Edit tour

Windows Analysis Report
caffeine.exe

Overview

General Information

Sample Name:	caffeine.exe
Analysis ID:	869046
MD5:	8999221df0fdab60c8d68a04af504e74
SHA1:	2b784b2e5e82ccdab8eeb5a9dbcd3a9a90f3eaf7
SHA256:	31b31604d16b0313417ceb46bb3ad37b9f3549e05e0cdd2586b9eefd0e515352
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Program does not show much activity (idle)

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

caffeine.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\caffeine.exe" -install MD5: 8999221DF0FDAB60C8D68A04AF504E74)

caffeine.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\caffeine.exe" /install MD5: 8999221DF0FDAB60C8D68A04AF504E74)

caffeine.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\caffeine.exe" /load MD5: 8999221DF0FDAB60C8D68A04AF504E74)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: caffeine.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: caffeine.exe

String found in binary or memory: http://www.zhornsoftware.co.uk/

Source: caffeine.exe, 00000000.00000002.638963465.00000000007FA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\caffeine.exe

Code function: 0_2_00402B10 SetThreadExecutionState,GetAsyncKeyState,SendInput,

0_2_00402B10

Source: caffeine.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: caffeine.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\caffeine.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: caffeine.exe	String found in binary or memory: -startoff
Source: caffeine.exe	String found in binary or memory: -startoff
Source: caffeine.exe	String found in binary or memory: -startoff
Source: caffeine.exe	String found in binary or memory: of memory or resources.openCMainFrameTaskbarCreated-ontaskbar-showdlg-inactivefor:-key:-activefor:-exitafter:-keypress-allowss-useshift-startoffCaffeine-noicon-replace-apptoggle-apptoggleshowdlg-appoff-apponZhornSoftwareCaffeineMain-appexit987654321Caffeine is inactiveCaffeine is activeCaffeine: inactiveCaffeine: activeCaffeine: Will go active in %i minute(s)Caffeine: Will exit in %i minute(s)Caffeine: Will go inactive in %i minute(s)@CSystemTrayActiven by Tomand writtllv Rd to Copyrighthttp://www.zhornsoftware.co.uk/
Source: caffeine.exe	String found in binary or memory: -startoffStart inactive

Source: classification engine

Classification label: clean2.winEXE@3/0@0/0

Source: unknown	Process created: C:\Users\user\Desktop\caffeine.exe "C:\Users\user\Desktop\caffeine.exe" -install
Source: unknown	Process created: C:\Users\user\Desktop\caffeine.exe "C:\Users\user\Desktop\caffeine.exe" /install
Source: unknown	Process created: C:\Users\user\Desktop\caffeine.exe "C:\Users\user\Desktop\caffeine.exe" /load

Source: C:\Users\user\Desktop\caffeine.exe	Code function: 0_2_00401190 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,		0_2_00401190
Source: C:\Users\user\Desktop\caffeine.exe	Code function: 1_2_00401190 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,		1_2_00401190

Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\caffeine.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\caffeine.exe

Code function: 0_2_00403000 GetVersion,#1233,#2152,_mbscmp,_mbsnbcpy,_mbsnbcpy,_mbsnbcpy,_mbsnbcpy,Shell_NotifyIconA,

0_2_00403000

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Process Injection	21 Input Capture	1 Application Window Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
caffeine.exe	0%	ReversingLabs
caffeine.exe	1%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.zhornsoftware.co.uk/	0%	Virustotal		Browse
http://www.zhornsoftware.co.uk/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.zhornsoftware.co.uk/	caffeine.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	869046
Start date and time:	2023-05-18 17:21:39 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	caffeine.exe
Detection:	CLEAN
Classification:	clean2.winEXE@3/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.5% (good quality ratio 66.4%) Quality average: 54.7% Quality standard deviation: 42.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 22 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.721472798327748
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	caffeine.exe
File size:	40960
MD5:	8999221df0fdab60c8d68a04af504e74
SHA1:	2b784b2e5e82ccdab8eeb5a9dbcd3a9a90f3eaf7
SHA256:	31b31604d16b0313417ceb46bb3ad37b9f3549e05e0cdd2586b9eefd0e515352
SHA512:	330588acccf6ed3aae96f6983f1cdbb2f912acc0cc96a55def3673d5079fec18fbfbadb22fed5cb399f3b5484c94bdbce6f5a50b90245d2aec92f14f29f75734
SSDEEP:	768:HkfGLwJyfXR48YC3DQmsXBoMdaArhd5V:EfGLw4R48YC3DcXiMIAr
TLSH:	AF03EA536A96C5E5F6625B701C7677B9827BAEE90F214BCF5390FD1C4832990A83230F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......iqNH-. .-. .-. .....,. .B.+.,. .B.*.&. .B.$./. ..6$./. .-.!.?. ...}.&. ..6+.&. ...&.,. .Rich-. .................PE..L....A.Q...

File Icon


Icon Hash:	03dbb19b9b9b1391

Static PE Info

General

Entrypoint:	0x404786
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x51DB4198 [Mon Jul 8 22:47:52 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56d93e79ece742699520bdd6df1c63de

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00405E58h
push 0040490Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00405328h]
pop ecx
or dword ptr [0040770Ch], FFFFFFFFh
or dword ptr [00407710h], FFFFFFFFh
call dword ptr [0040532Ch]
mov ecx, dword ptr [00407700h]
mov dword ptr [eax], ecx
call dword ptr [00405330h]
mov ecx, dword ptr [004076FCh]
mov dword ptr [eax], ecx
mov eax, dword ptr [00405334h]
mov eax, dword ptr [eax]
mov dword ptr [00407708h], eax
call 00007FCED4C22A5Bh
cmp dword ptr [004075C0h], ebx
jne 00007FCED4C2294Eh
push 00404908h
call dword ptr [00405338h]
pop ecx
call 00007FCED4C22A2Dh
push 00407024h
push 00407020h
call 00007FCED4C22A18h
mov eax, dword ptr [004076F8h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004076F4h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00405340h]
push 0040701Ch
push 00407000h
call 00007FCED4C229E5h

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6410	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x1af0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5000	0x420	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3df2	0x4000	False	0.47833251953125	data	5.857008627342194	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0x1d78	0x2000	False	0.3194580078125	data	4.553808025532203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7000	0x714	0x1000	False	0.175048828125	data	2.3886547714624777	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8000	0x1af0	0x2000	False	0.25927734375	data	3.309427083957035	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x8870	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain
RT_ICON	0x8998	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	Great Britain
RT_ICON	0x8ca8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain
RT_ICON	0x8dd0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	Great Britain
RT_MENU	0x90e0	0x152	data	English	Great Britain
RT_DIALOG	0x9238	0x854	data	English	Great Britain
RT_DIALOG	0x9a90	0x5e	data	English	Great Britain
RT_GROUP_ICON	0x8c80	0x22	data	English	Great Britain
RT_GROUP_ICON	0x90b8	0x22	data	English	Great Britain
RT_VERSION	0x82b0	0x35c	data	English	United States
RT_MANIFEST	0x8610	0x25b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
USER32.dll	RegisterWindowMessageA, SetTimer, FindWindowA, SendInput, GetAsyncKeyState, KillTimer, SetMenuDefaultItem, GetSubMenu, LoadMenuA, GetMenuItemID, PostMessageA, TrackPopupMenu, SetForegroundWindow, GetCursorPos, ModifyMenuA, LoadCursorA, GetDC, ReleaseDC, InflateRect, InvalidateRect, IsWindow, SetWindowLongA, SetCursor, PtInRect, ReleaseCapture, RedrawWindow, SetCapture, MessageBeep, GetSysColor, EnableWindow, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, SendMessageA, GetParent, GetWindowRect, CopyIcon, LoadIconA
MFC42.DLL
MSVCRT.dll	exit, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, _setmbcp, _XcptFilter, _exit, _onexit, __dllonexit, _ftol, _mbsnbcpy, _mbscmp, atoi, __CxxFrameHandler
KERNEL32.dll	FreeLibrary, GetStartupInfoA, GetModuleHandleA, GetVersion, SetThreadExecutionState, GetVersionExA, GetWindowsDirectoryA, LoadLibraryA
GDI32.dll	GetStockObject, GetTextExtentPoint32A, GetObjectA, CreateFontIndirectA
SHELL32.dll	Shell_NotifyIconA, ShellExecuteA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• caffeine.exe
• caffeine.exe
• caffeine.exe

Click to jump to process

Behavior

• caffeine.exe
• caffeine.exe
• caffeine.exe

Click to jump to process

System Behavior

Analysis Process: caffeine.exePID: 7416, Parent PID: 3452

Function Logs

General

Target ID:	0
Start time:	17:22:34
Start date:	18/05/2023
Path:	C:\Users\user\Desktop\caffeine.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\caffeine.exe" -install
Imagebase:	0x400000
File size:	40960 bytes
MD5 hash:	8999221DF0FDAB60C8D68A04AF504E74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Timing Activities

User Timer set

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: caffeine.exePID: 7448, Parent PID: 3452

Function Logs

General

Target ID:	1
Start time:	17:22:36
Start date:	18/05/2023
Path:	C:\Users\user\Desktop\caffeine.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\caffeine.exe" /install
Imagebase:	0x400000
File size:	40960 bytes
MD5 hash:	8999221DF0FDAB60C8D68A04AF504E74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Timing Activities

User Timer set

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: caffeine.exePID: 7472, Parent PID: 3452

Function Logs

General

Target ID:	2
Start time:	17:22:38
Start date:	18/05/2023
Path:	C:\Users\user\Desktop\caffeine.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\caffeine.exe" /load
Imagebase:	0x400000
File size:	40960 bytes
MD5 hash:	8999221DF0FDAB60C8D68A04AF504E74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Timing Activities

User Timer set

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: caffeine.exePID: 7416, Parent PID: 3452COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	19%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.1%
Total number of Nodes:	460
Total number of Limit Nodes:	19

Executed Functions

Function 00403000 Relevance: 10.6, APIs: 7, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00403000(void* __ecx) {
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _t50;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t56;
				int _t60;
				intOrPtr _t64;
				signed int _t75;
				signed int _t77;
				intOrPtr _t84;
				void* _t87;
				intOrPtr* _t88;
				void* _t91;
				void* _t92;
				intOrPtr _t93;

				_t91 = __ecx;
				_t50 = GetVersion();
				asm("sbb eax, eax");
				_t52 = (_t50 & 0x000000ff) + 1;
				 *((intOrPtr*)(_t91 + 0x22c)) = _t52;
				if(_t52 != 0) {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0x80000000);
					_push(0x4076e4);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *0x407550 = 0x80;
					L004046C4();
					_push(_t52);
					_push(0);
					L004046BE(); // executed
					_t53 = _v56;
					 *(_t91 + 0x41) = 0x1e8;
					if(_t53 == 0) {
						L4:
						_t54 =  *((intOrPtr*)(_t91 + 0x20));
					} else {
						_t54 =  *((intOrPtr*)(_t53 + 0x20));
						if(_t54 == 0) {
							goto L4;
						}
					}
					 *((intOrPtr*)(_t91 + 0x45)) = _t54;
					 *((intOrPtr*)(_t91 + 0x49)) = _v40;
					 *((intOrPtr*)(_t91 + 0x55)) = _v44;
					 *(_t91 + 0x4d) = 7;
					 *((intOrPtr*)(_t91 + 0x51)) = _v52;
					_t56 =  *0x407550; // 0x80
					_t88 = __imp___mbsnbcpy;
					 *_t88(_t91 + 0x59, _v48, _t56 - 1, _t87, _t92);
					_t93 = _v32;
					if( *((intOrPtr*)(_t91 + 0x23c)) != 0 && _t93 != 0) {
						 *(_t91 + 0x4d) =  *(_t91 + 0x4d) | 0x00000010;
						 *_t88(_t91 + 0xe1, _t93, 0xff);
						_t64 = _v28;
						if(_t64 == 0) {
							 *((char*)(_t91 + 0x1e5)) = 0;
						} else {
							 *_t88(_t91 + 0x1e5, _t64, 0x3f);
						}
						 *(_t91 + 0x1e1) = _v20 + _v20 * 4 + (_v20 + _v20 * 4) * 4 + (_v20 + _v20 * 4 + (_v20 + _v20 * 4) * 4) * 4 << 3;
						 *((intOrPtr*)(_t91 + 0x225)) = _v24;
					}
					_t84 =  *((intOrPtr*)(_t91 + 0x23c));
					_t75 = _v36;
					 *(_t91 + 0x230) = _t75;
					_t60 = 1;
					if(_t84 != 0 && _t75 != 0) {
						 *(_t91 + 0x4d) = 8;
						 *((intOrPtr*)(_t91 + 0xd9)) = 1;
						 *((intOrPtr*)(_t91 + 0xdd)) = 1;
					}
					 *(_t91 + 0x27c) =  *(_t91 + 0x4d);
					if(_t75 == 0 || _t84 != 0) {
						_t60 = Shell_NotifyIconA(0, _t91 + 0x41); // executed
						_t77 = 0 | _t60 == 0x00000000;
						 *(_t91 + 0x234) = _t77;
						 *(_t91 + 0x230) = _t77;
						 *(_t91 + 0x238) = _t77;
					}
					if( *((intOrPtr*)(_t91 + 0x23c)) != 0 && _t93 != 0) {
						 *((char*)(_t91 + 0xe1)) = 0;
					}
					return _t60;
				} else {
					return 0;
				}
			}

0x00403001
0x00403003
0x00403011
0x00403013
0x00403014
0x0040301a
0x00403022
0x00403024
0x00403026
0x00403028
0x0040302a
0x0040302c
0x0040302e
0x00403030
0x00403035
0x0040303a
0x0040303c
0x0040303e
0x00403040
0x00403042
0x0040304c
0x00403051
0x00403052
0x00403056
0x0040305b
0x0040305f
0x00403068
0x00403071
0x00403071
0x0040306a
0x0040306a
0x0040306f
0x00000000
0x00000000
0x0040306f
0x0040307c
0x00403083
0x00403086
0x0040308d
0x00403094
0x00403097
0x0040309f
0x004030ab
0x004030b3
0x004030bc
0x004030d5
0x004030d8
0x004030da
0x004030e3
0x004030f6
0x004030e5
0x004030ef
0x004030f1
0x00403111
0x00403117
0x00403117
0x0040311d
0x00403123
0x00403129
0x0040312f
0x00403134
0x0040313a
0x00403141
0x00403147
0x00403147
0x00403152
0x00403158
0x00403164
0x0040316e
0x00403171
0x00403177
0x0040317d
0x0040317d
0x0040318b
0x00403191
0x00403191
0x0040319b
0x0040301c
0x0040301f
0x0040301f

APIs

GetVersion.KERNEL32(?,004023A8,?,0000800A,Caffeine,00000000,00000081,00000000,00000000,00000000,00000000,0000000A,-noicon,-replace,-apptoggle,-apptoggleshowdlg), ref: 00403003
#1233.MFC42(00000000,00000000,00000000,00000000,004076E4,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,004023A8), ref: 0040304C
#2152.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,004076E4,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403056
_mbsnbcpy.MSVCRT ref: 004030AB
_mbsnbcpy.MSVCRT ref: 004030D8
_mbsnbcpy.MSVCRT ref: 004030EF

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: _mbsnbcpy$#1233#2152Version
String ID:
API String ID: 494087368-0
Opcode ID: 2369528ade2a96fe857e4a859b874dd018032859b0edd50a1ebb554cdf61770e
Instruction ID: 214fda40c4ab09d81bff82deb3576ea03069259a42121a88c931fbb7d5db7241
Opcode Fuzzy Hash: 2369528ade2a96fe857e4a859b874dd018032859b0edd50a1ebb554cdf61770e
Instruction Fuzzy Hash: 35414C74605B009BD334CF28D840BABBBE9AF88304F04482EE99AA77C0D775F904CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00402B10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135
keyboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00402B10(void* __ebx, void* __ecx, void* __edi, void* __ebp, intOrPtr _a4) {
				intOrPtr _v12;
				short _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				intOrPtr _v68;
				short _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				short _v82;
				char _v84;
				short _v98;
				short _v100;
				intOrPtr _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t82;
				intOrPtr _t91;
				void* _t100;
				short _t103;

				_t54 = _a4;
				_t100 = __ecx;
				if(_t54 !=  *((intOrPtr*)(__ecx + 0x340))) {
					L29:
					return _t54;
				}
				_t56 =  *((intOrPtr*)(__ecx + 0x344)) - 1;
				 *((intOrPtr*)(__ecx + 0x344)) = _t56;
				if(_t56 == 0) {
					 *((intOrPtr*)(__ecx + 0x344)) =  *((intOrPtr*)(__ecx + 0x34c));
					if( *((intOrPtr*)(__ecx + 0x348)) != 0) {
						if( *((intOrPtr*)(__ecx + 0x361)) == 0) {
							if(GetAsyncKeyState(0x10) >= 0) {
								_t91 =  *((intOrPtr*)(_t100 + 0x360));
								_v100 = 0x7e;
								if(_t91 != 0) {
									_v100 = 0x10;
								}
								_t103 =  *((intOrPtr*)(_t100 + 0x364));
								if(_t103 != 0xffffffff) {
									_v100 = _t103;
								}
								_v98 = 0;
								_v84 = 0x7e;
								if(_t91 != 0) {
									_v84 = 0x10;
								}
								if(_t103 != 0xffffffff) {
									_v84 =  *((intOrPtr*)(_t100 + 0x364));
								}
								_v82 = 0;
								if( *((intOrPtr*)(_t100 + 0x349)) == 0 ||  *((intOrPtr*)(_t100 + 0x368)) != 0) {
									_v48 = 0;
									_v20 = 2;
									_v40 = 0;
									_push(0x1c);
									_push( &_v56);
									_v56 = 1;
									_v52 = _v84;
									_v44 = 0;
									_v28 = 1;
									_v24 = _v100;
									_v16 = 0;
									_v12 = 0;
									_push(2); // executed
								} else {
									_v76 = 2;
									_push(0x1c);
									_push( &_v84);
									_v84 = 1;
									_v80 = _v100;
									_v72 = 0;
									_v68 = 0;
									_push(1);
								}
								L00404310(); // executed
							}
						} else {
							__imp__SetThreadExecutionState(1);
						}
					}
				}
				_t82 =  *((intOrPtr*)(_t100 + 0x350)) + 1;
				_t54 = _t82;
				 *((intOrPtr*)(_t100 + 0x350)) = _t82;
				if(_t54 != 0x3c) {
					goto L29;
				}
				_t57 =  *((intOrPtr*)(_t100 + 0x354));
				 *((intOrPtr*)(_t100 + 0x350)) = 0;
				if(_t57 > 0xffffffff) {
					 *((intOrPtr*)(_t100 + 0x354)) = _t57 - 1;
					E00402A30(_t100);
					_t68 =  *((intOrPtr*)(_t100 + 0x354));
					if( *((intOrPtr*)(_t100 + 0x354)) == 0) {
						E004027F0(_t68, _t100);
					}
				}
				_t58 =  *((intOrPtr*)(_t100 + 0x35c));
				if(_t58 > 0xffffffff) {
					 *((intOrPtr*)(_t100 + 0x35c)) = _t58 - 1;
					E00402A30(_t100);
					if( *((intOrPtr*)(_t100 + 0x35c)) == 0) {
						E004026F0(_t100);
					}
				}
				_t54 =  *((intOrPtr*)(_t100 + 0x358));
				if(_t54 <= 0xffffffff) {
					goto L29;
				} else {
					 *((intOrPtr*)(_t100 + 0x358)) = _t54 - 1;
					E00402A30(_t100);
					_t54 =  *((intOrPtr*)(_t100 + 0x358));
					if(_t54 != 0) {
						goto L29;
					}
					return E004027F0(_t54, _t100);
				}
			}

0x00402b10
0x00402b18
0x00402b20
0x00402d09
0x00402d09
0x00402d09
0x00402b2d
0x00402b30
0x00402b36
0x00402b4a
0x00402b50
0x00402b5e
0x00402b78
0x00402b7e
0x00402b84
0x00402b8d
0x00402b8f
0x00402b8f
0x00402b96
0x00402b9f
0x00402ba4
0x00402ba4
0x00402baf
0x00402bb9
0x00402bc0
0x00402bc2
0x00402bc2
0x00402bcc
0x00402bd5
0x00402bd5
0x00402be4
0x00402be9
0x00402c1e
0x00402c24
0x00402c28
0x00402c34
0x00402c36
0x00402c37
0x00402c3f
0x00402c43
0x00402c47
0x00402c4f
0x00402c53
0x00402c57
0x00402c5b
0x00402bf3
0x00402bf7
0x00402bff
0x00402c01
0x00402c02
0x00402c0a
0x00402c0e
0x00402c12
0x00402c16
0x00402c16
0x00402c5d
0x00402c5d
0x00402b60
0x00402b62
0x00402b62
0x00402b5e
0x00402b50
0x00402c69
0x00402c6b
0x00402c6d
0x00402c77
0x00000000
0x00000000
0x00402c7d
0x00402c83
0x00402c90
0x00402c95
0x00402c9b
0x00402ca0
0x00402ca8
0x00402cac
0x00402cac
0x00402ca8
0x00402cb1
0x00402cba
0x00402cbf
0x00402cc5
0x00402cd2
0x00402cd6
0x00402cd6
0x00402cd2
0x00402cdb
0x00402ce4
0x00000000
0x00402ce6
0x00402ce9
0x00402cef
0x00402cf4
0x00402cfc
0x00000000
0x00000000
0x00000000
0x00402d00

APIs

SetThreadExecutionState.KERNEL32 ref: 00402B62
GetAsyncKeyState.USER32(00000010), ref: 00402B6F
SendInput.USER32(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402C5D

Strings

~, xrefs: 00402BB9
~, xrefs: 00402B84

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: State$AsyncExecutionInputSendThread
String ID: ~$~
API String ID: 3005571445-3883606485
Opcode ID: cf970ab741a0cd2cbb4f10e44767d8f2130443aa63ff88278c6e8bffd008818b
Instruction ID: 7130108b890031132239ec38ca8d7c972d48cb564a9e12af4e1f8d4db92a3455
Opcode Fuzzy Hash: cf970ab741a0cd2cbb4f10e44767d8f2130443aa63ff88278c6e8bffd008818b
Instruction Fuzzy Hash: 5D51B370608B408BD325DF3585487ABB7E5BF84704F04492EE4E9A73D1D7B9AA45CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00401F90 Relevance: 180.8, APIs: 84, Strings: 19, Instructions: 510
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00401F90(void* __ecx, signed int _a4) {
				int _v12;
				char _v20;
				signed int _v48;
				char _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				char _v188;
				void* _v196;
				char _v208;
				char _v212;
				void* _v216;
				void* _v220;
				char* _v224;
				char _v228;
				void* _v232;
				void* _v240;
				struct _OSVERSIONINFOA _v252;
				char _v256;
				void* _v260;
				void* _v264;
				char _v268;
				char _v272;
				char _v276;
				int _v280;
				void* _v284;
				void* _v288;
				void* _v296;
				signed int _t132;
				intOrPtr* _t133;
				struct HWND__* _t135;
				int _t138;
				int _t139;
				signed int _t146;
				int _t148;
				char** _t149;
				int _t151;
				char** _t153;
				char** _t155;
				char** _t157;
				struct HWND__* _t160;
				struct HWND__* _t162;
				struct HWND__* _t164;
				struct HWND__* _t166;
				struct HWND__* _t168;
				intOrPtr* _t170;
				intOrPtr* _t174;
				intOrPtr* _t178;
				signed int _t181;
				signed int _t182;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t272;
				signed int _t273;
				void* _t281;
				intOrPtr _t283;
				void* _t284;
				void* _t285;

				_push(0xffffffff);
				_push(E00404B83);
				_push( *[fs:0x0]);
				_t132 = _a4;
				 *[fs:0x0] = _t283;
				_t284 = _t283 - 0xc4;
				_push(_t181);
				_t281 = __ecx;
				_push(_t132);
				 *((char*)(__ecx + 0x348)) = 1;
				 *((intOrPtr*)(__ecx + 0x34c)) = 0x3b;
				 *((char*)(__ecx + 0x360)) = 0;
				 *((char*)(__ecx + 0x361)) = 0;
				 *((char*)(__ecx + 0x368)) = 0;
				L004046B2(); // executed
				if(_t132 != 0xffffffff) {
					L004044FC();
					_t133 =  *((intOrPtr*)(_t132 + 4));
					L004046AC();
					_v12 = 0;
					L004046A6();
					L004046A0();
					_t272 = __imp___mbscmp;
					_v20 = 1;
					_t135 =  *_t272( *_t133, "1",  &_v212, 1,  *((intOrPtr*)(_t133 + 0x74)));
					_t285 = _t284 + 8;
					if(_t135 == 0) {
						L11:
						_t182 = 1;
						L12:
						_v20 = 0;
						L00404538();
						if(_t182 != 0) {
							_t135 = atoi(_v224);
							_t285 = _t285 + 4;
							 *(_t281 + 0x34c) = _t135;
						}
						L0040469A();
						_push("-appexit");
						L00404694();
						_t273 = _t272 | 0xffffffff;
						if(_t135 == _t273) {
							_push("-appon");
							L00404694();
							if(_t135 == _t273) {
								_push("-appoff");
								L00404694();
								if(_t135 == _t273) {
									_push("-apptoggleshowdlg");
									L00404694();
									if(_t135 == _t273) {
										_push("-apptoggle");
										L00404694();
										if(_t135 == _t273) {
											_push("-replace");
											L00404694();
											if(_t135 != _t273) {
												_t135 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
												if(_t135 != 0) {
													_t135 = SendMessageA(_t135, 0x10, 0, 0);
												}
											}
											_push("-noicon");
											L00404694();
											if(_t135 != _t273 || E00403000(_t281 + 0xc0, _t281, 0x800a, "Caffeine", 0, 0x81, 0, 0, 0, 0, 0xa) != 0) {
												E00403350(_t281 + 0xc0, 0x80);
												 *((char*)(_t281 + 0x100)) =  *((intOrPtr*)(_t281 + 0x348));
												_t138 = E004034A0(_t281 + 0xc0, 0x8005, 0);
												_push("-startoff");
												L00404694();
												if(_t138 != 0xffffffff) {
													_t138 = E004027F0(_t138, _t281);
												}
												_push("-useshift");
												L00404694();
												if(_t138 != 0xffffffff) {
													 *((char*)(_t281 + 0x360)) = 1;
												}
												_push("-allowss");
												L00404694();
												if(_t138 != 0xffffffff) {
													 *((char*)(_t281 + 0x361)) = 1;
												}
												_push("-keypress");
												L00404694();
												if(_t138 != 0xffffffff) {
													 *((char*)(_t281 + 0x368)) = 1;
												}
												_push("-exitafter:");
												L00404694();
												 *(_t281 + 0x35c) = _t138;
												if(_t138 != 0xffffffff) {
													_t157 = _t138 + 0xb;
													_push(_t157);
													_push( &_v268);
													L0040468E();
													_t138 = atoi( *_t157);
													_t285 = _t285 + 4;
													 *(_t281 + 0x35c) = _t138;
													L00404538();
												}
												_push("-activefor:");
												L00404694();
												 *(_t281 + 0x354) = _t138;
												if(_t138 != 0xffffffff) {
													_t155 = _t138 + 0xb;
													_push(_t155);
													_push( &_v272);
													L0040468E();
													_t138 = atoi( *_t155);
													_t285 = _t285 + 4;
													 *(_t281 + 0x354) = _t138;
													L00404538();
												}
												_push("-key:");
												L00404694();
												 *(_t281 + 0x364) = _t138;
												if(_t138 != 0xffffffff) {
													_push(_t138 + 5);
													_t153 =  &_v276;
													_push(_t153);
													L0040468E();
													_t138 = atoi( *_t153);
													_t285 = _t285 + 4;
													 *(_t281 + 0x364) = _t138;
													L00404538();
												}
												_push("-inactivefor:");
												L00404694();
												 *(_t281 + 0x358) = _t138;
												if(_t138 != 0xffffffff) {
													_t149 = _t138 + 0xd;
													_push(_t149);
													_push( &_v280);
													L0040468E();
													_t151 = atoi( *_t149);
													_t285 = _t285 + 4;
													L00404538();
													_t138 = E004027F0(_t151, _t281);
													 *(_t281 + 0x358) = _t151;
												}
												_push("-showdlg");
												L00404694();
												if(_t138 != 0xffffffff) {
													_push(0x60);
													L00404406();
													_t285 = _t285 + 4;
													_v280 = _t138;
													_v84 = 2;
													if(_t138 == 0) {
														_t148 = 0;
													} else {
														_t148 = E00404200(_t138, 0);
													}
													_push("-ontaskbar");
													_v84 = 0;
													 *((intOrPtr*)(_t281 + 0x36c)) = _t148;
													L00404694();
													if(_t148 == 0xffffffff) {
														_push(_t281);
													} else {
														_push(0);
													}
													_push(0x8b);
													L00404688();
													_push(1);
													L00404682();
													_push(0);
													L0040467C();
												}
												_t139 = SetTimer( *(_t281 + 0x20), 0x4c8, 0x3e8, 0); // executed
												 *(_t281 + 0x340) = _t139;
												 *(_t281 + 0x344) =  *(_t281 + 0x34c);
												memset( &_v252, 0, 0x27 << 2);
												_t285 = _t285 + 0xc;
												 *(_t281 + 0x350) = 0;
												_v252.dwOSVersionInfoSize = 0x9c;
												if(GetVersionExA( &_v252) != 0) {
													L61:
													if(_v252.dwPlatformId != 2 || _v252.dwMajorVersion != 5) {
														goto L64;
													} else {
														 *((char*)(_t281 + 0x349)) = 1;
														goto L65;
													}
												} else {
													_v252.dwOSVersionInfoSize = 0x94;
													if(GetVersionExA( &_v252) == 0) {
														L64:
														 *((char*)(_t281 + 0x349)) = 0;
														L65:
														_push("ZhornSoftwareCaffeineMain");
														L00404586(); // executed
														E00402A30(_t281);
														E004029C0();
														_v92 = 0xffffffff;
														L00404538();
														_t146 = 0;
														goto L66;
													}
													goto L61;
												}
											} else {
												goto L34;
											}
										}
										_t160 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
										if(_t160 != 0) {
											SendMessageA(_t160, 0x111, 0x409, 0);
										}
										goto L34;
									}
									_t162 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
									if(_t162 != 0) {
										SendMessageA(_t162, 0x111, 0x46f, 0);
									}
									goto L34;
								}
								_t164 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
								if(_t164 != 0) {
									SendMessageA(_t164, 0x111, 0x408, 0);
								}
								goto L34;
							}
							_t166 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
							if(_t166 != 0) {
								SendMessageA(_t166, 0x111, 0x465, 0);
							}
							goto L34;
						} else {
							_t168 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
							if(_t168 != 0) {
								SendMessageA(_t168, 0x10, 0, 0);
							}
							L34:
							_v48 = _t273;
							L00404538();
							_t146 = _t273;
							goto L66;
						}
					}
					_t170 =  &_v188;
					L004046A0();
					_t135 =  *_t272( *_t170, "2", _t170, 1);
					_t285 = _t285 + 8;
					_t186 = _t181 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t186 != 0) {
						goto L11;
					}
					L004046A0();
					_t135 =  *_t272(_t135->i, "3",  &_v208, 1);
					_t285 = _t285 + 8;
					_t187 = _t186 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t187 != 0) {
						goto L11;
					}
					L004046A0();
					_t135 =  *_t272(_t135->i, "4",  &_v208, 1);
					_t285 = _t285 + 8;
					_t188 = _t187 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t188 != 0) {
						goto L11;
					}
					_t174 =  &_v228;
					L004046A0();
					_t135 =  *_t272( *_t174, "5", _t174, 1);
					_t285 = _t285 + 8;
					_t189 = _t188 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t189 != 0) {
						goto L11;
					}
					L004046A0();
					_t135 =  *_t272(_t135->i, "6",  &(_v252.dwMinorVersion), 1);
					_t285 = _t285 + 8;
					_t190 = _t189 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t190 != 0) {
						goto L11;
					}
					L004046A0();
					_t135 =  *_t272(_t135->i, "7",  &(_v252.dwPlatformId), 1);
					_t285 = _t285 + 8;
					_t191 = _t190 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t191 != 0) {
						goto L11;
					}
					_t178 =  &_v256;
					L004046A0();
					_t135 =  *_t272( *_t178, "8", _t178, 1);
					_t285 = _t285 + 8;
					_t192 = _t191 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t192 != 0) {
						goto L11;
					}
					L004046A0();
					_t135 =  *_t272(_t135->i, "9",  &_v272, 1);
					_t285 = _t285 + 8;
					_t182 = _t192 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t182 == 0) {
						goto L12;
					}
					goto L11;
				} else {
					_t146 = _t132;
					L66:
					 *[fs:0x0] = _v100;
					return _t146;
				}
			}

0x00401f96
0x00401f98
0x00401f9d
0x00401f9e
0x00401fa2
0x00401fa9
0x00401faf
0x00401fb1
0x00401fb4
0x00401fb5
0x00401fbc
0x00401fc6
0x00401fcd
0x00401fd4
0x00401fdb
0x00401fe3
0x00401fec
0x00401ff1
0x00401ffc
0x00402005
0x00402010
0x00402020
0x00402027
0x00402033
0x0040203b
0x0040203d
0x00402042
0x004021d4
0x004021d4
0x004021d6
0x004021da
0x004021e2
0x004021ef
0x004021f6
0x004021f8
0x004021fb
0x004021fb
0x00402205
0x0040220a
0x00402213
0x00402218
0x0040221d
0x00402246
0x0040224f
0x00402256
0x00402285
0x0040228e
0x00402295
0x004022c4
0x004022cd
0x004022d4
0x00402303
0x0040230c
0x00402313
0x0040233f
0x00402348
0x0040234f
0x00402358
0x00402360
0x00402369
0x00402369
0x00402360
0x0040236f
0x00402378
0x0040237f
0x004023d0
0x004023e4
0x004023ea
0x004023ef
0x004023f8
0x00402400
0x00402404
0x00402404
0x00402409
0x00402412
0x0040241a
0x0040241c
0x0040241c
0x00402423
0x0040242c
0x00402434
0x00402436
0x00402436
0x0040243d
0x00402446
0x0040244e
0x00402450
0x00402450
0x00402457
0x00402460
0x00402468
0x0040246e
0x00402470
0x00402477
0x00402478
0x0040247d
0x00402485
0x00402487
0x0040248e
0x00402494
0x00402494
0x00402499
0x004024a2
0x004024aa
0x004024b0
0x004024b2
0x004024b9
0x004024ba
0x004024bf
0x004024c7
0x004024c9
0x004024d0
0x004024d6
0x004024d6
0x004024db
0x004024e4
0x004024ec
0x004024f2
0x004024fb
0x004024fc
0x00402500
0x00402501
0x00402509
0x0040250b
0x00402512
0x00402518
0x00402518
0x0040251d
0x00402526
0x0040252e
0x00402534
0x00402536
0x0040253d
0x0040253e
0x00402543
0x0040254b
0x0040254d
0x00402556
0x0040255d
0x00402562
0x00402562
0x00402568
0x00402571
0x0040257e
0x00402580
0x00402582
0x00402587
0x0040258a
0x00402590
0x00402597
0x004025a4
0x00402599
0x0040259d
0x0040259d
0x004025a6
0x004025af
0x004025b7
0x004025bd
0x004025cb
0x004025d1
0x004025cd
0x004025cd
0x004025cd
0x004025d2
0x004025d7
0x004025e2
0x004025e4
0x004025ef
0x004025f1
0x004025f1
0x00402606
0x0040260c
0x00402618
0x00402629
0x00402629
0x00402636
0x00402640
0x0040264c
0x00402661
0x00402665
0x00000000
0x0040266e
0x0040266e
0x00000000
0x0040266e
0x0040264e
0x00402652
0x0040265f
0x00402677
0x00402677
0x0040267e
0x0040267e
0x00402685
0x0040268c
0x00402693
0x0040269c
0x004026a7
0x004026ac
0x00000000
0x004026ac
0x00000000
0x0040265f
0x00000000
0x00000000
0x00000000
0x0040237f
0x0040231c
0x00402324
0x00402337
0x00402337
0x00000000
0x00402324
0x004022dd
0x004022e5
0x004022f8
0x004022f8
0x00000000
0x004022e5
0x0040229e
0x004022a6
0x004022b9
0x004022b9
0x00000000
0x004022a6
0x0040225f
0x00402267
0x0040227a
0x0040227a
0x00000000
0x0040221f
0x00402226
0x0040222e
0x0040223b
0x0040223b
0x004023ac
0x004023b0
0x004023b7
0x004023bc
0x00000000
0x004023bc
0x0040221d
0x00402048
0x00402053
0x00402060
0x00402062
0x0040206b
0x0040206e
0x00402075
0x00000000
0x00000000
0x00402086
0x00402093
0x00402095
0x0040209e
0x004020a1
0x004020a8
0x00000000
0x00000000
0x004020b9
0x004020c6
0x004020c8
0x004020d1
0x004020d4
0x004020db
0x00000000
0x00000000
0x004020e1
0x004020ec
0x004020f9
0x004020fb
0x00402104
0x00402107
0x0040210e
0x00000000
0x00000000
0x0040211f
0x0040212c
0x0040212e
0x00402137
0x0040213a
0x00402141
0x00000000
0x00000000
0x00402152
0x0040215f
0x00402161
0x0040216a
0x0040216d
0x00402174
0x00000000
0x00000000
0x00402176
0x00402181
0x0040218e
0x00402190
0x00402199
0x0040219c
0x004021a3
0x00000000
0x00000000
0x004021b0
0x004021bd
0x004021bf
0x004021c8
0x004021cb
0x004021d2
0x00000000
0x00000000
0x00000000
0x00401fe5
0x00401fe5
0x004026ae
0x004026b8
0x004026c5
0x004026c5

APIs

#4457.MFC42 ref: 00401FDB
#1168.MFC42 ref: 00401FEC
#537.MFC42(?), ref: 00401FFC
#6282.MFC42(?), ref: 00402010
#4129.MFC42(?,00000001,?), ref: 00402020
_mbscmp.MSVCRT ref: 0040203B
#4129.MFC42(?,00000001), ref: 00402053
_mbscmp.MSVCRT ref: 00402060
#800.MFC42 ref: 0040206E
#4129.MFC42(?,00000001), ref: 00402086
_mbscmp.MSVCRT ref: 00402093
#800.MFC42 ref: 004020A1
#4129.MFC42(?,00000001), ref: 004020B9
_mbscmp.MSVCRT ref: 004020C6
#800.MFC42 ref: 004020D4
#4129.MFC42(?,00000001), ref: 004020EC
_mbscmp.MSVCRT ref: 004020F9
#800.MFC42 ref: 00402107
#4129.MFC42(?,00000001), ref: 0040211F
_mbscmp.MSVCRT ref: 0040212C

Strings

-ontaskbar, xrefs: 004025A6
-apptoggleshowdlg, xrefs: 004022C4
-startoff, xrefs: 004023EF
-appon, xrefs: 00402246
-appexit, xrefs: 0040220A
-allowss, xrefs: 00402423
-keypress, xrefs: 0040243D
-noicon, xrefs: 0040236F
-useshift, xrefs: 00402409
-appoff, xrefs: 00402285
-replace, xrefs: 0040233F
ZhornSoftwareCaffeineMain, xrefs: 0040221F, 00402258, 00402297, 004022D6, 00402315, 00402351, 0040267E
Caffeine, xrefs: 00402392
-inactivefor:, xrefs: 0040251D
-showdlg, xrefs: 00402568
-activefor:, xrefs: 00402499
-exitafter:, xrefs: 00402457
-apptoggle, xrefs: 00402303
-key:, xrefs: 004024DB

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #4129_mbscmp$#800$#1168#4457#537#6282
String ID: -activefor:$-allowss$-appexit$-appoff$-appon$-apptoggle$-apptoggleshowdlg$-exitafter:$-inactivefor:$-key:$-keypress$-noicon$-ontaskbar$-replace$-showdlg$-startoff$-useshift$Caffeine$ZhornSoftwareCaffeineMain
API String ID: 391348798-4234960208
Opcode ID: 99ace425fdb636f7f91c8ef20ba56ff12b9d0d4e6daea354cca41ef53e4d0670
Instruction ID: f506843601e50281f4d27f22570277cefe89ea0afaa43e977a867d660fa2b463
Opcode Fuzzy Hash: 99ace425fdb636f7f91c8ef20ba56ff12b9d0d4e6daea354cca41ef53e4d0670
Instruction Fuzzy Hash: D802E3702443406BD614EF74CD86FAB7798AF90704F140D3EFAA5B61D1EBBDA508CA1A

Uniqueness

Uniqueness Score: -1.00%

Function 00404786 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x405e58);
				_push(0x40490c);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x40770c =  *0x40770c | 0xffffffff;
				 *0x407710 =  *0x407710 | 0xffffffff;
				_t23 = __p__fmode();
				_t46 =  *0x407700; // 0x0
				 *_t23 = _t46;
				_t24 = __p__commode();
				_t47 =  *0x4076fc; // 0x0
				 *_t24 = _t47;
				 *0x407708 = _adjust_fdiv;
				_t27 = E0040490B( *_adjust_fdiv);
				_t61 =  *0x4075c0; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E00404908);
				}
				E004048F6(_t27);
				_push(0x407024);
				_push(0x407020);
				L004048F0();
				_t29 =  *0x4076f8; // 0x0
				_v112 = _t29;
				_t6 =  &_v116; // 0x407024
				__getmainargs( &_v100, _t6,  &_v104,  *0x4076f4,  &_v112);
				_push(0x40701c);
				_push(0x407000); // executed
				L004048F0(); // executed
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = E00404918(GetModuleHandleA(0), _t39, 0, _t55, _t38);
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L004048EA();
				return _t41;
			}

0x00404789
0x0040478b
0x00404790
0x0040479b
0x0040479c
0x004047a9
0x004047ae
0x004047b3
0x004047ba
0x004047c1
0x004047c8
0x004047ce
0x004047d4
0x004047d6
0x004047dc
0x004047e2
0x004047eb
0x004047f0
0x004047f5
0x004047fb
0x00404802
0x00404808
0x00404809
0x0040480e
0x00404813
0x00404818
0x0040481d
0x00404822
0x00404833
0x0040483b
0x00404841
0x00404846
0x0040484b
0x00404858
0x0040485a
0x00404860
0x0040489c
0x004048a1
0x004048a2
0x004048a2
0x00404862
0x00404862
0x00404862
0x00404863
0x00404866
0x00404868
0x00404873
0x00404875
0x00404875
0x00404876
0x00404876
0x00404873
0x00404879
0x0040487d
0x00000000
0x00000000
0x00404883
0x0040488a
0x00404894
0x004048a9
0x00404896
0x00404896
0x00404896
0x004048b5
0x004048ba
0x004048be
0x004048c4
0x004048c9
0x004048cb
0x004048ce
0x004048cf
0x004048d0
0x004048d7

APIs

__set_app_type.MSVCRT ref: 004047B3
__p__fmode.MSVCRT ref: 004047C8
__p__commode.MSVCRT ref: 004047D6
__setusermatherr.MSVCRT ref: 00404802
_initterm.MSVCRT ref: 00404818
__getmainargs.MSVCRT ref: 0040483B
_initterm.MSVCRT ref: 0040484B
GetStartupInfoA.KERNEL32(?), ref: 0040488A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004048AE
exit.MSVCRT ref: 004048BE
_XcptFilter.MSVCRT ref: 004048D0

Strings

$p@, xrefs: 00404833, 00404836

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: $p@
API String ID: 801014965-2581991240
Opcode ID: 2737bbf50394ae4e421a855646841bd4d4e14f1d7082e1af04d5c302a0b19e63
Instruction ID: fdab568d6576409bb270f334b5292f4fafa518eed26b3edb5a9e7198efd30a91
Opcode Fuzzy Hash: 2737bbf50394ae4e421a855646841bd4d4e14f1d7082e1af04d5c302a0b19e63
Instruction Fuzzy Hash: E441B1F6C04788AFD720AFA4DD44AAA7BB8EB48710F20453BEA41B72D1C7785840CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00403E90 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E00403E90() {
				char _v8;
				void* _v16;
				char _v20;
				char _v24;
				char _v32;
				intOrPtr _v40;
				void* _v44;
				intOrPtr _t9;
				char* _t10;
				intOrPtr _t15;

				_push(0xffffffff);
				_push(E00404D50);
				_t9 =  *[fs:0x0];
				_push(_t9);
				 *[fs:0x0] = _t15;
				_push("and writt");
				L004046AC(); // executed
				_push(0x65);
				_push(_t9);
				_t10 =  &_v24;
				_v8 = 0;
				_push(_t10);
				L00404724();
				_push("n by Tom");
				_push(_t10);
				_push("p&[");
				_v20 = 1;
				L0040471E();
				_v32 = 0;
				L00404538();
				_v32 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v40;
				return _t10;
			}

0x00403e90
0x00403e92
0x00403e97
0x00403e9d
0x00403e9e
0x00403ea8
0x00403eb1
0x00403eb6
0x00403eb8
0x00403eb9
0x00403ebd
0x00403ec5
0x00403ec6
0x00403ecb
0x00403ed0
0x00403ed1
0x00403ed6
0x00403edb
0x00403ee4
0x00403ee9
0x00403ef2
0x00403efa
0x00403f03
0x00403f0d

APIs

#537.MFC42(and writt), ref: 00403EB1
#923.MFC42(00000065,?,?,?,?,?,?,?,000000FF,00403E85), ref: 00403EC6
#924.MFC42(p&[,00000000,n by Tom,00000065,?,?,?,?,?,?,?,000000FF,00403E85), ref: 00403EDB
#800.MFC42(p&[,00000000,n by Tom,00000065,?,?,?,?,?,?,?,000000FF,00403E85), ref: 00403EE9
#800.MFC42(p&[,00000000,n by Tom,00000065,?,?,?,?,?,?,?,000000FF,00403E85), ref: 00403EFA

Strings

n by Tom, xrefs: 00403ECB
p&[, xrefs: 00403ED1
and writt, xrefs: 00403EA8

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #800$#537#923#924
String ID: and writt$n by Tom$p&[
API String ID: 1839555536-1179445052
Opcode ID: 8053070067e40581ba23650f3435c37d0ef149bfa70386d904a1f2d84979f54c
Instruction ID: 93ee3cd64a174162421e17872db4e77543d706e5306ed7bdd5ea69b74530bc8b
Opcode Fuzzy Hash: 8053070067e40581ba23650f3435c37d0ef149bfa70386d904a1f2d84979f54c
Instruction Fuzzy Hash: C3F062B0448781BBC304EF14CC46B4ABBD4AB91B15F504A2EB5A5236D1DB7C9108CA5B

Uniqueness

Uniqueness Score: -1.00%

Function 004010B0 Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E004010B0(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v44;
				intOrPtr _t14;
				intOrPtr _t15;
				void* _t29;
				intOrPtr _t32;

				_push(0xffffffff);
				_push(E0040498A);
				_t14 =  *[fs:0x0];
				_push(_t14);
				 *[fs:0x0] = _t32;
				_t29 = __ecx;
				L0040440C();
				_push(0x370);
				L00404406();
				_v32 = _t14;
				_v4 = 0;
				if(_t14 == 0) {
					_t15 = 0;
				} else {
					_t15 = E00401EB0(_t14);
				}
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v28);
				_push(0);
				_push(0);
				_push(0);
				_v4 = 0xffffffff;
				 *((intOrPtr*)(_t29 + 0xc4)) = _t15;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				L00404400(); // executed
				if(_t15 != 0) {
					 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t29 + 0xc4));
					 *[fs:0x0] = _v44;
					return 1;
				} else {
					 *[fs:0x0] = _v44;
					return _t15;
				}
			}

0x004010b0
0x004010b2
0x004010b7
0x004010bd
0x004010be
0x004010ca
0x004010cc
0x004010d1
0x004010d6
0x004010de
0x004010e6
0x004010ea
0x004010f5
0x004010ec
0x004010ee
0x004010ee
0x004010f7
0x004010f8
0x004010f9
0x004010fe
0x004010ff
0x00401100
0x00401101
0x00401102
0x00401105
0x0040110d
0x00401113
0x00401117
0x0040111b
0x0040111f
0x00401123
0x0040112a
0x00401147
0x00401151
0x0040115b
0x0040112c
0x00401132
0x0040113c
0x0040113c

APIs

#2621.MFC42 ref: 004010CC
#823.MFC42(00000370), ref: 004010D6
#2092.MFC42 ref: 00401123

Part of subcall function 00401EB0: #366.MFC42(?,00000000,00000000,00404B28,000000FF,004010F3), ref: 00401ECD

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #2092#2621#366#823
String ID:
API String ID: 2268764163-0
Opcode ID: 683b3c79bd9f6b4bfadf9be907033440c828dad569ab0290086935c78284fe1c
Instruction ID: 02574b38cc50e8d9c1897a6c387a58067b250ed6537a73a29c6a92591854185e
Opcode Fuzzy Hash: 683b3c79bd9f6b4bfadf9be907033440c828dad569ab0290086935c78284fe1c
Instruction Fuzzy Hash: 15115EB1504780ABD324DF2AC941B6BFAE8FBD5B10F404A3FF595937D0D77894028A52

Uniqueness

Uniqueness Score: -1.00%

Function 00403350 Relevance: 4.5, APIs: 3, Instructions: 16
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00403350(void* __ecx, signed int _a4) {
				struct HINSTANCE__* _t3;
				void* _t8;

				_t8 = __ecx;
				L004044FC();
				_t3 = _a4 & 0x0000ffff;
				_push(_t3);
				_push(0xe);
				L004044F6(); // executed
				return E00403320(_t8, LoadIconA(_t3, _t3));
			}

0x00403351
0x00403353
0x0040335c
0x00403361
0x00403362
0x00403365
0x0040337a

APIs

#1168.MFC42(?,004023D5,00000080,-noicon,-replace,-apptoggle,-apptoggleshowdlg,-appoff,-appon,-appexit), ref: 00403353
#1146.MFC42(?,0000000E,?,?,004023D5,00000080,-noicon,-replace,-apptoggle,-apptoggleshowdlg,-appoff,-appon,-appexit), ref: 00403365
LoadIconA.USER32(00000000,?), ref: 0040336B

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #1146#1168IconLoad
String ID:
API String ID: 1270145794-0
Opcode ID: e27460b68f97278d09c7f8f7ab4d1dc8842c15d5636e7485ee381ab9598b3fc9
Instruction ID: 69aa662458a5f531faae11e4b0eb1e2118290ea9476756fabce9aea489a5acdf
Opcode Fuzzy Hash: e27460b68f97278d09c7f8f7ab4d1dc8842c15d5636e7485ee381ab9598b3fc9
Instruction Fuzzy Hash: C6D0C9B251462226D524B7699C46FAB254C9F84305B01483A7600F71D5CD7CD88156BC

Uniqueness

Uniqueness Score: -1.00%

Function 00403420 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00403420(void* __ecx, intOrPtr _a4) {
				intOrPtr _t7;
				int _t10;

				if( *((intOrPtr*)(__ecx + 0x22c)) != 0) {
					 *((intOrPtr*)(__ecx + 0x4d)) = 4;
					_t7 =  *0x407550; // 0x80
					__imp___mbsnbcpy(__ecx + 0x59, _a4, _t7 - 1);
					if( *((intOrPtr*)(__ecx + 0x230)) == 0) {
						_t10 = Shell_NotifyIconA(1, __ecx + 0x41); // executed
						return _t10;
					} else {
						return 1;
					}
				} else {
					return 0;
				}
			}

0x0040342b
0x00403437
0x0040343e
0x0040344a
0x0040345b
0x0040346c
0x00403473
0x0040345d
0x00403463
0x00403463
0x0040342d
0x00403430
0x00403430

APIs

_mbsnbcpy.MSVCRT ref: 0040344A

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: _mbsnbcpy
String ID:
API String ID: 1791573619-0
Opcode ID: a54bdd212721f15a9da34ab35c738f99b25ce21e2ce7e2c73faf8e2b84759761
Instruction ID: b1e522a42698a6aae6a07e4e8578c056bb5adab7fa1212d67f14f4c275588573
Opcode Fuzzy Hash: a54bdd212721f15a9da34ab35c738f99b25ce21e2ce7e2c73faf8e2b84759761
Instruction Fuzzy Hash: 35F030B1604710ABD720DF38ED48FD777A8EB54350F05882AFD45D7280E2B5ED40CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040473C Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_onexit.KERNELBASE ref: 00404749
__dllonexit.MSVCRT ref: 0040475F

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: __dllonexit_onexit
String ID:
API String ID: 2384194067-0
Opcode ID: 74ab65eb9dca489cea011b4af264b018869b17bba543ccce6cd5d5265cfecb83
Instruction ID: 3560a2a85d8bc6da7f8465911b23706449da8e72a643976eea9633fd7fcdf7d9
Opcode Fuzzy Hash: 74ab65eb9dca489cea011b4af264b018869b17bba543ccce6cd5d5265cfecb83
Instruction Fuzzy Hash: 97C0C975808200AACA012714AD8665A3711E6C0BA2B608B3AF665310E187B96564EA4A

Uniqueness

Uniqueness Score: -1.00%

Function 00403320 Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403320(void* __ecx, intOrPtr _a4) {
				int _t7;

				if( *((intOrPtr*)(__ecx + 0x22c)) != 0) {
					 *((intOrPtr*)(__ecx + 0x4d)) = 2;
					 *((intOrPtr*)(__ecx + 0x55)) = _a4;
					_t7 = Shell_NotifyIconA(1, __ecx + 0x41); // executed
					return _t7;
				} else {
					return 0;
				}
			}

0x00403328
0x00403333
0x0040333a
0x00403343
0x00403349
0x0040332a
0x0040332c
0x0040332c

APIs

Shell_NotifyIconA.SHELL32(00000001,?,00403379,00000000,?,004023D5,00000080,-noicon,-replace,-apptoggle,-apptoggleshowdlg,-appoff,-appon,-appexit), ref: 00403343

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6027ecfbcc8562672cd7633f8f7ab8a56b1d2a2eb048df20e9580d3528f68953
Instruction ID: 826fa27bb1a59d9b9be6ff5669ef0ecb807fb1ab48b253733c37398ff525977c
Opcode Fuzzy Hash: 6027ecfbcc8562672cd7633f8f7ab8a56b1d2a2eb048df20e9580d3528f68953
Instruction Fuzzy Hash: 11D092F0641201ABEB14CF61CA49F5776E4AB60749F14807DE9099A282E6B79802CA28

Uniqueness

Uniqueness Score: -1.00%

Function 00404918 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00404918(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				L00404970(); // executed
				return __eax;
			}

0x00404918
0x0040491c
0x00404920
0x00404924
0x00404928
0x0040492d

APIs

#1576.MFC42(004048BA,004048BA,004048BA,004048BA,004048BA,00000000,?,0000000A), ref: 00404928

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction ID: 230b90cec560b6285ba54e04a4d0fdc70efa034c1d814bec92b4c902bc71f2d7
Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction Fuzzy Hash: 27B00276418386ABCB02DF91DC01D2FBAA2BFD8304F484C2DB2E1110B187768438FB56

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401190 Relevance: 13.6, APIs: 9, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00401190(void* __ecx) {
				signed int _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				int _t16;
				int _t21;
				int _t22;
				int _t37;
				struct tagRECT* _t48;
				void* _t56;

				_t56 = __ecx;
				_t16 = IsIconic( *(__ecx + 0x20));
				if(_t16 == 0) {
					L0040451A();
					return _t16;
				} else {
					_push(_t56);
					L00404526();
					asm("sbb eax, eax");
					SendMessageA( *(_t56 + 0x20), 0x27,  ~( &_v88) & _v84, 0);
					_t21 = GetSystemMetrics(0xb);
					_t22 = GetSystemMetrics(0xc);
					_t48 =  &_v104;
					GetClientRect( *(_t56 + 0x20), _t48);
					asm("cdq");
					asm("cdq");
					_t37 = DrawIcon(_v84, _v96 - _v104 - _t21 + 1 - _v104 >> 1, _v92 - _v100 - _t22 + 1 - _t48 >> 1,  *(_t56 + 0xa0));
					L00404520();
					return _t37;
				}
			}

0x00401194
0x0040119a
0x004011a2
0x0040123c
0x00401245
0x004011a8
0x004011aa
0x004011af
0x004011c3
0x004011cb
0x004011d9
0x004011df
0x004011e6
0x004011ec
0x00401206
0x00401219
0x00401224
0x0040122e
0x00401239
0x00401239

APIs

IsIconic.USER32 ref: 0040119A
#470.MFC42 ref: 004011AF
SendMessageA.USER32 ref: 004011CB
GetSystemMetrics.USER32 ref: 004011D9
GetSystemMetrics.USER32 ref: 004011DF
GetClientRect.USER32 ref: 004011EC
DrawIcon.USER32 ref: 00401224
#755.MFC42 ref: 0040122E
#2379.MFC42 ref: 0040123C

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
String ID:
API String ID: 1397574227-0
Opcode ID: d3a0457c1f631a3a479a5ca6ed3b3045380df733c0b1965b88c6b3a8a16459ee
Instruction ID: 2e689e1194588269f18afad073dda88d88f281029b2ebf10d158ca71fc05ebc3
Opcode Fuzzy Hash: d3a0457c1f631a3a479a5ca6ed3b3045380df733c0b1965b88c6b3a8a16459ee
Instruction Fuzzy Hash: 9D1181B12047069FC614DF38DD49E9B77E9FBC8305F084A2DF68AD3290DA34E8058B55

Uniqueness

Uniqueness Score: -1.00%

Function 00403F70 Relevance: 73.7, APIs: 38, Strings: 4, Instructions: 176
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00403F70(void* __ecx) {
				int _v36;
				char _v48;
				char _v60;
				intOrPtr _v64;
				char _v72;
				char _v76;
				void* _v84;
				char _v88;
				char _v92;
				char _v100;
				char _v108;
				char _v112;
				char _v124;
				void* _v128;
				void* _v132;
				char _v136;
				char _v140;
				char _v148;
				char _v156;
				char _v160;
				char _v172;
				char _v184;
				char _v188;
				intOrPtr _v196;
				void* _v200;
				char _v204;
				void* _v208;
				void* _v212;
				void* _v216;
				char _v220;
				void* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				void* _v248;
				intOrPtr _v252;
				void* _v260;
				struct HINSTANCE__* _t64;
				long _t67;
				char* _t68;
				char* _t69;
				char* _t70;
				char* _t71;
				void* _t111;
				intOrPtr _t113;

				_push(0xffffffff);
				_push(E00404DD0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t113;
				_t111 = __ecx;
				L00404514();
				_t108 = __ecx + 0x60;
				_push(__ecx);
				_push(0x3eb);
				L0040450E();
				_push(__ecx + 0x60);
				_v64 = _t113 - 0x38;
				L004046AC();
				E004016D0(__ecx + 0x60, "http://www.zhornsoftware.co.uk/");
				_t64 = E00401790(_t108, 1);
				L004044FC();
				_push(0x80);
				_push(0xe);
				L004044F6();
				_t67 = SendMessageA( *(_t111 + 0x20), 0x80, 0, LoadIconA(_t64, 0x80));
				_push("Copyright");
				L004046AC();
				_push(0x65);
				_push(_t67);
				_push( &_v92);
				_v36 = 0;
				L00404724();
				_push("d to ");
				_push(_t67);
				_push( &_v108);
				_v48 = 1;
				L0040471E();
				_push("p&[");
				_push(_t67);
				_t68 =  &_v124;
				_v60 = 2;
				_push(_t68);
				L00404736();
				_v72 = 6;
				L00404538();
				_v72 = 5;
				L00404538();
				_v72 = 4;
				L00404538();
				_push(" R");
				L004046AC();
				_push(0x65);
				_push(_t68);
				_push( &_v92);
				_v76 = 7;
				L00404724();
				_v88 = 8;
				_push("v");
				_push(_t68);
				_push( &_v108);
				L0040471E();
				_push(0x65);
				_push(_t68);
				_t69 =  &_v124;
				_v100 = 9;
				_push(_t69);
				L00404724();
				_push("ll");
				_push(_t69);
				_push( &_v140);
				_v112 = 0xa;
				L0040471E();
				_push(0x20);
				_push(_t69);
				_push( &_v156);
				_v124 = 0xb;
				L00404724();
				_push("2");
				_push(_t69);
				_t70 =  &_v172;
				_v136 = 0xc;
				_push(_t70);
				L0040471E();
				_push(0x30);
				_push(_t70);
				_push( &_v188);
				_v148 = 0xd;
				L00404724();
				_push("1");
				_push(_t70);
				_push( &_v204);
				_v160 = 0xe;
				L0040471E();
				_push(0x33);
				_push(_t70);
				_t71 =  &_v220;
				_v172 = 0xf;
				_push(_t71);
				L00404724();
				_push(_t71);
				_v184 = 0x10;
				L00404730();
				_v188 = 0xf;
				L00404538();
				_v188 = 0xe;
				L00404538();
				_v188 = 0xd;
				L00404538();
				_v188 = 0xc;
				L00404538();
				_v188 = 0xb;
				L00404538();
				_v188 = 0xa;
				L00404538();
				_v188 = 9;
				L00404538();
				_v188 = 8;
				L00404538();
				_v188 = 7;
				L00404538();
				_v188 = 4;
				L00404538();
				_push(_v252);
				_push(0x3ec);
				L0040472A();
				L00404586();
				_v196 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v204;
				return 1;
			}

0x00403f70
0x00403f72
0x00403f7d
0x00403f7e
0x00403f8a
0x00403f8c
0x00403f91
0x00403f94
0x00403f95
0x00403f9c
0x00403fa1
0x00403fa4
0x00403fad
0x00403fb4
0x00403fbd
0x00403fc2
0x00403fc7
0x00403fcc
0x00403fd3
0x00403feb
0x00403ff1
0x00403ffa
0x00403fff
0x00404005
0x00404006
0x00404007
0x0040400f
0x00404014
0x0040401d
0x0040401e
0x0040401f
0x00404024
0x00404029
0x0040402e
0x0040402f
0x00404033
0x00404038
0x00404039
0x00404042
0x00404047
0x00404050
0x00404055
0x0040405e
0x00404063
0x00404068
0x00404071
0x00404076
0x0040407c
0x0040407d
0x0040407e
0x00404083
0x00404088
0x0040408d
0x00404096
0x00404097
0x00404098
0x0040409d
0x0040409f
0x004040a0
0x004040a4
0x004040a9
0x004040aa
0x004040af
0x004040b8
0x004040b9
0x004040ba
0x004040bf
0x004040c4
0x004040ca
0x004040cb
0x004040cc
0x004040d1
0x004040d6
0x004040db
0x004040dc
0x004040e0
0x004040e5
0x004040e6
0x004040eb
0x004040f1
0x004040f2
0x004040f3
0x004040f8
0x004040fd
0x00404106
0x00404107
0x00404108
0x0040410d
0x00404112
0x00404114
0x00404115
0x00404119
0x0040411e
0x0040411f
0x00404124
0x00404129
0x0040412e
0x00404137
0x0040413c
0x00404145
0x0040414a
0x00404153
0x00404158
0x00404161
0x00404166
0x0040416f
0x00404174
0x0040417d
0x00404182
0x0040418b
0x00404190
0x00404195
0x0040419e
0x004041a7
0x004041ac
0x004041b5
0x004041ba
0x004041c3
0x004041c4
0x004041cb
0x004041d2
0x004041db
0x004041e3
0x004041f2
0x004041fd

APIs

#4710.MFC42 ref: 00403F8C
#6241.MFC42(000003EB), ref: 00403F9C
#537.MFC42(http://www.zhornsoftware.co.uk/,?,000003EB), ref: 00403FAD

Part of subcall function 004016D0: #858.MFC42(?,?,?,00404A48,000000FF), ref: 004016F8
Part of subcall function 004016D0: IsWindow.USER32(?), ref: 00401709
Part of subcall function 004016D0: #6358.MFC42(?,?,00000001,?,?,00404A48,000000FF), ref: 00401725
Part of subcall function 004016D0: #800.MFC42(?,?,00404A48,000000FF), ref: 00401736

Part of subcall function 00401790: IsWindow.USER32(?), ref: 004017A9
Part of subcall function 00401790: SendMessageA.USER32 ref: 004017C5
Part of subcall function 00401790: #2860.MFC42(00000000), ref: 004017C8
Part of subcall function 00401790: GetObjectA.GDI32(?,0000003C,?), ref: 004017D8
Part of subcall function 00401790: #2414.MFC42 ref: 004017EA
Part of subcall function 00401790: CreateFontIndirectA.GDI32(?), ref: 004017F4
Part of subcall function 00401790: #1641.MFC42(00000000), ref: 004017FD
Part of subcall function 00401790: SendMessageA.USER32 ref: 00401812
Part of subcall function 00401790: InvalidateRect.USER32(?,00000000,00000001), ref: 0040181C

#1168.MFC42(?,000003EB), ref: 00403FC2
#1146.MFC42(00000080,0000000E,00000080,?,000003EB), ref: 00403FD3
LoadIconA.USER32(00000000,00000080), ref: 00403FD9
SendMessageA.USER32 ref: 00403FEB
#537.MFC42(Copyright,?,000003EB), ref: 00403FFA
#923.MFC42(?,00000000), ref: 0040400F
#924.MFC42(?,00000000,d to ,?,00000000), ref: 00404024
#922.MFC42(?,00000000,p&[,?,00000000,d to ,?,00000000), ref: 00404039
#800.MFC42(?,00000000,p&[,?,00000000,d to ,?,00000000), ref: 00404047
#800.MFC42(?,00000000,p&[,?,00000000,d to ,?,00000000), ref: 00404055
#800.MFC42(?,00000000,p&[,?,00000000,d to ,?,00000000), ref: 00404063
#537.MFC42(00407588,?,00000000,p&[,?,00000000,d to ,?,00000000), ref: 00404071
#923.MFC42(?,00000000,00000065,00407588,?,00000000,p&[,?,00000000,d to ,?,00000000), ref: 00404083
#924.MFC42(?,00000000,00407584,?,00000000,00000065,00407588,?,00000000,p&[,?,00000000,d to ,?,00000000), ref: 00404098
#923.MFC42(?,00000000,00000065,?,00000000,00407584,?,00000000,00000065,00407588,?,00000000,p&[,?,00000000,d to ), ref: 004040AA
#924.MFC42(?,00000000,00407580,?,00000000,00000065,?,00000000,00407584,?,00000000,00000065,00407588,?,00000000,p&[), ref: 004040BF
#923.MFC42(?,00000000,00000020,?,00000000,00407580,?,00000000,00000065,?,00000000,00407584,?,00000000,00000065,00407588), ref: 004040D1
#924.MFC42(?,00000000,00407478,?,00000000,00000020,?,00000000,00407580,?,00000000,00000065,?,00000000,00407584,?), ref: 004040E6
#923.MFC42(?,00000000,00000030,?,00000000,00407478,?,00000000,00000020,?,00000000,00407580,?,00000000,00000065,?), ref: 004040F8
#924.MFC42(?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020,?,00000000,00407580,?), ref: 0040410D
#923.MFC42(?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020,?), ref: 0040411F
#939.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 0040412E
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 0040413C
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 0040414A
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 00404158
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 00404166
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 00404174
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 00404182
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 00404190
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 0040419E
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 004041AC
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 004041BA
#3092.MFC42(000003EC,?,00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?), ref: 004041CB
#6199.MFC42(000003EC,?,00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?), ref: 004041D2
#800.MFC42(000003EC,?,00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?), ref: 004041E3

Strings

d to , xrefs: 00404014
p&[, xrefs: 00404029
http://www.zhornsoftware.co.uk/, xrefs: 00403FA8
Copyright, xrefs: 00403FF1

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #800$#923$#924$#537MessageSend$Window$#1146#1168#1641#2414#2860#3092#4710#6199#6241#6358#858#922#939CreateFontIconIndirectInvalidateLoadObjectRect
String ID: Copyright$d to $http://www.zhornsoftware.co.uk/$p&[
API String ID: 3006126851-1757408980
Opcode ID: 29200f4f85b3c62d76dd857aae978e8929f35be0d2d91fa12cef3c3978bf053e
Instruction ID: d84603b2a0d053dc8d7841b4659286c1ddde81081368e72ce63422313928a5ce
Opcode Fuzzy Hash: 29200f4f85b3c62d76dd857aae978e8929f35be0d2d91fa12cef3c3978bf053e
Instruction Fuzzy Hash: 18612FB01083C0AAD315E765C886B5FBBD8AFD6748F444D2EF685621D2DBBC9508862B

Uniqueness

Uniqueness Score: -1.00%

Function 00401AB0 Relevance: 61.3, APIs: 20, Strings: 15, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00401AB0(void* __ecx, char _a4) {
				char _v4;
				void* _v12;
				char _v16;
				char _v20;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				void* _v44;
				char* _t32;
				char _t46;
				intOrPtr _t48;

				_push(0xffffffff);
				_push(E00404AB0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				L0040454A();
				_t46 = _a4;
				_v4 = 0;
				if(_t46 > 0x20) {
					L15:
					_push(_t46);
					_push("Unknown Error (%d) occurred.");
					_push( &_v16);
					L004045D4();
					_t48 = _t48 + 0xc;
				} else {
					switch( *((intOrPtr*)(0 +  &M00401C4C))) {
						case 0:
							_push("The operating system is out\nof memory or resources.");
							L004045DA();
							goto L16;
						case 1:
							_push("The specified file was not found.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 2:
							_push("The specified path was not found.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 3:
							_push("The operating system denied\naccess to the specified file.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 4:
							_push("There was not enough memory to complete the operation.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 5:
							_push("The .EXE file is invalid\n(non-Win32 .EXE or error in .EXE image).");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 6:
							_push("A sharing violation occurred. ");
							__ecx =  &_v16;
							L004045DA();
							goto L15;
						case 7:
							_push("The filename association is\nincomplete or invalid.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 8:
							_push("The DDE transaction could not\nbe completed because the request timed out.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 9:
							_push("The DDE transaction failed.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 0xa:
							_push("The DDE transaction could not\nbe completed because other DDE transactions\nwere being processed.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 0xb:
							_push("There is no application associated\nwith the given filename extension.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 0xc:
							_push("The specified dynamic-link library was not found.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 0xd:
							goto L15;
					}
				}
				L16:
				_t32 =  &_a4;
				_push( &_v16);
				_push("Unable to open hyperlink:\n\n");
				_push(_t32);
				L004045CE();
				_push(_t32);
				_v16 = 1;
				L0040459E();
				_v20 = 0;
				L00404538();
				_push(0);
				_push(0x30);
				_push(_v32);
				L004045C8();
				_v32 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v40;
				return _t32;
			}

0x00401ab0
0x00401ab2
0x00401abd
0x00401abe
0x00401acb
0x00401ad0
0x00401ad4
0x00401adf
0x00401bd4
0x00401bd4
0x00401bd9
0x00401bde
0x00401bdf
0x00401be4
0x00401ae5
0x00401aed
0x00000000
0x00401af4
0x00401afd
0x00000000
0x00000000
0x00401b1a
0x00401b1f
0x00401b23
0x00000000
0x00000000
0x00401b07
0x00401b0c
0x00401b10
0x00000000
0x00000000
0x00401b40
0x00401b45
0x00401b49
0x00000000
0x00000000
0x00401bb6
0x00401bbb
0x00401bbf
0x00000000
0x00000000
0x00401b2d
0x00401b32
0x00401b36
0x00000000
0x00000000
0x00401bc6
0x00401bcb
0x00401bcf
0x00000000
0x00000000
0x00401b53
0x00401b58
0x00401b5c
0x00000000
0x00000000
0x00401b86
0x00401b8b
0x00401b8f
0x00000000
0x00000000
0x00401b76
0x00401b7b
0x00401b7f
0x00000000
0x00000000
0x00401b66
0x00401b6b
0x00401b6f
0x00000000
0x00000000
0x00401ba6
0x00401bab
0x00401baf
0x00000000
0x00000000
0x00401b96
0x00401b9b
0x00401b9f
0x00000000
0x00000000
0x00000000
0x00000000
0x00401aed
0x00401be7
0x00401beb
0x00401bef
0x00401bf0
0x00401bf5
0x00401bf6
0x00401bfb
0x00401c00
0x00401c05
0x00401c0e
0x00401c13
0x00401c1c
0x00401c1e
0x00401c20
0x00401c21
0x00401c2a
0x00401c32
0x00401c3c
0x00401c46

APIs

#540.MFC42(?,?,00000000,00404AB0,000000FF,00401470,00000000), ref: 00401ACB
#860.MFC42(The operating system is outof memory or resources.,?,?,00000000,00404AB0,000000FF,00401470,00000000), ref: 00401AFD
#860.MFC42(The specified path was not found.,The specified file was not found.), ref: 00401B10
#860.MFC42(The specified file was not found.), ref: 00401B23
#860.MFC42(The .EXE file is invalid(non-Win32 .EXE or error in .EXE image).,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B36
#860.MFC42(The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B49
#860.MFC42(The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B5C
#860.MFC42(The DDE transaction could notbe completed because other DDE transactionswere being processed.,The DDE transaction failed.,The DDE transaction could notbe completed because the request timed out.,The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B6F
#860.MFC42(The DDE transaction failed.,The DDE transaction could notbe completed because the request timed out.,The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B7F
#860.MFC42(The DDE transaction could notbe completed because the request timed out.,The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B8F
#860.MFC42(The specified dynamic-link library was not found.,There is no application associatedwith the given filename extension.,The DDE transaction could notbe completed because other DDE transactionswere being processed.,The DDE transaction failed.,The DDE transaction could notbe completed because the request timed out.,The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B9F
#860.MFC42(There is no application associatedwith the given filename extension.,The DDE transaction could notbe completed because other DDE transactionswere being processed.,The DDE transaction failed.,The DDE transaction could notbe completed because the request timed out.,The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401BAF
#860.MFC42(There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401BBF
#860.MFC42(A sharing violation occurred. ,The .EXE file is invalid(non-Win32 .EXE or error in .EXE image).,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401BCF
#2818.MFC42(?,Unknown Error (%d) occurred.,?,?,?,00000000,00404AB0,000000FF,00401470,00000000), ref: 00401BDF
#926.MFC42(?,Unable to open hyperlink:,?), ref: 00401BF6
#858.MFC42(?,?,?,?,?,?,00000000), ref: 00401C05
#800.MFC42(?,?,?,?,?,?,00000000), ref: 00401C13
#1200.MFC42(?,00000030,00000000,?,?,?,?,?,?,00000000), ref: 00401C21
#800.MFC42(?,00000030,00000000,?,?,?,?,?,?,00000000), ref: 00401C32

Strings

The filename association isincomplete or invalid., xrefs: 00401B53
The operating system is outof memory or resources., xrefs: 00401AF4
There was not enough memory to complete the operation., xrefs: 00401BB6
A sharing violation occurred. , xrefs: 00401BC6
The specified path was not found., xrefs: 00401B07
The DDE transaction failed., xrefs: 00401B76
The specified file was not found., xrefs: 00401B1A
Unknown Error (%d) occurred., xrefs: 00401BD9
The .EXE file is invalid(non-Win32 .EXE or error in .EXE image)., xrefs: 00401B2D
The DDE transaction could notbe completed because other DDE transactionswere being processed., xrefs: 00401B66
The operating system deniedaccess to the specified file., xrefs: 00401B40
Unable to open hyperlink:, xrefs: 00401BF0
The specified dynamic-link library was not found., xrefs: 00401B96
There is no application associatedwith the given filename extension., xrefs: 00401BA6
The DDE transaction could notbe completed because the request timed out., xrefs: 00401B86

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #860$#800$#1200#2818#540#858#926
String ID: A sharing violation occurred. $The .EXE file is invalid(non-Win32 .EXE or error in .EXE image).$The DDE transaction could notbe completed because other DDE transactionswere being processed.$The DDE transaction could notbe completed because the request timed out.$The DDE transaction failed.$The filename association isincomplete or invalid.$The operating system deniedaccess to the specified file.$The operating system is outof memory or resources.$The specified dynamic-link library was not found.$The specified file was not found.$The specified path was not found.$There is no application associatedwith the given filename extension.$There was not enough memory to complete the operation.$Unable to open hyperlink:$Unknown Error (%d) occurred.
API String ID: 346542042-3273680174
Opcode ID: ea7e90c578bf019d686b0e0a1a9cb7f1dbbf8356f100c7c62e7251d023a5f85a
Instruction ID: d05527ecf1c23452e4e09f04e5b27d926ba05525808f6f0cd500f92e65994bfe
Opcode Fuzzy Hash: ea7e90c578bf019d686b0e0a1a9cb7f1dbbf8356f100c7c62e7251d023a5f85a
Instruction Fuzzy Hash: 9A3138B055C241FBC214EA50CC92B6B77A0AB91744F50493FB286361E1EFBCB946869F

Uniqueness

Uniqueness Score: -1.00%

Function 004036F0 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004036F0(intOrPtr* __ecx) {
				intOrPtr _t62;
				struct HINSTANCE__* _t68;
				struct HMENU__* _t69;
				struct HMENU__* _t71;
				struct HINSTANCE__* _t76;
				struct HMENU__* _t77;
				struct HMENU__* _t78;
				struct HMENU__* _t132;
				intOrPtr* _t138;
				int _t140;
				void* _t149;
				struct HMENU__* _t157;
				void* _t158;

				_push(0xffffffff);
				_push(E00404CC8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t157;
				_t158 = _t157 - 0x10;
				_t138 = __ecx;
				if( *((intOrPtr*)(_t158 + 0x20)) ==  *(__ecx + 0x49)) {
					_t128 = 0x405c3c;
					 *(_t158 + 0x10) = 0;
					 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
					 *(_t158 + 0x24) = 0;
					_t149 = E00403480(__ecx);
					if(_t149 != 0) {
						_t62 =  *((intOrPtr*)(_t158 + 0x30));
						if(_t62 != 0x205) {
							if(_t62 != 0x203) {
								goto L21;
							} else {
								SetForegroundWindow( *(_t149 + 0x20));
								if( *(_t138 + 0x278) == 0) {
									_t140 =  *(_t138 + 0x274);
									goto L20;
								} else {
									_t68 =  *(_t138 + 0x49) & 0x0000ffff;
									_push(_t68);
									_push(4);
									L004044F6();
									_t69 = LoadMenuA(_t68, _t68);
									_push(_t69);
									L004046F4();
									if(_t69 != 0) {
										_t71 = GetSubMenu( *(_t158 + 0x10), 0);
										_push(_t71);
										L004046E8();
										if(_t71 != 0) {
											_t140 = GetMenuItemID( *(_t71 + 4),  *(_t138 + 0x274));
											L004046EE();
											L20:
											PostMessageA( *(_t149 + 0x20), 0x111, _t140, 0);
											goto L21;
										} else {
											 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
											 *(_t158 + 0x24) = 5;
											L004046EE();
											 *[fs:0x0] =  *(_t158 + 0x10);
											return 0;
										}
									} else {
										 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
										 *(_t158 + 0x24) = 4;
										L004046EE();
										 *[fs:0x0] =  *(_t158 + 0x10);
										return 0;
									}
								}
							}
						} else {
							_t76 =  *(__ecx + 0x49) & 0x0000ffff;
							_push(_t76);
							_push(4);
							L004044F6();
							_t77 = LoadMenuA(_t76, _t76);
							_push(_t77);
							L004046F4();
							if(_t77 != 0) {
								_t78 = GetSubMenu( *(_t158 + 0x10), 0);
								_push(_t78);
								L004046E8();
								_t132 = _t78;
								if(_t132 != 0) {
									SetMenuDefaultItem( *(_t132 + 4),  *(_t138 + 0x274),  *(_t138 + 0x278));
									 *((intOrPtr*)( *_t138 + 0xc4))(_t132);
									if( *((intOrPtr*)(_t138 + 0x40)) != 0) {
										ModifyMenuA( *(_t132 + 4), 0x8005, 8, 0x8005, "Active");
									}
									GetCursorPos(_t158 + 0x14);
									SetForegroundWindow( *(_t149 + 0x20));
									TrackPopupMenu( *(_t132 + 4), 0,  *(_t158 + 0x14),  *(_t158 + 0x18), 0,  *(_t149 + 0x20), 0);
									PostMessageA( *(_t149 + 0x20), 0, 0, 0);
									L004046EE();
									_t128 = 0x405c3c;
									L21:
									 *((intOrPtr*)(_t158 + 0xc)) = _t128;
									 *(_t158 + 0x24) = 6;
									L004046EE();
									 *[fs:0x0] =  *(_t158 + 0x1c);
									return 1;
								} else {
									 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
									 *(_t158 + 0x24) = 3;
									L004046EE();
									 *[fs:0x0] =  *(_t158 + 0x10);
									return 0;
								}
							} else {
								 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
								 *(_t158 + 0x24) = 2;
								L004046EE();
								 *[fs:0x0] =  *(_t158 + 0x10);
								return 0;
							}
						}
					} else {
						 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
						 *(_t158 + 0x24) = 1;
						L004046EE();
						 *[fs:0x0] =  *(_t158 + 0x10);
						return 0;
					}
				} else {
					 *[fs:0x0] =  *(_t158 + 0x10);
					return 0;
				}
			}

0x004036f6
0x004036f8
0x004036fd
0x004036fe
0x00403705
0x0040370e
0x00403714
0x0040372c
0x00403731
0x00403739
0x0040373f
0x0040374c
0x00403750
0x0040377d
0x00403785
0x004038c3
0x00000000
0x004038c9
0x004038cd
0x004038db
0x00403992
0x00000000
0x004038e1
0x004038e4
0x004038e9
0x004038ea
0x004038ed
0x004038f3
0x004038f9
0x004038fe
0x00403905
0x00403939
0x0040393f
0x00403940
0x00403947
0x00403989
0x0040398b
0x00403998
0x004039a4
0x00000000
0x00403949
0x00403949
0x00403951
0x00403959
0x00403967
0x00403971
0x00403971
0x00403907
0x00403907
0x0040390f
0x00403917
0x00403925
0x0040392f
0x0040392f
0x00403905
0x004038db
0x0040378b
0x0040378e
0x00403793
0x00403794
0x00403797
0x0040379d
0x004037a3
0x004037a8
0x004037af
0x004037e3
0x004037e9
0x004037ea
0x004037ef
0x004037f3
0x00403836
0x00403841
0x0040384c
0x00403863
0x00403863
0x0040386e
0x00403878
0x00403896
0x004038a6
0x004038b0
0x004038b5
0x004039aa
0x004039aa
0x004039b2
0x004039ba
0x004039cb
0x004039d5
0x004037f5
0x004037f5
0x00403801
0x00403809
0x00403817
0x00403821
0x00403821
0x004037b1
0x004037b1
0x004037b9
0x004037c1
0x004037cf
0x004037d9
0x004037d9
0x004037af
0x00403752
0x00403752
0x0040375a
0x00403762
0x00403770
0x0040377a
0x0040377a
0x00403716
0x0040371f
0x00403729
0x00403729

APIs

#2438.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,00404CC8,000000FF), ref: 00403762

Strings

F@, xrefs: 0040372C, 004038B5
<\@, xrefs: 004037FD
Active, xrefs: 00403851

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #2438
String ID: <\@$Active$F@
API String ID: 3848929793-4083231078
Opcode ID: 52babf0500d360e68296940e0fbd2bbc1b4316878b0c97c08039995788ae0fb5
Instruction ID: 2155ade0938a15048844e7ff29b6153062ed146438ae282cc42f0564ce5c9ae9
Opcode Fuzzy Hash: 52babf0500d360e68296940e0fbd2bbc1b4316878b0c97c08039995788ae0fb5
Instruction Fuzzy Hash: 96817EB6204701AFD310EF25C945B6BB7E8FB84714F00892EF985A7280DB7DE904CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401580 Relevance: 25.6, APIs: 17, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00401580(void* __ecx) {
				int _v4;
				intOrPtr _v56;
				struct tagLOGFONTA _v92;
				intOrPtr _v96;
				struct tagRECT _v116;
				char _v124;
				void* _v144;
				signed char _t26;
				long _t32;
				int _t40;
				intOrPtr* _t43;
				struct HWND__* _t47;
				int _t70;
				void* _t74;
				signed char _t79;

				_t26 =  *[fs:0x0];
				_push(0xffffffff);
				_push(E00404A28);
				_push(_t26);
				 *[fs:0x0] = _t79;
				_t74 = __ecx;
				L00404592();
				if(__ecx != 0) {
					_t47 =  *(__ecx + 0x20);
				} else {
					_t47 = 0;
				}
				SetWindowLongA(_t47, 0xfffffff0, _t26 | 0x00000001);
				_t43 = _t74 + 0x5c;
				if( *((intOrPtr*)( *((intOrPtr*)(_t74 + 0x5c)) - 8)) == 0) {
					_push(_t43);
					L0040458C();
				}
				L0040454A();
				_v4 = 0;
				_push( &_v92);
				L0040458C();
				if( *((intOrPtr*)(_v96 - 8)) == 0) {
					_push( *_t43);
					L00404586();
				}
				_t32 = SendMessageA( *(_t74 + 0x20), 0x31, 0, 0);
				_push(_t32);
				L00404580();
				GetObjectA( *(_t32 + 4), 0x3c,  &(_v92.lfOrientation));
				_v92.lfUnderline =  *((intOrPtr*)(_t74 + 0x54));
				_t70 = _t74 + 0x60;
				_push(CreateFontIndirectA( &_v92));
				L0040457A();
				if(_t70 != 0) {
					_t70 =  *(_t70 + 4);
				}
				SendMessageA( *(_t74 + 0x20), 0x30, _t70, 1);
				E00401830(_t74);
				E004019F0(_t74);
				_t40 = GetClientRect( *(_t74 + 0x20),  &_v116);
				_push(0);
				_push(_t74);
				L00404574();
				_push(1);
				_push( &_v124);
				_push( *_t43);
				_push(_t74);
				L0040456E();
				L004044D2();
				_v56 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v92.lfFaceName;
				return _t40;
			}

0x00401580
0x00401586
0x00401588
0x0040158d
0x0040158e
0x0040159c
0x0040159e
0x004015a5
0x004015ab
0x004015a7
0x004015a7
0x004015a7
0x004015b5
0x004015be
0x004015c6
0x004015c8
0x004015cb
0x004015cb
0x004015d4
0x004015dd
0x004015e5
0x004015e8
0x004015f6
0x004015fc
0x004015fd
0x004015fd
0x00401612
0x00401614
0x00401615
0x00401625
0x00401633
0x00401637
0x00401640
0x00401643
0x0040164a
0x0040164c
0x0040164c
0x00401658
0x0040165c
0x00401663
0x00401671
0x0040167a
0x0040167c
0x0040167f
0x0040168a
0x0040168c
0x0040168d
0x0040168e
0x00401691
0x00401698
0x004016a1
0x004016a9
0x004016b6
0x004016c0

APIs

#3797.MFC42 ref: 0040159E
SetWindowLongA.USER32 ref: 004015B5
#3874.MFC42(?), ref: 004015CB
#540.MFC42(?), ref: 004015D4
#3874.MFC42(?), ref: 004015E8
#6199.MFC42(?,?), ref: 004015FD
SendMessageA.USER32 ref: 00401612
#2860.MFC42(00000000), ref: 00401615
GetObjectA.GDI32(?,0000003C,?), ref: 00401625
CreateFontIndirectA.GDI32(?), ref: 0040163A
#1641.MFC42(00000000), ref: 00401643
SendMessageA.USER32 ref: 00401658
GetClientRect.USER32 ref: 00401671
#2122.MFC42(?,00000000), ref: 0040167F
#1088.MFC42(?,?,?,00000001,?,00000000), ref: 00401691
#5265.MFC42(?,?,?,00000001,?,00000000), ref: 00401698
#800.MFC42(?,?,?,00000001,?,00000000), ref: 004016A9

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #3874MessageSend$#1088#1641#2122#2860#3797#5265#540#6199#800ClientCreateFontIndirectLongObjectRectWindow
String ID:
API String ID: 2227210797-0
Opcode ID: 91c33229316b2e92066e70053cc2469c2e8fe531323fef1549f4e80344806ef5
Instruction ID: 78e91d416b0f403ad5dc09a236e54dfa35207b3635d77c84e58a6aa78756797c
Opcode Fuzzy Hash: 91c33229316b2e92066e70053cc2469c2e8fe531323fef1549f4e80344806ef5
Instruction Fuzzy Hash: 2631A4B1200701ABD624EB25CC91F6FB3A9FBC4B54F000A2DF642672D1CB78E905CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401830 Relevance: 24.2, APIs: 16, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00401830(void* __ecx) {
				int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				char _v32;
				char _v44;
				struct tagRECT _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _v100;
				struct HWND__* _t53;
				int _t54;
				struct HWND__* _t57;
				struct HDC__* _t59;
				void* _t61;
				signed char _t67;
				CHAR* _t70;
				void* _t85;
				signed char _t87;
				long _t100;
				long _t113;
				void* _t120;
				void* _t122;
				struct HDC__* _t123;
				intOrPtr _t125;
				intOrPtr _t128;

				_push(0xffffffff);
				_push(E00404A68);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t128;
				_t120 = __ecx;
				if(__ecx != 0) {
					_t53 =  *(__ecx + 0x20);
				} else {
					_t53 = 0;
				}
				_t54 = IsWindow(_t53);
				if(_t54 != 0) {
					_t54 =  *(_t120 + 0x58);
					if(_t54 != 0) {
						GetWindowRect( *(_t120 + 0x20),  &_v28);
						_t57 = GetParent( *(_t120 + 0x20));
						_push(_t57);
						L00404568();
						if(_t57 != 0) {
							_push( &_v32);
							L004045B0();
						}
						L0040454A();
						_v8 = 0;
						L0040458C();
						_t59 = GetDC( *(_t120 + 0x20));
						L004045AA();
						_t123 = _t59;
						_t61 =  *((intOrPtr*)(_t123->i + 0x30))(_t120 + 0x60, _t59,  &_v44, _t122, _t85);
						GetTextExtentPoint32A( *(_t123 + 8), _v64.right,  *(_v64.right - 8),  &(_v64.bottom));
						 *((intOrPtr*)(_t123->i + 0x30))(_t61);
						_t67 = ReleaseDC( *(_t120 + 0x20),  *(_t123 + 4));
						L00404592();
						_t87 = _t67;
						if((_t87 & 0x00000002) == 0) {
							_t113 = _v68 + _v64.top;
							_v64.bottom.cx = _t113;
						} else {
							asm("cdq");
							InflateRect( &_v64, 0,  ~(_v64.bottom.cx - _v68 - _v64.top - _v64.top >> 1));
							_t113 = _v64.bottom.cx;
						}
						if((_t87 & 0x00000001) == 0) {
							if((_t87 & 0x00000002) == 0) {
								_t100 = _v64.left;
								_t70 = _v72 + _t100;
								_v64.right = _t70;
							} else {
								_t70 = _v64.right;
								_t100 = _t70 - _v72;
								_v64.left = _t100;
							}
						} else {
							asm("cdq");
							InflateRect( &_v64,  ~(_v64.right - _v72 - _v64.left - _v72 >> 1), 0);
							_t70 = _v64.right;
							_t113 = _v64.bottom.cx;
							_t100 = _v64.left;
						}
						_t125 = _v64.top;
						_push(4);
						_t54 = _t70 - _t100;
						_push(_t113 - _t125);
						_push(_t54);
						_push(_t125);
						_push(_t100);
						_push(0);
						L004045A4();
						_v64.left = 0xffffffff;
						L00404538();
					}
				}
				 *[fs:0x0] = _v12;
				return _t54;
			}

0x00401836
0x00401838
0x0040183d
0x0040183e
0x00401849
0x0040184d
0x00401853
0x0040184f
0x0040184f
0x0040184f
0x00401857
0x0040185f
0x00401865
0x0040186a
0x00401879
0x00401883
0x00401889
0x0040188a
0x00401891
0x00401897
0x0040189a
0x0040189a
0x004018a5
0x004018b1
0x004018b9
0x004018c2
0x004018c9
0x004018ce
0x004018d8
0x004018ef
0x004018fa
0x00401905
0x0040190d
0x00401918
0x0040191d
0x0040194e
0x00401951
0x0040191f
0x0040192f
0x0040193e
0x00401940
0x00401940
0x00401958
0x0040198c
0x004019a0
0x004019a8
0x004019aa
0x0040198e
0x0040198e
0x00401998
0x0040199a
0x0040199a
0x0040195a
0x0040196c
0x00401979
0x0040197b
0x0040197f
0x00401983
0x00401983
0x004019ae
0x004019b2
0x004019b6
0x004019b8
0x004019b9
0x004019ba
0x004019bb
0x004019bc
0x004019c0
0x004019c9
0x004019d1
0x004019d7
0x0040186a
0x004019dd
0x004019e7

APIs

IsWindow.USER32(?), ref: 00401857
GetWindowRect.USER32 ref: 00401879
GetParent.USER32(?), ref: 00401883
#2864.MFC42(00000000), ref: 0040188A
#6880.MFC42(?,00000000), ref: 0040189A
#540.MFC42(?,?,00000000), ref: 004018A5
#3874.MFC42 ref: 004018B9
GetDC.USER32(?), ref: 004018C2
#2859.MFC42(00000000), ref: 004018C9
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004018EF
ReleaseDC.USER32 ref: 00401905
#3797.MFC42 ref: 0040190D
InflateRect.USER32(?,00000000,?), ref: 0040193E
InflateRect.USER32(?,?,00000000), ref: 00401979
#6197.MFC42(00000000,?,?,?,?,00000004), ref: 004019C0
#800.MFC42(00000000,?,?,?,?,00000004), ref: 004019D1

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: Rect$InflateWindow$#2859#2864#3797#3874#540#6197#6880#800ExtentParentPoint32ReleaseText
String ID:
API String ID: 1229430148-0
Opcode ID: cb737125da13868ce94a8dd5d740498467b0550b8dd73812d20f1135e72424aa
Instruction ID: 083710a63b368be8a5a2e75130603aec36761a7d160585ce5598680cda7501de
Opcode Fuzzy Hash: cb737125da13868ce94a8dd5d740498467b0550b8dd73812d20f1135e72424aa
Instruction Fuzzy Hash: 7A512FB5204702AFD704DF69C995A6BB7E9FBC8700F044A2DF98593390D778E904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402A30 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00402A30(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				void* _t22;
				void* _t33;
				intOrPtr _t35;

				_push(0xffffffff);
				_push(E00404BF8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t35;
				_push(__ecx);
				_t33 = __ecx;
				L0040454A();
				_t17 =  *((intOrPtr*)(__ecx + 0x354));
				_v4 = 0;
				if(_t17 == 0xffffffff) {
					_t18 =  *((intOrPtr*)(__ecx + 0x35c));
					if(_t18 == 0xffffffff) {
						_t19 =  *((intOrPtr*)(__ecx + 0x358));
						if(_t19 == 0xffffffff) {
							if( *((intOrPtr*)(__ecx + 0x348)) == 0) {
								_push("Caffeine: inactive");
							} else {
								_push("Caffeine: active");
							}
							L004045DA();
						} else {
							_push(_t19);
							_push("Caffeine: Will go active in %i minute(s)");
							_push( &_v16);
							L004045D4();
							_t35 = _t35 + 0xc;
						}
					} else {
						_push(_t18);
						_push("Caffeine: Will exit in %i minute(s)");
						_push( &_v16);
						L004045D4();
						_t35 = _t35 + 0xc;
					}
				} else {
					_push(_t17);
					_push("Caffeine: Will go inactive in %i minute(s)");
					_push( &_v16);
					L004045D4();
					_t35 = _t35 + 0xc;
				}
				_t22 = E00403420(_t33 + 0xc0, _v20);
				_v12 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v20;
				return _t22;
			}

0x00402a30
0x00402a32
0x00402a3d
0x00402a3e
0x00402a45
0x00402a47
0x00402a4d
0x00402a52
0x00402a58
0x00402a63
0x00402a7a
0x00402a83
0x00402a9a
0x00402aa3
0x00402ac2
0x00402acb
0x00402ac4
0x00402ac4
0x00402ac4
0x00402ad4
0x00402aa5
0x00402aa5
0x00402aaa
0x00402aaf
0x00402ab0
0x00402ab5
0x00402ab5
0x00402a85
0x00402a85
0x00402a8a
0x00402a8f
0x00402a90
0x00402a95
0x00402a95
0x00402a65
0x00402a65
0x00402a6a
0x00402a6f
0x00402a70
0x00402a75
0x00402a75
0x00402ae4
0x00402aed
0x00402af5
0x00402aff
0x00402b09

APIs

#540.MFC42(?,?,00000000,00404BF8,000000FF,00402691,ZhornSoftwareCaffeineMain), ref: 00402A4D
#2818.MFC42(?,Caffeine: Will go inactive in %i minute(s),?,?,?,00000000,00404BF8,000000FF,00402691,ZhornSoftwareCaffeineMain), ref: 00402A70
#2818.MFC42(?,Caffeine: Will exit in %i minute(s),?,?,?,00000000,00404BF8,000000FF,00402691,ZhornSoftwareCaffeineMain), ref: 00402A90
#800.MFC42(?,Caffeine: inactive,?,?,00000000,00404BF8,000000FF,00402691,ZhornSoftwareCaffeineMain), ref: 00402AF5

Strings

Caffeine: Will go inactive in %i minute(s), xrefs: 00402A6A
Caffeine: inactive, xrefs: 00402ACB
Caffeine: active, xrefs: 00402AC4
Caffeine: Will go active in %i minute(s), xrefs: 00402AAA
Caffeine: Will exit in %i minute(s), xrefs: 00402A8A

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #2818$#540#800
String ID: Caffeine: Will exit in %i minute(s)$Caffeine: Will go active in %i minute(s)$Caffeine: Will go inactive in %i minute(s)$Caffeine: active$Caffeine: inactive
API String ID: 2322274623-3634301374
Opcode ID: 30378fbae9d1f71dec1020bdfbd01e6cb2f46df81994ec8b9ff7dd3a1fe2d989
Instruction ID: 4449c43e5b08e88013da19f82a2139671552fd5fc9db86512c79a7bcba6e5130
Opcode Fuzzy Hash: 30378fbae9d1f71dec1020bdfbd01e6cb2f46df81994ec8b9ff7dd3a1fe2d989
Instruction Fuzzy Hash: 2311D571504740BBC220DB24CD45FAB7798EB45724F144B2FB16B722D0DBBCE9458B5A

Uniqueness

Uniqueness Score: -1.00%

Function 004019F0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 52
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004019F0(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				CHAR* _v28;
				CHAR* _t13;
				struct HICON__* _t17;
				void* _t27;
				struct HINSTANCE__* _t30;
				intOrPtr _t32;

				_push(0xffffffff);
				_push(E00404A88);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t32;
				_push(__ecx);
				_t27 = __ecx;
				_t13 =  *(__ecx + 0x68);
				if(_t13 == 0) {
					L0040454A();
					_push(0x104);
					_v4 = 0;
					L004045C2();
					GetWindowsDirectoryA(_t13, 0x104);
					_push(0xffffffff);
					L004045BC();
					_push("\\winhlp32.exe");
					L004045B6();
					_t30 = LoadLibraryA(_v28);
					if(_t30 != 0) {
						_t17 = LoadCursorA(_t30, 0x6a);
						if(_t17 != 0) {
							 *((intOrPtr*)(_t27 + 0x68)) = CopyIcon(_t17);
						}
					}
					_t13 = FreeLibrary(_t30);
					_v16 = 0xffffffff;
					L00404538();
				}
				 *[fs:0x0] = _v12;
				return _t13;
			}

0x004019f0
0x004019f2
0x004019fd
0x004019fe
0x00401a05
0x00401a07
0x00401a09
0x00401a0e
0x00401a19
0x00401a1e
0x00401a2c
0x00401a34
0x00401a3a
0x00401a40
0x00401a46
0x00401a4b
0x00401a54
0x00401a64
0x00401a68
0x00401a6d
0x00401a75
0x00401a7e
0x00401a7e
0x00401a75
0x00401a82
0x00401a8c
0x00401a94
0x00401a99
0x00401a9f
0x00401aa9

APIs

#540.MFC42(?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A19
#2915.MFC42(00000104,00000104,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A34
GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000104,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A3A
#5572.MFC42(000000FF,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A46
#941.MFC42(\winhlp32.exe,000000FF,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A54
LoadLibraryA.KERNEL32(?,\winhlp32.exe,000000FF,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A5E
LoadCursorA.USER32 ref: 00401A6D
CopyIcon.USER32 ref: 00401A78
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A82
#800.MFC42(?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A94

Strings

\winhlp32.exe, xrefs: 00401A4B

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: LibraryLoad$#2915#540#5572#800#941CopyCursorDirectoryFreeIconWindows
String ID: \winhlp32.exe
API String ID: 1176994157-695620452
Opcode ID: 05e50b6df430242a8222bd603a04b412f274f73aa4b0da348ae6d99f69430fb9
Instruction ID: a7958fbb4f7cea771c3a4d3836ed45ebcef4260fd507b6672cbc114736bf679a
Opcode Fuzzy Hash: 05e50b6df430242a8222bd603a04b412f274f73aa4b0da348ae6d99f69430fb9
Instruction Fuzzy Hash: D31191B1645702BBD700EF25DC45B5FB7A8FB80720F40462EF651A22E0DB789901CE9A

Uniqueness

Uniqueness Score: -1.00%

Function 004034A0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004034A0(void* __ecx, int _a4, int _a8) {
				int _v4;
				int _v16;
				intOrPtr _v20;
				struct HMENU__* _v24;
				struct HMENU__* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				int _t29;
				struct HINSTANCE__* _t31;
				struct HMENU__* _t32;
				struct HMENU__* _t34;
				int _t47;
				void* _t58;
				struct HMENU__* _t62;

				_push(0xffffffff);
				_push(E00404C80);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t29 = _a4;
				_t58 = __ecx;
				_t47 = _a8;
				if( *((intOrPtr*)(__ecx + 0x274)) != _t29 ||  *((intOrPtr*)(__ecx + 0x278)) != _t47) {
					 *(_t58 + 0x274) = _t29;
					 *(_t58 + 0x278) = _t47;
					_v20 = 0x405c3c;
					_v16 = 0;
					_v4 = 0;
					_t31 =  *(_t58 + 0x49) & 0x0000ffff;
					_push(_t31);
					_push(4);
					L004044F6();
					_t32 = LoadMenuA(_t31, _t31);
					_push(_t32);
					L004046F4();
					if(_t32 != 0) {
						_t34 = GetSubMenu(_v28, 0);
						_push(_t34);
						L004046E8();
						if(_t34 != 0) {
							SetMenuDefaultItem( *(_t34 + 4),  *(_t58 + 0x274),  *(_t58 + 0x278));
							_v36 = 0x405c3c;
							_v20 = 3;
							L004046EE();
							goto L7;
						} else {
							_v36 = 0x405c3c;
							_v20 = 2;
							L004046EE();
							 *[fs:0x0] = _v28;
							return 0;
						}
					} else {
						_v32 = 0x405c3c;
						_v16 = 1;
						L004046EE();
						 *[fs:0x0] = _v24;
						return 0;
					}
				} else {
					L7:
					 *[fs:0x0] = _v28;
					return 1;
				}
			}

0x004034a6
0x004034a8
0x004034ad
0x004034ae
0x004034b8
0x004034be
0x004034c8
0x004034cc
0x004034df
0x004034e5
0x004034eb
0x004034ef
0x004034fa
0x00403502
0x00403507
0x00403508
0x0040350b
0x00403511
0x00403517
0x0040351c
0x00403523
0x00403556
0x0040355c
0x0040355d
0x00403564
0x004035a2
0x004035a8
0x004035b0
0x004035b8
0x00000000
0x00403566
0x00403566
0x0040356e
0x00403576
0x00403583
0x0040358d
0x0040358d
0x00403525
0x00403525
0x0040352d
0x00403535
0x00403542
0x0040354c
0x0040354c
0x004035bd
0x004035bd
0x004035c8
0x004035d2
0x004035d2

APIs

#1146.MFC42(?,00000004,?), ref: 0040350B
LoadMenuA.USER32 ref: 00403511
#1644.MFC42(00000000), ref: 0040351C
#2438.MFC42(00000000), ref: 00403535
GetSubMenu.USER32 ref: 00403556
#2863.MFC42(00000000), ref: 0040355D
#2438.MFC42(00000000), ref: 00403576
SetMenuDefaultItem.USER32(?,?,?,00000000), ref: 004035A2
#2438.MFC42 ref: 004035B8

Strings

F@, xrefs: 004034DA

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #2438Menu$#1146#1644#2863DefaultItemLoad
String ID: F@
API String ID: 3207668736-885931407
Opcode ID: 6a6808d4419804ccf2dfa5352aae3fc288f5d8a25165acc8d937bac0ba785d9b
Instruction ID: f1b23a46ef850d4ddc9efb51b11ad5abbcf1e6f706c3b2a33361d5dc44137315
Opcode Fuzzy Hash: 6a6808d4419804ccf2dfa5352aae3fc288f5d8a25165acc8d937bac0ba785d9b
Instruction Fuzzy Hash: 54319CB5508701AFD314EF24C888B5BBBE8FB98750F108D2EF48A93391DB399944CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004028D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004028D0(void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _v20;
				void* _v24;
				void* _v36;
				intOrPtr _t20;
				void* _t21;
				intOrPtr _t23;
				intOrPtr _t24;
				void* _t37;
				intOrPtr _t39;
				void* _t40;

				_push(0xffffffff);
				_push(E00404BE2);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t39;
				_t40 = _t39 - 8;
				_t37 = __ecx;
				E004027F0( *[fs:0x0], __ecx);
				_t20 =  *((intOrPtr*)(_t37 + 0x36c));
				if(_t20 == 0) {
					L004044FC();
					_t23 =  *((intOrPtr*)( *((intOrPtr*)(_t20 + 4)) + 0x74));
					_push(_t23);
					L004046AC();
					_v8 = 0;
					L004046A6();
					_push(0x60);
					L00404406();
					_t40 = _t40 + 4;
					_v20 = _t23;
					_v8 = 1;
					if(_t23 == 0) {
						_t24 = 0;
					} else {
						_t24 = E00404200(_t23, 0);
					}
					_push("-ontaskbar");
					_v8 = 0;
					 *((intOrPtr*)(_t37 + 0x36c)) = _t24;
					L00404694();
					if(_t24 == 0xffffffff) {
						_push(_t37);
					} else {
						_push(0);
					}
					_push(0x8b);
					L00404688();
					_v20 = 0xffffffff;
					L00404538();
				}
				_t21 = E004029C0();
				_push(1);
				L00404682();
				_push(0);
				L0040467C();
				 *[fs:0x0] = _v20;
				return _t21;
			}

0x004028d6
0x004028d8
0x004028dd
0x004028de
0x004028e5
0x004028e9
0x004028eb
0x004028f0
0x004028f8
0x004028fe
0x0040290a
0x0040290d
0x0040290e
0x00402917
0x0040291f
0x00402924
0x00402926
0x0040292b
0x0040292e
0x00402934
0x00402939
0x00402946
0x0040293b
0x0040293f
0x0040293f
0x00402948
0x00402951
0x00402956
0x0040295c
0x0040296a
0x00402970
0x0040296c
0x0040296c
0x0040296c
0x00402971
0x00402976
0x0040297f
0x00402987
0x00402987
0x0040298e
0x00402999
0x0040299b
0x004029a6
0x004029a8
0x004029b2
0x004029bc

APIs

#1168.MFC42 ref: 004028FE
#537.MFC42(?), ref: 0040290E
#6282.MFC42(?,?,?,?,?,?,00404BE2,000000FF), ref: 0040291F
#823.MFC42(00000060,?,?,?,?,?,?,00404BE2,000000FF), ref: 00402926
#2764.MFC42(-ontaskbar,?,?,?,?,?,?,?,00404BE2,000000FF), ref: 0040295C
#2086.MFC42(0000008B,?,-ontaskbar,?,?,?,?,?,?,?,00404BE2,000000FF), ref: 00402976
#800.MFC42(0000008B,?,-ontaskbar,?,?,?,?,?,?,?,00404BE2,000000FF), ref: 00402987

Part of subcall function 00404200: #324.MFC42(0000008B,00000000,?,004025A2,00000000), ref: 0040420D

#6215.MFC42(00000001), ref: 0040299B
#1768.MFC42(00000000,00000001), ref: 004029A8

Strings

-ontaskbar, xrefs: 00402948

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #1168#1768#2086#2764#324#537#6215#6282#800#823
String ID: -ontaskbar
API String ID: 1471377625-536251272
Opcode ID: 9deca449faf96c15c3ba2a658b1fd508d3248a338bf0755341369ed3d05cf83b
Instruction ID: 550b89302cb17e622559643fac98ace275ee8255e36773d07f33510f86576615
Opcode Fuzzy Hash: 9deca449faf96c15c3ba2a658b1fd508d3248a338bf0755341369ed3d05cf83b
Instruction Fuzzy Hash: CB21F3F0208740ABD314EB75C956F6A77D4BB80714F00892EF6A5672C2DBBDE900879B

Uniqueness

Uniqueness Score: -1.00%

Function 00401790 Relevance: 13.6, APIs: 9, Instructions: 61
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00401790(void* __ecx, intOrPtr _a4) {
				struct tagLOGFONTA _v76;
				struct HWND__* _t15;
				int _t16;
				long _t17;
				int _t36;
				void* _t38;

				_t38 = __ecx;
				 *((intOrPtr*)(__ecx + 0x54)) = _a4;
				if(__ecx != 0) {
					_t15 =  *(__ecx + 0x20);
				} else {
					_t15 = 0;
				}
				_t16 = IsWindow(_t15);
				if(_t16 != 0) {
					_t17 = SendMessageA( *(_t38 + 0x20), 0x31, 0, 0);
					_push(_t17);
					L00404580();
					GetObjectA( *(_t17 + 4), 0x3c,  &(_v76.lfOrientation));
					_t36 = _t38 + 0x60;
					_v76.lfUnderline =  *((intOrPtr*)(_t38 + 0x54));
					L0040455C();
					_push(CreateFontIndirectA( &_v76));
					L0040457A();
					if(_t36 != 0) {
						_t36 =  *(_t36 + 4);
					}
					SendMessageA( *(_t38 + 0x20), 0x30, _t36, 1);
					return InvalidateRect( *(_t38 + 0x20), 0, 1);
				}
				return _t16;
			}

0x00401798
0x0040179c
0x0040179f
0x004017a5
0x004017a1
0x004017a1
0x004017a1
0x004017a9
0x004017b1
0x004017c5
0x004017c7
0x004017c8
0x004017d8
0x004017e1
0x004017e4
0x004017ea
0x004017fa
0x004017fd
0x00401804
0x00401806
0x00401806
0x00401812
0x00000000
0x00401823
0x00401828

APIs

IsWindow.USER32(?), ref: 004017A9
SendMessageA.USER32 ref: 004017C5
#2860.MFC42(00000000), ref: 004017C8
GetObjectA.GDI32(?,0000003C,?), ref: 004017D8
#2414.MFC42 ref: 004017EA
CreateFontIndirectA.GDI32(?), ref: 004017F4
#1641.MFC42(00000000), ref: 004017FD
SendMessageA.USER32 ref: 00401812
InvalidateRect.USER32(?,00000000,00000001), ref: 0040181C

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: MessageSend$#1641#2414#2860CreateFontIndirectInvalidateObjectRectWindow
String ID:
API String ID: 855989780-0
Opcode ID: 1c1d5f3ee057ad1c566bc36f2a895a951414aefe0c2f155b15edef83fe280e77
Instruction ID: 17c36f9b3ab66629e8e9c209f62acfffa902e4eb04eebc2a539ae3cb462d3765
Opcode Fuzzy Hash: 1c1d5f3ee057ad1c566bc36f2a895a951414aefe0c2f155b15edef83fe280e77
Instruction Fuzzy Hash: 7E115476600700ABD720E7749D85F6BB7A9BBC8704F04892DF689B7291D6B4E800CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00403AC0 Relevance: 12.1, APIs: 8, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403AC0(void* __ecx, intOrPtr _a4) {
				void* _v4;
				void* _v8;
				void* _t51;
				signed int _t52;
				void* _t53;
				void* _t54;
				void* _t56;
				signed int _t60;
				signed int _t61;
				signed int _t64;
				void* _t70;
				void* _t71;
				void* _t72;
				intOrPtr _t75;
				signed int _t78;
				signed int _t79;
				signed int _t95;
				signed int _t96;
				signed int _t103;
				void* _t109;
				signed int _t121;
				void* _t122;
				intOrPtr _t125;
				void* _t126;
				signed int _t127;

				_t125 = _a4;
				_t71 = __ecx;
				_t51 =  !( *(_t125 + 0x14));
				if((_t51 & 0x00000001) == 0) {
					L00404712();
					_t127 = _t51;
					if(_t127 != 0) {
						_t103 =  *(__ecx + 4);
						if(_t103 != 0) {
							_t75 =  *((intOrPtr*)(__ecx + 0xc));
							if(_t127 > _t75) {
								_t52 =  *(__ecx + 0x10);
								if(_t52 == 0) {
									asm("cdq");
									_t52 =  *(__ecx + 8) + (_t103 & 0x00000007) >> 3;
									if(_t52 >= 4) {
										if(_t52 > 0x400) {
											_t52 = 0x400;
										}
									} else {
										_t52 = 4;
									}
								}
								_t53 = _t52 + _t75;
								_v8 = _t53;
								if(_t127 >= _t53) {
									_v8 = _t127;
								}
								_t54 = _v8;
								_push(_t54 * 4);
								L00404406();
								_t126 =  *(_t71 + 4);
								_t78 =  *(_t71 + 8) << 2;
								_t79 = _t78 >> 2;
								_v4 = memcpy(_t54, _t126, _t79 << 2);
								_t56 = memcpy(_t126 + _t79 + _t79, _t126, _t78 & 0x00000003);
								memset(_t56 +  *(_t71 + 8) * 4, 0, _t127 -  *(_t71 + 8) << 2);
								_push( *(_t71 + 4));
								L004043F4();
								_t125 = _a4;
								 *(_t71 + 4) = _v4;
								 *(_t71 + 8) = _t127;
								 *(_t71 + 0xc) = _v8;
							} else {
								_t64 =  *(__ecx + 8);
								if(_t127 > _t64) {
									memset(_t103 + _t64 * 4, 0, _t127 - _t64 << 2);
								}
								 *(_t71 + 8) = _t127;
							}
						} else {
							_t121 = _t127 * 4;
							_push(_t121);
							L00404406();
							_t109 = _t51;
							_t95 = _t121;
							 *(__ecx + 4) = _t109;
							_t122 = _t109;
							_t96 = _t95 >> 2;
							memset(_t122 + _t96, memset(_t122, 0, _t96 << 2), (_t95 & 0x00000003) << 0);
							 *(_t71 + 0xc) = _t127;
							 *(_t71 + 8) = _t127;
						}
					} else {
						_t70 =  *(__ecx + 4);
						if(_t70 != 0) {
							_push(_t70);
							L004043F4();
							 *(__ecx + 4) = 0;
						}
						 *(_t71 + 0xc) = 0;
						 *(_t71 + 8) = 0;
					}
				} else {
					_push( *(__ecx + 8));
					L00404718();
				}
				_t60 =  *(_t71 + 8);
				_t72 =  *(_t71 + 4);
				if(( !( *(_t125 + 0x14)) & 0x00000001) == 0) {
					_t61 = _t60 << 2;
					_push(_t61);
					_push(_t72);
					L00404706();
					return _t61;
				} else {
					_push(_t60 * 4);
					_push(_t72);
					L0040470C();
					return _t60;
				}
			}

0x00403ac6
0x00403acb
0x00403ad0
0x00403ad4
0x00403ae8
0x00403aed
0x00403af3
0x00403b13
0x00403b18
0x00403b4e
0x00403b53
0x00403b6f
0x00403b74
0x00403b79
0x00403b7f
0x00403b85
0x00403b93
0x00403b95
0x00403b95
0x00403b87
0x00403b87
0x00403b87
0x00403b85
0x00403b9a
0x00403b9e
0x00403ba2
0x00403ba4
0x00403ba4
0x00403ba8
0x00403bb3
0x00403bb4
0x00403bbc
0x00403bbf
0x00403bc6
0x00403bcd
0x00403bd4
0x00403be2
0x00403be7
0x00403be8
0x00403bf5
0x00403bfc
0x00403bff
0x00403c02
0x00403b55
0x00403b55
0x00403b5a
0x00403b65
0x00403b65
0x00403b67
0x00403b67
0x00403b1a
0x00403b1a
0x00403b21
0x00403b22
0x00403b27
0x00403b29
0x00403b2b
0x00403b2e
0x00403b34
0x00403b41
0x00403b43
0x00403b46
0x00403b46
0x00403af5
0x00403af5
0x00403afa
0x00403afc
0x00403afd
0x00403b05
0x00403b05
0x00403b08
0x00403b0b
0x00403b0b
0x00403ad6
0x00403ad9
0x00403adc
0x00403adc
0x00403c08
0x00403c0b
0x00403c13
0x00403c2f
0x00403c32
0x00403c33
0x00403c36
0x00403c42
0x00403c15
0x00403c1e
0x00403c1f
0x00403c20
0x00403c2c
0x00403c2c

APIs

#6394.MFC42(?), ref: 00403ADC
#5450.MFC42 ref: 00403AE8
#825.MFC42(?), ref: 00403AFD
#6383.MFC42(?,?), ref: 00403C20
#5440.MFC42(?,?), ref: 00403C36

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #5440#5450#6383#6394#825
String ID:
API String ID: 2595762273-0
Opcode ID: d82c412e949a9d856617e1908c36ec35f422b00524880e41f7a4d50e0ec12d07
Instruction ID: 0ecedd897538264b9cca93116385a3ae6f853a1af8fba66171701806aa3c2b7c
Opcode Fuzzy Hash: d82c412e949a9d856617e1908c36ec35f422b00524880e41f7a4d50e0ec12d07
Instruction Fuzzy Hash: 6241D6B16046048BCB04DF19D49052ABBE6EBC4315F08C47EE905EF386EB39ED45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004014D0 Relevance: 12.0, APIs: 8, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004014D0(void* __ecx, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v16;
				struct HWND__* _t15;
				int _t19;
				void* _t28;

				_t28 = __ecx;
				L0040451A();
				if( *((intOrPtr*)(__ecx + 0x4c)) == 0) {
					 *((intOrPtr*)(__ecx + 0x4c)) = 1;
					RedrawWindow( *(__ecx + 0x20), 0, 0, 0x105);
					_t15 = SetCapture( *(_t28 + 0x20));
					_push(_t15);
					L00404568();
					return _t15;
				}
				GetClientRect( *(__ecx + 0x20),  &_v16);
				_push(_a12);
				_t19 = PtInRect( &_v16, _a8);
				if(_t19 != 0) {
					return _t19;
				} else {
					 *(_t28 + 0x4c) = _t19;
					ReleaseCapture();
					return RedrawWindow( *(_t28 + 0x20), 0, 0, 0x105);
				}
			}

0x004014d4
0x004014d6
0x004014e0
0x0040153a
0x00401541
0x0040154b
0x00401551
0x00401552
0x00000000
0x00401552
0x004014eb
0x004014f9
0x00401500
0x00401508
0x0040155b
0x0040150a
0x0040150a
0x0040150d
0x0040152a
0x0040152a

APIs

#2379.MFC42 ref: 004014D6
GetClientRect.USER32 ref: 004014EB
PtInRect.USER32(?,?,?), ref: 00401500
ReleaseCapture.USER32 ref: 0040150D
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00401520
RedrawWindow.USER32 ref: 00401541
SetCapture.USER32(00000000), ref: 0040154B
#2864.MFC42(00000000), ref: 00401552

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: CaptureRectRedrawWindow$#2379#2864ClientRelease
String ID:
API String ID: 1374557097-0
Opcode ID: 4b3354277b3a6d51728b9d4079d203378e5318d88eac599256680f4e9192ffd0
Instruction ID: 95f6b93bc0bb27fee9a665966112fcf1a4332077d5cd2568b02e1378cc5f549b
Opcode Fuzzy Hash: 4b3354277b3a6d51728b9d4079d203378e5318d88eac599256680f4e9192ffd0
Instruction Fuzzy Hash: F001ED75200B10ABD320EB65DD59F9777E8FB88744F40491EFA86A6290E6B5E4008F55

Uniqueness

Uniqueness Score: -1.00%

Function 004012A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004012A0(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _t34;
				intOrPtr _t36;

				_push(0xffffffff);
				_push(E004049C9);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t36;
				_push(__ecx);
				_t34 = __ecx;
				_v16 = __ecx;
				L00404502();
				 *((intOrPtr*)(__ecx)) = 0x405550;
				_v4 = 0;
				L0040454A();
				 *((intOrPtr*)(__ecx + 0x64)) = 0;
				 *((intOrPtr*)(__ecx + 0x60)) = 0x405750;
				_v4 = 2;
				L00404544();
				_v4 = 3;
				 *((intOrPtr*)(__ecx)) = 0x405690;
				 *((intOrPtr*)(__ecx + 0x68)) = 0;
				 *((intOrPtr*)(__ecx + 0x40)) = 0xee0000;
				 *((intOrPtr*)(__ecx + 0x44)) = 0x8b1a55;
				 *((intOrPtr*)(_t34 + 0x48)) = GetSysColor(0xd);
				 *((intOrPtr*)(_t34 + 0x4c)) = 0;
				 *((intOrPtr*)(_t34 + 0x50)) = 0;
				 *((intOrPtr*)(_t34 + 0x54)) = 1;
				 *((intOrPtr*)(_t34 + 0x58)) = 1;
				L0040453E();
				 *[fs:0x0] = _v12;
				return _t34;
			}

0x004012a0
0x004012a2
0x004012ad
0x004012ae
0x004012b5
0x004012b8
0x004012bb
0x004012bf
0x004012c4
0x004012d1
0x004012d5
0x004012da
0x004012dd
0x004012e7
0x004012ec
0x004012f3
0x004012f8
0x004012fe
0x00401301
0x00401308
0x00401315
0x0040131f
0x00401322
0x00401325
0x00401328
0x0040132b
0x00401339
0x00401343

APIs

#567.MFC42(?,?,?,?,?,004049C9,000000FF), ref: 004012BF
#540.MFC42(?,?,?,?,?,004049C9,000000FF), ref: 004012D5
#556.MFC42 ref: 004012EC
GetSysColor.USER32(0000000D), ref: 0040130F
#2614.MFC42 ref: 0040132B

Strings

PW@, xrefs: 004012DD

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #2614#540#556#567Color
String ID: PW@
API String ID: 2783311560-282820001
Opcode ID: 4fbf7bed173e3c083643a3f60f934a96f125d2c7531f839a8bc2d6d5cfdf8fb5
Instruction ID: ef9c0c8aec8b64535c9fa0863d4067c97d029a92692f8d97d0ee079fff19e72f
Opcode Fuzzy Hash: 4fbf7bed173e3c083643a3f60f934a96f125d2c7531f839a8bc2d6d5cfdf8fb5
Instruction Fuzzy Hash: 931118B1504B509FC320DF5AC845716FBE4FB84718F904D2EE29697B91C7B9A5048F91

Uniqueness

Uniqueness Score: -1.00%

Function 00401370 Relevance: 7.5, APIs: 5, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00401370(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t12;
				intOrPtr* _t21;
				intOrPtr _t26;

				_push(0xffffffff);
				_push(E00404A11);
				_t12 =  *[fs:0x0];
				_push(_t12);
				 *[fs:0x0] = _t26;
				_v20 = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x405690;
				_t21 = __ecx + 0x60;
				_v4 = 3;
				L0040455C();
				_v4 = 2;
				L00404532();
				_v16 = _t21;
				 *_t21 = 0x405778;
				_v4 = 4;
				L0040455C();
				 *_t21 = 0x405764;
				_v4 = 0;
				L00404538();
				_v4 = 0xffffffff;
				L004044EA();
				 *[fs:0x0] = _v12;
				return _t12;
			}

0x00401370
0x00401372
0x00401377
0x0040137d
0x0040137e
0x0040138c
0x00401390
0x00401396
0x00401399
0x004013a3
0x004013ab
0x004013b0
0x004013b5
0x004013b9
0x004013c1
0x004013c6
0x004013ce
0x004013d4
0x004013d9
0x004013e0
0x004013e8
0x004013f3
0x004013fd

APIs

#2414.MFC42(?,?,?,?,?,?,?,00401358), ref: 004013A3
#809.MFC42(?,?,?,?,?,?,?,00401358), ref: 004013B0
#2414.MFC42(?,?,?,?,?,?,?,00401358), ref: 004013C6
#800.MFC42(?,?,?,?,?,?,?,00401358), ref: 004013D9
#795.MFC42(?,?,?,?,?,?,?,00401358), ref: 004013E8

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #2414$#795#800#809
String ID:
API String ID: 1676757150-0
Opcode ID: 65cc593b620e5d9f1a8ab5cee8c577603e1a0d6e86a28034c9e4c18bbc365e14
Instruction ID: 92b3abfa0cec7b13439a0b761979928bcccb7df5d3019cfb02faa8443e058358
Opcode Fuzzy Hash: 65cc593b620e5d9f1a8ab5cee8c577603e1a0d6e86a28034c9e4c18bbc365e14
Instruction Fuzzy Hash: 60019AB1108B829BC300EF19C45131AFBE8ABD5710F94492FE291633D2C7BC91088B96

Uniqueness

Uniqueness Score: -1.00%

Function 004042D0 Relevance: 7.5, APIs: 5, Instructions: 19
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004042D0(struct HINSTANCE__* __eax, void* __ecx) {
				void* _t8;

				_t8 = __ecx;
				L00404514();
				L004044FC();
				_push(0x80);
				_push(0xe);
				L004044F6();
				SendMessageA( *(_t8 + 0x20), 0x80, 0, LoadIconA(__eax, 0x80));
				return 1;
			}

0x004042d1
0x004042d3
0x004042d8
0x004042dd
0x004042e2
0x004042e9
0x00404301
0x0040430d

APIs

#4710.MFC42 ref: 004042D3
#1168.MFC42 ref: 004042D8
#1146.MFC42(00000080,0000000E,00000080), ref: 004042E9
LoadIconA.USER32(00000000,00000080), ref: 004042EF
SendMessageA.USER32 ref: 00404301

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #1146#1168#4710IconLoadMessageSend
String ID:
API String ID: 3087420702-0
Opcode ID: a6e8d7354a6fb788052a51492049c9ad08ddd2eee8a687578e35c93babe8cf8a
Instruction ID: b9780452e3883c1789be0e07ebba1858de0fcddbd602aa7a7e2b985b98165bfb
Opcode Fuzzy Hash: a6e8d7354a6fb788052a51492049c9ad08ddd2eee8a687578e35c93babe8cf8a
Instruction Fuzzy Hash: 34D017B164031027E6A077A4AD0AF862148AB88705F00852AB780BA1C18CB8A4810778

Uniqueness

Uniqueness Score: -1.00%

Function 004029C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004029C0() {
				intOrPtr _v4;
				intOrPtr _t7;
				void* _t11;
				void* _t15;
				intOrPtr _t16;

				_t15 = _t11;
				_t7 =  *((intOrPtr*)(_t15 + 0x36c));
				if(_t7 == 0) {
					return _t7;
				} else {
					_push(_t11);
					if( *((intOrPtr*)(_t15 + 0x348)) == 0) {
						_v4 = _t16;
						L004046AC();
						return E00404270("Caffeine is inactive");
					}
					_v4 = _t16;
					L004046AC();
					return E00404270("Caffeine is active");
				}
			}

0x004029c2
0x004029c4
0x004029cc
0x00402a12
0x004029ce
0x004029d4
0x004029d9
0x004029f7
0x00402a00
0x00000000
0x00402a0b
0x004029db
0x004029e4
0x004029f6
0x004029f6

APIs

#537.MFC42(Caffeine is active,?,?,?,00402698,ZhornSoftwareCaffeineMain), ref: 004029E4

Part of subcall function 00404270: #3092.MFC42(000003ED,?,00000000,00404DE8,000000FF,00402A10,Caffeine is inactive,?,?,?,00402698,ZhornSoftwareCaffeineMain), ref: 00404297
Part of subcall function 00404270: #6199.MFC42(000003ED,?,00000000,00404DE8,000000FF,00402A10,Caffeine is inactive,?,?,?,00402698,ZhornSoftwareCaffeineMain), ref: 0040429E
Part of subcall function 00404270: #800.MFC42(000003ED,?,00000000,00404DE8,000000FF,00402A10,Caffeine is inactive,?,?,?,00402698,ZhornSoftwareCaffeineMain), ref: 004042AF

#537.MFC42(Caffeine is inactive,?,?,?,00402698,ZhornSoftwareCaffeineMain), ref: 00402A00

Strings

Caffeine is inactive, xrefs: 004029FB
Caffeine is active, xrefs: 004029DF

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #537$#3092#6199#800
String ID: Caffeine is active$Caffeine is inactive
API String ID: 2493846336-4123475934
Opcode ID: bacff2c76b40bc7a720514239c4145173142ea6d4cd13c618353066624bcf823
Instruction ID: 2cf897cb16fae248814bd7f2ff6333f04d516c91e21e356077d6e68829abbab9
Opcode Fuzzy Hash: bacff2c76b40bc7a720514239c4145173142ea6d4cd13c618353066624bcf823
Instruction Fuzzy Hash: E8E065A131460027C614AB65E4129EA7BD8ABC1394F20847FF196672D1CA7968509769

Uniqueness

Uniqueness Score: -1.00%

Function 00403C70 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00403C70(void* __ecx, void* _a4, void* _a8) {
				void* _t41;
				signed int _t42;
				void* _t43;
				void* _t44;
				void* _t46;
				void* _t49;
				signed int _t52;
				void* _t56;
				void* _t57;
				void* _t58;
				signed int _t60;
				signed int _t63;
				signed int _t64;
				signed int _t76;
				signed int _t77;
				signed int _t82;
				void* _t97;
				void* _t101;
				signed int _t102;
				signed int _t103;

				_t41 = _a8;
				_t58 = __ecx;
				if(_t41 != 0xffffffff) {
					 *(__ecx + 0x10) = _t41;
				}
				_t103 = _a4;
				if(_t103 != 0) {
					_t82 =  *(_t58 + 4);
					if(_t82 != 0) {
						_t60 =  *(_t58 + 0xc);
						if(_t103 > _t60) {
							_t42 =  *(_t58 + 0x10);
							if(_t42 == 0) {
								asm("cdq");
								_t42 =  *(_t58 + 8) + (_t82 & 0x00000007) >> 3;
								if(_t42 >= 4) {
									if(_t42 > 0x400) {
										_t42 = 0x400;
									}
								} else {
									_t42 = 4;
								}
							}
							_t43 = _t42 + _t60;
							_a8 = _t43;
							if(_t103 >= _t43) {
								_a8 = _t103;
							}
							_t44 = _a8;
							_push(_t44 * 4);
							L00404406();
							_t101 =  *(_t58 + 4);
							_t63 =  *(_t58 + 8) << 2;
							_t64 = _t63 >> 2;
							_a4 = memcpy(_t44, _t101, _t64 << 2);
							_t46 = memcpy(_t101 + _t64 + _t64, _t101, _t63 & 0x00000003);
							memset(_t46 +  *(_t58 + 8) * 4, 0, _t103 -  *(_t58 + 8) << 2);
							_t49 =  *(_t58 + 4);
							_push(_t49);
							L004043F4();
							 *(_t58 + 8) = _t103;
							 *(_t58 + 4) = _a4;
							 *(_t58 + 0xc) = _a8;
							return _t49;
						} else {
							_t52 =  *(_t58 + 8);
							if(_t103 > _t52) {
								_t52 = memset(_t82 + _t52 * 4, 0, _t103 - _t52 << 2);
							}
							 *(_t58 + 8) = _t103;
							return _t52;
						}
					} else {
						_t102 = _t103 * 4;
						_push(_t102);
						L00404406();
						_t76 = _t102;
						_t97 = _t41;
						_t77 = _t76 >> 2;
						 *(_t58 + 4) = _t97;
						_t56 = memset(_t97 + _t77, memset(_t97, 0, _t77 << 2), (_t76 & 0x00000003) << 0);
						 *(_t58 + 0xc) = _t103;
						 *(_t58 + 8) = _t103;
						return _t56;
					}
				} else {
					_t57 =  *(_t58 + 4);
					if(_t57 != 0) {
						_push(_t57);
						L004043F4();
						 *(_t58 + 4) = 0;
					}
					 *(_t58 + 0xc) = 0;
					 *(_t58 + 8) = 0;
					return _t57;
				}
			}

0x00403c70
0x00403c7b
0x00403c7d
0x00403c7f
0x00403c7f
0x00403c82
0x00403c8a
0x00403cac
0x00403cb1
0x00403ce7
0x00403cec
0x00403d0a
0x00403d0f
0x00403d14
0x00403d1a
0x00403d20
0x00403d2e
0x00403d30
0x00403d30
0x00403d22
0x00403d22
0x00403d22
0x00403d20
0x00403d35
0x00403d39
0x00403d3d
0x00403d3f
0x00403d3f
0x00403d43
0x00403d4e
0x00403d4f
0x00403d57
0x00403d5a
0x00403d61
0x00403d68
0x00403d6f
0x00403d7d
0x00403d7f
0x00403d82
0x00403d83
0x00403d93
0x00403d96
0x00403d99
0x00403da0
0x00403cee
0x00403cee
0x00403cf3
0x00403cfe
0x00403cfe
0x00403d01
0x00403d07
0x00403d07
0x00403cb3
0x00403cb3
0x00403cba
0x00403cbb
0x00403cc0
0x00403cc2
0x00403cc8
0x00403ccb
0x00403cd8
0x00403cdb
0x00403cde
0x00403ce4
0x00403ce4
0x00403c8c
0x00403c8c
0x00403c91
0x00403c93
0x00403c94
0x00403c9c
0x00403c9c
0x00403c9f
0x00403ca2
0x00403ca9
0x00403ca9

APIs

#825.MFC42(?,?,?,?,?,004031E4,00000000,000000FF,?,?,?,?,?,?,?,00401F18), ref: 00403C94
#823.MFC42(00000000,?,?,?,?,004031E4,00000000,000000FF,?,?,?,?,?,?,?,00401F18), ref: 00403CBB

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: 4064fc4933dfd6e780d763aab7e940f0de3a45e2318ed4e373e630547950c6f3
Instruction ID: 62673f645bc794ef7ee5bbd1a96038c10c2e31ae3ef13b856571837ce57a299a
Opcode Fuzzy Hash: 4064fc4933dfd6e780d763aab7e940f0de3a45e2318ed4e373e630547950c6f3
Instruction Fuzzy Hash: AB41BFB27002048BCB04CF58E48052AFB96EB94311F18C57FE905EF38AD636D955CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004016D0 Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E004016D0(void* __ecx, char _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				struct HWND__* _t12;
				int _t13;
				void* _t22;
				intOrPtr _t24;

				_push(0xffffffff);
				_push(E00404A48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t24;
				_t22 = __ecx;
				_push( &_a4);
				_v4 = 0;
				L0040459E();
				if(__ecx != 0) {
					_t12 =  *(__ecx + 0x20);
				} else {
					_t12 = 0;
				}
				_t13 = IsWindow(_t12);
				if(_t13 != 0) {
					_t13 = E00401830(_t22);
					_push(1);
					_push(_t22);
					_push(_v0);
					L00404598();
				}
				_v8 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v16;
				return _t13;
			}

0x004016d6
0x004016d8
0x004016dd
0x004016de
0x004016e6
0x004016ef
0x004016f0
0x004016f8
0x004016ff
0x00401705
0x00401701
0x00401701
0x00401701
0x00401709
0x00401711
0x00401715
0x0040171e
0x00401720
0x00401721
0x00401725
0x00401725
0x0040172e
0x00401736
0x00401740
0x0040174a

APIs

#858.MFC42(?,?,?,00404A48,000000FF), ref: 004016F8
IsWindow.USER32(?), ref: 00401709
#6358.MFC42(?,?,00000001,?,?,00404A48,000000FF), ref: 00401725
#800.MFC42(?,?,00404A48,000000FF), ref: 00401736

Memory Dump Source

Source File: 00000000.00000002.638872984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.638861462.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638886571.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638898302.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.638907683.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_caffeine.jbxd

Similarity

API ID: #6358#800#858Window
String ID:
API String ID: 1255164923-0
Opcode ID: b215063bebed34cb2dd63e23776cf0fcd062ce3a55f8ce4d3b70994c218b3255
Instruction ID: 862afb6756be42a8d94f8b33ccddf4295f7495cd55190ff215f828d4c02cf3ce
Opcode Fuzzy Hash: b215063bebed34cb2dd63e23776cf0fcd062ce3a55f8ce4d3b70994c218b3255
Instruction Fuzzy Hash: ED01D1B2504B01ABC325EF54D801B5B77E8FB88B20F004A3EF592A36C0DB7C9805CB66

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: caffeine.exePID: 7448, Parent PID: 3452COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	19%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	460
Total number of Limit Nodes:	19

Executed Functions

Function 00401F90 Relevance: 180.8, APIs: 84, Strings: 19, Instructions: 510
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00401F90(void* __ecx, signed int _a4) {
				int _v12;
				char _v20;
				signed int _v48;
				char _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				char _v188;
				void* _v196;
				char _v208;
				char _v212;
				void* _v216;
				void* _v220;
				char* _v224;
				char _v228;
				void* _v232;
				void* _v240;
				struct _OSVERSIONINFOA _v252;
				char _v256;
				void* _v260;
				void* _v264;
				char _v268;
				char _v272;
				char _v276;
				int _v280;
				void* _v284;
				void* _v288;
				void* _v296;
				signed int _t132;
				intOrPtr* _t133;
				struct HWND__* _t135;
				int _t138;
				int _t139;
				signed int _t146;
				int _t148;
				char** _t149;
				int _t151;
				char** _t153;
				char** _t155;
				char** _t157;
				struct HWND__* _t160;
				struct HWND__* _t162;
				struct HWND__* _t164;
				struct HWND__* _t166;
				struct HWND__* _t168;
				intOrPtr* _t170;
				intOrPtr* _t174;
				intOrPtr* _t178;
				signed int _t181;
				signed int _t182;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t272;
				signed int _t273;
				void* _t281;
				intOrPtr _t283;
				void* _t284;
				void* _t285;

				_push(0xffffffff);
				_push(E00404B83);
				_push( *[fs:0x0]);
				_t132 = _a4;
				 *[fs:0x0] = _t283;
				_t284 = _t283 - 0xc4;
				_push(_t181);
				_t281 = __ecx;
				_push(_t132);
				 *((char*)(__ecx + 0x348)) = 1;
				 *((intOrPtr*)(__ecx + 0x34c)) = 0x3b;
				 *((char*)(__ecx + 0x360)) = 0;
				 *((char*)(__ecx + 0x361)) = 0;
				 *((char*)(__ecx + 0x368)) = 0;
				L004046B2(); // executed
				if(_t132 != 0xffffffff) {
					L004044FC();
					_t133 =  *((intOrPtr*)(_t132 + 4));
					L004046AC();
					_v12 = 0;
					L004046A6();
					L004046A0();
					_t272 = __imp___mbscmp;
					_v20 = 1;
					_t135 =  *_t272( *_t133, "1",  &_v212, 1,  *((intOrPtr*)(_t133 + 0x74)));
					_t285 = _t284 + 8;
					if(_t135 == 0) {
						L11:
						_t182 = 1;
						L12:
						_v20 = 0;
						L00404538();
						if(_t182 != 0) {
							_t135 = atoi(_v224);
							_t285 = _t285 + 4;
							 *(_t281 + 0x34c) = _t135;
						}
						L0040469A();
						_push("-appexit");
						L00404694();
						_t273 = _t272 | 0xffffffff;
						if(_t135 == _t273) {
							_push("-appon");
							L00404694();
							if(_t135 == _t273) {
								_push("-appoff");
								L00404694();
								if(_t135 == _t273) {
									_push("-apptoggleshowdlg");
									L00404694();
									if(_t135 == _t273) {
										_push("-apptoggle");
										L00404694();
										if(_t135 == _t273) {
											_push("-replace");
											L00404694();
											if(_t135 != _t273) {
												_t135 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
												if(_t135 != 0) {
													_t135 = SendMessageA(_t135, 0x10, 0, 0);
												}
											}
											_push("-noicon");
											L00404694();
											if(_t135 != _t273 || E00403000(_t281 + 0xc0, _t281, 0x800a, "Caffeine", 0, 0x81, 0, 0, 0, 0, 0xa) != 0) {
												E00403350(_t281 + 0xc0, 0x80);
												 *((char*)(_t281 + 0x100)) =  *((intOrPtr*)(_t281 + 0x348));
												_t138 = E004034A0(_t281 + 0xc0, 0x8005, 0);
												_push("-startoff");
												L00404694();
												if(_t138 != 0xffffffff) {
													_t138 = E004027F0(_t138, _t281);
												}
												_push("-useshift");
												L00404694();
												if(_t138 != 0xffffffff) {
													 *((char*)(_t281 + 0x360)) = 1;
												}
												_push("-allowss");
												L00404694();
												if(_t138 != 0xffffffff) {
													 *((char*)(_t281 + 0x361)) = 1;
												}
												_push("-keypress");
												L00404694();
												if(_t138 != 0xffffffff) {
													 *((char*)(_t281 + 0x368)) = 1;
												}
												_push("-exitafter:");
												L00404694();
												 *(_t281 + 0x35c) = _t138;
												if(_t138 != 0xffffffff) {
													_t157 = _t138 + 0xb;
													_push(_t157);
													_push( &_v268);
													L0040468E();
													_t138 = atoi( *_t157);
													_t285 = _t285 + 4;
													 *(_t281 + 0x35c) = _t138;
													L00404538();
												}
												_push("-activefor:");
												L00404694();
												 *(_t281 + 0x354) = _t138;
												if(_t138 != 0xffffffff) {
													_t155 = _t138 + 0xb;
													_push(_t155);
													_push( &_v272);
													L0040468E();
													_t138 = atoi( *_t155);
													_t285 = _t285 + 4;
													 *(_t281 + 0x354) = _t138;
													L00404538();
												}
												_push("-key:");
												L00404694();
												 *(_t281 + 0x364) = _t138;
												if(_t138 != 0xffffffff) {
													_push(_t138 + 5);
													_t153 =  &_v276;
													_push(_t153);
													L0040468E();
													_t138 = atoi( *_t153);
													_t285 = _t285 + 4;
													 *(_t281 + 0x364) = _t138;
													L00404538();
												}
												_push("-inactivefor:");
												L00404694();
												 *(_t281 + 0x358) = _t138;
												if(_t138 != 0xffffffff) {
													_t149 = _t138 + 0xd;
													_push(_t149);
													_push( &_v280);
													L0040468E();
													_t151 = atoi( *_t149);
													_t285 = _t285 + 4;
													L00404538();
													_t138 = E004027F0(_t151, _t281);
													 *(_t281 + 0x358) = _t151;
												}
												_push("-showdlg");
												L00404694();
												if(_t138 != 0xffffffff) {
													_push(0x60);
													L00404406();
													_t285 = _t285 + 4;
													_v280 = _t138;
													_v84 = 2;
													if(_t138 == 0) {
														_t148 = 0;
													} else {
														_t148 = E00404200(_t138, 0);
													}
													_push("-ontaskbar");
													_v84 = 0;
													 *((intOrPtr*)(_t281 + 0x36c)) = _t148;
													L00404694();
													if(_t148 == 0xffffffff) {
														_push(_t281);
													} else {
														_push(0);
													}
													_push(0x8b);
													L00404688();
													_push(1);
													L00404682();
													_push(0);
													L0040467C();
												}
												_t139 = SetTimer( *(_t281 + 0x20), 0x4c8, 0x3e8, 0); // executed
												 *(_t281 + 0x340) = _t139;
												 *(_t281 + 0x344) =  *(_t281 + 0x34c);
												memset( &_v252, 0, 0x27 << 2);
												_t285 = _t285 + 0xc;
												 *(_t281 + 0x350) = 0;
												_v252.dwOSVersionInfoSize = 0x9c;
												if(GetVersionExA( &_v252) != 0) {
													L61:
													if(_v252.dwPlatformId != 2 || _v252.dwMajorVersion != 5) {
														goto L64;
													} else {
														 *((char*)(_t281 + 0x349)) = 1;
														goto L65;
													}
												} else {
													_v252.dwOSVersionInfoSize = 0x94;
													if(GetVersionExA( &_v252) == 0) {
														L64:
														 *((char*)(_t281 + 0x349)) = 0;
														L65:
														_push("ZhornSoftwareCaffeineMain");
														L00404586(); // executed
														E00402A30(_t281);
														E004029C0();
														_v92 = 0xffffffff;
														L00404538();
														_t146 = 0;
														goto L66;
													}
													goto L61;
												}
											} else {
												goto L34;
											}
										}
										_t160 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
										if(_t160 != 0) {
											SendMessageA(_t160, 0x111, 0x409, 0);
										}
										goto L34;
									}
									_t162 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
									if(_t162 != 0) {
										SendMessageA(_t162, 0x111, 0x46f, 0);
									}
									goto L34;
								}
								_t164 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
								if(_t164 != 0) {
									SendMessageA(_t164, 0x111, 0x408, 0);
								}
								goto L34;
							}
							_t166 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
							if(_t166 != 0) {
								SendMessageA(_t166, 0x111, 0x465, 0);
							}
							goto L34;
						} else {
							_t168 = FindWindowA(0, "ZhornSoftwareCaffeineMain");
							if(_t168 != 0) {
								SendMessageA(_t168, 0x10, 0, 0);
							}
							L34:
							_v48 = _t273;
							L00404538();
							_t146 = _t273;
							goto L66;
						}
					}
					_t170 =  &_v188;
					L004046A0();
					_t135 =  *_t272( *_t170, "2", _t170, 1);
					_t285 = _t285 + 8;
					_t186 = _t181 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t186 != 0) {
						goto L11;
					}
					L004046A0();
					_t135 =  *_t272(_t135->i, "3",  &_v208, 1);
					_t285 = _t285 + 8;
					_t187 = _t186 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t187 != 0) {
						goto L11;
					}
					L004046A0();
					_t135 =  *_t272(_t135->i, "4",  &_v208, 1);
					_t285 = _t285 + 8;
					_t188 = _t187 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t188 != 0) {
						goto L11;
					}
					_t174 =  &_v228;
					L004046A0();
					_t135 =  *_t272( *_t174, "5", _t174, 1);
					_t285 = _t285 + 8;
					_t189 = _t188 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t189 != 0) {
						goto L11;
					}
					L004046A0();
					_t135 =  *_t272(_t135->i, "6",  &(_v252.dwMinorVersion), 1);
					_t285 = _t285 + 8;
					_t190 = _t189 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t190 != 0) {
						goto L11;
					}
					L004046A0();
					_t135 =  *_t272(_t135->i, "7",  &(_v252.dwPlatformId), 1);
					_t285 = _t285 + 8;
					_t191 = _t190 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t191 != 0) {
						goto L11;
					}
					_t178 =  &_v256;
					L004046A0();
					_t135 =  *_t272( *_t178, "8", _t178, 1);
					_t285 = _t285 + 8;
					_t192 = _t191 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t192 != 0) {
						goto L11;
					}
					L004046A0();
					_t135 =  *_t272(_t135->i, "9",  &_v272, 1);
					_t285 = _t285 + 8;
					_t182 = _t192 & 0xffffff00 | _t135 == 0x00000000;
					L00404538();
					if(_t182 == 0) {
						goto L12;
					}
					goto L11;
				} else {
					_t146 = _t132;
					L66:
					 *[fs:0x0] = _v100;
					return _t146;
				}
			}

APIs

#4457.MFC42 ref: 00401FDB
#1168.MFC42 ref: 00401FEC
#537.MFC42(?), ref: 00401FFC
#6282.MFC42(?), ref: 00402010
#4129.MFC42(?,00000001,?), ref: 00402020
_mbscmp.MSVCRT ref: 0040203B
#4129.MFC42(?,00000001), ref: 00402053
_mbscmp.MSVCRT ref: 00402060
#800.MFC42 ref: 0040206E
#4129.MFC42(?,00000001), ref: 00402086
_mbscmp.MSVCRT ref: 00402093
#800.MFC42 ref: 004020A1
#4129.MFC42(?,00000001), ref: 004020B9
_mbscmp.MSVCRT ref: 004020C6
#800.MFC42 ref: 004020D4
#4129.MFC42(?,00000001), ref: 004020EC
_mbscmp.MSVCRT ref: 004020F9
#800.MFC42 ref: 00402107
#4129.MFC42(?,00000001), ref: 0040211F
_mbscmp.MSVCRT ref: 0040212C

Strings

-apptoggle, xrefs: 00402303
-appexit, xrefs: 0040220A
-replace, xrefs: 0040233F
-noicon, xrefs: 0040236F
-keypress, xrefs: 0040243D
-useshift, xrefs: 00402409
-inactivefor:, xrefs: 0040251D
-showdlg, xrefs: 00402568
-startoff, xrefs: 004023EF
Caffeine, xrefs: 00402392
-appoff, xrefs: 00402285
-apptoggleshowdlg, xrefs: 004022C4
-allowss, xrefs: 00402423
-appon, xrefs: 00402246
-key:, xrefs: 004024DB
-activefor:, xrefs: 00402499
-ontaskbar, xrefs: 004025A6
-exitafter:, xrefs: 00402457
ZhornSoftwareCaffeineMain, xrefs: 0040221F, 00402258, 00402297, 004022D6, 00402315, 00402351, 0040267E

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #4129_mbscmp$#800$#1168#4457#537#6282
String ID: -activefor:$-allowss$-appexit$-appoff$-appon$-apptoggle$-apptoggleshowdlg$-exitafter:$-inactivefor:$-key:$-keypress$-noicon$-ontaskbar$-replace$-showdlg$-startoff$-useshift$Caffeine$ZhornSoftwareCaffeineMain
API String ID: 391348798-4234960208
Opcode ID: 99ace425fdb636f7f91c8ef20ba56ff12b9d0d4e6daea354cca41ef53e4d0670
Instruction ID: f506843601e50281f4d27f22570277cefe89ea0afaa43e977a867d660fa2b463
Opcode Fuzzy Hash: 99ace425fdb636f7f91c8ef20ba56ff12b9d0d4e6daea354cca41ef53e4d0670
Instruction Fuzzy Hash: D802E3702443406BD614EF74CD86FAB7798AF90704F140D3EFAA5B61D1EBBDA508CA1A

Uniqueness

Uniqueness Score: -1.00%

Function 00404786 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x405e58);
				_push(0x40490c);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x40770c =  *0x40770c | 0xffffffff;
				 *0x407710 =  *0x407710 | 0xffffffff;
				_t23 = __p__fmode();
				_t46 =  *0x407700; // 0x0
				 *_t23 = _t46;
				_t24 = __p__commode();
				_t47 =  *0x4076fc; // 0x0
				 *_t24 = _t47;
				 *0x407708 = _adjust_fdiv;
				_t27 = E0040490B( *_adjust_fdiv);
				_t61 =  *0x4075c0; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E00404908);
				}
				E004048F6(_t27);
				_push(0x407024);
				_push(0x407020);
				L004048F0();
				_t29 =  *0x4076f8; // 0x0
				_v112 = _t29;
				_t6 =  &_v116; // 0x407024
				__getmainargs( &_v100, _t6,  &_v104,  *0x4076f4,  &_v112);
				_push(0x40701c);
				_push(0x407000); // executed
				L004048F0(); // executed
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = E00404918(GetModuleHandleA(0), _t39, 0, _t55, _t38);
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L004048EA();
				return _t41;
			}

APIs

__set_app_type.MSVCRT ref: 004047B3
__p__fmode.MSVCRT ref: 004047C8
__p__commode.MSVCRT ref: 004047D6
__setusermatherr.MSVCRT ref: 00404802
_initterm.MSVCRT ref: 00404818
__getmainargs.MSVCRT ref: 0040483B
_initterm.MSVCRT ref: 0040484B
GetStartupInfoA.KERNEL32(?), ref: 0040488A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004048AE
exit.MSVCRT ref: 004048BE
_XcptFilter.MSVCRT ref: 004048D0

Strings

$p@, xrefs: 00404833, 00404836

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: $p@
API String ID: 801014965-2581991240
Opcode ID: 2737bbf50394ae4e421a855646841bd4d4e14f1d7082e1af04d5c302a0b19e63
Instruction ID: fdab568d6576409bb270f334b5292f4fafa518eed26b3edb5a9e7198efd30a91
Opcode Fuzzy Hash: 2737bbf50394ae4e421a855646841bd4d4e14f1d7082e1af04d5c302a0b19e63
Instruction Fuzzy Hash: E441B1F6C04788AFD720AFA4DD44AAA7BB8EB48710F20453BEA41B72D1C7785840CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00403E90 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E00403E90() {
				char _v8;
				void* _v16;
				char _v20;
				char _v24;
				char _v32;
				intOrPtr _v40;
				void* _v44;
				intOrPtr _t9;
				char* _t10;
				intOrPtr _t15;

				_push(0xffffffff);
				_push(E00404D50);
				_t9 =  *[fs:0x0];
				_push(_t9);
				 *[fs:0x0] = _t15;
				_push("and writt");
				L004046AC(); // executed
				_push(0x65);
				_push(_t9);
				_t10 =  &_v24;
				_v8 = 0;
				_push(_t10);
				L00404724();
				_push("n by Tom");
				_push(_t10);
				_push(0x4076e8);
				_v20 = 1;
				L0040471E();
				_v32 = 0;
				L00404538();
				_v32 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v40;
				return _t10;
			}

APIs

#537.MFC42(and writt), ref: 00403EB1
#923.MFC42(00000065,?,?,?,?,?,?,?,000000FF,00403E85), ref: 00403EC6
#924.MFC42(004076E8,00000000,n by Tom,00000065,?,?,?,?,?,?,?,000000FF,00403E85), ref: 00403EDB
#800.MFC42(004076E8,00000000,n by Tom,00000065,?,?,?,?,?,?,?,000000FF,00403E85), ref: 00403EE9
#800.MFC42(004076E8,00000000,n by Tom,00000065,?,?,?,?,?,?,?,000000FF,00403E85), ref: 00403EFA

Strings

and writt, xrefs: 00403EA8
n by Tom, xrefs: 00403ECB

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #800$#537#923#924
String ID: and writt$n by Tom
API String ID: 1839555536-394286128
Opcode ID: 8053070067e40581ba23650f3435c37d0ef149bfa70386d904a1f2d84979f54c
Instruction ID: 93ee3cd64a174162421e17872db4e77543d706e5306ed7bdd5ea69b74530bc8b
Opcode Fuzzy Hash: 8053070067e40581ba23650f3435c37d0ef149bfa70386d904a1f2d84979f54c
Instruction Fuzzy Hash: C3F062B0448781BBC304EF14CC46B4ABBD4AB91B15F504A2EB5A5236D1DB7C9108CA5B

Uniqueness

Uniqueness Score: -1.00%

Function 00403000 Relevance: 10.6, APIs: 7, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00403000(void* __ecx) {
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _t50;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t56;
				int _t60;
				intOrPtr _t64;
				signed int _t75;
				signed int _t77;
				intOrPtr _t84;
				void* _t87;
				intOrPtr* _t88;
				void* _t91;
				void* _t92;
				intOrPtr _t93;

				_t91 = __ecx;
				_t50 = GetVersion();
				asm("sbb eax, eax");
				_t52 = (_t50 & 0x000000ff) + 1;
				 *((intOrPtr*)(_t91 + 0x22c)) = _t52;
				if(_t52 != 0) {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0x80000000);
					_push(0x4076e4);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *0x407550 = 0x80;
					L004046C4();
					_push(_t52);
					_push(0);
					L004046BE(); // executed
					_t53 = _v56;
					 *(_t91 + 0x41) = 0x1e8;
					if(_t53 == 0) {
						L4:
						_t54 =  *((intOrPtr*)(_t91 + 0x20));
					} else {
						_t54 =  *((intOrPtr*)(_t53 + 0x20));
						if(_t54 == 0) {
							goto L4;
						}
					}
					 *((intOrPtr*)(_t91 + 0x45)) = _t54;
					 *((intOrPtr*)(_t91 + 0x49)) = _v40;
					 *((intOrPtr*)(_t91 + 0x55)) = _v44;
					 *(_t91 + 0x4d) = 7;
					 *((intOrPtr*)(_t91 + 0x51)) = _v52;
					_t56 =  *0x407550; // 0x80
					_t88 = __imp___mbsnbcpy;
					 *_t88(_t91 + 0x59, _v48, _t56 - 1, _t87, _t92);
					_t93 = _v32;
					if( *((intOrPtr*)(_t91 + 0x23c)) != 0 && _t93 != 0) {
						 *(_t91 + 0x4d) =  *(_t91 + 0x4d) | 0x00000010;
						 *_t88(_t91 + 0xe1, _t93, 0xff);
						_t64 = _v28;
						if(_t64 == 0) {
							 *((char*)(_t91 + 0x1e5)) = 0;
						} else {
							 *_t88(_t91 + 0x1e5, _t64, 0x3f);
						}
						 *(_t91 + 0x1e1) = _v20 + _v20 * 4 + (_v20 + _v20 * 4) * 4 + (_v20 + _v20 * 4 + (_v20 + _v20 * 4) * 4) * 4 << 3;
						 *((intOrPtr*)(_t91 + 0x225)) = _v24;
					}
					_t84 =  *((intOrPtr*)(_t91 + 0x23c));
					_t75 = _v36;
					 *(_t91 + 0x230) = _t75;
					_t60 = 1;
					if(_t84 != 0 && _t75 != 0) {
						 *(_t91 + 0x4d) = 8;
						 *((intOrPtr*)(_t91 + 0xd9)) = 1;
						 *((intOrPtr*)(_t91 + 0xdd)) = 1;
					}
					 *(_t91 + 0x27c) =  *(_t91 + 0x4d);
					if(_t75 == 0 || _t84 != 0) {
						_t60 = Shell_NotifyIconA(0, _t91 + 0x41); // executed
						_t77 = 0 | _t60 == 0x00000000;
						 *(_t91 + 0x234) = _t77;
						 *(_t91 + 0x230) = _t77;
						 *(_t91 + 0x238) = _t77;
					}
					if( *((intOrPtr*)(_t91 + 0x23c)) != 0 && _t93 != 0) {
						 *((char*)(_t91 + 0xe1)) = 0;
					}
					return _t60;
				} else {
					return 0;
				}
			}

APIs

GetVersion.KERNEL32(?,004023A8,?,0000800A,Caffeine,00000000,00000081,00000000,00000000,00000000,00000000,0000000A,-noicon,-replace,-apptoggle,-apptoggleshowdlg), ref: 00403003
#1233.MFC42(00000000,00000000,00000000,00000000,004076E4,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,004023A8), ref: 0040304C
#2152.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,004076E4,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403056
_mbsnbcpy.MSVCRT ref: 004030AB
_mbsnbcpy.MSVCRT ref: 004030D8
_mbsnbcpy.MSVCRT ref: 004030EF

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: _mbsnbcpy$#1233#2152Version
String ID:
API String ID: 494087368-0
Opcode ID: 2369528ade2a96fe857e4a859b874dd018032859b0edd50a1ebb554cdf61770e
Instruction ID: 214fda40c4ab09d81bff82deb3576ea03069259a42121a88c931fbb7d5db7241
Opcode Fuzzy Hash: 2369528ade2a96fe857e4a859b874dd018032859b0edd50a1ebb554cdf61770e
Instruction Fuzzy Hash: 35414C74605B009BD334CF28D840BABBBE9AF88304F04482EE99AA77C0D775F904CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00402B10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135
keyboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00402B10(void* __ebx, void* __ecx, void* __edi, void* __ebp, intOrPtr _a4) {
				intOrPtr _v12;
				short _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				intOrPtr _v68;
				short _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				short _v82;
				char _v84;
				short _v98;
				short _v100;
				intOrPtr _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t82;
				intOrPtr _t91;
				void* _t100;
				short _t103;

				_t54 = _a4;
				_t100 = __ecx;
				if(_t54 !=  *((intOrPtr*)(__ecx + 0x340))) {
					L29:
					return _t54;
				}
				_t56 =  *((intOrPtr*)(__ecx + 0x344)) - 1;
				 *((intOrPtr*)(__ecx + 0x344)) = _t56;
				if(_t56 == 0) {
					 *((intOrPtr*)(__ecx + 0x344)) =  *((intOrPtr*)(__ecx + 0x34c));
					if( *((intOrPtr*)(__ecx + 0x348)) != 0) {
						if( *((intOrPtr*)(__ecx + 0x361)) == 0) {
							if(GetAsyncKeyState(0x10) >= 0) {
								_t91 =  *((intOrPtr*)(_t100 + 0x360));
								_v100 = 0x7e;
								if(_t91 != 0) {
									_v100 = 0x10;
								}
								_t103 =  *((intOrPtr*)(_t100 + 0x364));
								if(_t103 != 0xffffffff) {
									_v100 = _t103;
								}
								_v98 = 0;
								_v84 = 0x7e;
								if(_t91 != 0) {
									_v84 = 0x10;
								}
								if(_t103 != 0xffffffff) {
									_v84 =  *((intOrPtr*)(_t100 + 0x364));
								}
								_v82 = 0;
								if( *((intOrPtr*)(_t100 + 0x349)) == 0 ||  *((intOrPtr*)(_t100 + 0x368)) != 0) {
									_v48 = 0;
									_v20 = 2;
									_v40 = 0;
									_push(0x1c);
									_push( &_v56);
									_v56 = 1;
									_v52 = _v84;
									_v44 = 0;
									_v28 = 1;
									_v24 = _v100;
									_v16 = 0;
									_v12 = 0;
									_push(2); // executed
								} else {
									_v76 = 2;
									_push(0x1c);
									_push( &_v84);
									_v84 = 1;
									_v80 = _v100;
									_v72 = 0;
									_v68 = 0;
									_push(1);
								}
								L00404310(); // executed
							}
						} else {
							__imp__SetThreadExecutionState(1);
						}
					}
				}
				_t82 =  *((intOrPtr*)(_t100 + 0x350)) + 1;
				_t54 = _t82;
				 *((intOrPtr*)(_t100 + 0x350)) = _t82;
				if(_t54 != 0x3c) {
					goto L29;
				}
				_t57 =  *((intOrPtr*)(_t100 + 0x354));
				 *((intOrPtr*)(_t100 + 0x350)) = 0;
				if(_t57 > 0xffffffff) {
					 *((intOrPtr*)(_t100 + 0x354)) = _t57 - 1;
					E00402A30(_t100);
					_t68 =  *((intOrPtr*)(_t100 + 0x354));
					if( *((intOrPtr*)(_t100 + 0x354)) == 0) {
						E004027F0(_t68, _t100);
					}
				}
				_t58 =  *((intOrPtr*)(_t100 + 0x35c));
				if(_t58 > 0xffffffff) {
					 *((intOrPtr*)(_t100 + 0x35c)) = _t58 - 1;
					E00402A30(_t100);
					if( *((intOrPtr*)(_t100 + 0x35c)) == 0) {
						E004026F0(_t100);
					}
				}
				_t54 =  *((intOrPtr*)(_t100 + 0x358));
				if(_t54 <= 0xffffffff) {
					goto L29;
				} else {
					 *((intOrPtr*)(_t100 + 0x358)) = _t54 - 1;
					E00402A30(_t100);
					_t54 =  *((intOrPtr*)(_t100 + 0x358));
					if(_t54 != 0) {
						goto L29;
					}
					return E004027F0(_t54, _t100);
				}
			}

APIs

SetThreadExecutionState.KERNEL32 ref: 00402B62
GetAsyncKeyState.USER32(00000010), ref: 00402B6F
SendInput.USER32(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402C5D

Strings

~, xrefs: 00402BB9
~, xrefs: 00402B84

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: State$AsyncExecutionInputSendThread
String ID: ~$~
API String ID: 3005571445-3883606485
Opcode ID: cf970ab741a0cd2cbb4f10e44767d8f2130443aa63ff88278c6e8bffd008818b
Instruction ID: 7130108b890031132239ec38ca8d7c972d48cb564a9e12af4e1f8d4db92a3455
Opcode Fuzzy Hash: cf970ab741a0cd2cbb4f10e44767d8f2130443aa63ff88278c6e8bffd008818b
Instruction Fuzzy Hash: 5D51B370608B408BD325DF3585487ABB7E5BF84704F04492EE4E9A73D1D7B9AA45CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 004010B0 Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E004010B0(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v44;
				intOrPtr _t14;
				intOrPtr _t15;
				void* _t29;
				intOrPtr _t32;

				_push(0xffffffff);
				_push(E0040498A);
				_t14 =  *[fs:0x0];
				_push(_t14);
				 *[fs:0x0] = _t32;
				_t29 = __ecx;
				L0040440C();
				_push(0x370);
				L00404406();
				_v32 = _t14;
				_v4 = 0;
				if(_t14 == 0) {
					_t15 = 0;
				} else {
					_t15 = E00401EB0(_t14);
				}
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v28);
				_push(0);
				_push(0);
				_push(0);
				_v4 = 0xffffffff;
				 *((intOrPtr*)(_t29 + 0xc4)) = _t15;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				L00404400(); // executed
				if(_t15 != 0) {
					 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t29 + 0xc4));
					 *[fs:0x0] = _v44;
					return 1;
				} else {
					 *[fs:0x0] = _v44;
					return _t15;
				}
			}

APIs

#2621.MFC42 ref: 004010CC
#823.MFC42(00000370), ref: 004010D6
#2092.MFC42 ref: 00401123

Part of subcall function 00401EB0: #366.MFC42(?,00000000,00000000,00404B28,000000FF,004010F3), ref: 00401ECD

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #2092#2621#366#823
String ID:
API String ID: 2268764163-0
Opcode ID: 683b3c79bd9f6b4bfadf9be907033440c828dad569ab0290086935c78284fe1c
Instruction ID: 02574b38cc50e8d9c1897a6c387a58067b250ed6537a73a29c6a92591854185e
Opcode Fuzzy Hash: 683b3c79bd9f6b4bfadf9be907033440c828dad569ab0290086935c78284fe1c
Instruction Fuzzy Hash: 15115EB1504780ABD324DF2AC941B6BFAE8FBD5B10F404A3FF595937D0D77894028A52

Uniqueness

Uniqueness Score: -1.00%

Function 00403350 Relevance: 4.5, APIs: 3, Instructions: 16
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00403350(void* __ecx, signed int _a4) {
				struct HINSTANCE__* _t3;
				void* _t8;

				_t8 = __ecx;
				L004044FC();
				_t3 = _a4 & 0x0000ffff;
				_push(_t3);
				_push(0xe);
				L004044F6(); // executed
				return E00403320(_t8, LoadIconA(_t3, _t3));
			}

0x00403351
0x00403353
0x0040335c
0x00403361
0x00403362
0x00403365
0x0040337a

APIs

#1168.MFC42(?,004023D5,00000080,-noicon,-replace,-apptoggle,-apptoggleshowdlg,-appoff,-appon,-appexit), ref: 00403353
#1146.MFC42(?,0000000E,?,?,004023D5,00000080,-noicon,-replace,-apptoggle,-apptoggleshowdlg,-appoff,-appon,-appexit), ref: 00403365
LoadIconA.USER32(00000000,?), ref: 0040336B

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #1146#1168IconLoad
String ID:
API String ID: 1270145794-0
Opcode ID: e27460b68f97278d09c7f8f7ab4d1dc8842c15d5636e7485ee381ab9598b3fc9
Instruction ID: 69aa662458a5f531faae11e4b0eb1e2118290ea9476756fabce9aea489a5acdf
Opcode Fuzzy Hash: e27460b68f97278d09c7f8f7ab4d1dc8842c15d5636e7485ee381ab9598b3fc9
Instruction Fuzzy Hash: C6D0C9B251462226D524B7699C46FAB254C9F84305B01483A7600F71D5CD7CD88156BC

Uniqueness

Uniqueness Score: -1.00%

Function 00403420 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00403420(void* __ecx, intOrPtr _a4) {
				intOrPtr _t7;
				int _t10;

				if( *((intOrPtr*)(__ecx + 0x22c)) != 0) {
					 *((intOrPtr*)(__ecx + 0x4d)) = 4;
					_t7 =  *0x407550; // 0x80
					__imp___mbsnbcpy(__ecx + 0x59, _a4, _t7 - 1);
					if( *((intOrPtr*)(__ecx + 0x230)) == 0) {
						_t10 = Shell_NotifyIconA(1, __ecx + 0x41); // executed
						return _t10;
					} else {
						return 1;
					}
				} else {
					return 0;
				}
			}

0x0040342b
0x00403437
0x0040343e
0x0040344a
0x0040345b
0x0040346c
0x00403473
0x0040345d
0x00403463
0x00403463
0x0040342d
0x00403430
0x00403430

APIs

_mbsnbcpy.MSVCRT ref: 0040344A

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: _mbsnbcpy
String ID:
API String ID: 1791573619-0
Opcode ID: a54bdd212721f15a9da34ab35c738f99b25ce21e2ce7e2c73faf8e2b84759761
Instruction ID: b1e522a42698a6aae6a07e4e8578c056bb5adab7fa1212d67f14f4c275588573
Opcode Fuzzy Hash: a54bdd212721f15a9da34ab35c738f99b25ce21e2ce7e2c73faf8e2b84759761
Instruction Fuzzy Hash: 35F030B1604710ABD720DF38ED48FD777A8EB54350F05882AFD45D7280E2B5ED40CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040473C Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_onexit.KERNELBASE ref: 00404749
__dllonexit.MSVCRT ref: 0040475F

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: __dllonexit_onexit
String ID:
API String ID: 2384194067-0
Opcode ID: 74ab65eb9dca489cea011b4af264b018869b17bba543ccce6cd5d5265cfecb83
Instruction ID: 3560a2a85d8bc6da7f8465911b23706449da8e72a643976eea9633fd7fcdf7d9
Opcode Fuzzy Hash: 74ab65eb9dca489cea011b4af264b018869b17bba543ccce6cd5d5265cfecb83
Instruction Fuzzy Hash: 97C0C975808200AACA012714AD8665A3711E6C0BA2B608B3AF665310E187B96564EA4A

Uniqueness

Uniqueness Score: -1.00%

Function 00403320 Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403320(void* __ecx, intOrPtr _a4) {
				int _t7;

				if( *((intOrPtr*)(__ecx + 0x22c)) != 0) {
					 *((intOrPtr*)(__ecx + 0x4d)) = 2;
					 *((intOrPtr*)(__ecx + 0x55)) = _a4;
					_t7 = Shell_NotifyIconA(1, __ecx + 0x41); // executed
					return _t7;
				} else {
					return 0;
				}
			}

0x00403328
0x00403333
0x0040333a
0x00403343
0x00403349
0x0040332a
0x0040332c
0x0040332c

APIs

Shell_NotifyIconA.SHELL32(00000001,?,00403379,00000000,?,004023D5,00000080,-noicon,-replace,-apptoggle,-apptoggleshowdlg,-appoff,-appon,-appexit), ref: 00403343

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6027ecfbcc8562672cd7633f8f7ab8a56b1d2a2eb048df20e9580d3528f68953
Instruction ID: 826fa27bb1a59d9b9be6ff5669ef0ecb807fb1ab48b253733c37398ff525977c
Opcode Fuzzy Hash: 6027ecfbcc8562672cd7633f8f7ab8a56b1d2a2eb048df20e9580d3528f68953
Instruction Fuzzy Hash: 11D092F0641201ABEB14CF61CA49F5776E4AB60749F14807DE9099A282E6B79802CA28

Uniqueness

Uniqueness Score: -1.00%

Function 00404918 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00404918(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				L00404970(); // executed
				return __eax;
			}

0x00404918
0x0040491c
0x00404920
0x00404924
0x00404928
0x0040492d

APIs

#1576.MFC42(004048BA,004048BA,004048BA,004048BA,004048BA,00000000,?,0000000A), ref: 00404928

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction ID: 230b90cec560b6285ba54e04a4d0fdc70efa034c1d814bec92b4c902bc71f2d7
Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction Fuzzy Hash: 27B00276418386ABCB02DF91DC01D2FBAA2BFD8304F484C2DB2E1110B187768438FB56

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401190 Relevance: 13.6, APIs: 9, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00401190(void* __ecx) {
				signed int _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				int _t16;
				int _t21;
				int _t22;
				int _t37;
				struct tagRECT* _t48;
				void* _t56;

				_t56 = __ecx;
				_t16 = IsIconic( *(__ecx + 0x20));
				if(_t16 == 0) {
					L0040451A();
					return _t16;
				} else {
					_push(_t56);
					L00404526();
					asm("sbb eax, eax");
					SendMessageA( *(_t56 + 0x20), 0x27,  ~( &_v88) & _v84, 0);
					_t21 = GetSystemMetrics(0xb);
					_t22 = GetSystemMetrics(0xc);
					_t48 =  &_v104;
					GetClientRect( *(_t56 + 0x20), _t48);
					asm("cdq");
					asm("cdq");
					_t37 = DrawIcon(_v84, _v96 - _v104 - _t21 + 1 - _v104 >> 1, _v92 - _v100 - _t22 + 1 - _t48 >> 1,  *(_t56 + 0xa0));
					L00404520();
					return _t37;
				}
			}

APIs

IsIconic.USER32 ref: 0040119A
#470.MFC42 ref: 004011AF
SendMessageA.USER32 ref: 004011CB
GetSystemMetrics.USER32 ref: 004011D9
GetSystemMetrics.USER32 ref: 004011DF
GetClientRect.USER32 ref: 004011EC
DrawIcon.USER32 ref: 00401224
#755.MFC42 ref: 0040122E
#2379.MFC42 ref: 0040123C

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
String ID:
API String ID: 1397574227-0
Opcode ID: d3a0457c1f631a3a479a5ca6ed3b3045380df733c0b1965b88c6b3a8a16459ee
Instruction ID: 2e689e1194588269f18afad073dda88d88f281029b2ebf10d158ca71fc05ebc3
Opcode Fuzzy Hash: d3a0457c1f631a3a479a5ca6ed3b3045380df733c0b1965b88c6b3a8a16459ee
Instruction Fuzzy Hash: 9D1181B12047069FC614DF38DD49E9B77E9FBC8305F084A2DF68AD3290DA34E8058B55

Uniqueness

Uniqueness Score: -1.00%

Function 00403F70 Relevance: 71.9, APIs: 38, Strings: 3, Instructions: 176
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00403F70(void* __ecx) {
				int _v36;
				char _v48;
				char _v60;
				intOrPtr _v64;
				char _v72;
				char _v76;
				void* _v84;
				char _v88;
				char _v92;
				char _v100;
				char _v108;
				char _v112;
				char _v124;
				void* _v128;
				void* _v132;
				char _v136;
				char _v140;
				char _v148;
				char _v156;
				char _v160;
				char _v172;
				char _v184;
				char _v188;
				intOrPtr _v196;
				void* _v200;
				char _v204;
				void* _v208;
				void* _v212;
				void* _v216;
				char _v220;
				void* _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				void* _v248;
				intOrPtr _v252;
				void* _v260;
				struct HINSTANCE__* _t64;
				long _t67;
				char* _t68;
				char* _t69;
				char* _t70;
				char* _t71;
				void* _t111;
				intOrPtr _t113;

				_push(0xffffffff);
				_push(E00404DD0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t113;
				_t111 = __ecx;
				L00404514();
				_t108 = __ecx + 0x60;
				_push(__ecx);
				_push(0x3eb);
				L0040450E();
				_push(__ecx + 0x60);
				_v64 = _t113 - 0x38;
				L004046AC();
				E004016D0(__ecx + 0x60, "http://www.zhornsoftware.co.uk/");
				_t64 = E00401790(_t108, 1);
				L004044FC();
				_push(0x80);
				_push(0xe);
				L004044F6();
				_t67 = SendMessageA( *(_t111 + 0x20), 0x80, 0, LoadIconA(_t64, 0x80));
				_push("Copyright");
				L004046AC();
				_push(0x65);
				_push(_t67);
				_push( &_v92);
				_v36 = 0;
				L00404724();
				_push("d to ");
				_push(_t67);
				_push( &_v108);
				_v48 = 1;
				L0040471E();
				_push(0x4076e8);
				_push(_t67);
				_t68 =  &_v124;
				_v60 = 2;
				_push(_t68);
				L00404736();
				_v72 = 6;
				L00404538();
				_v72 = 5;
				L00404538();
				_v72 = 4;
				L00404538();
				_push(" R");
				L004046AC();
				_push(0x65);
				_push(_t68);
				_push( &_v92);
				_v76 = 7;
				L00404724();
				_v88 = 8;
				_push("v");
				_push(_t68);
				_push( &_v108);
				L0040471E();
				_push(0x65);
				_push(_t68);
				_t69 =  &_v124;
				_v100 = 9;
				_push(_t69);
				L00404724();
				_push("ll");
				_push(_t69);
				_push( &_v140);
				_v112 = 0xa;
				L0040471E();
				_push(0x20);
				_push(_t69);
				_push( &_v156);
				_v124 = 0xb;
				L00404724();
				_push("2");
				_push(_t69);
				_t70 =  &_v172;
				_v136 = 0xc;
				_push(_t70);
				L0040471E();
				_push(0x30);
				_push(_t70);
				_push( &_v188);
				_v148 = 0xd;
				L00404724();
				_push("1");
				_push(_t70);
				_push( &_v204);
				_v160 = 0xe;
				L0040471E();
				_push(0x33);
				_push(_t70);
				_t71 =  &_v220;
				_v172 = 0xf;
				_push(_t71);
				L00404724();
				_push(_t71);
				_v184 = 0x10;
				L00404730();
				_v188 = 0xf;
				L00404538();
				_v188 = 0xe;
				L00404538();
				_v188 = 0xd;
				L00404538();
				_v188 = 0xc;
				L00404538();
				_v188 = 0xb;
				L00404538();
				_v188 = 0xa;
				L00404538();
				_v188 = 9;
				L00404538();
				_v188 = 8;
				L00404538();
				_v188 = 7;
				L00404538();
				_v188 = 4;
				L00404538();
				_push(_v252);
				_push(0x3ec);
				L0040472A();
				L00404586();
				_v196 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v204;
				return 1;
			}

APIs

#4710.MFC42 ref: 00403F8C
#6241.MFC42(000003EB), ref: 00403F9C
#537.MFC42(http://www.zhornsoftware.co.uk/,?,000003EB), ref: 00403FAD

Part of subcall function 004016D0: #858.MFC42(?,?,?,00404A48,000000FF), ref: 004016F8
Part of subcall function 004016D0: IsWindow.USER32(?), ref: 00401709
Part of subcall function 004016D0: #6358.MFC42(?,?,00000001,?,?,00404A48,000000FF), ref: 00401725
Part of subcall function 004016D0: #800.MFC42(?,?,00404A48,000000FF), ref: 00401736

Part of subcall function 00401790: IsWindow.USER32(?), ref: 004017A9
Part of subcall function 00401790: SendMessageA.USER32 ref: 004017C5
Part of subcall function 00401790: #2860.MFC42(00000000), ref: 004017C8
Part of subcall function 00401790: GetObjectA.GDI32(?,0000003C,?), ref: 004017D8
Part of subcall function 00401790: #2414.MFC42 ref: 004017EA
Part of subcall function 00401790: CreateFontIndirectA.GDI32(?), ref: 004017F4
Part of subcall function 00401790: #1641.MFC42(00000000), ref: 004017FD
Part of subcall function 00401790: SendMessageA.USER32 ref: 00401812
Part of subcall function 00401790: InvalidateRect.USER32(?,00000000,00000001), ref: 0040181C

#1168.MFC42(?,000003EB), ref: 00403FC2
#1146.MFC42(00000080,0000000E,00000080,?,000003EB), ref: 00403FD3
LoadIconA.USER32(00000000,00000080), ref: 00403FD9
SendMessageA.USER32 ref: 00403FEB
#537.MFC42(Copyright,?,000003EB), ref: 00403FFA
#923.MFC42(?,00000000), ref: 0040400F
#924.MFC42(?,00000000,d to ,?,00000000), ref: 00404024
#922.MFC42(?,00000000,004076E8,?,00000000,d to ,?,00000000), ref: 00404039
#800.MFC42(?,00000000,004076E8,?,00000000,d to ,?,00000000), ref: 00404047
#800.MFC42(?,00000000,004076E8,?,00000000,d to ,?,00000000), ref: 00404055
#800.MFC42(?,00000000,004076E8,?,00000000,d to ,?,00000000), ref: 00404063
#537.MFC42(00407588,?,00000000,004076E8,?,00000000,d to ,?,00000000), ref: 00404071
#923.MFC42(?,00000000,00000065,00407588,?,00000000,004076E8,?,00000000,d to ,?,00000000), ref: 00404083
#924.MFC42(?,00000000,00407584,?,00000000,00000065,00407588,?,00000000,004076E8,?,00000000,d to ,?,00000000), ref: 00404098
#923.MFC42(?,00000000,00000065,?,00000000,00407584,?,00000000,00000065,00407588,?,00000000,004076E8,?,00000000,d to ), ref: 004040AA
#924.MFC42(?,00000000,00407580,?,00000000,00000065,?,00000000,00407584,?,00000000,00000065,00407588,?,00000000,004076E8), ref: 004040BF
#923.MFC42(?,00000000,00000020,?,00000000,00407580,?,00000000,00000065,?,00000000,00407584,?,00000000,00000065,00407588), ref: 004040D1
#924.MFC42(?,00000000,00407478,?,00000000,00000020,?,00000000,00407580,?,00000000,00000065,?,00000000,00407584,?), ref: 004040E6
#923.MFC42(?,00000000,00000030,?,00000000,00407478,?,00000000,00000020,?,00000000,00407580,?,00000000,00000065,?), ref: 004040F8
#924.MFC42(?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020,?,00000000,00407580,?), ref: 0040410D
#923.MFC42(?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020,?), ref: 0040411F
#939.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 0040412E
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 0040413C
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 0040414A
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 00404158
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 00404166
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 00404174
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 00404182
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 00404190
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 0040419E
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 004041AC
#800.MFC42(00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?,00000000,00000020), ref: 004041BA
#3092.MFC42(000003EC,?,00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?), ref: 004041CB
#6199.MFC42(000003EC,?,00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?), ref: 004041D2
#800.MFC42(000003EC,?,00000000,?,00000000,00000033,?,00000000,0040747C,?,00000000,00000030,?,00000000,00407478,?), ref: 004041E3

Strings

d to , xrefs: 00404014
Copyright, xrefs: 00403FF1
http://www.zhornsoftware.co.uk/, xrefs: 00403FA8

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #800$#923$#924$#537MessageSend$Window$#1146#1168#1641#2414#2860#3092#4710#6199#6241#6358#858#922#939CreateFontIconIndirectInvalidateLoadObjectRect
String ID: Copyright$d to $http://www.zhornsoftware.co.uk/
API String ID: 3006126851-2185217615
Opcode ID: 29200f4f85b3c62d76dd857aae978e8929f35be0d2d91fa12cef3c3978bf053e
Instruction ID: d84603b2a0d053dc8d7841b4659286c1ddde81081368e72ce63422313928a5ce
Opcode Fuzzy Hash: 29200f4f85b3c62d76dd857aae978e8929f35be0d2d91fa12cef3c3978bf053e
Instruction Fuzzy Hash: 18612FB01083C0AAD315E765C886B5FBBD8AFD6748F444D2EF685621D2DBBC9508862B

Uniqueness

Uniqueness Score: -1.00%

Function 00401AB0 Relevance: 61.3, APIs: 20, Strings: 15, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00401AB0(void* __ecx, char _a4) {
				char _v4;
				void* _v12;
				char _v16;
				char _v20;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				void* _v44;
				char* _t32;
				char _t46;
				intOrPtr _t48;

				_push(0xffffffff);
				_push(E00404AB0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				L0040454A();
				_t46 = _a4;
				_v4 = 0;
				if(_t46 > 0x20) {
					L15:
					_push(_t46);
					_push("Unknown Error (%d) occurred.");
					_push( &_v16);
					L004045D4();
					_t48 = _t48 + 0xc;
				} else {
					switch( *((intOrPtr*)(0 +  &M00401C4C))) {
						case 0:
							_push("The operating system is out\nof memory or resources.");
							L004045DA();
							goto L16;
						case 1:
							_push("The specified file was not found.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 2:
							_push("The specified path was not found.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 3:
							_push("The operating system denied\naccess to the specified file.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 4:
							_push("There was not enough memory to complete the operation.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 5:
							_push("The .EXE file is invalid\n(non-Win32 .EXE or error in .EXE image).");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 6:
							_push("A sharing violation occurred. ");
							__ecx =  &_v16;
							L004045DA();
							goto L15;
						case 7:
							_push("The filename association is\nincomplete or invalid.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 8:
							_push("The DDE transaction could not\nbe completed because the request timed out.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 9:
							_push("The DDE transaction failed.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 0xa:
							_push("The DDE transaction could not\nbe completed because other DDE transactions\nwere being processed.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 0xb:
							_push("There is no application associated\nwith the given filename extension.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 0xc:
							_push("The specified dynamic-link library was not found.");
							__ecx =  &_v16;
							L004045DA();
							goto L16;
						case 0xd:
							goto L15;
					}
				}
				L16:
				_t32 =  &_a4;
				_push( &_v16);
				_push("Unable to open hyperlink:\n\n");
				_push(_t32);
				L004045CE();
				_push(_t32);
				_v16 = 1;
				L0040459E();
				_v20 = 0;
				L00404538();
				_push(0);
				_push(0x30);
				_push(_v32);
				L004045C8();
				_v32 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v40;
				return _t32;
			}

APIs

#540.MFC42(?,?,00000000,00404AB0,000000FF,00401470,00000000), ref: 00401ACB
#860.MFC42(The operating system is outof memory or resources.,?,?,00000000,00404AB0,000000FF,00401470,00000000), ref: 00401AFD
#860.MFC42(The specified path was not found.,The specified file was not found.), ref: 00401B10
#860.MFC42(The specified file was not found.), ref: 00401B23
#860.MFC42(The .EXE file is invalid(non-Win32 .EXE or error in .EXE image).,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B36
#860.MFC42(The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B49
#860.MFC42(The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B5C
#860.MFC42(The DDE transaction could notbe completed because other DDE transactionswere being processed.,The DDE transaction failed.,The DDE transaction could notbe completed because the request timed out.,The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B6F
#860.MFC42(The DDE transaction failed.,The DDE transaction could notbe completed because the request timed out.,The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B7F
#860.MFC42(The DDE transaction could notbe completed because the request timed out.,The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B8F
#860.MFC42(The specified dynamic-link library was not found.,There is no application associatedwith the given filename extension.,The DDE transaction could notbe completed because other DDE transactionswere being processed.,The DDE transaction failed.,The DDE transaction could notbe completed because the request timed out.,The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401B9F
#860.MFC42(There is no application associatedwith the given filename extension.,The DDE transaction could notbe completed because other DDE transactionswere being processed.,The DDE transaction failed.,The DDE transaction could notbe completed because the request timed out.,The filename association isincomplete or invalid.,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401BAF
#860.MFC42(There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401BBF
#860.MFC42(A sharing violation occurred. ,The .EXE file is invalid(non-Win32 .EXE or error in .EXE image).,There was not enough memory to complete the operation.,The operating system deniedaccess to the specified file.,The specified path was not found.,The specified file was not found.), ref: 00401BCF
#2818.MFC42(?,Unknown Error (%d) occurred.,?,?,?,00000000,00404AB0,000000FF,00401470,00000000), ref: 00401BDF
#926.MFC42(?,Unable to open hyperlink:,?), ref: 00401BF6
#858.MFC42(?,?,?,?,?,?,00000000), ref: 00401C05
#800.MFC42(?,?,?,?,?,?,00000000), ref: 00401C13
#1200.MFC42(?,00000030,00000000,?,?,?,?,?,?,00000000), ref: 00401C21
#800.MFC42(?,00000030,00000000,?,?,?,?,?,?,00000000), ref: 00401C32

Strings

The filename association isincomplete or invalid., xrefs: 00401B53
The operating system is outof memory or resources., xrefs: 00401AF4
The specified file was not found., xrefs: 00401B1A
There is no application associatedwith the given filename extension., xrefs: 00401BA6
The DDE transaction could notbe completed because the request timed out., xrefs: 00401B86
The specified path was not found., xrefs: 00401B07
Unable to open hyperlink:, xrefs: 00401BF0
Unknown Error (%d) occurred., xrefs: 00401BD9
The operating system deniedaccess to the specified file., xrefs: 00401B40
A sharing violation occurred. , xrefs: 00401BC6
There was not enough memory to complete the operation., xrefs: 00401BB6
The DDE transaction failed., xrefs: 00401B76
The specified dynamic-link library was not found., xrefs: 00401B96
The DDE transaction could notbe completed because other DDE transactionswere being processed., xrefs: 00401B66
The .EXE file is invalid(non-Win32 .EXE or error in .EXE image)., xrefs: 00401B2D

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #860$#800$#1200#2818#540#858#926
String ID: A sharing violation occurred. $The .EXE file is invalid(non-Win32 .EXE or error in .EXE image).$The DDE transaction could notbe completed because other DDE transactionswere being processed.$The DDE transaction could notbe completed because the request timed out.$The DDE transaction failed.$The filename association isincomplete or invalid.$The operating system deniedaccess to the specified file.$The operating system is outof memory or resources.$The specified dynamic-link library was not found.$The specified file was not found.$The specified path was not found.$There is no application associatedwith the given filename extension.$There was not enough memory to complete the operation.$Unable to open hyperlink:$Unknown Error (%d) occurred.
API String ID: 346542042-3273680174
Opcode ID: ea7e90c578bf019d686b0e0a1a9cb7f1dbbf8356f100c7c62e7251d023a5f85a
Instruction ID: d05527ecf1c23452e4e09f04e5b27d926ba05525808f6f0cd500f92e65994bfe
Opcode Fuzzy Hash: ea7e90c578bf019d686b0e0a1a9cb7f1dbbf8356f100c7c62e7251d023a5f85a
Instruction Fuzzy Hash: 9A3138B055C241FBC214EA50CC92B6B77A0AB91744F50493FB286361E1EFBCB946869F

Uniqueness

Uniqueness Score: -1.00%

Function 004036F0 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004036F0(intOrPtr* __ecx) {
				intOrPtr _t62;
				struct HINSTANCE__* _t68;
				struct HMENU__* _t69;
				struct HMENU__* _t71;
				struct HINSTANCE__* _t76;
				struct HMENU__* _t77;
				struct HMENU__* _t78;
				struct HMENU__* _t132;
				intOrPtr* _t138;
				int _t140;
				void* _t149;
				struct HMENU__* _t157;
				void* _t158;

				_push(0xffffffff);
				_push(E00404CC8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t157;
				_t158 = _t157 - 0x10;
				_t138 = __ecx;
				if( *((intOrPtr*)(_t158 + 0x20)) ==  *(__ecx + 0x49)) {
					_t128 = 0x405c3c;
					 *(_t158 + 0x10) = 0;
					 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
					 *(_t158 + 0x24) = 0;
					_t149 = E00403480(__ecx);
					if(_t149 != 0) {
						_t62 =  *((intOrPtr*)(_t158 + 0x30));
						if(_t62 != 0x205) {
							if(_t62 != 0x203) {
								goto L21;
							} else {
								SetForegroundWindow( *(_t149 + 0x20));
								if( *(_t138 + 0x278) == 0) {
									_t140 =  *(_t138 + 0x274);
									goto L20;
								} else {
									_t68 =  *(_t138 + 0x49) & 0x0000ffff;
									_push(_t68);
									_push(4);
									L004044F6();
									_t69 = LoadMenuA(_t68, _t68);
									_push(_t69);
									L004046F4();
									if(_t69 != 0) {
										_t71 = GetSubMenu( *(_t158 + 0x10), 0);
										_push(_t71);
										L004046E8();
										if(_t71 != 0) {
											_t140 = GetMenuItemID( *(_t71 + 4),  *(_t138 + 0x274));
											L004046EE();
											L20:
											PostMessageA( *(_t149 + 0x20), 0x111, _t140, 0);
											goto L21;
										} else {
											 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
											 *(_t158 + 0x24) = 5;
											L004046EE();
											 *[fs:0x0] =  *(_t158 + 0x10);
											return 0;
										}
									} else {
										 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
										 *(_t158 + 0x24) = 4;
										L004046EE();
										 *[fs:0x0] =  *(_t158 + 0x10);
										return 0;
									}
								}
							}
						} else {
							_t76 =  *(__ecx + 0x49) & 0x0000ffff;
							_push(_t76);
							_push(4);
							L004044F6();
							_t77 = LoadMenuA(_t76, _t76);
							_push(_t77);
							L004046F4();
							if(_t77 != 0) {
								_t78 = GetSubMenu( *(_t158 + 0x10), 0);
								_push(_t78);
								L004046E8();
								_t132 = _t78;
								if(_t132 != 0) {
									SetMenuDefaultItem( *(_t132 + 4),  *(_t138 + 0x274),  *(_t138 + 0x278));
									 *((intOrPtr*)( *_t138 + 0xc4))(_t132);
									if( *((intOrPtr*)(_t138 + 0x40)) != 0) {
										ModifyMenuA( *(_t132 + 4), 0x8005, 8, 0x8005, "Active");
									}
									GetCursorPos(_t158 + 0x14);
									SetForegroundWindow( *(_t149 + 0x20));
									TrackPopupMenu( *(_t132 + 4), 0,  *(_t158 + 0x14),  *(_t158 + 0x18), 0,  *(_t149 + 0x20), 0);
									PostMessageA( *(_t149 + 0x20), 0, 0, 0);
									L004046EE();
									_t128 = 0x405c3c;
									L21:
									 *((intOrPtr*)(_t158 + 0xc)) = _t128;
									 *(_t158 + 0x24) = 6;
									L004046EE();
									 *[fs:0x0] =  *(_t158 + 0x1c);
									return 1;
								} else {
									 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
									 *(_t158 + 0x24) = 3;
									L004046EE();
									 *[fs:0x0] =  *(_t158 + 0x10);
									return 0;
								}
							} else {
								 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
								 *(_t158 + 0x24) = 2;
								L004046EE();
								 *[fs:0x0] =  *(_t158 + 0x10);
								return 0;
							}
						}
					} else {
						 *((intOrPtr*)(_t158 + 0xc)) = 0x405c3c;
						 *(_t158 + 0x24) = 1;
						L004046EE();
						 *[fs:0x0] =  *(_t158 + 0x10);
						return 0;
					}
				} else {
					 *[fs:0x0] =  *(_t158 + 0x10);
					return 0;
				}
			}

APIs

#2438.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,00404CC8,000000FF), ref: 00403762

Strings

<\@, xrefs: 004037FD
F@, xrefs: 0040372C, 004038B5
Active, xrefs: 00403851

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #2438
String ID: <\@$Active$F@
API String ID: 3848929793-4083231078
Opcode ID: 52babf0500d360e68296940e0fbd2bbc1b4316878b0c97c08039995788ae0fb5
Instruction ID: 2155ade0938a15048844e7ff29b6153062ed146438ae282cc42f0564ce5c9ae9
Opcode Fuzzy Hash: 52babf0500d360e68296940e0fbd2bbc1b4316878b0c97c08039995788ae0fb5
Instruction Fuzzy Hash: 96817EB6204701AFD310EF25C945B6BB7E8FB84714F00892EF985A7280DB7DE904CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401580 Relevance: 25.6, APIs: 17, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00401580(void* __ecx) {
				int _v4;
				intOrPtr _v56;
				struct tagLOGFONTA _v92;
				intOrPtr _v96;
				struct tagRECT _v116;
				char _v124;
				void* _v144;
				signed char _t26;
				long _t32;
				int _t40;
				intOrPtr* _t43;
				struct HWND__* _t47;
				int _t70;
				void* _t74;
				signed char _t79;

				_t26 =  *[fs:0x0];
				_push(0xffffffff);
				_push(E00404A28);
				_push(_t26);
				 *[fs:0x0] = _t79;
				_t74 = __ecx;
				L00404592();
				if(__ecx != 0) {
					_t47 =  *(__ecx + 0x20);
				} else {
					_t47 = 0;
				}
				SetWindowLongA(_t47, 0xfffffff0, _t26 | 0x00000001);
				_t43 = _t74 + 0x5c;
				if( *((intOrPtr*)( *((intOrPtr*)(_t74 + 0x5c)) - 8)) == 0) {
					_push(_t43);
					L0040458C();
				}
				L0040454A();
				_v4 = 0;
				_push( &_v92);
				L0040458C();
				if( *((intOrPtr*)(_v96 - 8)) == 0) {
					_push( *_t43);
					L00404586();
				}
				_t32 = SendMessageA( *(_t74 + 0x20), 0x31, 0, 0);
				_push(_t32);
				L00404580();
				GetObjectA( *(_t32 + 4), 0x3c,  &(_v92.lfOrientation));
				_v92.lfUnderline =  *((intOrPtr*)(_t74 + 0x54));
				_t70 = _t74 + 0x60;
				_push(CreateFontIndirectA( &_v92));
				L0040457A();
				if(_t70 != 0) {
					_t70 =  *(_t70 + 4);
				}
				SendMessageA( *(_t74 + 0x20), 0x30, _t70, 1);
				E00401830(_t74);
				E004019F0(_t74);
				_t40 = GetClientRect( *(_t74 + 0x20),  &_v116);
				_push(0);
				_push(_t74);
				L00404574();
				_push(1);
				_push( &_v124);
				_push( *_t43);
				_push(_t74);
				L0040456E();
				L004044D2();
				_v56 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v92.lfFaceName;
				return _t40;
			}

APIs

#3797.MFC42 ref: 0040159E
SetWindowLongA.USER32 ref: 004015B5
#3874.MFC42(?), ref: 004015CB
#540.MFC42(?), ref: 004015D4
#3874.MFC42(?), ref: 004015E8
#6199.MFC42(?,?), ref: 004015FD
SendMessageA.USER32 ref: 00401612
#2860.MFC42(00000000), ref: 00401615
GetObjectA.GDI32(?,0000003C,?), ref: 00401625
CreateFontIndirectA.GDI32(?), ref: 0040163A
#1641.MFC42(00000000), ref: 00401643
SendMessageA.USER32 ref: 00401658
GetClientRect.USER32 ref: 00401671
#2122.MFC42(?,00000000), ref: 0040167F
#1088.MFC42(?,?,?,00000001,?,00000000), ref: 00401691
#5265.MFC42(?,?,?,00000001,?,00000000), ref: 00401698
#800.MFC42(?,?,?,00000001,?,00000000), ref: 004016A9

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #3874MessageSend$#1088#1641#2122#2860#3797#5265#540#6199#800ClientCreateFontIndirectLongObjectRectWindow
String ID:
API String ID: 2227210797-0
Opcode ID: 91c33229316b2e92066e70053cc2469c2e8fe531323fef1549f4e80344806ef5
Instruction ID: 78e91d416b0f403ad5dc09a236e54dfa35207b3635d77c84e58a6aa78756797c
Opcode Fuzzy Hash: 91c33229316b2e92066e70053cc2469c2e8fe531323fef1549f4e80344806ef5
Instruction Fuzzy Hash: 2631A4B1200701ABD624EB25CC91F6FB3A9FBC4B54F000A2DF642672D1CB78E905CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401830 Relevance: 24.2, APIs: 16, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00401830(void* __ecx) {
				int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				char _v32;
				char _v44;
				struct tagRECT _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _v100;
				struct HWND__* _t53;
				int _t54;
				struct HWND__* _t57;
				struct HDC__* _t59;
				void* _t61;
				signed char _t67;
				CHAR* _t70;
				void* _t85;
				signed char _t87;
				long _t100;
				long _t113;
				void* _t120;
				void* _t122;
				struct HDC__* _t123;
				intOrPtr _t125;
				intOrPtr _t128;

				_push(0xffffffff);
				_push(E00404A68);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t128;
				_t120 = __ecx;
				if(__ecx != 0) {
					_t53 =  *(__ecx + 0x20);
				} else {
					_t53 = 0;
				}
				_t54 = IsWindow(_t53);
				if(_t54 != 0) {
					_t54 =  *(_t120 + 0x58);
					if(_t54 != 0) {
						GetWindowRect( *(_t120 + 0x20),  &_v28);
						_t57 = GetParent( *(_t120 + 0x20));
						_push(_t57);
						L00404568();
						if(_t57 != 0) {
							_push( &_v32);
							L004045B0();
						}
						L0040454A();
						_v8 = 0;
						L0040458C();
						_t59 = GetDC( *(_t120 + 0x20));
						L004045AA();
						_t123 = _t59;
						_t61 =  *((intOrPtr*)(_t123->i + 0x30))(_t120 + 0x60, _t59,  &_v44, _t122, _t85);
						GetTextExtentPoint32A( *(_t123 + 8), _v64.right,  *(_v64.right - 8),  &(_v64.bottom));
						 *((intOrPtr*)(_t123->i + 0x30))(_t61);
						_t67 = ReleaseDC( *(_t120 + 0x20),  *(_t123 + 4));
						L00404592();
						_t87 = _t67;
						if((_t87 & 0x00000002) == 0) {
							_t113 = _v68 + _v64.top;
							_v64.bottom.cx = _t113;
						} else {
							asm("cdq");
							InflateRect( &_v64, 0,  ~(_v64.bottom.cx - _v68 - _v64.top - _v64.top >> 1));
							_t113 = _v64.bottom.cx;
						}
						if((_t87 & 0x00000001) == 0) {
							if((_t87 & 0x00000002) == 0) {
								_t100 = _v64.left;
								_t70 = _v72 + _t100;
								_v64.right = _t70;
							} else {
								_t70 = _v64.right;
								_t100 = _t70 - _v72;
								_v64.left = _t100;
							}
						} else {
							asm("cdq");
							InflateRect( &_v64,  ~(_v64.right - _v72 - _v64.left - _v72 >> 1), 0);
							_t70 = _v64.right;
							_t113 = _v64.bottom.cx;
							_t100 = _v64.left;
						}
						_t125 = _v64.top;
						_push(4);
						_t54 = _t70 - _t100;
						_push(_t113 - _t125);
						_push(_t54);
						_push(_t125);
						_push(_t100);
						_push(0);
						L004045A4();
						_v64.left = 0xffffffff;
						L00404538();
					}
				}
				 *[fs:0x0] = _v12;
				return _t54;
			}

APIs

IsWindow.USER32(?), ref: 00401857
GetWindowRect.USER32 ref: 00401879
GetParent.USER32(?), ref: 00401883
#2864.MFC42(00000000), ref: 0040188A
#6880.MFC42(?,00000000), ref: 0040189A
#540.MFC42(?,?,00000000), ref: 004018A5
#3874.MFC42 ref: 004018B9
GetDC.USER32(?), ref: 004018C2
#2859.MFC42(00000000), ref: 004018C9
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004018EF
ReleaseDC.USER32 ref: 00401905
#3797.MFC42 ref: 0040190D
InflateRect.USER32(?,00000000,?), ref: 0040193E
InflateRect.USER32(?,?,00000000), ref: 00401979
#6197.MFC42(00000000,?,?,?,?,00000004), ref: 004019C0
#800.MFC42(00000000,?,?,?,?,00000004), ref: 004019D1

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: Rect$InflateWindow$#2859#2864#3797#3874#540#6197#6880#800ExtentParentPoint32ReleaseText
String ID:
API String ID: 1229430148-0
Opcode ID: cb737125da13868ce94a8dd5d740498467b0550b8dd73812d20f1135e72424aa
Instruction ID: 083710a63b368be8a5a2e75130603aec36761a7d160585ce5598680cda7501de
Opcode Fuzzy Hash: cb737125da13868ce94a8dd5d740498467b0550b8dd73812d20f1135e72424aa
Instruction Fuzzy Hash: 7A512FB5204702AFD704DF69C995A6BB7E9FBC8700F044A2DF98593390D778E904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402A30 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00402A30(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				void* _t22;
				void* _t33;
				intOrPtr _t35;

				_push(0xffffffff);
				_push(E00404BF8);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t35;
				_push(__ecx);
				_t33 = __ecx;
				L0040454A();
				_t17 =  *((intOrPtr*)(__ecx + 0x354));
				_v4 = 0;
				if(_t17 == 0xffffffff) {
					_t18 =  *((intOrPtr*)(__ecx + 0x35c));
					if(_t18 == 0xffffffff) {
						_t19 =  *((intOrPtr*)(__ecx + 0x358));
						if(_t19 == 0xffffffff) {
							if( *((intOrPtr*)(__ecx + 0x348)) == 0) {
								_push("Caffeine: inactive");
							} else {
								_push("Caffeine: active");
							}
							L004045DA();
						} else {
							_push(_t19);
							_push("Caffeine: Will go active in %i minute(s)");
							_push( &_v16);
							L004045D4();
							_t35 = _t35 + 0xc;
						}
					} else {
						_push(_t18);
						_push("Caffeine: Will exit in %i minute(s)");
						_push( &_v16);
						L004045D4();
						_t35 = _t35 + 0xc;
					}
				} else {
					_push(_t17);
					_push("Caffeine: Will go inactive in %i minute(s)");
					_push( &_v16);
					L004045D4();
					_t35 = _t35 + 0xc;
				}
				_t22 = E00403420(_t33 + 0xc0, _v20);
				_v12 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v20;
				return _t22;
			}

APIs

#540.MFC42(?,?,00000000,00404BF8,000000FF,00402691,ZhornSoftwareCaffeineMain), ref: 00402A4D
#2818.MFC42(?,Caffeine: Will go inactive in %i minute(s),?,?,?,00000000,00404BF8,000000FF,00402691,ZhornSoftwareCaffeineMain), ref: 00402A70
#2818.MFC42(?,Caffeine: Will exit in %i minute(s),?,?,?,00000000,00404BF8,000000FF,00402691,ZhornSoftwareCaffeineMain), ref: 00402A90
#800.MFC42(?,Caffeine: inactive,?,?,00000000,00404BF8,000000FF,00402691,ZhornSoftwareCaffeineMain), ref: 00402AF5

Strings

Caffeine: Will exit in %i minute(s), xrefs: 00402A8A
Caffeine: active, xrefs: 00402AC4
Caffeine: inactive, xrefs: 00402ACB
Caffeine: Will go active in %i minute(s), xrefs: 00402AAA
Caffeine: Will go inactive in %i minute(s), xrefs: 00402A6A

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #2818$#540#800
String ID: Caffeine: Will exit in %i minute(s)$Caffeine: Will go active in %i minute(s)$Caffeine: Will go inactive in %i minute(s)$Caffeine: active$Caffeine: inactive
API String ID: 2322274623-3634301374
Opcode ID: 30378fbae9d1f71dec1020bdfbd01e6cb2f46df81994ec8b9ff7dd3a1fe2d989
Instruction ID: 4449c43e5b08e88013da19f82a2139671552fd5fc9db86512c79a7bcba6e5130
Opcode Fuzzy Hash: 30378fbae9d1f71dec1020bdfbd01e6cb2f46df81994ec8b9ff7dd3a1fe2d989
Instruction Fuzzy Hash: 2311D571504740BBC220DB24CD45FAB7798EB45724F144B2FB16B722D0DBBCE9458B5A

Uniqueness

Uniqueness Score: -1.00%

Function 004019F0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 52
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004019F0(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				CHAR* _v28;
				CHAR* _t13;
				struct HICON__* _t17;
				void* _t27;
				struct HINSTANCE__* _t30;
				intOrPtr _t32;

				_push(0xffffffff);
				_push(E00404A88);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t32;
				_push(__ecx);
				_t27 = __ecx;
				_t13 =  *(__ecx + 0x68);
				if(_t13 == 0) {
					L0040454A();
					_push(0x104);
					_v4 = 0;
					L004045C2();
					GetWindowsDirectoryA(_t13, 0x104);
					_push(0xffffffff);
					L004045BC();
					_push("\\winhlp32.exe");
					L004045B6();
					_t30 = LoadLibraryA(_v28);
					if(_t30 != 0) {
						_t17 = LoadCursorA(_t30, 0x6a);
						if(_t17 != 0) {
							 *((intOrPtr*)(_t27 + 0x68)) = CopyIcon(_t17);
						}
					}
					_t13 = FreeLibrary(_t30);
					_v16 = 0xffffffff;
					L00404538();
				}
				 *[fs:0x0] = _v12;
				return _t13;
			}

APIs

#540.MFC42(?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A19
#2915.MFC42(00000104,00000104,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A34
GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000104,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A3A
#5572.MFC42(000000FF,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A46
#941.MFC42(\winhlp32.exe,000000FF,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A54
LoadLibraryA.KERNEL32(?,\winhlp32.exe,000000FF,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A5E
LoadCursorA.USER32 ref: 00401A6D
CopyIcon.USER32 ref: 00401A78
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A82
#800.MFC42(?,?,?,00000000,00404A88,000000FF,00401668), ref: 00401A94

Strings

\winhlp32.exe, xrefs: 00401A4B

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: LibraryLoad$#2915#540#5572#800#941CopyCursorDirectoryFreeIconWindows
String ID: \winhlp32.exe
API String ID: 1176994157-695620452
Opcode ID: 05e50b6df430242a8222bd603a04b412f274f73aa4b0da348ae6d99f69430fb9
Instruction ID: a7958fbb4f7cea771c3a4d3836ed45ebcef4260fd507b6672cbc114736bf679a
Opcode Fuzzy Hash: 05e50b6df430242a8222bd603a04b412f274f73aa4b0da348ae6d99f69430fb9
Instruction Fuzzy Hash: D31191B1645702BBD700EF25DC45B5FB7A8FB80720F40462EF651A22E0DB789901CE9A

Uniqueness

Uniqueness Score: -1.00%

Function 004034A0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004034A0(void* __ecx, int _a4, int _a8) {
				int _v4;
				int _v16;
				intOrPtr _v20;
				struct HMENU__* _v24;
				struct HMENU__* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				int _t29;
				struct HINSTANCE__* _t31;
				struct HMENU__* _t32;
				struct HMENU__* _t34;
				int _t47;
				void* _t58;
				struct HMENU__* _t62;

				_push(0xffffffff);
				_push(E00404C80);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t29 = _a4;
				_t58 = __ecx;
				_t47 = _a8;
				if( *((intOrPtr*)(__ecx + 0x274)) != _t29 ||  *((intOrPtr*)(__ecx + 0x278)) != _t47) {
					 *(_t58 + 0x274) = _t29;
					 *(_t58 + 0x278) = _t47;
					_v20 = 0x405c3c;
					_v16 = 0;
					_v4 = 0;
					_t31 =  *(_t58 + 0x49) & 0x0000ffff;
					_push(_t31);
					_push(4);
					L004044F6();
					_t32 = LoadMenuA(_t31, _t31);
					_push(_t32);
					L004046F4();
					if(_t32 != 0) {
						_t34 = GetSubMenu(_v28, 0);
						_push(_t34);
						L004046E8();
						if(_t34 != 0) {
							SetMenuDefaultItem( *(_t34 + 4),  *(_t58 + 0x274),  *(_t58 + 0x278));
							_v36 = 0x405c3c;
							_v20 = 3;
							L004046EE();
							goto L7;
						} else {
							_v36 = 0x405c3c;
							_v20 = 2;
							L004046EE();
							 *[fs:0x0] = _v28;
							return 0;
						}
					} else {
						_v32 = 0x405c3c;
						_v16 = 1;
						L004046EE();
						 *[fs:0x0] = _v24;
						return 0;
					}
				} else {
					L7:
					 *[fs:0x0] = _v28;
					return 1;
				}
			}

APIs

#1146.MFC42(?,00000004,?), ref: 0040350B
LoadMenuA.USER32 ref: 00403511
#1644.MFC42(00000000), ref: 0040351C
#2438.MFC42(00000000), ref: 00403535
GetSubMenu.USER32 ref: 00403556
#2863.MFC42(00000000), ref: 0040355D
#2438.MFC42(00000000), ref: 00403576
SetMenuDefaultItem.USER32(?,?,?,00000000), ref: 004035A2
#2438.MFC42 ref: 004035B8

Strings

F@, xrefs: 004034DA

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #2438Menu$#1146#1644#2863DefaultItemLoad
String ID: F@
API String ID: 3207668736-885931407
Opcode ID: 6a6808d4419804ccf2dfa5352aae3fc288f5d8a25165acc8d937bac0ba785d9b
Instruction ID: f1b23a46ef850d4ddc9efb51b11ad5abbcf1e6f706c3b2a33361d5dc44137315
Opcode Fuzzy Hash: 6a6808d4419804ccf2dfa5352aae3fc288f5d8a25165acc8d937bac0ba785d9b
Instruction Fuzzy Hash: 54319CB5508701AFD314EF24C888B5BBBE8FB98750F108D2EF48A93391DB399944CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004028D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004028D0(void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _v20;
				void* _v24;
				void* _v36;
				intOrPtr _t20;
				void* _t21;
				intOrPtr _t23;
				intOrPtr _t24;
				void* _t37;
				intOrPtr _t39;
				void* _t40;

				_push(0xffffffff);
				_push(E00404BE2);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t39;
				_t40 = _t39 - 8;
				_t37 = __ecx;
				E004027F0( *[fs:0x0], __ecx);
				_t20 =  *((intOrPtr*)(_t37 + 0x36c));
				if(_t20 == 0) {
					L004044FC();
					_t23 =  *((intOrPtr*)( *((intOrPtr*)(_t20 + 4)) + 0x74));
					_push(_t23);
					L004046AC();
					_v8 = 0;
					L004046A6();
					_push(0x60);
					L00404406();
					_t40 = _t40 + 4;
					_v20 = _t23;
					_v8 = 1;
					if(_t23 == 0) {
						_t24 = 0;
					} else {
						_t24 = E00404200(_t23, 0);
					}
					_push("-ontaskbar");
					_v8 = 0;
					 *((intOrPtr*)(_t37 + 0x36c)) = _t24;
					L00404694();
					if(_t24 == 0xffffffff) {
						_push(_t37);
					} else {
						_push(0);
					}
					_push(0x8b);
					L00404688();
					_v20 = 0xffffffff;
					L00404538();
				}
				_t21 = E004029C0();
				_push(1);
				L00404682();
				_push(0);
				L0040467C();
				 *[fs:0x0] = _v20;
				return _t21;
			}

APIs

#1168.MFC42 ref: 004028FE
#537.MFC42(?), ref: 0040290E
#6282.MFC42(?,?,?,?,?,?,00404BE2,000000FF), ref: 0040291F
#823.MFC42(00000060,?,?,?,?,?,?,00404BE2,000000FF), ref: 00402926
#2764.MFC42(-ontaskbar,?,?,?,?,?,?,?,00404BE2,000000FF), ref: 0040295C
#2086.MFC42(0000008B,?,-ontaskbar,?,?,?,?,?,?,?,00404BE2,000000FF), ref: 00402976
#800.MFC42(0000008B,?,-ontaskbar,?,?,?,?,?,?,?,00404BE2,000000FF), ref: 00402987

Part of subcall function 00404200: #324.MFC42(0000008B,00000000,?,004025A2,00000000), ref: 0040420D

#6215.MFC42(00000001), ref: 0040299B
#1768.MFC42(00000000,00000001), ref: 004029A8

Strings

-ontaskbar, xrefs: 00402948

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #1168#1768#2086#2764#324#537#6215#6282#800#823
String ID: -ontaskbar
API String ID: 1471377625-536251272
Opcode ID: 9deca449faf96c15c3ba2a658b1fd508d3248a338bf0755341369ed3d05cf83b
Instruction ID: 550b89302cb17e622559643fac98ace275ee8255e36773d07f33510f86576615
Opcode Fuzzy Hash: 9deca449faf96c15c3ba2a658b1fd508d3248a338bf0755341369ed3d05cf83b
Instruction Fuzzy Hash: CB21F3F0208740ABD314EB75C956F6A77D4BB80714F00892EF6A5672C2DBBDE900879B

Uniqueness

Uniqueness Score: -1.00%

Function 00401790 Relevance: 13.6, APIs: 9, Instructions: 61
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00401790(void* __ecx, intOrPtr _a4) {
				struct tagLOGFONTA _v76;
				struct HWND__* _t15;
				int _t16;
				long _t17;
				int _t36;
				void* _t38;

				_t38 = __ecx;
				 *((intOrPtr*)(__ecx + 0x54)) = _a4;
				if(__ecx != 0) {
					_t15 =  *(__ecx + 0x20);
				} else {
					_t15 = 0;
				}
				_t16 = IsWindow(_t15);
				if(_t16 != 0) {
					_t17 = SendMessageA( *(_t38 + 0x20), 0x31, 0, 0);
					_push(_t17);
					L00404580();
					GetObjectA( *(_t17 + 4), 0x3c,  &(_v76.lfOrientation));
					_t36 = _t38 + 0x60;
					_v76.lfUnderline =  *((intOrPtr*)(_t38 + 0x54));
					L0040455C();
					_push(CreateFontIndirectA( &_v76));
					L0040457A();
					if(_t36 != 0) {
						_t36 =  *(_t36 + 4);
					}
					SendMessageA( *(_t38 + 0x20), 0x30, _t36, 1);
					return InvalidateRect( *(_t38 + 0x20), 0, 1);
				}
				return _t16;
			}

APIs

IsWindow.USER32(?), ref: 004017A9
SendMessageA.USER32 ref: 004017C5
#2860.MFC42(00000000), ref: 004017C8
GetObjectA.GDI32(?,0000003C,?), ref: 004017D8
#2414.MFC42 ref: 004017EA
CreateFontIndirectA.GDI32(?), ref: 004017F4
#1641.MFC42(00000000), ref: 004017FD
SendMessageA.USER32 ref: 00401812
InvalidateRect.USER32(?,00000000,00000001), ref: 0040181C

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: MessageSend$#1641#2414#2860CreateFontIndirectInvalidateObjectRectWindow
String ID:
API String ID: 855989780-0
Opcode ID: 1c1d5f3ee057ad1c566bc36f2a895a951414aefe0c2f155b15edef83fe280e77
Instruction ID: 17c36f9b3ab66629e8e9c209f62acfffa902e4eb04eebc2a539ae3cb462d3765
Opcode Fuzzy Hash: 1c1d5f3ee057ad1c566bc36f2a895a951414aefe0c2f155b15edef83fe280e77
Instruction Fuzzy Hash: 7E115476600700ABD720E7749D85F6BB7A9BBC8704F04892DF689B7291D6B4E800CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00403AC0 Relevance: 12.1, APIs: 8, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403AC0(void* __ecx, intOrPtr _a4) {
				void* _v4;
				void* _v8;
				void* _t51;
				signed int _t52;
				void* _t53;
				void* _t54;
				void* _t56;
				signed int _t60;
				signed int _t61;
				signed int _t64;
				void* _t70;
				void* _t71;
				void* _t72;
				intOrPtr _t75;
				signed int _t78;
				signed int _t79;
				signed int _t95;
				signed int _t96;
				signed int _t103;
				void* _t109;
				signed int _t121;
				void* _t122;
				intOrPtr _t125;
				void* _t126;
				signed int _t127;

				_t125 = _a4;
				_t71 = __ecx;
				_t51 =  !( *(_t125 + 0x14));
				if((_t51 & 0x00000001) == 0) {
					L00404712();
					_t127 = _t51;
					if(_t127 != 0) {
						_t103 =  *(__ecx + 4);
						if(_t103 != 0) {
							_t75 =  *((intOrPtr*)(__ecx + 0xc));
							if(_t127 > _t75) {
								_t52 =  *(__ecx + 0x10);
								if(_t52 == 0) {
									asm("cdq");
									_t52 =  *(__ecx + 8) + (_t103 & 0x00000007) >> 3;
									if(_t52 >= 4) {
										if(_t52 > 0x400) {
											_t52 = 0x400;
										}
									} else {
										_t52 = 4;
									}
								}
								_t53 = _t52 + _t75;
								_v8 = _t53;
								if(_t127 >= _t53) {
									_v8 = _t127;
								}
								_t54 = _v8;
								_push(_t54 * 4);
								L00404406();
								_t126 =  *(_t71 + 4);
								_t78 =  *(_t71 + 8) << 2;
								_t79 = _t78 >> 2;
								_v4 = memcpy(_t54, _t126, _t79 << 2);
								_t56 = memcpy(_t126 + _t79 + _t79, _t126, _t78 & 0x00000003);
								memset(_t56 +  *(_t71 + 8) * 4, 0, _t127 -  *(_t71 + 8) << 2);
								_push( *(_t71 + 4));
								L004043F4();
								_t125 = _a4;
								 *(_t71 + 4) = _v4;
								 *(_t71 + 8) = _t127;
								 *(_t71 + 0xc) = _v8;
							} else {
								_t64 =  *(__ecx + 8);
								if(_t127 > _t64) {
									memset(_t103 + _t64 * 4, 0, _t127 - _t64 << 2);
								}
								 *(_t71 + 8) = _t127;
							}
						} else {
							_t121 = _t127 * 4;
							_push(_t121);
							L00404406();
							_t109 = _t51;
							_t95 = _t121;
							 *(__ecx + 4) = _t109;
							_t122 = _t109;
							_t96 = _t95 >> 2;
							memset(_t122 + _t96, memset(_t122, 0, _t96 << 2), (_t95 & 0x00000003) << 0);
							 *(_t71 + 0xc) = _t127;
							 *(_t71 + 8) = _t127;
						}
					} else {
						_t70 =  *(__ecx + 4);
						if(_t70 != 0) {
							_push(_t70);
							L004043F4();
							 *(__ecx + 4) = 0;
						}
						 *(_t71 + 0xc) = 0;
						 *(_t71 + 8) = 0;
					}
				} else {
					_push( *(__ecx + 8));
					L00404718();
				}
				_t60 =  *(_t71 + 8);
				_t72 =  *(_t71 + 4);
				if(( !( *(_t125 + 0x14)) & 0x00000001) == 0) {
					_t61 = _t60 << 2;
					_push(_t61);
					_push(_t72);
					L00404706();
					return _t61;
				} else {
					_push(_t60 * 4);
					_push(_t72);
					L0040470C();
					return _t60;
				}
			}

APIs

#6394.MFC42(?), ref: 00403ADC
#5450.MFC42 ref: 00403AE8
#825.MFC42(?), ref: 00403AFD
#6383.MFC42(?,?), ref: 00403C20
#5440.MFC42(?,?), ref: 00403C36

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #5440#5450#6383#6394#825
String ID:
API String ID: 2595762273-0
Opcode ID: d82c412e949a9d856617e1908c36ec35f422b00524880e41f7a4d50e0ec12d07
Instruction ID: 0ecedd897538264b9cca93116385a3ae6f853a1af8fba66171701806aa3c2b7c
Opcode Fuzzy Hash: d82c412e949a9d856617e1908c36ec35f422b00524880e41f7a4d50e0ec12d07
Instruction Fuzzy Hash: 6241D6B16046048BCB04DF19D49052ABBE6EBC4315F08C47EE905EF386EB39ED45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004014D0 Relevance: 12.0, APIs: 8, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004014D0(void* __ecx, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v16;
				struct HWND__* _t15;
				int _t19;
				void* _t28;

				_t28 = __ecx;
				L0040451A();
				if( *((intOrPtr*)(__ecx + 0x4c)) == 0) {
					 *((intOrPtr*)(__ecx + 0x4c)) = 1;
					RedrawWindow( *(__ecx + 0x20), 0, 0, 0x105);
					_t15 = SetCapture( *(_t28 + 0x20));
					_push(_t15);
					L00404568();
					return _t15;
				}
				GetClientRect( *(__ecx + 0x20),  &_v16);
				_push(_a12);
				_t19 = PtInRect( &_v16, _a8);
				if(_t19 != 0) {
					return _t19;
				} else {
					 *(_t28 + 0x4c) = _t19;
					ReleaseCapture();
					return RedrawWindow( *(_t28 + 0x20), 0, 0, 0x105);
				}
			}

APIs

#2379.MFC42 ref: 004014D6
GetClientRect.USER32 ref: 004014EB
PtInRect.USER32(?,?,?), ref: 00401500
ReleaseCapture.USER32 ref: 0040150D
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00401520
RedrawWindow.USER32 ref: 00401541
SetCapture.USER32(00000000), ref: 0040154B
#2864.MFC42(00000000), ref: 00401552

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: CaptureRectRedrawWindow$#2379#2864ClientRelease
String ID:
API String ID: 1374557097-0
Opcode ID: 4b3354277b3a6d51728b9d4079d203378e5318d88eac599256680f4e9192ffd0
Instruction ID: 95f6b93bc0bb27fee9a665966112fcf1a4332077d5cd2568b02e1378cc5f549b
Opcode Fuzzy Hash: 4b3354277b3a6d51728b9d4079d203378e5318d88eac599256680f4e9192ffd0
Instruction Fuzzy Hash: F001ED75200B10ABD320EB65DD59F9777E8FB88744F40491EFA86A6290E6B5E4008F55

Uniqueness

Uniqueness Score: -1.00%

Function 004012A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004012A0(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _t34;
				intOrPtr _t36;

				_push(0xffffffff);
				_push(E004049C9);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t36;
				_push(__ecx);
				_t34 = __ecx;
				_v16 = __ecx;
				L00404502();
				 *((intOrPtr*)(__ecx)) = 0x405550;
				_v4 = 0;
				L0040454A();
				 *((intOrPtr*)(__ecx + 0x64)) = 0;
				 *((intOrPtr*)(__ecx + 0x60)) = 0x405750;
				_v4 = 2;
				L00404544();
				_v4 = 3;
				 *((intOrPtr*)(__ecx)) = 0x405690;
				 *((intOrPtr*)(__ecx + 0x68)) = 0;
				 *((intOrPtr*)(__ecx + 0x40)) = 0xee0000;
				 *((intOrPtr*)(__ecx + 0x44)) = 0x8b1a55;
				 *((intOrPtr*)(_t34 + 0x48)) = GetSysColor(0xd);
				 *((intOrPtr*)(_t34 + 0x4c)) = 0;
				 *((intOrPtr*)(_t34 + 0x50)) = 0;
				 *((intOrPtr*)(_t34 + 0x54)) = 1;
				 *((intOrPtr*)(_t34 + 0x58)) = 1;
				L0040453E();
				 *[fs:0x0] = _v12;
				return _t34;
			}

APIs

#567.MFC42(?,?,?,?,?,004049C9,000000FF), ref: 004012BF
#540.MFC42(?,?,?,?,?,004049C9,000000FF), ref: 004012D5
#556.MFC42 ref: 004012EC
GetSysColor.USER32(0000000D), ref: 0040130F
#2614.MFC42 ref: 0040132B

Strings

PW@, xrefs: 004012DD

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #2614#540#556#567Color
String ID: PW@
API String ID: 2783311560-282820001
Opcode ID: 4fbf7bed173e3c083643a3f60f934a96f125d2c7531f839a8bc2d6d5cfdf8fb5
Instruction ID: ef9c0c8aec8b64535c9fa0863d4067c97d029a92692f8d97d0ee079fff19e72f
Opcode Fuzzy Hash: 4fbf7bed173e3c083643a3f60f934a96f125d2c7531f839a8bc2d6d5cfdf8fb5
Instruction Fuzzy Hash: 931118B1504B509FC320DF5AC845716FBE4FB84718F904D2EE29697B91C7B9A5048F91

Uniqueness

Uniqueness Score: -1.00%

Function 00401370 Relevance: 7.5, APIs: 5, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00401370(intOrPtr __ecx) {
				char _v4;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t12;
				intOrPtr* _t21;
				intOrPtr _t26;

				_push(0xffffffff);
				_push(E00404A11);
				_t12 =  *[fs:0x0];
				_push(_t12);
				 *[fs:0x0] = _t26;
				_v20 = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x405690;
				_t21 = __ecx + 0x60;
				_v4 = 3;
				L0040455C();
				_v4 = 2;
				L00404532();
				_v16 = _t21;
				 *_t21 = 0x405778;
				_v4 = 4;
				L0040455C();
				 *_t21 = 0x405764;
				_v4 = 0;
				L00404538();
				_v4 = 0xffffffff;
				L004044EA();
				 *[fs:0x0] = _v12;
				return _t12;
			}

APIs

#2414.MFC42(?,?,?,?,?,?,?,00401358), ref: 004013A3
#809.MFC42(?,?,?,?,?,?,?,00401358), ref: 004013B0
#2414.MFC42(?,?,?,?,?,?,?,00401358), ref: 004013C6
#800.MFC42(?,?,?,?,?,?,?,00401358), ref: 004013D9
#795.MFC42(?,?,?,?,?,?,?,00401358), ref: 004013E8

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #2414$#795#800#809
String ID:
API String ID: 1676757150-0
Opcode ID: 65cc593b620e5d9f1a8ab5cee8c577603e1a0d6e86a28034c9e4c18bbc365e14
Instruction ID: 92b3abfa0cec7b13439a0b761979928bcccb7df5d3019cfb02faa8443e058358
Opcode Fuzzy Hash: 65cc593b620e5d9f1a8ab5cee8c577603e1a0d6e86a28034c9e4c18bbc365e14
Instruction Fuzzy Hash: 60019AB1108B829BC300EF19C45131AFBE8ABD5710F94492FE291633D2C7BC91088B96

Uniqueness

Uniqueness Score: -1.00%

Function 004042D0 Relevance: 7.5, APIs: 5, Instructions: 19
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004042D0(struct HINSTANCE__* __eax, void* __ecx) {
				void* _t8;

				_t8 = __ecx;
				L00404514();
				L004044FC();
				_push(0x80);
				_push(0xe);
				L004044F6();
				SendMessageA( *(_t8 + 0x20), 0x80, 0, LoadIconA(__eax, 0x80));
				return 1;
			}

0x004042d1
0x004042d3
0x004042d8
0x004042dd
0x004042e2
0x004042e9
0x00404301
0x0040430d

APIs

#4710.MFC42 ref: 004042D3
#1168.MFC42 ref: 004042D8
#1146.MFC42(00000080,0000000E,00000080), ref: 004042E9
LoadIconA.USER32(00000000,00000080), ref: 004042EF
SendMessageA.USER32 ref: 00404301

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #1146#1168#4710IconLoadMessageSend
String ID:
API String ID: 3087420702-0
Opcode ID: a6e8d7354a6fb788052a51492049c9ad08ddd2eee8a687578e35c93babe8cf8a
Instruction ID: b9780452e3883c1789be0e07ebba1858de0fcddbd602aa7a7e2b985b98165bfb
Opcode Fuzzy Hash: a6e8d7354a6fb788052a51492049c9ad08ddd2eee8a687578e35c93babe8cf8a
Instruction Fuzzy Hash: 34D017B164031027E6A077A4AD0AF862148AB88705F00852AB780BA1C18CB8A4810778

Uniqueness

Uniqueness Score: -1.00%

Function 004029C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004029C0() {
				intOrPtr _v4;
				intOrPtr _t7;
				void* _t11;
				void* _t15;
				intOrPtr _t16;

				_t15 = _t11;
				_t7 =  *((intOrPtr*)(_t15 + 0x36c));
				if(_t7 == 0) {
					return _t7;
				} else {
					_push(_t11);
					if( *((intOrPtr*)(_t15 + 0x348)) == 0) {
						_v4 = _t16;
						L004046AC();
						return E00404270("Caffeine is inactive");
					}
					_v4 = _t16;
					L004046AC();
					return E00404270("Caffeine is active");
				}
			}

0x004029c2
0x004029c4
0x004029cc
0x00402a12
0x004029ce
0x004029d4
0x004029d9
0x004029f7
0x00402a00
0x00000000
0x00402a0b
0x004029db
0x004029e4
0x004029f6
0x004029f6

APIs

#537.MFC42(Caffeine is active,?,?,?,00402698,ZhornSoftwareCaffeineMain), ref: 004029E4

Part of subcall function 00404270: #3092.MFC42(000003ED,?,00000000,00404DE8,000000FF,00402A10,Caffeine is inactive,?,?,?,00402698,ZhornSoftwareCaffeineMain), ref: 00404297
Part of subcall function 00404270: #6199.MFC42(000003ED,?,00000000,00404DE8,000000FF,00402A10,Caffeine is inactive,?,?,?,00402698,ZhornSoftwareCaffeineMain), ref: 0040429E
Part of subcall function 00404270: #800.MFC42(000003ED,?,00000000,00404DE8,000000FF,00402A10,Caffeine is inactive,?,?,?,00402698,ZhornSoftwareCaffeineMain), ref: 004042AF

#537.MFC42(Caffeine is inactive,?,?,?,00402698,ZhornSoftwareCaffeineMain), ref: 00402A00

Strings

Caffeine is inactive, xrefs: 004029FB
Caffeine is active, xrefs: 004029DF

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #537$#3092#6199#800
String ID: Caffeine is active$Caffeine is inactive
API String ID: 2493846336-4123475934
Opcode ID: bacff2c76b40bc7a720514239c4145173142ea6d4cd13c618353066624bcf823
Instruction ID: 2cf897cb16fae248814bd7f2ff6333f04d516c91e21e356077d6e68829abbab9
Opcode Fuzzy Hash: bacff2c76b40bc7a720514239c4145173142ea6d4cd13c618353066624bcf823
Instruction Fuzzy Hash: E8E065A131460027C614AB65E4129EA7BD8ABC1394F20847FF196672D1CA7968509769

Uniqueness

Uniqueness Score: -1.00%

Function 00403C70 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00403C70(void* __ecx, void* _a4, void* _a8) {
				void* _t41;
				signed int _t42;
				void* _t43;
				void* _t44;
				void* _t46;
				void* _t49;
				signed int _t52;
				void* _t56;
				void* _t57;
				void* _t58;
				signed int _t60;
				signed int _t63;
				signed int _t64;
				signed int _t76;
				signed int _t77;
				signed int _t82;
				void* _t97;
				void* _t101;
				signed int _t102;
				signed int _t103;

				_t41 = _a8;
				_t58 = __ecx;
				if(_t41 != 0xffffffff) {
					 *(__ecx + 0x10) = _t41;
				}
				_t103 = _a4;
				if(_t103 != 0) {
					_t82 =  *(_t58 + 4);
					if(_t82 != 0) {
						_t60 =  *(_t58 + 0xc);
						if(_t103 > _t60) {
							_t42 =  *(_t58 + 0x10);
							if(_t42 == 0) {
								asm("cdq");
								_t42 =  *(_t58 + 8) + (_t82 & 0x00000007) >> 3;
								if(_t42 >= 4) {
									if(_t42 > 0x400) {
										_t42 = 0x400;
									}
								} else {
									_t42 = 4;
								}
							}
							_t43 = _t42 + _t60;
							_a8 = _t43;
							if(_t103 >= _t43) {
								_a8 = _t103;
							}
							_t44 = _a8;
							_push(_t44 * 4);
							L00404406();
							_t101 =  *(_t58 + 4);
							_t63 =  *(_t58 + 8) << 2;
							_t64 = _t63 >> 2;
							_a4 = memcpy(_t44, _t101, _t64 << 2);
							_t46 = memcpy(_t101 + _t64 + _t64, _t101, _t63 & 0x00000003);
							memset(_t46 +  *(_t58 + 8) * 4, 0, _t103 -  *(_t58 + 8) << 2);
							_t49 =  *(_t58 + 4);
							_push(_t49);
							L004043F4();
							 *(_t58 + 8) = _t103;
							 *(_t58 + 4) = _a4;
							 *(_t58 + 0xc) = _a8;
							return _t49;
						} else {
							_t52 =  *(_t58 + 8);
							if(_t103 > _t52) {
								_t52 = memset(_t82 + _t52 * 4, 0, _t103 - _t52 << 2);
							}
							 *(_t58 + 8) = _t103;
							return _t52;
						}
					} else {
						_t102 = _t103 * 4;
						_push(_t102);
						L00404406();
						_t76 = _t102;
						_t97 = _t41;
						_t77 = _t76 >> 2;
						 *(_t58 + 4) = _t97;
						_t56 = memset(_t97 + _t77, memset(_t97, 0, _t77 << 2), (_t76 & 0x00000003) << 0);
						 *(_t58 + 0xc) = _t103;
						 *(_t58 + 8) = _t103;
						return _t56;
					}
				} else {
					_t57 =  *(_t58 + 4);
					if(_t57 != 0) {
						_push(_t57);
						L004043F4();
						 *(_t58 + 4) = 0;
					}
					 *(_t58 + 0xc) = 0;
					 *(_t58 + 8) = 0;
					return _t57;
				}
			}

APIs

#825.MFC42(?,?,?,?,?,004031E4,00000000,000000FF,?,?,?,?,?,?,?,00401F18), ref: 00403C94
#823.MFC42(00000000,?,?,?,?,004031E4,00000000,000000FF,?,?,?,?,?,?,?,00401F18), ref: 00403CBB

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: 4064fc4933dfd6e780d763aab7e940f0de3a45e2318ed4e373e630547950c6f3
Instruction ID: 62673f645bc794ef7ee5bbd1a96038c10c2e31ae3ef13b856571837ce57a299a
Opcode Fuzzy Hash: 4064fc4933dfd6e780d763aab7e940f0de3a45e2318ed4e373e630547950c6f3
Instruction Fuzzy Hash: AB41BFB27002048BCB04CF58E48052AFB96EB94311F18C57FE905EF38AD636D955CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004016D0 Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E004016D0(void* __ecx, char _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				struct HWND__* _t12;
				int _t13;
				void* _t22;
				intOrPtr _t24;

				_push(0xffffffff);
				_push(E00404A48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t24;
				_t22 = __ecx;
				_push( &_a4);
				_v4 = 0;
				L0040459E();
				if(__ecx != 0) {
					_t12 =  *(__ecx + 0x20);
				} else {
					_t12 = 0;
				}
				_t13 = IsWindow(_t12);
				if(_t13 != 0) {
					_t13 = E00401830(_t22);
					_push(1);
					_push(_t22);
					_push(_v0);
					L00404598();
				}
				_v8 = 0xffffffff;
				L00404538();
				 *[fs:0x0] = _v16;
				return _t13;
			}

APIs

#858.MFC42(?,?,?,00404A48,000000FF), ref: 004016F8
IsWindow.USER32(?), ref: 00401709
#6358.MFC42(?,?,00000001,?,?,00404A48,000000FF), ref: 00401725
#800.MFC42(?,?,00404A48,000000FF), ref: 00401736

Memory Dump Source

Source File: 00000001.00000002.638898908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.638890118.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638912039.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638919360.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.638926427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_caffeine.jbxd

Similarity

API ID: #6358#800#858Window
String ID:
API String ID: 1255164923-0
Opcode ID: b215063bebed34cb2dd63e23776cf0fcd062ce3a55f8ce4d3b70994c218b3255
Instruction ID: 862afb6756be42a8d94f8b33ccddf4295f7495cd55190ff215f828d4c02cf3ce
Opcode Fuzzy Hash: b215063bebed34cb2dd63e23776cf0fcd062ce3a55f8ce4d3b70994c218b3255
Instruction Fuzzy Hash: ED01D1B2504B01ABC325EF54D801B5B77E8FB88B20F004A3EF592A36C0DB7C9805CB66

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report caffeine.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: caffeine.exePID: 7416, Parent PID: 3452

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Windows Analysis Report
caffeine.exe