERNEL32(00000000,?,?,?,00423606), ref: 0042549E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AttributesErrorFileLast
                  • String ID: ${
                  • API String ID: 1799206407-4046706400
                  • Opcode ID: 1448314dcb769d24d2cbdecd9e303a6e1460b895d21235580d62103592c0643e
                  • Instruction ID: 02759eb294ff7bcef81f2d7904cf81660de3d7a17f5a5dfc15fd3f0c688a4649
                  • Opcode Fuzzy Hash: 1448314dcb769d24d2cbdecd9e303a6e1460b895d21235580d62103592c0643e
                  • Instruction Fuzzy Hash: A501B130341F3025D92439792D867BEC2544F867ABFA40A1BFA59A62D2D57D0CC360AE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 123 4254cc-4254ec call 40b380 GetFileAttributesW 126 4254f2-4254f8 123->126 127 425573-42557b GetLastError 123->127 130 4254fa-425503 126->130 131 425508-42550c 126->131 128 42559d-42559f 127->128 129 42557d-425580 127->129 132 4255a3-4255aa 128->132 129->128 135 425582-425587 129->135 130->132 133 42550e-425529 CreateFileW 131->133 134 42553c-425542 131->134 133->132 136 42552b-42553a CloseHandle 133->136 137 425544-425546 134->137 138 425548-425563 CreateFileW 134->138 135->128 139 425589-42558c 135->139 136->132 137->132 140 425565-42556d CloseHandle 138->140 141 42556f-425571 138->141 139->128 142 42558e-425591 139->142 140->132 141->132 142->128 143 425593-425596 142->143 143->128 144 425598-42559b 143->144 144->128 145 4255a1 144->145 145->132
                  C-Code - Quality: 100%
                  			E004254CC(void* __eax, void* __ecx, char __edx) {
                  				signed int _t15;
                  				long _t16;
                  				void* _t18;
                  				void* _t20;
                  				signed int _t22;
                  				signed int _t27;
                  				WCHAR* _t28;
                  				char* _t29;
                  
                  				 *_t29 = __edx;
                  				_t22 = 0;
                  				_t28 = E0040B380(__eax);
                  				_t15 = GetFileAttributesW(_t28); // executed
                  				_t27 = _t15;
                  				if(_t27 == 0xffffffff) {
                  					_t16 = GetLastError();
                  					if(_t16 == 2 || _t16 == 3 || _t16 == 0xa1 || _t16 == 0x7b || _t16 == 0x35 || _t16 == 0x15 || _t16 == 0x43) {
                  						_t22 = 0;
                  					} else {
                  						_t22 = 1;
                  					}
                  				} else {
                  					if((_t27 & 0x00000400) != 0) {
                  						if( *_t29 == 0) {
                  							if((_t27 & 0x00000010) == 0) {
                  								_t18 = CreateFileW(_t28, 0x80000000, 1, 0, 3, 0x2000000, 0);
                  								if(_t18 == 0xffffffff) {
                  									_t22 = 1;
                  								} else {
                  									CloseHandle(_t18);
                  									_t22 = 0;
                  								}
                  							} else {
                  								_t22 = 1;
                  							}
                  						} else {
                  							_t20 = CreateFileW(_t28, 0x80000000, 1, 0, 3, 0x2000000, 0);
                  							if(_t20 != 0xffffffff) {
                  								CloseHandle(_t20);
                  								_t22 = 0 | (_t27 & 0x00000010) != 0x00000000;
                  							}
                  						}
                  					} else {
                  						_t22 = 0 | (_t27 & 0x00000010) != 0x00000000;
                  					}
                  				}
                  				return _t22;
                  			}


                  APIs
                  • GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,00424FE5), ref: 004254E2
                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,?,00424FE5), ref: 00425521
                  • CloseHandle.KERNEL32(00000000,00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,?,00424FE5), ref: 0042552C
                  • GetLastError.KERNEL32(00000000,?,?,?,?,?,00424FE5), ref: 00425573
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$AttributesCloseCreateErrorHandleLast
                  • String ID:
                  • API String ID: 2927643983-0
                  • Opcode ID: a1dba66e7b60cc3260d93af7338a8e1655ed4dd475a979101ef2afe40621a04c
                  • Instruction ID: 4e837c2de8b1cc200a8e7df16cd9454324f5d372f1521be2a256d5ae89dd4cba
                  • Opcode Fuzzy Hash: a1dba66e7b60cc3260d93af7338a8e1655ed4dd475a979101ef2afe40621a04c
                  • Instruction Fuzzy Hash: 60110871B56A3439F93411287C85B7F11064B02728FF9052BFA51F62C9D1BC9DD2609E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 146 40db34-40db76 call 40a7fc * 2 call 40a718 153 40dc30-40dc4a call 40a778 146->153 154 40db7c-40db8c call 40ab40 146->154 159 40db93-40db98 154->159 160 40db8e-40db91 154->160 161 40db9a-40dba3 159->161 162 40dbbf-40dbce call 40d870 159->162 160->159 163 40dba5-40dbb8 call 40b744 161->163 164 40dbba-40dbbd 161->164 169 40dbd0-40dbdd call 40d99c 162->169 170 40dbdf-40dbfc GetUserDefaultUILanguage call 40d220 call 40d99c 162->170 163->162 164->161 164->162 169->153 177 40dc21-40dc24 170->177 178 40dbfe-40dc05 170->178 177->153 180 40dc26-40dc2b call 40da68 177->180 178->177 179 40dc07-40dc1c GetSystemDefaultUILanguage call 40d220 call 40d99c 178->179 179->177 180->153
                  C-Code - Quality: 72%
                  			E0040DB34(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				signed int _t41;
                  				signed short _t43;
                  				signed short _t46;
                  				signed int _t60;
                  				intOrPtr _t68;
                  				void* _t79;
                  				signed int* _t81;
                  				intOrPtr _t84;
                  
                  				_t79 = __edi;
                  				_t61 = __ecx;
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(__ebx);
                  				_push(__esi);
                  				_t81 = __ecx;
                  				_v12 = __edx;
                  				_v8 = __eax;
                  				E0040A7FC(_v8);
                  				E0040A7FC(_v12);
                  				_push(_t84);
                  				_push(0x40dc4b);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t84;
                  				E0040A718(__ecx);
                  				if(_v12 == 0) {
                  					L14:
                  					_pop(_t68);
                  					 *[fs:eax] = _t68;
                  					_push(0x40dc52);
                  					return E0040A778( &_v28, 6);
                  				} else {
                  					E0040AB40( &_v20, _v12);
                  					_t41 = _v12;
                  					if(_t41 != 0) {
                  						_t41 =  *(_t41 - 4);
                  					}
                  					_t60 = _t41;
                  					if(_t60 < 1) {
                  						L7:
                  						_t43 = E0040D870(_v8, _t60, _t61,  &_v16, _t81); // executed
                  						_t90 = _v16;
                  						if(_v16 == 0) {
                  							L00404C20();
                  							E0040D220(_t43, _t60,  &_v24, _t79, _t81);
                  							_t46 = E0040D99C(_v20, _t60, _t81, _v24, _t79, _t81, __eflags); // executed
                  							__eflags =  *_t81;
                  							if( *_t81 == 0) {
                  								__eflags =  *0x689b88;
                  								if( *0x689b88 == 0) {
                  									L00404C28();
                  									E0040D220(_t46, _t60,  &_v28, _t79, _t81);
                  									E0040D99C(_v20, _t60, _t81, _v28, _t79, _t81, __eflags);
                  								}
                  							}
                  							__eflags =  *_t81;
                  							if(__eflags == 0) {
                  								E0040DA68(_v20, _t60, _t81, __eflags); // executed
                  							}
                  						} else {
                  							E0040D99C(_v20, _t60, _t81, _v16, _t79, _t81, _t90);
                  						}
                  						goto L14;
                  					}
                  					while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
                  						_t60 = _t60 - 1;
                  						__eflags = _t60;
                  						if(_t60 != 0) {
                  							continue;
                  						}
                  						goto L7;
                  					}
                  					_t61 = _t60;
                  					E0040B744(_v12, _t60, 1,  &_v20);
                  					goto L7;
                  				}
                  			}

                  APIs
                  • GetUserDefaultUILanguage.KERNEL32(00000000,0040DC4B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040DCD2,00000000,?,00000105), ref: 0040DBDF
                  • GetSystemDefaultUILanguage.KERNEL32(00000000,0040DC4B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040DCD2,00000000,?,00000105), ref: 0040DC07
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Similarity
                  • API ID: DefaultLanguage$SystemUser
                  • String ID:
                  • API String ID: 384301227-0
                  • Opcode ID: e74092cb306d0d38092d11c7365c4e8d281c736b3191b62904a16910a3858c54
                  • Instruction ID: c18f2e73337b50261c1f163dadb7aa843d5b10ad74515ebf44f6885710460fbb
                  • Opcode Fuzzy Hash: e74092cb306d0d38092d11c7365c4e8d281c736b3191b62904a16910a3858c54
                  • Instruction Fuzzy Hash: F2311C70E142099BDB10EBD9C881AAEB7B5EF48304F51447BE400B32D5D7B8AE89DA59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 58%
                  			E0040DC58(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				char _v8;
                  				short _v530;
                  				char _v536;
                  				char _v540;
                  				void* _t44;
                  				intOrPtr _t45;
                  				void* _t49;
                  				void* _t52;
                  
                  				_v536 = 0;
                  				_v540 = 0;
                  				_v8 = 0;
                  				_t49 = __eax;
                  				_push(_t52);
                  				_push(0x40dd12);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t52 + 0xfffffde8;
                  				GetModuleFileNameW(0,  &_v530, 0x105);
                  				E0040B3E8( &_v536, _t49);
                  				_push(_v536);
                  				E0040B424( &_v540, 0x105,  &_v530);
                  				_pop(_t44); // executed
                  				E0040DB34(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
                  				if(_v8 != 0) {
                  					LoadLibraryExW(E0040B380(_v8), 0, 2);
                  				}
                  				_pop(_t45);
                  				 *[fs:eax] = _t45;
                  				_push(0x40dd19);
                  				E0040A778( &_v540, 2);
                  				return E0040A718( &_v8);
                  			}

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040DD12,?,?,00000000), ref: 0040DC94
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040DD12,?,?,00000000), ref: 0040DCE5
                  Similarity
                  • API ID: FileLibraryLoadModuleName
                  • String ID:
                  • API String ID: 1159719554-0
                  • Opcode ID: 213496460697cbf8d288e70c2acfa58e405d7322bfe9bc22397f10bf85799e14
                  • Instruction ID: 2cfbc15814a4ac9e94a1cdf27562f2d95e086eb27899264086880ea2bfaf7be3
                  • Opcode Fuzzy Hash: 213496460697cbf8d288e70c2acfa58e405d7322bfe9bc22397f10bf85799e14
                  • Instruction Fuzzy Hash: B4119474A4421C9BDB10EB54CD96BDD73B8DB44304F5140FAB508B32D1DB789F84CA99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 232 4251c0-4251ee SetFilePointer 233 425200-42520b 232->233 234 4251f0-4251f7 GetLastError 232->234 234->233 235 4251f9 234->235 235->233
                  C-Code - Quality: 100%
                  			E004251C0(void* __eax, long __edx, long _a4, long _a8) {
                  				long _v8;
                  				long _v12;
                  				long _t17;
                  
                  				_v12 = _a4;
                  				_v8 = _a8;
                  				_t17 = SetFilePointer(__eax, _v12,  &_v8, __edx); // executed
                  				_v12 = _t17;
                  				if(_v12 == 0xffffffff && GetLastError() != 0) {
                  					_v8 = 0xffffffff;
                  				}
                  				return _v12;
                  			}

                  APIs
                  • SetFilePointer.KERNEL32(?,?,?), ref: 004251E2
                  • GetLastError.KERNEL32(?,?,?), ref: 004251F0
                  Similarity
                  • API ID: ErrorFileLastPointer
                  • String ID:
                  • API String ID: 2976181284-0
                  • Opcode ID: abb9c1ecbd6ea518064600d9f9d7af0d36e30ea28a101d05fc7acea46715cb83
                  • Instruction ID: bb2c806d549a2eeaecfa1c63b59dec097b1d8edefc32e344fe3b55f61c493ea3
                  • Opcode Fuzzy Hash: abb9c1ecbd6ea518064600d9f9d7af0d36e30ea28a101d05fc7acea46715cb83
                  • Instruction Fuzzy Hash: E1F0BD75905618EF9B10DEA898818DEB7B8EA19331F6042A6E964E32D1E6309F409B64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 43%
                  			E0042C34C(void* __eax, void* __ebx) {
                  				char _v8;
                  				intOrPtr _v12;
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				char _v28;
                  				void* _t27;
                  				void* _t37;
                  				intOrPtr _t43;
                  				void* _t48;
                  				intOrPtr _t55;
                  				intOrPtr _t56;
                  				void* _t58;
                  				void* _t59;
                  				intOrPtr _t60;
                  
                  				_t58 = _t59;
                  				_t60 = _t59 + 0xffffffe8;
                  				_v8 = 0;
                  				_push(_t58);
                  				_push(0x42c422);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t60;
                  				_v12 = 0xffffffff;
                  				E0040AB40( &_v8, __eax);
                  				E0040ACE0( &_v8);
                  				_push( &_v16);
                  				_t27 = E0040B380(_v8);
                  				_push(_t27); // executed
                  				L00413478(); // executed
                  				_t48 = _t27;
                  				if(_t48 == 0) {
                  					_pop(_t55);
                  					 *[fs:eax] = _t55;
                  					_push(0x42c429);
                  					return E0040A718( &_v8);
                  				} else {
                  					_v20 = E00406834(_t48);
                  					_push(_t58);
                  					_push(0x42c405);
                  					_push( *[fs:eax]);
                  					 *[fs:eax] = _t60;
                  					_push(_v20);
                  					_push(_t48);
                  					_push(_v16);
                  					_t37 = E0040B380(_v8);
                  					_push(_t37); // executed
                  					L00413470(); // executed
                  					if(_t37 != 0) {
                  						_push( &_v28);
                  						_push( &_v24);
                  						_push(0x42c434);
                  						_t43 = _v20;
                  						_push(_t43);
                  						L00413480();
                  						if(_t43 != 0) {
                  							_v12 =  *((intOrPtr*)(_v24 + 8));
                  						}
                  					}
                  					_pop(_t56);
                  					 *[fs:eax] = _t56;
                  					_push(0x42c40c);
                  					return E00406850(_v20);
                  				}
                  			}

                  APIs
                  • 73921520.VERSION(?,0042C434,?,?,00000000,?,00000000,?,00000000,0042C405,?,00000000,?,00000000,0042C422), ref: 0042C3DD
                  Similarity
                  • API ID: 73921520
                  • String ID:
                  • API String ID: 715873059-0
                  • Opcode ID: 81e4d7dac4fcd4f1fb70d787ee5df1dac7f6205191e4afde3280369964978199
                  • Instruction ID: a5740829e845918f5bb3a4d35dc93bd0e623fdedf7a132a9f9f73408207d1196
                  • Opcode Fuzzy Hash: 81e4d7dac4fcd4f1fb70d787ee5df1dac7f6205191e4afde3280369964978199
                  • Instruction Fuzzy Hash: F5211271A04608AFDB11EFA5DC928AFB7FCEB487147914476F900E3291E7389E14C669
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 260 413e80-413ec8 call 406d50 CreateWindowExW call 406d40 264 413ecd-413ed4 260->264
                  C-Code - Quality: 100%
                  			E00413E80(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                  				WCHAR* _v8;
                  				void* _t13;
                  				struct HWND__* _t24;
                  				WCHAR* _t29;
                  				long _t32;
                  
                  				_v8 = _t29;
                  				_t32 = __eax;
                  				_t13 = E00406D50();
                  				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                  				E00406D40(_t13);
                  				return _t24;
                  			}

                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413EBF
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 51ba1ca9e90943a70838391f4b34387480b112f257ba27cc32050915d5e6e4d2
                  • Instruction ID: 349025c59ce22e1f741cbbed939ad751266d2e9929ebcf9e304bc97bd12399f1
                  • Opcode Fuzzy Hash: 51ba1ca9e90943a70838391f4b34387480b112f257ba27cc32050915d5e6e4d2
                  • Instruction Fuzzy Hash: 63F092B2700118BF8B80DE9DDC81EDB77ECEB4D2A4B05412AFA0CE7201D634ED108BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 55%
                  			E004088EC(void* __eax, void* __ebx, void* __edx, void* __esi, void* __eflags) {
                  				char _v8;
                  				int _t12;
                  				short* _t14;
                  				int _t16;
                  				short* _t18;
                  				int _t19;
                  				intOrPtr _t31;
                  				void* _t33;
                  				intOrPtr _t36;
                  
                  				_push(0);
                  				_t33 = __edx;
                  				_push(_t36);
                  				_push(0x40895a);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t36;
                  				E00408844(__eax,  &_v8);
                  				_t12 = E0040AC08(_t33);
                  				_t14 = E0040B380(_t33);
                  				_t16 = E0040AC08(_v8);
                  				_t18 = E0040B380(_v8);
                  				_t19 =  *0x687908; // 0x7f
                  				CompareStringW(_t19, 1, _t18, _t16, _t14, _t12); // executed
                  				_pop(_t31);
                  				 *[fs:eax] = _t31;
                  				_push(0x408961);
                  				return E0040A718( &_v8);
                  			}

                  APIs
                  • CompareStringW.KERNEL32(0000007F,00000001,00000000,00000000,00000000,00000000,00000000,0040895A,?,?,?,00000000), ref: 00408939
                  Similarity
                  • API ID: CompareString
                  • String ID:
                  • API String ID: 1825529933-0
                  • Opcode ID: 89a5aefb4fd35858c23083169e63016df0a8001bc93b2b123ed165efc7cf0f5a
                  • Instruction ID: 2d22b72271c734ea8710c737695e30e976104ad8791c623da53e804acfb0126c
                  • Opcode Fuzzy Hash: 89a5aefb4fd35858c23083169e63016df0a8001bc93b2b123ed165efc7cf0f5a
                  • Instruction Fuzzy Hash: 87F06271304704BFE701F66A8D43E5D76ECDB48704B62447AF904F3291DA78AE14865E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 278 423dbc-423dc8 279 423dca-423dcd 278->279 280 423dcf-423dd3 278->280 279->280 281 423dd5-423dd8 280->281 282 423dda-423dff call 40b380 * 2 CompareStringW 280->282 281->282
                  C-Code - Quality: 100%
                  			E00423DBC(int __eax, int __edx) {
                  				short* _t3;
                  				int _t6;
                  				int _t11;
                  				int _t12;
                  				int _t14;
                  
                  				_t14 = __edx;
                  				_t11 = __eax;
                  				_t8 = __eax;
                  				if(__eax != 0) {
                  					_t8 =  *(__eax - 4);
                  				}
                  				_t12 = _t14;
                  				if(_t12 != 0) {
                  					_t12 =  *(_t12 - 4);
                  				}
                  				_t3 = E0040B380(_t14);
                  				_t6 = CompareStringW(0x400, 1, E0040B380(_t11), _t8, _t3, _t12); // executed
                  				return _t6 - 2;
                  			}

                  APIs
                  • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,?,?,?,?,00424C4B), ref: 00423DF3
                  Similarity
                  • API ID: CompareString
                  • String ID:
                  • API String ID: 1825529933-0
                  • Opcode ID: 4973748dbeffe4ac4b460bfd374ec3278f22ea436078ebad660e16145b6aa0a0
                  • Instruction ID: 83e73f30916c350865cb2a936a449f07260c3a29411926320ccf17e18e4f05d0
                  • Opcode Fuzzy Hash: 4973748dbeffe4ac4b460bfd374ec3278f22ea436078ebad660e16145b6aa0a0
                  • Instruction Fuzzy Hash: 54E0D8B371132927E62068AE1CC1F67765CCF84765F050236FE44F7345C6596C0542BC
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 287 425150-425174 ReadFile 288 425176 287->288 289 42517d-425185 287->289 288->289
                  C-Code - Quality: 100%
                  			E00425150(void* __eax, intOrPtr* __edx, long _a4) {
                  				long _v8;
                  				int _t10;
                  				void* _t13;
                  
                  				_t10 = ReadFile(__eax,  *__edx + _t13, _a4,  &_v8, 0); // executed
                  				if(_t10 == 0) {
                  					_v8 = 0xffffffff;
                  				}
                  				return _v8;
                  			}

                  APIs
                  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0042516D
                  Similarity
                  • API ID: FileRead
                  • String ID:
                  • API String ID: 2738559852-0
                  • Opcode ID: f9251da39c9182008609b86c96d7486dd20af9a529111d354c0d9581c14ced71
                  • Instruction ID: fbb3cd61f7bc0c5c5e8aec81113becb54241949fb11951e63f6534cd0afa4231
                  • Opcode Fuzzy Hash: f9251da39c9182008609b86c96d7486dd20af9a529111d354c0d9581c14ced71
                  • Instruction Fuzzy Hash: 36E01272604208BFD710DA9EDC81EABB7ECDB44270B100166B514C7280E6709E008764
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00425188(void* __eax, void* __edx, long _a4) {
                  				long _v8;
                  				int _t10;
                  				void* _t13;
                  
                  				_t10 = WriteFile(__eax, __edx + _t13, _a4,  &_v8, 0); // executed
                  				if(_t10 == 0) {
                  					_v8 = 0xffffffff;
                  				}
                  				return _v8;
			}

                  APIs
                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004251A4
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: ed5b6c34849ba78b1f3c77a3e88ffa19f98c44064bc4e99bcc92624fdd6a6f38
                  • Instruction ID: 228103375d4071c8011cc7ad43536b06a7d8fcf9d57ef3ec6e2ca4d2678a34bb
                  • Opcode Fuzzy Hash: ed5b6c34849ba78b1f3c77a3e88ffa19f98c44064bc4e99bcc92624fdd6a6f38
                  • Instruction Fuzzy Hash: F8E048B2604208BFA710D99DDC81EEBB7ECDB55275F10422BF914C7240E670AE0087B4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040C9E0(void* __eax) {
                  				short _v532;
                  				void* __ebx;
                  				void* __esi;
                  				intOrPtr _t14;
                  				void* _t16;
                  				void* _t18;
                  				void* _t19;
                  				intOrPtr _t20;
                  				void* _t21;
                  
                  				_t16 = __eax;
                  				_t22 =  *((intOrPtr*)(__eax + 0x10));
                  				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                  					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
                  					_t14 = E0040DC58(_t21, _t16, _t18, _t19, _t22); // executed
                  					_t20 = _t14;
                  					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
                  					if(_t20 == 0) {
                  						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                  					}
                  				}
                  				return  *((intOrPtr*)(_t16 + 0x10));
			}

                  APIs
                  • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040C9FE
                    • Part of subcall function 0040DC58: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040DD12,?,?,00000000), ref: 0040DC94
                    • Part of subcall function 0040DC58: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040DD12,?,?,00000000), ref: 0040DCE5
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileModuleName$LibraryLoad
                  • String ID:
                  • API String ID: 4113206344-0
                  • Opcode ID: 2a1437fd3b0cfbe6f140459e77695fe2764c052643d02593257b3e54be71f45c
                  • Instruction ID: 717395759cd34bba6161ee8f08917d09733aedd62425c5334a1bcdd867ab1206
                  • Opcode Fuzzy Hash: 2a1437fd3b0cfbe6f140459e77695fe2764c052643d02593257b3e54be71f45c
                  • Instruction Fuzzy Hash: 6FE0C9B1A003149BDB10DF58D8C5A4637A4AB48754F044A66ED28EF386D375D9148BE5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E0040D364(short* __eax, intOrPtr __edx) {
                  				short* _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				void* _v20;
                  				struct _WIN32_FIND_DATAW _v612;
                  				short _v1134;
                  				signed int _t50;
                  				signed int _t51;
                  				void* _t55;
                  				signed int _t88;
                  				signed int _t89;
                  				intOrPtr* _t90;
                  				signed int _t101;
                  				signed int _t102;
                  				short* _t112;
                  				struct HINSTANCE__* _t113;
                  				short* _t115;
                  				short* _t116;
                  				void* _t117;
                  
                  				_v12 = __edx;
                  				_v8 = __eax;
                  				_v16 = _v8;
                  				_t113 = GetModuleHandleW(L"kernel32.dll");
                  				if(_t113 == 0) {
                  					L4:
                  					if( *_v8 != 0x5c) {
                  						_t115 = _v8 + 4;
                  						goto L10;
                  					} else {
                  						if( *((short*)(_v8 + 2)) == 0x5c) {
                  							_t116 = E0040D340(_v8 + 4);
                  							if( *_t116 != 0) {
                  								_t14 = _t116 + 2; // 0x2
                  								_t115 = E0040D340(_t14);
                  								if( *_t115 != 0) {
                  									L10:
                  									_t88 = _t115 - _v8;
                  									_t89 = _t88 >> 1;
                  									if(_t88 < 0) {
                  										asm("adc ebx, 0x0");
                  									}
                  									_t43 = _t89 + 1;
                  									if(_t89 + 1 <= 0x105) {
                  										E0040CD88( &_v1134, _v8, _t43);
                  										while( *_t115 != 0) {
                  											_t112 = E0040D340(_t115 + 2);
                  											_t50 = _t112 - _t115;
                  											_t51 = _t50 >> 1;
                  											if(_t50 < 0) {
                  												asm("adc eax, 0x0");
                  											}
                  											if(_t51 + _t89 + 1 <= 0x105) {
                  												_t55 =  &_v1134 + _t89 + _t89;
                  												_t101 = _t112 - _t115;
                  												_t102 = _t101 >> 1;
                  												if(_t101 < 0) {
                  													asm("adc edx, 0x0");
                  												}
                  												E0040CD88(_t55, _t115, _t102 + 1);
                  												_v20 = FindFirstFileW( &_v1134,  &_v612);
                  												if(_v20 != 0xffffffff) {
                  													FindClose(_v20);
                  													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
                  														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
                  														E0040CD88( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
                  														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
                  														_t115 = _t112;
                  														continue;
                  													}
                  												}
                  											}
                  											goto L24;
                  										}
                  										E0040CD88(_v8,  &_v1134, _v12);
                  									}
                  								}
                  							}
                  						}
                  					}
                  				} else {
                  					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
                  					if(_t90 == 0) {
                  						goto L4;
                  					} else {
                  						_push(0x105);
                  						_push( &_v1134);
                  						_push(_v8);
                  						if( *_t90() == 0) {
                  							goto L4;
                  						} else {
                  							E0040CD88(_v8,  &_v1134, _v12);
                  						}
                  					}
                  				}
                  				L24:
                  				return _v16;
			}

                  APIs
                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 0040D381
                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040D392
                  • FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?), ref: 0040D492
                  • FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 0040D4A4
                  • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?), ref: 0040D4B0
                  • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?), ref: 0040D4F5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                  • String ID: GetLongPathNameW$\$kernel32.dll
                  • API String ID: 1930782624-3908791685
                  • Opcode ID: aa73196b691b64845caa74e802f6af5cc919a6854eaeddd049b69f814319ce9c
                  • Instruction ID: 4164ea6252582b84054df0056f786c5cfb874f2d32f5f47f335710cc0d1098bb
                  • Opcode Fuzzy Hash: aa73196b691b64845caa74e802f6af5cc919a6854eaeddd049b69f814319ce9c
                  • Instruction Fuzzy Hash: CC418075E006189BCB10EFE4CC85ADEB3B5AF84314F1445B69904F32C5E77CAE4A8A49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E0040CF08(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                  				intOrPtr* _v8;
                  				intOrPtr _v12;
                  				short _v182;
                  				short _v352;
                  				char _v356;
                  				char _v360;
                  				char _v364;
                  				int _t58;
                  				signed int _t61;
                  				intOrPtr _t70;
                  				signed short _t80;
                  				void* _t83;
                  				void* _t85;
                  				void* _t86;
                  
                  				_t77 = __edi;
                  				_push(__edi);
                  				_v356 = 0;
                  				_v360 = 0;
                  				_v364 = 0;
                  				_v8 = __edx;
                  				_t80 = __eax;
                  				_push(_t83);
                  				_push(0x40d06d);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t83 + 0xfffffe98;
                  				E0040A718(_v8);
                  				_t85 = _t80 -  *0x67da28; // 0x404
                  				if(_t85 >= 0) {
                  					_t86 = _t80 -  *0x67dc28; // 0x7c68
                  					if(_t86 <= 0) {
                  						_t77 = 0x40;
                  						_v12 = 0;
                  						if(0x40 >= _v12) {
                  							do {
                  								_t61 = _t77 + _v12 >> 1;
                  								if(_t80 >=  *((intOrPtr*)(0x67da28 + _t61 * 8))) {
                  									__eflags = _t80 -  *((intOrPtr*)(0x67da28 + _t61 * 8));
                  									if(__eflags <= 0) {
                  										E0040CE28( *((intOrPtr*)(0x67da2c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
                  									} else {
                  										_v12 = _t61 + 1;
                  										goto L8;
                  									}
                  								} else {
                  									_t77 = _t61 - 1;
                  									goto L8;
                  								}
                  								goto L9;
                  								L8:
                  							} while (_t77 >= _v12);
                  						}
                  					}
                  				}
                  				L9:
                  				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
                  					_t58 = _t80 & 0x0000ffff;
                  					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
                  					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
                  					E0040B424( &_v356, 0x55,  &_v182);
                  					_push(_v356);
                  					_push(0x40d088);
                  					E0040B424( &_v360, 0x55,  &_v352);
                  					_push(_v360);
                  					_push(0x40d098);
                  					E0040B424( &_v364, 0x55,  &_v182);
                  					_push(_v364);
                  					E0040B65C(_v8, _t58, 5, _t77, _t80);
                  				}
                  				_pop(_t70);
                  				 *[fs:eax] = _t70;
                  				_push(0x40d074);
                  				return E0040A778( &_v364, 3);
			}

                  APIs
                  • IsValidLocale.KERNEL32(?,00000002,00000000,0040D06D,?,?,?,00000000), ref: 0040CFB2
                  • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040D06D,?,?,?,00000000), ref: 0040CFCE
                  • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040D06D,?,?,?,00000000), ref: 0040CFDF
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Locale$Info$Valid
                  • String ID:
                  • API String ID: 1826331170-0
                  • Opcode ID: 03fbbf5c81af2b512aa59f9691c0d37fa3af0398e4489c77a2f9f16d63ef75af
                  • Instruction ID: 8df6f1b4eecc1afedefd7fab92682c13e9ecd4e9c8d10764207b1011bb8b55b8
                  • Opcode Fuzzy Hash: 03fbbf5c81af2b512aa59f9691c0d37fa3af0398e4489c77a2f9f16d63ef75af
                  • Instruction Fuzzy Hash: FA31E270900608DBDB20DB61DC81B9FB7B6EB88704F5005BBB108B32D1C7385E85CE5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E00423160(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				short _v540;
                  				short _v1064;
                  				char _v1068;
                  				char _v1072;
                  				char _t41;
                  				WCHAR* _t52;
                  				void* _t60;
                  				intOrPtr _t62;
                  				intOrPtr _t70;
                  				intOrPtr _t75;
                  				void* _t78;
                  
                  				_v1068 = 0;
                  				_v1072 = 0;
                  				_v8 = 0;
                  				_v16 = __edx;
                  				_v12 = __eax;
                  				_push(_t78);
                  				_push(0x42328e);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t78 + 0xfffffbd4;
                  				if(GetLogicalDriveStringsW(0x104,  &_v540) > 0) {
                  					_t52 =  &_v540;
                  					do {
                  						_t52[2] = 0;
                  						if(QueryDosDeviceW(_t52,  &_v1064, 0x104) <= 0) {
                  							goto L10;
                  						} else {
                  							E0040B424( &_v8, 0x106,  &_v1064);
                  							if(E0040B954(_v8, 1, _v12) <= 0) {
                  								while(1) {
                  									L10:
                  									__eflags =  *_t52;
                  									if( *_t52 == 0) {
                  										goto L11;
                  									}
                  									_t52 =  &(_t52[1]);
                  									__eflags = _t52;
                  								}
                  								goto L11;
                  							} else {
                  								_t41 = _v8;
                  								if(_t41 != 0) {
                  									_t41 =  *((intOrPtr*)(_t41 - 4));
                  								}
                  								_t75 = _t41;
                  								_t70 = _v12;
                  								if(_t70 != 0) {
                  									_t70 =  *((intOrPtr*)(_t70 - 4));
                  								}
                  								E0040B744(_v12, _t70 - _t75, _t75 + 1,  &_v1068);
                  								_push(_v1068);
                  								E0040B3E8( &_v1072, _t52);
                  								_pop(_t60);
                  								E0040B5D4(_v16, _t60, _v1072);
                  							}
                  						}
                  						goto L14;
                  						L11:
                  						_t52 =  &(_t52[2]);
                  						__eflags = _t52;
                  						if(__eflags != 0) {
                  							__eflags =  *_t52;
                  						}
                  					} while (__eflags != 0);
                  				}
                  				L14:
                  				_pop(_t62);
                  				 *[fs:eax] = _t62;
                  				_push(0x423295);
                  				E0040A778( &_v1072, 2);
                  				return E0040A718( &_v8);
			}

                  APIs
                  • GetLogicalDriveStringsW.KERNEL32(00000104,?,00000000,0042328E), ref: 0042319D
                  • QueryDosDeviceW.KERNEL32(?,?,00000104,00000104,?,00000000,0042328E), ref: 004231C7
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeviceDriveLogicalQueryStrings
                  • String ID:
                  • API String ID: 3173366581-0
                  • Opcode ID: 131661e21df3485e30bd9f3568f8a4cd7533457c878897878c04d7f1780b1f01
                  • Instruction ID: b9ad7ed4f1d0f27c2f78b0f3137fefd1370e4fd8192277fae5845e5c337bcb12
                  • Opcode Fuzzy Hash: 131661e21df3485e30bd9f3568f8a4cd7533457c878897878c04d7f1780b1f01
                  • Instruction Fuzzy Hash: 1E314371B002289BDB20DF55D981A9EB7F9EF48314F9141EAE905A7341D738EF448F58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00425210(WCHAR* _a4, intOrPtr _a12) {
                  				struct _WIN32_FIND_DATAW _v596;
                  				void* _t8;
                  
                  				_t8 = FindFirstFileW(_a4,  &_v596);
                  				if(_t8 == 0xffffffff) {
                  					L3:
                  					return 0;
                  				}
                  				FindClose(_t8);
                  				if(_a12 == 0) {
                  					goto L3;
                  				}
                  				return E00406A30( &_v596, 0x24, _a12) | 0xffffffff;
			}

                  APIs
                  • FindFirstFileW.KERNEL32(?,?), ref: 00425224
                  • FindClose.KERNEL32(00000000,?,?), ref: 0042522F
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFileFirst
                  • String ID:
                  • API String ID: 2295610775-0
                  • Opcode ID: 91e93da055edba3175ad7dabd13abe8347d46fc6ade8021a07946bfbf48063dd
                  • Instruction ID: e57bae0b37cabec9f1079330eb7b30d4c29fc8dfd8ec8694d80ce04483bbbb64
                  • Opcode Fuzzy Hash: 91e93da055edba3175ad7dabd13abe8347d46fc6ade8021a07946bfbf48063dd
                  • Instruction Fuzzy Hash: 4FE09B3090051887CB14DEB88C89ADB739C7B44365F5007677928D32D0E738D9548AA9
                  Uniqueness
                  • Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004253F4(void* __eax) {
                  				struct _WIN32_FIND_DATAW _v596;
                  				void* _t11;
                  
                  				_t11 = FindFirstFileW(E0040B380(__eax),  &_v596);
                  				if(_t11 == 0xffffffff) {
                  					return 0;
                  				}
                  				return FindClose(_t11) & 0xffffff00 | (_v596.dwFileAttributes & 0x00000010) == 0x00000000;
                  			}

                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?,00000000,?,004254BB,00000000,?,?,?,00423606), ref: 0042540F
                  • FindClose.KERNEL32(00000000,00000000,?,00000000,?,004254BB,00000000,?,?,?,00423606), ref: 0042541A
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFileFirst
                  • String ID:
                  • API String ID: 2295610775-0
                  • Opcode ID: ee5ec9b659aabf8b41bc017f9a5aa6a2dc14afa16cdab37f5cc88d73e6f72f1f
                  • Instruction ID: 8304e70fc4aa1f983869526325aa6c29f8fc1296afbb84392ad212f6d35eb559
                  • Opcode Fuzzy Hash: ee5ec9b659aabf8b41bc017f9a5aa6a2dc14afa16cdab37f5cc88d73e6f72f1f
                  • Instruction Fuzzy Hash: 04E0CD7160471C12CB10B5F92CC979BB7CC5B08325F540BA77D5CD11D2FA7C9695019D
                  Uniqueness
                  • Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00425F78(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                  				long _v8;
                  				long _v12;
                  				long _v16;
                  				long _v20;
                  				intOrPtr _v24;
                  				signed int _v28;
                  				WCHAR* _t25;
                  				int _t26;
                  				intOrPtr _t31;
                  				intOrPtr _t34;
                  				intOrPtr* _t37;
                  				intOrPtr* _t38;
                  				intOrPtr _t46;
                  				intOrPtr _t48;
                  
                  				_t25 = _a4;
                  				if(_t25 == 0) {
                  					_t25 = 0;
                  				}
                  				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                  				_v28 = _v8 * _v12;
                  				_v24 = 0;
                  				_t46 = _v24;
                  				_t31 = E0040C1E8(_v28, _t46, _v16, 0);
                  				_t37 = _a8;
                  				 *_t37 = _t31;
                  				 *((intOrPtr*)(_t37 + 4)) = _t46;
                  				_t48 = _v24;
                  				_t34 = E0040C1E8(_v28, _t48, _v20, 0);
                  				_t38 = _a12;
                  				 *_t38 = _t34;
                  				 *((intOrPtr*)(_t38 + 4)) = _t48;
                  				return _t26;
                  			}

                  APIs
                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 00425F99
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: DiskFreeSpace
                  • String ID:
                  • API String ID: 1705453755-0
                  • Opcode ID: c991f92446d57b28b587bd5581a3550e79b97b2b22bd6d3b4b9bb5f41d6c04a8
                  • Instruction ID: 90b3a908c2a72becd4fc13425484a55247665fede4bef255f4c91d700f7c6541
                  • Opcode Fuzzy Hash: c991f92446d57b28b587bd5581a3550e79b97b2b22bd6d3b4b9bb5f41d6c04a8
                  • Instruction Fuzzy Hash: BE1100B5A00209AFDB00CF99C8819AFB7F9EFC8304B54C569A504EB255E6319A018B90
                  Uniqueness
                  • Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00429DA4(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                  				short _v516;
                  				void* __ebp;
                  				int _t5;
                  				intOrPtr _t10;
                  				void* _t18;
                  
                  				_t18 = __ecx;
                  				_t10 = _a4;
                  				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
                  				_t19 = _t5;
                  				if(_t5 <= 0) {
                  					return E0040AAF8(_t10, _t18);
                  				}
                  				return E0040A8A0(_t10, _t5 - 1,  &_v516, _t19);
                  			}

                  APIs
                  • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00429DC2
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID:
                  • API String ID: 2299586839-0
                  • Opcode ID: a892d50e36fed68bcc7cf2f74b628bd8c4f23cdbe3f1fc3f0de09099f4ac6ee6
                  • Instruction ID: 6876b0a2e3c9bc8ac3370cd06db23040b3bb004097cbc50f421c82ca6264d8fa
                  • Opcode Fuzzy Hash: a892d50e36fed68bcc7cf2f74b628bd8c4f23cdbe3f1fc3f0de09099f4ac6ee6
                  • Instruction Fuzzy Hash: 5EE0D83271031817E714A5695C869F7B25C9B48740F80417FB915D7383EDB89E5087E9
                  Uniqueness
                  • Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E0042D9C8(void* __edx) {
                  				intOrPtr _t2;
                  				intOrPtr _t7;
                  				void* _t11;
                  				intOrPtr _t13;
                  				void* _t14;
                  				void* _t15;
                  
                  				_t11 = __edx;
                  				if(__edx != 0) {
                  					_t15 = _t15 + 0xfffffff0;
                  					_t2 = E004090A0(_t2, _t14);
                  				}
                  				_t13 = _t2;
                  				E00408A6C(0);
                  				 *((intOrPtr*)(E0040F49C() + 8)) = _t13;
                  				EnumSystemLocalesW(E0042D770, 2);
                  				_t7 = _t13;
                  				if(_t11 != 0) {
                  					E004090F8(_t7);
                  					_pop( *[fs:0x0]);
                  				}
                  				return _t13;
                  			}

                  APIs
                  • EnumSystemLocalesW.KERNEL32(0042D770,00000002,?,?,0042DD49,0042A2B9,?,00000000,0042A2FA,?,?,?,00000000,00000000), ref: 0042D9F5
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: EnumLocalesSystem
                  • String ID:
                  • API String ID: 2099609381-0
                  • Opcode ID: 7cbca02de1fa3faa9d02e5def664cbca7e2a43d223a96db21f1e5776a8288376
                  • Instruction ID: a5379af288201388453f4d0ab9649a589faa75a4361b48965a85e746a135c9fb
                  • Opcode Fuzzy Hash: 7cbca02de1fa3faa9d02e5def664cbca7e2a43d223a96db21f1e5776a8288376
                  • Instruction Fuzzy Hash: 0BE02652B4056047C220F7AA1C83B863A404F80FE9F488037F984DB7CBDD2E0D0402EE
                  Uniqueness
                  • Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E00429DF0(int __eax, signed int __ecx, int __edx) {
                  				short _v16;
                  				signed int _t5;
                  				signed int _t10;
                  
                  				_push(__ecx);
                  				_t10 = __ecx;
                  				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
                  					_t5 = _t10;
                  				} else {
                  					_t5 = _v16 & 0x0000ffff;
                  				}
                  				return _t5;
                  			}

                  APIs
                  • GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,00429EF2,?,00000001,00000000,0042A101), ref: 00429E03
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID:
                  • API String ID: 2299586839-0
                  • Opcode ID: f026d3dbb3199a2a09b1e892f686b829d28c47e54b68215d665cb22e1b367fb2
                  • Instruction ID: bfb79f9190895894fd00edef25f8a77a8914ed1577bcaa8d71487657350c1056
                  • Opcode Fuzzy Hash: f026d3dbb3199a2a09b1e892f686b829d28c47e54b68215d665cb22e1b367fb2
                  • Instruction Fuzzy Hash: 26D05EB630922036E210915B6D45DB756DCCBC4B62F11443BBA48C7242E614CC059275
                  Uniqueness
                  • Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E00428158(long long __fp0) {
                  				long long _v8;
                  				struct _SYSTEMTIME _v24;
                  				void* _t16;
                  				long long* _t21;
                  				void* _t22;
                  				long long _t23;
                  
                  				_t23 = __fp0;
                  				GetLocalTime( &_v24);
                  				E00427F68(_v24.wYear & 0x0000ffff, _v24.wDay & 0x0000ffff, _v24.wMonth & 0x0000ffff, _t22, __fp0);
                  				_v8 = _t23;
                  				asm("wait");
                  				_t16 = E00427DC4(_v24.wHour & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMinute & 0x0000ffff, _t22, _t23, _v24.wMilliseconds & 0x0000ffff);
                  				 *_t21 = _t23 + _v24.wSecond;
                  				asm("wait");
                  				return _t16;
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime
                  • String ID:
                  • API String ID: 481472006-0
                  • Opcode ID: 3078f7730de2d9ade3f8d8bc4da5cffa7c52bffb446ce4264f16f5ca76316ad3
                  • Instruction ID: 160a78dc1050ea7fb726946d540897a37921f1dc480b93e97303c38c356734fd
                  • Opcode Fuzzy Hash: 3078f7730de2d9ade3f8d8bc4da5cffa7c52bffb446ce4264f16f5ca76316ad3
                  • Instruction Fuzzy Hash: 5BE0596040D631A1C344AF56D84147EFBE5AED5B42F808C5EF8D4401D1EB39C5E8D767
                  Uniqueness
                  • Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042D78C(int __eax, void* __ecx, int __edx) {
                  				short _v2052;
                  				void* _t6;
                  				void* _t12;
                  
                  				_t6 = __ecx;
                  				_v2052 = 0;
                  				GetLocaleInfoW(__eax, __edx,  &_v2052, 0x400);
                  				return E0040B424(_t6, 0x400, _t12);
                  			}

                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000400,?,0042D842,?,00000000,0042D98F), ref: 0042D7A7
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID:
                  • API String ID: 2299586839-0
                  • Opcode ID: 232b5520c78cde5751ed0b7c6d045a774ca323a147d222e9a79824ebba566220
                  • Instruction ID: 7d4acfb0af4bbe189dfd62b735837b02fee718e9f8e44887da7710281d766ead
                  • Opcode Fuzzy Hash: 232b5520c78cde5751ed0b7c6d045a774ca323a147d222e9a79824ebba566220
                  • Instruction Fuzzy Hash: B5D0A7E1B1420023E30417548C43B763188DB84704F50403C7784973C2EF7C5D4552AE
                  Uniqueness
                  • Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0043E304(signed int* __eax, intOrPtr __ecx, signed int __edx) {
                  				signed int* _v8;
                  				signed int* _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				unsigned int* _t96;
                  				unsigned int* _t106;
                  				signed int* _t108;
                  				signed int _t109;
                  
                  				_t109 = __edx;
                  				_v16 = __ecx;
                  				_v12 = __eax;
                  				_t106 =  &_v24;
                  				_t108 =  &_v28;
                  				_t96 =  &_v20;
                  				 *_t96 = __edx + __edx + __edx + __edx + 0xdeadbeef + _v16;
                  				 *_t106 =  *_t96;
                  				 *_t108 =  *_t96;
                  				_v8 = _v12;
                  				if((_v8 & 0x00000003) != 0) {
                  					if(__edx <= 0xc) {
                  						L20:
                  						if(_t109 > 0xc) {
                  							L23:
                  							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x18);
                  							L24:
                  							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x10);
                  							L25:
                  							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 8);
                  							L26:
                  							 *_t108 =  *_t108 + (_v8[2] & 0x000000ff);
                  							L27:
                  							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x18);
                  							L28:
                  							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x10);
                  							L29:
                  							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 8);
                  							L30:
                  							 *_t106 =  *_t106 + (_v8[1] & 0x000000ff);
                  							L31:
                  							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x18);
                  							L32:
                  							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x10);
                  							L33:
                  							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 8);
                  							L34:
                  							 *_t96 =  *_t96 + ( *_v8 & 0x000000ff);
                  							L35:
                  							 *_t108 =  *_t108 ^  *_t106;
                  							 *_t108 =  *_t108 - ( *_t106 << 0x0000000e |  *_t106 >> 0x00000012);
                  							 *_t96 =  *_t96 ^  *_t108;
                  							 *_t96 =  *_t96 - ( *_t108 << 0x0000000b |  *_t108 >> 0x00000015);
                  							 *_t106 =  *_t106 ^  *_t96;
                  							 *_t106 =  *_t106 - ( *_t96 << 0x00000019 |  *_t96 >> 0x00000007);
                  							 *_t108 =  *_t108 ^  *_t106;
                  							 *_t108 =  *_t108 - ( *_t106 << 0x00000010 |  *_t106 >> 0x00000010);
                  							 *_t96 =  *_t96 ^  *_t108;
                  							 *_t96 =  *_t96 - ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                  							 *_t106 =  *_t106 ^  *_t96;
                  							 *_t106 =  *_t106 - ( *_t96 << 0x0000000e |  *_t96 >> 0x00000012);
                  							 *_t108 =  *_t108 ^  *_t106;
                  							 *_t108 =  *_t108 - ( *_t106 << 0x00000018 |  *_t106 >> 0x00000008);
                  							return  *_t108;
                  						}
                  						switch( *((intOrPtr*)(_t109 * 4 +  &M0043E675))) {
                  							case 0:
                  								return  *_t108;
                  							case 1:
                  								goto L34;
                  							case 2:
                  								goto L33;
                  							case 3:
                  								goto L32;
                  							case 4:
                  								goto L31;
                  							case 5:
                  								goto L30;
                  							case 6:
                  								goto L29;
                  							case 7:
                  								goto L28;
                  							case 8:
                  								goto L27;
                  							case 9:
                  								goto L26;
                  							case 0xa:
                  								goto L25;
                  							case 0xb:
                  								goto L24;
                  							case 0xc:
                  								goto L23;
                  						}
                  					} else {
                  						goto L19;
                  					}
                  					do {
                  						L19:
                  						 *_t96 =  *_t96 + ( *_v8 & 0x000000ff) + ((_v8[0] & 0x000000ff) << 8) + ((_v8[0] & 0x000000ff) << 0x10) + ((_v8[0] & 0x000000ff) << 0x18);
                  						 *_t106 =  *_t106 + (_v8[1] & 0x000000ff) + ((_v8[1] & 0x000000ff) << 8) + ((_v8[1] & 0x000000ff) << 0x10) + ((_v8[1] & 0x000000ff) << 0x18);
                  						 *_t108 =  *_t108 + (_v8[2] & 0x000000ff) + ((_v8[2] & 0x000000ff) << 8) + ((_v8[2] & 0x000000ff) << 0x10) + ((_v8[2] & 0x000000ff) << 0x18);
                  						 *_t96 =  *_t96 -  *_t108;
                  						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                  						 *_t108 =  *_t108 +  *_t106;
                  						 *_t106 =  *_t106 -  *_t96;
                  						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                  						 *_t96 =  *_t96 +  *_t108;
                  						 *_t108 =  *_t108 -  *_t106;
                  						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                  						 *_t106 =  *_t106 +  *_t96;
                  						 *_t96 =  *_t96 -  *_t108;
                  						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                  						 *_t108 =  *_t108 +  *_t106;
                  						 *_t106 =  *_t106 -  *_t96;
                  						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                  						 *_t96 =  *_t96 +  *_t108;
                  						 *_t108 =  *_t108 -  *_t106;
                  						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                  						 *_t106 =  *_t106 +  *_t96;
                  						_t109 = _t109 - 0xc;
                  						_v8 =  &(_v8[3]);
                  					} while (_t109 > 0xc);
                  					goto L20;
                  				}
                  				if(__edx <= 0xc) {
                  					L3:
                  					if(_t109 > 0xc) {
                  						goto L35;
                  					}
                  					switch( *((intOrPtr*)(_t109 * 4 +  &M0043E409))) {
                  						case 0:
                  							return  *_t108;
                  						case 1:
                  							_v8 =  *_v8;
                  							__edx =  *_v8 & 0x000000ff;
                  							 *__eax =  *__eax + ( *_v8 & 0x000000ff);
                  							goto L35;
                  						case 2:
                  							_v8 =  *_v8;
                  							__edx =  *_v8 & 0x0000ffff;
                  							 *__eax =  *__eax + ( *_v8 & 0x0000ffff);
                  							goto L35;
                  						case 3:
                  							_v8 =  *_v8;
                  							__edx =  *_v8 & 0x00ffffff;
                  							 *__eax =  *__eax + ( *_v8 & 0x00ffffff);
                  							goto L35;
                  						case 4:
                  							_v8 =  *_v8;
                  							 *__eax =  *__eax +  *_v8;
                  							goto L35;
                  						case 5:
                  							__edx = _v8;
                  							 *__eax =  *__eax +  *__edx;
                  							__edx =  *(__edx + 4);
                  							 *__ebx =  *__ebx + __edx;
                  							goto L35;
                  						case 6:
                  							__edx = _v8;
                  							 *__eax =  *__eax +  *__edx;
                  							__edx =  *(__edx + 4);
                  							 *__ebx =  *__ebx + __edx;
                  							goto L35;
                  						case 7:
                  							__edx = _v8;
                  							 *__eax =  *__eax +  *__edx;
                  							__edx =  *(__edx + 4);
                  							 *__ebx =  *__ebx + __edx;
                  							goto L35;
                  						case 8:
                  							__edx = _v8;
                  							 *__eax =  *__eax +  *__edx;
                  							 *__ebx =  *__ebx + __edx;
                  							goto L35;
                  						case 9:
                  							__edx = _v8;
                  							 *__eax =  *__eax +  *__edx;
                  							 *__ebx =  *__ebx +  *(__edx + 4);
                  							__edx =  *(__edx + 8);
                  							 *__ecx =  *__ecx + __edx;
                  							goto L35;
                  						case 0xa:
                  							__edx = _v8;
                  							 *__eax =  *__eax +  *__edx;
                  							 *__ebx =  *__ebx +  *(__edx + 4);
                  							__edx =  *(__edx + 8);
                  							 *__ecx =  *__ecx + __edx;
                  							goto L35;
                  						case 0xb:
                  							__edx = _v8;
                  							 *__eax =  *__eax +  *__edx;
                  							 *__ebx =  *__ebx +  *(__edx + 4);
                  							__edx =  *(__edx + 8);
                  							 *__ecx =  *__ecx + __edx;
                  							goto L35;
                  						case 0xc:
                  							__edx = _v8;
                  							 *__eax =  *__eax +  *__edx;
                  							 *__ebx =  *__ebx +  *(__edx + 4);
                  							 *__ecx =  *__ecx + __edx;
                  							goto L35;
                  					}
                  				} else {
                  					goto L2;
                  				}
                  				do {
                  					L2:
                  					 *_t96 =  *_t96 +  *_v8;
                  					 *_t106 =  *_t106 + _v8[1];
                  					 *_t108 =  *_t108 + _v8[2];
                  					 *_t96 =  *_t96 -  *_t108;
                  					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                  					 *_t108 =  *_t108 +  *_t106;
                  					 *_t106 =  *_t106 -  *_t96;
                  					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                  					 *_t96 =  *_t96 +  *_t108;
                  					 *_t108 =  *_t108 -  *_t106;
                  					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                  					 *_t106 =  *_t106 +  *_t96;
                  					 *_t96 =  *_t96 -  *_t108;
                  					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                  					 *_t108 =  *_t108 +  *_t106;
                  					 *_t106 =  *_t106 -  *_t96;
                  					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                  					 *_t96 =  *_t96 +  *_t108;
                  					 *_t108 =  *_t108 -  *_t106;
                  					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                  					 *_t106 =  *_t106 +  *_t96;
                  					_t109 = _t109 - 0xc;
                  					_v8 = _v8 + 0xc;
                  				} while (_t109 > 0xc);
                  				goto L3;
                  			}

                  0x0043e304
                  0x0043e30d
                  0x0043e310
                  0x0043e313
                  0x0043e316
                  0x0043e319
                  0x0043e32b
                  0x0043e32f
                  0x0043e333
                  0x0043e338
                  0x0043e33f
                  0x0043e549
                  0x0043e669
                  0x0043e66c
                  0x0043e6b0
                  0x0043e6ba
                  0x0043e6bc
                  0x0043e6c6
                  0x0043e6c8
                  0x0043e6d2
                  0x0043e6d4
                  0x0043e6db
                  0x0043e6dd
                  0x0043e6e7
                  0x0043e6e9
                  0x0043e6f3
                  0x0043e6f5
                  0x0043e6ff
                  0x0043e701
                  0x0043e708
                  0x0043e70a
                  0x0043e714
                  0x0043e716
                  0x0043e720
                  0x0043e722
                  0x0043e72c
                  0x0043e72e
                  0x0043e734
                  0x0043e736
                  0x0043e738
                  0x0043e746
                  0x0043e74a
                  0x0043e758
                  0x0043e75c
                  0x0043e76a
                  0x0043e76e
                  0x0043e77c
                  0x0043e780
                  0x0043e78e
                  0x0043e792
                  0x0043e7a0
                  0x0043e7a4
                  0x0043e7b2
                  0x00000000
                  0x0043e7b4
                  0x0043e66e
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0043e54f
                  0x0043e54f
                  0x0043e579
                  0x0043e5a6
                  0x0043e5d3
                  0x0043e5d7
                  0x0043e5e5
                  0x0043e5e9
                  0x0043e5ed
                  0x0043e5fb
                  0x0043e5ff
                  0x0043e603
                  0x0043e611
                  0x0043e615
                  0x0043e619
                  0x0043e627
                  0x0043e62b
                  0x0043e62f
                  0x0043e63d
                  0x0043e641
                  0x0043e645
                  0x0043e653
                  0x0043e657
                  0x0043e659
                  0x0043e65c
                  0x0043e660
                  0x00000000
                  0x0043e54f
                  0x0043e348
                  0x0043e3f9
                  0x0043e3fc
                  0x00000000
                  0x00000000
                  0x0043e402
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0043e447
                  0x0043e449
                  0x0043e44f
                  0x00000000
                  0x00000000
                  0x0043e459
                  0x0043e45b
                  0x0043e461
                  0x00000000
                  0x00000000
                  0x0043e46b
                  0x0043e46d
                  0x0043e473
                  0x00000000
                  0x00000000
                  0x0043e47d
                  0x0043e47f
                  0x00000000
                  0x00000000
                  0x0043e486
                  0x0043e48b
                  0x0043e48d
                  0x0043e496
                  0x00000000
                  0x00000000
                  0x0043e49d
                  0x0043e4a2
                  0x0043e4a4
                  0x0043e4ad
                  0x00000000
                  0x00000000
                  0x0043e4b4
                  0x0043e4b9
                  0x0043e4bb
                  0x0043e4c4
                  0x00000000
                  0x00000000
                  0x0043e4cb
                  0x0043e4d0
                  0x0043e4d5
                  0x00000000
                  0x00000000
                  0x0043e4dc
                  0x0043e4e1
                  0x0043e4e6
                  0x0043e4e8
                  0x0043e4f1
                  0x00000000
                  0x00000000
                  0x0043e4f8
                  0x0043e4fd
                  0x0043e502
                  0x0043e504
                  0x0043e50d
                  0x00000000
                  0x00000000
                  0x0043e514
                  0x0043e519
                  0x0043e51e
                  0x0043e520
                  0x0043e529
                  0x00000000
                  0x00000000
                  0x0043e530
                  0x0043e535
                  0x0043e53a
                  0x0043e53f
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0043e34e
                  0x0043e34e
                  0x0043e353
                  0x0043e35b
                  0x0043e363
                  0x0043e367
                  0x0043e375
                  0x0043e379
                  0x0043e37d
                  0x0043e38b
                  0x0043e38f
                  0x0043e393
                  0x0043e3a1
                  0x0043e3a5
                  0x0043e3a9
                  0x0043e3b7
                  0x0043e3bb
                  0x0043e3bf
                  0x0043e3cd
                  0x0043e3d1
                  0x0043e3d5
                  0x0043e3e3
                  0x0043e3e7
                  0x0043e3e9
                  0x0043e3ec
                  0x0043e3f0
                  0x00000000

                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4d07bd644088461b027f8f61d02e9ec1744d42c120322eecccc5c65a834fc11
                  • Instruction ID: fd17065085d04b435c7fdc60f471b412ba0fecd1562cf6ccef7209865f944487
                  • Opcode Fuzzy Hash: c4d07bd644088461b027f8f61d02e9ec1744d42c120322eecccc5c65a834fc11
                  • Instruction Fuzzy Hash: C702C336900235CFDBA2CF6AC140109B7B6FF8A72472A82D6D8546B269D370BD52DFD1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00433628() {
                  				struct HINSTANCE__* _v8;
                  				intOrPtr _t46;
                  				void* _t91;
                  
                  				_v8 = GetModuleHandleW(L"oleaut32.dll");
                  				 *0x68bf44 = E004335FC("VariantChangeTypeEx", E00433168, _t91);
                  				 *0x68bf48 = E004335FC("VarNeg", E004331B0, _t91);
                  				 *0x68bf4c = E004335FC("VarNot", E004331B0, _t91);
                  				 *0x68bf50 = E004335FC("VarAdd", E004331BC, _t91);
                  				 *0x68bf54 = E004335FC("VarSub", E004331BC, _t91);
                  				 *0x68bf58 = E004335FC("VarMul", E004331BC, _t91);
                  				 *0x68bf5c = E004335FC("VarDiv", E004331BC, _t91);
                  				 *0x68bf60 = E004335FC("VarIdiv", E004331BC, _t91);
                  				 *0x68bf64 = E004335FC("VarMod", E004331BC, _t91);
                  				 *0x68bf68 = E004335FC("VarAnd", E004331BC, _t91);
                  				 *0x68bf6c = E004335FC("VarOr", E004331BC, _t91);
                  				 *0x68bf70 = E004335FC("VarXor", E004331BC, _t91);
                  				 *0x68bf74 = E004335FC("VarCmp", E004331C8, _t91);
                  				 *0x68bf78 = E004335FC("VarI4FromStr", E004331D4, _t91);
                  				 *0x68bf7c = E004335FC("VarR4FromStr", E00433240, _t91);
                  				 *0x68bf80 = E004335FC("VarR8FromStr", E004332B0, _t91);
                  				 *0x68bf84 = E004335FC("VarDateFromStr", E00433320, _t91);
                  				 *0x68bf88 = E004335FC("VarCyFromStr", E00433390, _t91);
                  				 *0x68bf8c = E004335FC("VarBoolFromStr", E00433400, _t91);
                  				 *0x68bf90 = E004335FC("VarBstrFromCy", E00433480, _t91);
                  				 *0x68bf94 = E004335FC("VarBstrFromDate", E004334F4, _t91);
                  				_t46 = E004335FC("VarBstrFromBool", E00433568, _t91);
                  				 *0x68bf98 = _t46;
                  				return _t46;
                  			}

                  0x00433636
                  0x0043364a
                  0x00433660
                  0x00433676
                  0x0043368c
                  0x004336a2
                  0x004336b8
                  0x004336ce
                  0x004336e4
                  0x004336fa
                  0x00433710
                  0x00433726
                  0x0043373c
                  0x00433752
                  0x00433768
                  0x0043377e
                  0x00433794
                  0x004337aa
                  0x004337c0
                  0x004337d6
                  0x004337ec
                  0x00433802
                  0x00433812
                  0x00433818
                  0x0043381f

                  APIs
                  • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 00433631
                    • Part of subcall function 004335FC: GetProcAddress.KERNEL32(00000000), ref: 00433615
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                  • API String ID: 1646373207-1918263038
                  • Opcode ID: 3e1378bdb5ad7c29fd88770ff4ce091c4541caa31c90fba930871be9f297a12a
                  • Instruction ID: 1c9bae461033125c553dc52154ae996dad5e6ff10bf889698f178fb927107fa1
                  • Opcode Fuzzy Hash: 3e1378bdb5ad7c29fd88770ff4ce091c4541caa31c90fba930871be9f297a12a
                  • Instruction Fuzzy Hash: CE41ABA1604208BA67086F6E6C0242B77DADA4C716B60F17FB5048A765DF3CEB41CF6D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041482C() {
                  				void* __ebx;
                  				void* _t52;
                  
                  				if( *0x689c78 != 0) {
                  					L4:
                  					return 1;
                  				} else {
                  					 *0x689c78 = LoadLibraryW(L"PSAPI.dll");
                  					if( *0x689c78 >= 0x20) {
                  						 *0x689c7c = E0041314C(0x689c78, _t52,  *0x689c78, L"EnumProcesses");
                  						 *0x689c80 = E0041314C(0x689c78, _t52,  *0x689c78, L"EnumProcessModules");
                  						 *0x689c84 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetModuleBaseNameW");
                  						 *0x689c88 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetModuleFileNameExW");
                  						 *0x689c8c = E0041314C(0x689c78, _t52,  *0x689c78, L"GetModuleBaseNameA");
                  						 *0x689c90 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetModuleFileNameExA");
                  						 *0x689c94 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetModuleBaseNameW");
                  						 *0x689c98 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetModuleFileNameExW");
                  						 *0x689c9c = E0041314C(0x689c78, _t52,  *0x689c78, L"GetModuleInformation");
                  						 *0x689ca0 = E0041314C(0x689c78, _t52,  *0x689c78, L"EmptyWorkingSet");
                  						 *0x689ca4 = E0041314C(0x689c78, _t52,  *0x689c78, L"QueryWorkingSet");
                  						 *0x689ca8 = E0041314C(0x689c78, _t52,  *0x689c78, L"InitializeProcessForWsWatch");
                  						 *0x689cac = E0041314C(0x689c78, _t52,  *0x689c78, L"GetMappedFileNameW");
                  						 *0x689cb0 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetDeviceDriverBaseNameW");
                  						 *0x689cb4 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetDeviceDriverFileNameW");
                  						 *0x689cb8 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetMappedFileNameA");
                  						 *0x689cbc = E0041314C(0x689c78, _t52,  *0x689c78, L"GetDeviceDriverBaseNameA");
                  						 *0x689cc0 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetDeviceDriverFileNameA");
                  						 *0x689cc4 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetMappedFileNameW");
                  						 *0x689cc8 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetDeviceDriverBaseNameW");
                  						 *0x689ccc = E0041314C(0x689c78, _t52,  *0x689c78, L"GetDeviceDriverFileNameW");
                  						 *0x689cd0 = E0041314C(0x689c78, _t52,  *0x689c78, L"EnumDeviceDrivers");
                  						 *0x689cd4 = E0041314C(0x689c78, _t52,  *0x689c78, L"GetProcessMemoryInfo");
                  						goto L4;
                  					} else {
                  						 *0x689c78 = 0;
                  						return 0;
                  					}
                  				}
                  			}

                  0x00414835
                  0x004149f2
                  0x004149f5
                  0x0041483b
                  0x00414845
                  0x0041484a
                  0x00414861
                  0x00414873
                  0x00414885
                  0x00414897
                  0x004148a9
                  0x004148bb
                  0x004148cd
                  0x004148df
                  0x004148f1
                  0x00414903
                  0x00414915
                  0x00414927
                  0x00414939
                  0x0041494b
                  0x0041495d
                  0x0041496f
                  0x00414981
                  0x00414993
                  0x004149a5
                  0x004149b7
                  0x004149c9
                  0x004149db
                  0x004149ed
                  0x00000000
                  0x0041484c
                  0x0041484e
                  0x00414853
                  0x00414853
                  0x0041484a

                  APIs
                  • LoadLibraryW.KERNEL32(PSAPI.dll,?,00414D1D), ref: 00414840
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
                  • API String ID: 1029625771-2267155864
                  • Opcode ID: 968f598d4f9e3348f39fa493d0d2d40ebb04196cec9c834471fd8b8ba2efa3a2
                  • Instruction ID: 3b76bffdd280161674fe87eb2c410f9d00aa99154f6eacd96e57ed88be65213a
                  • Opcode Fuzzy Hash: 968f598d4f9e3348f39fa493d0d2d40ebb04196cec9c834471fd8b8ba2efa3a2
                  • Instruction Fuzzy Hash: 3A4174B0A80710BFDF00EFB9DC86AA537E9AB46B05315166AB400DF255DB7DD9808B2D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 47%
                  			E0042C070(longlong __eax, signed int* __ecx, longlong __edx, longlong* _a4, signed int* _a8) {
                  				longlong _v8;
                  				longlong _v12;
                  				signed int* _v16;
                  				longlong _v20;
                  				longlong _v24;
                  				longlong _v28;
                  				intOrPtr _v32;
                  				longlong _v36;
                  				char _v320;
                  				longlong _t58;
                  				longlong _t60;
                  				longlong _t64;
                  				longlong _t65;
                  				longlong _t68;
                  				longlong _t69;
                  				longlong _t70;
                  				longlong _t71;
                  				long _t88;
                  				long _t89;
                  				longlong _t90;
                  				unsigned int _t91;
                  				unsigned int _t92;
                  				struct _OSVERSIONINFOEXW* _t99;
                  				longlong* _t100;
                  
                  				_v16 = __ecx;
                  				_v12 = __edx;
                  				_v8 = __eax;
                  				_t100 = _a4;
                  				_t99 =  &_v320;
                  				E00407808(_t99, 0x11c);
                  				_t99->dwOSVersionInfoSize = 0x11c;
                  				_t58 = _v8;
                  				 *_t58 = 0;
                  				_push(1);
                  				_push(2);
                  				_push(0);
                  				_push(0);
                  				L00413420();
                  				_v28 = _t58;
                  				_v24 = 0;
                  				_t88 = 6;
                  				while(1) {
                  					_t99->dwMajorVersion = _t88;
                  					_push(_v24);
                  					if(VerifyVersionInfoW(_t99, 2, _v28) != 0) {
                  						break;
                  					}
                  					_t88 = _t88 + 1;
                  					if(_t88 != 0x15) {
                  						continue;
                  					}
                  					L4:
                  					_t60 = _v12;
                  					 *_t60 = 0;
                  					_push(1);
                  					_push(1);
                  					_push(0);
                  					_push(0);
                  					L00413420();
                  					_v28 = _t60;
                  					_v24 = 0;
                  					_t89 = 0;
                  					while(1) {
                  						_t99->dwMinorVersion = _t89;
                  						_push(_v24);
                  						if(VerifyVersionInfoW(_t99, 1, _v28) != 0) {
                  							break;
                  						}
                  						_t89 = _t89 + 1;
                  						if(_t89 != 0x10) {
                  							continue;
                  						}
                  						L8:
                  						 *_v16 = 0;
                  						_t64 =  *_v16 & 0x0000ffff;
                  						_t99->wServicePackMajor = _t64;
                  						_push(1);
                  						_push(0x20);
                  						_push(0);
                  						_push(0);
                  						L00413420();
                  						_push(0);
                  						_t65 = VerifyVersionInfoW(_t99, 0x20, _t64);
                  						if(_t65 == 0) {
                  							_t92 = 0x80;
                  							_push(3);
                  							_push(0x20);
                  							_push(0);
                  							_push(0);
                  							L00413420();
                  							_v28 = _t65;
                  							_v24 = 0;
                  							if(0x80 > 0) {
                  								do {
                  									_t99->wServicePackMajor =  *_v16 & 0x0000ffff | _t92;
                  									_push(_v24);
                  									if(VerifyVersionInfoW(_t99, 0x20, _v28) != 0) {
                  										 *_v16 =  *_v16 | _t92;
                  									}
                  									_t92 = _t92 >> 1;
                  								} while (_t92 > 0);
                  							}
                  						}
                  						 *_a8 = 0;
                  						_t68 =  *_a8 & 0x0000ffff;
                  						_t99->wServicePackMinor = _t68;
                  						_push(1);
                  						_push(0x10);
                  						_push(0);
                  						_push(0);
                  						L00413420();
                  						_push(0);
                  						_t69 = VerifyVersionInfoW(_t99, 0x10, _t68);
                  						if(_t69 == 0) {
                  							_t91 = 0x80;
                  							_push(3);
                  							_push(0x10);
                  							_push(0);
                  							_push(0);
                  							L00413420();
                  							_v28 = _t69;
                  							_v24 = 0;
                  							if(0x80 > 0) {
                  								do {
                  									_t99->wServicePackMinor =  *_a8 & 0x0000ffff | _t91;
                  									_push(_v24);
                  									if(VerifyVersionInfoW(_t99, 0x10, _v28) != 0) {
                  										 *_a8 =  *_a8 | _t91;
                  									}
                  									_t91 = _t91 >> 1;
                  								} while (_t91 > 0);
                  							}
                  						}
                  						_t70 =  *_t100;
                  						_t99->dwBuildNumber = _t70;
                  						_push(1);
                  						_push(4);
                  						_push(0);
                  						_push(0);
                  						L00413420();
                  						_push(0);
                  						_t71 = VerifyVersionInfoW(_t99, 4, _t70);
                  						if(_t71 == 0) {
                  							_t90 =  *_t100;
                  							_push(4);
                  							_push(4);
                  							_push(0);
                  							_push(0);
                  							L00413420();
                  							_push(0);
                  							_t71 = VerifyVersionInfoW(_t99, 4, _t71);
                  							if(_t71 != 0) {
                  								_t90 = 0;
                  							}
                  							_v20 = 0x7fff;
                  							_push(1);
                  							_push(4);
                  							_push(0);
                  							_push(0);
                  							L00413420();
                  							_v36 = _t71;
                  							_v32 = 0;
                  							_push(2);
                  							_push(4);
                  							_push(0);
                  							_push(0);
                  							L00413420();
                  							_v28 = _t71;
                  							_v24 = 0;
                  							if(_t90 < _v20) {
                  								while(1) {
                  									 *_t100 = _t90 + _v20 >> 1;
                  									_t99->dwBuildNumber =  *_t100;
                  									_push(_v32);
                  									_t71 = VerifyVersionInfoW(_t99, 4, _v36);
                  									if(_t71 != 0) {
                  										goto L27;
                  									}
                  									_push(_v24);
                  									_t71 = VerifyVersionInfoW(_t99, 4, _v28);
                  									if(_t71 == 0) {
                  										_t71 =  *_t100;
                  										_v20 = _t71;
                  									} else {
                  										_t90 =  *_t100;
                  									}
                  									if(_t90 < _v20) {
                  										continue;
                  									}
                  									goto L27;
                  								}
                  							}
                  						}
                  						L27:
                  						return _t71;
                  					}
                  					 *_v12 = _t89;
                  					goto L8;
                  				}
                  				 *_v8 = _t88;
                  				goto L4;
                  			}


                  APIs
                  • VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000001), ref: 0042C0B1
                  • VerifyVersionInfoW.KERNEL32(?,00000002,?,?), ref: 0042C0CD
                  • VerSetConditionMask.NTDLL(00000000,00000000,00000001,00000001), ref: 0042C0F2
                  • VerifyVersionInfoW.KERNEL32(?,00000001,?,?), ref: 0042C10B
                  • VerSetConditionMask.NTDLL(00000000,00000000,00000020,00000001), ref: 0042C13E
                  • VerifyVersionInfoW.KERNEL32(?,00000020,00000000), ref: 0042C148
                  • VerSetConditionMask.NTDLL(00000000,00000000,00000020,00000003), ref: 0042C15E
                  • VerifyVersionInfoW.KERNEL32(?,00000020,?,?), ref: 0042C186
                  • VerSetConditionMask.NTDLL(00000000,00000000,00000010,00000001), ref: 0042C1B8
                  • VerifyVersionInfoW.KERNEL32(?,00000010,00000000), ref: 0042C1C2
                  • VerSetConditionMask.NTDLL(00000000,00000000,00000010,00000003), ref: 0042C1D8
                  • VerifyVersionInfoW.KERNEL32(?,00000010,?,?), ref: 0042C200
                  • VerSetConditionMask.NTDLL(00000000,00000000,00000004,00000001), ref: 0042C222
                  • VerifyVersionInfoW.KERNEL32(?,00000004,00000000), ref: 0042C22C
                  • VerSetConditionMask.NTDLL(00000000,00000000,00000004,00000004), ref: 0042C243
                  • VerifyVersionInfoW.KERNEL32(?,00000004,00000000), ref: 0042C24D
                  • VerSetConditionMask.NTDLL(00000000,00000000,00000004,00000001), ref: 0042C267
                  • VerSetConditionMask.NTDLL(00000000,00000000,00000004,00000002), ref: 0042C27A
                  • VerifyVersionInfoW.KERNEL32(?,00000004,?,?), ref: 0042C2A1
                  • VerifyVersionInfoW.KERNEL32(?,00000004,?,?), ref: 0042C2B3
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ConditionInfoMaskVerifyVersion
                  • String ID:
                  • API String ID: 3739615805-0
                  • Opcode ID: b3a0c14e4750d9751342216ffe52c32c20bbd4f44faa4ba43819921045474359
                  • Instruction ID: f2bee8d039723c7fde14d1b898731f51a2fc6a66ccb7e53162264943ea3da8ed
                  • Opcode Fuzzy Hash: b3a0c14e4750d9751342216ffe52c32c20bbd4f44faa4ba43819921045474359
                  • Instruction Fuzzy Hash: F7815470B40315BAEB11DF959C82BFEB7B5EF44B05F10402AFB04BA2C1D7B95A409B69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 64%
                  			E0042AF64(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				char* _v8;
                  				long _v12;
                  				short _v140;
                  				short _v2188;
                  				void* _t15;
                  				char* _t17;
                  				intOrPtr _t19;
                  				intOrPtr _t21;
                  				intOrPtr _t30;
                  				long _t48;
                  				intOrPtr _t56;
                  				intOrPtr _t57;
                  				int _t61;
                  				void* _t64;
                  
                  				_push(__ebx);
                  				_push(__esi);
                  				_v8 = 0;
                  				_push(_t64);
                  				_push(0x42b089);
                  				_push( *[fs:ecx]);
                  				 *[fs:ecx] = _t64 + 0xfffff778;
                  				_t61 = E0042AD6C(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
                  				_t17 =  *0x6866f0; // 0x68705c
                  				if( *_t17 == 0) {
                  					_t19 =  *0x6862d8; // 0x414574
                  					_t11 = _t19 + 4; // 0xffd0
                  					_t21 =  *0x689c54; // 0x400000
                  					LoadStringW(E0040CA28(_t21),  *_t11,  &_v140, 0x40);
                  					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
                  				} else {
                  					_t30 =  *0x68637c; // 0x687344
                  					E004069A8(E004076C8(_t30));
                  					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
                  					_push(_t48);
                  					E0040C7FC();
                  					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
                  					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
                  					WriteFile(GetStdHandle(0xfffffff4), 0x42b0a4, 2,  &_v12, 0);
                  				}
                  				_pop(_t56);
                  				 *[fs:eax] = _t56;
                  				_push(0x42b090);
                  				_t57 =  *0x42af34; // 0x42af38
                  				return E0040C920( &_v8, _t57);
                  			}

                  APIs
                    • Part of subcall function 0042AD6C: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0042AF18), ref: 0042AD9F
                    • Part of subcall function 0042AD6C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0042ADC3
                    • Part of subcall function 0042AD6C: GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 0042ADDE
                    • Part of subcall function 0042AD6C: LoadStringW.USER32(00000000,0000FFEF,?,00000100), ref: 0042AE79
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0042B089), ref: 0042AFC5
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0042AFF8
                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0042B00A
                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0042B010
                  • GetStdHandle.KERNEL32(000000F4,0042B0A4,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0042B024
                  • WriteFile.KERNEL32(00000000,000000F4,0042B0A4,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0042B02A
                  • LoadStringW.USER32(00000000,0000FFD0,?,00000040), ref: 0042B04E
                  • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0042B068
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                  • String ID: Dsh$\ph$tEA
                  • API String ID: 135118572-1015491111
                  • Opcode ID: 9f1a1e0aba47a9893679fe55383c3be79ccf9594aadacf387519d54a67d6d921
                  • Instruction ID: c12b232c41c750caa8f08f228b9f8c01ff662e3e41c2e5784c495e4a5c514efa
                  • Opcode Fuzzy Hash: 9f1a1e0aba47a9893679fe55383c3be79ccf9594aadacf387519d54a67d6d921
                  • Instruction Fuzzy Hash: 6A3154B1740218BFE711EB55DC83FDA77ACEB04705F904166B604F61D1DA786E808BA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00413ED8(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                  				intOrPtr* _v8;
                  				struct HWND__* _t19;
                  				int* _t20;
                  				int* _t26;
                  				int* _t27;
                  
                  				_t26 = _t20;
                  				_t27 = __edx;
                  				_v8 = __eax;
                  				_t19 = FindWindowW(L"MouseZ", L"Magellan MSWHEEL");
                  				 *_v8 = RegisterClipboardFormatW(L"MSWHEEL_ROLLMSG");
                  				 *_t27 = RegisterClipboardFormatW(L"MSH_WHEELSUPPORT_MSG");
                  				 *_t26 = RegisterClipboardFormatW(L"MSH_SCROLL_LINES_MSG");
                  				if( *_t27 == 0 || _t19 == 0) {
                  					 *_a8 = 0;
                  				} else {
                  					 *_a8 = SendMessageW(_t19,  *_t27, 0, 0);
                  				}
                  				if( *_t26 == 0 || _t19 == 0) {
                  					 *_a4 = 3;
                  				} else {
                  					 *_a4 = SendMessageW(_t19,  *_t26, 0, 0);
                  				}
                  				return _t19;
                  			}

                  APIs
                  • FindWindowW.USER32(MouseZ,Magellan MSWHEEL), ref: 00413EF0
                  • RegisterClipboardFormatW.USER32(MSWHEEL_ROLLMSG), ref: 00413EFC
                  • RegisterClipboardFormatW.USER32(MSH_WHEELSUPPORT_MSG), ref: 00413F0B
                  • RegisterClipboardFormatW.USER32(MSH_SCROLL_LINES_MSG), ref: 00413F17
                  • SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00413F2F
                  • SendMessageW.USER32(00000000,?,00000000,00000000), ref: 00413F53
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                  • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                  • API String ID: 1416857345-3736581797
                  • Opcode ID: e532d33ddf96dc5334e0aa3ad5a6a11f2f8e1cec79e79f680b3ca31cd4049c32
                  • Instruction ID: 2f6c18b4a4ebea4bfb0d14626a075c45d223d9afcb43365f572040eaa72d8411
                  • Opcode Fuzzy Hash: e532d33ddf96dc5334e0aa3ad5a6a11f2f8e1cec79e79f680b3ca31cd4049c32
                  • Instruction Fuzzy Hash: 4B110371644305BFE3109F55C841BAABBF8EF45716F20446BF9449B381E6B85FC18798
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0042A68C(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, long long __fp0) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				intOrPtr* _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				signed int _v28;
                  				char _v32;
                  				signed int _v36;
                  				intOrPtr _v40;
                  				intOrPtr _t59;
                  				intOrPtr _t63;
                  				intOrPtr _t64;
                  				signed int _t67;
                  				signed int _t68;
                  				intOrPtr _t70;
                  				intOrPtr _t80;
                  				intOrPtr _t82;
                  				intOrPtr _t83;
                  				intOrPtr _t87;
                  				intOrPtr* _t90;
                  				intOrPtr* _t91;
                  				intOrPtr* _t95;
                  				intOrPtr _t98;
                  				intOrPtr _t99;
                  				void* _t105;
                  				intOrPtr _t106;
                  				signed int _t107;
                  				signed int _t110;
                  				signed int _t111;
                  				void* _t117;
                  				intOrPtr _t118;
                  				intOrPtr _t128;
                  				intOrPtr _t129;
                  				intOrPtr _t130;
                  				intOrPtr _t136;
                  				intOrPtr _t137;
                  				long _t139;
                  				void* _t144;
                  				void* _t145;
                  				intOrPtr* _t147;
                  				void* _t149;
                  				void* _t150;
                  				void* _t152;
                  				void* _t153;
                  				intOrPtr _t154;
                  				void* _t155;
                  				void* _t157;
                  				long long _t174;
                  
                  				_t174 = __fp0;
                  				_t157 = __eflags;
                  				_t152 = _t153;
                  				_t154 = _t153 + 0xffffffdc;
                  				_v32 = 0;
                  				_v8 = __edx;
                  				_t105 = __eax;
                  				_push(_t152);
                  				_push(0x42a931);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t154;
                  				E00409310();
                  				E00409478(E004096E0(__edx, _t157), __edx | 0xffffffff, _t157);
                  				_push(_t152);
                  				_push(0x42a914);
                  				_push( *[fs:edx]);
                  				 *[fs:edx] = _t154;
                  				 *0x689e38 = 0;
                  				_push(0);
                  				E0040C7FC();
                  				_t155 = _t154 + 4;
                  				E00429DA4(_t105, 0x42a94c, 0x100b,  &_v32);
                  				_t139 = E00424AA4(0x42a94c, 1, _t157);
                  				if(_t139 + 0xfffffffd - 3 >= 0) {
                  					__eflags = _t139 - 0xffffffffffffffff;
                  					if(_t139 - 0xffffffffffffffff < 0) {
                  						 *0x689e38 = 1;
                  						_push(1);
                  						E0040C7FC();
                  						_t155 = _t155 + 4;
                  						_t80 =  *0x689e3c; // 0x0
                  						E0040AAF8(_t80, L"B.C.");
                  						_t82 =  *0x689e3c; // 0x0
                  						 *((intOrPtr*)(_t82 + 4)) = 0;
                  						_t83 =  *0x689e3c; // 0x0
                  						 *((intOrPtr*)(_t83 + 8)) = 0xffc00000;
                  						 *((intOrPtr*)(_t83 + 0xc)) = 0xc1dfffff;
                  						E00427F68(1, 1, 1, __eflags, __fp0);
                  						_v40 = E00407160();
                  						_v36 = 1;
                  						asm("fild qword [ebp-0x24]");
                  						_t87 =  *0x689e3c; // 0x0
                  						 *((long long*)(_t87 + 0x10)) = _t174;
                  						asm("wait");
                  						EnumCalendarInfoW(E0042A550, GetThreadLocale(), _t139, 4);
                  						_t90 =  *0x689e3c; // 0x0
                  						_v16 = _t90;
                  						_t91 = _v16;
                  						__eflags = _t91;
                  						if(_t91 != 0) {
                  							_t95 = _t91 - 4;
                  							__eflags = _t95;
                  							_t91 =  *_t95;
                  						}
                  						_t147 = _t91 - 1;
                  						__eflags = _t147;
                  						if(_t147 > 0) {
                  							_t110 = 1;
                  							do {
                  								_t136 =  *0x689e3c; // 0x0
                  								 *((intOrPtr*)(_t136 + 4 + (_t110 + _t110 * 2) * 8)) = 0xffffffff;
                  								_t110 = _t110 + 1;
                  								_t147 = _t147 - 1;
                  								__eflags = _t147;
                  							} while (_t147 != 0);
                  						}
                  						EnumCalendarInfoW(E0042A5F4, GetThreadLocale(), _t139, 3);
                  					}
                  				} else {
                  					EnumCalendarInfoW(E0042A550, GetThreadLocale(), _t139, 4);
                  					_t98 =  *0x689e3c; // 0x0
                  					_v12 = _t98;
                  					_t99 = _v12;
                  					if(_t99 != 0) {
                  						_t99 =  *((intOrPtr*)(_t99 - 4));
                  					}
                  					_t149 = _t99 - 1;
                  					if(_t149 >= 0) {
                  						_t150 = _t149 + 1;
                  						_t111 = 0;
                  						do {
                  							_t137 =  *0x689e3c; // 0x0
                  							 *((intOrPtr*)(_t137 + 4 + (_t111 + _t111 * 2) * 8)) = 0xffffffff;
                  							_t111 = _t111 + 1;
                  							_t150 = _t150 - 1;
                  						} while (_t150 != 0);
                  					}
                  					EnumCalendarInfoW(E0042A5F4, GetThreadLocale(), _t139, 3);
                  				}
                  				_t59 =  *0x689e3c; // 0x0
                  				_v20 = _t59;
                  				_t106 = _v20;
                  				if(_t106 != 0) {
                  					_t106 =  *((intOrPtr*)(_t106 - 4));
                  				}
                  				_push(_t106);
                  				E0040C7FC();
                  				_t63 =  *0x689e3c; // 0x0
                  				_v24 = _t63;
                  				_t64 = _v24;
                  				if(_t64 != 0) {
                  					_t64 =  *((intOrPtr*)(_t64 - 4));
                  				}
                  				_t144 = _t64 - 1;
                  				if(_t144 >= 0) {
                  					_t145 = _t144 + 1;
                  					_t107 = 0;
                  					do {
                  						_t130 =  *0x689e3c; // 0x0
                  						_t118 =  *0x41ef68; // 0x41ef6c
                  						E0040BF1C( *((intOrPtr*)(_v8 + 0xbc)) + (_t107 + _t107 * 2) * 8, _t118, _t130 + (_t107 + _t107 * 2) * 8, _t174);
                  						_t107 = _t107 + 1;
                  						_t145 = _t145 - 1;
                  					} while (_t145 != 0);
                  				}
                  				_t128 =  *0x42a4ac; // 0x42a4b0
                  				E0040C920(0x689e3c, _t128);
                  				_t67 =  *0x689e3c; // 0x0
                  				_v28 = _t67;
                  				_t68 = _v28;
                  				if(_t68 != 0) {
                  					_t68 =  *(_t68 - 4);
                  				}
                  				 *0x689e38 = _t68;
                  				_pop(_t129);
                  				_pop(_t117);
                  				 *[fs:eax] = _t129;
                  				_push(0x42a91b);
                  				_t70 =  *0x689e40; // 0x25699e0
                  				return E00409658(_t70, _t117);
                  			}

                  APIs
                    • Part of subcall function 00409478: GetTickCount.KERNEL32 ref: 004094AF
                    • Part of subcall function 00409478: GetTickCount.KERNEL32 ref: 004094C7
                    • Part of subcall function 00429DA4: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00429DC2
                  • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0042A724
                  • EnumCalendarInfoW.KERNEL32(0042A550,00000000,00000000,00000004), ref: 0042A72F
                  • GetThreadLocale.KERNEL32(00000000,00000003,0042A550,00000000,00000000,00000004), ref: 0042A76A
                  • EnumCalendarInfoW.KERNEL32(0042A5F4,00000000,00000000,00000003,0042A550,00000000,00000000,00000004), ref: 0042A775
                  • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0042A806
                  • EnumCalendarInfoW.KERNEL32(0042A550,00000000,00000000,00000004), ref: 0042A811
                  • GetThreadLocale.KERNEL32(00000000,00000003,0042A550,00000000,00000000,00000004), ref: 0042A84E
                  • EnumCalendarInfoW.KERNEL32(0042A5F4,00000000,00000000,00000003,0042A550,00000000,00000000,00000004), ref: 0042A859
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Similarity
                  • API ID: InfoLocale$CalendarEnumThread$CountTick
                  • String ID: B.C.$lA
                  • API String ID: 1601775584-3677877705
                  • Opcode ID: 46a5425ed04cfb374dc0662629fc43145a171ae9a0af06c410190e1d42f3b1a0
                  • Instruction ID: 5920230076df6662ec70906754c4d6877b5e5b8ace32de64f1f797bbaf599e41
                  • Opcode Fuzzy Hash: 46a5425ed04cfb374dc0662629fc43145a171ae9a0af06c410190e1d42f3b1a0
                  • Instruction Fuzzy Hash: 7461C070B002119FDB10EF69DC85AAA7BA5EB49304F54827AEC00D73A1C778DD52DB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E00429E1C(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				char _v40;
                  				char _v44;
                  				char _v48;
                  				char _v52;
                  				char _v56;
                  				char _v60;
                  				int _t55;
                  				void* _t121;
                  				void* _t128;
                  				void* _t151;
                  				void* _t152;
                  				intOrPtr _t172;
                  				intOrPtr _t204;
                  				signed short _t212;
                  				int _t214;
                  				intOrPtr _t216;
                  				intOrPtr _t217;
                  				void* _t224;
                  
                  				_t224 = __fp0;
                  				_t211 = __edi;
                  				_t216 = _t217;
                  				_t152 = 7;
                  				do {
                  					_push(0);
                  					_push(0);
                  					_t152 = _t152 - 1;
                  				} while (_t152 != 0);
                  				_push(__edi);
                  				_t151 = __edx;
                  				_t214 = __eax;
                  				_push(_t216);
                  				_push(0x42a101);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t217;
                  				_t55 = IsValidLocale(__eax, 1); // 1 = LCID_INSTALLED; fall back to the thread locale when the requested LCID is not installed
                  				_t219 = _t55;
                  				if(_t55 == 0) {
                  					_t214 = GetThreadLocale();
                  				}
                  				_t172 =  *0x41f0a0; // 0x41f0a4
                  				E0040C920(_t151 + 0xbc, _t172);
                  				E0042A68C(_t214, _t151, _t151, _t211, _t214, _t219, _t224);
                  				E0042A34C(_t214, _t151, _t151, _t211, _t214);
                  				E0042A408(_t214, _t151, _t151, _t211, _t214);
                  				// E00429DA4 / E00429DF0 wrap GetLocaleInfoW (see APIs below); the third argument is the LCType being queried
                  				E00429DA4(_t214, 0, 0x14,  &_v20); // 0x14 = LOCALE_SCURRENCY
                  				E0040AAF8(_t151, _v20);
                  				E00429DA4(_t214, 0x42a11c, 0x1b,  &_v24); // 0x1b = LOCALE_ICURRENCY
                  				 *((char*)(_t151 + 4)) = E00424AA4(0x42a11c, 0, _t219);
                  				E00429DA4(_t214, 0x42a12c, 0x1c,  &_v28); // 0x1c = LOCALE_INEGCURR
                  				 *((char*)(_t151 + 0xc6)) = E00424AA4(0x42a12c, 0, _t219);
                  				 *((short*)(_t151 + 0xc0)) = E00429DF0(_t214, 0x2c, 0xf); // 0xf = LOCALE_STHOUSAND, default ','
                  				 *((short*)(_t151 + 0xc2)) = E00429DF0(_t214, 0x2e, 0xe); // 0xe = LOCALE_SDECIMAL, default '.'
                  				E00429DA4(_t214, 0x42a13c, 0x19,  &_v32); // 0x19 = LOCALE_ICURRDIGITS
                  				 *((char*)(_t151 + 5)) = E00424AA4(0x42a13c, 0, _t219);
                  				_t212 = E00429DF0(_t214, 0x2f, 0x1d); // 0x1d = LOCALE_SDATE, default '/'
                  				 *(_t151 + 6) = _t212;
                  				_push(_t212);
                  				E0042A9E8(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36); // 0x1f = LOCALE_SSHORTDATE
                  				E0040AAF8(_t151 + 0xc, _v36);
                  				_push( *(_t151 + 6) & 0x0000ffff);
                  				E0042A9E8(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40); // 0x20 = LOCALE_SLONGDATE
                  				E0040AAF8(_t151 + 0x10, _v40);
                  				 *((short*)(_t151 + 8)) = E00429DF0(_t214, 0x3a, 0x1e); // 0x1e = LOCALE_STIME, default ':'
                  				E00429DA4(_t214, 0x42a190, 0x28,  &_v44); // 0x28 = LOCALE_S1159 (AM designator)
                  				E0040AAF8(_t151 + 0x14, _v44);
                  				E00429DA4(_t214, 0x42a1a4, 0x29,  &_v48); // 0x29 = LOCALE_S2359 (PM designator)
                  				E0040AAF8(_t151 + 0x18, _v48);
                  				E0040A718( &_v12);
                  				E0040A718( &_v16);
                  				E00429DA4(_t214, 0x42a1b8, 0x25,  &_v52); // 0x25 = LOCALE_ITLZERO (leading zero in hours)
                  				_t121 = E00424AA4(0x42a1b8, 0, _t219);
                  				_t220 = _t121;
                  				if(_t121 != 0) {
                  					E0040AB40( &_v8, 0x42a1d8);
                  				} else {
                  					E0040AB40( &_v8, 0x42a1c8);
                  				}
                  				E00429DA4(_t214, 0x42a1ec, 0x23,  &_v56); // 0x23 = LOCALE_ITIME (0 = 12-hour clock)
                  				_t128 = E00424AA4(0x42a1ec, 0, _t220);
                  				_t221 = _t128;
                  				if(_t128 == 0) {
                  					E00429DA4(_t214, 0x42a1fc, 0x1005,  &_v60); // 0x1005 = LOCALE_ITIMEMARKPOSN (AM/PM before or after the time)
                  					if(E00424AA4(0x42a1fc, 0, _t221) != 0) {
                  						E0040AB40( &_v12, L"AMPM ");
                  					} else {
                  						E0040AB40( &_v16, L" AMPM");
                  					}
                  				}
                  				_push(_v12);
                  				_push(_v8);
                  				_push(":mm");
                  				_push(_v16);
                  				E0040B65C(_t151 + 0x1c, _t151, 4, _t212, _t214);
                  				_push(_v12);
                  				_push(_v8);
                  				_push(L":mm:ss");
                  				_push(_v16);
                  				E0040B65C(_t151 + 0x20, _t151, 4, _t212, _t214);
                  				 *((short*)(_t151 + 0xa)) = E00429DF0(_t214, 0x2c, 0xc); // 0xc = LOCALE_SLIST (list separator), default ','
                  				 *((short*)(_t151 + 0xc4)) = 0x32;
                  				_pop(_t204);
                  				 *[fs:eax] = _t204;
                  				_push(0x42a108);
                  				return E0040A778( &_v60, 0xe);
                  			}

                  APIs
                  • IsValidLocale.KERNEL32(?,00000001,00000000,0042A101,?,?,?,?,00000000,00000000), ref: 00429E43
                  • GetThreadLocale.KERNEL32(?,00000001,00000000,0042A101,?,?,?,?,00000000,00000000), ref: 00429E4C
                    • Part of subcall function 00429DF0: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,00429EF2,?,00000001,00000000,0042A101), ref: 00429E03
                    • Part of subcall function 00429DA4: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00429DC2
                  Similarity
                  • API ID: Locale$Info$ThreadValid
                  • String ID: AMPM$2$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                  • API String ID: 233154393-3379564615
                  • Opcode ID: 433e7bbcea3da7a951f95f8ada8180f320cc5c2f9261df8627bc4f73e56459cf
                  • Instruction ID: 5cdf93038edcdcc744e4cdaaedbe345dbb8e45b2beb88814bb0be0cba7e29379
                  • Opcode Fuzzy Hash: 433e7bbcea3da7a951f95f8ada8180f320cc5c2f9261df8627bc4f73e56459cf
                  • Instruction Fuzzy Hash: 857134307101685BDB01EBA5E881A9E73B6DF88704F90807BF904AB246DB3DDD26975E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E0040D220(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				void* _t18;
                  				signed short _t28;
                  				intOrPtr _t35;
                  				intOrPtr _t47;
                  
                  				_t42 = __edi;
                  				_push(0);
                  				_push(__ebx);
                  				_push(__esi);
                  				_t44 = __edx;
                  				_t28 = __eax;
                  				_push(_t47);
                  				_push(0x40d324);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t47;
                  				_push(0x689b8c);
                  				L00404B50();
                  				if(__eax !=  *0x689ba4) {
                  					_push(0x689b8c);
                  					L00404B58();
                  					E0040A718(__edx);
                  					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
                  						if( *0x689b88 == 0) {
                  							_t18 = E0040CF08(_t28, _t28, _t44, __edi, _t44);
                  							L00404C28();
                  							if(_t28 != _t18) {
                  								if( *_t44 != 0) {
                  									_t18 = E0040B57C(_t44, 0x40d33c);
                  								}
                  								L00404C28();
                  								E0040CF08(_t18, _t28,  &_v8, _t42, _t44);
                  								E0040B57C(_t44, _v8);
                  							}
                  						} else {
                  							E0040D104(_t28, _t44);
                  						}
                  					}
                  					_push(0x689b8c);
                  					L00404B50();
                  					 *0x689ba4 = _t28;
                  					E0040CD88(L"en-US,en,", E0040B380( *_t44), 0xaa);
                  					_push(0x689b8c);
                  					L00404B58();
                  				} else {
                  					E0040B424(__edx, 0x55, L"en-US,en,");
                  					_push(0x689b8c);
                  					L00404B58();
                  				}
                  				_pop(_t35);
                  				 *[fs:eax] = _t35;
                  				_push(0x40d32b);
                  				return E0040A718( &_v8);
                  			}

                  APIs
                  • RtlEnterCriticalSection.NTDLL(00689B8C), ref: 0040D23E
                  • RtlLeaveCriticalSection.NTDLL(00689B8C), ref: 0040D262
                  • RtlLeaveCriticalSection.NTDLL(00689B8C), ref: 0040D271
                  • IsValidLocale.KERNEL32(00000000,00000002,00000000,0040D324,?,?,?,00000000,?,0040DBEC,00000000,0040DC4B,?,?,00000000,00000000), ref: 0040D283
                  • RtlEnterCriticalSection.NTDLL(00689B8C), ref: 0040D2E0
                  • RtlLeaveCriticalSection.NTDLL(00689B8C), ref: 0040D309
                  Similarity
                  • API ID: CriticalSection$Leave$Enter$LocaleValid
                  • String ID: en-US,en,
                  • API String ID: 975949045-3579323720
                  • Opcode ID: ec95dd5791c358f133505a2707e5f6a5cb7e40122d0bb2bd5e2e961e512efb5a
                  • Instruction ID: e2d9fb40c1beb812cf49fde22bdabb460a130652527a51acc51967def731ae03
                  • Opcode Fuzzy Hash: ec95dd5791c358f133505a2707e5f6a5cb7e40122d0bb2bd5e2e961e512efb5a
                  • Instruction Fuzzy Hash: 23219270B40204A7D710B7E69D1272B7596DB89708B66457FB500B72C2DA7DDC0583AE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E004061AC(void* __eax, void* __fp0) {
                  				void* _v8;
                  				char _v110600;
                  				char _v112644;
                  				char _v112645;
                  				signed int _v112652;
                  				char _v112653;
                  				char _v112654;
                  				char _v112660;
                  				intOrPtr _v112664;
                  				intOrPtr _v112668;
                  				intOrPtr _v112672;
                  				signed short* _v112676;
                  				void* _v112680;
                  				char _v129064;
                  				char _v131113;
                  				char _v161832;
                  				void* _t74;
                  				int _t80;
                  				intOrPtr _t83;
                  				intOrPtr _t94;
                  				CHAR* _t98;
                  				intOrPtr _t100;
                  				void* _t112;
                  				intOrPtr _t113;
                  				intOrPtr _t119;
                  				intOrPtr _t124;
                  				void* _t134;
                  				intOrPtr _t135;
                  				intOrPtr _t139;
                  				signed int _t149;
                  				int _t154;
                  				intOrPtr _t155;
                  				char* _t157;
                  				char* _t158;
                  				char* _t159;
                  				char* _t160;
                  				char* _t161;
                  				char* _t162;
                  				char* _t164;
                  				char* _t165;
                  				char* _t170;
                  				char* _t171;
                  				intOrPtr _t203;
                  				void* _t205;
                  				void* _t206;
                  				intOrPtr* _t209;
                  				void* _t211;
                  				void* _t212;
                  				signed int _t217;
                  				void* _t220;
                  				void* _t221;
                  				void* _t234;
                  
                  				_push(__eax);
                  				_t74 = 0x27;
                  				goto L1;
                  				L12:
                  				while(_t203 != 0x687a5c) {
                  					_t80 = E00405CAC(_t203);
                  					_t154 = _t80;
                  					__eflags = _t154;
                  					if(_t154 == 0) {
                  						L11:
                  						_t20 = _t203 + 4; // 0x687a5c
                  						_t203 =  *_t20;
                  						continue;
                  					} else {
                  						goto L4;
                  					}
                  					do {
                  						L4:
                  						_t217 =  *(_t154 - 4);
                  						__eflags = _t217 & 0x00000001;
                  						if((_t217 & 0x00000001) == 0) {
                  							__eflags = _t217 & 0x00000004;
                  							if(__eflags == 0) {
                  								__eflags = _v112652 - 0x1000;
                  								if(_v112652 < 0x1000) {
                  									_v112664 = (_t217 & 0xfffffff0) - 4;
                  									_t149 = E00405F98(_t154);
                  									__eflags = _t149;
                  									if(_t149 == 0) {
                  										_v112645 = 0;
                  										 *((intOrPtr*)(_t220 + _v112652 * 4 - 0x1f824)) = _v112664;
                  										_t18 =  &_v112652;
                  										 *_t18 = _v112652 + 1;
                  										__eflags =  *_t18;
                  									}
                  								}
                  							} else {
                  								E00405FF0(_t154, __eflags, _t220);
                  							}
                  						}
                  						_t80 = E00405C88(_t154);
                  						_t154 = _t80;
                  						__eflags = _t154;
                  					} while (_t154 != 0);
                  					goto L11;
                  				}
                  				_t155 =  *0x689b04; // 0x689b00
                  				while(_t155 != 0x689b00 && _v112652 < 0x1000) {
                  					_t80 = E00405F98(_t155 + 0x10);
                  					__eflags = _t80;
                  					if(_t80 == 0) {
                  						_v112645 = 0;
                  						_t22 = _t155 + 0xc; // 0x0
                  						_t80 = _v112652;
                  						 *((intOrPtr*)(_t220 + _t80 * 4 - 0x1f824)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
                  						_t27 =  &_v112652;
                  						 *_t27 = _v112652 + 1;
                  						__eflags =  *_t27;
                  					}
                  					_t29 = _t155 + 4; // 0x689b00
                  					_t155 =  *_t29;
                  				}
                  				if(_v112645 != 0) {
                  					L54:
                  					return _t80;
                  				}
                  				_v112653 = 0;
                  				_v112668 = 0;
                  				_t83 =  *0x67d054; // 0x404d2c
                  				_t157 = E00405D78(E0040AC20(_t83),  &_v161832);
                  				_v112660 = 0x37;
                  				_v112676 = 0x67d07a;
                  				_v112680 =  &_v110600;
                  				do {
                  					_v112672 = ( *_v112676 & 0x0000ffff) - 4;
                  					_v112654 = 0;
                  					_t205 = 0xff;
                  					_t209 = _v112680;
                  					while(_t157 <=  &_v131113) {
                  						if( *_t209 > 0) {
                  							if(_v112653 == 0) {
                  								_t139 =  *0x67d058; // 0x404d58
                  								_t157 = E00405D78(E0040AC20(_t139), _t157);
                  								_v112653 = 1;
                  							}
                  							if(_v112654 != 0) {
                  								 *_t157 = 0x2c;
                  								_t162 = _t157 + 1;
                  								 *_t162 = 0x20;
                  								_t163 = _t162 + 1;
                  								__eflags = _t162 + 1;
                  							} else {
                  								 *_t157 = 0xd;
                  								 *((char*)(_t157 + 1)) = 0xa;
                  								_t170 = E00405D28(_v112668 + 1, _t157 + 2);
                  								 *_t170 = 0x20;
                  								_t171 = _t170 + 1;
                  								 *_t171 = 0x2d;
                  								 *((char*)(_t171 + 1)) = 0x20;
                  								_t134 = E00405D28(_v112672, _t171 + 2);
                  								_t135 =  *0x67d060; // 0x404dc0
                  								_t163 = E00405D78(E0040AC20(_t135), _t134);
                  								_v112654 = 1;
                  							}
                  							_t112 = _t205 - 1;
                  							_t234 = _t112;
                  							if(_t234 < 0) {
                  								_t113 =  *0x67d064; // 0x404dcc
                  								_t164 = E00405D78(E0040AC20(_t113), _t163);
                  							} else {
                  								if(_t234 == 0) {
                  									_t119 =  *0x67d068; // 0x404dd4
                  									_t164 = E00405D78(E0040AC20(_t119), _t163);
                  								} else {
                  									if(_t112 == 1) {
                  										_t124 =  *0x67d06c; // 0x404de0
                  										_t164 = E00405D78(E0040AC20(_t124), _t163);
                  									} else {
                  										_t164 = E00405D90( *((intOrPtr*)(_t209 - 4)), _t163);
                  									}
                  								}
                  							}
                  							 *_t164 = 0x20;
                  							_t165 = _t164 + 1;
                  							 *_t165 = 0x78;
                  							 *((char*)(_t165 + 1)) = 0x20;
                  							_t157 = E00405D28( *_t209, _t165 + 2);
                  						}
                  						_t205 = _t205 - 1;
                  						_t209 = _t209 - 8;
                  						if(_t205 != 0xffffffff) {
                  							continue;
                  						} else {
                  							goto L39;
                  						}
                  					}
                  					L39:
                  					if(_v112654 != 0 ||  *0x687a5a == 0 || (_v112672 + 0x00000004 & 0x0000000f) == 0) {
                  						_v112668 = _v112672;
                  					}
                  					_v112680 = _v112680 + 0x800;
                  					_v112676 =  &(_v112676[0x10]);
                  					_t61 =  &_v112660;
                  					 *_t61 = _v112660 - 1;
                  				} while ( *_t61 != 0);
                  				if(_v112652 <= 0) {
                  					L53:
                  					_t94 =  *0x67d070; // 0x404df0
                  					E00405D78(E0040AC20(_t94), _t157);
                  					_t98 =  *0x67d074; // 0x404df4
                  					_t80 = MessageBoxA(0,  &_v161832, _t98, 0x2010);
                  					goto L54;
                  				}
                  				if(_v112653 != 0) {
                  					 *_t157 = 0xd;
                  					_t159 = _t157 + 1;
                  					 *_t159 = 0xa;
                  					_t160 = _t159 + 1;
                  					 *_t160 = 0xd;
                  					_t161 = _t160 + 1;
                  					 *_t161 = 0xa;
                  					_t157 = _t161 + 1;
                  				}
                  				_t100 =  *0x67d05c; // 0x404d80
                  				_t157 = E00405D78(E0040AC20(_t100), _t157);
                  				_t211 = _v112652 - 1;
                  				if(_t211 >= 0) {
                  					_t212 = _t211 + 1;
                  					_t206 = 0;
                  					_v112680 =  &_v129064;
                  					L49:
                  					L49:
                  					if(_t206 != 0) {
                  						 *_t157 = 0x2c;
                  						_t158 = _t157 + 1;
                  						 *_t158 = 0x20;
                  						_t157 = _t158 + 1;
                  					}
                  					_t157 = E00405D28( *_v112680, _t157);
                  					if(_t157 >  &_v131113) {
                  						goto L53;
                  					}
                  					_t206 = _t206 + 1;
                  					_v112680 = _v112680 + 4;
                  					_t212 = _t212 - 1;
                  					if(_t212 != 0) {
                  						goto L49;
                  					}
                  				}
                  				L1:
                  				_t221 = _t221 + 0xfffff004;
                  				_push(_t74);
                  				_t74 = _t74 - 1;
                  				if(_t74 != 0) {
                  					goto L1;
                  				} else {
                  					E00407808( &_v112644, 0x1b800);
                  					E00407808( &_v129064, 0x4000);
                  					_t80 = 0;
                  					_v112652 = 0;
                  					_v112645 = 1;
                  					_t203 =  *0x687a60; // 0x687a5c
                  					goto L12;
                  				}
                  			}
                  0x00406502
                  0x00406505
                  0x00406506
                  0x00406509
                  0x0040650a
                  0x0040650d
                  0x0040650d
                  0x0040650e
                  0x00406526
                  0x0040652e
                  0x00406531
                  0x00406533
                  0x00406534
                  0x0040653c
                  0x00000000
                  0x00406542
                  0x00406544
                  0x00406546
                  0x00406549
                  0x0040654a
                  0x0040654d
                  0x0040654d
                  0x0040655d
                  0x00406567
                  0x00000000
                  0x00000000
                  0x00406569
                  0x0040656a
                  0x00406571
                  0x00406572
                  0x00000000
                  0x00000000
                  0x00406572
                  0x004061b5
                  0x004061b5
                  0x004061bb
                  0x004061bc
                  0x004061bd
                  0x00000000
                  0x004061bf
                  0x004061d8
                  0x004061ea
                  0x004061ef
                  0x004061f1
                  0x004061f7
                  0x004061fe
                  0x00000000
                  0x004061fe

                  APIs
                  • MessageBoxA.USER32(00000000,?,00404DF4,00002010), ref: 004065A0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message
                  • String ID: $,M@$7$XM@$\zh$\zh$M@
                  • API String ID: 2030045667-2234888863
                  • Opcode ID: 391abef2e9f68de65d83f716f37e87e6fb5e35ef598b843d26137b9c4c423eba
                  • Instruction ID: 0c833a1be1ce6cae6a0836d4aa76ba946d86bcc1112c4c140ef4b74e81b4289d
                  • Opcode Fuzzy Hash: 391abef2e9f68de65d83f716f37e87e6fb5e35ef598b843d26137b9c4c423eba
                  • Instruction Fuzzy Hash: 52B1C330A042548FDB21AB2CDC84B9977F5AF09304F1551FAE44AFB382DB789D86CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0040A3A8(void* __ecx) {
                  				long _v4;
                  				int _t3;
                  				void* _t9;
                  
                  				if( *0x68705c == 0) {
                  					if( *0x67d032 == 0) {
                  						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                  					}
                  					return _t3;
                  				} else {
                  					if( *0x687348 == 0xd7b2 &&  *0x687350 > 0) {
                  						 *0x687360();
                  					}
                  					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
                  					_t9 = E0040B024(0x40a43c);
                  					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
                  				}
                  			}






                  Instruction address range: 0x0040a3b0 - 0x0040a42c

                  APIs
                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040A45C,?,?,?,?,0040A582,00406943,0040698A), ref: 0040A3E1
                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040A45C,?,?,?,?,0040A582,00406943,0040698A), ref: 0040A3E7
                  • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040A45C,?,?,?), ref: 0040A402
                  • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040A45C), ref: 0040A408
                  • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 0040A426
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileHandleWrite$Message
                  • String ID: Error$Runtime error at 00000000
                  • API String ID: 1570097196-2970929446
                  • Opcode ID: 1ecb5ac7b7fca4ea47910bc350238413b3652574f7cf13d1881176c95cfb1100
                  • Instruction ID: ca040b8a008277449c66320dff47abc0b8d1c664c8752332d91f3595a9ea3e01
                  • Opcode Fuzzy Hash: 1ecb5ac7b7fca4ea47910bc350238413b3652574f7cf13d1881176c95cfb1100
                  • Instruction Fuzzy Hash: 53F0C2B1688344BAE720B3616C0BF6A322D9B40B15F20573FB724B50D1C6FC9884A72F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00409478(signed char* __eax, void* __edx, void* __eflags) {
                  				void* _t49;
                  				signed char _t56;
                  				signed char _t57;
                  				intOrPtr _t58;
                  				signed char _t60;
                  				void* _t71;
                  				signed char* _t72;
                  				intOrPtr _t73;
                  				signed char* _t74;
                  
                  				_t71 = __edx;
                  				_t72 = __eax;
                  				_t73 =  *((intOrPtr*)(__eax + 0x10));
                  				while(1) {
                  					L1:
                  					 *_t74 = E0040985C(_t72);
                  					if( *_t74 != 0 || _t71 == 0) {
                  						break;
                  					}
                  					_t74[1] = 0;
                  					if(_t73 <= 0) {
                  						while(1) {
                  							L17:
                  							_t56 =  *_t72;
                  							if(_t56 == 0) {
                  								goto L1;
                  							}
                  							asm("lock cmpxchg [esi], edx");
                  							if(_t56 != _t56) {
                  								continue;
                  							} else {
                  								goto L19;
                  							}
                  							do {
                  								L19:
                  								_t74[4] = GetTickCount();
                  								E00409670(_t72);
                  								_t58 =  *0x6878fc; // 0x67f7b4
                  								 *((intOrPtr*)(_t58 + 0x10))();
                  								 *_t74 = 0 == 0;
                  								if(_t71 != 0xffffffff) {
                  									_t74[8] = GetTickCount();
                  									if(_t71 <= _t74[8] - _t74[4]) {
                  										_t71 = 0;
                  									} else {
                  										_t71 = _t71 - _t74[8] - _t74[4];
                  									}
                  								}
                  								if( *_t74 == 0) {
                  									do {
                  										asm("lock cmpxchg [esi], edx");
                  									} while ( *_t72 !=  *_t72);
                  									_t74[1] = 1;
                  								} else {
                  									while(1) {
                  										_t60 =  *_t72;
                  										if((_t60 & 0x00000001) != 0) {
                  											goto L29;
                  										}
                  										asm("lock cmpxchg [esi], edx");
                  										if(_t60 != _t60) {
                  											continue;
                  										}
                  										_t74[1] = 1;
                  										goto L29;
                  									}
                  								}
                  								L29:
                  							} while (_t74[1] == 0);
                  							if( *_t74 != 0) {
                  								_t72[8] = GetCurrentThreadId();
                  								_t72[4] = 1;
                  							}
                  							goto L32;
                  						}
                  						continue;
                  					}
                  					_t74[4] = GetTickCount();
                  					_t74[0xc] = 0;
                  					if(_t73 <= 0) {
                  						L13:
                  						if(_t71 == 0xffffffff) {
                  							goto L17;
                  						}
                  						_t74[8] = GetTickCount();
                  						_t49 = _t74[8] - _t74[4];
                  						if(_t71 > _t49) {
                  							_t71 = _t71 - _t49;
                  							goto L17;
                  						}
                  						 *_t74 = 0;
                  						break;
                  					}
                  					L5:
                  					L5:
                  					if(_t71 == 0xffffffff || _t71 > GetTickCount() - _t74[4]) {
                  						goto L8;
                  					} else {
                  						 *_t74 = 0;
                  					}
                  					break;
                  					L8:
                  					_t57 =  *_t72;
                  					if(_t57 > 1) {
                  						goto L13;
                  					}
                  					if(_t57 != 0) {
                  						L12:
                  						E00409158( &(_t74[0xc]));
                  						_t73 = _t73 - 1;
                  						if(_t73 > 0) {
                  							goto L5;
                  						}
                  						goto L13;
                  					}
                  					asm("lock cmpxchg [esi], edx");
                  					if(0 != 0) {
                  						goto L12;
                  					}
                  					_t72[8] = GetCurrentThreadId();
                  					_t72[4] = 1;
                  					 *_t74 = 1;
                  					break;
                  				}
                  				L32:
                  				return  *_t74 & 0x000000ff;
                  			}
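                  The function E00409478 above is a timed, recursive lock acquire: re-entry by the owning thread succeeds at once (via E0040985C), a spin phase retries a lock cmpxchg on the lock word while the timeout has not expired, and a wait phase blocks on the object's event for whatever time remains, recomputing that remainder from GetTickCount after every phase. The field offsets it touches (+0 lock word, +4 recursion count, +8 owning thread id, +0x10 spin count) are consistent with the layout of Delphi's System.TMonitor. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox: it mirrors that control flow with a compare-and-swap emulated under a threading.Lock and a condition variable standing in for the event, and it isolates the detail that is easy to get wrong when re-implementing or emulating such code, the 32-bit wrap of the tick counter in the remaining-time calculation. Class and function names are the editor's own.

```python
import threading
import time

INFINITE = 0xFFFFFFFF          # the 0xffffffff timeout the decompiled code special-cases
MASK32 = 0xFFFFFFFF


def tick_count():
    """32-bit millisecond counter, the same width as GetTickCount."""
    return (time.monotonic_ns() // 1_000_000) & MASK32


def remaining_timeout(timeout_ms, start_tick, now_tick):
    """Time left after a spin or wait phase, recomputed the way E00409478 does it.
    GetTickCount wraps every ~49.7 days; the subtraction is done in 32-bit so the
    elapsed value stays correct across a wrap, hence the mask."""
    if timeout_ms == INFINITE:
        return INFINITE
    elapsed = (now_tick - start_tick) & MASK32
    return 0 if timeout_ms <= elapsed else timeout_ms - elapsed


class TimedRecursiveLock:
    """Editor's mirror of the object E00409478 operates on: lock word at +0 (CAS
    target), recursion count at +4, owning thread id at +8, spin count at +0x10."""

    def __init__(self, spin_count=50, tick=tick_count):
        self._guard = threading.Lock()                        # stands in for lock cmpxchg
        self._released = threading.Condition(self._guard)     # stands in for the event wait
        self.lock_count = 0
        self.recursion_count = 0
        self.owning_thread = 0
        self.spin_count = spin_count
        self._tick = tick

    def _try_acquire(self, me):
        # lock cmpxchg [esi], edx with expected value 0: succeed only if the lock is free
        with self._guard:
            if self.lock_count != 0:
                return False
            self.lock_count = 1
        self.owning_thread = me          # GetCurrentThreadId() stored at +8
        self.recursion_count = 1         # +4 set to 1 on first acquisition
        return True

    def enter(self, timeout_ms=INFINITE):
        me = threading.get_ident()
        if self.owning_thread == me:     # E0040985C: re-entry by the owner succeeds at once
            self.recursion_count += 1
            return True
        start = self._tick()
        for _ in range(self.spin_count):             # spin phase (labels L5..L12)
            if self._try_acquire(me):
                return True
            if remaining_timeout(timeout_ms, start, self._tick()) == 0:
                return False
            time.sleep(0)                            # E00409158 yields between spins
        while True:                                  # wait phase (labels L17..L29)
            if self._try_acquire(me):
                return True
            left = remaining_timeout(timeout_ms, start, self._tick())
            if left == 0:
                return False
            with self._released:
                if self.lock_count != 0:
                    self._released.wait(None if left == INFINITE else left / 1000.0)

    def leave(self):
        if self.owning_thread != threading.get_ident():
            raise RuntimeError("leave() by a thread that does not own the lock")
        if self.recursion_count > 1:
            self.recursion_count -= 1
            return
        self.recursion_count = 0
        self.owning_thread = 0
        with self._released:
            self.lock_count = 0
            self._released.notify_all()


def contended_enter(timeout_ms, hold_ms=200):
    """Demonstration helper: a second thread holds the lock for hold_ms while the
    caller tries to enter with the given timeout; returns the caller's result."""
    lock = TimedRecursiveLock()
    held = threading.Event()

    def holder():
        lock.enter()
        held.set()
        time.sleep(hold_ms / 1000.0)
        lock.leave()

    t = threading.Thread(target=holder)
    t.start()
    held.wait()
    result = lock.enter(timeout_ms)
    if result:
        lock.leave()
    t.join()
    return result
```

The wrap case matters for anyone emulating or hooking this routine: a start tick near 0xFFFFFFFF and a current tick just past zero must yield a small elapsed value, not a huge negative one, and the masked subtraction is what the 32-bit sub instruction in the sample gives for free.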












                  Instruction address range: 0x0040947f - 0x0040960d

                  APIs
                    • Part of subcall function 0040985C: GetCurrentThreadId.KERNEL32 ref: 0040985F
                  • GetTickCount.KERNEL32 ref: 004094AF
                  • GetTickCount.KERNEL32 ref: 004094C7
                  • GetCurrentThreadId.KERNEL32 ref: 004094F7
                  • GetTickCount.KERNEL32 ref: 00409522
                  • GetTickCount.KERNEL32 ref: 00409559
                  • GetTickCount.KERNEL32 ref: 00409583
                  • GetCurrentThreadId.KERNEL32 ref: 004095F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountTick$CurrentThread
                  • String ID:
                  • API String ID: 3968769311-0
                  • Opcode ID: 99802f8878a0f0d2bc4d4b0196ef149232ca652a91fbff4f99c394dc7510404b
                  • Instruction ID: 5330d71ab69a5ceb943253b29d3ebc0cd6b6735c4198953654d0b3c8b02a31e0
                  • Opcode Fuzzy Hash: 99802f8878a0f0d2bc4d4b0196ef149232ca652a91fbff4f99c394dc7510404b
                  • Instruction Fuzzy Hash: 144180712093416ED722AE39C88531FBAD1AFC0354F15893EE4E8A73C2E679DC81875A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E0042AD6C(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				char _v534;
                  				short _v1056;
                  				short _v1568;
                  				struct _MEMORY_BASIC_INFORMATION _v1596;
                  				char _v1600;
                  				intOrPtr _v1604;
                  				char _v1608;
                  				intOrPtr _v1612;
                  				char _v1616;
                  				intOrPtr _v1620;
                  				char _v1624;
                  				char* _v1628;
                  				char _v1632;
                  				char _v1636;
                  				char _v1640;
                  				struct HINSTANCE__* _t44;
                  				intOrPtr _t55;
                  				struct HINSTANCE__* _t57;
                  				signed int _t76;
                  				void* _t82;
                  				intOrPtr _t83;
                  				intOrPtr _t95;
                  				intOrPtr _t98;
                  				intOrPtr _t100;
                  				intOrPtr* _t102;
                  				void* _t105;
                  
                  				_v1640 = 0;
                  				_v8 = __ecx;
                  				_t82 = __edx;
                  				_t102 = __eax;
                  				_push(_t105);
                  				_push(0x42af18);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t105 + 0xfffff99c;
                  				VirtualQuery(__edx,  &_v1596, 0x1c);
                  				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
                  					_t44 =  *0x689c54; // 0x400000
                  					GetModuleFileNameW(_t44,  &_v1056, 0x105);
                  					_v12 = E0042AD60(_t82);
                  				} else {
                  					_v12 = _t82 - _v1596.AllocationBase;
                  				}
                  				E0042617C( &_v534, 0x104, E0042C98C() + 2);
                  				_t83 = 0x42af2c;
                  				_t100 = 0x42af2c;
                  				_t95 =  *0x41c9ac; // 0x41ca04
                  				if(E00408D6C(_t102, _t95) != 0) {
                  					_t83 = E0040B380( *((intOrPtr*)(_t102 + 4)));
                  					_t76 = E0040AC34(_t83);
                  					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
                  						_t100 = 0x42af30;
                  					}
                  				}
                  				_t55 =  *0x6868ac; // 0x41456c
                  				_t18 = _t55 + 4; // 0xffef
                  				_t57 =  *0x689c54; // 0x400000
                  				LoadStringW(E0040CA28(_t57),  *_t18,  &_v1568, 0x100);
                  				E00408844( *_t102,  &_v1640);
                  				_v1636 = _v1640;
                  				_v1632 = 0x11;
                  				_v1628 =  &_v534;
                  				_v1624 = 0xa;
                  				_v1620 = _v12;
                  				_v1616 = 5;
                  				_v1612 = _t83;
                  				_v1608 = 0xa;
                  				_v1604 = _t100;
                  				_v1600 = 0xa;
                  				E00426570(4,  &_v1636);
                  				E0040AC34(_v8);
                  				_pop(_t98);
                  				 *[fs:eax] = _t98;
                  				_push(0x42af1f);
                  				return E0040A718( &_v1640);
                  			}































                  Instruction address range: 0x0042ad7a - 0x0042af17

                  APIs
                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0042AF18), ref: 0042AD9F
                  • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0042ADC3
                  • GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 0042ADDE
                  • LoadStringW.USER32(00000000,0000FFEF,?,00000100), ref: 0042AE79
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileModuleName$LoadQueryStringVirtual
                  • String ID: MZP$lEA
                  • API String ID: 3990497365-3489591286
                  • Opcode ID: acae4d6559d74eb1e2ee29e96ce321a90d4934d5555002532c56fa15832a1852
                  • Instruction ID: 5e83be3225e9c0d48a110f32f894241814060cbad7f833f9a5e7318a386d2059
                  • Opcode Fuzzy Hash: acae4d6559d74eb1e2ee29e96ce321a90d4934d5555002532c56fa15832a1852
                  • Instruction Fuzzy Hash: 61416570A002689FDB20DF65DD81BC9B7F5AB58304F4140EAE908E7241D7799EA4CF59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 36%
                  			E00409214(void* __edx) {
                  				intOrPtr _v8;
                  				char _v12;
                  				char* _t20;
                  				intOrPtr _t26;
                  				signed int _t32;
                  				intOrPtr _t40;
                  				void* _t42;
                  				void* _t44;
                  				intOrPtr _t45;
                  
                  				_t42 = _t44;
                  				_t45 = _t44 + 0xfffffff8;
                  				_v12 = 0;
                  				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
                  					L9:
                  					_t32 = 0x40;
                  					goto L10;
                  				} else {
                  					_t20 =  &_v12;
                  					_push(_t20);
                  					_push(0);
                  					L00404CE0();
                  					if(_t20 != 0 || GetLastError() != 0x7a) {
                  						goto L9;
                  					} else {
                  						_v8 = E00406834(_v12);
                  						_push(_t42);
						_push("\xef\xbf");
						_push( *[fs:edx]);
                  						 *[fs:edx] = _t45;
                  						_push( &_v12);
                  						_push(_v8);
                  						L00404CE0();
                  						_t26 = _v8;
                  						if(_v12 <= 0) {
                  							L8:
                  							_pop(_t40);
                  							 *[fs:eax] = _t40;
                  							_push(0x4092c7);
                  							return E00406850(_v8);
                  						} else {
                  							while( *((short*)(_t26 + 4)) != 2 ||  *((char*)(_t26 + 8)) != 1) {
                  								_t26 = _t26 + 0x18;
                  								_v12 = _v12 - 0x18;
                  								if(_v12 > 0) {
                  									continue;
                  								} else {
                  									goto L8;
                  								}
                  								goto L11;
                  							}
                  							_t32 =  *(_t26 + 0xa) & 0x0000ffff;
                  							E00409F08();
                  							L10:
                  							return _t32;
                  						}
                  					}
                  				}
                  				L11:
                  			}
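                  E00409214 above resolves GetLogicalProcessorInformation at run time, calls it once with a NULL buffer and expects ERROR_INSUFFICIENT_BUFFER (0x7a) to learn the required size, allocates, calls again, and walks the returned array in 0x18-byte steps looking for a RelationCache (2) entry with Level 1, returning its LineSize; if the export is missing, the first call fails with any other error, or no such entry exists, it returns 0x40. The Python below is an added example, not code from the sample or from the report: it parses a constructed buffer in that 32-bit record layout with the same field reads the decompiled loop performs (16-bit Relationship at +4, Level byte at +8, LineSize word at +0xA) and reproduces the two-call protocol against a stand-in for the API so every fallback path can be exercised offline. FakeKernel32 and the record helpers are the editor's constructs; the sample records are constructed, not captured from a machine.

```python
import struct

# SYSTEM_LOGICAL_PROCESSOR_INFORMATION, 32-bit layout (24 bytes, the 0x18 stride the
# decompiled loop uses): ProcessorMask (4), Relationship (4), then a 16-byte union.
# For RelationCache the union is CACHE_DESCRIPTOR: Level (1), Associativity (1),
# LineSize (2), Size (4), Type (4), followed by 4 bytes of padding.
RECORD = struct.Struct("<IIBBHII4x")

RELATION_PROCESSOR_CORE = 0
RELATION_CACHE = 2
ERROR_INSUFFICIENT_BUFFER = 0x7A
DEFAULT_LINE_SIZE = 0x40          # what E00409214 returns when the query is unavailable


def cache_record(mask, level, line_size, size):
    """Constructed RelationCache record (associativity and type are filler)."""
    return RECORD.pack(mask, RELATION_CACHE, level, 8, line_size, size, 1)


def core_record(mask):
    """Constructed RelationProcessorCore record; its union byte at +8 is Flags, not Level."""
    return RECORD.pack(mask, RELATION_PROCESSOR_CORE, 0, 0, 0, 0, 0)


def scan_l1_line_size(buf, length):
    """The walk at 0x00409285..0x004092a8: first RelationCache entry with Level == 1 wins;
    the byte count is decremented by 0x18 per record until it is used up."""
    off = 0
    while length > 0:
        relationship = struct.unpack_from("<H", buf, off + 4)[0]
        level = buf[off + 8]
        if relationship == RELATION_CACHE and level == 1:
            return struct.unpack_from("<H", buf, off + 0xA)[0]
        off += 0x18
        length -= 0x18
    return None


class FakeKernel32:
    """Editor's stand-in for GetLogicalProcessorInformation and GetLastError with the
    real two-call protocol: a too-small buffer fails with ERROR_INSUFFICIENT_BUFFER and
    reports the size needed; 'available' models whether GetProcAddress found the export."""

    def __init__(self, table, available=True):
        self.table = bytes(table)
        self.available = available
        self.last_error = 0

    def get_logical_processor_information(self, buf, length):
        if length < len(self.table):
            self.last_error = ERROR_INSUFFICIENT_BUFFER
            return False, len(self.table)
        buf[:len(self.table)] = self.table
        return True, len(self.table)


def cache_line_size(k32):
    """Mirror of E00409214's control flow against the stand-in API."""
    if not k32.available:                          # GetProcAddress returned NULL -> L9
        return DEFAULT_LINE_SIZE
    ok, needed = k32.get_logical_processor_information(bytearray(), 0)
    if ok or k32.last_error != ERROR_INSUFFICIENT_BUFFER:
        return DEFAULT_LINE_SIZE                   # anything but "buffer too small" -> L9
    buf = bytearray(needed)                        # E00406834: GetMem(needed)
    ok, needed = k32.get_logical_processor_information(buf, needed)
    found = scan_l1_line_size(buf, needed)         # buffer freed via E00406850 either way
    return DEFAULT_LINE_SIZE if found is None else found
```

The unusual L1 line size of 128 in the test table is deliberate so a correct parse is distinguishable from the 0x40 fallback; on most x86 hardware both values would be 64 and a bug in the scan would go unnoticed.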












                  Instruction address range: 0x00409215 - 0x004092d2

                  APIs
                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 0040922A
                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409230
                  • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040924C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressErrorHandleLastModuleProc
                  • String ID: GetLogicalProcessorInformation$kernel32.dll$o
                  • API String ID: 4275029093-2275120514
                  • Opcode ID: 49b5822234383da799d00ad77111bfcd2b1a717ed5bb6c6b8c4d06f2cab87897
                  • Instruction ID: 34c6b9817baaa69968c7a49bef22af535324d10ac15cb768e9125be8a50ada47
                  • Opcode Fuzzy Hash: 49b5822234383da799d00ad77111bfcd2b1a717ed5bb6c6b8c4d06f2cab87897
                  • Instruction Fuzzy Hash: 121163B5904204BEEB10FBA5D846B5EB7A8EB40318F2148FFF504B25C2D67D9E80D61D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E00423388(void* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                  				void* _v8;
                  				intOrPtr* _v12;
                  				char _v13;
                  				void* _v20;
                  				long _v24;
                  				void* _v28;
                  				char _v552;
                  				char _v556;
                  				char _v560;
                  				char _v564;
                  				char _v568;
                  				char _v572;
                  				char _v576;
                  				void* _t98;
                  				long _t107;
                  				intOrPtr _t118;
                  				intOrPtr _t124;
                  				intOrPtr _t126;
                  				void* _t137;
                  				void* _t138;
                  				intOrPtr _t139;
                  
                  				_t135 = __esi;
                  				_t134 = __edi;
                  				_t137 = _t138;
                  				_t139 = _t138 + 0xfffffdc4;
                  				_v576 = 0;
                  				_v572 = 0;
                  				_v564 = 0;
                  				_v568 = 0;
                  				_v556 = 0;
                  				_v560 = 0;
                  				_v12 = __edx;
                  				_v8 = __eax;
                  				_push(_t137);
                  				_push(0x4235c5);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t139;
                  				_v13 = 0;
                  				E0040A718(_v12);
                  				_v24 = 0;
                  				_t107 = GetFileSize(_v8,  &_v24);
                  				if(_t107 != 0 || _v24 != 0 || E0042C32C(6, 0) == 0) {
                  					L5:
                  					if(_t107 != 0 || _v24 != 0) {
                  						_v20 = CreateFileMappingW(_v8, 0, 2, 0, 1, 0);
                  						if(_v20 == 0x3ee) {
                  							goto L13;
                  						} else {
                  							_push(_t137);
                  							_push(0x423554);
                  							_push( *[fs:eax]);
                  							 *[fs:eax] = _t139;
                  							_v28 = MapViewOfFile(_v20, 4, 0, 0, 1);
                  							if(_v28 == 0) {
                  								_pop(_t124);
                  								 *[fs:eax] = _t124;
                  								_push(0x42355b);
                  								return CloseHandle(_v20);
                  							} else {
                  								_push(_t137);
                  								_push(0x423536);
                  								_push( *[fs:eax]);
                  								 *[fs:eax] = _t139;
                  								if(E00414D0C(GetCurrentProcess(),  &_v552, _v28, 0x104) > 0) {
                  									E0040B424( &_v568, 0x106,  &_v552);
                  									E00423160(_v568, _t107,  &_v564, _t134, _t135);
                  									E0040AAF8(_v12, _v564);
                  									_v13 = 1;
                  								}
                  								_pop(_t126);
                  								 *[fs:eax] = _t126;
                  								_push(0x42353d);
                  								return UnmapViewOfFile(_v28);
                  							}
                  						}
                  					} else {
                  						L13:
                  						if(_v13 == 0) {
                  							E0042329C(_v8,  &_v572);
                  							E0040AAF8(_v12, _v572);
                  							if( *_v12 != 0) {
                  								E00423160( *_v12, _t107,  &_v576, _t134, _t135);
                  								E0040AAF8(_v12, _v576);
                  								_v13 = 1;
                  							}
                  						}
                  						goto L16;
                  					}
                  				} else {
                  					_push(2);
                  					_push(0x104);
                  					_push( &_v552);
                  					_t98 = _v8;
                  					_push(_t98);
                  					L00413298();
                  					if(_t98 <= 0) {
                  						goto L5;
                  					} else {
                  						E0040B424( &_v560, 0x106,  &_v552);
                  						E00423160(_v560, _t107,  &_v556, __edi, __esi);
                  						E0040AAF8(_v12, _v556);
                  						_v13 = 1;
                  						L16:
                  						_pop(_t118);
                  						 *[fs:eax] = _t118;
                  						_push(0x4235cc);
                  						return E0040A778( &_v576, 6);
                  					}
                  				}
                  			}

                  APIs
                  • GetFileSize.KERNEL32(?,?,00000000,004235C5), ref: 004233E5
                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000001,00000000,?,?,00000000,004235C5), ref: 0042347B
                  • MapViewOfFile.KERNEL32(000003EE,00000004,00000000,00000000,00000001,00000000,00423554,?,?,00000000,00000002,00000000,00000001,00000000,?,?), ref: 004234AA
                  • GetCurrentProcess.KERNEL32(00000104,00000000,00423536,?,000003EE,00000004,00000000,00000000,00000001,00000000,00423554,?,?,00000000,00000002,00000000), ref: 004234CF
                  • UnmapViewOfFile.KERNEL32(00000000,0042353D,000003EE,00000004,00000000,00000000,00000001,00000000,00423554,?,?,00000000,00000002,00000000,00000001,00000000), ref: 00423530
                    • Part of subcall function 00423160: GetLogicalDriveStringsW.KERNEL32(00000104,?,00000000,0042328E), ref: 0042319D
                    • Part of subcall function 00423160: QueryDosDeviceW.KERNEL32(?,?,00000104,00000104,?,00000000,0042328E), ref: 004231C7
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$View$CreateCurrentDeviceDriveLogicalMappingProcessQuerySizeStringsUnmap
                  • String ID:
                  • API String ID: 435433801-0
                  • Opcode ID: c5dc783650b3f27074662c9d7dda89aa57cb150ab9a02cafdc5f11f94aaa8c0c
                  • Instruction ID: f6acb9ef060d00638e518fa010a02b70239edb76c6d779adf0e3340dc536acc1
                  • Opcode Fuzzy Hash: c5dc783650b3f27074662c9d7dda89aa57cb150ab9a02cafdc5f11f94aaa8c0c
                  • Instruction Fuzzy Hash: 5F514170B00359ABDB11EFA5D885B9EB7B5EB08704F9044EAE504A7281D77C9F80CF59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E00435678(short* __eax, intOrPtr __ecx, signed short* __edx) {
                  				char _v260;
                  				char _v768;
                  				char _v772;
                  				short* _v776;
                  				intOrPtr _v780;
                  				char _v784;
                  				signed int _v788;
                  				signed short* _v792;
                  				char _v796;
                  				char _v800;
                  				intOrPtr* _v804;
                  				void* __ebp;
                  				signed char _t47;
                  				signed int _t54;
                  				void* _t62;
                  				intOrPtr* _t73;
                  				signed short* _t91;
                  				void* _t93;
                  				void* _t95;
                  				void* _t98;
                  				void* _t99;
                  				intOrPtr* _t108;
                  				void* _t112;
                  				intOrPtr _t113;
                  				char* _t114;
                  				void* _t115;
                  
                  				_t100 = __ecx;
                  				_v780 = __ecx;
                  				_t91 = __edx;
                  				_v776 = __eax;
                  				if(( *(__edx + 1) & 0x00000020) == 0) {
                  					E00434E7C(0x80070057);
                  				}
                  				_t47 =  *_t91 & 0x0000ffff;
                  				if((_t47 & 0x00000fff) != 0xc) {
                  					_push(_t91);
                  					_push(_v776);
                  					L00433158();
                  					return E00434E7C(_v776);
                  				} else {
                  					if((_t47 & 0x00000040) == 0) {
                  						_v792 = _t91[4];
                  					} else {
                  						_v792 =  *(_t91[4]);
                  					}
                  					_v788 =  *_v792 & 0x0000ffff;
                  					_t93 = _v788 - 1;
                  					if(_t93 < 0) {
                  						L9:
                  						_push( &_v772);
                  						_t54 = _v788;
                  						_push(_t54);
                  						_push(0xc);
                  						L004335DC();
                  						_t113 = _t54;
                  						if(_t113 == 0) {
                  							E00434BD4(_t100);
                  						}
                  						E00435118(_v776);
                  						 *_v776 = 0x200c;
                  						 *((intOrPtr*)(_v776 + 8)) = _t113;
                  						_t95 = _v788 - 1;
                  						if(_t95 < 0) {
                  							L14:
                  							_t97 = _v788 - 1;
                  							if(E004355F0(_v788 - 1, _t115) != 0) {
                  								L004335F4();
                  								E00434E7C(_v792);
                  								L004335F4();
                  								E00434E7C( &_v260);
                  								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                  							}
                  							_t62 = E00435620(_t97, _t115);
                  						} else {
                  							_t98 = _t95 + 1;
                  							_t73 =  &_v768;
                  							_t108 =  &_v260;
                  							do {
                  								 *_t108 =  *_t73;
                  								_t108 = _t108 + 4;
                  								_t73 = _t73 + 8;
                  								_t98 = _t98 - 1;
                  							} while (_t98 != 0);
                  							do {
                  								goto L14;
                  							} while (_t62 != 0);
                  							return _t62;
                  						}
                  					} else {
                  						_t99 = _t93 + 1;
                  						_t112 = 0;
                  						_t114 =  &_v772;
                  						do {
                  							_v804 = _t114;
                  							_push(_v804 + 4);
                  							_t18 = _t112 + 1; // 0x1
                  							_push(_v792);
                  							L004335E4();
                  							E00434E7C(_v792);
                  							_push( &_v784);
                  							_t21 = _t112 + 1; // 0x1
                  							_push(_v792);
                  							L004335EC();
                  							E00434E7C(_v792);
                  							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                  							_t112 = _t112 + 1;
                  							_t114 = _t114 + 8;
                  							_t99 = _t99 - 1;
                  						} while (_t99 != 0);
                  						goto L9;
                  					}
                  				}
                  			}

                  APIs
                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00435711
                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0043572D
                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00435766
                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004357E3
                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004357FC
                  • VariantCopy.OLEAUT32(?,00000004), ref: 00435831
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                  • String ID:
                  • API String ID: 351091851-0
                  • Opcode ID: 05920f751598db783a0d0844655f8861431e191fe6507e199aca5bc516904558
                  • Instruction ID: f71056d2eba0592e51a3d041e9c442803ac954098c12d3b0b0ab57dd1bfe700c
                  • Opcode Fuzzy Hash: 05920f751598db783a0d0844655f8861431e191fe6507e199aca5bc516904558
                  • Instruction Fuzzy Hash: 26511DB590062D9BCB22DF59C881BD9B3BCAF4C314F0051DAF508E7212D678AF818F68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E0043B0CC(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
                  				signed short* _v8;
                  				signed int _v12;
                  				signed char _v13;
                  				signed int _v16;
                  				signed int _v18;
                  				void* _v24;
                  				void* _v28;
                  				signed int _v44;
                  				void* __ebp;
                  				signed int _t134;
                  				signed short* _t253;
                  				intOrPtr _t303;
                  				intOrPtr _t306;
                  				intOrPtr _t314;
                  				intOrPtr _t321;
                  				intOrPtr _t329;
                  				signed int _t334;
                  				void* _t342;
                  				void* _t344;
                  				intOrPtr _t345;
                  
                  				_t349 = __fp0;
                  				_t342 = _t344;
                  				_t345 = _t344 + 0xffffffd8;
                  				_v12 = __ecx;
                  				_v8 = __edx;
                  				_t253 = __eax;
                  				_v13 = 1;
                  				_t334 =  *__eax & 0x0000ffff;
                  				if((_t334 & 0x00000fff) >= 0x10f) {
                  					_t134 =  *_v8 & 0x0000ffff;
                  					if(_t134 != 0) {
                  						if(_t134 != 1) {
                  							if(E0043C1B8(_t334,  &_v24) != 0) {
                  								_push( &_v18);
                  								if( *((intOrPtr*)( *_v24 + 8))() == 0) {
                  									_t337 =  *_v8 & 0x0000ffff;
                  									if(( *_v8 & 0xfff) >= 0x10f) {
                  										if(E0043C1B8(_t337,  &_v28) != 0) {
                  											_push( &_v16);
                  											if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                  												E00434A90(0xb);
                  												goto L41;
                  											} else {
                  												if(( *_t253 & 0x0000ffff) == _v16) {
                  													_v13 =  *(0x67f84e + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
                  													goto L41;
                  												} else {
                  													_push( &_v44);
                  													L00433148();
                  													_push(_t342);
                  													_push(0x43b4ac);
                  													_push( *[fs:eax]);
                  													 *[fs:eax] = _t345;
                  													_t265 = _v16 & 0x0000ffff;
                  													E00435C4C( &_v44, _v16 & 0x0000ffff, _t253, __edi, __fp0);
                  													if((_v44 & 0x0000ffff) != _v16) {
                  														E00434998(_t265);
                  													}
                  													_v13 =  *(0x67f84e + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
                  													_pop(_t303);
                  													 *[fs:eax] = _t303;
                  													_push(0x43b4e0);
                  													return E00435118( &_v44);
                  												}
                  											}
                  										} else {
                  											E00434A90(0xb);
                  											goto L41;
                  										}
                  									} else {
                  										_push( &_v44);
                  										L00433148();
                  										_push(_t342);
                  										_push(0x43b3f8);
                  										_push( *[fs:eax]);
                  										 *[fs:eax] = _t345;
                  										_t270 =  *_v8 & 0x0000ffff;
                  										E00435C4C( &_v44,  *_v8 & 0x0000ffff, _t253, __edi, __fp0);
                  										if(( *_v8 & 0x0000ffff) != _v44) {
                  											E00434998(_t270);
                  										}
                  										_v13 = E0043AF14( &_v44, _v12, _v8, _t349);
                  										_pop(_t306);
                  										 *[fs:eax] = _t306;
                  										_push(0x43b4e0);
                  										return E00435118( &_v44);
                  									}
                  								} else {
                  									if(( *_v8 & 0x0000ffff) == _v18) {
                  										_v13 =  *(0x67f84e + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
                  										goto L41;
                  									} else {
                  										_push( &_v44);
                  										L00433148();
                  										_push(_t342);
                  										_push(0x43b355);
                  										_push( *[fs:eax]);
                  										 *[fs:eax] = _t345;
                  										_t275 = _v18 & 0x0000ffff;
                  										E00435C4C( &_v44, _v18 & 0x0000ffff, _v8, __edi, __fp0);
                  										if((_v44 & 0x0000ffff) != _v18) {
                  											E00434998(_t275);
                  										}
                  										_v13 =  *(0x67f84e + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
                  										_pop(_t314);
                  										 *[fs:eax] = _t314;
                  										_push(0x43b4e0);
                  										return E00435118( &_v44);
                  									}
                  								}
                  							} else {
                  								E00434A90(__ecx);
                  								goto L41;
                  							}
                  						} else {
                  							_v13 = E0043ACA8(_v12, 2);
                  							goto L41;
                  						}
                  					} else {
                  						_v13 = E0043AC94(0, 1);
                  						goto L41;
                  					}
                  				} else {
                  					if(_t334 != 0) {
                  						if(_t334 != 1) {
                  							if(E0043C1B8( *_v8 & 0x0000ffff,  &_v28) != 0) {
                  								_push( &_v16);
                  								if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                  									_push( &_v44);
                  									L00433148();
                  									_push(_t342);
                  									_push(0x43b267);
                  									_push( *[fs:eax]);
                  									 *[fs:eax] = _t345;
                  									_t281 =  *_t253 & 0x0000ffff;
                  									E00435C4C( &_v44,  *_t253 & 0x0000ffff, _v8, __edi, __fp0);
                  									if((_v44 & 0xfff) !=  *_t253) {
                  										E00434998(_t281);
                  									}
                  									_v13 = E0043AF14(_t253, _v12,  &_v44, _t349);
                  									_pop(_t321);
                  									 *[fs:eax] = _t321;
                  									_push(0x43b4e0);
                  									return E00435118( &_v44);
                  								} else {
                  									if(( *_t253 & 0x0000ffff) == _v16) {
                  										_v13 =  *(0x67f84e + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
                  										goto L41;
                  									} else {
                  										_push( &_v44);
                  										L00433148();
                  										_push(_t342);
                  										_push(0x43b1d8);
                  										_push( *[fs:eax]);
                  										 *[fs:eax] = _t345;
                  										_t286 = _v16 & 0x0000ffff;
                  										E00435C4C( &_v44, _v16 & 0x0000ffff, _t253, __edi, __fp0);
                  										if((_v44 & 0xfff) != _v16) {
                  											E00434998(_t286);
                  										}
                  										_v13 =  *(0x67f84e + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
                  										_pop(_t329);
                  										 *[fs:eax] = _t329;
                  										_push(0x43b4e0);
                  										return E00435118( &_v44);
                  									}
                  								}
                  							} else {
                  								E00434A90(__ecx);
                  								goto L41;
                  							}
                  						} else {
                  							_v13 = E0043ACA8(_v12, 0);
                  							goto L41;
                  						}
                  					} else {
                  						_v13 = E0043AC94(1, 0);
                  						L41:
                  						return _v13 & 0x000000ff;
                  					}
                  				}
                  			}
                  Instruction addresses for the C-code body above (one per line, in order; 0x00000000 where the line carries no instruction):
                  0x0043b0cc 0x0043b0cd 0x0043b0cf 0x0043b0d4 0x0043b0d7 0x0043b0da 0x0043b0dc 0x0043b0e0 0x0043b0ed 0x0043b271
                  0x0043b277 0x0043b28e 0x0043b2b0 0x0043b2bf 0x0043b2d2 0x0043b38a 0x0043b397 0x0043b40b 0x0043b41a 0x0043b42c
                  0x0043b4db 0x00000000 0x0043b432 0x0043b439 0x0043b4d6 0x00000000 0x0043b43b 0x0043b43e 0x0043b43f 0x0043b446
                  0x0043b447 0x0043b44c 0x0043b44f 0x0043b452 0x0043b45b 0x0043b468 0x0043b46a 0x0043b46a 0x0043b493 0x0043b498
                  0x0043b49b 0x0043b49e 0x0043b4ab 0x0043b4ab 0x0043b439 0x0043b40d 0x0043b40d 0x00000000 0x0043b40d 0x0043b399
                  0x0043b39c 0x0043b39d 0x0043b3a4 0x0043b3a5 0x0043b3aa 0x0043b3ad 0x0043b3b3 0x0043b3bb 0x0043b3ca 0x0043b3cc
                  0x0043b3cc 0x0043b3df 0x0043b3e4 0x0043b3e7 0x0043b3ea 0x0043b3f7 0x0043b3f7 0x0043b2d8 0x0043b2e2 0x0043b37f
                  0x00000000 0x0043b2e4 0x0043b2e7 0x0043b2e8 0x0043b2ef 0x0043b2f0 0x0043b2f5 0x0043b2f8 0x0043b2fb 0x0043b305
                  0x0043b312 0x0043b314 0x0043b314 0x0043b33c 0x0043b341 0x0043b344 0x0043b347 0x0043b354 0x0043b354 0x0043b2e2
                  0x0043b2b2 0x0043b2b2 0x00000000 0x0043b2b2 0x0043b290 0x0043b29c 0x00000000 0x0043b29c 0x0043b279 0x0043b282
                  0x00000000 0x0043b282 0x0043b0f3 0x0043b0f6 0x0043b10d 0x0043b133 0x0043b142 0x0043b154 0x0043b20d 0x0043b20e
                  0x0043b215 0x0043b216 0x0043b21b 0x0043b21e 0x0043b221 0x0043b22a 0x0043b23a 0x0043b23c 0x0043b23c 0x0043b24e
                  0x0043b253 0x0043b256 0x0043b259 0x0043b266 0x0043b15a 0x0043b161 0x0043b202 0x00000000 0x0043b163 0x0043b166
                  0x0043b167 0x0043b16e 0x0043b16f 0x0043b174 0x0043b177 0x0043b17a 0x0043b183 0x0043b194 0x0043b196 0x0043b196
                  0x0043b1bf 0x0043b1c4 0x0043b1c7 0x0043b1ca 0x0043b1d7 0x0043b1d7 0x0043b161 0x0043b135 0x0043b135 0x00000000
                  0x0043b135 0x0043b10f 0x0043b11b 0x00000000 0x0043b11b 0x0043b0f8 0x0043b101 0x0043b4e0 0x0043b4e9 0x0043b4e9
                  0x0043b0f6

                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7e1398894eb2cf18c8b54bcb52d1ad2bb9a28a47b31d4ad617bd3bc6147c500e
                  • Instruction ID: 2bc3ca9f1904b179b0e72651b1a1a63a3c3294406a01d58e74ed57cea8d69c68
                  • Opcode Fuzzy Hash: 7e1398894eb2cf18c8b54bcb52d1ad2bb9a28a47b31d4ad617bd3bc6147c500e
                  • Instruction Fuzzy Hash: D1D1A435A00108ABCF10EF95C481AFEB7B5EF4D314F5460ABE940A7351D738AE45DBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E00424F80(void* __eax, void* __ebx, void* __esi) {
                  				char _v8;
                  				WCHAR* _v12;
                  				WCHAR* _v16;
                  				long _v20;
                  				long _v24;
                  				long _v28;
                  				char _v32;
                  				char _v36;
                  				intOrPtr _t48;
                  				void* _t62;
                  				void* _t63;
                  				void* _t64;
                  				void* _t67;
                  				signed char _t69;
                  				intOrPtr _t86;
                  				intOrPtr _t88;
                  				intOrPtr _t89;
                  				void* _t92;
                  				WCHAR* _t93;
                  				intOrPtr _t96;
                  
                  				_t95 = _t96;
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_t92 = __eax;
                  				_push(_t96);
                  				_push(0x4250e4);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t96;
                  				_push(0x104);
                  				E0040C7FC();
                  				_push(0x104);
                  				E0040C7FC();
                  				_t69 =  *0x4250f4 & 0x000000ff;
                  				if(E004254CC(_t92, 1, 1) != 0) {
                  					L2:
                  					E00425D64(_t92, 1,  &_v32, _t100);
                  					E0042C888(_v32,  &_v8);
                  					_t93 = E0040B380(_v8);
                  					if(GetVolumeInformationW(_t93, _v12, 0x104,  &_v20,  &_v28,  &_v24, _v16, 0x104) == 0) {
                  						E0042D0A4();
                  						goto L17;
                  					} else {
                  						if((_v24 & 0x00000001) != 0) {
                  							_t69 = _t69 | 0x00000001;
                  						}
                  						if((_v24 & 0x00000002) != 0) {
                  							_t69 = _t69 | 0x00000002;
                  						}
                  						if((_v24 & 0x00000080) != 0) {
                  							_t69 = _t69 | 0x00000020;
                  						}
                  						_t62 = GetDriveTypeW(_t93) - 2;
                  						if(_t62 == 0) {
                  							L13:
                  						} else {
                  							_t63 = _t62 - 1;
                  							if(_t63 == 0) {
                  							} else {
                  								_t64 = _t63 - 1;
                  								if(_t64 == 0) {
                  								} else {
                  									if(_t64 == 1) {
                  										goto L13;
                  									}
                  								}
                  							}
                  						}
                  					}
                  				} else {
                  					_t67 = E00425434(_t92, 1);
                  					_t100 = _t67;
                  					if(_t67 == 0) {
                  						L17:
                  						_t48 =  *0x6867e4; // 0x414edc
                  						E0040E3F4(_t48,  &_v36, _t95);
                  						E0042B0B4(_v36, 1);
                  						E00409E14();
                  					} else {
                  						goto L2;
                  					}
                  				}
                  				_pop(_t86);
                  				 *[fs:eax] = _t86;
                  				_push(0x4250eb);
                  				E0040A778( &_v36, 2);
                  				_t88 =  *0x424f50; // 0x424f54
                  				E0040C920( &_v16, _t88);
                  				_t89 =  *0x424f20; // 0x424f24
                  				E0040C920( &_v12, _t89);
                  				return E0040A718( &_v8);
                  			}
                  Instruction addresses for the C-code body above (one per line, in order; 0x00000000 where the line carries no instruction):
                  0x00424f81 0x00424f85 0x00424f86 0x00424f87 0x00424f88 0x00424f89 0x00424f8a 0x00424f8b 0x00424f8c 0x00424f8f
                  0x00424f93 0x00424f94 0x00424f99 0x00424f9c 0x00424f9f 0x00424fb2 0x00424fba 0x00424fcd 0x00424fd5 0x00424fe7
                  0x00424ffa 0x00424fff 0x0042500a 0x00425035 0x0042503f 0x0042507f 0x00000000 0x00425041 0x00425045 0x00425047
                  0x00425047 0x0042504e 0x00425050 0x00425050 0x00425057 0x00425059 0x00425059 0x00425062 0x00425065 0x00425070
                  0x00425067 0x00425067 0x00425068 0x0042506a 0x0042506a 0x0042506b 0x0042506d 0x0042506e 0x00000000 0x00000000
                  0x0042506e 0x0042506b 0x00425068 0x00425065 0x00424fe9 0x00424fed 0x00424ff2 0x00424ff4 0x00425084 0x00425087
                  0x0042508c 0x0042509b 0x004250a0 0x00000000 0x00000000 0x00000000 0x00424ff4 0x004250a7 0x004250aa 0x004250ad
                  0x004250ba 0x004250c2 0x004250c8 0x004250d0 0x004250d6 0x004250e3

                  APIs
                    • Part of subcall function 004254CC: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,00424FE5), ref: 004254E2
                  • GetVolumeInformationW.KERNEL32(00000000,?,00000104,00000104,?,?,00000104,00000104), ref: 00425038
                  • GetDriveTypeW.KERNEL32(00000000,00000000,?,00000104,00000104,?), ref: 0042505D
                    • Part of subcall function 00425434: GetFileAttributesW.KERNEL32(00000000,?,?,?,00423606), ref: 00425445
                  Strings
                  Yara matches
                  Similarity
                  • API ID: AttributesFile$DriveInformationTypeVolume
                  • String ID: $OB$TOB
                  • API String ID: 2660071179-3514154002
                  • Opcode ID: 39450c79792d628ce2d6ebef8bbdcb8414de733abfba974aa29a0e187ef6057b
                  • Instruction ID: d64ccc6654c3a87626c6c558d132b7bd9796fbc1de0b1a23f974f1d53c71feda
                  • Opcode Fuzzy Hash: 39450c79792d628ce2d6ebef8bbdcb8414de733abfba974aa29a0e187ef6057b
                  • Instruction Fuzzy Hash: 8731F9707005295BDB11EB51ED82BEE77A8EB44308F944177E900A33D2D77CAE05DAD9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00428568(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                  				char _v8;
                  				short _v18;
                  				short _v22;
                  				struct _SYSTEMTIME _v24;
                  				short _v536;
                  				short* _t32;
                  				intOrPtr* _t47;
                  				intOrPtr _t56;
                  				void* _t61;
                  				intOrPtr _t63;
                  				void* _t67;
                  
                  				_v8 = 0;
                  				_t47 = __edx;
                  				_t61 = __eax;
                  				_push(_t67);
                  				_push(0x42864b);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t67 + 0xfffffdec;
                  				E0040A718(__edx);
                  				_v24 =  *(_a4 - 2) & 0x0000ffff;
                  				_v22 =  *(_a4 - 4) & 0x0000ffff;
                  				_v18 =  *(_a4 - 6) & 0x0000ffff;
                  				if(_t61 > 2) {
                  					E0040AB40( &_v8, L"yyyy");
                  				} else {
                  					E0040AB40( &_v8, 0x428664);
                  				}
                  				_t32 = E0040B380(_v8);
                  				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
                  					E0040B424(_t47, 0x100,  &_v536);
                  					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
                  						_t63 =  *_t47;
                  						if(_t63 != 0) {
                  							_t63 =  *((intOrPtr*)(_t63 - 4));
                  						}
                  						E0040B744( *_t47, _t63 - 1, 2, _t47);
                  					}
                  				}
                  				_pop(_t56);
                  				 *[fs:eax] = _t56;
                  				_push(0x428652);
                  				return E0040A718( &_v8);
                  			}
                  Instruction addresses for the C-code body above (one per line, in order):
                  0x00428575 0x00428578 0x0042857a 0x0042857e 0x0042857f 0x00428584 0x00428587 0x0042858c 0x00428598 0x004285a3
                  0x004285ae 0x004285b5 0x004285ce 0x004285b7 0x004285bf 0x004285bf 0x004285e2 0x004285fb 0x0042860a 0x00428610
                  0x0042861a 0x0042861e 0x00428623 0x00428623 0x00428630 0x00428630 0x00428610 0x00428637 0x0042863a 0x0042863d
                  0x0042864a

                  APIs
                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0042864B), ref: 004285EE
                  • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0042864B), ref: 004285F4
                  Strings
                  Yara matches
                  Similarity
                  • API ID: DateFormatLocaleThread
                  • String ID: $yyyy
                  • API String ID: 3303714858-404527807
                  • Opcode ID: bfdbe04198a6476007af78b2a933193c6539837d0bcb006aae21d5a6836bee4b
                  • Instruction ID: d12b4dc867d39e2fa7ec40af243541cc1ef504330cad59ca26e63d7beb275739
                  • Opcode Fuzzy Hash: bfdbe04198a6476007af78b2a933193c6539837d0bcb006aae21d5a6836bee4b
                  • Instruction Fuzzy Hash: BB2165356012289BDB10EF55D955AAEB7F8EF48700F9140BBF904E7381DB389E40C7AA
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E0042525C(void* __eax, void* __ebx, signed int __ecx, struct _FILETIME* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				struct _FILETIME* _v12;
                  				signed int _v13;
                  				FILETIME* _v20;
                  				char _v36;
                  				signed char _v55;
                  				void _v56;
                  				char _v60;
                  				char _v64;
                  				signed int _t40;
                  				void* _t63;
                  				void* _t76;
                  				intOrPtr _t83;
                  				void* _t90;
                  				long _t92;
                  				void* _t95;
                  
                  				_t78 = __ecx;
                  				_v60 = 0;
                  				_v64 = 0;
                  				_v8 = 0;
                  				_v13 = __ecx;
                  				_v12 = __edx;
                  				_t90 = __eax;
                  				_push(_t95);
                  				_push(0x42538e);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t95 + 0xffffffc4;
                  				_t92 = 0;
                  				_t40 = GetFileAttributesExW(E0040B380(__eax), 0,  &_v56);
                  				asm("sbb ebx, ebx");
                  				_t76 = 1;
                  				if(((_t40 & 0xffffff00 | (_v55 & 0x00000004) != 0x00000000) & _v13) != 0 && E004235D8(_t90,  &_v8) != 0) {
                  					_t63 = E00425F4C(_v8);
                  					_t101 = _t63;
                  					if(_t63 != 0) {
                  						E00425CAC(_t90, _t78,  &_v64, _t101);
                  						E0042C888(_v64,  &_v60);
                  						E0040B5D4( &_v8, _v8, _v60);
                  					}
                  					GetFileAttributesExW(E0040B380(_v8), 0,  &_v56);
                  					asm("sbb ebx, ebx");
                  					_t76 = _t76 + 1;
                  				}
                  				if(_t76 == 0) {
                  					_t92 = GetLastError();
                  					if(_t92 + 0xffffffe0 - 2 < 0) {
                  						if(E00425210(E0040B380(_t90), 0,  &_v56) != 0) {
                  							_t92 = 0;
                  							__eflags = 0;
                  						} else {
                  							_t92 = 0x20;
                  						}
                  					}
                  				}
                  				if(_t92 == 0) {
                  					if((_v56 & 0x00000010) != 0) {
                  						_t92 = 0x20;
                  					} else {
                  						_v20 =  &_v36;
                  						if(FileTimeToLocalFileTime(_v20, _v12) == 0) {
                  							_t92 = 0x20;
                  						}
                  					}
                  				}
                  				_pop(_t83);
                  				 *[fs:eax] = _t83;
                  				_push(0x425395);
                  				E0040A778( &_v64, 2);
                  				return E0040A718( &_v8);
                  			}
                  Instruction addresses for the C-code body above (one per line, in order):
                  0x0042525c 0x00425267 0x0042526a 0x0042526d 0x00425270 0x00425273 0x00425276 0x0042527a 0x0042527b 0x00425280
                  0x00425283 0x00425286 0x00425296 0x0042529e 0x004252a0 0x004252ab 0x004252be 0x004252c3 0x004252c5 0x004252cc
                  0x004252d7 0x004252e5 0x004252e5 0x004252f9 0x00425301 0x00425303 0x00425303 0x00425306 0x0042530d 0x00425317
                  0x0042532e 0x00425337 0x00425337 0x00425330 0x00425330 0x00425330 0x0042532e 0x00425317 0x0042533b 0x00425341
                  0x00425361 0x00425343 0x00425346 0x00425358 0x0042535a 0x0042535a 0x00425358 0x00425341 0x0042536d 0x00425370
                  0x00425373 0x00425380 0x0042538d

                  APIs
                  • GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,0042538E), ref: 00425296
                  • GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,0042538E), ref: 004252F9
                  • GetLastError.KERNEL32(00000000,00000000,?,00000000,0042538E), ref: 00425308
                  • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,00000000,?,00000000,0042538E), ref: 00425351
                    • Part of subcall function 004235D8: GetFileAttributesW.KERNEL32(00000000), ref: 00423625
                    • Part of subcall function 004235D8: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00423657
                    • Part of subcall function 004235D8: CloseHandle.KERNEL32(000000FF,004236A0,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00423693
                  Yara matches
                  Similarity
                  • API ID: File$Attributes$Time$CloseCreateErrorHandleLastLocal
                  • String ID:
                  • API String ID: 3059364927-0
                  • Opcode ID: ad0a7c0b152506787d82c190d9fc16f6f3d05526fe0b6c6b66bd06477dd7d431
                  • Instruction ID: 3f4d12bf05a058d59af79d92dd65e09c31b8d6818167899990ac941f21725324
                  • Opcode Fuzzy Hash: ad0a7c0b152506787d82c190d9fc16f6f3d05526fe0b6c6b66bd06477dd7d431
                  • Instruction Fuzzy Hash: 0631C871F00728ABDB00EFA5D981BAEB7B9EF04344F94456AFC40E7281D7789E048698
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E0040D104(signed short __eax, void* __edx) {
                  				char _v8;
                  				char _v12;
                  				intOrPtr _v16;
                  				signed int _v20;
                  				short _v22;
                  				short _v24;
                  				char _v26;
                  				char _v32;
                  				void* __ebp;
                  				void* _t39;
                  				void* _t55;
                  				void* _t59;
                  				short* _t62;
                  				signed short _t66;
                  				void* _t67;
                  				void* _t68;
                  				signed short _t79;
                  				void* _t81;
                  
                  				_t81 = __edx;
                  				_t66 = __eax;
                  				_v16 = 0;
                  				if(__eax !=  *0x689b84()) {
                  					_v16 = E0040D0C0( &_v8);
                  					_t79 = _t66;
                  					_v20 = 3;
                  					_t62 =  &_v26;
                  					do {
                  						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
                  						_t79 = (_t79 & 0x0000ffff) >> 4;
                  						_v20 = _v20 - 1;
                  						_t62 = _t62 - 2;
                  					} while (_v20 != 0xffffffff);
                  					_v24 = 0;
                  					_v22 = 0;
                  					 *0x689b80(4,  &_v32,  &_v20);
                  				}
                  				_t39 = E0040D0C0( &_v12);
                  				_t67 = _t39;
                  				if(_t67 != 0) {
                  					_t55 = _v12 - 2;
                  					if(_t55 >= 0) {
                  						_t59 = _t55 + 1;
                  						_v20 = 0;
                  						do {
                  							if( *((short*)(_t67 + _v20 * 2)) == 0) {
                  								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
                  							}
                  							_v20 = _v20 + 1;
                  							_t59 = _t59 - 1;
                  						} while (_t59 != 0);
                  					}
                  					E0040B3E8(_t81, _t67);
                  					_t39 = E00406850(_t67);
                  				}
                  				if(_v16 != 0) {
                  					 *0x689b80(0, 0,  &_v20);
                  					_t68 = E0040D0C0( &_v12);
                  					if(_v8 != _v12 || E0040D09C(_v16, _v12, _t68) != 0) {
                  						 *0x689b80(8, _v16,  &_v20);
                  					}
                  					E00406850(_t68);
                  					return E00406850(_v16);
                  				}
                  				return _t39;
                  			}
                  Instruction addresses for the C-code body above (one per line, in order; 0x00000000 where the line carries no instruction):
                  0x0040d10c 0x0040d10e 0x0040d112 0x0040d11e 0x0040d128 0x0040d12b 0x0040d12d 0x0040d134 0x0040d137 0x0040d148
                  0x0040d14e 0x0040d151 0x0040d154 0x0040d157 0x0040d15d 0x0040d163 0x0040d173 0x0040d173 0x0040d17c 0x0040d181
                  0x0040d185 0x0040d18a 0x0040d18f 0x0040d191 0x0040d192 0x0040d199 0x0040d1a1 0x0040d1a6 0x0040d1a6 0x0040d1ac
                  0x0040d1af 0x0040d1af 0x0040d199 0x0040d1b6 0x0040d1bd 0x0040d1bd 0x0040d1c6 0x0040d1d0 0x0040d1de 0x0040d1e6
                  0x0040d203 0x0040d203 0x0040d20b 0x00000000 0x0040d213 0x0040d21d

                  APIs
                  • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040D115
                  • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040D173
                  • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040D1D0
                  • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040D203
                    • Part of subcall function 0040D0C0: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040D181), ref: 0040D0D7
                    • Part of subcall function 0040D0C0: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040D181), ref: 0040D0F4
                  Yara matches
                  Similarity
                  • API ID: Thread$LanguagesPreferred$Language
                  • String ID:
                  • API String ID: 2255706666-0
                  • Opcode ID: a70a39a7023ee9a8d89fcc5c4d21d231ace04ff9936f580bc1c80fbc896a182c
                  • Instruction ID: 8e941f8dd317076bb9b69d8eebd55c65a203737f76de99896bc857be53f65706
                  • Opcode Fuzzy Hash: a70a39a7023ee9a8d89fcc5c4d21d231ace04ff9936f580bc1c80fbc896a182c
                  • Instruction Fuzzy Hash: B6314F70E0011A9BDB10EBE9C884AAFB3B5FF48314F04457AE515FB291DB789A09CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E0042579C(void* __eax, signed short __edx) {
                  				signed short _v6;
                  				signed short _v8;
                  				struct _FILETIME _v16;
                  				struct _FILETIME _v24;
                  				void* _t13;
                  				int _t20;
                  				long _t21;
                  				void* _t23;
                  
                  				_v8 = __edx;
                  				_t23 = __eax;
                  				_t21 = 0;
                  				if(DosDateTimeToFileTime(_v6 & 0x0000ffff, _v8 & 0x0000ffff,  &_v16) == 0) {
                  					_t13 = 0;
                  				} else {
                  					_t20 = LocalFileTimeToFileTime( &_v16,  &_v24);
                  					asm("sbb eax, eax");
                  					_t13 = _t20 + 1;
                  				}
                  				if(_t13 == 0 || SetFileTime(_t23, 0, 0,  &_v24) == 0) {
                  					_t21 = GetLastError();
                  				}
                  				return _t21;
                  			}

                  APIs
                  • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 004257B9
                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004257CA
                  • SetFileTime.KERNEL32(?,00000000,00000000,?), ref: 004257E6
                  • GetLastError.KERNEL32(?,00000000,00000000,?), ref: 004257EF
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$File$DateErrorLastLocal
                  • String ID:
                  • API String ID: 4098483309-0
                  • Opcode ID: 3cbd16a25e1fc5ef66dd8517dfe4c6c78911780a495f2d34d70ceaf2b93b1f69
                  • Instruction ID: ec89146a9b7c7793d2883c54a73267918070786147bfa47677ef05a607a1ee9e
                  • Opcode Fuzzy Hash: 3cbd16a25e1fc5ef66dd8517dfe4c6c78911780a495f2d34d70ceaf2b93b1f69
                  • Instruction Fuzzy Hash: B9F06272A41619BACB10DAE95D81FEFB3EC9B08255F500177FA01E2141FA78DF448369
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E0042B9F4(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                  				char _v8;
                  				struct _MEMORY_BASIC_INFORMATION _v36;
                  				short _v558;
                  				char _v564;
                  				intOrPtr _v568;
                  				char _v572;
                  				char _v576;
                  				char _v580;
                  				intOrPtr _v584;
                  				char _v588;
                  				void* _v592;
                  				char _v596;
                  				char _v600;
                  				char _v604;
                  				char _v608;
                  				intOrPtr _v612;
                  				char _v616;
                  				char _v620;
                  				char _v624;
                  				void* _v628;
                  				char _v632;
                  				void* _t64;
                  				intOrPtr _t65;
                  				intOrPtr _t82;
                  				intOrPtr _t103;
                  				intOrPtr _t107;
                  				intOrPtr _t110;
                  				intOrPtr _t112;
                  				intOrPtr _t115;
                  				intOrPtr _t127;
                  				void* _t136;
                  				intOrPtr _t138;
                  				void* _t141;
                  				void* _t143;
                  
                  				_t136 = __edi;
                  				_t140 = _t141;
                  				_v632 = 0;
                  				_v596 = 0;
                  				_v604 = 0;
                  				_v600 = 0;
                  				_v8 = 0;
                  				_push(_t141);
                  				_push(0x42bbfa);
                  				_push( *[fs:eax]);
                  				 *[fs:eax] = _t141 + 0xfffffd8c;
                  				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
                  				_t143 = _t64;
                  				if(_t143 < 0) {
                  					_t65 =  *0x68691c; // 0x414594
                  					E0040E3F4(_t65,  &_v8, _t140);
                  				} else {
                  					if(_t143 == 0) {
                  						_t107 =  *0x686634; // 0x41459c
                  						E0040E3F4(_t107,  &_v8, _t140);
                  					} else {
                  						if(_t64 == 7) {
                  							_t110 =  *0x686260; // 0x4145a4
                  							E0040E3F4(_t110,  &_v8, _t140);
                  						} else {
                  							_t112 =  *0x6864f8; // 0x4145ac
                  							E0040E3F4(_t112,  &_v8, _t140);
                  						}
                  					}
                  				}
                  				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
                  				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
                  				_t138 = _v36.State;
                  				if(_t138 == 0x1000 || _t138 == 0x10000) {
                  					if(GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105) == 0) {
                  						goto L12;
                  					} else {
                  						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                  						_v588 = 5;
                  						E0040B424( &_v600, 0x105,  &_v558);
                  						E00425E34(_v600, 0x105,  &_v596);
                  						_v584 = _v596;
                  						_v580 = 0x11;
                  						_v576 = _v8;
                  						_v572 = 0x11;
                  						_v568 = _t115;
                  						_v564 = 5;
                  						_push( &_v592);
                  						_t103 =  *0x686730; // 0x414694
                  						E0040E3F4(_t103,  &_v604, _t140, 3);
                  						E0042B0F0(_t115, _v604, 1, _t136, _t138);
                  					}
                  				} else {
                  					L12:
                  					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                  					_v624 = 5;
                  					_v620 = _v8;
                  					_v616 = 0x11;
                  					_v612 = _t115;
                  					_v608 = 5;
                  					_push( &_v628);
                  					_t82 =  *0x686648; // 0x414544
                  					E0040E3F4(_t82,  &_v632, _t140, 2);
                  					E0042B0F0(_t115, _v632, 1, _t136, _t138);
                  				}
                  				_pop(_t127);
                  				 *[fs:eax] = _t127;
                  				_push(0x42bc01);
                  				E0040A718( &_v632);
                  				E0040A778( &_v604, 3);
                  				return E0040A718( &_v8);
                  			}

                  APIs
                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0042BBFA), ref: 0042BA94
                  • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0042BBFA), ref: 0042BAC0
                    • Part of subcall function 0040E3F4: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040E439
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileLoadModuleNameQueryStringVirtual
                  • String ID: DEA
                  • API String ID: 902310565-67581512
                  • Opcode ID: 392a8d25bb5e191178c5250c658fb112353d0190fb13b5a516785b26228338ef
                  • Instruction ID: 910127441a8d3c502764edbfa1adedfdcb7bde4530107102f6071ed445003ac5
                  • Opcode Fuzzy Hash: 392a8d25bb5e191178c5250c658fb112353d0190fb13b5a516785b26228338ef
                  • Instruction Fuzzy Hash: 9A51F834A04668DFCB10DF69DD89A8DBBF4EB08304F4041E6E808A7351D778AE84DF89
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E0043584C(signed short* __eax, void* __ecx, signed short* __edx, void* __ebp) {
                  				char _v16;
                  				signed int _t20;
                  				signed short _t21;
                  				signed short* _t34;
                  				signed short _t46;
                  				signed short* _t47;
                  				void* _t49;
                  
                  				_push(__ecx);
                  				_t47 = __edx;
                  				_t34 = __eax;
                  				if(( *__eax & 0x0000bfe8) == 0) {
                  					__eax[4] = 0;
                  				} else {
                  					E00435080(__eax, __ecx);
                  				}
                  				_t20 =  *_t47 & 0x0000ffff;
                  				if(_t20 >= 0x14) {
                  					if(_t20 != 0x100) {
                  						if(_t20 != 0x102) {
                  							_t46 =  *_t47 & 0x0000ffff;
                  							if(_t46 == 0x4102 || _t46 == 0x4100) {
                  								 *_t34 = _t46;
                  								_t21 = _t47[4];
                  								_t34[4] = _t21;
                  							} else {
                  								if(_t46 != 0x101) {
                  									if((_t46 & 0x00002000) == 0) {
                  										if(E0043C1B8(_t46, _t49) == 0) {
                  											_push(_t47);
                  											_push(_t34);
                  											L00433158();
                  											_t21 = E00434E7C(_t23);
                  										} else {
                  											_t16 =  &_v16; // 0x435450
                  											_t21 =  *((intOrPtr*)( *((intOrPtr*)( *_t16)) + 0x28))(0);
                  										}
                  									} else {
                  										_t21 = E00435678(_t34, 0x435844, _t47);
                  									}
                  								} else {
                  									 *_t34 = _t46;
                  									_t34[4] = _t47[4];
                  									_t21 =  *0x68bfac();
                  								}
                  							}
                  						} else {
                  							 *_t34 = 0x102;
                  							_t34[4] = 0;
                  							_t21 = E0040AAF8( &(_t34[4]), _t47[4]);
                  						}
                  					} else {
                  						 *_t34 = 0x100;
                  						_t34[4] = 0;
                  						_t21 = E0040AB94( &(_t34[4]), _t47[4]);
                  					}
                  				} else {
                  					_push(_t47);
                  					_push(_t34);
                  					L00433158();
                  					_t21 = E00434E7C(_t20);
                  				}
                  				return _t21;
                  			}

                  APIs
                  • VariantCopy.OLEAUT32(?,00000004), ref: 00435874
                    • Part of subcall function 00435080: VariantClear.OLEAUT32(?), ref: 0043508F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Variant$ClearCopy
                  • String ID: PTC
                  • API String ID: 274517740-2734653400
                  • Opcode ID: a94a1fde48abeee26530205873687c58cebafd00e859be0767412a7ea851ae3e
                  • Instruction ID: c64bdb6c5ecb45572f0e568d49b47868dc1afa3dbe7bc3dfc89b4eb50c6db74a
                  • Opcode Fuzzy Hash: a94a1fde48abeee26530205873687c58cebafd00e859be0767412a7ea851ae3e
                  • Instruction Fuzzy Hash: 27218670700610DADB24AF29C8C166777E5AF4C360F54B46BE88A8B366D73CCC42DB5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 27%
                  			E0042329C(void* __eax, void* __edx) {
                  				intOrPtr _v8;
                  				char _v12;
                  				void* __ebx;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t12;
                  				void* _t27;
                  				intOrPtr _t35;
                  				void* _t39;
                  				void* _t42;
                  				void* _t44;
                  				intOrPtr _t45;
                  
                  				_t42 = _t44;
                  				_t45 = _t44 + 0xfffffff8;
                  				_t39 = __edx;
                  				_t27 = __eax;
                  				_t12 = E0040A718(__edx);
                  				if( *0x689e34 == 0) {
                  					_t12 = E0041314C(_t27, _t39, GetModuleHandleW(L"NTDLL.DLL"), L"NtQueryObject");
                  					 *0x689e34 = _t12;
                  				}
                  				if( *0x689e34 == 0) {
                  					L7:
                  					return _t12;
                  				} else {
                  					_t12 =  *0x689e34(_t27, 1, 0, 0,  &_v12);
                  					if(_t12 != 0xc0000004) {
                  						goto L7;
                  					} else {
                  						_v8 = E00406834(_v12);
                  						_push(_t42);
                  						_push(0x423348);
                  						_push( *[fs:edx]);
                  						 *[fs:edx] = _t45;
                  						_push( &_v12);
                  						_push(_v12);
                  						_push(_v8);
                  						_push(1);
                  						_push(_t27);
                  						if( *0x689e34() == 0) {
                  							E0040B3E8(_t39,  *((intOrPtr*)(_v8 + 4)));
                  						}
                  						_pop(_t35);
                  						 *[fs:eax] = _t35;
                  						_push(0x42334f);
                  						return E00406850(_v8);
                  					}
                  				}
                  			}

                  APIs
                  • GetModuleHandleW.KERNEL32(NTDLL.DLL,NtQueryObject), ref: 004232C2
                    • Part of subcall function 0041314C: GetProcAddress.KERNEL32(?,?), ref: 00413170
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.307570236.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.307564146.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308232089.000000000068B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308240342.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308252323.0000000000694000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308259233.00000000006CC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308298771.00000000006DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.308315265.00000000006E4000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: NTDLL.DLL$NtQueryObject
                  • API String ID: 1646373207-3865875859
                  • Opcode ID: c5e33f97bc56de3a4173a261f27c477deded245f31ed6c2d392e1e8871f11f9f
                  • Instruction ID: 08a2c0fef8fd1e6fe430394dd7a3eac312d2a2100abcced04dbeb3945b60cf61
                  • Opcode Fuzzy Hash: c5e33f97bc56de3a4173a261f27c477deded245f31ed6c2d392e1e8871f11f9f
                  • Instruction Fuzzy Hash: FB11E631701314BFDB10EFA5ED46B9AB7BDEB04711F644166F500E2290DA7C9F408758
                  Uniqueness

                  Uniqueness Score: -1.00%