
Analysis Report Setup.exe

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:825331
Start date:26.03.2019
Start time:15:20:32
Joe Sandbox Product:Cloud
Overall analysis duration:0h 12m 5s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Setup.exe
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 7 x64 (Office 2003 SP3, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:19
Number of new started drivers analysed:1
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal68.evad.winEXE@13/20@7/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 98.9% (good quality ratio 94.9%)
  • Quality average: 82.1%
  • Quality standard deviation: 25.6%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): wmpnscfg.exe, dllhost.exe, WMIADAP.exe, conhost.exe, mscorsvw.exe, VSSVC.exe, svchost.exe, mobsync.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtFsControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: infinstaller.exe

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 68 | 0 - 100 | Report FP / FN | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Command-Line Interface 1 | Bootkit 1 | Process Injection 1 | Disabling Security Tools 21 | Input Capture 11 | Account Discovery 1 | Application Deployment Software | Input Capture 11 | Data Compressed | Standard Cryptographic Protocol 1
Replication Through Removable Media | Service Execution | Modify Existing Service 2 | New Service 1 | Process Injection 1 | Network Sniffing | Security Software Discovery 21 | Remote Services | Clipboard Data 1 | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1
Drive-by Compromise | Windows Management Instrumentation | New Service 1 | Path Interception | Obfuscated Files or Information 2 | Input Capture | Remote System Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 1
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | System Information Discovery 23 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: asushotfix.com virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: Setup.exe virustotal: Detection: 41%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_01272650 FindFirstFileW,FindClose
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_01272B00 _memset,_memset,SHGetSpecialFolderPathW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,CoInitialize,CoCreateInstance,_wcsnlen,GetCurrentProcessId,EnumWindows,SHDeleteValueW,CoUninitialize,DeleteFileW,wsprintfW,RemoveDirectoryW,RemoveDirectoryW,wsprintfW,RemoveDirectoryW,FindClose,SHDeleteKeyW,SHDeleteKeyW,SHDeleteKeyW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2027109 ET TROJAN ShadowHammer DNS Lookup 192.168.1.13:61365 -> 8.8.8.8:53
Found strings which match to known social media urls
Source: infinstaller.exe, 00000005.00000002.653565680.00000000004AD000.00000004.sdmp String found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook)
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown DNS traffic detected: queries for: dns.msftncsi.com
Urls found in memory or binary data
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: infinstaller.exe, 00000005.00000002.658715071.000000001BED0000.00000004.sdmp, drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Setup.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Setup.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: drvinst.exe, 0000000B.00000002.617547657.000000000009E000.00000004.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: drvinst.exe, 0000000B.00000002.617547657.000000000009E000.00000004.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en008R2
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://ocsp.ver
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Setup.exe, 00000010.00000002.745599656.0000000000691000.00000004.sdmp String found in binary or memory: https://asushotfix.com/logo2.jpg?3A8EA62E32B4ECBE33DF500A28EBC873
Source: Setup.exe, 00000010.00000002.745599656.0000000000691000.00000004.sdmp String found in binary or memory: https://asushotfix.com/logo2.jpg?3A8EA62E32B4ECBE33DF500A28EBC873rj
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: Setup.exe String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_012E4052 __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_012DC0F5 GetAsyncKeyState

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFEB9.tmp
Source: C:\Windows\System32\7za.exe File created: C:\Users\user\Downloads\net\netvirtnet64.cat
Source: C:\Users\user\Downloads\net\infinstaller.exe File created: C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD71.tmp

System Summary:

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\System32\7za.exe Memory allocated: 776C0000 page execute and read and write
Source: C:\Windows\System32\7za.exe Memory allocated: 775C0000 page execute and read and write
Source: C:\Users\user\Downloads\Setup.exe Memory allocated: 776C0000 page execute and read and write
Source: C:\Users\user\Downloads\Setup.exe Memory allocated: 775C0000 page execute and read and write
Creates driver files
Source: C:\Windows\System32\7za.exe File created: C:\Users\user\Downloads\net\virtnet.sys
Creates files inside the driver directory
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}
Creates files inside the system directory
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}
Creates mutexes
Source: C:\Windows\System32\drvinst.exe Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Deletes files inside the Windows folder
Source: C:\Windows\System32\drvinst.exe File deleted: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFEB9.tmp
Detected potential crypto function
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_01273800
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_0136C3B9
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_012D674A
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_012A29FD
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_012D4B8A
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_012FCEB8
Enables driver privileges
Source: C:\Users\user\Downloads\net\infinstaller.exe Process token adjusted: Load Driver
Found potential string decryption / allocating functions
Source: C:\Users\user\Downloads\Setup.exe Code function: String function: 0136966A appears 74 times
Source: C:\Users\user\Downloads\Setup.exe Code function: String function: 01271680 appears 33 times
Source: C:\Users\user\Downloads\Setup.exe Code function: String function: 01369601 appears 200 times
PE file contains strange resources
Source: Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: infinstaller.exe.4.dr Static PE information: No import functions for PE file found
Reads the hosts file
Source: C:\Users\user\Downloads\Setup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Downloads\Setup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Downloads\Setup.exe File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: Setup.exe, 00000010.00000001.737819959.00000000013DE000.00000002.sdmp Binary or memory string: OriginalFilenameSelfUpdt.EXE vs Setup.exe
Source: Setup.exe, 00000010.00000002.745148975.0000000000150000.00000008.sdmp Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs Setup.exe
Source: Setup.exe Binary or memory string: OriginalFilenameSelfUpdt.EXE vs Setup.exe
Spawns drivers
Source: unknown Driver loaded: C:\Windows\system32\DRIVERS\virtnet.sys
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Classification label
Source: classification engine Classification label: mal68.evad.winEXE@13/20@7/2
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_01274480 SetFileAttributesW,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetTokenInformation,SetSecurityDescriptorOwner,SetFileSecurityW,AdjustTokenPrivileges,GetLastError
Contains functionality to instantiate COM classes
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_0127E37E CoInitialize,CoCreateInstance
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_012865DC FindResourceW,LoadResource,LockResource,FreeResource
Creates files inside the user directory
Source: C:\Windows\System32\7za.exe File created: C:\Users\user\Downloads\net
Creates temporary files
Source: C:\Users\user\Downloads\net\infinstaller.exe File created: C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}
Found command line output
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................4..............................................l.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................4..............................................h.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................4..........................D.5.................`.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................4..........................D.5.................`.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ..................................7.....(.P..............................5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................5..........................D.5.................v.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................5..........................D.5.................R.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................#5..........................D.5.................V.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................)5..........................D.5.................X.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ..................................7.....(.P............................./5..........................D.5.................n.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................55..........................D.5.................v.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................@5..........................D.5.................R.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................F5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................L5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................R5..........................D.5.................V.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................X5..........................D.5.................X.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ..................................7.....(.P.............................^5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................d5..........................D.5.................v.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................j5..........................D.5.................R.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................p5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................v5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................|5..........................D.5.................V.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................5..........................D.5.................X.......(...............Jump to behavior
PE file has an executable .text section and no other executable section
Source: Setup.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Downloads\net\infinstaller.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f89061884b75dab0e3967d7221e5290d\mscorlib.ni.dll
Reads ini files
Source: C:\Users\user\Downloads\Setup.exe, File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\7za.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functions
Source: unknown, Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Sample is known by Antivirus
Source: Setup.exe, virustotal: Detection: 41%
Spawns processes
Source: unknown, Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe'
Source: unknown, Process created: C:\Windows\System32\7za.exe 7za x net.zip
Source: unknown, Process created: C:\Users\user\Downloads\net\infinstaller.exe infinstaller.exe C:\Users\user\Downloads\net\netVirtNet1.inf
Source: unknown, Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '4' '0' 'C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\netvirtnet1.inf' '9' '6cfbba9e7' '00000000000003E4' 'WinSta0\Default' '00000000000005C8' '208' 'c:\users\user\downloads\net'
Source: unknown, Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Source: unknown, Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '2' '211' 'ROOT\NET\0000' 'C:\Windows\INF\oem4.inf' 'netvirtnet1.inf:NTKR.NTAMD64:*virtnet.ndi:1.0.0.0:*nm_virtnet' '6cfbba9e7' '00000000000003E4' '00000000000005D0' '0000000000000570'
Source: unknown, Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: unknown, Process created: C:\Users\user\Downloads\Setup.exe Setup.exe
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\7za.exe 7za x net.zip
Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\user\Downloads\net\infinstaller.exe infinstaller.exe C:\Users\user\Downloads\net\netVirtNet1.inf
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\user\Downloads\Setup.exe Setup.exe
Source: C:\Windows\System32\drvinst.exe, Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\drvinst.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B966436-6781-4906-8035-9AF94B32C3F7}\InprocServer32
Found graphical window changes (likely an installer)
Source: Window Recorder, Window detected: More than 3 window changes detected
PE file has a big code size
Source: Setup.exe, Static PE information: Virtual size of .text is bigger than: 0x100000
Submission file is bigger than most known malware samples
Source: Setup.exe, Static file information: File size 3333936 > 1048576
PE file has a big raw section
Source: Setup.exe, Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11aa00
Source: Setup.exe, Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1a0600
PE file imports many functions
Source: Setup.exe, Static PE information: More than 200 imports for USER32.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Setup.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: D:\projects\VirtNet\bin\amd64\virtnet.pdb source: 7za.exe, 00000004.00000003.382744292.0000000000100000.00000004.sdmp, SETE957.tmp.11.dr
Source: Binary string: c:\Users\admin\Documents\SharpDevelop Projects\test1\test1\obj\Debug\test1.pdb source: infinstaller.exe, 00000005.00000001.459151771.0000000001092000.00000020.sdmp, infinstaller.exe.4.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_012DE296 push 3BFFFFFFh; iretd 16_2_012DE29B

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: unknown, Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Drops PE files
Source: C:\Windows\System32\7za.exe, File created: C:\Users\user\Downloads\net\virtnet.sys
Source: C:\Users\user\Downloads\net\infinstaller.exe, File created: C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD81.tmp
Source: C:\Windows\System32\7za.exe, File created: C:\Users\user\Downloads\net\infinstaller.exe
Source: C:\Windows\System32\drvinst.exe, File created: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFED9.tmp
Source: C:\Windows\System32\drvinst.exe, File created: C:\Windows\System32\drivers\SETE957.tmp
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\drvinst.exe, File created: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFED9.tmp
Source: C:\Windows\System32\drvinst.exe, File created: C:\Windows\System32\drivers\SETE957.tmp
May use bcdedit to modify the Windows boot settings
Source: metadata-2.6.dr, Binary or memory string: bcdedit.exe22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\
Contains functionality to read ini properties file for application configuration
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_01273800 _memset,_memset,_memset,PathFileExistsW,PathFileExistsW,PathFileExistsW,_memset,DeleteFileW,_memset,GetPrivateProfileStringW,_memset,_memset,GetWindowsDirectoryW,lstrcatW,GetModuleFileNameW,_wcsnlen,_wcsrchr,GetVersion,ShellExecuteW,16_2_01273800

Boot Survival:

Creates or modifies windows services
Source: C:\Windows\System32\drvinst.exe, Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Modifies existing windows services
Source: C:\Windows\System32\drvinst.exe, Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_012AE06E GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,16_2_012AE06E
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_012C831C GetParent,GetParent,IsIconic,GetParent,16_2_012C831C
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_012B2290 IsWindowVisible,IsIconic,16_2_012B2290
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_012C240F IsIconic,PostMessageW,16_2_012C240F
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_012C04F4 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,16_2_012C04F4
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_01298DD7 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,16_2_01298DD7
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_012C0F83 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,16_2_012C0F83
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_0127F4B4 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,16_2_0127F4B4
Stores large binary data to the registry
Source: C:\Windows\System32\drvinst.exe, Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network Config
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\net\infinstaller.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Setup.exe, Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of harddrives
Source: C:\Windows\System32\drvinst.exe, File Volume queried: C:\ FullSizeInformation
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Downloads\net\infinstaller.exe, Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Downloads\net\infinstaller.exe, Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD81.tmp
Source: C:\Windows\System32\drvinst.exe, Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFED9.tmp
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Downloads\Setup.exe, Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_16-31877
Found large amount of non-executed APIs
Source: C:\Users\user\Downloads\Setup.exe, API coverage: 5.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Downloads\net\infinstaller.exe TID: 2412, Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\drvinst.exe TID: 2476, Thread sleep count: 39 > 30
Source: C:\Windows\System32\drvinst.exe TID: 2476, Thread sleep time: -2340000s >= -30000s
Source: C:\Windows\System32\ipconfig.exe TID: 1556, Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\ipconfig.exe TID: 1556, Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Downloads\Setup.exe TID: 1572, Thread sleep time: -1500000s >= -30000s
Source: C:\Users\user\Downloads\Setup.exe TID: 1572, Thread sleep time: -60000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_01272650 FindFirstFileW,FindClose,16_2_01272650
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_01272B00 _memset,_memset,SHGetSpecialFolderPathW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,CoInitialize,CoCreateInstance,_wcsnlen,GetCurrentProcessId,EnumWindows,SHDeleteValueW,CoUninitialize,DeleteFileW,wsprintfW,RemoveDirectoryW,RemoveDirectoryW,wsprintfW,RemoveDirectoryW,FindClose,SHDeleteKeyW,SHDeleteKeyW,SHDeleteKeyW,16_2_01272B00
Contains functionality to query system information
Source: C:\Users\user\Downloads\Setup.exe, Code function: 16_2_0136CB07 VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,16_2_0136CB07
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: infinstaller.exe, 00000005.00000002.654051633.0000000000502000.00000004.sdmp, Binary or memory string: ROOT\LEGACY_VMWAREAUTH\0000
Source: drvinst.exe, 00000006.00000003.508886036.00000000017BC000.00000004.sdmp, Binary or memory string: microsoft-hyper-v-migration-replacement.man
Source: metadata-2.6.dr, Binary or memory string: lsm.exe22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\
Source: metadata-2.6.dr, Binary or memory string: iasmigplugin-dl.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: metadata-2.6.dr, Binary or memory string: iasmigplugin-dl.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Program exit points
Source: C:\Users\user\Downloads\Setup.exe, API call chain: ExitProcess graph end node graph_16-31876

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Downloads\net\infinstaller.exe System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_0136EA27 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0136EA27
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_0136CB07 VirtualProtect ?,-00000001,00000104,?16_2_0136CB07
Contains functionality to register its own exception handler
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_0136EA27 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0136EA27
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Downloads\net\infinstaller.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\7za.exe 7za x net.zip
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Downloads\net\infinstaller.exe infinstaller.exe C:\Users\user\Downloads\net\netVirtNet1.inf
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Downloads\Setup.exe Setup.exe
Source: C:\Windows\System32\drvinst.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Source: C:\Windows\System32\drvinst.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_012745E0 _memset,_memset,InitializeSecurityDescriptor,LookupAccountNameW,SetFileAttributesW,GetLengthSid,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetFileSecurityW,16_2_012745E0

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Users\user\Downloads\Setup.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,16_2_01274D46
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Downloads\net\infinstaller.exe Queries volume information: C:\Users\user\Downloads\net\infinstaller.exe VolumeInformation
Source: C:\Users\user\Downloads\net\infinstaller.exe Queries volume information: C:\Users\user\Downloads\net\netvirtnet64.cat VolumeInformation
Source: C:\Users\user\Downloads\net\infinstaller.exe Queries volume information: C:\Users\user\Downloads\net\netvirtnet64.cat VolumeInformation
Source: C:\Users\user\Downloads\net\infinstaller.exe Queries volume information: C:\Windows\System32\DriverStore\FileRepository\netvirtnet1.inf_amd64_neutral_55f5524394231d93\netvirtnet64.cat VolumeInformation
Source: C:\Users\user\Downloads\net\infinstaller.exe Queries volume information: C:\Windows\System32\DriverStore\FileRepository\netvirtnet1.inf_amd64_neutral_55f5524394231d93\netvirtnet64.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\FileRepository\netvirtnet1.inf_amd64_neutral_55f5524394231d93\netvirtnet64.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\FileRepository\netvirtnet1.inf_amd64_neutral_55f5524394231d93\netvirtnet64.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem4.CAT VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_0136C70D GetSystemTimeAsFileTime,__aulldiv,16_2_0136C70D
Contains functionality to query the account / user name
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_012745E0 _memset,_memset,InitializeSecurityDescriptor,LookupAccountNameW,SetFileAttributesW,GetLengthSid,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetFileSecurityW,16_2_012745E0
Contains functionality to query windows version
Source: C:\Users\user\Downloads\Setup.exe Code function: 16_2_0127F4B4 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,16_2_0127F4B4
Queries the cryptographic machine GUID
Source: C:\Users\user\Downloads\net\infinstaller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Windows\System32\drvinst.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 Blob

Behavior Graph

[Figure: behavior graph, ID 825331. Sample: Setup.exe; start date: 26/03/2019; architecture: WINDOWS; score: 68.]

Simulations

Behavior and APIs

Time | Type | Description
15:22:34 | API Interceptor | 1x Sleep call for process: 7za.exe modified
15:23:07 | API Interceptor | 1x Sleep call for process: infinstaller.exe modified
15:23:08 | API Interceptor | 327x Sleep call for process: drvinst.exe modified
15:23:09 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
15:24:38 | API Interceptor | 5x Sleep call for process: ipconfig.exe modified
15:25:03 | API Interceptor | 34x Sleep call for process: Setup.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
Setup.exe | 41% | virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD81.tmp | 0% | virustotal |
C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD81.tmp | 0% | metadefender |
C:\Users\user\Downloads\net\virtnet.sys | 0% | metadefender |
C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFED9.tmp | 0% | metadefender |
C:\Windows\System32\drivers\SETE957.tmp | 0% | metadefender |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
asushotfix.com | 13% | virustotal |

URLs

Source | Detection | Scanner | Label
https://asushotfix.com/logo2.jpg?3A8EA62E32B4ECBE33DF500A28EBC873 | 0% | Avira URL Cloud | safe
https://asushotfix.com/logo2.jpg?3A8EA62E32B4ECBE33DF500A28EBC873rj | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
1.0.0.0 | VHHyfEe6kw.rtf | malicious
1.0.0.0 | VHHyfEe6kw.rtf | malicious
1.0.0.0 | oWwsW39bEi.exe | malicious

        Domains


        ASN


        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Startup

        • System is w7x64
        • cmd.exe (PID: 1488 cmdline: 'C:\Windows\System32\cmd.exe' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • 7za.exe (PID: 2908 cmdline: 7za x net.zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
          • infinstaller.exe (PID: 2324 cmdline: infinstaller.exe C:\Users\user\Downloads\net\netVirtNet1.inf MD5: D3807948AF7572C58FFBF532DEA4E6C4)
          • ipconfig.exe (PID: 2772 cmdline: ipconfig /all MD5: CF45949CDBB39C953331CDCB9CEC20F8)
          • Setup.exe (PID: 2860 cmdline: Setup.exe MD5: 55A7AA5F0E52BA4D78C145811C830107)
        • drvinst.exe (PID: 1452 cmdline: DrvInst.exe '4' '0' 'C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\netvirtnet1.inf' '9' '6cfbba9e7' '00000000000003E4' 'WinSta0\Default' '00000000000005C8' '208' 'c:\users\user\downloads\net' MD5: 2DBA1472BDF847EAE358A4B9FA9AB0C1)
          • rundll32.exe (PID: 1976 cmdline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat MD5: DD81D91FF3B0763C392422865C9AC12E)
        • drvinst.exe (PID: 2344 cmdline: DrvInst.exe '2' '211' 'ROOT\NET\0000' 'C:\Windows\INF\oem4.inf' 'netvirtnet1.inf:NTKR.NTAMD64:*virtnet.ndi:1.0.0.0:*nm_virtnet' '6cfbba9e7' '00000000000003E4' '00000000000005D0' '0000000000000570' MD5: 2DBA1472BDF847EAE358A4B9FA9AB0C1)
        • virtnet.sys (PID: 4 cmdline: unknown MD5: 03971EBE3A44C376775B9B8379596D37)

        Created / dropped Files

        C:\System Volume Information\SPP\OnlineMetadataCache\{5a09dc67-7c6a-4b93-a2d6-1d1015663466}_OnDiskSnapshotProp
        Process:C:\Windows\System32\drvinst.exe
        File Type:data
        Size (bytes):1680
        Entropy (8bit):3.794130244868423
        Encrypted:false
        MD5:27447620A1E276F8DB727001513913D7
        SHA1:1CD0A52CE2726D5C4146F84BC1FF342E02D1789A
        SHA-256:1B2F32656AC3183033F76631C4DA8BF3EAD0C69BC1F8CAE8D8535AC6D1131703
        SHA-512:4C0C8CB8BF4B34670C6ED7FB35ABBC862D183185D796B5F9DFA3748F42D046942D5CC7250C2061FECEB2CF5EC32462AFDB719968309233D7507ED564681A800F
        Malicious:false
        Reputation:low
        C:\System Volume Information\SPP\metadata-2
        Process:C:\Windows\System32\drvinst.exe
        File Type:SysEx File - Twister
        Size (bytes):8697024
        Entropy (8bit):3.671807434960589
        Encrypted:false
        MD5:3B435A9265689328BC2CDC1AD52F6D52
        SHA1:FAFEFBDB18B1EC565D6FBAF695D99A8F8B75913B
        SHA-256:F414D8732194F66C7F8B5B179CC4450754BE0C15D043C5B9F88E63D49C545A8B
        SHA-512:3D7403D80364292088E180733F5F1709E6FB677EE7E9E5F0675F10033BE08CF004FC242756BFCE0747BF45577DA4F48C145D72C6B4C3BBB26BE122A3BB8C8895
        Malicious:false
        Reputation:low
        C:\System Volume Information\SPP\snapshot-2
        Process:C:\Windows\System32\drvinst.exe
        File Type:data
        Size (bytes):1680
        Entropy (8bit):3.794130244868423
        Encrypted:false
        MD5:27447620A1E276F8DB727001513913D7
        SHA1:1CD0A52CE2726D5C4146F84BC1FF342E02D1789A
        SHA-256:1B2F32656AC3183033F76631C4DA8BF3EAD0C69BC1F8CAE8D8535AC6D1131703
        SHA-512:4C0C8CB8BF4B34670C6ED7FB35ABBC862D183185D796B5F9DFA3748F42D046942D5CC7250C2061FECEB2CF5EC32462AFDB719968309233D7507ED564681A800F
        Malicious:false
        Reputation:low
        C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD71.tmp
        Process:C:\Users\user\Downloads\net\infinstaller.exe
        File Type:data
        Size (bytes):7848
        Entropy (8bit):7.13275648209528
        Encrypted:false
        MD5:8A078A581344830B36985CC662371CC6
        SHA1:F82D726BBE112A963C19196BE416B68DE90BFFDA
        SHA-256:4A402DFE7398904CF0936423B643EB6C3500AE6A03C64BCC97CF9B0DBB913666
        SHA-512:15179178F30D931BD95E201831DC596F5549FCE145CB8C67C0BDFBE2F771D4AF0204A61489F905ED0F0D9ED4ADBEC2D3A19F78E6003BCA3C9C83DA043B321992
        Malicious:false
        Reputation:low
        C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD81.tmp
        Process:C:\Users\user\Downloads\net\infinstaller.exe
        File Type:PE32+ executable (native) x86-64, for MS Windows
        Size (bytes):13408
        Entropy (8bit):5.89147713460407
        Encrypted:false
        MD5:03971EBE3A44C376775B9B8379596D37
        SHA1:B837C4093DCFF47E9DA496D938A17C554E7B1876
        SHA-256:887FB361C639DFE437210C45EDABA55055E036C70659FD137F078B102BE9E13C
        SHA-512:B26EA8189094677255D9D1064CD074D872588D4240994EA5BD5F0BBE028A5A74902EDE9C879A662CE328C0491896D69D823FADA2EEC744097DBEB98E1009D3F1
        Malicious:false
        Antivirus:
        • Antivirus: virustotal, Detection: 0%
        • Antivirus: metadefender, Detection: 0%
        Reputation:low
        C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD92.tmp
        Process:C:\Users\user\Downloads\net\infinstaller.exe
        File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
        Size (bytes):4814
        Entropy (8bit):5.1374201276410565
        Encrypted:false
        MD5:189769D5A8EFEBBCB7C75C1F85AC6C0B
        SHA1:ABA8DCBA523A9C71AABEAF8D319B11273C627013
        SHA-256:5694AA37047A39850952C4FE785A2C9BDA12B8E4E07A19DAF9B0B8D903C06D4E
        SHA-512:7EBBF7C1996BE49413656C7FDD46CC065BC504E3E193A0ED32A4CE9C0FF9B0376DA4861C589292BADD6E7406C122727CD7044820492A86A4E169597432B01BAE
        Malicious:false
        Reputation:low
        C:\Users\user\Downloads\net\infinstaller.exe
        Process:C:\Windows\System32\7za.exe
        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
        Size (bytes):16384
        Entropy (8bit):2.2914319886794576
        Encrypted:false
        MD5:D3807948AF7572C58FFBF532DEA4E6C4
        SHA1:0FAC58243C9A8283867BD27EA68CD9B5AE7DEDC9
        SHA-256:E9BDBD1DB863C0ABF4C9204C4BA179BE211C542139830CD2FD2E1518D11859E1
        SHA-512:59A76D4FF1757A247516A9DC9396100E46533E1A984ACC87AB6C950FC1FA950B2EB1DF3CF8BADDA6FECF7B383A5C0A8DC414A5C3413745CA54AE94E91BC22361
        Malicious:false
        Reputation:low
        C:\Users\user\Downloads\net\netVirtNet1.inf
        Process:C:\Windows\System32\7za.exe
        File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
        Size (bytes):4814
        Entropy (8bit):5.1374201276410565
        Encrypted:false
        MD5:189769D5A8EFEBBCB7C75C1F85AC6C0B
        SHA1:ABA8DCBA523A9C71AABEAF8D319B11273C627013
        SHA-256:5694AA37047A39850952C4FE785A2C9BDA12B8E4E07A19DAF9B0B8D903C06D4E
        SHA-512:7EBBF7C1996BE49413656C7FDD46CC065BC504E3E193A0ED32A4CE9C0FF9B0376DA4861C589292BADD6E7406C122727CD7044820492A86A4E169597432B01BAE
        Malicious:false
        Reputation:low
        C:\Users\user\Downloads\net\netvirtnet64.cat
        Process:C:\Windows\System32\7za.exe
        File Type:data
        Size (bytes):7848
        Entropy (8bit):7.13275648209528
        Encrypted:false
        MD5:8A078A581344830B36985CC662371CC6
        SHA1:F82D726BBE112A963C19196BE416B68DE90BFFDA
        SHA-256:4A402DFE7398904CF0936423B643EB6C3500AE6A03C64BCC97CF9B0DBB913666
        SHA-512:15179178F30D931BD95E201831DC596F5549FCE145CB8C67C0BDFBE2F771D4AF0204A61489F905ED0F0D9ED4ADBEC2D3A19F78E6003BCA3C9C83DA043B321992
        Malicious:false
        Reputation:low
        C:\Users\user\Downloads\net\virtnet.sys
        Process:C:\Windows\System32\7za.exe
        File Type:PE32+ executable (native) x86-64, for MS Windows
        Size (bytes):13408
        Entropy (8bit):5.89147713460407
        Encrypted:false
        MD5:03971EBE3A44C376775B9B8379596D37
        SHA1:B837C4093DCFF47E9DA496D938A17C554E7B1876
        SHA-256:887FB361C639DFE437210C45EDABA55055E036C70659FD137F078B102BE9E13C
        SHA-512:B26EA8189094677255D9D1064CD074D872588D4240994EA5BD5F0BBE028A5A74902EDE9C879A662CE328C0491896D69D823FADA2EEC744097DBEB98E1009D3F1
        Malicious:false
        Antivirus:
        • Antivirus: metadefender, Detection: 0%
        Reputation:low
        C:\Windows\System32\DriverStore\FileRepository\netvirtnet1.inf_amd64_neutral_55f5524394231d93\netvirtnet1.PNF
        Process:C:\Windows\System32\drvinst.exe
        File Type:data
        Size (bytes):11032
        Entropy (8bit):3.585488421436561
        Encrypted:false
        MD5:B943D813E8A0A27D314710BAC9D16792
        SHA1:298D74B1ECB05342ACD7DC1659A48B4541A7C910
        SHA-256:01EB5782CB4201CE82758BEB6B06C6897ED97BD2CBB03BF9B4159F181C4B9289
        SHA-512:0EAB484725DA42A98C4EB05F6BB7CD1EF0A93C08F258C557D2CA45DE619CF8822DA1CFBDDFE312D818B2BA617CD199D546A046B00AA6F3E2DCAFDBB544869EF4
        Malicious:false
        Reputation:low
        C:\Windows\System32\DriverStore\INFCACHE.0
        Process:C:\Windows\System32\drvinst.exe
        File Type:data
        Size (bytes):1475584
        Entropy (8bit):4.355889521389985
        Encrypted:false
        MD5:8B36704D29A029D5D699C0ABCC7A2591
        SHA1:5376D928F841B6219DB0C0160802E93A8E7DE94B
        SHA-256:082598809BE3606CBF351AC77D541C7D2EAB0DBD376A3C4C836864EB8F4D9E5B
        SHA-512:49D203732181E2F87A3555F4E8C38CE63BF5E02805B136285EE43DA379E9F2FF760C15438CD62E8466F704633EAFD6133AD2098383317F7E4DBCBBC2E18248CB
        Malicious:false
        Reputation:low
        C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFEB9.tmp
        Process:C:\Windows\System32\drvinst.exe
        File Type:data
        Size (bytes):7848
        Entropy (8bit):7.13275648209528
        Encrypted:false
        MD5:8A078A581344830B36985CC662371CC6
        SHA1:F82D726BBE112A963C19196BE416B68DE90BFFDA
        SHA-256:4A402DFE7398904CF0936423B643EB6C3500AE6A03C64BCC97CF9B0DBB913666
        SHA-512:15179178F30D931BD95E201831DC596F5549FCE145CB8C67C0BDFBE2F771D4AF0204A61489F905ED0F0D9ED4ADBEC2D3A19F78E6003BCA3C9C83DA043B321992
        Malicious:false
        Reputation:low
        C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFED9.tmp
        Process:C:\Windows\System32\drvinst.exe
        File Type:PE32+ executable (native) x86-64, for MS Windows
        Size (bytes):13408
        Entropy (8bit):5.89147713460407
        Encrypted:false
        MD5:03971EBE3A44C376775B9B8379596D37
        SHA1:B837C4093DCFF47E9DA496D938A17C554E7B1876
        SHA-256:887FB361C639DFE437210C45EDABA55055E036C70659FD137F078B102BE9E13C
        SHA-512:B26EA8189094677255D9D1064CD074D872588D4240994EA5BD5F0BBE028A5A74902EDE9C879A662CE328C0491896D69D823FADA2EEC744097DBEB98E1009D3F1
        Malicious:false
        Antivirus:
        • Antivirus: metadefender, Detection: 0%
        Reputation:low
        C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFEF9.tmp
        Process:C:\Windows\System32\drvinst.exe
        File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
        Size (bytes):4814
        Entropy (8bit):5.1374201276410565
        Encrypted:false
        MD5:189769D5A8EFEBBCB7C75C1F85AC6C0B
        SHA1:ABA8DCBA523A9C71AABEAF8D319B11273C627013
        SHA-256:5694AA37047A39850952C4FE785A2C9BDA12B8E4E07A19DAF9B0B8D903C06D4E
        SHA-512:7EBBF7C1996BE49413656C7FDD46CC065BC504E3E193A0ED32A4CE9C0FF9B0376DA4861C589292BADD6E7406C122727CD7044820492A86A4E169597432B01BAE
        Malicious:false
        Reputation:low
        C:\Windows\System32\catroot2\dberr.txt
        Process:C:\Users\user\Downloads\net\infinstaller.exe
        File Type:ASCII text, with CRLF line terminators
        Size (bytes):135
        Entropy (8bit):4.787853287614332
        Encrypted:false
        MD5:12A16E641F7E0667AAF2966DD7077625
        SHA1:1E8BACCBF6400B3607DFC695BE210B659E653BF3
        SHA-256:A3D12D1847636A90735CD9FFF451D57FE1F8CCA6B2C4396B092D950C0C780464
        SHA-512:B45BBFBBD93B28026E77915BC29F001679A791EF2CDFAA7CAA93220850120D1F923F2B552F993A028563DF414864AA178E6053C92583EA07BA4DE4F2C1592F97
        Malicious:false
        Reputation:low
        C:\Windows\System32\drivers\SETE957.tmp
        Process:C:\Windows\System32\drvinst.exe
        File Type:PE32+ executable (native) x86-64, for MS Windows
        Size (bytes):13408
        Entropy (8bit):5.89147713460407
        Encrypted:false
        MD5:03971EBE3A44C376775B9B8379596D37
        SHA1:B837C4093DCFF47E9DA496D938A17C554E7B1876
        SHA-256:887FB361C639DFE437210C45EDABA55055E036C70659FD137F078B102BE9E13C
        SHA-512:B26EA8189094677255D9D1064CD074D872588D4240994EA5BD5F0BBE028A5A74902EDE9C879A662CE328C0491896D69D823FADA2EEC744097DBEB98E1009D3F1
        Malicious:false
        Antivirus:
        • Antivirus: metadefender, Detection: 0%
        Reputation:low
        C:\Windows\inf\oem4.PNF
        Process:C:\Windows\System32\drvinst.exe
        File Type:data
        Size (bytes):11032
        Entropy (8bit):3.584824680499446
        Encrypted:false
        MD5:32CD30FD68F2FF1B3635481FF7039108
        SHA1:C75AA2EF007625FBD0E7FE8D2CE5B038C17DA1AE
        SHA-256:97F933D2E5C3ABFE7C6E6DB2019ABBB66C0F8FE4A0E282C5DC65969C4CC3E3CC
        SHA-512:6692C9BC3EC632EE5D65F154152E4579B9B74B1734DF8BD5C7168ED2F3DAE0A449DCBB2C3841037696263385EAC50B6ADB3B83C1EAC96239C687C3D323EC58ED
        Malicious:false
        Reputation:low
        C:\Windows\inf\oem4.inf
        Process:C:\Windows\System32\drvinst.exe
        File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
        Size (bytes):4814
        Entropy (8bit):5.1374201276410565
        Encrypted:false
        MD5:189769D5A8EFEBBCB7C75C1F85AC6C0B
        SHA1:ABA8DCBA523A9C71AABEAF8D319B11273C627013
        SHA-256:5694AA37047A39850952C4FE785A2C9BDA12B8E4E07A19DAF9B0B8D903C06D4E
        SHA-512:7EBBF7C1996BE49413656C7FDD46CC065BC504E3E193A0ED32A4CE9C0FF9B0376DA4861C589292BADD6E7406C122727CD7044820492A86A4E169597432B01BAE
        Malicious:false

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        dns.msftncsi.com | 131.107.255.255 | true | false | | high
        ipv6.msftncsi.com | unknown | unknown | false | | high
        asushotfix.com | unknown | unknown | true | 13%, virustotal | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp | false | | high
        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp | false | | high
        http://www.diginotar.nl/cps/pkioverheid0 | drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp | false | | high
        https://asushotfix.com/logo2.jpg?3A8EA62E32B4ECBE33DF500A28EBC873 | Setup.exe, 00000010.00000002.745599656.0000000000691000.00000004.sdmp | true | Avira URL Cloud: safe | unknown
        http://crl.entrust.net/server1.crl0 | drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp | false | | high
        https://asushotfix.com/logo2.jpg?3A8EA62E32B4ECBE33DF500A28EBC873rj | Setup.exe, 00000010.00000002.745599656.0000000000691000.00000004.sdmp | true | Avira URL Cloud: safe | unknown
        http://ocsp.entrust.net0D | drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp | false | | high
        http://ocsp.ver | drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp | false | | high
        http://ocsp.entrust.net03 | drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp | false | | high
        https://secure.comodo.com/CPS0 | drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp | false | | high
        http://crl.entrust.net/2048ca.crl0 | drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp | false | | high

                          Contacted IPs

                          Public

                          IP | Country | ASN | ASN Name | Malicious
                          169.254.255.255 | Reserved | 6966 | unknown | false
                          1.0.0.0 | Australia | 13335 | unknown | false

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):6.418347806415894
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:Setup.exe
                          File size:3333936
                          MD5:55a7aa5f0e52ba4d78c145811c830107
                          SHA1:e005c58331eb7db04782fdf9089111979ce1406f
                          SHA256:9a72f971944fcb7a143017bc5c6c2db913bbb59f923110198ebd5a78809ea5fc
                          SHA512:9fec51b649374095fa6cd26bdec02cf8fbbd1381f1895f478ebc8c339c08609c50261a7d9f09e2242ce7e911d8e4b7e09b221065e63fb6e3e0065c5c6bf1796d
                          SSDEEP:98304:QzVRcdYETHvs4d9VeL2TKvrYhBjXrToaFmWMyDnV1K+e1Fw6qtnLD7UEnBgbAZJb:HdjsmUexXrToaFmS+bFYD7UIfwyiJiKO
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|.SO...O...O.......N...Fe'.B...Fe7.j...O...Q... k:.d... k...... k..0... k>.N... k9.N...RichO...................PE..L...X..U...

                          Static PE Info

                          General

                          Entrypoint:0x4f7a01
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x5510B658 [Tue Mar 24 00:56:56 2015 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:a22d038fcd8e82d4cc8f31fa49212724

                          Authenticode Signature

                          Signature Valid:
                          Signature Issuer:
                          Signature Validation Error:
                          Error Number:
                          Not Before, Not After
                            Subject Chain
                              Version:
                              Thumbprint:
                              Serial:

                              Entrypoint Preview

                              Instruction
                              call 00007F3430CE2F47h
                              jmp 00007F3430CDC04Eh
                              mov edi, edi
                              push ebp
                              mov ebp, esp
                              cmp dword ptr [ebp+08h], 00000000h
                              je 00007F3430CDC1EFh
                              push dword ptr [ebp+08h]
                              push 00000000h
                              push dword ptr [0056BFBCh]
                              call dword ptr [0051C2ACh]
                              test eax, eax
                              jne 00007F3430CDC1DAh
                              push esi
                              call 00007F3430CDE2AFh
                              mov esi, eax
                              call dword ptr [0051C40Ch]
                              push eax
                              call 00007F3430CDE25Fh
                              pop ecx
                              mov dword ptr [esi], eax
                              pop esi
                              pop ebp
                              ret
                              mov edi, edi
                              push ebp
                              mov ebp, esp
                              push ecx
                              push ecx
                              mov eax, dword ptr [ebp+0Ch]
                              push edi
                              mov edi, dword ptr [ebp+08h]
                              test eax, eax
                              je 00007F3430CDC1C4h
                              mov dword ptr [eax], edi
                              test edi, edi
                              jne 00007F3430CDC1D9h
                              call 00007F3430CDE27Eh
                              mov dword ptr [eax], 00000016h
                              call 00007F3430CE32FAh
                              xor eax, eax
                              jmp 00007F3430CDC355h
                              cmp dword ptr [ebp+10h], 00000000h
                              je 00007F3430CDC1CEh
                              cmp dword ptr [ebp+10h], 02h
                              jl 00007F3430CDC19Fh
                              cmp dword ptr [ebp+10h], 24h
                              jnle 00007F3430CDC199h
                              and dword ptr [ebp-04h], 00000000h
                              push ebx
                              push esi
                              push 00000008h
                              pop ebx
                              movzx esi, word ptr [edi]
                              push ebx
                              push esi
                              add edi, 02h
                              call 00007F3430CE30ECh
                              pop ecx
                              pop ecx
                              test eax, eax
                              jne 00007F3430CDC1AFh
                              cmp si, 002Dh
                              jne 00007F3430CDC1C8h
                              or dword ptr [ebp+14h], 02h
                              jmp 00007F3430CDC1C8h
                              cmp si, 002Bh
                              jne 00007F3430CDC1C8h
                              movzx esi, word ptr [edi]
                              add edi, 02h
                              cmp dword ptr [ebp+10h], 00000000h
                              jne 00007F3430CDC1EFh

                              Rich Headers

                              Programming Language:
                              • [ C ] VS2008 SP1 build 30729
                              • [C++] VS98 (6.0) build 8168
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [C++] VS2010 build 30319
                              • [RES] VS2010 build 30319
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319

                              Data Directories

                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15b0c0 | 0x168 | .rdata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16e000 | 0x1a0404 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x32d200 | 0xd30 | .reloc
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x30f000 | 0x19aa0 | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x11c000 | 0x974 | .rdata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0x11a801 | 0x11aa00 | False | 0.562455944549 | data | 6.51869111979 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .rdata | 0x11c000 | 0x4245e | 0x42600 | False | 0.26286634887 | data | 4.96681481395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .data | 0x15f000 | 0xe79c | 0x6000 | False | 0.279663085938 | data | 4.65659126249 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .rsrc | 0x16e000 | 0x1a0404 | 0x1a0600 | False | 0.491047639598 | data | 6.44912683193 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0x30f000 | 0x29684 | 0x29800 | False | 0.260265672063 | data | 4.88242030139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              Name | RVA | Size | Type | Language | Country
                              EXE | 0x16ec78 | 0x195e00 | data | English | United States
                              RT_CURSOR | 0x304a78 | 0x134 | data | English | United States
                              RT_CURSOR | 0x304bac | 0xb4 | data | English | United States
                              RT_CURSOR | 0x304c60 | 0x134 | AmigaOS bitmap font | English | United States
                              RT_CURSOR | 0x304d94 | 0x134 | data | English | United States
                              RT_CURSOR | 0x304ec8 | 0x134 | data | English | United States
                              RT_CURSOR | 0x304ffc | 0x134 | data | English | United States
                              RT_CURSOR | 0x305130 | 0x134 | data | English | United States
                              RT_CURSOR | 0x305264 | 0x134 | data | English | United States
                              RT_CURSOR | 0x305398 | 0x134 | data | English | United States
                              RT_CURSOR | 0x3054cc | 0x134 | data | English | United States
                              RT_CURSOR | 0x305600 | 0x134 | data | English | United States
                              RT_CURSOR | 0x305734 | 0x134 | data | English | United States
                              RT_CURSOR | 0x305868 | 0x134 | AmigaOS bitmap font | English | United States
                              RT_CURSOR | 0x30599c | 0x134 | data | English | United States
                              RT_CURSOR | 0x305ad0 | 0x134 | data | English | United States
                              RT_CURSOR | 0x305c04 | 0x134 | data | English | United States
                              RT_BITMAP | 0x305d38 | 0xb8 | data | English | United States
                              RT_BITMAP | 0x305df0 | 0x144 | data | English | United States
                              RT_ICON | 0x305f34 | 0x668 | data | Chinese | Taiwan
                              RT_ICON | 0x30659c | 0x2e8 | data | Chinese | Taiwan
                              RT_ICON | 0x306884 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | Taiwan
                              RT_ICON | 0x3069ac | 0xea8 | data | Chinese | Taiwan
                              RT_ICON | 0x307854 | 0x8a8 | data | Chinese | Taiwan
                              RT_ICON | 0x3080fc | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | Taiwan
                              RT_ICON | 0x308664 | 0x25a8 | data | Chinese | Taiwan
                              RT_ICON | 0x30ac0c | 0x10a8 | data | Chinese | Taiwan
                              RT_ICON | 0x30bcb4 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | Taiwan
                              RT_DIALOG | 0x30c11c | 0xe8 | data | English | United States
                              RT_DIALOG | 0x30c204 | 0x34 | data | English | United States
                              RT_STRING | 0x30c238 | 0x82 | data | English | United States
                              RT_STRING | 0x30c2bc | 0x2a | data | English | United States
                              RT_STRING | 0x30c2e8 | 0x184 | data | English | United States
                              RT_STRING | 0x30c46c | 0x4e6 | data | English | United States
                              RT_STRING | 0x30c954 | 0x264 | data | English | United States
                              RT_STRING | 0x30cbb8 | 0x2da | data | English | United States
                              RT_STRING | 0x30ce94 | 0x8a | data | English | United States
                              RT_STRING | 0x30cf20 | 0xac | data | English | United States
                              RT_STRING | 0x30cfcc | 0xde | data | English | United States
                              RT_STRING | 0x30d0ac | 0x4a8 | data | English | United States
                              RT_STRING | 0x30d554 | 0x228 | data | English | United States
                              RT_STRING | 0x30d77c | 0x2c | data | English | United States
                              RT_STRING | 0x30d7a8 | 0x53c | data | English | United States
                              RT_GROUP_CURSOR | 0x30dce4 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                              RT_GROUP_CURSOR | 0x30dd08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30dd1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30dd30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30dd44 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30dd58 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30dd6c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30dd80 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30dd94 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30dda8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30ddbc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30ddd0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30dde4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30ddf8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_CURSOR | 0x30de0c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                              RT_GROUP_ICON | 0x30de20 | 0x84 | data | Chinese | Taiwan
                              RT_VERSION | 0x30dea4 | 0x2f4 | data | English | United States
                              RT_MANIFEST | 0x30e198 | 0x26a | ASCII text, with very long lines, with no line terminators | Chinese | Taiwan

                              Imports

                              DLL | Import
                              KERNEL32.dll | SetEnvironmentVariableA, WriteConsoleW, GetTimeZoneInformation, LCMapStringW, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetConsoleMode, GetConsoleCP, IsProcessorFeaturePresent, IsDebuggerPresent, CloseHandle, UnhandledExceptionFilter, GetStringTypeW, QueryPerformanceCounter, HeapCreate, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, SetUnhandledExceptionFilter, GetFileType, SetStdHandle, VirtualQuery, GetSystemInfo, VirtualAlloc, HeapSize, HeapQueryInformation, HeapReAlloc, RaiseException, ExitThread, ExitProcess, HeapAlloc, GetSystemTimeAsFileTime, DecodePointer, EncodePointer, RtlUnwind, HeapFree, GetStartupInfoW, HeapSetInformation, GetCommandLineW, FindResourceExW, VirtualProtect, GetNumberFormatW, SearchPathW, GetProfileIntW, GetTickCount, InitializeCriticalSectionAndSpinCount, GetTempFileNameW, GetFileTime, GetFileSizeEx, GetFileAttributesW, FileTimeToLocalFileTime, GetFileAttributesExW, SetErrorMode, FileTimeToSystemTime, lstrlenA, GlobalGetAtomNameW, GetFullPathNameW, GetVolumeInformationW, DuplicateHandle, SetEndOfFile, UnlockFile, LockFile, GlobalFindAtomW, InterlockedIncrement, TlsFree, DeleteCriticalSection, GetExitCodeThread, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, CompareStringW, GlobalFlags, InterlockedDecrement, ReleaseActCtx, CreateActCtxW, GetCurrentDirectoryW, GlobalFree, CopyFileW, GlobalSize, GlobalUnlock, FormatMessageW, LocalFree, MulDiv, GlobalAddAtomW, WritePrivateProfileStringW, GetPrivateProfileIntW, ResumeThread, SetThreadPriority, lstrcmpA, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, GetLocaleInfoW, ActivateActCtx, DeactivateActCtx, SetLastError, WideCharToMultiByte, GlobalLock, GlobalAlloc, InterlockedExchange, ReadFile, GetVersionExW, GetCurrentProcess, MultiByteToWideChar, CreateThread, LoadLibraryW, FreeLibrary, GetProcAddress, SetFilePointer, FlushFileBuffers, SetFileAttributesW, FindNextFileW, GetModuleHandleW, GetFileSize, GetLastError, GetPrivateProfileStringW, GetWindowsDirectoryW, lstrcatW, GetVersion, GetTempPathW, Sleep, GetModuleFileNameW, lstrcpyW, lstrcmpW, lstrcpynW, GetCurrentProcessId, DeleteFileW, RemoveDirectoryW, FindFirstFileW, FindClose, lstrlenW, CreateFileW, WriteFile, FreeResource, lstrcmpiW, OpenProcess, OutputDebugStringW, FindResourceW, LoadResource, LockResource, SizeofResource, WaitForSingleObject, TerminateProcess, LocalReAlloc
                              USER32.dll | IsClipboardFormatAvailable, SetMenuDefaultItem, PostThreadMessageW, CreateMenu, IsMenu, UpdateLayeredWindow, EnableScrollBar, UnionRect, MonitorFromPoint, TranslateMDISysAccel, DrawMenuBar, DefMDIChildProcW, DefFrameProcW, CreateDialogIndirectParamW, GetNextDlgTabItem, EndDialog, UnpackDDElParam, ReuseDDElParam, LoadImageW, InsertMenuItemW, TranslateAcceleratorW, LockWindowUpdate, BringWindowToTop, SetCursorPos, SetRect, CreateAcceleratorTableW, LoadAcceleratorsW, GetKeyboardState, GetKeyboardLayout, MapVirtualKeyW, ToUnicodeEx, CopyAcceleratorTableW, DrawFocusRect, DrawFrameControl, DrawEdge, DrawIconEx, DrawStateW, MessageBeep, GetSystemMenu, LoadMenuW, SetClassLongW, GetAsyncKeyState, NotifyWinEvent, CreatePopupMenu, DestroyAcceleratorTable, SetParent, RedrawWindow, SetWindowRgn, IsZoomed, OffsetRect, IsRectEmpty, IntersectRect, UnregisterClassW, DestroyMenu, GetMenuItemInfoW, InflateRect, CharUpperW, DestroyIcon, IsIconic, ShowWindow, MoveWindow, IsDialogMessageW, CheckDlgButton, RegisterWindowMessageW, LoadIconW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, GetClassLongW, SetPropW, GetPropW, CopyIcon, IsWindow, SetFocus, GetWindowTextLengthW, SetActiveWindow, BeginDeferWindowPos, EndDeferWindowPos, GetDlgItem, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MonitorFromWindow, ScrollWindow, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetScrollPos, TranslateMessage, DispatchMessageW, PeekMessageW, PostMessageW, GetWindowThreadProcessId, GetScrollPos, SetForegroundWindow, ShowScrollBar, CreateWindowExW, GetClassInfoExW, RegisterClassW, AdjustWindowRectEx, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, GetWindowPlacement, CallWindowProcW, GetMenu, SetWindowLongW, SetWindowPos, WaitMessage, ReleaseCapture, GetCapture, WindowFromPoint, SetCapture, GetSysColorBrush, GetClassInfoW, DefWindowProcW, MapWindowPoints, GetClientRect, LoadCursorW, SetLayeredWindowAttributes, GetSystemMetrics, EnumDisplayMonitors, SystemParametersInfoW, GetMonitorInfoW, SetRectEmpty, CopyRect, KillTimer, SetTimer, InvalidateRect, UpdateWindow, CharUpperBuffW, GetDoubleClickTime, GetIconInfo, IsCharLowerW, GetKeyNameTextW, MapVirtualKeyExW, SubtractRect, HideCaret, GetNextDlgGroupItem, MapDialogRect, DrawIcon, DestroyCursor, GetWindowRgn, GetDesktopWindow, RealChildWindowFromPoint, GetWindow, GetDlgCtrlID, GetWindowRect, GetClassNameW, PtInRect, SetWindowTextW, GetSysColor, EndPaint, FrameRect, GetUpdateRect, GetMenuDefaultItem, OpenClipboard, CopyImage, SetClipboardData, CloseClipboard, EmptyClipboard, GetForegroundWindow, RegisterClipboardFormatW, GetWindowTextW, EnumWindows, wsprintfW, PostQuitMessage, CheckMenuItem, EnableMenuItem, GetMenuState, RemovePropW, ModifyMenuW, SendMessageW, GetParent, GetFocus, LoadBitmapW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, ValidateRect, GetCursorPos, GetKeyState, IsWindowVisible, GetActiveWindow, GetMessageW, CallNextHookEx, SetWindowsHookExW, SetCursor, ShowOwnedPopups, MessageBoxW, EnableWindow, IsWindowEnabled, GetLastActivePopup, GetWindowLongW, RemoveMenu, GetSubMenu, GetMenuItemCount, InsertMenuW, GetMenuItemID, AppendMenuW, GetMenuStringW, DeleteMenu, UnhookWindowsHookEx, FillRect, TabbedTextOutW, DrawTextW, DrawTextExW, GrayStringW, ScreenToClient, ClientToScreen, GetDC, ReleaseDC, GetWindowDC, BeginPaint, InvertRect
                              GDI32.dll | SetDIBColorTable, RealizePalette, StretchBlt, SetPixel, Rectangle, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, GetSystemPaletteEntries, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, ExtFloodFill, SetPaletteEntries, EnumFontFamiliesExW, GetTextFaceW, SetPixelV, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, GetRgnBox, OffsetRgn, Polygon, Ellipse, Polyline, CreateEllipticRgn, GetTextColor, GetBkColor, CreatePolygonRgn, CreateRoundRectRgn, CreateDIBSection, DPtoLP, PatBlt, CombineRgn, SetRectRgn, GetTextExtentPoint32W, GetTextCharsetInfo, EnumFontFamiliesW, GetTextMetricsW, CreateRectRgnIndirect, CreateCompatibleBitmap, CreateFontIndirectW, CreateDIBitmap, CreateHatchBrush, CreateSolidBrush, CreatePen, GetObjectType, SelectPalette, GetStockObject, CreateCompatibleDC, CreatePatternBrush, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutW, TextOutW, RectVisible, PtVisible, GetPixel, BitBlt, GetWindowExtEx, GetViewportExtEx, GetObjectW, CreateRectRgn, SelectClipRgn, DeleteObject, SetLayout, GetLayout, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, CreateBitmap, GetDeviceCaps, CopyMetaFileW, CreateDCW, SaveDC, RestoreDC, SetBkColor, SetTextColor, SetBkMode, SetPolyFillMode, SetROP2, SetWindowOrgEx
                              MSIMG32.dll | TransparentBlt, AlphaBlend
                              COMDLG32.dll | GetFileTitleW
                              WINSPOOL.DRV | DocumentPropertiesW, ClosePrinter, OpenPrinterW
                              ADVAPI32.dll | RegSetValueExW, RegQueryValueExW, RegFlushKey, RegOpenKeyExW, RegCreateKeyExW, RegEnumKeyExW, RegEnumValueW, RegQueryValueW, RegEnumKeyW, RegDeleteKeyW, RegDeleteValueW, LookupAccountNameW, GetLengthSid, InitializeAcl, AddAccessAllowedAce, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, OpenProcessToken, GetTokenInformation, SetSecurityDescriptorOwner, SetFileSecurityW, LookupPrivilegeValueW, AdjustTokenPrivileges, AllocateAndInitializeSid, LookupAccountSidW, FreeSid, RegCloseKey
                              SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetDesktopFolder, SHAppBarMessage, DragQueryFileW, DragFinish, SHGetFileInfoW, ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW, SHBrowseForFolderW
                              COMCTL32.dll | ImageList_GetIconSize
                              SHLWAPI.dll | PathIsUNCW, PathStripToRootW, PathFindFileNameW, PathFindExtensionW, PathFileExistsW, SHDeleteValueW, SHDeleteKeyW, PathRemoveFileSpecW
                              ole32.dll | DoDragDrop, CreateStreamOnHGlobal, OleLockRunning, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, RegisterDragDrop, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, OleGetClipboard, RevokeDragDrop, CoLockObjectExternal, CoTaskMemFree, CoCreateGuid, CoInitializeEx, CoInitialize, CoCreateInstance, CoUninitialize, CoInitializeSecurity
                              OLEAUT32.dll | SysStringLen, SysAllocStringLen, VariantChangeType, SysAllocString, VariantTimeToSystemTime, SystemTimeToVariantTime, VarBstrFromDate, SysFreeString, VariantInit, VariantClear, GetErrorInfo
                              PSAPI.DLL | EnumProcessModules, EnumProcesses, GetModuleBaseNameW
                              gdiplus.dll | GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipDrawImageI
                              OLEACC.dll | LresultFromObject, AccessibleObjectFromWindow, CreateStdAccessibleObject
                              IMM32.dll | ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
                              WINMM.dll | PlaySoundW

                              Version Infos

                              Description | Data
                              LegalCopyright | ASUSTek Computer Inc.
                              InternalName | Setup
                              FileVersion | 1, 0, 0, 10
                              CompanyName | ASUSTek Computer Inc.
                              ProductName | Installer Application
                              ProductVersion | 1, 0, 0, 10
                              FileDescription | Installer Application
                              OriginalFilename | Setup.exe
                              Translation | 0x0409 0x04b0

                              Possible Origin

                              Language of compilation system | Country where language is spoken
                              English | United States
                              Chinese | Taiwan

                              Network Behavior

                              Snort IDS Alerts

                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                              03/26/19-15:25:07.514580 | UDP | 2027109 | ET TROJAN ShadowHammer DNS Lookup | 61365 | 53 | 192.168.1.13 | 8.8.8.8

                              Network Port Distribution

                              UDP Packets

                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Mar 26, 2019 15:21:52.257849932 CET | 53386 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:21:52.268517017 CET | 53 | 53386 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:21:52.275887966 CET | 63725 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:21:52.286128998 CET | 53 | 63725 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:22:33.422046900 CET | 59340 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:22:33.432804108 CET | 53 | 59340 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:22:33.435288906 CET | 58292 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:22:33.445652008 CET | 53 | 58292 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:22:38.758208990 CET | 52543 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:22:38.770014048 CET | 53 | 52543 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:22:38.772763014 CET | 62096 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:22:38.815845013 CET | 53 | 62096 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:24:25.205219984 CET | 62242 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:24:25.215670109 CET | 53 | 62242 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:24:25.302186966 CET | 55321 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:24:25.320440054 CET | 53 | 55321 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:25:07.514580011 CET | 61365 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:25:07.548046112 CET | 53 | 61365 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:25:20.957607031 CET | 54978 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:25:20.968616962 CET | 53 | 54978 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:25:20.973297119 CET | 57189 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:25:20.985099077 CET | 53 | 57189 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:26:22.070965052 CET | 51402 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:26:22.089310884 CET | 53 | 51402 | 8.8.8.8 | 192.168.1.13
                              Mar 26, 2019 15:26:22.094293118 CET | 52135 | 53 | 192.168.1.13 | 8.8.8.8
                              Mar 26, 2019 15:26:22.104480982 CET | 53 | 52135 | 8.8.8.8 | 192.168.1.13

                              DNS Queries

                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                              Mar 26, 2019 15:24:25.205219984 CET | 192.168.1.13 | 8.8.8.8 | 0x1133 | Standard query (0) | dns.msftncsi.com | A (IP address) | IN (0x0001)
                              Mar 26, 2019 15:24:25.302186966 CET | 192.168.1.13 | 8.8.8.8 | 0xada9 | Standard query (0) | ipv6.msftncsi.com | A (IP address) | IN (0x0001)
                              Mar 26, 2019 15:25:07.514580011 CET | 192.168.1.13 | 8.8.8.8 | 0xbd61 | Standard query (0) | asushotfix.com | A (IP address) | IN (0x0001)
                              Mar 26, 2019 15:25:20.957607031 CET | 192.168.1.13 | 8.8.8.8 | 0x439b | Standard query (0) | dns.msftncsi.com | A (IP address) | IN (0x0001)
                              Mar 26, 2019 15:25:20.973297119 CET | 192.168.1.13 | 8.8.8.8 | 0x3407 | Standard query (0) | ipv6.msftncsi.com | A (IP address) | IN (0x0001)
                              Mar 26, 2019 15:26:22.070965052 CET | 192.168.1.13 | 8.8.8.8 | 0x34a8 | Standard query (0) | dns.msftncsi.com | A (IP address) | IN (0x0001)
                              Mar 26, 2019 15:26:22.094293118 CET | 192.168.1.13 | 8.8.8.8 | 0xc56 | Standard query (0) | ipv6.msftncsi.com | A (IP address) | IN (0x0001)

                              DNS Answers

                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                              Mar 26, 2019 15:24:25.215670109 CET | 8.8.8.8 | 192.168.1.13 | 0x1133 | No error (0) | dns.msftncsi.com | | 131.107.255.255 | A (IP address) | IN (0x0001)
                              Mar 26, 2019 15:24:25.320440054 CET | 8.8.8.8 | 192.168.1.13 | 0xada9 | No error (0) | ipv6.msftncsi.com | ipv6.msftncsi.com.edgesuite.net | | CNAME (Canonical name) | IN (0x0001)
                              Mar 26, 2019 15:25:07.548046112 CET | 8.8.8.8 | 192.168.1.13 | 0xbd61 | Name error (3) | asushotfix.com | none | none | A (IP address) | IN (0x0001)
                              Mar 26, 2019 15:25:20.968616962 CET | 8.8.8.8 | 192.168.1.13 | 0x439b | No error (0) | dns.msftncsi.com | | 131.107.255.255 | A (IP address) | IN (0x0001)
                              Mar 26, 2019 15:25:20.985099077 CET | 8.8.8.8 | 192.168.1.13 | 0x3407 | No error (0) | ipv6.msftncsi.com | ipv6.msftncsi.com.edgesuite.net | | CNAME (Canonical name) | IN (0x0001)
                              Mar 26, 2019 15:26:22.089310884 CET | 8.8.8.8 | 192.168.1.13 | 0x34a8 | No error (0) | dns.msftncsi.com | | 131.107.255.255 | A (IP address) | IN (0x0001)
                              Mar 26, 2019 15:26:22.104480982 CET | 8.8.8.8 | 192.168.1.13 | 0xc56 | No error (0) | ipv6.msftncsi.com | ipv6.msftncsi.com.edgesuite.net | | CNAME (Canonical name) | IN (0x0001)

                              Code Manipulations

                              Statistics

                              CPU Usage

                              Click to jump to process

                              Memory Usage

                              High Level Behavior Distribution

                              Behavior

                              System Behavior

                              General

                              Start time:15:22:15
                              Start date:26/03/2019
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:'C:\Windows\System32\cmd.exe'
                              Imagebase:0x4a3c0000
                              File size:345088 bytes
                              MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:15:22:34
                              Start date:26/03/2019
                              Path:C:\Windows\System32\7za.exe
                              Wow64 process (32bit):true
                              Commandline:7za x net.zip
                              Imagebase:0xb50000
                              File size:289792 bytes
                              MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:15:23:06
                              Start date:26/03/2019
                              Path:C:\Users\user\Downloads\net\infinstaller.exe
                              Wow64 process (32bit):false
                              Commandline:infinstaller.exe C:\Users\user\Downloads\net\netVirtNet1.inf
                              Imagebase:0x1090000
                              File size:16384 bytes
                              MD5 hash:D3807948AF7572C58FFBF532DEA4E6C4
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:low

                              General

                              Start time:15:23:08
                              Start date:26/03/2019
                              Path:C:\Windows\System32\drvinst.exe
                              Wow64 process (32bit):false
                              Commandline:DrvInst.exe '4' '0' 'C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\netvirtnet1.inf' '9' '6cfbba9e7' '00000000000003E4' 'WinSta0\Default' '00000000000005C8' '208' 'c:\users\user\downloads\net'
                              Imagebase:0xffbe0000
                              File size:102912 bytes
                              MD5 hash:2DBA1472BDF847EAE358A4B9FA9AB0C1
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low

                              General

                              Start time:15:23:09
                              Start date:26/03/2019
                              Path:C:\Windows\System32\rundll32.exe
                              Wow64 process (32bit):false
                              Commandline:rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
                              Imagebase:0xff640000
                              File size:45568 bytes
                              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              General

                              Start time:15:24:07
                              Start date:26/03/2019
                              Path:C:\Windows\System32\drvinst.exe
                              Wow64 process (32bit):false
                              Commandline:DrvInst.exe '2' '211' 'ROOT\NET\0000' 'C:\Windows\INF\oem4.inf' 'netvirtnet1.inf:NTKR.NTAMD64:*virtnet.ndi:1.0.0.0:*nm_virtnet' '6cfbba9e7' '00000000000003E4' '00000000000005D0' '0000000000000570'
                              Imagebase:0xffb10000
                              File size:102912 bytes
                              MD5 hash:2DBA1472BDF847EAE358A4B9FA9AB0C1
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low

                              General

                              Start time:15:24:12
                              Start date:26/03/2019
                              Path:C:\Windows\system32\DRIVERS\virtnet.sys
                              Wow64 process (32bit):
                              Commandline:unknown
                              Imagebase:
                              File size:13408 bytes
                              MD5 hash:03971EBE3A44C376775B9B8379596D37
                              Has administrator privileges:
                              Programmed in:C, C++ or other language
                              Reputation:low

                              General

                              Start time:15:24:38
                              Start date:26/03/2019
                              Path:C:\Windows\System32\ipconfig.exe
                              Wow64 process (32bit):false
                              Commandline:ipconfig /all
                              Imagebase:0xffa30000
                              File size:58368 bytes
                              MD5 hash:CF45949CDBB39C953331CDCB9CEC20F8
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low

                              General

                              Start time:15:25:02
                              Start date:26/03/2019
                              Path:C:\Users\user\Downloads\Setup.exe
                              Wow64 process (32bit):true
                              Commandline:Setup.exe
                              Imagebase:0x1270000
                              File size:3333936 bytes
                              MD5 hash:55A7AA5F0E52BA4D78C145811C830107
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low

                              Disassembly

                              Code Analysis

                                Execution Graph

                                Execution Coverage:2.8%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:11.8%
                                Total number of Nodes:431
                                Total number of Limit Nodes:11

                                Graph


                                Executed Functions

                                Control-flow Graph

                                C-Code - Quality: 92%
                                			E0127F4B4(void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int __fp0) {
                                				signed char _t258;
                                				void* _t268;
                                				struct tagLOGFONTW _t269;
                                				struct tagLOGFONTW _t278;
                                				struct HFONT__* _t303;
                                				void* _t305;
                                				struct HFONT__* _t310;
                                				signed int _t316;
                                				int _t325;
                                				intOrPtr _t328;
                                				struct HINSTANCE__* _t330;
                                				struct HINSTANCE__* _t331;
                                				intOrPtr _t334;
                                				struct HFONT__* _t367;
                                				int _t369;
                                				signed int _t370;
                                				WCHAR* _t371;
                                				intOrPtr* _t396;
                                				char _t397;
                                				void* _t399;
                                				void* _t402;
                                				intOrPtr _t403;
                                				intOrPtr _t404;
                                				void* _t405;
                                				intOrPtr _t406;
                                				void* _t407;
                                				void* _t408;
                                				void* _t409;
                                				intOrPtr _t410;
                                				void* _t411;
                                				signed int _t424;
                                				void* _t426;
                                				signed int _t435;
                                				void* _t438;
                                				signed int _t440;
                                				void* _t444;
                                				signed int _t445;
                                				signed int _t446;
                                				void* _t448;
                                				void* _t451;
                                				intOrPtr _t482;
                                				signed long long _t486;
                                
                                				_t451 = __eflags;
                                				_t435 = __edx;
                                				_push(0x488);
                                				L0136966A(0x137f7e4, __ebx, __edi, __esi);
                                				_t396 = __ecx;
                                				_push(0);
                                				 *(_t448 - 0x460) = __ecx;
                                				L01279EEC(__ecx, _t448 - 0x494, __edx, __edi, 0, _t451);
                                				 *(_t448 - 4) = 0;
                                				_t258 = GetDeviceCaps( *(_t448 - 0x48c), 0x58);
                                				 *(_t448 - 0x464) = _t258;
                                				asm("fild dword [ebp-0x464]");
                                				_t486 = __fp0 /  *0x138f8c0;
                                				asm("fst qword [ebx+0x1dc]");
                                				asm("fld1");
                                				asm("fcom st0, st1");
                                				asm("fnstsw ax");
                                				if((_t258 & 0x00000005) != 0) {
                                					st0 = _t486;
                                					L4:
                                					st0 = _t486;
                                				} else {
                                					_t486 =  *0x138f8b0;
                                					asm("fcomp st0, st2");
                                					asm("fnstsw ax");
                                					st1 = _t486;
                                					if((_t258 & 0x00000041) != 0) {
                                						goto L4;
                                					} else {
                                						 *(_t396 + 0x1dc) = _t486;
                                					}
                                				}
                                				_t402 = _t396 + 0x114;
                                				if(_t402 != 0 &&  *((intOrPtr*)(_t402 + 4)) != 0) {
                                					DeleteObject(E0127A0C5(_t396, _t402, _t435));
                                				}
                                				_t403 = _t396 + 0x11c;
                                				 *((intOrPtr*)(_t448 - 0x478)) = _t403;
                                				if(_t403 != 0 &&  *((intOrPtr*)(_t403 + 4)) != 0) {
                                					DeleteObject(E0127A0C5(_t396, _t403, _t435));
                                				}
                                				_t404 = _t396 + 0x124;
                                				 *((intOrPtr*)(_t448 - 0x470)) = _t404;
                                				if(_t404 != 0 &&  *((intOrPtr*)(_t404 + 4)) != 0) {
                                					DeleteObject(E0127A0C5(_t396, _t404, _t435));
                                				}
                                				_t405 = _t396 + 0x12c;
                                				if(_t405 != 0 &&  *((intOrPtr*)(_t405 + 4)) != 0) {
                                					DeleteObject(E0127A0C5(_t396, _t405, _t435));
                                				}
                                				_t406 = _t396 + 0x134;
                                				 *((intOrPtr*)(_t448 - 0x474)) = _t406;
                                				if(_t406 != 0 &&  *((intOrPtr*)(_t406 + 4)) != 0) {
                                					DeleteObject(E0127A0C5(_t396, _t406, _t435));
                                				}
                                				_t407 = _t396 + 0x13c;
                                				if(_t407 != 0 &&  *((intOrPtr*)(_t407 + 4)) != 0) {
                                					DeleteObject(E0127A0C5(_t396, _t407, _t435));
                                				}
                                				_t408 = _t396 + 0x144;
                                				if(_t408 != 0 &&  *((intOrPtr*)(_t408 + 4)) != 0) {
                                					DeleteObject(E0127A0C5(_t396, _t408, _t435));
                                				}
                                				_t409 = _t396 + 0x14c;
                                				if(_t409 != 0 &&  *((intOrPtr*)(_t409 + 4)) != 0) {
                                					DeleteObject(E0127A0C5(_t396, _t409, _t435));
                                				}
                                				_t410 = _t396 + 0x15c;
                                				 *((intOrPtr*)(_t448 - 0x480)) = _t410;
                                				if(_t410 != 0 &&  *((intOrPtr*)(_t410 + 4)) != 0) {
                                					DeleteObject(E0127A0C5(_t396, _t410, _t435));
                                				}
                                				_t411 = _t396 + 0x154;
                                				if(_t411 != 0) {
                                					_t473 =  *((intOrPtr*)(_t411 + 4));
                                					if( *((intOrPtr*)(_t411 + 4)) != 0) {
                                						DeleteObject(E0127A0C5(_t396, _t411, _t435));
                                					}
                                				}
                                				E0127E219(_t396, _t473, _t448 - 0x264);
                                				L01367D50(_t448 - 0x6c, 0, 0x5c);
                                				 *((char*)(_t448 - 0x55)) = GetTextCharsetInfo( *(_t448 - 0x490), 0, 0);
                                				 *(_t448 - 0x5c) =  *(_t448 - 0x174);
                                				 *((char*)(_t448 - 0x58)) =  *((intOrPtr*)(_t448 - 0x170));
                                				asm("cdq");
                                				_t268 = ( *(_t448 - 0x184) ^ _t435) - _t435;
                                				if(_t268 > 0xc) {
                                					_t269 = _t268 - 1;
                                					__eflags = _t269;
                                				} else {
                                					_t269 = 0xb;
                                				}
                                				if( *(_t448 - 0x184) < 0) {
                                					_t269 =  ~_t269;
                                				}
                                				_t438 = lstrcpyW;
                                				 *(_t448 - 0x6c) = _t269;
                                				lstrcpyW(_t448 - 0x50, _t448 - 0x168);
                                				if( *_t396 == 0 &&  *((char*)(_t448 - 0x16d)) <= 2) {
                                					_t369 = EnumFontFamiliesW( *(_t448 - 0x490), 0, E0127F46B,  *0x13d63d4); // executed
                                					if(_t369 != 0) {
                                						_t370 = EnumFontFamiliesW( *(_t448 - 0x490), 0, E0127F46B,  *0x13d63d0);
                                						__eflags = _t370;
                                						_t371 = _t448 - 0x50;
                                						if(_t370 != 0) {
                                							_push( *0x13d63d8);
                                						} else {
                                							_push( *0x13d63d0);
                                						}
                                						lstrcpyW(_t371, ??);
                                					} else {
                                						lstrcpyW(_t448 - 0x50,  *0x13d63d4);
                                						 *((char*)(_t448 - 0x52)) = 5;
                                					}
                                				}
                                				_t444 = CreateFontIndirectW;
                                				E0127A097(_t396, _t396 + 0x114, _t435, _t438, CreateFontIndirectW(_t448 - 0x6c));
                                				 *(_t448 - 0x464) =  *(_t448 - 0x6c);
                                				 *((intOrPtr*)(_t448 - 0x47c)) = L0136B5DE(_t435,  *(_t448 - 0x6c));
                                				asm("fild dword [ebp-0x47c]");
                                				_t489 = (_t486 +  *0x138f8b8 + st0) /  *0x138f8a8;
                                				_t278 = L0136BAB0(_t277, (_t486 +  *0x138f8b8 + st0) /  *0x138f8a8);
                                				_t479 =  *(_t448 - 0x464);
                                				 *(_t448 - 0x6c) = _t278;
                                				if( *(_t448 - 0x464) < 0) {
                                					 *(_t448 - 0x6c) =  ~( *(_t448 - 0x6c));
                                				}
                                				E0127A097(_t396, _t396 + 0x154, _t435, _t438, CreateFontIndirectW(_t448 - 0x6c));
                                				 *(_t448 - 0x6c) =  *(_t448 - 0x464);
                                				E0127E219(_t396, _t479, _t448 - 0x45c);
                                				 *((char*)(_t448 - 0x58)) =  *((intOrPtr*)(_t448 - 0x30c));
                                				 *(_t448 - 0x5c) =  *(_t448 - 0x310);
                                				E0127A097(_t396,  *((intOrPtr*)(_t448 - 0x478)), _t435, _t438, CreateFontIndirectW(_t448 - 0x6c));
                                				 *((char*)(_t448 - 0x58)) =  *((intOrPtr*)(_t448 - 0x170));
                                				 *(_t448 - 0x5c) =  *(_t448 - 0x174);
                                				 *((char*)(_t448 - 0x57)) = 1;
                                				E0127A097(_t396,  *((intOrPtr*)(_t448 - 0x474)), _t435, _t438, CreateFontIndirectW(_t448 - 0x6c));
                                				 *((char*)(_t448 - 0x57)) = 0;
                                				 *(_t448 - 0x5c) = 0x2bc;
                                				E0127A097(_t396,  *((intOrPtr*)(_t448 - 0x470)), _t435, _t438, CreateFontIndirectW(_t448 - 0x6c));
                                				_t397 =  *((intOrPtr*)(_t448 - 0x55));
                                				 *(_t448 - 0x5c) =  *(_t448 - 0x5c) & 0x00000000;
                                				 *((char*)(_t448 - 0x55)) = 2;
                                				 *(_t448 - 0x6c) = GetSystemMetrics(0x48) - 1;
                                				lstrcpyW(_t448 - 0x50,  *0x13d63e0);
                                				_t303 = CreateFontIndirectW(_t448 - 0x6c);
                                				_t420 =  *((intOrPtr*)(_t448 - 0x480));
                                				E0127A097(_t397,  *((intOrPtr*)(_t448 - 0x480)), _t435, _t438, _t303);
                                				 *(_t448 - 0x468) =  *(_t448 - 0x468) & 0x00000000;
                                				 *((char*)(_t448 - 0x55)) = _t397;
                                				 *((intOrPtr*)(_t448 - 0x46c)) = 0x138f884;
                                				_t439 = GetStockObject;
                                				 *(_t448 - 4) = 1;
                                				_t305 = GetStockObject(0x11);
                                				_t398 = GetObjectW;
                                				 *(_t448 - 0x468) = _t305;
                                				if(_t305 != 0 && GetObjectW( *(_t448 - 0x468), 0x5c, _t448 - 0x6c) != 0) {
                                					 *(_t448 - 0x6c) =  *(_t448 - 0x184);
                                					 *(_t448 - 0x5c) =  *(_t448 - 0x174);
                                					 *((char*)(_t448 - 0x58)) =  *((intOrPtr*)(_t448 - 0x170));
                                					 *((intOrPtr*)(_t448 - 0x60)) = 0x384;
                                					 *((intOrPtr*)(_t448 - 0x64)) = 0xa8c;
                                					lstrcpyW(_t448 - 0x50,  *0x13d63dc);
                                					E0127A097(GetObjectW,  *(_t448 - 0x460) + 0x144, _t435, GetStockObject, CreateFontIndirectW(_t448 - 0x6c));
                                					 *((intOrPtr*)(_t448 - 0x64)) = 0x384;
                                					_t367 = CreateFontIndirectW(_t448 - 0x6c);
                                					_t420 =  *(_t448 - 0x460) + 0x14c;
                                					_t482 =  *(_t448 - 0x460) + 0x14c;
                                					E0127A097(GetObjectW,  *(_t448 - 0x460) + 0x14c, _t435, GetStockObject, _t367);
                                				}
                                				GetObjectW( *(E0127A083(_t398, _t420, _t435, _t439, _t444, _t482, GetStockObject(0x11)) + 4), 0x5c, _t448 - 0x6c);
                                				 *((char*)(_t448 - 0x57)) = 1;
                                				_t310 = CreateFontIndirectW(_t448 - 0x6c);
                                				_t440 =  *(_t448 - 0x460);
                                				E0127A097(_t398, _t440 + 0x13c, _t435, _t440, _t310);
                                				 *((char*)(_t448 - 0x57)) = 0;
                                				 *(_t448 - 0x5c) = 0x2bc;
                                				E0127A097(_t398, _t440 + 0x12c, _t435, _t440, CreateFontIndirectW(_t448 - 0x6c));
                                				_t424 = _t440;
                                				E0127E2B5(_t398, _t424, _t435, _t440, _t444, _t482);
                                				_t445 =  *0x13d8440; // 0x0
                                				while(1) {
                                					_t483 = _t445;
                                					if(_t445 == 0) {
                                						break;
                                					}
                                					_t316 = _t445;
                                					__eflags = _t445;
                                					if(_t445 == 0) {
                                						L60:
                                						L01277AC9(_t424);
                                						asm("int3");
                                						_push(0x11c);
                                						L0136966A(0x137f971, _t398, _t440, _t445);
                                						_t446 = _t424;
                                						 *(_t448 - 0x128) = _t446;
                                						 *((intOrPtr*)(_t446 + 0x94)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x90)) = 0x138f578;
                                						 *(_t448 - 4) = 0;
                                						 *((intOrPtr*)(_t446 + 0x9c)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x98)) = 0x138f578;
                                						 *((intOrPtr*)(_t446 + 0xa4)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xa0)) = 0x138f578;
                                						 *((intOrPtr*)(_t446 + 0xac)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xa8)) = 0x138f578;
                                						 *((intOrPtr*)(_t446 + 0xb4)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xb0)) = 0x138f578;
                                						 *((intOrPtr*)(_t446 + 0xbc)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xb8)) = 0x138f578;
                                						 *((intOrPtr*)(_t446 + 0xc4)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xc0)) = 0x138f578;
                                						 *((intOrPtr*)(_t446 + 0xcc)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xc8)) = 0x138f578;
                                						 *((intOrPtr*)(_t446 + 0xd4)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xd0)) = 0x138f598;
                                						 *((intOrPtr*)(_t446 + 0xdc)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xd8)) = 0x138f598;
                                						 *((intOrPtr*)(_t446 + 0xe4)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xe0)) = 0x138f598;
                                						 *((intOrPtr*)(_t446 + 0x10c)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x110)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x118)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x114)) = 0x138f884;
                                						 *((intOrPtr*)(_t446 + 0x120)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x11c)) = 0x138f884;
                                						 *((intOrPtr*)(_t446 + 0x128)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x124)) = 0x138f884;
                                						 *((intOrPtr*)(_t446 + 0x130)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x12c)) = 0x138f884;
                                						 *((intOrPtr*)(_t446 + 0x138)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x134)) = 0x138f884;
                                						 *((intOrPtr*)(_t446 + 0x140)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x13c)) = 0x138f884;
                                						 *((intOrPtr*)(_t446 + 0x148)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x144)) = 0x138f884;
                                						 *((intOrPtr*)(_t446 + 0x150)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x14c)) = 0x138f884;
                                						 *((intOrPtr*)(_t446 + 0x158)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x154)) = 0x138f884;
                                						 *((intOrPtr*)(_t446 + 0x160)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x15c)) = 0x138f884;
                                						 *(_t448 - 4) = 0x14;
                                						 *((intOrPtr*)(_t446 + 0x164)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x168)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x16c)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x170)) = 0;
                                						 *(_t448 - 0x124) = 0x114;
                                						GetVersionExW(_t448 - 0x124);
                                						_t325 = GetSystemMetrics(0x1000); // executed
                                						__eflags =  *((intOrPtr*)(_t448 - 0x120)) - 6;
                                						 *((intOrPtr*)(_t446 + 0x180)) = _t325;
                                						asm("sbb eax, eax");
                                						__eflags =  *((intOrPtr*)(_t448 - 0x120)) - 6;
                                						 *((intOrPtr*)(_t446 + 0x174)) = _t325 + 1;
                                						if(__eflags != 0) {
                                							L63:
                                							if(__eflags > 0) {
                                								goto L65;
                                							} else {
                                								_t328 = 0;
                                							}
                                						} else {
                                							__eflags =  *((intOrPtr*)(_t448 - 0x11c)) - 1;
                                							if( *((intOrPtr*)(_t448 - 0x11c)) >= 1) {
                                								L65:
                                								_t328 = 1;
                                								__eflags = 1;
                                							} else {
                                								__eflags =  *((intOrPtr*)(_t448 - 0x120)) - 6;
                                								goto L63;
                                							}
                                						}
                                						 *((intOrPtr*)(_t446 + 0x178)) = _t328;
                                						 *((intOrPtr*)(_t446 + 0x17c)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x1e4)) = 1;
                                						 *((intOrPtr*)(_t446 + 0xc)) = 0;
                                						 *((intOrPtr*)(_t446 + 8)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x10)) = 0;
                                						E0127EF34(_t398, _t446, _t435, 0, _t446, __eflags);
                                						_push(L"UxTheme.dll");
                                						_t330 = E01274CA7(_t446, _t446, __eflags);
                                						_t399 = GetProcAddress;
                                						_pop(_t426);
                                						 *(_t446 + 0x1ec) = _t330;
                                						__eflags = _t330;
                                						if(__eflags == 0) {
                                							 *((intOrPtr*)(_t446 + 0x1f4)) = 0;
                                							 *((intOrPtr*)(_t446 + 0x1f8)) = 0;
                                							 *((intOrPtr*)(_t446 + 0x1fc)) = 0;
                                							 *((intOrPtr*)(_t446 + 0x200)) = 0;
                                							 *((intOrPtr*)(_t446 + 0x204)) = 0;
                                							 *((intOrPtr*)(_t446 + 0x208)) = 0;
                                						} else {
                                							 *((intOrPtr*)(_t446 + 0x1f4)) = GetProcAddress(_t330, "DrawThemeParentBackground");
                                							 *((intOrPtr*)(_t446 + 0x1f8)) = GetProcAddress( *(_t446 + 0x1ec), "DrawThemeTextEx");
                                							 *((intOrPtr*)(_t446 + 0x1fc)) = GetProcAddress( *(_t446 + 0x1ec), "BufferedPaintInit");
                                							 *((intOrPtr*)(_t446 + 0x200)) = GetProcAddress( *(_t446 + 0x1ec), "BufferedPaintUnInit");
                                							 *((intOrPtr*)(_t446 + 0x204)) = GetProcAddress( *(_t446 + 0x1ec), "BeginBufferedPaint");
                                							 *((intOrPtr*)(_t446 + 0x208)) = GetProcAddress( *(_t446 + 0x1ec), "EndBufferedPaint");
                                						}
                                						_push(L"dwmapi.dll");
                                						_t331 = E01274CA7(_t426, _t446, __eflags);
                                						 *(_t446 + 0x1f0) = _t331;
                                						__eflags = _t331;
                                						if(__eflags == 0) {
                                							 *((intOrPtr*)(_t446 + 0x20c)) = 0;
                                							 *((intOrPtr*)(_t446 + 0x210)) = 0;
                                							 *((intOrPtr*)(_t446 + 0x214)) = 0;
                                						} else {
                                							 *((intOrPtr*)(_t446 + 0x20c)) = GetProcAddress(_t331, "DwmExtendFrameIntoClientArea");
                                							 *((intOrPtr*)(_t446 + 0x210)) = GetProcAddress( *(_t446 + 0x1f0), "DwmDefWindowProc");
                                							 *((intOrPtr*)(_t446 + 0x214)) = GetProcAddress( *(_t446 + 0x1f0), "DwmIsCompositionEnabled");
                                						}
                                						 *((intOrPtr*)(_t446 + 0xe8)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xec)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xf0)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xf4)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x100)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x104)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x108)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xf8)) = 0;
                                						 *((intOrPtr*)(_t446 + 0xfc)) = 0;
                                						 *_t446 = 0;
                                						 *((intOrPtr*)(_t446 + 4)) = 0;
                                						E0127F4B4(_t399, _t446, _t435, 0, _t446, __eflags, _t489); // executed
                                						L0127DEC7(_t446);
                                						 *(_t446 + 0x1c4) =  *(_t446 + 0x1c4) | 0xffffffff;
                                						_t334 = 4;
                                						 *((intOrPtr*)(_t446 + 0x1b0)) = _t334;
                                						 *((intOrPtr*)(_t446 + 0x1bc)) = _t334;
                                						__eflags = 1;
                                						 *((intOrPtr*)(_t446 + 0x18c)) = 1;
                                						 *((intOrPtr*)(_t446 + 0x21c)) = 1;
                                						 *((intOrPtr*)(_t446 + 0x19c)) = 1;
                                						 *((intOrPtr*)(_t446 + 0x198)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x1e8)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x1b4)) = 3;
                                						 *((intOrPtr*)(_t446 + 0x1b8)) = 0xe;
                                						 *((intOrPtr*)(_t446 + 0x1c0)) = 0x32;
                                						 *((intOrPtr*)(_t446 + 0x184)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x188)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x218)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x220)) = 0;
                                						 *((intOrPtr*)(_t446 + 0x224)) = 0;
                                						return L013696ED(_t399, 0, _t446);
                                					} else {
                                						_t440 =  *(_t316 + 8);
                                						_t445 =  *_t445;
                                						__eflags = _t440;
                                						__eflags = 0 | _t440 != 0x00000000;
                                						if(__eflags == 0) {
                                							goto L60;
                                						} else {
                                							__eflags = E01282D31(_t398, _t424, _t435, _t440, _t445, __eflags,  *((intOrPtr*)(_t440 + 0x20)));
                                							if(__eflags != 0) {
                                								_t424 = _t440;
                                								 *((intOrPtr*)( *_t440 + 0x3a8))();
                                							}
                                							continue;
                                						}
                                					}
                                					L73:
                                				}
                                				 *(_t448 - 4) = 0;
                                				 *((intOrPtr*)(_t448 - 0x46c)) = 0x138f884;
                                				E0127A27E(_t398, _t448 - 0x46c, _t440, _t445, _t483);
                                				 *(_t448 - 4) =  *(_t448 - 4) | 0xffffffff;
                                				L01279F40(_t398, _t448 - 0x494, _t435, _t440, _t445,  *(_t448 - 4));
                                				return L013696ED(_t398, _t440, _t445);
                                				goto L73;
                                			}

                                0x0127fa3c
                                0x0127fa42
                                0x0127fa48
                                0x0127fa4e
                                0x0127fa54
                                0x0127fa5f
                                0x0127fa65
                                0x0127fa6b
                                0x0127fa71
                                0x0127fa77
                                0x0127fa7d
                                0x0127fa83
                                0x0127fa89
                                0x0127fa8f
                                0x0127fa95
                                0x0127fa9b
                                0x0127faa1
                                0x0127faa7
                                0x0127faad
                                0x0127fab3
                                0x0127fab9
                                0x0127fabf
                                0x0127fac5
                                0x0127facb
                                0x0127fad1
                                0x0127fade
                                0x0127fae2
                                0x0127fae8
                                0x0127faee
                                0x0127faf4
                                0x0127fafa
                                0x0127fb04
                                0x0127fb0f
                                0x0127fb15
                                0x0127fb1c
                                0x0127fb22
                                0x0127fb25
                                0x0127fb2c
                                0x0127fb32
                                0x0127fb44
                                0x0127fb44
                                0x00000000
                                0x0127fb46
                                0x0127fb46
                                0x0127fb46
                                0x0127fb34
                                0x0127fb34
                                0x0127fb3b
                                0x0127fb4a
                                0x0127fb4c
                                0x0127fb4c
                                0x0127fb3d
                                0x0127fb3d
                                0x00000000
                                0x0127fb3d
                                0x0127fb3b
                                0x0127fb4f
                                0x0127fb55
                                0x0127fb5b
                                0x0127fb65
                                0x0127fb68
                                0x0127fb6b
                                0x0127fb6e
                                0x0127fb73
                                0x0127fb78
                                0x0127fb7d
                                0x0127fb83
                                0x0127fb84
                                0x0127fb8a
                                0x0127fb8c
                                0x0127fbfd
                                0x0127fc03
                                0x0127fc09
                                0x0127fc0f
                                0x0127fc15
                                0x0127fc1b
                                0x0127fb8e
                                0x0127fba1
                                0x0127fbb4
                                0x0127fbc7
                                0x0127fbda
                                0x0127fbed
                                0x0127fbf5
                                0x0127fbf5
                                0x0127fc21
                                0x0127fc26
                                0x0127fc2c
                                0x0127fc32
                                0x0127fc34
                                0x0127fc6c
                                0x0127fc72
                                0x0127fc78
                                0x0127fc36
                                0x0127fc49
                                0x0127fc5c
                                0x0127fc64
                                0x0127fc64
                                0x0127fc80
                                0x0127fc86
                                0x0127fc8c
                                0x0127fc92
                                0x0127fc98
                                0x0127fc9e
                                0x0127fca4
                                0x0127fcaa
                                0x0127fcb0
                                0x0127fcb6
                                0x0127fcb8
                                0x0127fcbb
                                0x0127fcc2
                                0x0127fcc7
                                0x0127fcd0
                                0x0127fcd1
                                0x0127fcd7
                                0x0127fcdf
                                0x0127fce0
                                0x0127fce6
                                0x0127fcec
                                0x0127fcf2
                                0x0127fcf8
                                0x0127fcfe
                                0x0127fd08
                                0x0127fd12
                                0x0127fd1c
                                0x0127fd22
                                0x0127fd28
                                0x0127fd2e
                                0x0127fd34
                                0x0127fd41
                                0x0127f946
                                0x0127f946
                                0x0127f949
                                0x0127f94d
                                0x0127f952
                                0x0127f954
                                0x00000000
                                0x0127f956
                                0x0127f95e
                                0x0127f960
                                0x0127f964
                                0x0127f966
                                0x0127f966
                                0x00000000
                                0x0127f960
                                0x0127f954
                                0x00000000
                                0x0127f944
                                0x0127f976
                                0x0127f97a
                                0x0127f984
                                0x0127f989
                                0x0127f993
                                0x0127f99d
                                0x00000000

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0127F4BE
                                  • Part of subcall function 01279EEC: __EH_prolog3.LIBCMT ref: 01279EF3
                                  • Part of subcall function 01279EEC: GetWindowDC.USER32(00000000), ref: 01279F1F
                                • GetDeviceCaps.GDI32(?,00000058), ref: 0127F4E4
                                  • Part of subcall function 0127E219: SystemParametersInfoW.USER32 ref: 0127E23D
                                • _memset.LIBCMT ref: 0127F643
                                • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 0127F653
                                • lstrcpyW.KERNEL32(?,?), ref: 0127F6A2
                                • CreateFontIndirectW.GDI32(?), ref: 0127F718
                                • CreateFontIndirectW.GDI32(?), ref: 0127F768
                                • CreateFontIndirectW.GDI32(?), ref: 0127F7A3
                                • CreateFontIndirectW.GDI32(?), ref: 0127F7CB
                                • CreateFontIndirectW.GDI32(?), ref: 0127F7E8
                                • GetSystemMetrics.USER32 ref: 0127F803
                                • lstrcpyW.KERNEL32(?), ref: 0127F817
                                • CreateFontIndirectW.GDI32(?), ref: 0127F81D
                                • GetStockObject.GDI32(00000011), ref: 0127F84B
                                • GetStockObject.GDI32(00000011), ref: 0127F8E5
                                • GetObjectW.GDI32(?,0000005C,?), ref: 0127F8F6
                                • CreateFontIndirectW.GDI32(?), ref: 0127F900
                                • CreateFontIndirectW.GDI32(?), ref: 0127F923
                                  • Part of subcall function 0127E2B5: __EH_prolog3_GS.LIBCMT ref: 0127E2BC
                                  • Part of subcall function 0127E2B5: GetTextMetricsW.GDI32(?,?), ref: 0127E2FF
                                  • Part of subcall function 0127E2B5: GetTextMetricsW.GDI32(?,?), ref: 0127E33C
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • __EH_prolog3_GS.LIBCMT ref: 0127F9AE
                                • GetVersionExW.KERNEL32(?,0000011C), ref: 0127FB04
                                • KiUserCallbackDispatcher.NTDLL ref: 0127FB0F
                                  • Part of subcall function 0127EF34: __EH_prolog3.LIBCMT ref: 0127EF3B
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EF4A
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EF57
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EF6A
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EF72
                                  • Part of subcall function 0127EF34: GetDeviceCaps.GDI32(?,0000000C), ref: 0127EF98
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFA6
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFB0
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFBA
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFC4
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFCE
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFD8
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFE2
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFE9
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFF0
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFF7
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127EFFE
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F008
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F00F
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F016
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F01D
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F024
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F02B
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F035
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F03F
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F049
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F053
                                  • Part of subcall function 0127EF34: GetSysColor.USER32 ref: 0127F06D
                                  • Part of subcall function 0127EF34: GetSysColorBrush.USER32(00000010), ref: 0127F088
                                  • Part of subcall function 0127EF34: GetSysColorBrush.USER32(00000014), ref: 0127F09F
                                  • Part of subcall function 0127EF34: GetSysColorBrush.USER32(00000005), ref: 0127F0B1
                                  • Part of subcall function 0127EF34: CreateSolidBrush.GDI32(?), ref: 0127F0D5
                                  • Part of subcall function 0127EF34: CreateSolidBrush.GDI32(?), ref: 0127F0F1
                                  • Part of subcall function 0127EF34: CreateSolidBrush.GDI32(?), ref: 0127F10D
                                  • Part of subcall function 0127EF34: CreateSolidBrush.GDI32(?), ref: 0127F129
                                  • Part of subcall function 0127EF34: CreateSolidBrush.GDI32(?), ref: 0127F145
                                  • Part of subcall function 0127EF34: CreateSolidBrush.GDI32(?), ref: 0127F161
                                  • Part of subcall function 0127EF34: CreateSolidBrush.GDI32(?), ref: 0127F17D
                                  • Part of subcall function 0127EF34: CreatePen.GDI32(00000000,00000001), ref: 0127F1A6
                                  • Part of subcall function 0127EF34: CreatePen.GDI32(00000000,00000001), ref: 0127F1C9
                                  • Part of subcall function 0127EF34: CreatePen.GDI32(00000000,00000001), ref: 0127F1EC
                                  • Part of subcall function 0127EF34: CreateSolidBrush.GDI32(?), ref: 0127F270
                                  • Part of subcall function 0127EF34: CreatePatternBrush.GDI32(00000000), ref: 0127F2B1
                                  • Part of subcall function 01274CA7: ActivateActCtx.KERNEL32(?,?), ref: 01274CC7
                                  • Part of subcall function 01274CA7: LoadLibraryW.KERNEL32(?), ref: 01274CDE
                                  • Part of subcall function 0127F4B4: DeleteObject.GDI32(00000000), ref: 0127F545
                                  • Part of subcall function 0127F4B4: DeleteObject.GDI32(00000000), ref: 0127F562
                                  • Part of subcall function 0127F4B4: DeleteObject.GDI32(00000000), ref: 0127F57F
                                  • Part of subcall function 0127F4B4: DeleteObject.GDI32(00000000), ref: 0127F596
                                  • Part of subcall function 0127F4B4: DeleteObject.GDI32(00000000), ref: 0127F5B3
                                  • Part of subcall function 0127F4B4: DeleteObject.GDI32(00000000), ref: 0127F5CA
                                  • Part of subcall function 0127F4B4: DeleteObject.GDI32(00000000), ref: 0127F5E1
                                  • Part of subcall function 0127F4B4: DeleteObject.GDI32(00000000), ref: 0127F5F8
                                  • Part of subcall function 0127F4B4: DeleteObject.GDI32(00000000), ref: 0127F615
                                  • Part of subcall function 0127F4B4: DeleteObject.GDI32(00000000), ref: 0127F62C
                                  • Part of subcall function 0127F4B4: EnumFontFamiliesW.GDI32(?,00000000,Function_0000F46B), ref: 0127F6C9
                                  • Part of subcall function 0127F4B4: lstrcpyW.KERNEL32(?), ref: 0127F6D9
                                  • Part of subcall function 0127F4B4: EnumFontFamiliesW.GDI32(?,00000000,Function_0000F46B), ref: 0127F6F4
                                  • Part of subcall function 0127F4B4: lstrcpyW.KERNEL32(?), ref: 0127F70C
                                  • Part of subcall function 0127F4B4: GetObjectW.GDI32(?,0000005C,?), ref: 0127F86D
                                  • Part of subcall function 0127F4B4: lstrcpyW.KERNEL32(?), ref: 0127F8A6
                                  • Part of subcall function 0127F4B4: CreateFontIndirectW.GDI32(?), ref: 0127F8B0
                                  • Part of subcall function 0127F4B4: CreateFontIndirectW.GDI32(?), ref: 0127F8CF
                                  • Part of subcall function 0127F4B4: GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0127FB94
                                  • Part of subcall function 0127F4B4: GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 0127FBA7
                                  • Part of subcall function 0127F4B4: GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 0127FBBA
                                  • Part of subcall function 0127F4B4: GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 0127FBCD
                                  • Part of subcall function 0127F4B4: GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 0127FBE0
                                  • Part of subcall function 0127F4B4: GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 0127FBF3
                                  • Part of subcall function 0127F4B4: GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 0127FC3C
                                  • Part of subcall function 0127F4B4: GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 0127FC4F
                                  • Part of subcall function 0127F4B4: GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 0127FC62
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Color$Create$Object$BrushFont$DeleteIndirect$AddressProc$Solid$lstrcpy$H_prolog3_MetricsText$CapsDeviceEnumFamiliesH_prolog3InfoStockSystem$ActivateCallbackCharsetDispatcherException@8LibraryLoadParametersPatternThrowUserVersionWindow_memset
                                • String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
                                • API String ID: 3885222056-1174303547
                                • Opcode ID: 249fe8a8247653287664323ca939a6fece32c43ede282febc18348e3ed5058b5
                                • Instruction ID: 1c1e13471d39e94fbe9f42bf92b93ac1125342f1c4bc8066529cf1589a976cab
                                • Opcode Fuzzy Hash: 249fe8a8247653287664323ca939a6fece32c43ede282febc18348e3ed5058b5
                                • Instruction Fuzzy Hash: A63255B081571A9FDB21AFB9C944BEEFBF8AF58304F04485ED6AAA7214DB706540CF50
                                Uniqueness

                                Uniqueness Score: 100.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 222 1273800-127384f call 1368890 call 1271680 227 1273850-1273856 222->227 228 1273876-1273878 227->228 229 1273858-127385b 227->229 232 127387b-127387d 228->232 230 1273872-1273874 229->230 231 127385d-1273865 229->231 230->232 231->228 233 1273867-1273870 231->233 234 1273884-1273934 _memset call 1273e60 _memset * 2 call 1271230 * 2 PathFileExistsW 232->234 235 127387f call 1271a50 232->235 233->227 233->230 243 1273a43-1273a4a call 12732a0 234->243 244 127393a-1273945 PathFileExistsW 234->244 235->234 250 1273a4c-1273a59 call 1271680 243->250 251 1273a5b-1273a69 call 127859a 243->251 244->243 245 127394b-1273a03 call 1271680 _memset call 1271230 DeleteFileW _memset GetPrivateProfileStringW call 1273740 call 1272650 244->245 245->243 271 1273a05-1273a1f call 1271680 call 1271280 245->271 259 1273a22-1273a42 call 1367d3e 250->259 260 1273a75-1273a9c call 127859a 251->260 261 1273a6b-1273a70 call 12713a0 251->261 272 1273a9e-1273aa3 call 12713a0 260->272 273 1273aa8-1273ad8 call 1272f00 260->273 261->260 271->259 272->273 282 1273ade-1273b38 call 1271680 call 1271d10 _memset call 1271c80 273->282 283 1273bfd-1273c0d call 1271680 273->283 299 1273b4d-1273b5d call 1271000 282->299 300 1273b3a-1273b47 call 12724d0 282->300 288 1273c16-1273c24 call 127859a 283->288 289 1273c0f-1273c11 call 12720e0 283->289 297 1273c26-1273c2b call 12713a0 288->297 298 1273c30-1273c54 call 127859a 288->298 289->288 297->298 311 1273c56-1273c5b call 12713a0 298->311 312 1273c60-1273c89 298->312 309 1273b5f-1273b87 call 1272530 call 1272b00 299->309 310 1273b89-1273be1 _memset GetWindowsDirectoryW lstrcatW call 1271120 299->310 300->299 320 1273be4-1273bec 309->320 310->320 311->312 322 1273ca1-1273cbe GetModuleFileNameW call 13682e5 312->322 323 1273c8b-1273c96 call 12724d0 312->323 320->283 321 1273bee-1273bfa call 1273ef0 320->321 321->283 331 1273e47-1273e51 call 12713a0 322->331 332 1273cc4-1273cc7 322->332 329 1273c9b 323->329 
329->322 332->331 334 1273ccd-1273ce3 _wcsrchr 332->334 336 1273ce5-1273ce8 334->336 337 1273cea-1273cec 334->337 338 1273cee-1273d2a call 1272940 call 1272a30 336->338 337->338 343 1273d36-1273d48 GetVersion 338->343 344 1273d2c-1273d31 338->344 345 1273d64-1273d76 343->345 346 1273d4a-1273d4d 343->346 344->343 348 1273d77-1273dc3 call 1272ae0 call 1271680 ShellExecuteW 345->348 346->345 347 1273d4f-1273d62 346->347 347->348 353 1273dc5-1273dca 348->353 354 1273dcf-1273de3 348->354 353->354 355 1273de5-1273dea 354->355 356 1273def-1273e09 354->356 355->356 357 1273e15-1273e32 356->357 358 1273e0b-1273e10 356->358 357->259 359 1273e38-1273e42 357->359 358->357 359->259
                                C-Code - Quality: 58%
                                			E01273800(void* __ebx, intOrPtr __ecx, intOrPtr* __edi, intOrPtr _a4) {
                                				void* _v8;
                                				signed int _v12;
                                				char _v16;
                                				signed int _v20;
                                				intOrPtr _v32;
                                				signed int _v44;
                                				char _v532;
                                				char _v538;
                                				char _v540;
                                				char _v562;
                                				short _v564;
                                				char _v1058;
                                				short _v1060;
                                				char _v1314;
                                				short _v1316;
                                				char _v2090;
                                				short _v2092;
                                				char _v2866;
                                				short _v2868;
                                				char _v3642;
                                				short _v3644;
                                				char _v5690;
                                				char _v5692;
                                				WCHAR* _v5696;
                                				char _v5700;
                                				char _v5704;
                                				short* _v5708;
                                				char _v5712;
                                				intOrPtr _v5716;
                                				void* __esi;
                                				signed int _t127;
                                				short _t131;
                                				int _t141;
                                				signed int _t142;
                                				signed int _t143;
                                				signed int _t147;
                                				signed int _t151;
                                				signed int _t153;
                                				signed int _t156;
                                				signed int _t165;
                                				signed int _t174;
                                				void* _t176;
                                				signed int _t178;
                                				signed int _t179;
                                				signed int _t180;
                                				void* _t181;
                                				intOrPtr* _t184;
                                				signed char _t185;
                                				signed int _t187;
                                				signed int** _t192;
                                				signed int** _t193;
                                				signed int** _t195;
                                				signed int** _t197;
                                				signed int _t219;
                                				void* _t246;
                                				intOrPtr _t252;
                                				void* _t254;
                                				intOrPtr* _t256;
                                				short* _t285;
                                				void* _t313;
                                				signed int _t327;
                                				signed int _t331;
                                				signed int _t333;
                                				signed int _t335;
                                				intOrPtr _t346;
                                				WCHAR* _t348;
                                				void* _t349;
                                				void* _t350;
                                				WCHAR* _t353;
                                				intOrPtr _t354;
                                				void* _t355;
                                				short* _t356;
                                				void* _t357;
                                				signed int _t358;
                                				signed int _t359;
                                				void* _t360;
                                				void* _t361;
                                				void* _t362;
                                				void* _t363;
                                				void* _t364;
                                				signed int _t365;
                                				void* _t374;
                                				intOrPtr* _t375;
                                				intOrPtr _t380;
                                
                                				_t347 = __edi;
                                				_push(0xffffffff);
                                				_push(0x137eb17);
                                				_push( *[fs:0x0]);
                                				E01368890(0x1644);
                                				_t127 =  *0x13d3570; // 0x99b5b578
                                				_v20 = _t127 ^ _t358;
                                				_push(__ebx);
                                				_push(_t350);
                                				_push(__edi);
                                				 *[fs:0x0] =  &_v16;
                                				_t252 = __ecx;
                                				_v5716 = __ecx;
                                				E01271680(__ecx, __edi, _t350, L"Start MSIStarter\n", _t127 ^ _t358); // executed
                                				_t131 =  *((intOrPtr*)(_t252 + 0x48));
                                				_t361 = _t360 + 4;
                                				_t256 = L"-s";
                                				while(1) {
                                					_t313 =  *_t131;
                                					if(_t313 !=  *_t256) {
                                						break;
                                					}
                                					if(_t313 == 0) {
                                						L5:
                                						_t131 = 0;
                                					} else {
                                						_t346 =  *((intOrPtr*)(_t131 + 2));
                                						_t6 = _t256 + 2; // 0x73
                                						if(_t346 !=  *_t6) {
                                							break;
                                						} else {
                                							_t131 = _t131 + 4;
                                							_t256 = _t256 + 4;
                                							if(_t346 != 0) {
                                								continue;
                                							} else {
                                								goto L5;
                                							}
                                						}
                                					}
                                					L7:
                                					if(_t131 == 0) {
                                						L01271A50(_t252);
                                					}
                                					_v540 = 0;
                                					L01367D50( &_v538, 0, 0x206);
                                					_push(0x104);
                                					_push( &_v540);
                                					L56();
                                					_v2868 = 0;
                                					L01367D50( &_v2866, 0, 0x306);
                                					_v2092 = 0;
                                					L01367D50( &_v2090, 0, 0x306);
                                					L01271230(0x184,  &_v2868, L"%spatch.exe",  &_v540);
                                					L01271230(0x184,  &_v2092, L"%spatch.ini",  &_v540);
                                					_t351 = PathFileExistsW;
                                					_t362 = _t361 + 0x44;
                                					_t319 =  &_v2868;
                                					_t141 = PathFileExistsW( &_v2868); // executed
                                					if(_t141 == 0 || PathFileExistsW( &_v2092) == 0) {
                                						L14:
                                						_t142 = E012732A0(); // executed
                                						__eflags = _t142;
                                						if(_t142 == 0) {
                                							_t143 = E0127859A();
                                							__eflags = _t143;
                                							_t262 = 0 | __eflags != 0x00000000;
                                							if(__eflags == 0) {
                                								_push(0x80004005);
                                								_t143 = L012713A0(_t252, _t262, _t347, _t351);
                                							}
                                							_v5700 =  *((intOrPtr*)( *((intOrPtr*)( *_t143 + 0xc))))() + 0x10;
                                							_v8 = 0;
                                							_t147 = E0127859A();
                                							__eflags = _t147;
                                							_t265 = 0 | __eflags != 0x00000000;
                                							__eflags = __eflags != 0;
                                							if(__eflags == 0) {
                                								_push(0x80004005);
                                								_t147 = L012713A0(_t252, _t265, _t347, _t351);
                                							}
                                							_v5704 =  *((intOrPtr*)( *((intOrPtr*)( *_t147 + 0xc))))() + 0x10;
                                							_v8 = 1;
                                							_t352 = 0; // executed
                                							_t151 = E01272F00(__eflags,  &_v5700,  &_v5704); // executed
                                							_t363 = _t362 + 8;
                                							__eflags = _t151;
                                							if(_t151 != 0) {
                                								_push(L"Need to remove previous version\n");
                                								E01271680(_t252, _t347, 0);
                                								L01271D10(_t252, _t252, _t347, __eflags);
                                								_t352 = 1;
                                								_v5692 = 0;
                                								L01367D50( &_v5690, 0, 0x7fe);
                                								_t374 = _t363 + 0x10;
                                								L01271C80(_t252,  &_v5692, 0x400);
                                								_t339 = _v5700;
                                								_t306 =  *(_v5700 - 8) | 0x00000001 -  *((intOrPtr*)(_v5700 - 4));
                                								__eflags = _t306;
                                								if(_t306 < 0) {
                                									_t306 =  &_v5700;
                                									E012724D0( &_v5700, 0);
                                									_t339 = _v5700;
                                								}
                                								_t219 = L01271000(_t306, _t339, L"3.0.0");
                                								_t375 = _t374 + 8;
                                								__eflags = _t219;
                                								if(_t219 == 0) {
                                									__eflags = 0;
                                									_v1060 = 0;
                                									L01367D50( &_v1058, 0, 0x206);
                                									GetWindowsDirectoryW( &_v1060, 0x104);
                                									lstrcatW( &_v1060, L"\\system32");
                                									L01271120( &_v1060, L"msiexec.exe", L"/uninstall {FA540E67-095C-4A1B-97BA-4D547DEC9AF4} /qn /norestart");
                                									_t363 = _t375 + 0x18;
                                								} else {
                                									_v5712 = _t375;
                                									_t347 = _t375;
                                									 *_t375 = E01272530(_v5704 + 0xfffffff0) + 0x10;
                                									E01272B00(_t252, _t352, _t306);
                                									_t363 = _t375 + 8;
                                								}
                                								__eflags = _v5692;
                                								if(_v5692 != 0) {
                                									L01273EF0(_t252, _t347,  &_v5692);
                                									_t363 = _t363 + 4;
                                								}
                                							}
                                							_push(L"Install new version\n"); // executed
                                							E01271680(_t252, _t347, _t352); // executed
                                							_t364 = _t363 + 4;
                                							__eflags = _t352 - 1;
                                							if(_t352 == 1) {
                                								E012720E0(_t252);
                                							}
                                							_t153 = E0127859A();
                                							__eflags = _t153;
                                							_t269 = 0 | __eflags != 0x00000000;
                                							if(__eflags == 0) {
                                								_push(0x80004005);
                                								_t153 = L012713A0(_t252, _t269, _t347, _t352);
                                							}
                                							_t66 =  *((intOrPtr*)( *((intOrPtr*)( *_t153 + 0xc))))() + 0x10; // 0x10
                                							_t353 = _t66;
                                							_v5696 = _t353;
                                							_v8 = 2;
                                							_t156 = E0127859A();
                                							__eflags = _t156;
                                							_t272 = 0 | __eflags != 0x00000000;
                                							if(__eflags == 0) {
                                								_push(0x80004005);
                                								_t156 = L012713A0(_t252, _t272, _t347, _t353);
                                							}
                                							_v5708 =  *((intOrPtr*)( *((intOrPtr*)( *_t156 + 0xc))))() + 0x10;
                                							_t275 = 1 -  *((intOrPtr*)(_t353 - 4));
                                							__eflags =  *((intOrPtr*)(_t353 - 8)) - 0x00000400 | 0x00000001 -  *((intOrPtr*)(_t353 - 4));
                                							_v8 = 3;
                                							if(( *((intOrPtr*)(_t353 - 8)) - 0x00000400 | 0x00000001 -  *((intOrPtr*)(_t353 - 4))) < 0) {
                                								_t275 =  &_v5696;
                                								E012724D0( &_v5696, 0x400); // executed
                                								_t353 = _v5696;
                                							}
                                							GetModuleFileNameW(0, _t353, 0x400);
                                							_t165 = E013682E5(_t353,  *((intOrPtr*)(_t353 - 8)));
                                							_t365 = _t364 + 8;
                                							__eflags = _t165;
                                							if(_t165 < 0) {
                                								L55:
                                								_push(0x80070057);
                                								L012713A0(3, _t275, _t347, _t353);
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								asm("int3");
                                								_push(_t358);
                                								_t359 = _t365;
                                								_v44 =  *0x13d3570 ^ _t359;
                                								_push(_t353);
                                								_t354 = _v32;
                                								_v564 = 0;
                                								L01367D50( &_v562, 0, 0x206);
                                								GetModuleFileNameW(GetModuleHandleW(0),  &_v564, 0x104);
                                								_t174 = L01367DCA( &_v564, 0x5c);
                                								__eflags = _t174;
                                								if(_t174 != 0) {
                                									__eflags = 0;
                                									 *((short*)(_t174 + 2)) = 0;
                                								}
                                								_t176 = E01368C6F(_t354,  &_v532, _a4);
                                								__eflags = _v12 ^ _t359;
                                								_pop(_t355);
                                								return L01367D3E(_t176, 3, _v12 ^ _t359, _a4, _t347, _t355);
                                							} else {
                                								__eflags = _t165 -  *((intOrPtr*)(_t353 - 8));
                                								if(_t165 >  *((intOrPtr*)(_t353 - 8))) {
                                									goto L55;
                                								} else {
                                									 *(_t353 - 0xc) = _t165;
                                									_t353[_t165] = 0;
                                									_t178 = L01367DCA(_t353, 0x5c);
                                									__eflags = _t178;
                                									if(_t178 != 0) {
                                										_t179 = _t178 - _t353;
                                										__eflags = _t179;
                                										_t180 = _t179 >> 1;
                                									} else {
                                										_t180 = _t178 | 0xffffffff;
                                									}
                                									_t327 =  &_v5712;
                                									_t181 = E01272940( &_v5696, _t327, _t180);
                                									_v8 = 4;
                                									E01272A30( &_v5696, _t181);
                                									_t184 = _v5712 + 0xfffffff0;
                                									_v8 = 3;
                                									asm("lock xadd [ecx], edx");
                                									__eflags = (_t327 | 0xffffffff) - 1;
                                									if((_t327 | 0xffffffff) - 1 <= 0) {
                                										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t184)) + 4))))(_t184);
                                									}
                                									_t185 = GetVersion();
                                									_t187 = _t185 >> 0x00000008 & 0x000000ff;
                                									__eflags = (_t185 & 0x000000ff) - 6;
                                									if((_t185 & 0x000000ff) != 6) {
                                										L46:
                                										_t348 = _v5696;
                                										_push(_t348);
                                										_push(L"%s\\data\\419.msi");
                                										_push( &_v5708);
                                									} else {
                                										__eflags = _t187 - 2;
                                										if(_t187 < 2) {
                                											goto L46;
                                										} else {
                                											_t348 = _v5696;
                                											_push(_t348);
                                											_push(L"%s\\data_win8\\419.msi");
                                											_push( &_v5708);
                                										}
                                									}
                                									E01272AE0();
                                									_t356 = _v5708;
                                									E01271680(3, _t348, _t356, L"Try to launch %s\n", _t356); // executed
                                									_t285 =  *(_v5716 + 0x48);
                                									ShellExecuteW(0, L"open", _t356, _t285, 0, 5); // executed
                                									_t192 = _t356 - 0x10;
                                									_v8 = 2;
                                									_t331 =  &(_t192[3]);
                                									asm("lock xadd [edx], ecx");
                                									__eflags = (_t285 | 0xffffffff) - 1;
                                									if((_t285 | 0xffffffff) - 1 <= 0) {
                                										_t331 =  *( *_t192);
                                										 *((intOrPtr*)( *((intOrPtr*)(_t331 + 4))))(_t192);
                                									}
                                									_t193 = _t348 - 0x10;
                                									_v8 = 1;
                                									asm("lock xadd [ecx], edx");
                                									_t333 = (_t331 | 0xffffffff) - 1;
                                									__eflags = _t333;
                                									if(_t333 <= 0) {
                                										_t333 =  *( *_t193);
                                										 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))(_t193);
                                									}
                                									_t195 = _v5704 + 0xfffffff0;
                                									_v8 = 0;
                                									asm("lock xadd [ecx], edx");
                                									_t335 = (_t333 | 0xffffffff) - 1;
                                									__eflags = _t335;
                                									if(_t335 <= 0) {
                                										_t335 =  *( *_t195);
                                										 *((intOrPtr*)( *((intOrPtr*)(_t335 + 4))))(_t195);
                                									}
                                									_t197 = _v5700 + 0xfffffff0;
                                									_v8 = 0xffffffff;
                                									asm("lock xadd [ecx], edx");
                                									_t319 = (_t335 | 0xffffffff) - 1;
                                									__eflags = (_t335 | 0xffffffff) - 1;
                                									if((_t335 | 0xffffffff) - 1 <= 0) {
                                										_t319 =  *( *_t197);
                                										 *((intOrPtr*)( *((intOrPtr*)( *( *_t197) + 4))))(_t197);
                                									}
                                									goto L13;
                                								}
                                							}
                                						} else {
                                							_push(L"Self updating in process. Quit now.\n");
                                							E01271680(_t252, _t347, _t351);
                                							goto L13;
                                						}
                                					} else {
                                						_push(L"<Patch>Found patch.exe & patch.ini\n");
                                						E01271680(_t252, _t347, PathFileExistsW);
                                						_v1316 = 0;
                                						L01367D50( &_v1314, 0, 0x306);
                                						L01271230(0x184,  &_v1316, L"%s..\\..\\log.xml",  &_v540);
                                						DeleteFileW( &_v1316);
                                						_v3644 = 0;
                                						L01367D50( &_v3642, 0, 0x306);
                                						_t380 = _t362 + 0x28;
                                						GetPrivateProfileStringW(L"FileToPatch", L"SourceDir", 0x138e210,  &_v3644, 0x184,  &_v2092);
                                						_t319 =  &_v3644;
                                						_v5704 = _t380;
                                						E01273740(_t252,  &_v3644);
                                						_t246 = E01272650( &_v3642);
                                						_t362 = _t380 + 4;
                                						if(_t246 != 1) {
                                							goto L14;
                                						} else {
                                							_push(L"<Patch>Found patched files\n");
                                							E01271680(_t252, _t347, PathFileExistsW);
                                							L01271280(0,  &_v2868, 0);
                                							L13:
                                							 *[fs:0x0] = _v16;
                                							_pop(_t349);
                                							_pop(_t357);
                                							_pop(_t254);
                                							return L01367D3E(1, _t254, _v20 ^ _t358, _t319, _t349, _t357); // executed
                                						}
                                					}
                                				}
                                				asm("sbb eax, eax");
                                				asm("sbb eax, 0xffffffff");
                                				goto L7;
                                			}

                                APIs
                                  • Part of subcall function 01271680: _memset.LIBCMT ref: 012716A9
                                  • Part of subcall function 01271680: __swprintf.LIBCMT ref: 012716BA
                                  • Part of subcall function 01271680: __vswprintf.LIBCMT ref: 012716CF
                                  • Part of subcall function 01271680: OutputDebugStringW.KERNEL32(?), ref: 012716DE
                                • ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000005), ref: 01273DA9
                                  • Part of subcall function 01271A50: RegOpenKeyExW.ADVAPI32 ref: 01271A78
                                  • Part of subcall function 01271A50: _memset.LIBCMT ref: 01271AA5
                                  • Part of subcall function 01271A50: _memset.LIBCMT ref: 01271AB7
                                  • Part of subcall function 01271A50: _memset.LIBCMT ref: 01271AD2
                                  • Part of subcall function 01271A50: RegFlushKey.ADVAPI32(?), ref: 01271AEB
                                  • Part of subcall function 01271A50: RegQueryValueExW.ADVAPI32(?,DisplayVersion,00000000,?,?,00000040), ref: 01271B17
                                  • Part of subcall function 01271A50: RegQueryValueExW.ADVAPI32(?,SelfUpdating,00000000,?,?,00000040), ref: 01271B5A
                                  • Part of subcall function 01271A50: lstrlenW.KERNEL32(?), ref: 01271B8A
                                  • Part of subcall function 01271A50: RegSetValueExW.ADVAPI32 ref: 01271BD8
                                  • Part of subcall function 01271A50: RegQueryValueExW.ADVAPI32(?,Source,00000000,?,?,00000040), ref: 01271BFD
                                  • Part of subcall function 01271A50: lstrlenW.KERNEL32(?), ref: 01271C27
                                  • Part of subcall function 01271A50: RegSetValueExW.ADVAPI32 ref: 01271C5C
                                  • Part of subcall function 01271A50: RegCloseKey.ADVAPI32(?), ref: 01271C65
                                • _memset.LIBCMT ref: 0127389A
                                  • Part of subcall function 01273E60: _memset.LIBCMT ref: 01273E8D
                                  • Part of subcall function 01273E60: GetModuleHandleW.KERNEL32(00000000,?,00000104), ref: 01273EA3
                                  • Part of subcall function 01273E60: GetModuleFileNameW.KERNEL32(00000000), ref: 01273EAA
                                  • Part of subcall function 01273E60: _wcsrchr.LIBCMT ref: 01273EB9
                                  • Part of subcall function 01273E60: _wcsncpy.LIBCMT ref: 01273ED7
                                • _memset.LIBCMT ref: 012738C6
                                • _memset.LIBCMT ref: 012738E1
                                  • Part of subcall function 01271230: __vswprintf_c_l.LIBCMT ref: 01271242
                                • PathFileExistsW.SHLWAPI(?), ref: 01273930
                                • PathFileExistsW.SHLWAPI(?), ref: 01273941
                                • _memset.LIBCMT ref: 0127396B
                                • DeleteFileW.KERNEL32(?), ref: 01273997
                                • _memset.LIBCMT ref: 012739B3
                                • GetPrivateProfileStringW.KERNEL32(FileToPatch,SourceDir,0138E210,?,00000184,?), ref: 012739DD
                                  • Part of subcall function 01272650: FindFirstFileW.KERNEL32(?,?), ref: 01272671
                                  • Part of subcall function 01272650: FindClose.KERNEL32(00000000), ref: 0127268B
                                  • Part of subcall function 01271280: _memset.LIBCMT ref: 0127128E
                                  • Part of subcall function 01271280: ShellExecuteExW.SHELL32(?), ref: 012712CF
                                  • Part of subcall function 01271280: WaitForSingleObject.KERNEL32(?,000000FF), ref: 012712E3
                                  • Part of subcall function 01271280: CloseHandle.KERNEL32(?), ref: 012712ED
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01271D10: RegOpenKeyExW.ADVAPI32 ref: 01271D3F
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,SelfUpdating,00000000,?,?,?), ref: 01271D75
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,Frequency,00000000,?,?,000000C8), ref: 01271DB1
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,LastUpdateTime,00000000,?,?,00000004), ref: 01271DF0
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,Critical_Update,00000000,?,?,00000004), ref: 01271E2F
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,Recommended_Update,00000000,?,?,00000004), ref: 01271E6E
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,Day,00000000,?,?,00000004), ref: 01271EAD
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,Time,00000000,?,?,00000004), ref: 01271EEC
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,TotalItemCount,00000000,?,?,00000004), ref: 01271F2B
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,UpdateCount,00000000,?,?,00000004), ref: 01271F6A
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,SelectCount,00000000,?,?,00000004), ref: 01271FA9
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,Mode,00000000,?,?,00000004), ref: 01271FEE
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,SelfUpdtPath,00000000,?,?,00000004), ref: 0127203A
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,Source,00000000,?,?,00000800), ref: 01272076
                                  • Part of subcall function 01271D10: RegQueryValueExW.ADVAPI32(00000000,UIMode,00000000,?,?,00000800), ref: 012720B2
                                  • Part of subcall function 01271D10: RegCloseKey.ADVAPI32(00000000), ref: 012720C9
                                  • Part of subcall function 012732A0: RegOpenKeyExW.KERNEL32 ref: 012732EE
                                  • Part of subcall function 012732A0: _memset.LIBCMT ref: 01273313
                                  • Part of subcall function 012732A0: RegFlushKey.ADVAPI32 ref: 0127332C
                                  • Part of subcall function 012732A0: RegQueryValueExW.ADVAPI32(?,SelfUpdating,00000000,?,?,00000040), ref: 01273357
                                  • Part of subcall function 012732A0: lstrlenW.KERNEL32(?,?,?), ref: 01273389
                                  • Part of subcall function 012732A0: _memset.LIBCMT ref: 012733AD
                                  • Part of subcall function 012732A0: RegQueryValueExW.ADVAPI32(?,SelfUpdtPath,00000000,?,?,?), ref: 01273405
                                  • Part of subcall function 012732A0: Sleep.KERNEL32(00000BB8,?,?,?,SelfUpdating key length > 0,?,00000000,000007FE,?,?), ref: 0127344C
                                  • Part of subcall function 012732A0: _memset.LIBCMT ref: 01273468
                                  • Part of subcall function 012732A0: _memset.LIBCMT ref: 01273483
                                  • Part of subcall function 012732A0: GetTempPathW.KERNEL32(00000104,?), ref: 01273497
                                  • Part of subcall function 012732A0: DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,SelfUpdating key length > 0,?,00000000), ref: 012734C0
                                  • Part of subcall function 012732A0: SHDeleteValueW.SHLWAPI(80000002,SOFTWARE\ASUS\ASUS Live Update,SelfUpdtPath), ref: 012734D5
                                  • Part of subcall function 012732A0: _memset.LIBCMT ref: 0127354D
                                  • Part of subcall function 012732A0: GetModuleFileNameW.KERNEL32(00000000,?,00000400,?,?,?,?,?,?,?,?,SelfUpdating key length > 0,?,00000000,000007FE), ref: 01273563
                                  • Part of subcall function 012732A0: _wcsrchr.LIBCMT ref: 01273572
                                  • Part of subcall function 012732A0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,SelfUpdating key length > 0,?,00000000), ref: 0127359E
                                  • Part of subcall function 012732A0: RegSetValueExW.ADVAPI32 ref: 012735BE
                                  • Part of subcall function 012732A0: RegCloseKey.ADVAPI32(?), ref: 01273600
                                  • Part of subcall function 012732A0: GetCurrentProcessId.KERNEL32(?), ref: 0127361B
                                  • Part of subcall function 012732A0: _memset.LIBCMT ref: 0127365C
                                  • Part of subcall function 012732A0: _memset.LIBCMT ref: 01273677
                                  • Part of subcall function 012732A0: GetTempPathW.KERNEL32(00000104,?), ref: 0127368B
                                  • Part of subcall function 012732A0: ShellExecuteW.SHELL32(00000000,open,selfupdt.exe,00000000,?,00000000), ref: 012736FE
                                  • Part of subcall function 01272F00: RegOpenKeyExW.KERNEL32 ref: 01272F4E
                                  • Part of subcall function 01272F00: _memset.LIBCMT ref: 01272F73
                                  • Part of subcall function 01272F00: _memset.LIBCMT ref: 01272F8E
                                  • Part of subcall function 01272F00: RegEnumKeyExW.KERNEL32 ref: 01272FCE
                                  • Part of subcall function 01272F00: _memset.LIBCMT ref: 01273019
                                  • Part of subcall function 01272F00: wsprintfW.USER32 ref: 01273031
                                  • Part of subcall function 01272F00: RegOpenKeyExW.KERNEL32 ref: 01273050
                                  • Part of subcall function 01272F00: RegQueryValueExW.KERNEL32 ref: 01273090
                                  • Part of subcall function 01272F00: lstrcmpiW.KERNEL32(?,ASUS Live Updata), ref: 012730C0
                                  • Part of subcall function 01272F00: _memset.LIBCMT ref: 012730F7
                                  • Part of subcall function 01272F00: RegQueryValueExW.ADVAPI32 ref: 01273128
                                  • Part of subcall function 01272F00: RegOpenKeyExW.ADVAPI32 ref: 01273155
                                  • Part of subcall function 01272F00: _memset.LIBCMT ref: 01273179
                                  • Part of subcall function 01272F00: lstrcpyW.KERNEL32 ref: 01273194
                                  • Part of subcall function 01272F00: RegEnumKeyExW.ADVAPI32 ref: 012731BA
                                  • Part of subcall function 01272F00: lstrcmpW.KERNEL32(?,?), ref: 012731CC
                                  • Part of subcall function 01272F00: lstrcpynW.KERNEL32(?,?,0000003B), ref: 012731E3
                                  • Part of subcall function 01272F00: RegEnumKeyExW.ADVAPI32 ref: 01273213
                                  • Part of subcall function 01272F00: RegCloseKey.ADVAPI32(?), ref: 01273220
                                  • Part of subcall function 01272F00: RegCloseKey.ADVAPI32(?), ref: 0127323C
                                  • Part of subcall function 01272F00: RegEnumKeyExW.KERNEL32 ref: 01273268
                                  • Part of subcall function 01272F00: RegCloseKey.ADVAPI32(?), ref: 01273279
                                • _memset.LIBCMT ref: 01273B0D
                                  • Part of subcall function 01271C80: RegOpenKeyExW.ADVAPI32 ref: 01271C9D
                                  • Part of subcall function 01271C80: RegQueryValueExW.ADVAPI32(00000000,InstallLocation,00000000,?,?,?), ref: 01271CC5
                                  • Part of subcall function 01271C80: RegCloseKey.ADVAPI32(00000000), ref: 01271CD8
                                  • Part of subcall function 01271C80: RegCloseKey.ADVAPI32(00000000), ref: 01271CF7
                                  • Part of subcall function 01271000: _memset.LIBCMT ref: 0127103B
                                  • Part of subcall function 01271000: __wcsdup.LIBCMT ref: 01271055
                                  • Part of subcall function 01271000: _wcstok.LIBCMT ref: 0127107D
                                  • Part of subcall function 01271000: __fassign.LIBCMT ref: 0127109C
                                  • Part of subcall function 01271000: _wcstok.LIBCMT ref: 012710B6
                                  • Part of subcall function 01271000: _free.LIBCMT ref: 012710C3
                                • _memset.LIBCMT ref: 01273B9F
                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 01273BB3
                                • lstrcatW.KERNEL32(?,\system32), ref: 01273BC5
                                  • Part of subcall function 01271120: _memset.LIBCMT ref: 01271130
                                  • Part of subcall function 01271120: ShellExecuteExW.SHELL32(?), ref: 01271170
                                  • Part of subcall function 01271120: WaitForSingleObject.KERNEL32(?,00000064), ref: 0127118C
                                  • Part of subcall function 01271120: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 012711C2
                                  • Part of subcall function 01271120: TranslateMessage.USER32 ref: 012711CC
                                  • Part of subcall function 01271120: DispatchMessageW.USER32 ref: 012711D2
                                  • Part of subcall function 01271120: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 012711E0
                                  • Part of subcall function 01271120: WaitForSingleObject.KERNEL32(?,00000064), ref: 012711EF
                                  • Part of subcall function 01271120: TerminateProcess.KERNEL32(?,00000000), ref: 01271208
                                  • Part of subcall function 01271120: CloseHandle.KERNEL32(?), ref: 01271214
                                  • Part of subcall function 012720E0: RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Asus\ASUS Live Update,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 01272108
                                  • Part of subcall function 012720E0: RegSetValueExW.ADVAPI32 ref: 01272133
                                  • Part of subcall function 012720E0: RegSetValueExW.ADVAPI32 ref: 0127215B
                                  • Part of subcall function 012720E0: RegSetValueExW.ADVAPI32 ref: 01272183
                                  • Part of subcall function 012720E0: RegSetValueExW.ADVAPI32 ref: 012721AB
                                  • Part of subcall function 012720E0: RegSetValueExW.ADVAPI32 ref: 012721D3
                                  • Part of subcall function 012720E0: RegSetValueExW.ADVAPI32 ref: 012721EB
                                  • Part of subcall function 01273EF0: _memset.LIBCMT ref: 01273F1D
                                  • Part of subcall function 01273EF0: FindFirstFileW.KERNEL32(?,?,?,?,7633E061,?,?,?), ref: 01273F8A
                                  • Part of subcall function 01273EF0: _memset.LIBCMT ref: 01273FD6
                                  • Part of subcall function 01273EF0: _memset.LIBCMT ref: 01273FF1
                                  • Part of subcall function 01273EF0: AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0127402A
                                  • Part of subcall function 01273EF0: LookupAccountSidW.ADVAPI32(00000000,00000000,?,?,?,?,?), ref: 01274060
                                  • Part of subcall function 01273EF0: FreeSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,7633E061,?,?,?), ref: 0127406D
                                  • Part of subcall function 01273EF0: SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,7633E061), ref: 012740EC
                                  • Part of subcall function 01273EF0: DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0127415B
                                  • Part of subcall function 01273EF0: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 01274169
                                  • Part of subcall function 01273EF0: FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 01274178
                                  • Part of subcall function 01273EF0: SetFileAttributesW.KERNEL32(01272D89,?,?,?,?,?,?,?,?,?), ref: 0127418D
                                  • Part of subcall function 01273EF0: RemoveDirectoryW.KERNEL32(01272D89,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012741AB
                                  • Part of subcall function 01272530: _memcpy_s.LIBCMT ref: 0127258F
                                  • Part of subcall function 01272B00: _memset.LIBCMT ref: 01272B49
                                  • Part of subcall function 01272B00: _memset.LIBCMT ref: 01272B64
                                  • Part of subcall function 01272B00: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000017,00000000), ref: 01272B77
                                  • Part of subcall function 01272B00: wsprintfW.USER32 ref: 01272B9E
                                  • Part of subcall function 01272B00: FindFirstFileW.KERNEL32(?,?), ref: 01272BB1
                                  • Part of subcall function 01272B00: wsprintfW.USER32 ref: 01272BE0
                                  • Part of subcall function 01272B00: CoInitialize.OLE32(00000000), ref: 01272BE6
                                  • Part of subcall function 01272B00: CoCreateInstance.OLE32(013B6A44,00000000,00000001,013B69D4,?), ref: 01272C36
                                  • Part of subcall function 01272B00: _wcsnlen.LIBCMT ref: 01272CDC
                                  • Part of subcall function 01272B00: GetCurrentProcessId.KERNEL32 ref: 01272D3D
                                  • Part of subcall function 01272B00: EnumWindows.USER32(Function_00001700,00000000), ref: 01272D4F
                                  • Part of subcall function 01272B00: SHDeleteValueW.SHLWAPI(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ASUS Live Updata), ref: 01272D77
                                  • Part of subcall function 01272B00: CoUninitialize.OLE32 ref: 01272DA2
                                  • Part of subcall function 01272B00: DeleteFileW.KERNEL32(?), ref: 01272DAF
                                  • Part of subcall function 01272B00: wsprintfW.USER32 ref: 01272DC8
                                  • Part of subcall function 01272B00: RemoveDirectoryW.KERNEL32(?), ref: 01272DDA
                                  • Part of subcall function 01272B00: wsprintfW.USER32 ref: 01272DEF
                                  • Part of subcall function 01272B00: RemoveDirectoryW.KERNEL32(?), ref: 01272DFB
                                  • Part of subcall function 01272B00: FindClose.KERNEL32(?), ref: 01272E04
                                  • Part of subcall function 01272B00: SHDeleteKeyW.SHLWAPI(80000002,?), ref: 01272E4F
                                  • Part of subcall function 01272B00: SHDeleteKeyW.SHLWAPI(80000002,SOFTWARE\Asus\ASUS Live Update), ref: 01272E5B
                                • GetModuleFileNameW.KERNEL32(00000000,00000010,00000400), ref: 01273CA9
                                • _wcsnlen.LIBCMT ref: 01273CB4
                                • _wcsrchr.LIBCMT ref: 01273CD9
                                • GetVersion.KERNEL32 ref: 01273D36
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Value$_memset$Query$File$Close$Delete$FindOpen$EnumPathProcesswsprintf$DirectoryExecuteMessageModuleShelllstrlen$CurrentFirstHandleNameObjectRemoveSingleWait_wcsrchr$AttributesCreateExceptionExistsFilterFlushInitializePeekStringTempTerminateUnhandledWindows_wcsnlen_wcstok$AccountAllocateDebugDebuggerDispatchFolderFreeInstanceLookupNextOutputPresentPrivateProfileSleepSpecialTranslateUninitializeVersion__fassign__swprintf__vswprintf__vswprintf_c_l__wcsdup_free_memcpy_s_wcsncpylstrcatlstrcmplstrcmpilstrcpylstrcpyn
                                • String ID: %s..\..\log.xml$%s\data\419.msi$%s\data_win8\419.msi$%spatch.exe$%spatch.ini$/uninstall {FA540E67-095C-4A1B-97BA-4D547DEC9AF4} /qn /norestart$3.0.0$<Patch>Found patch.exe & patch.ini$<Patch>Found patched files$FileToPatch$Install new version$Need to remove previous version$Self updating in process. Quit now.$SourceDir$Start MSIStarter$Try to launch %s$\system32$msiexec.exe$open
                                • API String ID: 1894909544-3078690184
                                • Opcode ID: a7c0d5039be6448f239bd6cbd376b7b1e89bdd9ae4f350f1d65de3b930b20455
                                • Instruction ID: a080591afbc8fabbb8e9fea0666279341a940cc87cb03b86c5dc61dbe184ad8a
                                • Opcode Fuzzy Hash: a7c0d5039be6448f239bd6cbd376b7b1e89bdd9ae4f350f1d65de3b930b20455
                                • Instruction Fuzzy Hash: 8F02EAB1A202169FDB14EB69CC41FEFB3B8FF54314F0446ACE615A7291EB719A40CB91
                                Uniqueness

                                Uniqueness Score: 100.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 148 12732a0-12732f6 call 1368890 RegOpenKeyExW 151 1273716-1273733 call 1367d3e 148->151 152 12732fc-1273361 call 1271680 _memset RegFlushKey RegQueryValueExW 148->152 157 1273367-127336e 152->157 158 12735f9-1273608 RegCloseKey 152->158 157->158 159 1273374-1273391 call 1271680 lstrlenW 157->159 158->151 160 127360e-127362d call 1271680 GetCurrentProcessId 158->160 159->158 167 1273397-12733da _memset call 1271680 call 1271000 159->167 165 1273646-12736d8 _memset * 2 GetTempPathW call 1271230 call 1271680 call 1271810 160->165 166 127362f-1273643 call 1271680 call 1274240 160->166 165->151 187 12736da-1273707 call 1271680 ShellExecuteW 165->187 166->165 181 12733e2-1273409 RegQueryValueExW 167->181 182 12733dc 167->182 184 12734e0-1273526 call 1271680 call 12725e0 * 2 call 1272f00 181->184 185 127340f-1273416 181->185 182->181 208 1273532-127357c _memset GetModuleFileNameW _wcsrchr 184->208 209 1273528-127352d 184->209 185->184 188 127341c-1273422 185->188 187->151 195 1273709-1273713 call 1271680 187->195 191 1273425-127342e 188->191 191->191 192 1273430-1273434 191->192 192->184 196 127343a-12734db call 1271680 Sleep _memset * 2 GetTempPathW call 1271230 DeleteFileW SHDeleteValueW 192->196 195->151 196->158 211 1273583-12735c6 call 1271680 lstrlenW RegSetValueExW 208->211 212 127357e-1273580 208->212 210 12735d4-12735f4 call 1271680 call 1272440 * 2 209->210 210->158 217 12735cf 211->217 218 12735c8-12735cd 211->218 212->211 217->210 218->210
                                C-Code - Quality: 67%
                                			E012732A0() {
                                				int _v8;
                                				char _v16;
                                				signed int _v20;
                                				char _v82;
                                				short _v84;
                                				char _v602;
                                				short _v604;
                                				char _v1122;
                                				short _v1124;
                                				char _v3174;
                                				char _v3176;
                                				char _v5222;
                                				char _v5224;
                                				void* _v5228;
                                				int _v5232;
                                				int _v5236;
                                				int* _v5240;
                                				char _v5244;
                                				char _v5248;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t70;
                                				signed int _t71;
                                				long _t74;
                                				long _t82;
                                				long _t86;
                                				intOrPtr _t107;
                                				long _t113;
                                				long _t118;
                                				int _t121;
                                				long _t123;
                                				intOrPtr* _t127;
                                				int _t141;
                                				void* _t142;
                                				intOrPtr _t164;
                                				void* _t176;
                                				void* _t180;
                                				void* _t181;
                                				void* _t183;
                                				void* _t184;
                                				signed int _t186;
                                				void* _t187;
                                				void* _t188;
                                				void* _t189;
                                				void* _t194;
                                				void* _t196;
                                				void* _t198;
                                
                                				_push(0xffffffff);
                                				_push(0x137ea86);
                                				_push( *[fs:0x0]);
                                				E01368890(0x1470);
                                				_t70 =  *0x13d3570; // 0x99b5b578
                                				_t71 = _t70 ^ _t186;
                                				_v20 = _t71;
                                				_push(_t183);
                                				_push(_t180);
                                				_push(_t71);
                                				 *[fs:0x0] =  &_v16;
                                				_t141 = 0;
                                				_v5240 = 0;
                                				_t74 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\ASUS\\ASUS Live Update", 0, 3,  &_v5228); // executed
                                				if(_t74 != 0) {
                                					L26:
                                					 *[fs:0x0] = _v16;
                                					_pop(_t181);
                                					_pop(_t184);
                                					_pop(_t142);
                                					return L01367D3E(_t141, _t142, _v20 ^ _t186, _t166, _t181, _t184);
                                				}
                                				_push(L"opened SOFTWARE\\ASUS\\ASUS Live Update\n");
                                				E01271680(0, _t180, _t183);
                                				_v84 = 0;
                                				L01367D50( &_v82, 0, 0x3e);
                                				_t188 = _t187 + 0x10;
                                				_v5236 = 0x40;
                                				RegFlushKey(_v5228);
                                				_t185 = RegQueryValueExW;
                                				_t149 = _v5228;
                                				_t166 =  &_v84;
                                				_t82 = RegQueryValueExW(_v5228, L"SelfUpdating", 0,  &_v5232,  &_v84,  &_v5236);
                                				_t182 = GetTempPathW;
                                				if(_t82 != 0 || _v5232 != 1) {
                                					L20:
                                					RegCloseKey(_v5228);
                                					if(_t141 != 0) {
                                						_push(L"blSelfUpdateRequest = true\n");
                                						E01271680(_t141, _t182, _t185);
                                						_t189 = _t188 + 4;
                                						_t86 = GetCurrentProcessId();
                                						_t211 = _v5240 - 1;
                                						 *0x13d4f00 = _t86;
                                						if(_v5240 == 1) {
                                							_push(L"Current version less than 3.3.4\n");
                                							E01271680(_t141, _t182, _t185);
                                							E01274240(_t149, _t182, _t211, L"LiveUpdate.exe ALU.exe LiveUpdt.exe");
                                							_t189 = _t189 + 8;
                                						}
                                						_v1124 = 0;
                                						L01367D50( &_v1122, 0, 0x206);
                                						_v604 = 0;
                                						L01367D50( &_v602, 0, 0x206);
                                						GetTempPathW(0x104,  &_v1124);
                                						L01271230(0x104,  &_v604, L"%sselfupdt.exe",  &_v1124);
                                						_t166 =  &_v604;
                                						E01271680(_t141, _t182, _t185, L"Path to save: %s\n",  &_v604);
                                						if(L01271810(_t211, 0,  &_v604, 0x88, L"EXE") != 0) {
                                							_push(L"ExtractFile OK!\n");
                                							E01271680(_t141, _t182, _t185);
                                							if(ShellExecuteW(0, L"open", L"selfupdt.exe", 0,  &_v1124, 0) > 0x20) {
                                								_push(L"ShellExecute OK!\n");
                                								E01271680(_t141, _t182, _t185);
                                							}
                                						}
                                					}
                                					goto L26;
                                				} else {
                                					_t166 =  &_v84;
                                					E01271680(0, GetTempPathW, RegQueryValueExW, L"Detected SelfUpdating registry key, content = %s\n",  &_v84);
                                					_t188 = _t188 + 8;
                                					if(lstrlenW( &_v84) > 0) {
                                						_v5224 = 0;
                                						L01367D50( &_v5222, 0, 0x7fe);
                                						_push(L"SelfUpdating key length > 0\n");
                                						_v5236 = 0x800;
                                						E01271680(0, GetTempPathW, RegQueryValueExW);
                                						_t107 = L01271000(0,  &_v84, L"3.3.4");
                                						_t194 = _t188 + 0x18;
                                						if(_t107 == 1) {
                                							_v5240 = _t107;
                                						}
                                						if(RegQueryValueExW(_v5228, L"SelfUpdtPath", 0,  &_v5232,  &_v5224,  &_v5236) != 0 || _v5232 != 1) {
                                							L12:
                                							_push(L"SelfUpdtPath registry key not existed\n");
                                							E01271680(_t141, _t182, _t185);
                                							E012725E0( &_v5248);
                                							_v8 = 0;
                                							E012725E0( &_v5244);
                                							_v8 = 1;
                                							_t113 = E01272F00(__eflags,  &_v5248,  &_v5244);
                                							_t196 = _t194 + 0xc;
                                							__eflags = _t113;
                                							if(_t113 != 0) {
                                								_t141 = 1;
                                								_v3176 = 0;
                                								L01367D50( &_v3174, 0, 0x800);
                                								GetModuleFileNameW(0,  &_v3176, 0x400);
                                								_t118 = L01367DCA( &_v3176, 0x5c);
                                								_t198 = _t196 + 0x14;
                                								__eflags = _t118;
                                								if(_t118 != 0) {
                                									__eflags = 0;
                                									 *_t118 = 0;
                                								}
                                								E01271680(_t141, _t182, _t185, L"Data to write to registry as SelfUpdtPath key: %s\n",  &_v3176);
                                								_t196 = _t198 + 8;
                                								_t121 = lstrlenW( &_v3176);
                                								_t166 = _v5228;
                                								_t123 = RegSetValueExW(_v5228, L"SelfUpdtPath", 0, 1,  &_v3176, _t121 + _t121);
                                								__eflags = _t123;
                                								if(_t123 != 0) {
                                									_push(L"Failed to set SelfUpdtPath registry key\n");
                                								} else {
                                									_push(L"Set SelfUpdtPath registry key\n");
                                								}
                                							} else {
                                								_push(L"Unable to find previous version. Go normal setup\n");
                                							}
                                							E01271680(_t141, _t182, _t185);
                                							_t188 = _t196 + 4;
                                							E01272440( &_v5244, _t166);
                                							_t149 =  &_v5248;
                                							_v8 = 0xffffffff;
                                							E01272440( &_v5248, _t166);
                                						} else {
                                							_t127 =  &_v5224;
                                							_t176 = _t127 + 2;
                                							do {
                                								_t164 =  *_t127;
                                								_t127 = _t127 + 2;
                                							} while (_t164 != 0);
                                							if(_t127 == _t176) {
                                								goto L12;
                                							}
                                							_push(L"SelfUpdtPath registry key existed, try to delete selfupdt.exe\n");
                                							E01271680(_t141, _t182, _t185);
                                							Sleep(0xbb8);
                                							_v1124 = 0;
                                							L01367D50( &_v1122, 0, 0x206);
                                							_v604 = 0;
                                							L01367D50( &_v602, 0, 0x206);
                                							GetTempPathW(0x104,  &_v1124);
                                							_t149 =  &_v1124;
                                							_t166 = 0x104;
                                							L01271230(0x104,  &_v604, L"%sselfupdt.exe",  &_v1124);
                                							_t188 = _t194 + 0x28;
                                							DeleteFileW( &_v604);
                                							SHDeleteValueW(0x80000002, L"SOFTWARE\\ASUS\\ASUS Live Update", L"SelfUpdtPath");
                                						}
                                					}
                                					goto L20;
                                				}
                                			}

                                APIs
                                • RegOpenKeyExW.KERNEL32 ref: 012732EE
                                • _memset.LIBCMT ref: 01273313
                                • RegFlushKey.ADVAPI32 ref: 0127332C
                                • RegQueryValueExW.ADVAPI32(?,SelfUpdating,00000000,?,?,00000040), ref: 01273357
                                • lstrlenW.KERNEL32(?,?,?), ref: 01273389
                                • _memset.LIBCMT ref: 012733AD
                                  • Part of subcall function 01271000: _memset.LIBCMT ref: 0127103B
                                  • Part of subcall function 01271000: __wcsdup.LIBCMT ref: 01271055
                                  • Part of subcall function 01271000: _wcstok.LIBCMT ref: 0127107D
                                  • Part of subcall function 01271000: __fassign.LIBCMT ref: 0127109C
                                  • Part of subcall function 01271000: _wcstok.LIBCMT ref: 012710B6
                                  • Part of subcall function 01271000: _free.LIBCMT ref: 012710C3
                                • RegQueryValueExW.ADVAPI32(?,SelfUpdtPath,00000000,?,?,?), ref: 01273405
                                • Sleep.KERNEL32(00000BB8,?,?,?,SelfUpdating key length > 0,?,00000000,000007FE,?,?), ref: 0127344C
                                • _memset.LIBCMT ref: 01273468
                                • _memset.LIBCMT ref: 01273483
                                • GetTempPathW.KERNEL32(00000104,?), ref: 01273497
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,SelfUpdating key length > 0,?,00000000), ref: 012734C0
                                • SHDeleteValueW.SHLWAPI(80000002,SOFTWARE\ASUS\ASUS Live Update,SelfUpdtPath), ref: 012734D5
                                  • Part of subcall function 01272F00: RegOpenKeyExW.KERNEL32 ref: 01272F4E
                                  • Part of subcall function 01272F00: _memset.LIBCMT ref: 01272F73
                                  • Part of subcall function 01272F00: _memset.LIBCMT ref: 01272F8E
                                  • Part of subcall function 01272F00: RegEnumKeyExW.KERNEL32 ref: 01272FCE
                                  • Part of subcall function 01272F00: _memset.LIBCMT ref: 01273019
                                  • Part of subcall function 01272F00: wsprintfW.USER32 ref: 01273031
                                  • Part of subcall function 01272F00: RegOpenKeyExW.KERNEL32 ref: 01273050
                                  • Part of subcall function 01272F00: RegQueryValueExW.KERNEL32 ref: 01273090
                                  • Part of subcall function 01272F00: lstrcmpiW.KERNEL32(?,ASUS Live Updata), ref: 012730C0
                                  • Part of subcall function 01272F00: _memset.LIBCMT ref: 012730F7
                                  • Part of subcall function 01272F00: RegQueryValueExW.ADVAPI32 ref: 01273128
                                  • Part of subcall function 01272F00: RegOpenKeyExW.ADVAPI32 ref: 01273155
                                  • Part of subcall function 01272F00: _memset.LIBCMT ref: 01273179
                                  • Part of subcall function 01272F00: lstrcpyW.KERNEL32 ref: 01273194
                                  • Part of subcall function 01272F00: RegEnumKeyExW.ADVAPI32 ref: 012731BA
                                  • Part of subcall function 01272F00: lstrcmpW.KERNEL32(?,?), ref: 012731CC
                                  • Part of subcall function 01272F00: lstrcpynW.KERNEL32(?,?,0000003B), ref: 012731E3
                                  • Part of subcall function 01272F00: RegEnumKeyExW.ADVAPI32 ref: 01273213
                                  • Part of subcall function 01272F00: RegCloseKey.ADVAPI32(?), ref: 01273220
                                  • Part of subcall function 01272F00: RegCloseKey.ADVAPI32(?), ref: 0127323C
                                  • Part of subcall function 01272F00: RegEnumKeyExW.KERNEL32 ref: 01273268
                                  • Part of subcall function 01272F00: RegCloseKey.ADVAPI32(?), ref: 01273279
                                • _memset.LIBCMT ref: 0127354D
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000400,?,?,?,?,?,?,?,?,SelfUpdating key length > 0,?,00000000,000007FE), ref: 01273563
                                • _wcsrchr.LIBCMT ref: 01273572
                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,SelfUpdating key length > 0,?,00000000), ref: 0127359E
                                • RegSetValueExW.ADVAPI32 ref: 012735BE
                                • RegCloseKey.ADVAPI32(?), ref: 01273600
                                • GetCurrentProcessId.KERNEL32(?), ref: 0127361B
                                • ShellExecuteW.SHELL32(00000000,open,selfupdt.exe,00000000,?,00000000), ref: 012736FE
                                  • Part of subcall function 01274240: _memset.LIBCMT ref: 01274271
                                  • Part of subcall function 01274240: __wcsdup.LIBCMT ref: 01274288
                                  • Part of subcall function 01274240: EnumProcesses.PSAPI(?,00001000,?), ref: 012742BC
                                  • Part of subcall function 01274240: _memset.LIBCMT ref: 01274346
                                  • Part of subcall function 01274240: OpenProcess.KERNEL32(00000411,00000000,?,?,00001000,?), ref: 01274355
                                  • Part of subcall function 01274240: EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 01274382
                                  • Part of subcall function 01274240: GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 0127439F
                                  • Part of subcall function 01274240: TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000004,?), ref: 012743F9
                                  • Part of subcall function 01274240: CloseHandle.KERNEL32(00000000), ref: 01274418
                                  • Part of subcall function 01274240: _free.LIBCMT ref: 01274434
                                  • Part of subcall function 01274240: CloseHandle.KERNEL32(00000000), ref: 01274462
                                • _memset.LIBCMT ref: 0127365C
                                • _memset.LIBCMT ref: 01273677
                                • GetTempPathW.KERNEL32(00000104,?), ref: 0127368B
                                  • Part of subcall function 01271230: __vswprintf_c_l.LIBCMT ref: 01271242
                                  • Part of subcall function 01271810: FindResourceW.KERNEL32(00000000,?,?), ref: 0127187B
                                  • Part of subcall function 01271810: LoadResource.KERNEL32(00000000,00000000), ref: 0127189A
                                  • Part of subcall function 01271810: LockResource.KERNEL32(00000000), ref: 012718BB
                                  • Part of subcall function 01271810: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 012718EF
                                  • Part of subcall function 01271810: SizeofResource.KERNEL32(00000000,00000000,00000000,00000000), ref: 01271904
                                  • Part of subcall function 01271810: WriteFile.KERNEL32(00000000,?,00000000), ref: 01271910
                                  • Part of subcall function 01271810: CloseHandle.KERNEL32(00000000), ref: 0127192C
                                  • Part of subcall function 01271810: FreeResource.KERNEL32(?), ref: 0127193D
                                  • Part of subcall function 01271810: FreeResource.KERNEL32(?), ref: 01271962
                                  • Part of subcall function 01271810: FreeResource.KERNEL32(00000000), ref: 01271980
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01271680: _memset.LIBCMT ref: 012716A9
                                  • Part of subcall function 01271680: __swprintf.LIBCMT ref: 012716BA
                                  • Part of subcall function 01271680: __vswprintf.LIBCMT ref: 012716CF
                                  • Part of subcall function 01271680: OutputDebugStringW.KERNEL32(?), ref: 012716DE
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: _memset$CloseResource$EnumProcessValue$Open$FileQuery$FreeHandle$CurrentDeleteExceptionFilterModuleNamePathTempTerminateUnhandled__wcsdup_free_wcstoklstrlen$BaseCreateDebugDebuggerExecuteFindFlushLoadLockModulesOutputPresentProcessesShellSizeofSleepStringWrite__fassign__swprintf__vswprintf__vswprintf_c_l_wcsrchrlstrcmplstrcmpilstrcpylstrcpynwsprintf
                                • String ID: %sselfupdt.exe$3.3.4$@$Current version less than 3.3.4$Data to write to registry as SelfUpdtPath key: %s$Detected SelfUpdating registry key, content = %s$EXE$ExtractFile OK!$Failed to set SelfUpdtPath registry key$LiveUpdate.exe ALU.exe LiveUpdt.exe$Path to save: %s$SOFTWARE\ASUS\ASUS Live Update$SelfUpdating$SelfUpdating key length > 0$SelfUpdtPath$SelfUpdtPath registry key existed, try to delete selfupdt.exe$SelfUpdtPath registry key not existed$Set SelfUpdtPath registry key$ShellExecute OK!$Unable to find previous version. Go normal setup$blSelfUpdateRequest = true$open$opened SOFTWARE\ASUS\ASUS Live Update$selfupdt.exe
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 95%
                                			E01272F00(void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
                                				signed int _v8;
                                				char _v66;
                                				short _v68;
                                				char _v266;
                                				short _v268;
                                				char _v786;
                                				short _v788;
                                				char _v2834;
                                				short _v2836;
                                				char _v4882;
                                				short _v4884;
                                				void* _v4888;
                                				void* _v4892;
                                				void* _v4896;
                                				int _v4900;
                                				int _v4904;
                                				intOrPtr* _v4908;
                                				int _v4912;
                                				int _v4916;
                                				int* _v4920;
                                				intOrPtr _v4924;
                                				int _v4928;
                                				struct _FILETIME _v4936;
                                				struct _FILETIME _v4944;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t83;
                                				long _t87;
                                				long _t96;
                                				long _t102;
                                				long _t105;
                                				long _t107;
                                				int _t109;
                                				long _t116;
                                				void* _t130;
                                				int _t174;
                                				signed int _t176;
                                				void* _t177;
                                				void* _t178;
                                
                                				E01368890(0x134c);
                                				_t83 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t83 ^ _t176;
                                				_t173 = _a4;
                                				_v4908 = _a4;
                                				_v4924 = _a8;
                                				E01272460(_t173);
                                				_v4892 = 0;
                                				_t87 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 8,  &_v4892); // executed
                                				if(_t87 == 0) {
                                					_push(_t130);
                                					_v268 = 0;
                                					L01367D50( &_v266, 0, 0xc6);
                                					_v2836 = 0;
                                					L01367D50( &_v2834, 0, 0x7fe);
                                					_t178 = _t177 + 0x18;
                                					_v4900 = 0x800;
                                					_v4920 = 0;
                                					_t174 = 0; // executed
                                					_t96 = RegEnumKeyExW(_v4892, 0,  &_v2836,  &_v4900, 0, 0, 0,  &_v4944); // executed
                                					if(_t96 == 0) {
                                						while(1) {
                                							_t174 = _t174 + 1;
                                							_v4928 = _t174;
                                							if(_v4920 != 0) {
                                								goto L20;
                                							}
                                							_v4900 = 0x800;
                                							_v4888 = 0;
                                							_v4884 = 0;
                                							L01367D50( &_v4882, 0, 0x7fe);
                                							wsprintfW( &_v4884, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\%s",  &_v2836);
                                							_t178 = _t178 + 0x18;
                                							_t102 = RegOpenKeyExW(0x80000002,  &_v4884, 0, 1,  &_v4888); // executed
                                							if(_t102 == 0) {
                                								_t175 = RegQueryValueExW;
                                								_v4904 = 0xc8;
                                								_t107 = RegQueryValueExW(_v4888, L"DisplayName", 0,  &_v4916,  &_v268,  &_v4904); // executed
                                								if(_t107 == 0 && _v4916 == 1 && _v268 != 0) {
                                									_t109 = lstrcmpiW( &_v268, L"ASUS Live Updata"); // executed
                                									if(_t109 == 0) {
                                										_v4920 = 1;
                                										E01272EB0(_v4924, RegQueryValueExW,  &_v4884);
                                										_v68 = 0;
                                										L01367D50( &_v66, 0, 0x3a);
                                										_t178 = _t178 + 0xc;
                                										_v4904 = 0x3c;
                                										if(RegQueryValueExW(_v4888, L"DisplayVersion", 0,  &_v4916,  &_v68,  &_v4904) != 0 || _v4916 != 1) {
                                											_v4896 = 0;
                                											_t116 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Asus\\ASUS Live Update", 0, 8,  &_v4896);
                                											if(_t116 == 0) {
                                												_t175 = 0;
                                												_v788 = _t116;
                                												L01367D50( &_v786, 0, 0x206);
                                												_t178 = _t178 + 0xc;
                                												_v4912 = 0x208;
                                												lstrcpyW( &_v68, L"0.0");
                                												if(RegEnumKeyExW(_v4896, 0,  &_v788,  &_v4912, 0, 0, 0,  &_v4936) == 0) {
                                													do {
                                														_t175 = _t175 + 1;
                                														if(lstrcmpW( &_v68,  &_v788) < 0) {
                                															lstrcpynW( &_v68,  &_v788, 0x3b);
                                														}
                                														_v4912 = 0x208;
                                													} while (RegEnumKeyExW(_v4896, _t175,  &_v788,  &_v4912, 0, 0, 0,  &_v4936) == 0);
                                												}
                                												RegCloseKey(_v4896);
                                												goto L17;
                                											}
                                										} else {
                                											L17:
                                											E01272EB0(_v4908, _t175,  &_v68);
                                										}
                                									}
                                								}
                                								RegCloseKey(_v4888);
                                								_t174 = _v4928;
                                							}
                                							_t105 = RegEnumKeyExW(_v4892, _t174,  &_v2836,  &_v4900, 0, 0, 0,  &_v4944); // executed
                                							if(_t105 == 0) {
                                								continue;
                                							}
                                							goto L20;
                                						}
                                					}
                                					L20:
                                					RegCloseKey(_v4892);
                                					_t173 = _v4908;
                                					_pop(_t130);
                                				}
                                				return L01367D3E(0 |  *((intOrPtr*)( *_t173 - 0xc)) != 0x00000000, _t130, _v8 ^ _t176,  *_t173, 0, _t173);
                                			}

                                APIs
                                • RegOpenKeyExW.KERNEL32 ref: 01272F4E
                                • _memset.LIBCMT ref: 01272F73
                                • _memset.LIBCMT ref: 01272F8E
                                • RegEnumKeyExW.KERNEL32 ref: 01272FCE
                                • _memset.LIBCMT ref: 01273019
                                • wsprintfW.USER32 ref: 01273031
                                • RegOpenKeyExW.KERNEL32 ref: 01273050
                                • RegQueryValueExW.KERNEL32 ref: 01273090
                                • lstrcmpiW.KERNEL32(?,ASUS Live Updata), ref: 012730C0
                                • _memset.LIBCMT ref: 012730F7
                                • RegQueryValueExW.ADVAPI32 ref: 01273128
                                • RegOpenKeyExW.ADVAPI32 ref: 01273155
                                • _memset.LIBCMT ref: 01273179
                                • lstrcpyW.KERNEL32 ref: 01273194
                                • RegEnumKeyExW.ADVAPI32 ref: 012731BA
                                • lstrcmpW.KERNEL32(?,?), ref: 012731CC
                                • lstrcpynW.KERNEL32(?,?,0000003B), ref: 012731E3
                                • RegEnumKeyExW.ADVAPI32 ref: 01273213
                                • RegCloseKey.ADVAPI32(?), ref: 01273220
                                • RegCloseKey.ADVAPI32(?), ref: 0127323C
                                • RegEnumKeyExW.KERNEL32 ref: 01273268
                                • RegCloseKey.ADVAPI32(?), ref: 01273279
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: _memset$Enum$CloseOpen$ExceptionFilterProcessQueryUnhandledValue$CurrentDebuggerPresentTerminatelstrcmplstrcmpilstrcpylstrcpynwsprintf
                                • String ID: 0.0$<$ASUS Live Updata$DisplayName$DisplayVersion$SOFTWARE\Asus\ASUS Live Update$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
                                • API String ID: 3638188573-1468564131
                                • Opcode ID: 0044d6a5b7bcbbdbacad32109955a568626012811d76a2dfc4cdcc9ad3bb941c
                                • Instruction ID: 9f1dd51117e6efcd91e7bfee75809cb17dcbf304a6246b5349ac2e60c035dd18
                                • Opcode Fuzzy Hash: 0044d6a5b7bcbbdbacad32109955a568626012811d76a2dfc4cdcc9ad3bb941c
                                • Instruction Fuzzy Hash: BFA116B1910229ABDB24DB69CC44EEBB7BCFB88B44F4045CDF509A6544E770AB85CF60
                                Uniqueness

                                Uniqueness Score: 23.02%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 392 127af7b-127af9c EnterCriticalSection 393 127af9e-127afa5 392->393 394 127afab-127afb0 392->394 393->394 395 127b069-127b06c 393->395 396 127afb2-127afb5 394->396 397 127afcd-127afd5 394->397 399 127b074-127b092 LeaveCriticalSection 395->399 400 127b06e-127b071 395->400 398 127afb8-127afbb 396->398 401 127afd7-127afea call 1278611 GlobalAlloc 397->401 402 127afec-127b010 GlobalHandle GlobalUnlock call 1278611 GlobalReAlloc 397->402 403 127afc5-127afc7 398->403 404 127afbd-127afc3 398->404 400->399 409 127b016-127b018 401->409 402->409 403->395 403->397 404->398 404->403 410 127b03d-127b066 GlobalLock _memset 409->410 411 127b01a-127b01f 409->411 410->395 412 127b021-127b029 GlobalHandle GlobalLock 411->412 413 127b02f-127b038 LeaveCriticalSection call 1277a91 411->413 412->413 413->410
                                C-Code - Quality: 88%
                                			E0127AF7B(void* __ecx) {
                                				struct _CRITICAL_SECTION* _v8;
                                				void* _v12;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				struct _CRITICAL_SECTION* _t34;
                                				void* _t35;
                                				void* _t36;
                                				long _t38;
                                				void* _t39;
                                				long _t51;
                                				signed char* _t53;
                                				signed int _t56;
                                				signed int _t57;
                                				void* _t61;
                                				signed int _t68;
                                				void* _t72;
                                
                                				_t59 = __ecx;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t72 = __ecx;
                                				_t1 = _t72 + 0x1c; // 0x1c
                                				_t34 = _t1;
                                				_v8 = _t34;
                                				EnterCriticalSection(_t34);
                                				_t56 =  *(_t72 + 4);
                                				_t68 =  *(_t72 + 8);
                                				if(_t68 >= _t56 || ( *( *(_t72 + 0x10) + _t68 * 8) & 0x00000001) != 0) {
                                					_t68 = 1;
                                					if(_t56 <= 1) {
                                						L7:
                                						_t35 =  *(_t72 + 0x10);
                                						_t57 = _t56 + 0x20;
                                						_t83 = _t35;
                                						if(_t35 != 0) {
                                							_t36 = GlobalHandle(_t35);
                                							_v12 = _t36;
                                							GlobalUnlock(_t36);
                                							_t38 = E01278611(_t57, _t59, _t68, _t72, __eflags, _t57, 8);
                                							_t61 = 0x2002;
                                							_t39 = GlobalReAlloc(_v12, _t38, ??);
                                						} else {
                                							_t51 = E01278611(_t57, _t59, _t68, _t72, _t83, _t57, 8);
                                							_pop(_t61);
                                							_t39 = GlobalAlloc(2, _t51); // executed
                                						}
                                						if(_t39 == 0) {
                                							_t72 =  *(_t72 + 0x10);
                                							if(_t72 != 0) {
                                								GlobalLock(GlobalHandle(_t72));
                                							}
                                							LeaveCriticalSection(_v8);
                                							_t39 = L01277A91(_t61);
                                						}
                                						_v12 = GlobalLock(_t39);
                                						L01367D50(_t40 +  *(_t72 + 4) * 8, 0, _t57 -  *(_t72 + 4) << 3);
                                						 *(_t72 + 4) = _t57;
                                						 *(_t72 + 0x10) = _v12;
                                					} else {
                                						_t53 =  *(_t72 + 0x10) + 8;
                                						while(( *_t53 & 0x00000001) != 0) {
                                							_t68 = _t68 + 1;
                                							_t53 =  &(_t53[8]);
                                							if(_t68 < _t56) {
                                								continue;
                                							}
                                							break;
                                						}
                                						if(_t68 >= _t56) {
                                							goto L7;
                                						}
                                					}
                                				}
                                				if(_t68 >=  *((intOrPtr*)(_t72 + 0xc))) {
                                					 *((intOrPtr*)(_t72 + 0xc)) = _t68 + 1;
                                				}
                                				 *( *(_t72 + 0x10) + _t68 * 8) =  *( *(_t72 + 0x10) + _t68 * 8) | 0x00000001;
                                				 *(_t72 + 8) = _t68 + 1;
                                				LeaveCriticalSection(_v8);
                                				return _t68;
                                			}

                                APIs
                                • EnterCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000,?,0127B3B6,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 0127AF8E
                                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,00000000,00000000,?,0127B3B6,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004), ref: 0127AFE4
                                • GlobalHandle.KERNEL32(?), ref: 0127AFED
                                • GlobalUnlock.KERNEL32(00000000,?,?,?,00000000,00000000,?,0127B3B6,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 0127AFF7
                                • GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 0127B010
                                • GlobalHandle.KERNEL32(?), ref: 0127B022
                                • GlobalLock.KERNEL32 ref: 0127B029
                                • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000000,?,0127B3B6,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 0127B032
                                  • Part of subcall function 01277A91: __CxxThrowException@8.LIBCMT ref: 01277AA7
                                • GlobalLock.KERNEL32 ref: 0127B03E
                                • _memset.LIBCMT ref: 0127B058
                                • LeaveCriticalSection.KERNEL32(?), ref: 0127B086
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterException@8ThrowUnlock_memset
                                • String ID:
                                • API String ID: 519972396-0
                                • Opcode ID: 1bcffcd22b01c128af19a6eeb41724a29fb4e51829c9ea6d9c04f39814aed49e
                                • Instruction ID: 5a4dbce7f31b274555b54c54544f6d2256a780095dff5fffcca8d34b1c4be337
                                • Opcode Fuzzy Hash: 1bcffcd22b01c128af19a6eeb41724a29fb4e51829c9ea6d9c04f39814aed49e
                                • Instruction Fuzzy Hash: FF31AF71A10702AFD7319F78D889AAFBBF9EF44700F044929E652D3650DB75EA418B60
                                Uniqueness

                                Uniqueness Score: 2.38%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 415 1278a87-1278ac2 GetModuleFileNameW 416 1278b6d-1278b7a call 1367d3e 415->416 417 1278ac8-1278acd 415->417 418 1278acf-1278ad7 SetLastError 417->418 419 1278adc-1278b24 CreateActCtxW 417->419 418->416 421 1278b26-1278b39 CreateActCtxW 419->421 422 1278b3f-1278b46 419->422 421->422 422->416 424 1278b48-1278b64 CreateActCtxW 422->424 424->416 425 1278b66 424->425 425->416
                                C-Code - Quality: 18%
                                			E01278A87(void* __ecx) {
                                				signed int _v8;
                                				short _v10;
                                				short _v12;
                                				short _v532;
                                				struct HINSTANCE__* _v536;
                                				intOrPtr _v544;
                                				WCHAR* _v556;
                                				intOrPtr _v560;
                                				char _v564;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t25;
                                				void* _t35;
                                				void* _t39;
                                				struct HINSTANCE__* _t41;
                                				void* _t42;
                                				intOrPtr* _t43;
                                				void* _t45;
                                				void* _t46;
                                				signed int _t50;
                                
                                				_t48 = _t50;
                                				_t25 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t25 ^ _t50;
                                				_v10 = 0;
                                				_v12 = 0;
                                				_t45 = __ecx;
                                				_t41 =  *(__ecx + 8);
                                				if(GetModuleFileNameW(_t41,  &_v532, 0x105) != 0) {
                                					if(_v12 == 0) {
                                						_v556 =  &_v532;
                                						_v536 = _t41;
                                						_t43 = __imp__CreateActCtxW;
                                						_v564 = 0x20;
                                						_v560 = 0x88;
                                						_v544 = 2;
                                						_t29 =  *_t43( &_v564); // executed
                                						 *(_t45 + 0x80) = _t29;
                                						if(_t29 == 0xffffffff) {
                                							_v544 = 3;
                                							_t29 =  *_t43( &_v564); // executed
                                							 *(_t45 + 0x80) = _t29;
                                						}
                                						if( *(_t45 + 0x80) == 0xffffffff) {
                                							_v544 = 1;
                                							_t29 =  *_t43( &_v564); // executed
                                							 *(_t45 + 0x80) = _t29;
                                							if(_t29 == 0xffffffff) {
                                								 *(_t45 + 0x80) =  *(_t45 + 0x80) & 0x00000000;
                                							}
                                						}
                                					} else {
                                						SetLastError(0x6f);
                                					}
                                				}
                                				_pop(_t42);
                                				_pop(_t46);
                                				return L01367D3E(_t29, _t35, _v8 ^ _t48, _t39, _t42, _t46);
                                			}

                                APIs
                                • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 01278ABA
                                • SetLastError.KERNEL32(0000006F), ref: 01278AD1
                                • CreateActCtxW.KERNEL32(?), ref: 01278B19
                                • CreateActCtxW.KERNEL32(00000020), ref: 01278B37
                                • CreateActCtxW.KERNEL32(00000020), ref: 01278B59
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Create$ExceptionFilterProcessUnhandled$CurrentDebuggerErrorFileLastModuleNamePresentTerminate
                                • String ID:
                                • API String ID: 3905524640-3916222277
                                • Opcode ID: 4ab7e5cf000a784597d2452073e9298f9c9f2f9bedfd83f1fc7a9a2f5e37d48d
                                • Instruction ID: c9a0dd75cef5c99d373d390d1577f9e03d45ae4d81ac946fa08adbc34aefa66b
                                • Opcode Fuzzy Hash: 4ab7e5cf000a784597d2452073e9298f9c9f2f9bedfd83f1fc7a9a2f5e37d48d
                                • Instruction Fuzzy Hash: 36216AB091021C9EDB20DF69D84C7EEB7F8BF04324F50469AD169E3180EBB45A85CF60
                                Uniqueness

                                Uniqueness Score: 2.84%

                                Control-flow Graph

                                C-Code - Quality: 95%
                                			E012F84E5(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                				int _t18;
                                				int _t19;
                                				WCHAR* _t21;
                                				intOrPtr _t27;
                                				void* _t28;
                                				void* _t29;
                                				intOrPtr _t30;
                                
                                				_t29 = __eflags;
                                				_push(4);
                                				L01369601(0x137ebfd, __ebx, __edi, __esi);
                                				_t27 = __ecx;
                                				 *((intOrPtr*)(_t28 - 0x10)) = __ecx;
                                				L01275CF0(__ecx, _t29);
                                				 *((intOrPtr*)(__ecx)) = 0x139cd5c;
                                				 *((intOrPtr*)(__ecx + 0x20)) = 0x139cd18;
                                				 *((intOrPtr*)(__ecx + 0x24)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x30)) = 0;
                                				 *((intOrPtr*)(_t28 - 4)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x34)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x38)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
                                				E012866AF(3);
                                				_t30 =  *0x13d9f30; // 0x1
                                				if(_t30 == 0) {
                                					_t21 = L"windows";
                                					_t18 = GetProfileIntW(_t21, L"DragMinDist", 2); // executed
                                					 *0x13d9f28 = _t18; // executed
                                					_t19 = GetProfileIntW(_t21, L"DragDelay", 0xc8); // executed
                                					 *0x13d9f2c = _t19;
                                					 *0x13d9f30 = 1;
                                				}
                                				E01286721(3);
                                				return L013696D9(_t27);
                                			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012F84EC
                                  • Part of subcall function 012866AF: EnterCriticalSection.KERNEL32(013D81D8,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 012866E9
                                  • Part of subcall function 012866AF: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 012866FB
                                  • Part of subcall function 012866AF: LeaveCriticalSection.KERNEL32(013D81D8,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 01286708
                                  • Part of subcall function 012866AF: EnterCriticalSection.KERNEL32(?,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 01286718
                                • GetProfileIntW.KERNEL32 ref: 012F8544
                                • GetProfileIntW.KERNEL32 ref: 012F8556
                                  • Part of subcall function 01286721: LeaveCriticalSection.KERNEL32(?,?,0127AEBE,00000010,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291,00000004,0127126A), ref: 0128673C
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeaveProfile$H_prolog3Initialize
                                • String ID: DragDelay$DragMinDist$windows
                                • API String ID: 2709446506-2101198082
                                • Opcode ID: e5244625de75834b1c818fcff662035858fc9bb032fb55394faa1ac2bda543b7
                                • Instruction ID: 51c9cdea31b0bbd0cff1cf906b8a361cd5ede29a2ab79dab561fff3ef2b9231e
                                • Opcode Fuzzy Hash: e5244625de75834b1c818fcff662035858fc9bb032fb55394faa1ac2bda543b7
                                • Instruction Fuzzy Hash: 7B0178B09117018FDB20AF6A9980B0AFEECFFA8718F80154FE1469BA94C7B4A504CF44
                                Uniqueness

                                Uniqueness Score: 1.34%

                                Control-flow Graph

                                C-Code - Quality: 62%
                                			E01271680(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
                                				signed int _v8;
                                				char _v518;
                                				short _v520;
                                				signed int _t12;
                                				void* _t18;
                                				signed int _t30;
                                
                                				_t12 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t12 ^ _t30;
                                				_v520 = 0;
                                				L01367D50( &_v518, 0, 0x1fe);
                                				_push(L"<alvupdt><MSIstarter> ");
                                				_t18 = E0136815E(_t30 + E013683CD() * 2 - 0x204, _a4,  &_a8);
                                				OutputDebugStringW( &_v520); // executed
                                				return L01367D3E(_t18, __ebx, _v8 ^ _t30, _a4, __edi, __esi,  &_v520);
                                			}










                                APIs
                                • _memset.LIBCMT ref: 012716A9
                                • __swprintf.LIBCMT ref: 012716BA
                                  • Part of subcall function 013683CD: __woutput_l.LIBCMT ref: 01368428
                                  • Part of subcall function 013683CD: __flsbuf.LIBCMT ref: 01368446
                                  • Part of subcall function 013683CD: __flsbuf.LIBCMT ref: 0136845E
                                • __vswprintf.LIBCMT ref: 012716CF
                                  • Part of subcall function 0136815E: __vswprintf_l.LIBCMT ref: 0136816E
                                • OutputDebugStringW.KERNEL32(?), ref: 012716DE
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterProcessUnhandled__flsbuf$CurrentDebugDebuggerOutputPresentStringTerminate__swprintf__vswprintf__vswprintf_l__woutput_l_memset
                                • String ID: <alvupdt><MSIstarter>
                                • API String ID: 777505412-3604757744
                                • Opcode ID: d6e8e04d17a9be767935e15e45ac4f59589883e9d76541a238fd912a55058265
                                • Instruction ID: b1e4cd5af8f076fc99d38b3b082d75ca0aed3910ef0d8b5138b11bb0cb4cccc2
                                • Opcode Fuzzy Hash: d6e8e04d17a9be767935e15e45ac4f59589883e9d76541a238fd912a55058265
                                • Instruction Fuzzy Hash: D2F096F591030DEBCB14FFB8DD49DEE73BCAF18304F40C599A91957245EA30AA448B60
                                Uniqueness

                                Uniqueness Score: 12.89%

                                Control-flow Graph

                                control_flow_graph 444 127b425-127b430 445 127b445-127b44a 444->445 446 127b432-127b443 call 127b26f 444->446 448 127b453-127b458 445->448 449 127b44c-127b44d TlsFree 445->449 446->445 451 127b471-127b47d DeleteCriticalSection 448->451 452 127b45a-127b46b GlobalHandle GlobalUnlock GlobalFree 448->452 449->448 452->451
                                C-Code - Quality: 100%
                                			E0127B425(long* __ecx) {
                                				intOrPtr _t4;
                                				long _t5;
                                				void* _t6;
                                				void* _t13;
                                				intOrPtr _t14;
                                				long* _t15;
                                
                                				_t15 = __ecx;
                                				_t4 =  *((intOrPtr*)(__ecx + 0x14));
                                				if(_t4 != 0) {
                                					do {
                                						_t14 =  *((intOrPtr*)(_t4 + 4));
                                						L0127B26F(__ecx, _t4, 0);
                                						_t4 = _t14;
                                					} while (_t14 != 0);
                                				}
                                				_t5 =  *_t15;
                                				if(_t5 != 0xffffffff) {
                                					TlsFree(_t5); // executed
                                				}
                                				_t6 = _t15[4];
                                				if(_t6 != 0) {
                                					_t13 = GlobalHandle(_t6);
                                					GlobalUnlock(_t13);
                                					_t6 = GlobalFree(_t13);
                                				}
                                				DeleteCriticalSection( &(_t15[7]));
                                				return _t6;
                                			}










                                APIs
                                • TlsFree.KERNEL32(?), ref: 0127B44D
                                • GlobalHandle.KERNEL32(?), ref: 0127B45B
                                • GlobalUnlock.KERNEL32(00000000), ref: 0127B464
                                • GlobalFree.KERNEL32(00000000), ref: 0127B46B
                                • DeleteCriticalSection.KERNEL32 ref: 0127B475
                                  • Part of subcall function 0127B26F: EnterCriticalSection.KERNEL32(?), ref: 0127B2CE
                                  • Part of subcall function 0127B26F: LeaveCriticalSection.KERNEL32(?), ref: 0127B2DE
                                  • Part of subcall function 0127B26F: LocalFree.KERNEL32(?), ref: 0127B2E7
                                  • Part of subcall function 0127B26F: TlsSetValue.KERNEL32(?,00000000), ref: 0127B2F9
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                                • String ID:
                                • API String ID: 1549993015-0
                                • Opcode ID: 916fe7a89db8156b58fca2951b9f9f776fe522eaba573109ca72b37ba8964203
                                • Instruction ID: 9dcae4472824e7d3c5e874836a9edb34daedbf91dde1e0c966e55e5d363da897
                                • Opcode Fuzzy Hash: 916fe7a89db8156b58fca2951b9f9f776fe522eaba573109ca72b37ba8964203
                                • Instruction Fuzzy Hash: 2BF05E322007119BDA319F7CA85CE6F3ABDEF89B61B190618F655D3644CB78D9038B71
                                Uniqueness

                                Uniqueness Score: 0.31%

                                Control-flow Graph

                                control_flow_graph 453 138b908-138b918 GetModuleHandleW 454 138b91e-138b93c VirtualAlloc 453->454 455 138b9c0-138b9d5 ExitProcess 453->455 454->455 456 138b942-138b950 454->456 457 138b955-138b957 456->457 457->457 458 138b959-138b96d call 138b802 457->458 458->455 461 138b96f-138b986 VirtualAlloc 458->461 461->455 462 138b988-138b99b 461->462 462->455 463 138b99d 462->463 464 138b9a0-138b9a2 463->464 464->464 465 138b9a4-138b9b8 call 138b802 464->465 465->455
                                C-Code - Quality: 100%
                                			E0138B908() {
                                				intOrPtr* _t1;
                                
                                				 *_t1 =  *_t1 + _t1;
                                			}




                                0x0138b908

                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0138B910
                                • VirtualAlloc.KERNEL32(00000000,00000020,00001000,00000040), ref: 0138B938
                                • VirtualAlloc.KERNEL32(00000000,-00000010,00001000,00000040,?,00000010,?), ref: 0138B982
                                • ExitProcess.KERNEL32(00000000), ref: 0138B9CE
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AllocVirtual$ExitHandleModuleProcess
                                • String ID:
                                • API String ID: 217507693-0
                                • Opcode ID: e69029d9467ab09bc6aaf40a12505a1e3662255c9c7e231a1a434fb8706ab995
                                • Instruction ID: df45f4fdd16594d49e417bb865d68e61a4c45d04b55fde4e8d851826c3e46464
                                • Opcode Fuzzy Hash: e69029d9467ab09bc6aaf40a12505a1e3662255c9c7e231a1a434fb8706ab995
                                • Instruction Fuzzy Hash: B3218471E4030AAFEB10EBA8CC41BAFB7B9EF84744F148564D644BB385D670AD5187A4
                                Uniqueness

                                Uniqueness Score: 37.75%

                                Control-flow Graph

                                control_flow_graph 468 127478d-12747bd 469 12747c3 468->469 470 127484b-1274851 468->470 471 12747c4-12747da RegOpenKeyExW 469->471 472 127483f-1274844 471->472 473 12747dc-12747df 471->473 472->471 474 127484a 472->474 475 127482d-1274831 473->475 474->470 476 1274833-127483c RegCloseKey 475->476 477 12747e1-12747fa RegQueryValueExW 475->477 476->472 478 127481d-127482a 477->478 479 12747fc-1274800 477->479 478->475 479->478 480 1274802-127480b 479->480 481 1274815-1274817 480->481 482 127480d-1274813 480->482 481->478 482->478
                                C-Code - Quality: 100%
                                			E0127478D(intOrPtr __ecx) {
                                				void* _v8;
                                				char _v12;
                                				int _v16;
                                				intOrPtr _v20;
                                				int _v24;
                                				long _t29;
                                				short* _t30;
                                				long _t31;
                                				intOrPtr _t32;
                                				short** _t34;
                                				signed int _t39;
                                				short** _t43;
                                				short* _t45;
                                
                                				 *((intOrPtr*)(__ecx + 0xa8)) = 0;
                                				_v20 = __ecx;
                                				_v8 = 0;
                                				_v12 = 0;
                                				_v24 = 4;
                                				_v16 = 0;
                                				_t34 = 0x13cf090;
                                				_t45 =  *0x13cf090; // 0x138e608
                                				if(_t45 == 0) {
                                					L14:
                                					return 1;
                                				}
                                				do {
                                					_t29 = RegOpenKeyExW(0x80000001,  *_t34, 0, 1,  &_v8); // executed
                                					if(_t29 != 0) {
                                						goto L12;
                                					}
                                					_t8 =  &(_t34[1]); // 0x13cf0b0
                                					_t43 =  *_t8;
                                					while(1) {
                                						_t30 =  *_t43;
                                						if(_t30 == 0) {
                                							break;
                                						}
                                						_t31 = RegQueryValueExW(_v8, _t30, 0,  &_v16,  &_v12,  &_v24); // executed
                                						if(_t31 == 0 && _v16 == 4) {
                                							_t14 =  &(_t43[1]); // 0x1
                                							_t39 =  *_t14;
                                							_t32 = _v20;
                                							if(_v12 == 0) {
                                								 *(_t32 + 0xa8) =  *(_t32 + 0xa8) &  !_t39;
                                							} else {
                                								 *(_t32 + 0xa8) =  *(_t32 + 0xa8) | _t39;
                                							}
                                						}
                                						_v12 = 0;
                                						_v24 = 4;
                                						_v16 = 0;
                                						_t43 =  &(_t43[2]);
                                					}
                                					RegCloseKey(_v8);
                                					_v8 = 0;
                                					L12:
                                					_t34 =  &(_t34[2]);
                                				} while ( *_t34 != 0);
                                				goto L14;
                                			}

















                                APIs
                                • RegOpenKeyExW.KERNEL32 ref: 012747D2
                                • RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?,00000004), ref: 012747F2
                                • RegCloseKey.ADVAPI32(?), ref: 01274836
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 4a43b89fb0325c071ac05dd6cd5809b76b9a8d9e0a6ad32a729a820a1eb950f6
                                • Instruction ID: 320c9b776532164a03872bbf42cba4baad72b5dba19468767106faf13b75a3b0
                                • Opcode Fuzzy Hash: 4a43b89fb0325c071ac05dd6cd5809b76b9a8d9e0a6ad32a729a820a1eb950f6
                                • Instruction Fuzzy Hash: CF213AB1D10249EFDF15DF99C885AAEBBB8EF81704F2080AEE515A6211D7715A44CF21
                                Uniqueness

                                Uniqueness Score: 0.05%

                                Control-flow Graph

                                control_flow_graph 483 1272810-1272820 484 1272822-127282c call 1272460 483->484 485 127282f-1272835 483->485 487 1272837-127283c call 12713a0 485->487 488 1272841-127284f 485->488 487->488 490 1272851-1272856 call 12713a0 488->490 491 127285b-127286a 488->491 490->491 494 1272874-1272882 491->494 495 127286c-127286f call 12724d0 491->495 497 1272884-127288f call 136837a 494->497 498 1272891-1272897 call 1368305 494->498 495->494 502 127289c-12728a8 497->502 498->502 502->487 503 12728aa-12728ba 502->503
                                APIs
                                • _memmove_s.LIBCMT ref: 0127288A
                                  • Part of subcall function 0136837A: _memmove.LIBCMT ref: 013683C0
                                • _memcpy_s.LIBCMT ref: 01272897
                                  • Part of subcall function 01368305: _memmove.LIBCMT ref: 01368341
                                  • Part of subcall function 01368305: _memset.LIBCMT ref: 01368353
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: _memmove$_memcpy_s_memmove_s_memset
                                • String ID:
                                • API String ID: 1216431377-0
                                • Opcode ID: c53391e536c9bc95cdc8aa5fdb416b82d9b043c7db9e61d80a2f6c9ba3c8f741
                                • Instruction ID: 7f4b9761e32b17cdadff50c9273583f375c2c5897d9f9a64c306c3efba81cd85
                                • Opcode Fuzzy Hash: c53391e536c9bc95cdc8aa5fdb416b82d9b043c7db9e61d80a2f6c9ba3c8f741
                                • Instruction Fuzzy Hash: C921A232A1050AEFCB00DF6CC898C6FF3A9EF94214B10819DF9046B324DA72BD10CBA4
                                Uniqueness

                                Uniqueness Score: 10.55%

                                Control-flow Graph

                                C-Code - Quality: 94%
                                			E01288E58(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t11;
                                				void* _t14;
                                				intOrPtr _t17;
                                				void* _t18;
                                				void* _t29;
                                				intOrPtr _t33;
                                				void* _t34;
                                				void* _t35;
                                
                                				_t35 = __eflags;
                                				_t30 = __edi;
                                				_t29 = __edx;
                                				_t23 = __ebx;
                                				_t11 = SetErrorMode(0); // executed
                                				SetErrorMode(_t11 | 0x00008001); // executed
                                				_t14 = E012792EF(__ebx, __edi, SetErrorMode, _t35);
                                				_t33 = _a4;
                                				 *((intOrPtr*)(_t14 + 8)) = _t33;
                                				 *((intOrPtr*)(_t14 + 0xc)) = _t33;
                                				E01278A87(_t14); // executed
                                				_t17 =  *((intOrPtr*)(E012792EF(__ebx, __edi, _t33, _t35) + 4));
                                				_t36 = _t17;
                                				if(_t17 != 0) {
                                					 *((intOrPtr*)(_t17 + 0x48)) = _a12;
                                					 *((intOrPtr*)(_t17 + 0x4c)) = _a16;
                                					 *((intOrPtr*)(_t17 + 0x44)) = _t33;
                                					E01288C7C(_t17, _t29, _t36);
                                				}
                                				_t18 = E012792EF(_t23, _t30, _t33, _t36);
                                				_t37 =  *((char*)(_t18 + 0x14));
                                				_pop(_t34);
                                				if( *((char*)(_t18 + 0x14)) == 0) {
                                					E01276674(_t34, _t37);
                                				}
                                				return 1;
                                			}














                                APIs
                                • SetErrorMode.KERNEL32(00000000), ref: 01288E66
                                • SetErrorMode.KERNEL32(00000000), ref: 01288E6E
                                  • Part of subcall function 01278A87: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 01278ABA
                                  • Part of subcall function 01278A87: SetLastError.KERNEL32(0000006F), ref: 01278AD1
                                  • Part of subcall function 01278A87: CreateActCtxW.KERNEL32(?), ref: 01278B19
                                  • Part of subcall function 01278A87: CreateActCtxW.KERNEL32(00000020), ref: 01278B37
                                  • Part of subcall function 01278A87: CreateActCtxW.KERNEL32(00000020), ref: 01278B59
                                  • Part of subcall function 01276674: GetCurrentThreadId.KERNEL32 ref: 01276687
                                  • Part of subcall function 01276674: SetWindowsHookExW.USER32(000000FF,Function_000064D9,00000000,00000000), ref: 01276697
                                  • Part of subcall function 01288C7C: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 01288CB9
                                  • Part of subcall function 01288C7C: PathFindExtensionW.SHLWAPI(?), ref: 01288CD3
                                  • Part of subcall function 01288C7C: __wcsdup.LIBCMT ref: 01288D1D
                                  • Part of subcall function 01288C7C: __wcsdup.LIBCMT ref: 01288D5B
                                  • Part of subcall function 01288C7C: __wcsdup.LIBCMT ref: 01288D8F
                                  • Part of subcall function 01288C7C: __wcsdup.LIBCMT ref: 01288DF5
                                  • Part of subcall function 01288C7C: __wcsdup.LIBCMT ref: 01288E36
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: __wcsdup$CreateError$FileModeModuleName$CurrentExtensionFindHookLastPathThreadWindows
                                • String ID:
                                • API String ID: 4100829453-0
                                • Opcode ID: cdd60cea8f1a145934141c741596e956d3bbbd6d144502fee024f8d45af17f3e
                                • Instruction ID: 3c864e37ae175c266deae27981b9cabba251e51b08958b495e344c7853106091
                                • Opcode Fuzzy Hash: cdd60cea8f1a145934141c741596e956d3bbbd6d144502fee024f8d45af17f3e
                                • Instruction Fuzzy Hash: 4FF096719303164FDB25FFA8D444AAE3BD9AF54720F45405AE5489B391DB34D840CBA6
                                Uniqueness

                                Uniqueness Score: 0.02%

                                Control-flow Graph

                                control_flow_graph 519 1276674-127667d call 12792ef 522 12766a1 519->522 523 127667f-12766a0 call 1278d20 GetCurrentThreadId SetWindowsHookExW 519->523 523->522
                                C-Code - Quality: 86%
                                			E01276674(void* __esi, void* __eflags) {
                                				void* _t3;
                                				void* _t4;
                                				struct HHOOK__* _t6;
                                				void* _t7;
                                				void* _t8;
                                
                                				_t3 = E012792EF(_t7, _t8, __esi, __eflags);
                                				_t13 =  *((char*)(_t3 + 0x14));
                                				if( *((char*)(_t3 + 0x14)) == 0) {
                                					_push(__esi);
                                					_t4 = E01278D20(_t7, _t8, __esi, _t13);
                                					_t6 = SetWindowsHookExW(0xffffffff, E012764D9, 0, GetCurrentThreadId()); // executed
                                					 *(_t4 + 0x2c) = _t6;
                                					return _t6;
                                				}
                                				return _t3;
                                			}









                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 01276687
                                • SetWindowsHookExW.USER32(000000FF,Function_000064D9,00000000,00000000), ref: 01276697
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CurrentHookThreadWindows
                                • String ID:
                                • API String ID: 1904029216-0
                                • Opcode ID: a2495e934cee6a1a15425de55b551c28927f3c7bc37dbca19307d90834f368ee
                                • Instruction ID: 315e8eaad8de80c37656f3dc212180c3a2a74a6933e9d18c6bf16298c3dc21e9
                                • Opcode Fuzzy Hash: a2495e934cee6a1a15425de55b551c28927f3c7bc37dbca19307d90834f368ee
                                • Instruction Fuzzy Hash: 57D0A7718247502EEF313B70BC0CB9B3E489B11334F102249F111950C4CA74488187A9
                                Uniqueness

                                Uniqueness Score: 0.15%


                                C-Code - Quality: 94%
                                			E01279154(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t51;
                                				intOrPtr _t53;
                                				intOrPtr _t55;
                                				intOrPtr _t64;
                                				intOrPtr _t66;
                                				intOrPtr _t68;
                                				void* _t70;
                                				intOrPtr _t74;
                                				void* _t75;
                                				intOrPtr* _t76;
                                				void* _t77;
                                
                                				_t77 = __eflags;
                                				_t70 = __edx;
                                				_push(0xc);
                                				L01369634(0x137eea3, __ebx, __edi, __esi);
                                				_t74 = __ecx;
                                				 *((intOrPtr*)(_t75 - 0x14)) = __ecx;
                                				 *((intOrPtr*)(__ecx)) = 0x138f04c;
                                				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x20)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x24)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                                				E01272410(__ecx + 0x34, E0127859A());
                                				 *((intOrPtr*)(__ecx + 0x40)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x44)) = 0;
                                				 *(__ecx + 0x50) =  *(__ecx + 0x50) | 0xffffffff;
                                				 *((intOrPtr*)(_t75 - 4)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x54)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x68)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x6c)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x28)) = 0x20;
                                				 *((intOrPtr*)(__ecx + 0x20)) = 0x14;
                                				 *((intOrPtr*)(__ecx + 0x18)) = 0;
                                				 *((char*)(__ecx + 0x14)) =  *((intOrPtr*)(_t75 + 8));
                                				 *((char*)(_t75 - 4)) = 2;
                                				E01272610(__ebx, __ecx + 0x34, 0, 0x1000); // executed
                                				 *((intOrPtr*)(_t75 - 4)) = 1;
                                				 *((intOrPtr*)(_t74 + 0x30)) = 1;
                                				 *((intOrPtr*)(_t74 + 0x44)) = 0x18;
                                				 *((intOrPtr*)(_t74 + 0x78)) = E01274753(_t77, 0xc);
                                				 *_t76 = 0x188;
                                				_t64 = E0127ADEA();
                                				 *((intOrPtr*)(_t75 + 8)) = _t64;
                                				 *((char*)(_t75 - 4)) = 4;
                                				_t78 = _t64;
                                				if(_t64 == 0) {
                                					_t51 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t51 = E01278E66(1, _t64, _t70, 0, _t74, _t78);
                                				}
                                				 *((char*)(_t75 - 4)) = 1;
                                				 *((intOrPtr*)( *((intOrPtr*)(_t74 + 0x78)))) = _t51;
                                				_t66 = E0127ADEA(0x64);
                                				 *((intOrPtr*)(_t75 + 8)) = _t66;
                                				 *((char*)(_t75 - 4)) = 5;
                                				_t79 = _t66;
                                				if(_t66 == 0) {
                                					_t53 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t53 = L0127908A(1, _t66, _t70, 0, _t74, _t79);
                                				}
                                				 *((char*)(_t75 - 4)) = 1;
                                				 *((intOrPtr*)( *((intOrPtr*)(_t74 + 0x78)) + 4)) = _t53;
                                				_t68 = E0127ADEA(0x14);
                                				 *((intOrPtr*)(_t75 + 8)) = _t68;
                                				 *((char*)(_t75 - 4)) = 6;
                                				_t80 = _t68;
                                				if(_t68 == 0) {
                                					_t55 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t55 = L0127910D(1, _t68, _t70, 0, _t74, _t80);
                                				}
                                				 *((intOrPtr*)( *((intOrPtr*)(_t74 + 0x78)) + 8)) = _t55;
                                				 *((intOrPtr*)(_t74 + 0x7c)) = 1;
                                				 *((intOrPtr*)(_t74 + 0x80)) = 0;
                                				 *((intOrPtr*)(_t74 + 0x84)) = 0;
                                				 *((intOrPtr*)(_t74 + 0x88)) = 0;
                                				return L013696D9(_t74);
                                			}















                                APIs
                                • __EH_prolog3_catch.LIBCMT ref: 0127915B
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                  • Part of subcall function 0127ADEA: LocalAlloc.KERNEL32(00000040,?,?,0127B1B6,00000010,?,?,00000000,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004), ref: 0127ADF4
                                  • Part of subcall function 0127910D: __EH_prolog3.LIBCMT ref: 01279114
                                  • Part of subcall function 0127908A: __EH_prolog3.LIBCMT ref: 01279091
                                  • Part of subcall function 01278E66: __EH_prolog3.LIBCMT ref: 01278E6D
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: H_prolog3$AllocH_prolog3_catchLocal_malloc
                                • String ID:
                                • API String ID: 309467882-0
                                • Opcode ID: d2e4dc48f32eb5dca7a961d0ae0d3446ee5691f8ba6171a797f4f09e6e542bee
                                • Instruction ID: 3deed7dd762c3e0735de54defd2c07dc1efa63f2c70efa1d62886e5391c45cef
                                • Opcode Fuzzy Hash: d2e4dc48f32eb5dca7a961d0ae0d3446ee5691f8ba6171a797f4f09e6e542bee
                                • Instruction Fuzzy Hash: E8316CB0915B41CFDB61EF6981502ABFFF4BF65314F20895EC29A87BA0C7B1A644CB11
                                Uniqueness

                                Uniqueness Score: 0.04%

                                C-Code - Quality: 16%
                                			E012715A0(intOrPtr __ecx, void* __eflags, signed int _a4) {
                                				intOrPtr _v0;
                                				signed int* _v8;
                                				intOrPtr _v12;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				intOrPtr* _t18;
                                				void* _t19;
                                				void* _t23;
                                				void* _t26;
                                				intOrPtr _t27;
                                				intOrPtr* _t32;
                                				signed int _t33;
                                				void* _t44;
                                				void* _t45;
                                				void* _t47;
                                				intOrPtr _t48;
                                				intOrPtr* _t49;
                                				void* _t51;
                                
                                				L012713A0(_t26, __ecx, _t44, _t47);
                                				asm("int3");
                                				asm("int3");
                                				asm("int3");
                                				asm("int3");
                                				asm("int3");
                                				asm("int3");
                                				_t48 =  *((intOrPtr*)(__ecx));
                                				_t27 =  *((intOrPtr*)(_t48 - 0xc));
                                				_t49 = _t48 - 0x10;
                                				_v12 = __ecx;
                                				_t18 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t49)) + 0x10))))(_t44, _t47, _t26, __ecx, _t51, 0x8007000e);
                                				_t32 = _t18; // executed
                                				_t19 =  *((intOrPtr*)( *((intOrPtr*)( *_t18))))(_v0, 2); // executed
                                				_t45 = _t19;
                                				_t58 = _t45;
                                				if(_t45 == 0) {
                                					E012715A0(_t32, _t58);
                                				}
                                				_t20 = _a4;
                                				if(_t27 < _a4) {
                                					_t20 = _t27;
                                				}
                                				_t9 = _t45 + 0x10; // 0x10
                                				_t33 = _t9;
                                				_a4 = _t33;
                                				E01368305(_t33, _t20 + _t20 + 2, _t49 + 0x10, _t20 + _t20 + 2);
                                				 *((intOrPtr*)(_t45 + 4)) = _t27;
                                				_t23 = _t49 + 0xc;
                                				asm("lock xadd [eax], ecx");
                                				if((_t33 | 0xffffffff) - 1 <= 0) {
                                					_t23 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t49)) + 4))))(_t49);
                                				}
                                				 *_v8 = _a4;
                                				return _t23;
                                			}























                                APIs
                                • _memcpy_s.LIBCMT ref: 012715FE
                                  • Part of subcall function 01368305: _memmove.LIBCMT ref: 01368341
                                  • Part of subcall function 01368305: _memset.LIBCMT ref: 01368353
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: _memcpy_s_memmove_memset
                                • String ID:
                                • API String ID: 4034675494-0
                                • Opcode ID: ab3a7f9b07113e3e71acea58f890ff8e893e4ab0888939f1e872505e76f3ffa6
                                • Instruction ID: 3f6d5de4d0ed79dac6eb470612678ae0757681490cf75bfc29d7144019962644
                                • Opcode Fuzzy Hash: ab3a7f9b07113e3e71acea58f890ff8e893e4ab0888939f1e872505e76f3ffa6
                                • Instruction Fuzzy Hash: F5116D76600605AFC719DFACD880CABB3A9FF89250725865EE6598B350EB31ED00CBD0
                                Uniqueness

                                Uniqueness Score: 3.53%

                                C-Code - Quality: 86%
                                			E01376E77(signed int _a4, signed int _a8, long _a12) {
                                				void* _t10;
                                				long _t11;
                                				long _t12;
                                				signed int _t13;
                                				signed int _t17;
                                				long _t19;
                                				long _t24;
                                
                                				_t17 = _a4;
                                				if(_t17 == 0) {
                                					L3:
                                					_t24 = _t17 * _a8;
                                					__eflags = _t24;
                                					if(_t24 == 0) {
                                						_t24 = _t24 + 1;
                                						__eflags = _t24;
                                					}
                                					goto L5;
                                					L6:
                                					_t10 = RtlAllocateHeap( *0x13dbfbc, 8, _t24); // executed
                                					__eflags = 0;
                                					if(0 == 0) {
                                						goto L7;
                                					}
                                					L14:
                                					return _t10;
                                					goto L15;
                                					L7:
                                					__eflags =  *0x13dc324;
                                					if( *0x13dc324 == 0) {
                                						_t19 = _a12;
                                						__eflags = _t19;
                                						if(_t19 != 0) {
                                							 *_t19 = 0xc;
                                						}
                                					} else {
                                						_t11 = L01373BCA(_t10, _t24);
                                						__eflags = _t11;
                                						if(_t11 != 0) {
                                							L5:
                                							_t10 = 0;
                                							__eflags = _t24 - 0xffffffe0;
                                							if(_t24 > 0xffffffe0) {
                                								goto L7;
                                							} else {
                                								goto L6;
                                							}
                                						} else {
                                							_t12 = _a12;
                                							__eflags = _t12;
                                							if(_t12 != 0) {
                                								 *_t12 = 0xc;
                                							}
                                							_t10 = 0;
                                						}
                                					}
                                					goto L14;
                                				} else {
                                					_t13 = 0xffffffe0;
                                					_t27 = _t13 / _t17 - _a8;
                                					if(_t13 / _t17 >= _a8) {
                                						goto L3;
                                					} else {
                                						 *((intOrPtr*)(L01369B1B(_t27))) = 0xc;
                                						return 0;
                                					}
                                				}
                                				L15:
                                			}











                                APIs
                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01371997,?,?,00000000,00000000,00000000,?,0136E3EA,00000001,00000214,?,01369B20), ref: 01376EBA
                                  • Part of subcall function 01373BCA: DecodePointer.KERNEL32(?,013695F0,?,?,?,01274776,?,?,?,01277D41,0000000C,00000004,012713B8,?,?,01272720), ref: 01373BD5
                                  • Part of subcall function 01369B1B: __getptd_noexit.LIBCMT ref: 01369B1B
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AllocateDecodeHeapPointer__getptd_noexit
                                • String ID:
                                • API String ID: 2551771081-0
                                • Opcode ID: 15b5a7f2c3390ee6f07a12ce9f232a431926f0c352fa4d8d9cd0d160c8a11907
                                • Instruction ID: e7c4c3d5e872ff038e8e3237bafe639c9816585901485ef93e5bffac6d879d4d
                                • Opcode Fuzzy Hash: 15b5a7f2c3390ee6f07a12ce9f232a431926f0c352fa4d8d9cd0d160c8a11907
                                • Instruction Fuzzy Hash: 6201B171201B15DBFB358E2CDE65BAB3799AF81768F044929E80D8B9D4DB38D800C760
                                Uniqueness

                                Uniqueness Score: 0.01%

                                C-Code - Quality: 89%
                                			E0127B362(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t17;
                                				intOrPtr _t19;
                                				intOrPtr _t21;
                                				long* _t24;
                                				intOrPtr _t25;
                                				intOrPtr* _t30;
                                				void* _t31;
                                
                                				_t23 = __ecx;
                                				_t22 = __ebx;
                                				_push(4);
                                				L01369601(0x137f035, __ebx, __edi, __esi);
                                				_t30 = __ecx;
                                				if((0 |  *((intOrPtr*)(_t31 + 8)) != 0x00000000) == 0) {
                                					L1:
                                					L01277AC9(_t23);
                                				}
                                				if( *_t30 == 0) {
                                					_t23 =  *0x13d6350; // 0x0
                                					if(_t23 != 0) {
                                						L5:
                                						_t19 = E0127AF7B(_t23); // executed
                                						 *_t30 = _t19;
                                						if(_t19 == 0) {
                                							goto L1;
                                						}
                                					} else {
                                						 *((intOrPtr*)(_t31 - 0x10)) = 0x13d6354;
                                						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
                                						_t21 = L0127B093(0x13d6354);
                                						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
                                						_t23 = _t21;
                                						 *0x13d6350 = _t21;
                                						if(_t21 == 0) {
                                							goto L1;
                                						} else {
                                							goto L5;
                                						}
                                					}
                                				}
                                				_t24 =  *0x13d6350; // 0x0
                                				_t28 = E0127AE1D(_t24,  *_t30);
                                				_t39 = _t28;
                                				if(_t28 == 0) {
                                					_t17 =  *((intOrPtr*)(_t31 + 8))();
                                					_t25 =  *0x13d6350; // 0x0
                                					_t28 = _t17;
                                					_push(_t17);
                                					_push( *_t30);
                                					L0127B13A(_t22, _t25, _t17, _t30, _t39);
                                				}
                                				return L013696D9(_t28);
                                			}











                                APIs
                                • __EH_prolog3.LIBCMT ref: 0127B369
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 0127B093: TlsAlloc.KERNEL32(?,0127B3A1,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004,0127126A,00000000), ref: 0127B0B2
                                  • Part of subcall function 0127B093: InitializeCriticalSection.KERNEL32(013D6370,?,0127B3A1,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004,0127126A,00000000), ref: 0127B0C8
                                  • Part of subcall function 0127AF7B: EnterCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000,?,0127B3B6,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 0127AF8E
                                  • Part of subcall function 0127AF7B: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,00000000,00000000,?,0127B3B6,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004), ref: 0127AFE4
                                  • Part of subcall function 0127AF7B: GlobalHandle.KERNEL32(?), ref: 0127AFED
                                  • Part of subcall function 0127AF7B: GlobalUnlock.KERNEL32(00000000,?,?,?,00000000,00000000,?,0127B3B6,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 0127AFF7
                                  • Part of subcall function 0127AF7B: GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 0127B010
                                  • Part of subcall function 0127AF7B: GlobalHandle.KERNEL32(?), ref: 0127B022
                                  • Part of subcall function 0127AF7B: GlobalLock.KERNEL32 ref: 0127B029
                                  • Part of subcall function 0127AF7B: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000000,?,0127B3B6,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 0127B032
                                  • Part of subcall function 0127AF7B: GlobalLock.KERNEL32 ref: 0127B03E
                                  • Part of subcall function 0127AF7B: _memset.LIBCMT ref: 0127B058
                                  • Part of subcall function 0127AF7B: LeaveCriticalSection.KERNEL32(?), ref: 0127B086
                                  • Part of subcall function 0127AE1D: EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,0127B3C9,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004), ref: 0127AE2B
                                  • Part of subcall function 0127AE1D: TlsGetValue.KERNEL32 ref: 0127AE3F
                                  • Part of subcall function 0127AE1D: LeaveCriticalSection.KERNEL32(0000001C,?,?,?,?,0127B3C9,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004), ref: 0127AE55
                                  • Part of subcall function 0127AE1D: LeaveCriticalSection.KERNEL32(0000001C,?,?,?,?,0127B3C9,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004), ref: 0127AE60
                                  • Part of subcall function 0127B13A: __EH_prolog3_catch.LIBCMT ref: 0127B141
                                  • Part of subcall function 0127B13A: EnterCriticalSection.KERNEL32(?,00000010,0127B3E2,?,00000000,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004,0127126A), ref: 0127B152
                                  • Part of subcall function 0127B13A: TlsGetValue.KERNEL32 ref: 0127B170
                                  • Part of subcall function 0127B13A: LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 0127B1A4
                                  • Part of subcall function 0127B13A: LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004), ref: 0127B203
                                  • Part of subcall function 0127B13A: LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004,0127126A,00000000), ref: 0127B210
                                  • Part of subcall function 0127B13A: _memset.LIBCMT ref: 0127B22F
                                  • Part of subcall function 0127B13A: TlsSetValue.KERNEL32(?,00000000), ref: 0127B240
                                  • Part of subcall function 0127B13A: LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004,0127126A,00000000), ref: 0127B261
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CriticalSection$Global$Leave$Alloc$EnterValue$HandleLocalLock_memset$Exception@8H_prolog3H_prolog3_catchInitializeThrowUnlock
                                • String ID:
                                • API String ID: 1698324972-0
                                • Opcode ID: 3369f4a5ebb9e9291a5c2ad993aac45d5dabd718eea97637c0b74d66bbfaec97
                                • Instruction ID: 7a8b4291f39415bd7a63d6237891068089373923d70bc9fbe733b84c49776add
                                • Opcode Fuzzy Hash: 3369f4a5ebb9e9291a5c2ad993aac45d5dabd718eea97637c0b74d66bbfaec97
                                • Instruction Fuzzy Hash: 25018F74221203CBDB26AF78D46173F3AA6BF54368F18442CEA6187398EF318841CB11
                                Uniqueness

                                Uniqueness Score: 0.02%

                                C-Code - Quality: 83%
                                			E0127F46B(void* __ebx, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16) {
                                				void* __ebp;
                                				void* _t14;
                                				void* _t15;
                                				void* _t21;
                                				void* _t22;
                                				signed int _t23;
                                
                                				_t21 = __edx;
                                				_t15 = __ecx;
                                				_t14 = __ebx;
                                				_t7 = _a4;
                                				if(_a4 == 0) {
                                					L1:
                                					_t7 = L01277AC9(_t15);
                                				}
                                				if(_a16 == 0) {
                                					goto L1;
                                				}
                                				_push(_t23);
                                				E01273740(_t14, _t7 + 0x1c); // executed
                                				L0136B99F(_t22, _a4, _a16);
                                				asm("sbb esi, esi");
                                				L01271470(_a4 + 0xfffffff0, _t21);
                                				return  ~_t23;
                                			}










                                APIs
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • __wcsicoll.LIBCMT ref: 0127F495
                                  • Part of subcall function 0136B99F: __wcsicoll_l.LIBCMT ref: 0136BA1F
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Exception@8Throw__wcsicoll__wcsicoll_l
                                • String ID:
                                • API String ID: 1763040022-0
                                • Opcode ID: de2becac4a2c4ecc8cf58533c5b6ae88dea74198b5524d149091f0ba2198bce2
                                • Instruction ID: 0b2feab633705f0f7aa3f8bb76bd6920bb4c4187f2adbff173c4e5b246753451
                                • Opcode Fuzzy Hash: de2becac4a2c4ecc8cf58533c5b6ae88dea74198b5524d149091f0ba2198bce2
                                • Instruction Fuzzy Hash: 27E0223221411B67CB04FEACEC60EEB7B68DF106A4F044215FA95C21D0DB30E950C6E1
                                Uniqueness

                                Uniqueness Score: 3.32%

                                C-Code - Quality: 100%
                                			E012785A0(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
                                				void* __edi;
                                				void* __esi;
                                				intOrPtr* _t11;
                                				void* _t15;
                                				intOrPtr _t16;
                                				intOrPtr _t17;
                                
                                				_t17 = _a4;
                                				_t16 = __ecx;
                                				if(_t17 >= 0) {
                                					_t11 = E0136956D(_t15, __ecx, _t17, (_t17 + 1) * _a8 + 0x10); // executed
                                					if(_t11 == 0) {
                                						goto L1;
                                					}
                                					 *(_t11 + 4) =  *(_t11 + 4) & 0x00000000;
                                					 *_t11 = _t16;
                                					 *((intOrPtr*)(_t11 + 0xc)) = 1;
                                					 *((intOrPtr*)(_t11 + 8)) = _t17;
                                					return _t11;
                                				}
                                				L1:
                                				return 0;
                                			}










                                APIs
                                • _malloc.LIBCMT ref: 012785BF
                                  • Part of subcall function 0136956D: __FF_MSGBANNER.LIBCMT ref: 01369586
                                  • Part of subcall function 0136956D: __NMSG_WRITE.LIBCMT ref: 0136958D
                                  • Part of subcall function 0136956D: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,01274776,?,?,?,01277D41,0000000C,00000004,012713B8,?), ref: 013695B2
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AllocateHeap_malloc
                                • String ID:
                                • API String ID: 501242067-0
                                • Opcode ID: 8a409ea931fe136458acac23886561d95474f355b6cc0838c96725ac0dec9b3c
                                • Instruction ID: f302b6fb572b2ecf2ac890e88d3ad5108ff0146dfad08885b222534a5b0ab2df
                                • Opcode Fuzzy Hash: 8a409ea931fe136458acac23886561d95474f355b6cc0838c96725ac0dec9b3c
                                • Instruction Fuzzy Hash: DFE06D725102169FC7008B4AD408B47BBDCEFA1374B16C426E904CB262DAB1E4048BA0
                                Uniqueness

                                Uniqueness Score: 0.89%

                                C-Code - Quality: 88%
                                			E0127AE89(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr* _t19;
                                				void* _t20;
                                
                                				_push(8);
                                				L01369634(0x137efef, __ebx, __edi, __esi);
                                				_t19 = __ecx;
                                				if( *__ecx == 0) {
                                					E012866AF(0x10);
                                					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                                					if( *__ecx == 0) {
                                						 *__ecx =  *((intOrPtr*)(_t20 + 8))();
                                					}
                                					 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
                                					E01286721(0x10);
                                				}
                                				return L013696D9( *_t19);
                                			}






                                APIs
                                • __EH_prolog3_catch.LIBCMT ref: 0127AE90
                                  • Part of subcall function 012866AF: EnterCriticalSection.KERNEL32(013D81D8,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 012866E9
                                  • Part of subcall function 012866AF: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 012866FB
                                  • Part of subcall function 012866AF: LeaveCriticalSection.KERNEL32(013D81D8,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 01286708
                                  • Part of subcall function 012866AF: EnterCriticalSection.KERNEL32(?,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 01286718
                                  • Part of subcall function 01286721: LeaveCriticalSection.KERNEL32(?,?,0127AEBE,00000010,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291,00000004,0127126A), ref: 0128673C
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeave$H_prolog3_catchInitialize
                                • String ID:
                                • API String ID: 428076675-0
                                • Opcode ID: 321d8811c0ed50e7c8112b24f9e15266c7c0c2973aedeae28b00a047cc804a13
                                • Instruction ID: 533b40f241e7fa76660c919e8eeb1ecdf388b54222f1fe875cbf74ff4a8ddee1
                                • Opcode Fuzzy Hash: 321d8811c0ed50e7c8112b24f9e15266c7c0c2973aedeae28b00a047cc804a13
                                • Instruction Fuzzy Hash: 54E04F342123079BEB60FFA8C505B5DB6E0BF20378F604968EAD0EB2C4DBB08954DB11
                                Uniqueness

                                Uniqueness Score: 0.04%

                                C-Code - Quality: 89%
                                			E012792B4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr* _t6;
                                				intOrPtr* _t14;
                                				void* _t15;
                                
                                				_push(4);
                                				L01369601(0x137ec21, __ebx, __edi, __esi);
                                				_t14 = E0127ADEA(0x8c);
                                				 *((intOrPtr*)(_t15 - 0x10)) = _t14;
                                				_t6 = 0;
                                				 *((intOrPtr*)(_t15 - 4)) = 0;
                                				_t17 = _t14;
                                				if(_t14 != 0) {
                                					E01279154(__ebx, _t14, __edx, __edi, _t14, _t17, 1); // executed
                                					 *_t14 = 0x138f0c4;
                                					_t6 = _t14;
                                				}
                                				return L013696D9(_t6);
                                			}







                                APIs
                                • __EH_prolog3.LIBCMT ref: 012792BB
                                  • Part of subcall function 0127ADEA: LocalAlloc.KERNEL32(00000040,?,?,0127B1B6,00000010,?,?,00000000,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004), ref: 0127ADF4
                                  • Part of subcall function 01279154: __EH_prolog3_catch.LIBCMT ref: 0127915B
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AllocH_prolog3H_prolog3_catchLocal
                                • String ID:
                                • API String ID: 1948148156-0
                                • Opcode ID: 549eaa8e550b118fef695d248330ff08aa538d43f351b57905ede1545417f1aa
                                • Instruction ID: 14a19c296e7bab6b4c4afbdc3de9f03315e850f0d05aa1e57196a05c6382d47e
                                • Opcode Fuzzy Hash: 549eaa8e550b118fef695d248330ff08aa538d43f351b57905ede1545417f1aa
                                • Instruction Fuzzy Hash: 25D017B8A103239BDF10BBB8085075D64A4AB14B2CF1148A9D250EB2C0DA754945C395
                                Uniqueness

                                Uniqueness Score: 0.02%

                                C-Code - Quality: 75%
                                			E013689A2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t9;
                                				void* _t17;
                                
                                				_push(0xc);
                                				_push(0x13cab40);
                                				L01369A80(__ebx, __edi, __esi);
                                				L0136974E();
                                				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
                                				_t9 = E013688BB( *((intOrPtr*)(_t17 + 8))); // executed
                                				 *((intOrPtr*)(_t17 - 0x1c)) = _t9;
                                				 *(_t17 - 4) = 0xfffffffe;
                                				E013689D8();
                                				return L01369AC5( *((intOrPtr*)(_t17 - 0x1c)));
                                			}






                                APIs
                                  • Part of subcall function 0136974E: __lock.LIBCMT ref: 01369750
                                • __onexit_nolock.LIBCMT ref: 013689BA
                                  • Part of subcall function 013688BB: RtlDecodePointer.NTDLL(?,?,?,?,?,013689BF,?,013CAB40,0000000C,013689EB,?,?,0128A171,Function_0001A078), ref: 013688D0
                                  • Part of subcall function 013688BB: RtlDecodePointer.NTDLL(?,?,?,?,?,013689BF,?,013CAB40,0000000C,013689EB,?,?,0128A171,Function_0001A078), ref: 013688DD
                                  • Part of subcall function 013688BB: __realloc_crt.LIBCMT ref: 0136891A
                                  • Part of subcall function 013688BB: __realloc_crt.LIBCMT ref: 01368930
                                  • Part of subcall function 013688BB: RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,013689BF,?,013CAB40,0000000C,013689EB,?,?,0128A171,Function_0001A078), ref: 01368942
                                  • Part of subcall function 013688BB: RtlEncodePointer.NTDLL(?,?,?,?,?,?,013689BF,?,013CAB40,0000000C,013689EB,?,?,0128A171,Function_0001A078), ref: 01368956
                                  • Part of subcall function 013688BB: RtlEncodePointer.NTDLL(-00000004,?,?,?,?,?,013689BF,?,013CAB40,0000000C,013689EB,?,?,0128A171,Function_0001A078), ref: 0136895E
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
                                • String ID:
                                • API String ID: 3536590627-0
                                • Opcode ID: fed460004a64cf21f6a22f21665b4aeda535a8525ffbfe153f3fdbe352197750
                                • Instruction ID: cf1191b4a0f2a1a6aa8ccb6af5755fea2ac4573442ddf773e2d3ad31feeb153b
                                • Opcode Fuzzy Hash: fed460004a64cf21f6a22f21665b4aeda535a8525ffbfe153f3fdbe352197750
                                • Instruction Fuzzy Hash: 65D05E30D0130AEEEF00FFACD800B9DBAB46F6472CF60C198E024B62D8CA780A018B11
                                Uniqueness

                                Uniqueness Score: 0.31%

                                C-Code - Quality: 87%
                                			E01274C1A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t5;
                                				intOrPtr _t6;
                                				intOrPtr _t9;
                                				void* _t12;
                                
                                				_push(4);
                                				L01369601(0x137ec21, __ebx, __edi, __esi);
                                				_t5 = E0127ADEA(0x54); // executed
                                				_t9 = _t5;
                                				 *((intOrPtr*)(_t12 - 0x10)) = _t9;
                                				_t6 = 0;
                                				 *((intOrPtr*)(_t12 - 4)) = 0;
                                				if(_t9 != 0) {
                                					_t6 = E01278CD6(_t9);
                                				}
                                				return L013696D9(_t6);
                                			}








                                APIs
                                • __EH_prolog3.LIBCMT ref: 01274C21
                                  • Part of subcall function 0127ADEA: LocalAlloc.KERNEL32(00000040,?,?,0127B1B6,00000010,?,?,00000000,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004), ref: 0127ADF4
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AllocH_prolog3Local
                                • String ID:
                                • API String ID: 3026274235-0
                                • Opcode ID: eacafe9a9ebcbda79dc5cbfb3ed9b57fe5eb4c793ca2c66ebda8a091191386a2
                                • Instruction ID: e07e86af454ae04ed05ed4a3334e5156637196ad62c296e3381928a3f1210e2f
                                • Opcode Fuzzy Hash: eacafe9a9ebcbda79dc5cbfb3ed9b57fe5eb4c793ca2c66ebda8a091191386a2
                                • Instruction Fuzzy Hash: A8D0C9B4A652079FEF08BBB8096176E24956B1452DF4184A88201E7280EA704904D765
                                Uniqueness

                                Uniqueness Score: 0.02%

                                C-Code - Quality: 58%
                                			E01369736(int _a4) {
                                
                                				_push(_a4);
                                				E0138B908(); // executed
                                				ExitProcess(_a4);
                                			}




                                APIs
                                  • Part of subcall function 0138B908: GetModuleHandleW.KERNEL32(00000000), ref: 0138B910
                                  • Part of subcall function 0138B908: VirtualAlloc.KERNEL32(00000000,00000020,00001000,00000040), ref: 0138B938
                                  • Part of subcall function 0138B908: VirtualAlloc.KERNEL32(00000000,-00000010,00001000,00000040,?,00000010,?), ref: 0138B982
                                  • Part of subcall function 0138B908: ExitProcess.KERNEL32(00000000), ref: 0138B9CE
                                • ExitProcess.KERNEL32 ref: 01369747
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AllocExitProcessVirtual$HandleModule
                                • String ID:
                                • API String ID: 1936096957-0
                                • Opcode ID: a7eb06a4e0a3eec9bc75537b95f2010e534c841a1d5fb24a79cfced7b21ed326
                                • Instruction ID: 4315adc44118dfe1e8af5f2b99312ac5f6ecd20cf0434911b7663ad0b2a9ae94
                                • Opcode Fuzzy Hash: a7eb06a4e0a3eec9bc75537b95f2010e534c841a1d5fb24a79cfced7b21ed326
                                • Instruction Fuzzy Hash: A2B0923101020EBBDF113F56DC09C8DBF6EEB803A0B514020F80C89065DF72ADA29A90
                                Uniqueness

                                Uniqueness Score: 0.01%

                                APIs
                                • RtlEncodePointer.NTDLL(00000000,0137904E,013DB778,00000314,00000000,?,?,?,?,?,0136DA47,013DB778,Microsoft Visual C++ Runtime Library,00012010), ref: 0136E24D
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: EncodePointer
                                • String ID:
                                • API String ID: 2118026453-0
                                • Opcode ID: 95b57584b1e1da5aca5b2b5d9432cb86d5773545c8c85641ff2a8ce045d1f933
                                • Instruction ID: 3cd6d8366c6216f0c5f0f5cb19a4819adb5a760fb5e30a86c5185e0a9f7d1657
                                • Opcode Fuzzy Hash: 95b57584b1e1da5aca5b2b5d9432cb86d5773545c8c85641ff2a8ce045d1f933
                                • Instruction Fuzzy Hash:
                                Uniqueness

                                Uniqueness Score: 0.04%

                                C-Code - Quality: 100%
                                			E0127ADEA(long _a4) {
                                				void* __ebp;
                                				void* _t2;
                                				void* _t4;
                                
                                				_t2 = LocalAlloc(0x40, _a4); // executed
                                				if(_t2 == 0) {
                                					return L01277A91(_t4);
                                				}
                                				return _t2;
                                			}







                                APIs
                                • LocalAlloc.KERNEL32(00000040,?,?,0127B1B6,00000010,?,?,00000000,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004), ref: 0127ADF4
                                  • Part of subcall function 01277A91: __CxxThrowException@8.LIBCMT ref: 01277AA7
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AllocException@8LocalThrow
                                • String ID:
                                • API String ID: 1303345533-0
                                • Opcode ID: f49de26f9be332bf703e3921543abc80d386f2d0f9d713e4610746e7ad713bd7
                                • Instruction ID: cfeda23843346e3bd1c44ccdb90f0335b96f77468b623e2e483ac01b1f1a9376
                                • Opcode Fuzzy Hash: f49de26f9be332bf703e3921543abc80d386f2d0f9d713e4610746e7ad713bd7
                                • Instruction Fuzzy Hash: 66C02B3214030B3BE7103BE7E80AF9F3F4C9BB4760F044020FB0845000DA71C22286B5
                                Uniqueness

                                Uniqueness Score: 0.06%

                                Non-executed Functions

                                C-Code - Quality: 42%
                                			E01272B00(void* __ebx, void* __esi, WCHAR* _a4) {
                                				char _v8;
                                				char _v16;
                                				signed int _v20;
                                				char _v538;
                                				short _v540;
                                				char _v1058;
                                				char _v1060;
                                				struct _WIN32_FIND_DATAW _v1652;
                                				char _v1656;
                                				void* _v1660;
                                				void* _v1664;
                                				char _v1668;
                                				void* _v1672;
                                				signed int _v1756;
                                				void* __edi;
                                				signed int _t79;
                                				signed int _t80;
                                				void* _t85;
                                				short* _t90;
                                				void* _t95;
                                				intOrPtr* _t98;
                                				void* _t100;
                                				WCHAR*** _t110;
                                				intOrPtr* _t111;
                                				intOrPtr* _t115;
                                				intOrPtr* _t117;
                                				intOrPtr* _t119;
                                				signed int _t127;
                                				signed int _t129;
                                				void* _t138;
                                				void* _t143;
                                				void* _t149;
                                				void* _t167;
                                				intOrPtr _t177;
                                				signed int _t178;
                                				WCHAR* _t186;
                                				signed int _t199;
                                				void* _t201;
                                				void* _t203;
                                				intOrPtr* _t205;
                                				intOrPtr _t206;
                                				void* _t211;
                                				char _t212;
                                				void* _t213;
                                				signed int _t215;
                                				void* _t217;
                                				void* _t219;
                                				void* _t220;
                                				void* _t221;
                                				void* _t224;
                                				intOrPtr* _t227;
                                
                                				_t79 =  *0x13d3570; // 0x99b5b578
                                				_t80 = _t79 ^ _t215;
                                				_v20 = _t80;
                                				 *[fs:0x0] =  &_v16;
                                				_v8 = 0;
                                				_v540 = 0;
                                				L01367D50( &_v538, 0, 0x206);
                                				_t186 = 0;
                                				_v1060 = 0;
                                				_t85 = L01367D50( &_v1058, 0, 0x206);
                                				_t219 = _t217 - 0x678 + 0x18;
                                				__imp__SHGetSpecialFolderPathW(0,  &_v1060, 0x17, 0, _t80, _t201, __esi, __ebx,  *[fs:0x0], 0x137ea44, 0xffffffff);
                                				if(_t85 == 0) {
                                					L22:
                                					SHDeleteKeyW(0x80000002, _a4);
                                					SHDeleteKeyW(0x80000002, L"SOFTWARE\\Asus\\ASUS Live Update");
                                					_t90 =  &(_a4[0xfffffffffffffff8]);
                                					_v8 = 0xffffffff;
                                					asm("lock xadd [ecx], edx");
                                					_t188 = (_t186 | 0xffffffff) - 1;
                                					if((_t186 | 0xffffffff) - 1 <= 0) {
                                						_t188 =  *( *_t90);
                                						_t90 =  *((intOrPtr*)( *((intOrPtr*)( *( *_t90) + 4))))(_t90);
                                					}
                                					 *[fs:0x0] = _v16;
                                					_pop(_t203);
                                					_pop(_t211);
                                					_pop(_t149);
                                					return L01367D3E(_t90, _t149, _v20 ^ _t215, _t188, _t203, _t211);
                                				} else {
                                					_t150 = wsprintfW;
                                					wsprintfW( &_v540, L"%s\\ASUS Utility\\ASUS Live Update\\*.Lnk",  &_v1060);
                                					_t220 = _t219 + 0xc;
                                					_t186 =  &_v540;
                                					_t95 = FindFirstFileW(_t186,  &_v1652);
                                					_v1672 = _t95;
                                					if(_t95 == 0xffffffff) {
                                						goto L22;
                                					} else {
                                						wsprintfW( &_v540, L"%s\\ASUS Utility\\ASUS Live Update\\%s",  &_v1060,  &(_v1652.cFileName));
                                						_t221 = _t220 + 0x10;
                                						__imp__CoInitialize(0);
                                						_v1660 = 0;
                                						_v8 = 1;
                                						_t98 = E0127859A();
                                						_t227 = _t98;
                                						_t162 = 0 | _t227 == 0x00000000;
                                						if(_t227 == 0) {
                                							_push(0x80004005);
                                							_t98 = L012713A0(wsprintfW, _t162, 0, __esi);
                                						}
                                						_t100 =  *((intOrPtr*)( *((intOrPtr*)( *_t98 + 0xc))))();
                                						_t22 = _t100 + 0x10; // 0x10
                                						_t212 = _t22;
                                						_v1656 = _t212;
                                						__imp__CoCreateInstance(0x13b6a44, 0, 1, 0x13b69d4,  &_v1660);
                                						if(_t100 < 0) {
                                							L18:
                                							__imp__CoUninitialize();
                                							DeleteFileW( &_v540);
                                							wsprintfW( &_v540, L"%s\\ASUS Utility\\ASUS Live Update",  &_v1060);
                                							RemoveDirectoryW( &_v540);
                                							wsprintfW( &_v540, L"%s\\ASUS Utility",  &_v1060);
                                							RemoveDirectoryW( &_v540);
                                							_t167 = _v1672;
                                							FindClose(_t167);
                                							_t62 = _t212 - 0x10; // 0x0
                                							_t110 = _t62;
                                							_v8 = 1;
                                							_t64 =  &(_t110[3]); // 0xc
                                							_t186 = _t64;
                                							asm("lock xadd [edx], ecx");
                                							if((_t167 | 0xffffffff) - 1 <= 0) {
                                								_t186 =  *( *_t110);
                                								 *(_t186[2])(_t110);
                                							}
                                							_t111 = _v1660;
                                							_v8 = 0;
                                							if(_t111 != 0) {
                                								_t186 =  *( *_t111 + 8);
                                								 *_t186(_t111);
                                							}
                                							goto L22;
                                						} else {
                                							_v1664 = 0;
                                							_t115 = _v1660;
                                							_push( &_v1664);
                                							_push(0x13b69f4);
                                							_push(_t115);
                                							_v8 = 3;
                                							if( *((intOrPtr*)( *((intOrPtr*)( *_t115))))() < 0) {
                                								L16:
                                								_t117 = _v1664;
                                								_v8 = 2;
                                								if(_t117 != 0) {
                                									 *((intOrPtr*)( *((intOrPtr*)( *_t117 + 8))))(_t117);
                                								}
                                								goto L18;
                                							} else {
                                								_t119 = _v1664;
                                								_push(0);
                                								_push( &_v540);
                                								_push(_t119);
                                								if( *((intOrPtr*)( *((intOrPtr*)( *_t119 + 0x14))))() < 0) {
                                									goto L16;
                                								} else {
                                									_t205 = _v1660;
                                									if(( *((intOrPtr*)(_t212 - 8)) - 0x00000400 | 0x00000001 -  *((intOrPtr*)(_t212 - 4))) < 0) {
                                										E012724D0( &_v1656, 0x400);
                                										_t212 = _v1656;
                                									}
                                									_t177 =  *_t205;
                                									_push(4);
                                									_push(0);
                                									_push(0x400);
                                									_push(_t212);
                                									_push(_t205);
                                									if( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0xc))))() < 0) {
                                										goto L16;
                                									} else {
                                										_t127 = E013682E5(_t212,  *((intOrPtr*)(_t212 - 8)));
                                										_t224 = _t221 + 8;
                                										if(_t127 < 0) {
                                											L25:
                                											_push(0x80070057);
                                											L012713A0(_t150, _t177, _t205, _t212);
                                											asm("int3");
                                											asm("int3");
                                											asm("int3");
                                											asm("int3");
                                											asm("int3");
                                											asm("int3");
                                											asm("int3");
                                											_push(_t215);
                                											_t199 = _v1756;
                                											_push(_t205);
                                											_t206 = _t177;
                                											__eflags = _t199;
                                											if(_t199 != 0) {
                                												_t129 = _t199;
                                												_push(_t212);
                                												_t213 = _t129 + 2;
                                												do {
                                													_t178 =  *_t129;
                                													_t129 = _t129 + 2;
                                													__eflags = _t178;
                                												} while (_t178 != 0);
                                												__eflags = _t129 - _t213;
                                												E01272810(_t206, _t199, _t129 - _t213 >> 1);
                                												return _t206;
                                											} else {
                                												__eflags = 0;
                                												E01272810(_t177, _t199, 0);
                                												return _t206;
                                											}
                                										} else {
                                											_t235 = _t127 -  *((intOrPtr*)(_t212 - 8));
                                											if(_t127 >  *((intOrPtr*)(_t212 - 8))) {
                                												goto L25;
                                											} else {
                                												 *(_t212 - 0xc) = _t127;
                                												 *((short*)(_t212 + _t127 * 2)) = 0;
                                												_t138 = E01272940( &_v1656,  &_v1668, E01272310( &_v1656, _t235, 0x5c));
                                												_v8 = 4;
                                												E01272A30( &_v1656, _t138);
                                												_v8 = 3;
                                												E01272440( &_v1668,  &_v1668);
                                												 *0x13d4f00 = GetCurrentProcessId();
                                												EnumWindows( &M01271700, 0);
                                												_t143 = E012741D0();
                                												_push(L"ASUS Live Updata");
                                												if(_t143 == 0) {
                                													_push(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
                                													SHDeleteValueW(0x80000002);
                                												} else {
                                													E0137E640();
                                													_t224 = _t224 + 4;
                                												}
                                												_t212 = _v1656;
                                												L01273EF0(_t150, _t205, _t212);
                                												_t221 = _t224 + 4;
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                			}























































                                APIs
                                • _memset.LIBCMT ref: 01272B49
                                • _memset.LIBCMT ref: 01272B64
                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000017,00000000), ref: 01272B77
                                • wsprintfW.USER32 ref: 01272B9E
                                • FindFirstFileW.KERNEL32(?,?), ref: 01272BB1
                                • wsprintfW.USER32 ref: 01272BE0
                                • CoInitialize.OLE32(00000000), ref: 01272BE6
                                • CoCreateInstance.OLE32(013B6A44,00000000,00000001,013B69D4,?), ref: 01272C36
                                • _wcsnlen.LIBCMT ref: 01272CDC
                                  • Part of subcall function 01272310: _wcsrchr.LIBCMT ref: 0127231D
                                • GetCurrentProcessId.KERNEL32 ref: 01272D3D
                                • EnumWindows.USER32(Function_00001700,00000000), ref: 01272D4F
                                  • Part of subcall function 012741D0: GetVersionExW.KERNEL32(?), ref: 012741F4
                                • SHDeleteValueW.SHLWAPI(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ASUS Live Updata), ref: 01272D77
                                  • Part of subcall function 01273EF0: _memset.LIBCMT ref: 01273F1D
                                  • Part of subcall function 01273EF0: FindFirstFileW.KERNEL32(?,?,?,?,7633E061,?,?,?), ref: 01273F8A
                                  • Part of subcall function 01273EF0: _memset.LIBCMT ref: 01273FD6
                                  • Part of subcall function 01273EF0: _memset.LIBCMT ref: 01273FF1
                                  • Part of subcall function 01273EF0: AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0127402A
                                  • Part of subcall function 01273EF0: LookupAccountSidW.ADVAPI32(00000000,00000000,?,?,?,?,?), ref: 01274060
                                  • Part of subcall function 01273EF0: FreeSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,7633E061,?,?,?), ref: 0127406D
                                  • Part of subcall function 01273EF0: SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,7633E061), ref: 012740EC
                                  • Part of subcall function 01273EF0: DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0127415B
                                  • Part of subcall function 01273EF0: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 01274169
                                  • Part of subcall function 01273EF0: FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 01274178
                                  • Part of subcall function 01273EF0: SetFileAttributesW.KERNEL32(01272D89,?,?,?,?,?,?,?,?,?), ref: 0127418D
                                  • Part of subcall function 01273EF0: RemoveDirectoryW.KERNEL32(01272D89,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012741AB
                                  • Part of subcall function 0137E640: CreateThread.KERNEL32(00000000,00000000,0137E2B0), ref: 0137E6B5
                                  • Part of subcall function 0137E640: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0137E6C3
                                  • Part of subcall function 0137E640: GetExitCodeThread.KERNEL32(00000000,?), ref: 0137E6DD
                                • CoUninitialize.OLE32 ref: 01272DA2
                                • DeleteFileW.KERNEL32(?), ref: 01272DAF
                                • wsprintfW.USER32 ref: 01272DC8
                                • RemoveDirectoryW.KERNEL32(?), ref: 01272DDA
                                • wsprintfW.USER32 ref: 01272DEF
                                • RemoveDirectoryW.KERNEL32(?), ref: 01272DFB
                                • FindClose.KERNEL32(?), ref: 01272E04
                                • SHDeleteKeyW.SHLWAPI(80000002,?), ref: 01272E4F
                                • SHDeleteKeyW.SHLWAPI(80000002,SOFTWARE\Asus\ASUS Live Update), ref: 01272E5B
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                • %s\ASUS Utility\ASUS Live Update\*.Lnk, xrefs: 01272B98
                                • SOFTWARE\Asus\ASUS Live Update, xrefs: 01272E51
                                • ASUS Live Updata, xrefs: 01272D5A
                                • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 01272D6D
                                • %s\ASUS Utility, xrefs: 01272DE9
                                • %s\ASUS Utility\ASUS Live Update, xrefs: 01272DC2
                                • %s\ASUS Utility\ASUS Live Update\%s, xrefs: 01272BDA
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: File$DeleteFind_memset$wsprintf$DirectoryProcessRemove$AttributesCloseCreateCurrentExceptionFilterFirstInitializeThreadUnhandled$AccountAllocateCodeDebuggerEnumExitFolderFreeInstanceLookupNextObjectPathPresentSingleSpecialTerminateUninitializeValueVersionWaitWindows_wcsnlen_wcsrchr
                                • String ID: %s\ASUS Utility$%s\ASUS Utility\ASUS Live Update$%s\ASUS Utility\ASUS Live Update\%s$%s\ASUS Utility\ASUS Live Update\*.Lnk$ASUS Live Updata$SOFTWARE\Asus\ASUS Live Update$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                                • API String ID: 3912647465-3411137950
                                • Opcode ID: ef9702f3d5f2ba78bbbc1bc5539e7b4bdaecc05d480ab66839d15143466eb6a5
                                • Instruction ID: 9a227c9785c6abfa2dc974978682c5e3f02c8081765f8db6266a9ed6bc9a8ed3
                                • Opcode Fuzzy Hash: ef9702f3d5f2ba78bbbc1bc5539e7b4bdaecc05d480ab66839d15143466eb6a5
                                • Instruction Fuzzy Hash: 1AA1D671900215DFDB24DB68CC49FEEB7B9EF98314F00469CE609A7290DB71AA45CF60
                                Uniqueness

                                Uniqueness Score: 37.75%

                                C-Code - Quality: 87%
                                			E012FCEB8(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed long long __fp0) {
                                				void* _t140;
                                				int _t143;
                                				intOrPtr _t145;
                                				struct HDC__* _t146;
                                				signed int _t148;
                                				intOrPtr _t152;
                                				void* _t156;
                                				intOrPtr _t160;
                                				struct HDC__* _t161;
                                				unsigned int _t163;
                                				signed int _t165;
                                				intOrPtr _t168;
                                				signed int _t176;
                                				int _t177;
                                				signed int _t180;
                                				int _t183;
                                				signed int _t186;
                                				int _t187;
                                				signed char _t190;
                                				signed int _t194;
                                				signed int _t196;
                                				signed int _t200;
                                				signed char _t205;
                                				signed int _t207;
                                				signed char _t208;
                                				void* _t214;
                                				void* _t219;
                                				void* _t224;
                                				int _t231;
                                				unsigned int _t232;
                                				int _t235;
                                				int _t237;
                                				int _t239;
                                				signed int _t241;
                                				signed int _t261;
                                				signed int _t263;
                                				signed int _t265;
                                				signed char _t266;
                                				intOrPtr _t285;
                                				int _t289;
                                				void* _t291;
                                				signed long long* _t292;
                                				signed long long _t299;
                                
                                				_t299 = __fp0;
                                				_t279 = __edx;
                                				_push(0x48);
                                				L01369601(0x1384744, __ebx, __edi, __esi);
                                				_t285 = __ecx;
                                				 *((intOrPtr*)(_t291 - 0x50)) = __ecx;
                                				if( *(_t291 + 0x18) == 0x64) {
                                					L59:
                                					_t140 = 1;
                                				} else {
                                					_t143 =  *((intOrPtr*)(_t291 + 0x14)) -  *(_t291 + 0xc);
                                					_t231 = 0;
                                					 *(_t291 - 0x18) = _t143;
                                					if(_t143 <= 0) {
                                						goto L59;
                                					} else {
                                						_t289 =  *((intOrPtr*)(_t291 + 0x10)) -  *(_t291 + 8);
                                						 *(_t291 - 0x54) = _t289;
                                						if(_t289 <= 0) {
                                							goto L59;
                                						} else {
                                							if( *0x13d6594 > 8) {
                                								__eflags =  *(_t291 + 0x24) - 0xffffffff;
                                								if( *(_t291 + 0x24) == 0xffffffff) {
                                									L8:
                                									L0127976C(_t291 - 0x40);
                                									_t145 =  *((intOrPtr*)(_t285 + 4));
                                									 *(_t291 - 4) = _t231;
                                									__eflags = _t145 - _t231;
                                									if(_t145 != _t231) {
                                										_t146 =  *(_t145 + 4);
                                									} else {
                                										_t146 = 0;
                                									}
                                									_t148 = L01279DC3(_t231, _t291 - 0x40, _t279, _t285, CreateCompatibleDC(_t146));
                                									__eflags = _t148;
                                									if(_t148 != 0) {
                                										 *(_t291 - 0x20) = _t231;
                                										 *((intOrPtr*)(_t291 - 0x24)) = 0x138f588;
                                										 *(_t291 - 4) = 1;
                                										__eflags = E0127A097(_t231, _t291 - 0x24, _t279, _t285, CreateCompatibleBitmap( *( *((intOrPtr*)(_t285 + 4)) + 4), _t289,  *(_t291 - 0x18)));
                                										if(__eflags != 0) {
                                											_t152 = E0127A14E( *(_t291 - 0x3c),  *(_t291 - 0x20));
                                											__eflags = _t152 - _t231;
                                											_t247 = 0 | __eflags != 0x00000000;
                                											 *((intOrPtr*)(_t291 - 0x4c)) = _t152;
                                											if(__eflags == 0) {
                                												L01277AC9(_t247);
                                											}
                                											 *(_t291 - 0x44) =  *(_t291 - 0x18);
                                											 *(_t291 - 0x48) = _t289;
                                											_t156 = E012FC0DC(_t291 - 0x48, _t291 - 0x10);
                                											 *(_t291 - 0x44) = _t156;
                                											__eflags = _t156 - _t231;
                                											if(__eflags == 0) {
                                												goto L14;
                                											} else {
                                												__eflags =  *(_t291 - 0x10) - _t231;
                                												if(__eflags == 0) {
                                													goto L14;
                                												} else {
                                													SelectObject( *(_t291 - 0x3c), _t156);
                                													_t160 =  *((intOrPtr*)(_t285 + 4));
                                													__eflags = _t160 - _t231;
                                													if(_t160 != _t231) {
                                														_t161 =  *(_t160 + 4);
                                													} else {
                                														_t161 = 0;
                                													}
                                													BitBlt( *(_t291 - 0x3c), _t231, _t231, _t289,  *(_t291 - 0x18), _t161,  *(_t291 + 8),  *(_t291 + 0xc), 0xcc0020);
                                													_t163 =  *(_t291 + 0x1c);
                                													__eflags = _t163 - 0xffffffff;
                                													if(_t163 != 0xffffffff) {
                                														_t279 = (_t163 & 0x000000ff) << 8;
                                														_t253 = (_t163 >> 0x00000008 & 0x000000ff | (_t163 & 0x000000ff) << 0x00000008) << 0x00000008 | _t163 >> 0x00000010 & 0x000000ff;
                                														__eflags = _t253;
                                														 *(_t291 + 0x1c) = _t253;
                                													}
                                													_t165 =  *(_t291 - 0x18) * _t289;
                                													__eflags = _t165 - _t231;
                                													if(_t165 > _t231) {
                                														 *(_t291 - 0x2c) = _t165;
                                														do {
                                															__eflags =  *(_t291 + 0x20);
                                															_t232 =  *( *(_t291 - 0x10));
                                															if( *(_t291 + 0x20) <= 0) {
                                																_t232 -  *(_t291 + 0x1c) = _t232 !=  *(_t291 + 0x1c);
                                																if(_t232 !=  *(_t291 + 0x1c)) {
                                																	goto L32;
                                																}
                                															} else {
                                																_t214 = L0136B5DE(_t279, (_t232 & 0x000000ff) - ( *(_t291 + 0x1c) & 0x000000ff));
                                																_pop(_t253);
                                																__eflags = _t214 -  *(_t291 + 0x20);
                                																if(_t214 >=  *(_t291 + 0x20)) {
                                																	L32:
                                																	__eflags =  *(_t291 + 0x18) - 0xffffffff;
                                																	if( *(_t291 + 0x18) != 0xffffffff) {
                                																		__eflags =  *(_t291 + 0x24) - 0xffffffff;
                                																		if( *(_t291 + 0x24) != 0xffffffff) {
                                																			_t176 = _t232 & 0x000000ff;
                                																			 *(_t291 - 0x28) = _t232 >> 0x00000008 & 0x000000ff;
                                																			 *(_t291 - 0x14) = _t232 >> 0x00000010 & 0x000000ff;
                                																			_t235 = ( *(_t291 + 0x24) >> 0x00000010 & 0x000000ff) - _t176;
                                																			 *(_t291 - 0x1c) = _t176;
                                																			_t177 = MulDiv(_t235,  *(_t291 + 0x18), 0x64);
                                																			__eflags = _t177 +  *(_t291 - 0x1c) - 0xff;
                                																			if(_t177 +  *(_t291 - 0x1c) <= 0xff) {
                                																				_t180 = MulDiv(_t235,  *(_t291 + 0x18), 0x64) +  *(_t291 - 0x1c);
                                																				__eflags = _t180;
                                																				 *(_t291 - 0x30) = _t180;
                                																			} else {
                                																				 *(_t291 - 0x30) = 0xff;
                                																			}
                                																			_t237 = ( *(_t291 + 0x24) >> 0x00000008 & 0x000000ff) -  *(_t291 - 0x28);
                                																			_t183 = MulDiv(_t237,  *(_t291 + 0x18), 0x64);
                                																			__eflags = _t183 +  *(_t291 - 0x28) - 0xff;
                                																			if(_t183 +  *(_t291 - 0x28) <= 0xff) {
                                																				_t186 = MulDiv(_t237,  *(_t291 + 0x18), 0x64) +  *(_t291 - 0x28);
                                																				__eflags = _t186;
                                																				 *(_t291 - 0x1c) = _t186;
                                																			} else {
                                																				 *(_t291 - 0x1c) = 0xff;
                                																			}
                                																			_t239 = ( *(_t291 + 0x24) & 0x000000ff) -  *(_t291 - 0x14);
                                																			_t187 = MulDiv(_t239,  *(_t291 + 0x18), 0x64);
                                																			__eflags = _t187 +  *(_t291 - 0x14) - 0xff;
                                																			if(_t187 +  *(_t291 - 0x14) <= 0xff) {
                                																				_t190 = MulDiv(_t239,  *(_t291 + 0x18), 0x64) +  *(_t291 - 0x14);
                                																				__eflags = _t190;
                                																			} else {
                                																				_t190 = 0xff;
                                																			}
                                																			_t194 = (_t190 & 0x000000ff | 0xffffff00) << 0x00000008 |  *(_t291 - 0x1c) & 0x000000ff;
                                																			__eflags = _t194;
                                																			_t261 =  *(_t291 - 0x30) & 0x000000ff;
                                																			goto L52;
                                																		} else {
                                																			asm("fild dword [ebp+0x18]");
                                																			_t292 = _t292 - 0x18;
                                																			_t299 = _t299 *  *0x139ac28;
                                																			asm("fst qword [esp+0x10]");
                                																			asm("fst qword [esp+0x8]");
                                																			 *_t292 = _t299;
                                																			_push(_t232);
                                																			_t196 = E012FC26C(_t253) | 0xff000000;
                                																		}
                                																	} else {
                                																		asm("cdq");
                                																		_t263 = 3;
                                																		_t200 = (( *0x13d6406 & 0x000000ff) + (_t232 & 0x000000ff) * 2) / _t263;
                                																		 *(_t291 - 0x14) = 0xff;
                                																		__eflags = _t200 - 0xff;
                                																		if(_t200 <= 0xff) {
                                																			 *(_t291 - 0x14) = _t200;
                                																		}
                                																		asm("cdq");
                                																		_t265 = 3;
                                																		_t205 = (( *0x13d6405 & 0x000000ff) + (_t232 >> 0x00000008 & 0x000000ff) * 2) / _t265;
                                																		_t266 = 0xff;
                                																		__eflags = _t205 - 0xff;
                                																		if(_t205 <= 0xff) {
                                																			_t266 = _t205;
                                																		}
                                																		_t207 = ( *0x13d6404 & 0x000000ff) + (_t232 >> 0x00000010 & 0x000000ff) * 2;
                                																		asm("cdq");
                                																		_t241 = 3;
                                																		_t208 = _t207 / _t241;
                                																		_t279 = _t207 % _t241;
                                																		__eflags = _t208 - 0xff;
                                																		if(_t208 > 0xff) {
                                																			_t208 = 0xff;
                                																		}
                                																		_t194 = (_t208 & 0x000000ff | 0xffffff00) << 0x00000008 | _t266 & 0x000000ff;
                                																		_t261 =  *(_t291 - 0x14) & 0x000000ff;
                                																		L52:
                                																		_t196 = _t194 << 0x00000008 | _t261;
                                																		__eflags = _t196;
                                																	}
                                																	_t253 =  *(_t291 - 0x10);
                                																	 *( *(_t291 - 0x10)) = _t196;
                                																} else {
                                																	_t219 = L0136B5DE(_t279, (_t232 >> 0x00000008 & 0x000000ff) - ( *(_t291 + 0x1c) >> 0x00000008 & 0x000000ff));
                                																	_pop(_t253);
                                																	__eflags = _t219 -  *(_t291 + 0x20);
                                																	if(_t219 >=  *(_t291 + 0x20)) {
                                																		goto L32;
                                																	} else {
                                																		_t224 = L0136B5DE(_t279, (_t232 >> 0x00000010 & 0x000000ff) - ( *(_t291 + 0x1c) >> 0x00000010 & 0x000000ff));
                                																		_pop(_t253);
                                																		__eflags = _t224 -  *(_t291 + 0x20);
                                																		if(_t224 >=  *(_t291 + 0x20)) {
                                																			goto L32;
                                																		}
                                																	}
                                																}
                                															}
                                															 *(_t291 - 0x10) =  &(( *(_t291 - 0x10))[1]);
                                															_t117 = _t291 - 0x2c;
                                															 *_t117 =  *(_t291 - 0x2c) - 1;
                                															__eflags =  *_t117;
                                														} while ( *_t117 != 0);
                                														_t285 =  *((intOrPtr*)(_t291 - 0x50));
                                														_t289 =  *(_t291 - 0x54);
                                														_t231 = 0;
                                														__eflags = 0;
                                													}
                                													BitBlt( *( *((intOrPtr*)(_t285 + 4)) + 4),  *(_t291 + 8),  *(_t291 + 0xc), _t289,  *(_t291 - 0x18),  *(_t291 - 0x3c), _t231, _t231, 0xcc0020);
                                													_t168 =  *((intOrPtr*)(_t291 - 0x4c));
                                													__eflags = _t168 - _t231;
                                													if(__eflags != 0) {
                                														_t231 =  *(_t168 + 4);
                                													}
                                													E0127A14E( *(_t291 - 0x3c), _t231);
                                													DeleteObject( *(_t291 - 0x44));
                                													 *(_t291 - 4) = 0;
                                													 *((intOrPtr*)(_t291 - 0x24)) = 0x138f588;
                                													E0127A27E(_t231, _t291 - 0x24, _t285, _t289, __eflags);
                                													_t134 = _t291 - 4;
                                													 *_t134 =  *(_t291 - 4) | 0xffffffff;
                                													__eflags =  *_t134;
                                													L01279E44(_t291 - 0x40);
                                													goto L59;
                                												}
                                											}
                                										} else {
                                											L14:
                                											 *(_t291 - 4) = 0;
                                											 *((intOrPtr*)(_t291 - 0x24)) = 0x138f588;
                                											E0127A27E(_t231, _t291 - 0x24, _t285, _t289, __eflags);
                                											goto L12;
                                										}
                                									} else {
                                										L12:
                                										 *(_t291 - 4) =  *(_t291 - 4) | 0xffffffff;
                                										L01279E44(_t291 - 0x40);
                                										goto L7;
                                									}
                                								} else {
                                									__eflags =  *(_t291 + 0x18) - 0x64;
                                									if( *(_t291 + 0x18) <= 0x64) {
                                										goto L8;
                                									} else {
                                										L7:
                                										_t140 = 0;
                                									}
                                								}
                                							} else {
                                								E012E04FF( *((intOrPtr*)(__ecx + 4)), _t291 + 8);
                                								goto L59;
                                							}
                                						}
                                					}
                                				}
                                				return L013696D9(_t140);
                                			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012FCEBF
                                • CreateCompatibleDC.GDI32(?), ref: 012FCF3E
                                • CreateCompatibleBitmap.GDI32(?,?,00000064), ref: 012FCF77
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                  • Part of subcall function 0127A14E: SelectObject.GDI32(?,?), ref: 0127A159
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 012FC0DC: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 012FC156
                                • SelectObject.GDI32(?,00000000), ref: 012FCFE3
                                • BitBlt.GDI32(?,00000000,00000000,?,00000064,?,?,?,00CC0020), ref: 012FD00C
                                • MulDiv.KERNEL32 ref: 012FD198
                                • MulDiv.KERNEL32 ref: 012FD1AC
                                • MulDiv.KERNEL32 ref: 012FD1C6
                                • MulDiv.KERNEL32 ref: 012FD1DA
                                • MulDiv.KERNEL32 ref: 012FD1EF
                                • MulDiv.KERNEL32 ref: 012FD202
                                • BitBlt.GDI32(?,?,?,?,00000064,?,00000000,00000000,00CC0020), ref: 012FD255
                                • DeleteObject.GDI32(?), ref: 012FD271
                                  • Part of subcall function 012E04FF: FillRect.USER32(?,?), ref: 012E0513
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CreateObject$CompatibleDeleteSelect$BitmapException@8FillH_prolog3H_prolog3_catch_RectSectionThrow
                                • String ID: d
                                • API String ID: 3426721044-2564639436
                                • Opcode ID: 6dad099ce27e69c5d745c292fddde05778a58b03d435ebee52d6db0143c136b6
                                • Instruction ID: e86e9b6f85c6055224106912a132f977a7b13dcbbab0669b0b3f24c84261fd6b
                                • Opcode Fuzzy Hash: 6dad099ce27e69c5d745c292fddde05778a58b03d435ebee52d6db0143c136b6
                                • Instruction Fuzzy Hash: 56C1987192021E9FCF15DFA8CD859FEFBB4EB08314F10462EF652A6281C634D955DBA0
                                Uniqueness

                                Uniqueness Score: 2.48%

                                C-Code - Quality: 93%
                                			E01298DD7(signed int __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
                                				struct HWND__* _v8;
                                				signed int _v12;
                                				signed int _v16;
                                				intOrPtr _v32;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t104;
                                				int _t107;
                                				signed int _t108;
                                				signed int _t109;
                                				void* _t114;
                                				signed int _t115;
                                				signed int _t121;
                                				signed int _t123;
                                				int _t124;
                                				int _t125;
                                				signed int _t129;
                                				signed int _t134;
                                				signed int _t137;
                                				void* _t141;
                                				signed char _t143;
                                				intOrPtr _t148;
                                				signed int _t153;
                                				void* _t160;
                                				signed int _t165;
                                				signed int _t172;
                                				signed int _t174;
                                				signed int _t175;
                                				signed int _t182;
                                				signed int _t192;
                                				signed int _t194;
                                				signed int _t195;
                                				signed int _t198;
                                				signed int _t199;
                                				void* _t202;
                                				intOrPtr _t203;
                                
                                				_t191 = __edx;
                                				_t166 = __ecx;
                                				_t165 = __ecx;
                                				_t203 =  *0x13d83d4; // 0x0
                                				if(_t203 == 0 ||  *((intOrPtr*)(__ecx + 0xb04)) != 0) {
                                					__eflags =  *(_t165 + 0x164);
                                					if( *(_t165 + 0x164) != 0) {
                                						goto L10;
                                					}
                                					_t199 = _t198 | 0xffffffff;
                                					__eflags =  *(_t165 + 0xb78) - _t199;
                                					if( *(_t165 + 0xb78) != _t199) {
                                						ReleaseCapture();
                                						_t104 =  *(_t165 + 0xc90);
                                						__eflags = _t104;
                                						if(__eflags != 0) {
                                							E01282D05(_t165, _t166, _t191, SetCapture( *(_t104 + 0x20)));
                                							_t34 = _t165 + 0xc90;
                                							 *_t34 =  *(_t165 + 0xc90) & 0x00000000;
                                							__eflags =  *_t34;
                                						}
                                						 *(_t165 + 0xb7c) =  *((intOrPtr*)( *_t165 + 0x390))(_a8, _a12);
                                						_t107 = L01293D66(_t165, __eflags,  *(_t165 + 0xb78));
                                						_t199 = _t107;
                                						__eflags = _t199;
                                						if(_t199 == 0) {
                                							L47:
                                							return _t107;
                                						} else {
                                							_t108 = E012789AE(_t199, 0x139cdd8);
                                							_a4 = _a4 & 0x00000000;
                                							_v16 = _t108;
                                							_t109 =  *(_t165 + 0xb78);
                                							_t194 =  *(_t199 + 0x24) & 0xfffdffff;
                                							_v12 = _t194;
                                							__eflags = _t109 -  *(_t165 + 0xb7c);
                                							if(_t109 ==  *(_t165 + 0xb7c)) {
                                								_v8 = _t109;
                                								_t141 =  *((intOrPtr*)( *_t165 + 0x390))(_a8, _a12);
                                								__eflags = _t141 - _v8;
                                								if(_t141 == _v8) {
                                									L01293EC6(_t165, _t194, _v8);
                                									_t143 =  *(_t199 + 0x24);
                                									__eflags = _t143 & 0x00040000;
                                									if((_t143 & 0x00040000) == 0) {
                                										_a4 =  *((intOrPtr*)(_t199 + 0x20));
                                										__eflags = _t143 & 0x00000002;
                                										if((_t143 & 0x00000002) != 0) {
                                											__eflags = _t194 & 0x00100000;
                                											if((_t194 & 0x00100000) != 0) {
                                												_t194 = _t194 & 0xffefffff;
                                												__eflags = _t194;
                                											}
                                											_t195 = _t194 ^ 0x00010000;
                                											__eflags = _t195;
                                											_v12 = _t195;
                                										}
                                									}
                                								}
                                							}
                                							__eflags =  *0x13d83f8;
                                							if( *0x13d83f8 == 0) {
                                								SendMessageW( *(E012845DB(_t165) + 0x20), 0x362, 0xe001, 0);
                                							}
                                							_t192 =  *(_t165 + 0xb78);
                                							 *(_t165 + 0xb78) =  *(_t165 + 0xb78) | 0xffffffff;
                                							 *(_t165 + 0xb7c) =  *(_t165 + 0xb7c) | 0xffffffff;
                                							_v8 =  *(_t165 + 0x20);
                                							 *((intOrPtr*)( *_t165 + 0x364))();
                                							_t114 =  *((intOrPtr*)( *_t165 + 0x390))(_a8, _a12);
                                							__eflags = _t114 - _t192;
                                							if(_t114 != _t192) {
                                								L35:
                                								_t115 = IsWindow(_v8);
                                								__eflags = _t115;
                                								if(_t115 != 0) {
                                									_t124 = IsIconic(_v8);
                                									__eflags = _t124;
                                									if(_t124 == 0) {
                                										_t125 = IsZoomed(_v8);
                                										__eflags = _t125;
                                										if(_t125 != 0) {
                                											 *((intOrPtr*)( *_t199 + 0x24))();
                                										}
                                									}
                                								}
                                								goto L39;
                                							} else {
                                								_t129 =  *((intOrPtr*)( *_t165 + 0x3e4))(_t199);
                                								__eflags = _t129;
                                								if(_t129 != 0) {
                                									goto L35;
                                								}
                                								__eflags = _a4 - _t129;
                                								if(_a4 == _t129) {
                                									goto L35;
                                								}
                                								__eflags = _a4 - 0xffffffff;
                                								if(_a4 == 0xffffffff) {
                                									goto L35;
                                								}
                                								L01295B3C(_t165, _t191, _t192);
                                								UpdateWindow( *(_t165 + 0x20));
                                								L012EBB65(0x13d85bc, _t191, _a4);
                                								_t134 =  *((intOrPtr*)( *_t199 + 0x24))();
                                								__eflags = _t134;
                                								if(_t134 != 0) {
                                									L39:
                                									_t107 = IsWindow(_v8);
                                									__eflags = _t107;
                                									if(_t107 == 0) {
                                										goto L47;
                                									}
                                									__eflags = _t192 -  *((intOrPtr*)(_t165 + 0xbd4));
                                									if(_t192 >=  *((intOrPtr*)(_t165 + 0xbd4))) {
                                										goto L47;
                                									}
                                									__eflags = _v16;
                                									_t172 = _t165;
                                									if(__eflags == 0) {
                                										 *((intOrPtr*)( *_t165 + 0x374))(_t192, _v12);
                                									} else {
                                										_t123 = L01293D66(_t172, __eflags, _t192);
                                										__eflags = _t123;
                                										if(_t123 != 0) {
                                											 *(_t123 + 0x24) =  *(_t123 + 0x24) & 0xfffdffff;
                                										}
                                									}
                                									L01293EC6(_t165, _t192, _t192);
                                									_t174 = _t165;
                                									L01295B3C(_t174, _t191, _t192);
                                									UpdateWindow( *(_t165 + 0x20));
                                									_t175 = _t174 | 0xffffffff;
                                									__eflags = _t175;
                                									_t121 = _t175;
                                									L46:
                                									_push(_a12);
                                									 *(_t165 + 0xc8c) = _t175;
                                									_push(_a8);
                                									_push(0);
                                									 *(_t165 + 0xc88) = _t121;
                                									return E012989AC(_t165, _t165, _t191, _t192, _t199, __eflags);
                                								}
                                								_t182 =  *0x13d9934; // 0x0
                                								__eflags = _t182;
                                								if(_t182 == 0) {
                                									L34:
                                									SendMessageW( *(E012845DB(_t165) + 0x20), 0x111, _a4, 0);
                                									goto L39;
                                								}
                                								_t137 = E012CA3A7(_t182, _a4);
                                								__eflags = _t137;
                                								if(_t137 != 0) {
                                									goto L39;
                                								}
                                								goto L34;
                                							}
                                						}
                                					}
                                					_t107 =  *((intOrPtr*)( *_t165 + 0x390))(_a8, _a12);
                                					__eflags = _t107 - _t199;
                                					if(_t107 != _t199) {
                                						goto L47;
                                					}
                                					E012E82D0(_t165, _t191, _a4, _a8, _a12);
                                					_t121 = _t199;
                                					_t175 = _t199;
                                					goto L46;
                                				} else {
                                					if( *((intOrPtr*)(__ecx + 0xb30)) != 0) {
                                						_t148 =  *((intOrPtr*)(__ecx + 0xc98));
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						_t202 = _a8 - _v32;
                                						if(_t202 >= 5) {
                                							_t160 = L0136B5DE(__edx,  *((intOrPtr*)(_t148 + 0x5c)) - _a8);
                                							_pop(_t166);
                                							if(_t160 > 6) {
                                								_push(_t202);
                                								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc98)))) + 0x34))();
                                								_t166 = __ecx;
                                								 *((intOrPtr*)( *__ecx + 0x208))();
                                							}
                                						}
                                						SetRectEmpty(_t165 + 0xc68);
                                						 *((intOrPtr*)(_t165 + 0xc98)) = 0;
                                						 *((intOrPtr*)(_t165 + 0xb30)) = 0;
                                						RedrawWindow( *(_t165 + 0x20), 0, 0, 0x505);
                                						ReleaseCapture();
                                						_t153 =  *(_t165 + 0xc90);
                                						if(_t153 != 0) {
                                							E01282D05(_t165, _t166, _t191, SetCapture( *(_t153 + 0x20)));
                                							 *(_t165 + 0xc90) = 0;
                                						}
                                						 *((intOrPtr*)( *_t165 + 0x2d4))(1);
                                					}
                                					_t166 = _t165;
                                					L10:
                                					return E012E82D0(_t166, _t191, _a4, _a8, _a12);
                                				}
                                			}

                                APIs
                                • SetRectEmpty.USER32 ref: 01298E54
                                • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 01298E72
                                • ReleaseCapture.USER32 ref: 01298E78
                                • SetCapture.USER32(?), ref: 01298E8B
                                  • Part of subcall function 012E82D0: ReleaseCapture.USER32 ref: 012E8300
                                  • Part of subcall function 012E82D0: IsWindow.USER32(?), ref: 012E8321
                                  • Part of subcall function 012E82D0: DestroyWindow.USER32(?), ref: 012E8331
                                  • Part of subcall function 012E82D0: GetParent.USER32(?), ref: 012E834D
                                  • Part of subcall function 012E82D0: IsRectEmpty.USER32 ref: 012E83F9
                                  • Part of subcall function 012E82D0: IsWindowVisible.USER32(?), ref: 012E843B
                                  • Part of subcall function 012E82D0: MapWindowPoints.USER32 ref: 012E8452
                                  • Part of subcall function 012E82D0: SendMessageW.USER32(?,00000202,?,?), ref: 012E8471
                                • ReleaseCapture.USER32 ref: 01298F00
                                • SetCapture.USER32(?), ref: 01298F13
                                  • Part of subcall function 01293D66: PtInRect.USER32(?,?,?), ref: 01293DB9
                                • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 01298FEC
                                • UpdateWindow.USER32 ref: 0129904F
                                  • Part of subcall function 012845DB: GetParent.USER32(?), ref: 012845E5
                                • SendMessageW.USER32(?,00000111,000000FF,00000000), ref: 01299097
                                • IsWindow.USER32(?), ref: 012990A2
                                • IsIconic.USER32(?), ref: 012990AF
                                • IsZoomed.USER32(?), ref: 012990BC
                                • IsWindow.USER32(?), ref: 012990D0
                                  • Part of subcall function 01295B3C: InvalidateRect.USER32(?,?,00000001), ref: 01295BB1
                                  • Part of subcall function 01295B3C: InflateRect.USER32(?,?,?), ref: 01295BF7
                                  • Part of subcall function 01295B3C: RedrawWindow.USER32(?,?,00000000,00000401), ref: 01295C0A
                                • UpdateWindow.USER32 ref: 0129911C
                                  • Part of subcall function 012989AC: __EH_prolog3_GS.LIBCMT ref: 012989B3
                                  • Part of subcall function 012989AC: SetCursor.USER32(00000040), ref: 01298A4D
                                  • Part of subcall function 012989AC: GetFocus.USER32 ref: 01298AEC
                                  • Part of subcall function 012989AC: SetTimer.USER32 ref: 01298BAC
                                  • Part of subcall function 012989AC: SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 01298C51
                                  • Part of subcall function 012989AC: KillTimer.USER32 ref: 01298D7D
                                  • Part of subcall function 012989AC: SetTimer.USER32 ref: 01298D9A
                                  • Part of subcall function 012989AC: UpdateWindow.USER32 ref: 01298DB9
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$CaptureRect$MessageSend$ReleaseTimerUpdate$EmptyParentRedraw$CursorDestroyFocusH_prolog3_IconicInflateInvalidateKillPointsVisibleZoomed
                                • String ID:
                                • API String ID: 2543347498-0
                                • Opcode ID: 1a0c061bb5dc4544bc84e2ffc3b547f056565ce39fd02a55155cbece704b1001
                                • Instruction ID: b0b4dab22d027d983ba80f3a58773251cb2988401cf8a10a979aae8d372d9bac
                                • Opcode Fuzzy Hash: 1a0c061bb5dc4544bc84e2ffc3b547f056565ce39fd02a55155cbece704b1001
                                • Instruction Fuzzy Hash: A5A15E30610206EFDF22AF68C898AAD7BB6FF45314F1545B9FA199B2A5DB31D940CB10
                                Uniqueness

                                Uniqueness Score: 1.79%

                                C-Code - Quality: 84%
                                			E01274480(WCHAR* _a4) {
                                				signed int _v8;
                                				void _v4104;
                                				intOrPtr _v4108;
                                				intOrPtr _v4112;
                                				struct _TOKEN_PRIVILEGES _v4120;
                                				void* _v4124;
                                				WCHAR* _v4128;
                                				struct _LUID _v4136;
                                				long _v4140;
                                				struct _SECURITY_DESCRIPTOR _v4160;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t28;
                                				int _t33;
                                				long _t43;
                                				void* _t51;
                                				void* _t66;
                                				void* _t67;
                                				void* _t68;
                                				signed int _t69;
                                
                                				E01368890(0x103c);
                                				_t28 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t28 ^ _t69;
                                				_v4128 = _a4;
                                				InitializeSecurityDescriptor( &_v4160, 1);
                                				_t33 = OpenProcessToken(GetCurrentProcess(), 0x20028,  &_v4124);
                                				_t66 = AdjustTokenPrivileges;
                                				_t51 = GetLastError;
                                				if(_t33 == 0) {
                                					L8:
                                					AdjustTokenPrivileges(_v4124, 1,  &_v4120, 0x10, 0, 0);
                                					GetLastError();
                                					return L01367D3E(0, _t51, _v8 ^ _t69,  &_v4120, _t66, _t67);
                                				} else {
                                					_push(_t67);
                                					_t68 = _v4124;
                                					if(LookupPrivilegeValueW(0, L"SeTakeOwnershipPrivilege",  &_v4136) != 0) {
                                						_v4120.PrivilegeCount = 1;
                                						_v4120.Privileges = _v4136.LowPart;
                                						_v4112 = _v4136.HighPart;
                                						_v4108 = 2;
                                					}
                                					AdjustTokenPrivileges(_t68, 0,  &_v4120, 0x10, 0, 0);
                                					_t43 = GetLastError();
                                					_pop(_t67);
                                					if(_t43 != 0 || GetTokenInformation(_v4124, 1,  &_v4104, 0x1000,  &_v4140) == 0 || SetSecurityDescriptorOwner( &_v4160, _v4104, 0) == 0 || SetFileSecurityW(_v4128, 1,  &_v4160) == 0) {
                                						goto L8;
                                					} else {
                                						return L01367D3E(1, _t51, _v8 ^ _t69,  &_v4160, _t66, _t67);
                                					}
                                				}
                                			}

                                APIs
                                • InitializeSecurityDescriptor.ADVAPI32(?,00000001,7616D4C7,00000000,?,01274139,?,?,?,?,?), ref: 012744AB
                                • GetCurrentProcess.KERNEL32(00020028,?,?,01274139,?,?,?,?,?), ref: 012744BD
                                • OpenProcessToken.ADVAPI32(00000000,?,01274139,?,?,?,?,?), ref: 012744C4
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeTakeOwnershipPrivilege,?), ref: 012744F3
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,01274139,?,?,?,?,?), ref: 01274539
                                • GetLastError.KERNEL32(?,01274139,?,?,?,?,?,?,?,?,?,?,?,?,?,7633E061), ref: 0127453B
                                • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,00001000,?,01274139,?,?,?,?,?), ref: 0127455E
                                • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,7633E061), ref: 01274578
                                • SetFileSecurityW.ADVAPI32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,7633E061), ref: 01274592
                                • AdjustTokenPrivileges.ADVAPI32(?,00000001,?,00000010,00000000,00000000,?,01274139,?,?,?,?,?), ref: 012745C7
                                • GetLastError.KERNEL32(?,01274139,?,?,?,?,?,?,?,?,?,?,?,?,?,7633E061), ref: 012745C9
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                • SeTakeOwnershipPrivilege, xrefs: 012744EC
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ProcessToken$Security$AdjustCurrentDescriptorErrorExceptionFilterLastPrivilegesUnhandled$DebuggerFileInformationInitializeLookupOpenOwnerPresentPrivilegeTerminateValue
                                • String ID: SeTakeOwnershipPrivilege
                                • API String ID: 2076343184-3375656754
                                • Opcode ID: 7dc18c6e8506da1f82ded5208d7f32adfcf3b36c8be5beb2e71887407ef9cf7c
                                • Instruction ID: eef13283ad11b3ca17c45d29ed4d9b8e4ed0dcd4a8c82bd67608991f22ea3c61
                                • Opcode Fuzzy Hash: 7dc18c6e8506da1f82ded5208d7f32adfcf3b36c8be5beb2e71887407ef9cf7c
                                • Instruction Fuzzy Hash: 48415FB1A40359ABEB30DB64DC85FEE73BCAB48744F004095F648E6284D6F4AAC59F60
                                Uniqueness

                                Uniqueness Score: 16.53%

                                C-Code - Quality: 89%
                                			E012A29FD(void* __ebx, intOrPtr __ecx, int __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t652;
                                				void* _t656;
                                				void* _t657;
                                				int _t662;
                                				int _t663;
                                				signed int _t671;
                                				int _t675;
                                				struct tagRECT _t676;
                                				struct tagRECT _t685;
                                				intOrPtr _t686;
                                				void* _t687;
                                				POINT* _t688;
                                				struct tagRECT _t726;
                                				int _t727;
                                				void* _t736;
                                				struct tagRECT _t742;
                                				int _t758;
                                				signed int _t760;
                                				int _t762;
                                				signed int _t763;
                                				int _t765;
                                				int _t767;
                                				signed int _t770;
                                				signed int _t790;
                                				intOrPtr _t791;
                                				int _t805;
                                				int _t810;
                                				intOrPtr _t819;
                                				intOrPtr _t827;
                                				int _t830;
                                				int _t836;
                                				POINT* _t840;
                                				intOrPtr _t841;
                                				intOrPtr _t847;
                                				intOrPtr _t862;
                                				POINT* _t890;
                                				void* _t906;
                                				void* _t912;
                                				int _t915;
                                				int _t923;
                                				int _t926;
                                				int _t934;
                                				int _t941;
                                				signed int _t946;
                                				int _t964;
                                				signed int _t971;
                                				void* _t987;
                                				void* _t989;
                                				void* _t991;
                                				int _t994;
                                				POINT* _t998;
                                				void* _t999;
                                				signed int _t1001;
                                				int* _t1010;
                                				void* _t1021;
                                				void* _t1049;
                                				int _t1066;
                                				int _t1109;
                                				struct tagPOINT _t1111;
                                				intOrPtr _t1112;
                                				struct tagRECT _t1114;
                                				struct tagRECT* _t1117;
                                				struct tagRECT* _t1121;
                                				int _t1134;
                                				int _t1135;
                                				int _t1138;
                                				int _t1161;
                                				int* _t1162;
                                				int _t1165;
                                				int _t1166;
                                				struct tagRECT _t1188;
                                				struct tagRECT _t1189;
                                				int _t1195;
                                				intOrPtr _t1199;
                                				int _t1200;
                                				signed int _t1205;
                                				int _t1206;
                                				struct tagPOINT _t1213;
                                				int _t1217;
                                				intOrPtr _t1219;
                                				int _t1222;
                                				int _t1228;
                                				void* _t1230;
                                				int _t1233;
                                				void* _t1235;
                                				int _t1237;
                                				int _t1239;
                                				int _t1241;
                                				int _t1247;
                                				int _t1249;
                                				int _t1250;
                                				void* _t1251;
                                				intOrPtr _t1252;
                                
                                				_t1196 = __edx;
                                				L0136966A(0x13810dd, __ebx, __edi, __esi);
                                				_t1233 =  *(_t1251 + 0x24);
                                				_t1010 =  *(_t1251 + 8);
                                				 *((intOrPtr*)(_t1251 - 0xd4)) = __ecx;
                                				 *(_t1251 - 0xdc) = _t1233;
                                				_t652 =  *((intOrPtr*)( *_t1233 + 0x1d8))( *(_t1251 + 0x1c), 0x108);
                                				_t1217 = 0;
                                				 *(_t1251 - 0xc8) = _t652;
                                				 *(_t1251 - 0xc0) = 0;
                                				 *((intOrPtr*)(_t1251 - 0xbc)) = 0;
                                				 *((intOrPtr*)(_t1251 - 0xb8)) = 0;
                                				 *((intOrPtr*)(_t1251 - 0xb4)) = 0;
                                				 *((intOrPtr*)( *_t1010 + 0x50))(_t1251 - 0xc0);
                                				_t656 =  *((intOrPtr*)( *_t1233 + 0x27c))();
                                				_t657 =  *_t1233;
                                				if(_t656 == 0) {
                                					__eflags =  *((intOrPtr*)(_t657 + 0x28c))();
                                					if(__eflags == 0) {
                                						 *(_t1251 - 0xf8) = 0;
                                						 *((intOrPtr*)(_t1251 - 0xfc)) = 0x138f894;
                                						 *(_t1251 - 4) = 5;
                                						 *((intOrPtr*)(_t1251 - 0xa0)) = 0;
                                						 *((intOrPtr*)(_t1251 - 0x9c)) = 0;
                                						 *(_t1251 - 0x98) = 0;
                                						 *((intOrPtr*)(_t1251 - 0x94)) = 0;
                                						 *((intOrPtr*)( *_t1233 + 0x17c))(_t1251 - 0xa0);
                                						 *(_t1251 - 0xcc) = 0;
                                						_t662 =  *((intOrPtr*)( *_t1233 + 0x284))();
                                						__eflags = _t662;
                                						if(_t662 != 0) {
                                							L65:
                                							 *(_t1251 - 0xc4) = 1;
                                							__eflags =  *(_t1251 + 0x1c) - _t1217;
                                							if( *(_t1251 + 0x1c) == _t1217) {
                                								L45:
                                								_t663 = 0;
                                								__eflags = 0;
                                								L46:
                                								__eflags = _t663 +  *(_t1251 + 0xc) + 0xa -  *(_t1251 - 0x98);
                                								if(__eflags > 0) {
                                									L161:
                                									 *((intOrPtr*)(_t1251 - 0xfc)) = 0x138f894;
                                									_t1021 = _t1251 - 0xfc;
                                									goto L162;
                                								}
                                								__eflags =  *(_t1251 + 0x14) + 0xfffffff6 -  *((intOrPtr*)(_t1251 - 0xa0));
                                								if(__eflags <= 0) {
                                									goto L161;
                                								}
                                								 *(_t1251 - 0xd8) =  *((intOrPtr*)( *_t1233 + 0x288))();
                                								__eflags =  *(_t1251 + 0x20) - _t1217;
                                								if( *(_t1251 + 0x20) == _t1217) {
                                									L52:
                                									_t671 =  *(_t1251 - 0xc8);
                                									__eflags = _t671 - 0xffffffff;
                                									if(_t671 != 0xffffffff) {
                                										L55:
                                										 *(_t1251 - 0xe8) = _t1217;
                                										 *((intOrPtr*)(_t1251 - 0xec)) = 0x138f894;
                                										 *(_t1251 - 4) = 6;
                                										__eflags = _t671 - 0xffffffff;
                                										if(__eflags == 0) {
                                											_t671 =  *0x13d63fc; // 0xf0f0f0
                                										}
                                										_push(_t671);
                                										E0127A3A8(_t1010, _t1251 - 0xf4, _t1196, _t1217, _t1233, __eflags);
                                										__eflags =  *(_t1251 - 0xc4);
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										 *(_t1251 - 4) = 7;
                                										asm("movsd");
                                										if( *(_t1251 - 0xc4) == 0) {
                                											InflateRect(_t1251 - 0x80, 0xffffffff, 0);
                                											_t675 =  *(_t1251 - 0xdc);
                                											__eflags =  *(_t675 + 0x84);
                                											if( *(_t675 + 0x84) != 0) {
                                												_t344 = _t1251 - 0x7c;
                                												 *_t344 =  *(_t1251 - 0x7c) + 1;
                                												__eflags =  *_t344;
                                											} else {
                                												 *((intOrPtr*)(_t1251 - 0x74)) =  *((intOrPtr*)(_t1251 - 0x74)) - 1;
                                											}
                                											_t676 =  *(_t1251 - 0x98);
                                											__eflags =  *(_t1251 - 0x78) - _t676;
                                											if( *(_t1251 - 0x78) >= _t676) {
                                												 *(_t1251 - 0x78) = _t676;
                                											}
                                											goto L74;
                                										} else {
                                											_t915 =  *(_t1251 + 0x18);
                                											_t1241 =  *(_t1251 + 0x10);
                                											_t1111 =  *(_t1251 + 0xc);
                                											 *(_t1251 - 0x70) = _t1111;
                                											 *(_t1251 - 0x68) = _t1111;
                                											_t1112 = _t1111 + _t915 - _t1241;
                                											 *((intOrPtr*)(_t1251 - 0x58)) = _t1112;
                                											_t295 = _t1251 - 0xc8;
                                											 *_t295 =  *(_t1251 - 0xc8) & 0x00000000;
                                											__eflags =  *_t295;
                                											 *((intOrPtr*)(_t1251 - 0x50)) = _t1112 + 4;
                                											_t1114 =  *(_t1251 + 0x14);
                                											_t1199 = _t1241 + 2;
                                											 *((intOrPtr*)(_t1251 - 0x60)) = _t1111 + 2;
                                											 *(_t1251 - 0x40) = _t1114;
                                											 *(_t1251 - 0x38) = _t1114;
                                											 *((intOrPtr*)(_t1251 - 0x54)) = _t1199;
                                											 *((intOrPtr*)(_t1251 - 0x3c)) = _t1199;
                                											_t1200 =  *( *(_t1251 - 0xdc) + 0x84);
                                											 *(_t1251 - 0x6c) = _t915;
                                											 *(_t1251 - 0x64) = _t915;
                                											 *(_t1251 - 0x5c) = _t915;
                                											 *(_t1251 - 0x4c) = _t1241;
                                											 *((intOrPtr*)(_t1251 - 0x48)) = _t1114 - 2;
                                											 *(_t1251 - 0x44) = _t1241;
                                											 *(_t1251 - 0x34) = _t915;
                                											do {
                                												_t1226 =  *(_t1251 - 0x98);
                                												_t1117 = _t1251 +  *(_t1251 - 0xc8) * 8 - 0x70;
                                												__eflags = _t1117->left - _t1226;
                                												if(_t1117->left > _t1226) {
                                													 *_t1117 = _t1226;
                                													 *(_t1251 - 0xcc) = 1;
                                												}
                                												__eflags = _t1200;
                                												if(_t1200 == 0) {
                                													_t1121 = _t1251 +  *(_t1251 - 0xc8) * 8 - 0x6c;
                                													_t1228 = _t1241 - _t1121->left;
                                													__eflags = _t1228;
                                													_t1226 = _t1228 + _t915 - 1;
                                													 *_t1121 = _t1228 + _t915 - 1;
                                												}
                                												 *(_t1251 - 0xc8) =  *(_t1251 - 0xc8) + 1;
                                												__eflags =  *(_t1251 - 0xc8) - 8;
                                											} while ( *(_t1251 - 0xc8) < 8);
                                											E0127A097(_t1010, _t1251 - 0xec, _t1200, _t1226, CreatePolygonRgn(_t1251 - 0x70, 8, 2));
                                											L01279B4B(_t1010, _t1251 - 0xec);
                                											L74:
                                											_t1196 = _t1251 - 0xf4;
                                											_t1252 = _t1252 - 0x10;
                                											_t1219 = _t1252;
                                											_t1235 = _t1251 - 0x80;
                                											asm("movsd");
                                											asm("movsd");
                                											asm("movsd");
                                											asm("movsd");
                                											 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1251 - 0xd4)))) + 0xf8))(_t1010, _t1196,  *(_t1251 + 0x1c),  *(_t1251 + 0x20),  *(_t1251 - 0xdc));
                                											L01279B4B(_t1010, 0);
                                											__eflags =  *(_t1251 - 0xc4);
                                											if(__eflags != 0) {
                                												_t1239 =  *(_t1251 - 0xdc);
                                												_t1222 = 0;
                                												 *(_t1251 - 0xb0) = 0;
                                												 *((intOrPtr*)(_t1251 - 0xac)) = 0;
                                												 *((intOrPtr*)(_t1251 - 0xa8)) = 0;
                                												 *((intOrPtr*)(_t1251 - 0xa4)) = 0;
                                												GetClientRect( *(_t1239 + 0x20), _t1251 - 0xb0);
                                												 *((intOrPtr*)(_t1251 - 0xa8)) =  *((intOrPtr*)(_t1251 - 0xa0)) - 1;
                                												L01279552(_t1010, _t1251 - 0xb0);
                                												__eflags =  *(_t1251 + 0x1c);
                                												if( *(_t1251 + 0x1c) > 0) {
                                													__eflags =  *(_t1251 + 0x20);
                                													if( *(_t1251 + 0x20) == 0) {
                                														_t906 =  *((intOrPtr*)( *_t1239 + 0x298))();
                                														__eflags =  *(_t1251 + 0x1c) - _t906;
                                														if( *(_t1251 + 0x1c) != _t906) {
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															_t1109 =  *(_t1251 - 0xdc);
                                															asm("movsd");
                                															 *((intOrPtr*)(_t1251 - 0x88)) =  *(_t1251 - 0x80) -  *(_t1251 - 0x7c) +  *((intOrPtr*)(_t1251 - 0x74)) - 0xa;
                                															__eflags =  *(_t1251 - 0xd8);
                                															_t912 = (0 |  *(_t1251 - 0xd8) != 0x00000000) + 1;
                                															__eflags =  *(_t1109 + 0x84);
                                															if( *(_t1109 + 0x84) != 0) {
                                																_t386 = _t1251 - 0x84;
                                																 *_t386 =  *(_t1251 - 0x84) + _t912;
                                																__eflags =  *_t386;
                                															} else {
                                																 *((intOrPtr*)(_t1251 - 0x8c)) =  *((intOrPtr*)(_t1251 - 0x8c)) - _t912;
                                															}
                                															L01279552(_t1010, _t1251 - 0x90);
                                															_t1222 = 0;
                                															__eflags = 0;
                                														}
                                													}
                                												}
                                												Polyline(_t1010[1], _t1251 - 0x70, 8);
                                												__eflags =  *(_t1251 - 0xcc) - _t1222;
                                												if( *(_t1251 - 0xcc) != _t1222) {
                                													L01279B90(_t1010, _t1251 - 0x88,  *(_t1251 - 0x98),  *(_t1251 + 0x10));
                                													L012795E0(_t1010,  *(_t1251 - 0x98),  *(_t1251 + 0x18));
                                												}
                                												_t1235 = _t1251 - 0xa0;
                                												_t1219 = _t1251 - 0x20;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												 *(_t1251 - 0x20) =  *(_t1251 - 0x78);
                                												L01279552(_t1010, _t1251 - 0x20);
                                											}
                                											 *(_t1251 - 4) = 6;
                                											 *(_t1251 - 0xf4) = 0x138f578;
                                											E0127A27E(_t1010, _t1251 - 0xf4, _t1219, _t1235, __eflags);
                                											 *(_t1251 - 4) = 5;
                                											 *((intOrPtr*)(_t1251 - 0xec)) = 0x138f894;
                                											E0127A27E(_t1010, _t1251 - 0xec, _t1219, _t1235, __eflags);
                                											_t1233 =  *(_t1251 - 0xdc);
                                											_t1217 = 0;
                                											__eflags = 0;
                                											L86:
                                											_push( *0x13d643c);
                                											_push(1);
                                											_push(_t1217);
                                											E0127A354(_t1010, _t1251 - 0x10c, _t1196, _t1217, _t1233, __eflags);
                                											_push( *0x13d6438);
                                											_push(1);
                                											_push(_t1217);
                                											 *(_t1251 - 4) = 8;
                                											E0127A354(_t1010, _t1251 - 0x104, _t1196, _t1217, _t1233, __eflags);
                                											_push( *0x13d6440);
                                											_push(1);
                                											_push(_t1217);
                                											 *(_t1251 - 4) = 9;
                                											E0127A354(_t1010, _t1251 - 0xe4, _t1196, _t1217, _t1233, __eflags);
                                											 *(_t1251 - 4) = 0xa;
                                											__eflags =  *(_t1251 - 0xc4) - _t1217;
                                											if( *(_t1251 - 0xc4) == _t1217) {
                                												_t685 =  *(_t1251 - 0x98);
                                												__eflags =  *(_t1251 + 0x14) - _t685;
                                												if( *(_t1251 + 0x14) > _t685) {
                                													asm("movsd");
                                													asm("movsd");
                                													asm("movsd");
                                													asm("movsd");
                                													 *(_t1251 - 0x18) = _t685;
                                													E0127A097(_t1010, _t1251 - 0xfc, _t1196, _t1251 - 0x20, CreateRectRgnIndirect(_t1251 - 0x20));
                                													L01279B4B(_t1010, _t1251 - 0xfc);
                                													_t1233 =  *(_t1251 - 0xdc);
                                													_t1217 = 0;
                                													__eflags = 0;
                                												}
                                												__eflags =  *((intOrPtr*)(_t1233 + 0x84)) - _t1217;
                                												if( *((intOrPtr*)(_t1233 + 0x84)) != _t1217) {
                                													_t686 =  *((intOrPtr*)(_t1251 - 0xd4));
                                													__eflags =  *((intOrPtr*)(_t686 + 0x94)) - _t1217;
                                													_t687 = _t1251 - 0xe4;
                                													if( *((intOrPtr*)(_t686 + 0x94)) == _t1217) {
                                														_t687 = _t1251 - 0x104;
                                													}
                                													_t688 = E0127A1AA(_t1010, _t687);
                                													__eflags = _t688 - _t1217;
                                													_t1033 = 0 | __eflags != 0x00000000;
                                													 *(_t1251 - 0xd0) = _t688;
                                													if(__eflags == 0) {
                                														goto L88;
                                													} else {
                                														_t810 =  *(_t1251 + 0x18);
                                														__eflags =  *(_t1251 + 0x20) - _t1217;
                                														if( *(_t1251 + 0x20) == _t1217) {
                                															__eflags = _t810;
                                														}
                                														L01279B90(_t1010, _t1251 - 0x88,  *(_t1251 + 0x14), _t810);
                                														L012795E0(_t1010,  *(_t1251 + 0x14),  *(_t1251 + 0x10) + 2);
                                														L012795E0(_t1010,  *(_t1251 + 0x14) + 0xfffffffe,  *(_t1251 + 0x10));
                                														_t819 =  *((intOrPtr*)(_t1251 - 0xd4));
                                														__eflags =  *((intOrPtr*)(_t819 + 0x94)) - _t1217;
                                														if( *((intOrPtr*)(_t819 + 0x94)) != _t1217) {
                                															E0127A1AA(_t1010, _t1251 - 0x10c);
                                														}
                                														L012795E0(_t1010,  *(_t1251 + 0xc) + 2,  *(_t1251 + 0x10));
                                														L012795E0(_t1010,  *(_t1251 + 0xc),  *(_t1251 + 0x10) + 2);
                                														L012795E0(_t1010,  *(_t1251 + 0xc),  *(_t1251 + 0x18));
                                														_t827 =  *((intOrPtr*)(_t1251 - 0xd4));
                                														__eflags =  *((intOrPtr*)(_t827 + 0x94)) - _t1217;
                                														if( *((intOrPtr*)(_t827 + 0x94)) == _t1217) {
                                															goto L123;
                                														} else {
                                															E0127A1AA(_t1010, _t1251 - 0x104);
                                															_t830 =  *(_t1251 + 0x18);
                                															__eflags =  *(_t1251 + 0x20) - _t1217;
                                															if( *(_t1251 + 0x20) == _t1217) {
                                																__eflags = _t830;
                                															}
                                															L01279B90(_t1010, _t1251 - 0x88,  *(_t1251 + 0x14) - 1, _t830);
                                															_t836 =  *(_t1251 + 0x10) + 1;
                                															__eflags = _t836;
                                															goto L121;
                                														}
                                													}
                                												} else {
                                													_t840 = E0127A1AA(_t1010, _t1251 - 0x10c);
                                													__eflags = _t840 - _t1217;
                                													_t1033 = 0 | __eflags != 0x00000000;
                                													 *(_t1251 - 0xd0) = _t840;
                                													if(__eflags == 0) {
                                														L88:
                                														L01277AC9(_t1033);
                                														L89:
                                														__eflags =  *((intOrPtr*)(_t1233 + 0x84)) - _t1217;
                                														if( *((intOrPtr*)(_t1233 + 0x84)) != _t1217) {
                                															L01279B90(_t1010, _t1251 - 0x88,  *((intOrPtr*)(_t1251 - 0x60)) + 1,  *(_t1251 - 0x5c));
                                															L012795E0(_t1010,  *((intOrPtr*)(_t1251 - 0x58)) + 1,  *((intOrPtr*)(_t1251 - 0x54)));
                                															L01279B90(_t1010, _t1251 - 0x88,  *((intOrPtr*)(_t1251 - 0x58)) + 1,  *((intOrPtr*)(_t1251 - 0x54)));
                                															L012795E0(_t1010,  *((intOrPtr*)(_t1251 - 0x58)) + 2,  *((intOrPtr*)(_t1251 - 0x54)));
                                															L01279B90(_t1010, _t1251 - 0x88,  *((intOrPtr*)(_t1251 - 0x58)) + 2,  *((intOrPtr*)(_t1251 - 0x54)));
                                															L012795E0(_t1010,  *((intOrPtr*)(_t1251 - 0x58)) + 3,  *((intOrPtr*)(_t1251 - 0x54)));
                                															L01279B90(_t1010, _t1251 - 0x88,  *((intOrPtr*)(_t1251 - 0x50)) - 1,  *(_t1251 - 0x4c) + 1);
                                															L012795E0(_t1010,  *((intOrPtr*)(_t1251 - 0x48)) + 1,  *(_t1251 - 0x44) + 1);
                                															__eflags =  *(_t1251 + 0x20) - _t1217;
                                															if( *(_t1251 + 0x20) == _t1217) {
                                																__eflags =  *(_t1251 - 0xcc) - _t1217;
                                																if( *(_t1251 - 0xcc) == _t1217) {
                                																	_t791 =  *((intOrPtr*)(_t1251 - 0xd4));
                                																	__eflags =  *((intOrPtr*)(_t791 + 0x94)) - _t1217;
                                																	if( *((intOrPtr*)(_t791 + 0x94)) != _t1217) {
                                																		E0127A1AA(_t1010, _t1251 - 0x104);
                                																		L01279B90(_t1010, _t1251 - 0x88,  *(_t1251 - 0x40) + 0xfffffffe,  *((intOrPtr*)(_t1251 - 0x3c)) - 1);
                                																		__eflags =  *(_t1251 - 0x40) - 1;
                                																		L012795E0(_t1010,  *(_t1251 - 0x40) - 1,  *((intOrPtr*)(_t1251 - 0x3c)) - 1);
                                																	}
                                																}
                                															}
                                															L01279B90(_t1010, _t1251 - 0x88,  *(_t1251 - 0x40) - 1,  *((intOrPtr*)(_t1251 - 0x3c)));
                                															_push( *(_t1251 - 0x34));
                                															L94:
                                															_t726 =  *(_t1251 - 0x38);
                                															L122:
                                															_t727 = _t726 - 1;
                                															__eflags = _t727;
                                															_push(_t727);
                                															L012795E0(_t1010);
                                															L123:
                                															__eflags =  *(_t1251 + 0x20) - _t1217;
                                															if( *(_t1251 + 0x20) == _t1217) {
                                																L136:
                                																E0127A1AA(_t1010,  *(_t1251 - 0xd0));
                                																__eflags =  *(_t1251 - 0xc4) - _t1217;
                                																if( *(_t1251 - 0xc4) == _t1217) {
                                																	L149:
                                																	L01279B4B(_t1010, _t1217);
                                																	_t1236 = 0x138f598;
                                																	 *(_t1251 - 4) = 9;
                                																	 *((intOrPtr*)(_t1251 - 0xe4)) = 0x138f598;
                                																	E0127A27E(_t1010, _t1251 - 0xe4, _t1217, 0x138f598, __eflags);
                                																	 *(_t1251 - 4) = 8;
                                																	 *((intOrPtr*)(_t1251 - 0x104)) = 0x138f598;
                                																	E0127A27E(_t1010, _t1251 - 0x104, _t1217, 0x138f598, __eflags);
                                																	 *(_t1251 - 4) = 5;
                                																	 *((intOrPtr*)(_t1251 - 0x10c)) = 0x138f598;
                                																	E0127A27E(_t1010, _t1251 - 0x10c, _t1217, 0x138f598, __eflags);
                                																	 *((intOrPtr*)(_t1251 - 0xfc)) = 0x138f894;
                                																	_t1049 = _t1251 - 0xfc;
                                																	goto L150;
                                																}
                                																_t758 =  *((intOrPtr*)( *_t1233 + 0x288))();
                                																__eflags = _t758;
                                																if(_t758 == 0) {
                                																	L140:
                                																	_t760 =  *(_t1251 + 0x18) -  *(_t1251 + 0x10);
                                																	__eflags = _t760;
                                																	L141:
                                																	 *(_t1251 - 0xc8) = _t760;
                                																	_t762 =  *((intOrPtr*)( *_t1233 + 0x288))();
                                																	__eflags = _t762;
                                																	if(_t762 == 0) {
                                																		L144:
                                																		_t763 =  *0x13d1340; // 0x4
                                																		L145:
                                																		 *(_t1251 + 0xc) =  *(_t1251 + 0xc) +  *(_t1251 - 0xc8);
                                																		 *(_t1251 + 0x14) =  *(_t1251 + 0x14) - _t763;
                                																		_t765 =  *((intOrPtr*)( *_t1233 + 0x288))();
                                																		__eflags = _t765;
                                																		if(_t765 != 0) {
                                																			__eflags =  *(_t1251 + 0x20) - _t1217;
                                																			if( *(_t1251 + 0x20) != _t1217) {
                                																				_t767 =  *((intOrPtr*)( *_t1233 + 0x23c))( *(_t1251 + 0x1c));
                                																				__eflags = _t767;
                                																				if(_t767 != 0) {
                                																					OffsetRect(_t1251 + 0xc,  *0x13d1340, _t1217);
                                																				}
                                																			}
                                																		}
                                																		goto L149;
                                																	}
                                																	__eflags =  *(_t1251 + 0x20) - _t1217;
                                																	if( *(_t1251 + 0x20) == _t1217) {
                                																		goto L144;
                                																	}
                                																	_t770 =  *0x13d1340; // 0x4
                                																	asm("cdq");
                                																	_t763 = _t770 * 3 + _t1196 >> 2;
                                																	goto L145;
                                																}
                                																__eflags =  *(_t1251 + 0x20) - _t1217;
                                																if( *(_t1251 + 0x20) == _t1217) {
                                																	goto L140;
                                																}
                                																asm("cdq");
                                																_t1196 = _t1196 & 0x00000003;
                                																_t760 = ( *(_t1251 + 0x18) -  *(_t1251 + 0x10)) * 3 + _t1196 >> 2;
                                																goto L141;
                                															}
                                															__eflags =  *((intOrPtr*)(_t1233 + 0x84)) - _t1217;
                                															if( *((intOrPtr*)(_t1233 + 0x84)) != _t1217) {
                                																_t1066 =  *(_t1251 + 0x18);
                                															} else {
                                																_t1066 =  *(_t1251 + 0x10) + 0xfffffffe;
                                															}
                                															_t1196 =  *(_t1251 + 0xc);
                                															 *(_t1251 - 0x7c) = _t1066;
                                															 *(_t1251 - 0x78) =  *(_t1251 + 0x14) - _t1196 + _t1196;
                                															 *((intOrPtr*)(_t1251 - 0x74)) = _t1066 + 2;
                                															 *(_t1251 - 0x80) = _t1196;
                                															 *(_t1251 - 0xc8) =  *((intOrPtr*)( *_t1233 + 0x1d8))( *(_t1251 + 0x1c));
                                															__eflags =  *(_t1251 - 0xc4) - _t1217;
                                															if( *(_t1251 - 0xc4) == _t1217) {
                                																L133:
                                																__eflags =  *(_t1251 - 0xc8) - 0xffffffff;
                                																if(__eflags == 0) {
                                																	FillRect(_t1010[1], _t1251 - 0x80,  *0x13d64b4);
                                																	goto L136;
                                																}
                                																goto L134;
                                															} else {
                                																__eflags =  *(_t1251 - 0xd8) - _t1217;
                                																if( *(_t1251 - 0xd8) == _t1217) {
                                																	OffsetRect(_t1251 - 0x80, 1, _t1217);
                                																	_t559 = _t1251 - 0x80;
                                																	 *_t559 =  *(_t1251 - 0x80) + 1;
                                																	__eflags =  *_t559;
                                																} else {
                                																	 *(_t1251 - 0x80) =  *(_t1251 - 0x80) + 3;
                                																}
                                																__eflags =  *(_t1251 - 0xc8) - 0xffffffff;
                                																if(__eflags != 0) {
                                																	L134:
                                																	_push( *(_t1251 - 0xc8));
                                																	E0127A3A8(_t1010, _t1251 - 0xf4, _t1196, _t1217, _t1233, __eflags);
                                																	FillRect(_t1010[1], _t1251 - 0x80,  *(_t1251 - 0xf0));
                                																	 *(_t1251 - 0xf4) = 0x138f578;
                                																	E0127A27E(_t1010, _t1251 - 0xf4, _t1217, _t1233, __eflags);
                                																	goto L136;
                                																} else {
                                																	_t790 =  *0x13d644c; // 0xffffff
                                																	 *(_t1251 - 0xc8) = _t790;
                                																	goto L133;
                                																}
                                															}
                                														}
                                														__eflags =  *(_t1251 - 0xcc) - _t1217;
                                														if( *(_t1251 - 0xcc) != _t1217) {
                                															goto L123;
                                														}
                                														_t805 =  *(_t1251 - 0x34);
                                														__eflags =  *(_t1251 + 0x20) - _t1217;
                                														if( *(_t1251 + 0x20) != _t1217) {
                                															_t805 = _t805 - 1;
                                															__eflags = _t805;
                                														}
                                														 *(_t1251 - 0xc8) = _t805;
                                														__eflags =  *(_t1251 - 0x40) - 1;
                                														L01279B90(_t1010, _t1251 - 0x88,  *(_t1251 - 0x40) - 1,  *((intOrPtr*)(_t1251 - 0x3c)));
                                														_push( *(_t1251 - 0xc8));
                                														goto L94;
                                													}
                                													_t841 =  *((intOrPtr*)(_t1251 - 0xd4));
                                													__eflags =  *((intOrPtr*)(_t841 + 0x94)) - _t1217;
                                													if( *((intOrPtr*)(_t841 + 0x94)) == _t1217) {
                                														E0127A1AA(_t1010, _t1251 - 0x104);
                                													}
                                													L01279B90(_t1010, _t1251 - 0x88,  *(_t1251 + 0xc),  *(_t1251 + 0x10));
                                													L012795E0(_t1010,  *(_t1251 + 0xc),  *(_t1251 + 0x18) + 0xfffffffe);
                                													_t847 =  *((intOrPtr*)(_t1251 - 0xd4));
                                													__eflags =  *((intOrPtr*)(_t847 + 0x94)) - _t1217;
                                													if( *((intOrPtr*)(_t847 + 0x94)) != _t1217) {
                                														E0127A1AA(_t1010, _t1251 - 0xe4);
                                													}
                                													L012795E0(_t1010,  *(_t1251 + 0xc) + 2,  *(_t1251 + 0x18));
                                													L012795E0(_t1010,  *(_t1251 + 0x14) + 0xfffffffe,  *(_t1251 + 0x18));
                                													L012795E0(_t1010,  *(_t1251 + 0x14),  *(_t1251 + 0x18) + 0xfffffffe);
                                													L012795E0(_t1010,  *(_t1251 + 0x14),  *(_t1251 + 0x10) - 1);
                                													E0127A1AA(_t1010, _t1251 - 0x104);
                                													_t862 =  *((intOrPtr*)(_t1251 - 0xd4));
                                													__eflags =  *((intOrPtr*)(_t862 + 0x94)) - _t1217;
                                													if( *((intOrPtr*)(_t862 + 0x94)) == _t1217) {
                                														goto L123;
                                													} else {
                                														L01279B90(_t1010, _t1251 - 0x88,  *(_t1251 + 0xc) + 3,  *(_t1251 + 0x18) - 1);
                                														L012795E0(_t1010,  *(_t1251 + 0x14) + 0xfffffffe,  *(_t1251 + 0x18) - 1);
                                														L012795E0(_t1010,  *(_t1251 + 0x14) - 1,  *(_t1251 + 0x18) + 0xfffffffe);
                                														_t836 =  *(_t1251 + 0x10) - 1;
                                														L121:
                                														_push(_t836);
                                														_t726 =  *(_t1251 + 0x14);
                                														goto L122;
                                													}
                                												}
                                											}
                                											_t890 = E0127A1AA(_t1010, _t1251 - 0x10c);
                                											__eflags = _t890 - _t1217;
                                											_t1033 = 0 | __eflags != 0x00000000;
                                											 *(_t1251 - 0xd0) = _t890;
                                											if(__eflags != 0) {
                                												goto L89;
                                											}
                                											goto L88;
                                										}
                                									}
                                									__eflags =  *(_t1251 - 0xc4) - _t1217;
                                									if( *(_t1251 - 0xc4) != _t1217) {
                                										goto L55;
                                									}
                                									__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t1251 - 0xd4)) + 0x90)) - _t1217;
                                									if(__eflags == 0) {
                                										goto L86;
                                									}
                                									goto L55;
                                								}
                                								__eflags =  *(_t1251 - 0xc4) - _t1217;
                                								if( *(_t1251 - 0xc4) != _t1217) {
                                									goto L52;
                                								}
                                								_t671 =  *(_t1251 - 0xc8);
                                								__eflags = _t671 - 0xffffffff;
                                								if(_t671 != 0xffffffff) {
                                									goto L55;
                                								}
                                								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t1251 - 0xd4)) + 0x90)) - _t1217;
                                								if(__eflags == 0) {
                                									goto L86;
                                								}
                                								goto L52;
                                							}
                                							__eflags =  *(_t1251 + 0x20) - _t1217;
                                							if( *(_t1251 + 0x20) != _t1217) {
                                								goto L45;
                                							}
                                							_t923 =  *((intOrPtr*)( *_t1233 + 0x288))();
                                							__eflags = _t923;
                                							if(_t923 != 0) {
                                								goto L45;
                                							}
                                							_t663 =  *(_t1251 + 0x18) -  *(_t1251 + 0x10);
                                							goto L46;
                                						}
                                						_t926 =  *((intOrPtr*)( *_t1233 + 0x288))();
                                						__eflags = _t926;
                                						if(_t926 != 0) {
                                							goto L65;
                                						}
                                						 *(_t1251 - 0xc4) = 0;
                                						goto L45;
                                					}
                                					 *(_t1251 - 0x2c) = 0x13930ec;
                                					 *(_t1251 - 0x20) = 0;
                                					 *(_t1251 - 0x1c) = 0;
                                					 *(_t1251 - 0x24) = 0;
                                					 *(_t1251 - 0x28) = 0;
                                					 *(_t1251 - 0x18) = 0;
                                					 *(_t1251 - 0x14) = 0xa;
                                					 *(_t1251 - 4) = 1;
                                					 *(_t1251 - 0xd8) = L012A13A4(_t1251 - 0x2c, L012A12F2(_t1251 - 0x2c, __eflags,  *(_t1251 + 0xc),  *(_t1251 + 0x10)),  *(_t1251 + 0xc),  *(_t1251 + 0x10) + 2);
                                					 *(_t1251 - 0xd0) = L012A135B(_t1251 - 0x2c, L012A1327(_t1251 - 0x2c, __eflags,  *(_t1251 + 0x14),  *(_t1251 + 0x10)),  *(_t1251 + 0x14),  *(_t1251 + 0x10) + 2);
                                					_t934 =  *(_t1251 + 0x18);
                                					_t1230 =  *(_t1251 + 0xc) + 1;
                                					_t1134 =  *(_t1251 + 0x10) + 2;
                                					_t1243 =  *(_t1251 + 0x14) - 1;
                                					 *(_t1251 - 0xc4) = _t1134;
                                					__eflags = _t1134 - _t934 - 4;
                                					if(_t1134 >= _t934 - 4) {
                                						L14:
                                						_t1135 =  *(_t1251 - 0xdc);
                                						__eflags =  *((intOrPtr*)(_t1135 + 0x84)) - 1;
                                						if( *((intOrPtr*)(_t1135 + 0x84)) == 1) {
                                							_t1230 = _t1230 - 1;
                                							_t1243 = _t1243 + 1;
                                							__eflags = _t1243;
                                						}
                                						 *(_t1251 - 0xf8) = _t1230 - 1;
                                						_t110 = _t1243 + 1; // 0xa
                                						 *(_t1251 - 0x100) = _t110;
                                						_t1138 =  *(_t1251 - 0xc4);
                                						__eflags = _t1138 - _t934 - 1;
                                						if(_t1138 >= _t934 - 1) {
                                							L21:
                                							L012A13A4(_t1251 - 0x2c,  *(_t1251 - 0xd8), _t1230 + 2, _t934);
                                							_t160 = _t1243 - 2; // 0x7
                                							L012A135B(_t1251 - 0x2c,  *(_t1251 - 0xd0), _t160,  *(_t1251 + 0x18));
                                							_t1205 = 8;
                                							_t1196 =  *(_t1251 - 0x20) * _t1205 >> 0x20;
                                							 *(_t1251 - 0xd0) = E01274753(__eflags,  ~(0 | __eflags > 0x00000000) |  *(_t1251 - 0x20) * _t1205);
                                							_t941 =  *(_t1251 - 0x28);
                                							__eflags = _t941;
                                							if(_t941 == 0) {
                                								L26:
                                								 *(_t1251 - 0xe8) =  *(_t1251 - 0xe8) & 0x00000000;
                                								 *((intOrPtr*)(_t1251 - 0xec)) = 0x138f894;
                                								 *(_t1251 - 4) = 2;
                                								E0127A097(_t1010, _t1251 - 0xec, _t1196, _t1230, CreatePolygonRgn( *(_t1251 - 0xd0),  *(_t1251 - 0x20), 2));
                                								L01279B4B(_t1010, _t1251 - 0xec);
                                								_t946 =  *(_t1251 - 0xc8);
                                								__eflags = _t946 - 0xffffffff;
                                								if(__eflags == 0) {
                                									_t946 =  *0x13d63fc; // 0xf0f0f0
                                								}
                                								E0127A3A8(_t1010, _t1251 - 0xf4, _t1196, _t1230, _t1243, __eflags);
                                								_t1252 = _t1252 - 0x10;
                                								_t1231 = _t1252;
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								 *(_t1251 - 4) = 3;
                                								asm("movsd");
                                								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1251 - 0xd4)))) + 0xf8))(_t1010, _t1251 - 0xf4,  *(_t1251 + 0x1c),  *(_t1251 + 0x20),  *(_t1251 - 0xdc), _t946);
                                								L01279B4B(_t1010, 0);
                                								_push( *0x13d6438);
                                								_push(1);
                                								_push(0);
                                								E0127A354(_t1010, _t1251 - 0xe4, _t1196, _t1252, 0, __eflags);
                                								 *(_t1251 - 4) = 4;
                                								 *((intOrPtr*)(_t1251 - 0x108)) = E0127A1AA(_t1010, _t1251 - 0xe4);
                                								 *(_t1251 - 0xc8) = 0;
                                								__eflags =  *(_t1251 - 0x20);
                                								if( *(_t1251 - 0x20) <= 0) {
                                									L41:
                                									_push( *(_t1251 - 0xd0));
                                									E01274782();
                                									E0127A1AA(_t1010,  *((intOrPtr*)(_t1251 - 0x108)));
                                									 *(_t1251 + 0xc) =  *(_t1251 - 0xf8);
                                									 *(_t1251 + 0x14) =  *(_t1251 - 0x100);
                                									 *(_t1251 - 4) = 3;
                                									 *((intOrPtr*)(_t1251 - 0xe4)) = 0x138f598;
                                									E0127A27E(_t1010, _t1251 - 0xe4, _t1231, 0, __eflags);
                                									 *(_t1251 - 4) = 2;
                                									 *(_t1251 - 0xf4) = 0x138f578;
                                									E0127A27E(_t1010, _t1251 - 0xf4, _t1231, 0, __eflags);
                                									 *(_t1251 - 4) = 1;
                                									 *((intOrPtr*)(_t1251 - 0xec)) = 0x138f894;
                                									E0127A27E(_t1010, _t1251 - 0xec, _t1231, 0, __eflags);
                                									 *(_t1251 - 4) =  *(_t1251 - 4) | 0xffffffff;
                                									 *(_t1251 - 0x2c) = 0x13930ec;
                                									E0133286E(_t1251 - 0x2c);
                                									goto L151;
                                								} else {
                                									_t1247 =  *(_t1251 - 0xd0) + 0xfffffffc;
                                									__eflags = _t1247;
                                									do {
                                										_t964 =  *(_t1251 - 0xc8) & 0x80000001;
                                										__eflags = _t964;
                                										if(__eflags < 0) {
                                											__eflags = (_t964 - 0x00000001 | 0xfffffffe) + 1;
                                										}
                                										if(__eflags != 0) {
                                											_t1231 =  *((intOrPtr*)(_t1247 - 4));
                                											_t1161 =  *_t1247;
                                											 *(_t1251 - 0xcc) =  *(_t1247 + 4);
                                											 *(_t1251 - 0xd8) =  *(_t1247 + 8);
                                											 *(_t1251 - 0xc4) = _t1161;
                                											asm("cdq");
                                											_t971 =  *(_t1251 + 0xc) +  *(_t1251 + 0x14) - _t1196 >> 1;
                                											__eflags = _t1231 - _t971;
                                											if(_t1231 > _t971) {
                                												__eflags =  *(_t1251 - 0xcc) - _t971;
                                												if( *(_t1251 - 0xcc) > _t971) {
                                													_t1231 = _t1231 - 1;
                                													_t216 = _t1251 - 0xcc;
                                													 *_t216 =  *(_t1251 - 0xcc) - 1;
                                													__eflags =  *_t216;
                                												}
                                											}
                                											__eflags =  *(_t1251 - 0xd8) - _t1161;
                                											_t1162 = _t1010;
                                											if( *(_t1251 - 0xd8) < _t1161) {
                                												L01279B90(_t1162, _t1251 - 0x88,  *(_t1251 - 0xcc),  *(_t1251 - 0xd8));
                                												_push( *(_t1251 - 0xc4));
                                												_push(_t1231);
                                											} else {
                                												L01279B90(_t1162, _t1251 - 0x98, _t1231,  *(_t1251 - 0xc4));
                                												_push( *(_t1251 - 0xd8));
                                												_push( *(_t1251 - 0xcc));
                                											}
                                											L012795E0(_t1010);
                                										}
                                										 *(_t1251 - 0xc8) =  *(_t1251 - 0xc8) + 1;
                                										_t1247 = _t1247 + 8;
                                										__eflags =  *(_t1251 - 0xc8) -  *(_t1251 - 0x20);
                                									} while ( *(_t1251 - 0xc8) <  *(_t1251 - 0x20));
                                									goto L41;
                                								}
                                							}
                                							_t1165 =  &( *(_t1251 - 0xd0)->y);
                                							__eflags = _t1165;
                                							do {
                                								_t1206 = _t941;
                                								_t1243 =  *(_t1206 + 8);
                                								_t941 =  *_t941;
                                								 *(_t1165 - 4) =  *(_t1206 + 8);
                                								 *_t1165 =  *((intOrPtr*)(_t1206 + 0xc));
                                								_t1196 =  *(_t1251 - 0xdc);
                                								__eflags =  *((intOrPtr*)(_t1196 + 0x84)) - 1;
                                								if( *((intOrPtr*)(_t1196 + 0x84)) == 1) {
                                									_t1196 =  *(_t1251 + 0x10) -  *_t1165 +  *(_t1251 + 0x18);
                                									__eflags = _t1196;
                                									 *_t1165 = _t1196;
                                								}
                                								_t1165 = _t1165 + 8;
                                								__eflags = _t941;
                                							} while (_t941 != 0);
                                							goto L26;
                                						} else {
                                							_t1166 = _t1138 + 1;
                                							__eflags = _t1166;
                                							 *(_t1251 - 0xc4) = _t1166;
                                							 *(_t1251 - 0xcc) = _t1230 + 1;
                                							do {
                                								 *(_t1251 - 0xd8) = L012A13A4(_t1251 - 0x2c, L012A13A4(_t1251 - 0x2c,  *(_t1251 - 0xd8), _t1230,  *(_t1251 - 0xc4) - 1),  *(_t1251 - 0xcc),  *(_t1251 - 0xc4));
                                								_t987 = L012A135B(_t1251 - 0x2c,  *(_t1251 - 0xd0), _t1243,  *(_t1251 - 0xc4) - 1);
                                								_t128 = _t1243 - 1; // 0x8
                                								 *(_t1251 - 0xd0) = L012A135B(_t1251 - 0x2c, _t987, _t128,  *(_t1251 - 0xc4));
                                								_t934 =  *(_t1251 + 0x18);
                                								__eflags =  *(_t1251 - 0xc4) - 1 - _t934 - 2;
                                								if( *(_t1251 - 0xc4) - 1 == _t934 - 2) {
                                									_t989 = L012A13A4(_t1251 - 0x2c,  *(_t1251 - 0xd8),  *(_t1251 - 0xcc),  *(_t1251 - 0xc4));
                                									__eflags =  *(_t1251 - 0xcc) + 2;
                                									 *(_t1251 - 0xd8) = L012A13A4(_t1251 - 0x2c, _t989,  *(_t1251 - 0xcc) + 2,  *(_t1251 - 0xc4));
                                									_t991 = L012A135B(_t1251 - 0x2c,  *(_t1251 - 0xd0), _t1243,  *(_t1251 - 0xc4));
                                									_t146 = _t1243 - 2; // 0x7
                                									 *(_t1251 - 0xd0) = L012A135B(_t1251 - 0x2c, _t991, _t146,  *(_t1251 - 0xc4));
                                									_t934 =  *(_t1251 + 0x18);
                                								}
                                								_t1230 = _t1230 + 1;
                                								 *(_t1251 - 0xcc) =  *(_t1251 - 0xcc) + 1;
                                								_t1243 = _t1243 - 1;
                                								 *(_t1251 - 0xc4) =  *(_t1251 - 0xc4) + 1;
                                								__eflags =  *(_t1251 - 0xc4) - 1 - _t934 - 1;
                                							} while ( *(_t1251 - 0xc4) - 1 < _t934 - 1);
                                							goto L21;
                                						}
                                					} else {
                                						_t994 = _t1134 + 2;
                                						__eflags = _t994;
                                						 *(_t1251 - 0xcc) = _t994;
                                						do {
                                							 *(_t1251 - 0xd8) = L012A13A4(_t1251 - 0x2c, L012A13A4(_t1251 - 0x2c,  *(_t1251 - 0xd8), _t1230,  *(_t1251 - 0xc4)), _t1230,  *(_t1251 - 0xcc));
                                							_t998 = L012A135B(_t1251 - 0x2c, L012A135B(_t1251 - 0x2c,  *(_t1251 - 0xd0), _t1243,  *(_t1251 - 0xc4)), _t1243,  *(_t1251 - 0xcc));
                                							 *(_t1251 - 0xc4) =  *(_t1251 - 0xc4) + 2;
                                							 *(_t1251 - 0xcc) =  *(_t1251 - 0xcc) + 2;
                                							 *(_t1251 - 0xd0) = _t998;
                                							_t934 =  *(_t1251 + 0x18);
                                							_t1230 = _t1230 + 1;
                                							_t1243 = _t1243 - 1;
                                							__eflags =  *(_t1251 - 0xc4) - _t934 - 4;
                                						} while ( *(_t1251 - 0xc4) < _t934 - 4);
                                						goto L14;
                                					}
                                				} else {
                                					_t999 =  *((intOrPtr*)(_t657 + 0x178))();
                                					asm("cdq");
                                					_t1001 = _t999 - __edx >> 1;
                                					_t1256 =  *((intOrPtr*)(_t1233 + 0x84));
                                					if( *((intOrPtr*)(_t1233 + 0x84)) != 0) {
                                						_t1188 =  *(_t1251 + 0xc);
                                						 *(_t1251 - 0x28) = _t1188;
                                						_t1189 =  *(_t1251 + 0x14);
                                						_t1196 =  *(_t1251 + 0x10) + 1;
                                						 *(_t1251 - 0x30) = _t1188 + _t1001;
                                						_t1249 =  *(_t1251 + 0x18);
                                						 *(_t1251 - 0x20) = _t1189;
                                						_t39 = _t1251 + 0xc;
                                						 *_t39 =  *(_t1251 + 0xc) + 2;
                                						__eflags =  *_t39;
                                						 *(_t1251 + 0x10) = _t1196;
                                						 *(_t1251 - 0x2c) = _t1196;
                                						 *(_t1251 - 0x24) = _t1249;
                                						 *(_t1251 - 0x1c) = _t1249;
                                						 *(_t1251 - 0x18) = _t1189 - _t1001;
                                						 *(_t1251 - 0x14) = _t1196;
                                					} else {
                                						_t1213 =  *(_t1251 + 0xc);
                                						_t1250 =  *(_t1251 + 0x10);
                                						 *(_t1251 - 0x30) = _t1213;
                                						_t1195 =  *(_t1251 + 0x18) - 1;
                                						 *(_t1251 - 0x28) = _t1213 + _t1001;
                                						_t1196 =  *(_t1251 + 0x14) - _t1001;
                                						 *(_t1251 + 0x18) = _t1195;
                                						 *(_t1251 - 0x2c) = _t1250;
                                						 *(_t1251 - 0x24) = _t1195;
                                						 *(_t1251 - 0x20) =  *(_t1251 + 0x14) - _t1001;
                                						 *(_t1251 - 0x1c) = _t1195;
                                						 *(_t1251 - 0x18) =  *(_t1251 + 0x14);
                                						 *(_t1251 - 0x14) = _t1250;
                                					}
                                					_push( *(_t1251 - 0xc8));
                                					_t1236 = 0;
                                					E0127A3A8(_t1010, _t1251 - 0xe4, _t1196, _t1217, 0, _t1256);
                                					 *(_t1251 - 4) = _t1217;
                                					if( *(_t1251 + 0x20) == _t1217 &&  *(_t1251 - 0xc8) != 0xffffffff) {
                                						_t1236 = E0127A1AA(_t1010, _t1251 - 0xe4);
                                					}
                                					Polygon(_t1010[1], _t1251 - 0x30, 4);
                                					if(_t1236 != _t1217) {
                                						E0127A1AA(_t1010, _t1236);
                                					}
                                					 *((intOrPtr*)(_t1251 - 0xe4)) = 0x138f578;
                                					_t1049 = _t1251 - 0xe4;
                                					L150:
                                					 *(_t1251 - 4) =  *(_t1251 - 4) | 0xffffffff;
                                					E0127A27E(_t1010, _t1049, _t1217, _t1236,  *(_t1251 - 4));
                                					L151:
                                					_t1237 =  *(_t1251 - 0xdc);
                                					_t736 =  *((intOrPtr*)( *_t1237 + 0x1e0))( *(_t1251 + 0x1c));
                                					 *(_t1251 - 0xc8) =  *(_t1251 - 0xc8) | 0xffffffff;
                                					if( *(_t1251 + 0x20) == 0 && _t736 != 0xffffffff) {
                                						_t1196 =  *_t1010;
                                						 *(_t1251 - 0xc8) =  *((intOrPtr*)( *_t1010 + 0x30))(_t736);
                                					}
                                					if( *((intOrPtr*)( *_t1237 + 0x284))() != 0 ||  *((intOrPtr*)( *_t1237 + 0x288))() != 0) {
                                						 *(_t1251 - 0xb0) = 0;
                                						 *((intOrPtr*)(_t1251 - 0xac)) = 0;
                                						 *((intOrPtr*)(_t1251 - 0xa8)) = 0;
                                						 *((intOrPtr*)(_t1251 - 0xa4)) = 0;
                                						 *((intOrPtr*)( *_t1237 + 0x17c))(_t1251 - 0xb0);
                                						_t742 =  *((intOrPtr*)(_t1251 - 0xa8)) + 0xfffffffe;
                                						if( *(_t1251 + 0x14) >= _t742) {
                                							 *(_t1251 + 0x14) = _t742;
                                						}
                                					}
                                					 *(_t1251 - 0x110) =  *(_t1251 - 0x110) & 0;
                                					 *((intOrPtr*)(_t1251 - 0x114)) = 0x138f894;
                                					 *(_t1251 - 4) = 0xb;
                                					E0127A097(_t1010, _t1251 - 0x114, _t1196, 0, CreateRectRgnIndirect(_t1251 - 0xc0));
                                					L01279B4B(_t1010, _t1251 - 0x114);
                                					_t1233 = _t1251 + 0xc;
                                					_t1217 = _t1252 - 0x10;
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1251 - 0xd4)))) + 0xfc))(_t1010,  *(_t1251 + 0x1c),  *(_t1251 + 0x20),  *(_t1251 - 0xdc), 0xffffffff);
                                					if( *(_t1251 - 0xc8) != 0xffffffff) {
                                						 *((intOrPtr*)( *_t1010 + 0x30))( *(_t1251 - 0xc8));
                                					}
                                					L01279B4B(_t1010, 0);
                                					 *((intOrPtr*)(_t1251 - 0x114)) = 0x138f894;
                                					_t1021 = _t1251 - 0x114;
                                					L162:
                                					 *(_t1251 - 4) =  *(_t1251 - 4) | 0xffffffff;
                                					E0127A27E(_t1010, _t1021, _t1217, _t1233,  *(_t1251 - 4));
                                					return L013696ED(_t1010, _t1217, _t1233);
                                				}
                                			}

                                0x012a336d
                                0x012a3373
                                0x012a3379
                                0x012a337c
                                0x012a3393
                                0x012a3394
                                0x012a3395
                                0x012a339a
                                0x012a33a0
                                0x012a33a1
                                0x012a33a9
                                0x012a33b2
                                0x012a33b3
                                0x012a33ba
                                0x012a33c4
                                0x012a33c4
                                0x012a33c4
                                0x012a33bc
                                0x012a33bc
                                0x012a33bc
                                0x012a33d3
                                0x012a33d8
                                0x012a33d8
                                0x012a33d8
                                0x012a337c
                                0x012a336d
                                0x012a33e3
                                0x012a33e9
                                0x012a33ef
                                0x012a3403
                                0x012a3413
                                0x012a3413
                                0x012a341b
                                0x012a3421
                                0x012a3424
                                0x012a3425
                                0x012a3426
                                0x012a3427
                                0x012a3428
                                0x012a3431
                                0x012a3431
                                0x012a343c
                                0x012a3440
                                0x012a344a
                                0x012a3455
                                0x012a3459
                                0x012a3463
                                0x012a3468
                                0x012a346e
                                0x012a346e
                                0x012a3470
                                0x012a3470
                                0x012a347c
                                0x012a347e
                                0x012a347f
                                0x012a3484
                                0x012a3490
                                0x012a3492
                                0x012a3493
                                0x012a3497
                                0x012a349c
                                0x012a34a8
                                0x012a34aa
                                0x012a34ab
                                0x012a34af
                                0x012a34b4
                                0x012a34b8
                                0x012a34be
                                0x012a363f
                                0x012a3645
                                0x012a3648
                                0x012a3650
                                0x012a3651
                                0x012a3652
                                0x012a3653
                                0x012a3654
                                0x012a3668
                                0x012a3676
                                0x012a367b
                                0x012a3681
                                0x012a3681
                                0x012a3681
                                0x012a3683
                                0x012a3689
                                0x012a37ba
                                0x012a37c0
                                0x012a37c6
                                0x012a37cc
                                0x012a37ce
                                0x012a37ce
                                0x012a37d7
                                0x012a37de
                                0x012a37e0
                                0x012a37e3
                                0x012a37eb
                                0x00000000
                                0x012a37f1
                                0x012a37f1
                                0x012a37f4
                                0x012a37f7
                                0x012a37f9
                                0x012a37f9
                                0x012a3807
                                0x012a3818
                                0x012a3829
                                0x012a382e
                                0x012a3834
                                0x012a383a
                                0x012a3845
                                0x012a3845
                                0x012a3856
                                0x012a3867
                                0x012a3874
                                0x012a3879
                                0x012a387f
                                0x012a3885
                                0x00000000
                                0x012a3887
                                0x012a3890
                                0x012a3895
                                0x012a3898
                                0x012a389b
                                0x012a389d
                                0x012a389d
                                0x012a38ad
                                0x012a38b5
                                0x012a38b5
                                0x00000000
                                0x012a38b5
                                0x012a3885
                                0x012a368f
                                0x012a3698
                                0x012a369f
                                0x012a36a1
                                0x012a36a4
                                0x012a36ac
                                0x012a34e3
                                0x012a34e3
                                0x012a34e8
                                0x012a34e8
                                0x012a34ee
                                0x012a3540
                                0x012a354f
                                0x012a3565
                                0x012a3576
                                0x012a358e
                                0x012a359f
                                0x012a35b7
                                0x012a35c8
                                0x012a35cd
                                0x012a35d0
                                0x012a35d2
                                0x012a35d8
                                0x012a35da
                                0x012a35e0
                                0x012a35e6
                                0x012a35f1
                                0x012a360b
                                0x012a3618
                                0x012a361c
                                0x012a361c
                                0x012a35e6
                                0x012a35d8
                                0x012a3632
                                0x012a3637
                                0x012a3527
                                0x012a3527
                                0x012a38ba
                                0x012a38ba
                                0x012a38ba
                                0x012a38bb
                                0x012a38be
                                0x012a38c3
                                0x012a38c3
                                0x012a38c6
                                0x012a399c
                                0x012a39a4
                                0x012a39a9
                                0x012a39af
                                0x012a3a54
                                0x012a3a57
                                0x012a3a5c
                                0x012a3a67
                                0x012a3a6b
                                0x012a3a71
                                0x012a3a7c
                                0x012a3a80
                                0x012a3a86
                                0x012a3a91
                                0x012a3a95
                                0x012a3a9b
                                0x012a3aa0
                                0x012a3aaa
                                0x00000000
                                0x012a3aaa
                                0x012a39b9
                                0x012a39bf
                                0x012a39c1
                                0x012a39dc
                                0x012a39df
                                0x012a39df
                                0x012a39e2
                                0x012a39e2
                                0x012a39ec
                                0x012a39f2
                                0x012a39f4
                                0x012a3a0e
                                0x012a3a0e
                                0x012a3a13
                                0x012a3a19
                                0x012a3a1c
                                0x012a3a23
                                0x012a3a29
                                0x012a3a2b
                                0x012a3a2d
                                0x012a3a30
                                0x012a3a39
                                0x012a3a3f
                                0x012a3a41
                                0x012a3a4e
                                0x012a3a4e
                                0x012a3a41
                                0x012a3a30
                                0x00000000
                                0x012a3a2b
                                0x012a39f6
                                0x012a39f9
                                0x00000000
                                0x00000000
                                0x012a39fb
                                0x012a3a03
                                0x012a3a09
                                0x00000000
                                0x012a3a09
                                0x012a39c3
                                0x012a39c6
                                0x00000000
                                0x00000000
                                0x012a39d1
                                0x012a39d2
                                0x012a39d7
                                0x00000000
                                0x012a39d7
                                0x012a38cc
                                0x012a38d2
                                0x012a38dc
                                0x012a38d4
                                0x012a38d7
                                0x012a38d7
                                0x012a38df
                                0x012a38ea
                                0x012a38f2
                                0x012a38f7
                                0x012a38fc
                                0x012a3905
                                0x012a390b
                                0x012a3911
                                0x012a3945
                                0x012a3945
                                0x012a394c
                                0x012a3996
                                0x00000000
                                0x012a3996
                                0x00000000
                                0x012a3913
                                0x012a3913
                                0x012a3919
                                0x012a3928
                                0x012a392e
                                0x012a392e
                                0x012a392e
                                0x012a391b
                                0x012a391b
                                0x012a391b
                                0x012a3931
                                0x012a3938
                                0x012a394e
                                0x012a394e
                                0x012a395a
                                0x012a396c
                                0x012a3978
                                0x012a3982
                                0x00000000
                                0x012a393a
                                0x012a393a
                                0x012a393f
                                0x00000000
                                0x012a393f
                                0x012a3938
                                0x012a3911
                                0x012a34f0
                                0x012a34f6
                                0x00000000
                                0x00000000
                                0x012a34fc
                                0x012a34ff
                                0x012a3502
                                0x012a3504
                                0x012a3504
                                0x012a3504
                                0x012a3508
                                0x012a3511
                                0x012a351c
                                0x012a3521
                                0x00000000
                                0x012a3521
                                0x012a36b2
                                0x012a36b8
                                0x012a36be
                                0x012a36c9
                                0x012a36c9
                                0x012a36dd
                                0x012a36ee
                                0x012a36f3
                                0x012a36f9
                                0x012a36ff
                                0x012a370a
                                0x012a370a
                                0x012a371b
                                0x012a372c
                                0x012a373d
                                0x012a374c
                                0x012a375a
                                0x012a375f
                                0x012a3765
                                0x012a376b
                                0x00000000
                                0x012a3771
                                0x012a3786
                                0x012a3799
                                0x012a37ac
                                0x012a37b4
                                0x012a38b6
                                0x012a38b6
                                0x012a38b7
                                0x00000000
                                0x012a38b7
                                0x012a376b
                                0x012a3689
                                0x012a34cd
                                0x012a34d4
                                0x012a34d6
                                0x012a34d9
                                0x012a34e1
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012a34e1
                                0x012a3192
                                0x012a3139
                                0x012a313f
                                0x00000000
                                0x00000000
                                0x012a3147
                                0x012a314d
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012a314d
                                0x012a3109
                                0x012a310f
                                0x00000000
                                0x00000000
                                0x012a3111
                                0x012a3117
                                0x012a311a
                                0x00000000
                                0x00000000
                                0x012a3122
                                0x012a3128
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012a3128
                                0x012a327d
                                0x012a3280
                                0x00000000
                                0x00000000
                                0x012a328a
                                0x012a3290
                                0x012a3292
                                0x00000000
                                0x00000000
                                0x012a329b
                                0x00000000
                                0x012a329b
                                0x012a30b9
                                0x012a30bf
                                0x012a30c1
                                0x00000000
                                0x00000000
                                0x012a30c7
                                0x00000000
                                0x012a30c7
                                0x012a2b58
                                0x012a2b5f
                                0x012a2b62
                                0x012a2b65
                                0x012a2b68
                                0x012a2b6b
                                0x012a2b6e
                                0x012a2b7f
                                0x012a2ba2
                                0x012a2bd1
                                0x012a2bd7
                                0x012a2bda
                                0x012a2bdb
                                0x012a2be1
                                0x012a2be2
                                0x012a2be8
                                0x012a2bea
                                0x012a2c6b
                                0x012a2c6b
                                0x012a2c71
                                0x012a2c78
                                0x012a2c7a
                                0x012a2c7b
                                0x012a2c7b
                                0x012a2c7b
                                0x012a2c7f
                                0x012a2c85
                                0x012a2c88
                                0x012a2c8e
                                0x012a2c97
                                0x012a2c99
                                0x012a2dac
                                0x012a2dba
                                0x012a2dc2
                                0x012a2dcf
                                0x012a2ddb
                                0x012a2ddc
                                0x012a2deb
                                0x012a2df1
                                0x012a2df5
                                0x012a2df7
                                0x012a2e31
                                0x012a2e31
                                0x012a2e38
                                0x012a2e47
                                0x012a2e5e
                                0x012a2e6c
                                0x012a2e71
                                0x012a2e77
                                0x012a2e7a
                                0x012a2e7c
                                0x012a2e7c
                                0x012a2e88
                                0x012a2eae
                                0x012a2eb1
                                0x012a2eb6
                                0x012a2eb7
                                0x012a2eb8
                                0x012a2eba
                                0x012a2ebe
                                0x012a2ebf
                                0x012a2eca
                                0x012a2ecf
                                0x012a2edb
                                0x012a2edd
                                0x012a2ede
                                0x012a2eec
                                0x012a2ef5
                                0x012a2efb
                                0x012a2f01
                                0x012a2f04
                                0x012a2fcf
                                0x012a2fcf
                                0x012a2fd5
                                0x012a2fe3
                                0x012a2fee
                                0x012a2ffd
                                0x012a3000
                                0x012a3004
                                0x012a300e
                                0x012a3019
                                0x012a301d
                                0x012a3027
                                0x012a3032
                                0x012a3036
                                0x012a3040
                                0x012a3045
                                0x012a304c
                                0x012a3053
                                0x00000000
                                0x012a2f0a
                                0x012a2f10
                                0x012a2f10
                                0x012a2f13
                                0x012a2f19
                                0x012a2f19
                                0x012a2f1e
                                0x012a2f24
                                0x012a2f24
                                0x012a2f25
                                0x012a2f2e
                                0x012a2f31
                                0x012a2f33
                                0x012a2f3c
                                0x012a2f48
                                0x012a2f4e
                                0x012a2f51
                                0x012a2f53
                                0x012a2f55
                                0x012a2f57
                                0x012a2f5d
                                0x012a2f5f
                                0x012a2f60
                                0x012a2f60
                                0x012a2f60
                                0x012a2f60
                                0x012a2f5d
                                0x012a2f66
                                0x012a2f6c
                                0x012a2f6e
                                0x012a2fa4
                                0x012a2fa9
                                0x012a2faf
                                0x012a2f70
                                0x012a2f7e
                                0x012a2f83
                                0x012a2f89
                                0x012a2f89
                                0x012a2fb2
                                0x012a2fb2
                                0x012a2fb7
                                0x012a2fc3
                                0x012a2fc6
                                0x012a2fc6
                                0x00000000
                                0x012a2f13
                                0x012a2f04
                                0x012a2dff
                                0x012a2dff
                                0x012a2e02
                                0x012a2e02
                                0x012a2e04
                                0x012a2e07
                                0x012a2e09
                                0x012a2e0f
                                0x012a2e11
                                0x012a2e17
                                0x012a2e1e
                                0x012a2e25
                                0x012a2e25
                                0x012a2e28
                                0x012a2e28
                                0x012a2e2a
                                0x012a2e2d
                                0x012a2e2d
                                0x00000000
                                0x012a2c9f
                                0x012a2c9f
                                0x012a2c9f
                                0x012a2ca3
                                0x012a2ca9
                                0x012a2caf
                                0x012a2cdb
                                0x012a2cf3
                                0x012a2cfe
                                0x012a2d11
                                0x012a2d17
                                0x012a2d1e
                                0x012a2d20
                                0x012a2d37
                                0x012a2d48
                                0x012a2d65
                                0x012a2d6b
                                0x012a2d76
                                0x012a2d83
                                0x012a2d89
                                0x012a2d89
                                0x012a2d8c
                                0x012a2d8d
                                0x012a2d93
                                0x012a2d94
                                0x012a2da4
                                0x012a2da4
                                0x00000000
                                0x012a2caf
                                0x012a2bec
                                0x012a2bee
                                0x012a2bee
                                0x012a2bf1
                                0x012a2bf7
                                0x012a2c2c
                                0x012a2c42
                                0x012a2c47
                                0x012a2c4e
                                0x012a2c55
                                0x012a2c5b
                                0x012a2c5e
                                0x012a2c62
                                0x012a2c63
                                0x012a2c63
                                0x00000000
                                0x012a2bf7
                                0x012a2a6f
                                0x012a2a6f
                                0x012a2a75
                                0x012a2a78
                                0x012a2a7a
                                0x012a2a80
                                0x012a2ab3
                                0x012a2abc
                                0x012a2abf
                                0x012a2ac2
                                0x012a2ac3
                                0x012a2ac6
                                0x012a2ac9
                                0x012a2ace
                                0x012a2ace
                                0x012a2ace
                                0x012a2ad2
                                0x012a2ad5
                                0x012a2ad8
                                0x012a2adb
                                0x012a2ade
                                0x012a2ae1
                                0x012a2a82
                                0x012a2a82
                                0x012a2a88
                                0x012a2a8b
                                0x012a2a90
                                0x012a2a91
                                0x012a2a97
                                0x012a2a9c
                                0x012a2a9f
                                0x012a2aa2
                                0x012a2aa5
                                0x012a2aa8
                                0x012a2aab
                                0x012a2aae
                                0x012a2aae
                                0x012a2ae4
                                0x012a2af0
                                0x012a2af2
                                0x012a2af7
                                0x012a2afd
                                0x012a2b16
                                0x012a2b16
                                0x012a2b21
                                0x012a2b29
                                0x012a2b2e
                                0x012a2b2e
                                0x012a2b33
                                0x012a2b3d
                                0x012a3ab0
                                0x012a3ab0
                                0x012a3ab4
                                0x012a3ab9
                                0x012a3ab9
                                0x012a3ac6
                                0x012a3acc
                                0x012a3ad8
                                0x012a3adf
                                0x012a3ae7
                                0x012a3ae7
                                0x012a3af9
                                0x012a3b14
                                0x012a3b1a
                                0x012a3b20
                                0x012a3b26
                                0x012a3b2c
                                0x012a3b38
                                0x012a3b3e
                                0x012a3b40
                                0x012a3b40
                                0x012a3b3e
                                0x012a3b43
                                0x012a3b49
                                0x012a3b5a
                                0x012a3b6e
                                0x012a3b7c
                                0x012a3b9d
                                0x012a3ba3
                                0x012a3ba5
                                0x012a3ba6
                                0x012a3ba7
                                0x012a3ba9
                                0x012a3baa
                                0x012a3bb7
                                0x012a3bc3
                                0x012a3bc3
                                0x012a3bca
                                0x012a3bcf
                                0x012a3bd9
                                0x012a3bf1
                                0x012a3bf1
                                0x012a3bf5
                                0x012a3bff
                                0x012a3bff

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012A2A07
                                • Polygon.GDI32(?,?,00000004), ref: 012A2B21
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                • CreatePolygonRgn.GDI32(?,?,00000002), ref: 012A2E51
                                  • Part of subcall function 0127A3A8: __EH_prolog3.LIBCMT ref: 0127A3AF
                                  • Part of subcall function 0127A3A8: CreateSolidBrush.GDI32(?), ref: 0127A3CA
                                • CreatePolygonRgn.GDI32(?,00000008,00000002), ref: 012A3248
                                • InflateRect.USER32(?,000000FF,00000000), ref: 012A32AB
                                  • Part of subcall function 01279B4B: SelectClipRgn.GDI32(?,00000000), ref: 01279B71
                                  • Part of subcall function 01279B4B: SelectClipRgn.GDI32(?,?), ref: 01279B87
                                • GetClientRect.USER32 ref: 012A3344
                                  • Part of subcall function 01279552: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0127957B
                                  • Part of subcall function 01279552: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 01279590
                                • Polyline.GDI32(00000007,?,00000008), ref: 012A33E3
                                  • Part of subcall function 0127A354: __EH_prolog3.LIBCMT ref: 0127A35B
                                  • Part of subcall function 0127A354: CreatePen.GDI32(?,?,?), ref: 0127A37C
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 01279B90: MoveToEx.GDI32(?,?,?,?), ref: 01279BBA
                                  • Part of subcall function 01279B90: MoveToEx.GDI32(?,?,?,?), ref: 01279BCB
                                  • Part of subcall function 012795E0: MoveToEx.GDI32(?,?,?,00000000), ref: 012795FD
                                  • Part of subcall function 012795E0: LineTo.GDI32(?,?,?), ref: 0127960C
                                • CreateRectRgnIndirect.GDI32(?), ref: 012A365B
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,00000000), ref: 0127A1D0
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,?), ref: 0127A1E6
                                • OffsetRect.USER32 ref: 012A3928
                                • FillRect.USER32(0000000A,?,?), ref: 012A396C
                                • FillRect.USER32(0000000A,?), ref: 012A3996
                                • OffsetRect.USER32 ref: 012A3A4E
                                • CreateRectRgnIndirect.GDI32(?), ref: 012A3B61
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Create$ClipSelect$MovePolygon$ExcludeFillH_prolog3IndirectObjectOffset$BrushClientException@8H_prolog3_H_prolog3_catch_InflateLinePolylineSolidThrow_malloc
                                • String ID:
                                • API String ID: 2716901141-0
                                • Opcode ID: d5c108936dbea6671c93ecd821a494424912a442d8cf58d54cbe7e19d7414852
                                • Instruction ID: a97e47fecb55fd0d3eb7bcb104d444c0d29a8a5b18b0e1c3f933237212508704
                                • Opcode Fuzzy Hash: d5c108936dbea6671c93ecd821a494424912a442d8cf58d54cbe7e19d7414852
                                • Instruction Fuzzy Hash: 70C2167091022ADFDF25DF68CC84BEEBBB5BF58314F5481A9E50AA7250DB319A84CF50
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 66%
                                			E012D4B8A(intOrPtr* __ecx) {
                                				struct tagRECT _v20;
                                				char _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				long _v60;
                                				struct tagRECT _v76;
                                				intOrPtr _v80;
                                				signed int _v84;
                                				int _v88;
                                				char _v92;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t209;
                                				void* _t217;
                                				void* _t221;
                                				signed int _t224;
                                				signed int _t225;
                                				struct tagRECT _t227;
                                				struct tagRECT _t234;
                                				RECT* _t237;
                                				struct tagRECT _t246;
                                				intOrPtr _t255;
                                				void* _t267;
                                				struct tagRECT _t282;
                                				int _t284;
                                				signed int _t286;
                                				signed int _t287;
                                				long _t288;
                                				intOrPtr* _t292;
                                				intOrPtr* _t293;
                                				intOrPtr* _t295;
                                				int _t300;
                                				intOrPtr* _t306;
                                				struct tagRECT _t315;
                                				int _t317;
                                				void* _t325;
                                				int _t330;
                                				signed int _t341;
                                				void* _t348;
                                				long _t359;
                                				struct tagRECT _t363;
                                				signed int _t366;
                                				struct tagRECT _t369;
                                				struct tagRECT _t370;
                                				signed int _t375;
                                
                                				_t209 =  *0x13d3570; // 0x99b5b578
                                				_t210 = _t209 ^ _t375;
                                				_v20.bottom = _t209 ^ _t375;
                                				_t306 = __ecx;
                                				_t359 = 0;
                                				if(__ecx == 0 ||  *((intOrPtr*)(__ecx + 0x20)) == 0) {
                                					L101:
                                					return L01367D3E(_t210, _t306, _v20.bottom ^ _t375, _t342, _t348, _t359);
                                				} else {
                                					_v80 =  *((intOrPtr*)( *__ecx + 0x178))();
                                					_v76.left =  *((intOrPtr*)( *__ecx + 0x244))();
                                					_t217 =  *((intOrPtr*)( *__ecx + 0x1a0))();
                                					if( *((intOrPtr*)(__ecx + 0x10c)) == 0 || _t217 > 1) {
                                						if( *((intOrPtr*)(_t306 + 0x238)) == _t359 || _t217 != _t359) {
                                							_v84 = _t359;
                                							goto L8;
                                						} else {
                                							goto L6;
                                						}
                                					} else {
                                						L6:
                                						_v84 = 1;
                                						L8:
                                						_push(_t348);
                                						_v76.top.left = _t359;
                                						_v76.right = _t359;
                                						_v76.bottom = _t359;
                                						_v60 = _t359;
                                						GetClientRect( *(_t306 + 0x20),  &(_v76.top));
                                						_t221 =  *((intOrPtr*)(_t306 + 0x27e4)) - 1;
                                						if(_t221 == 0) {
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							_v76.bottom = _v76.bottom - 6;
                                							_t315 = _v76.bottom + 1;
                                							__eflags = _t315;
                                							 *(_t306 + 0x2b0) = _t315;
                                						} else {
                                							if(_t221 == 1) {
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								_v60 = _v60 - 6;
                                								 *((intOrPtr*)(_t306 + 0x2b4)) = _v60 + 1;
                                							} else {
                                								SetRectEmpty(_t306 + 0x2b0);
                                							}
                                						}
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						InflateRect(_t306 + 0x290, 0xfffffffe, 0);
                                						_t351 = 0;
                                						_t224 = 0;
                                						_v88 = 0;
                                						_v20.right = 0;
                                						_t384 =  *((intOrPtr*)(_t306 + 0x218));
                                						if( *((intOrPtr*)(_t306 + 0x218)) == 0) {
                                							_t342 = 0;
                                							__eflags = 0;
                                							L25:
                                							if( *(_t306 + 0x204) == _t342) {
                                								__eflags =  *(_t306 + 0x84) - _t342;
                                								if( *(_t306 + 0x84) != _t342) {
                                									_t317 =  *(_t306 + 0x294) + _v80;
                                									__eflags = _t317;
                                									 *(_t306 + 0x29c) = _t317;
                                								} else {
                                									 *(_t306 + 0x294) =  *(_t306 + 0x29c) - _v80;
                                								}
                                								__eflags =  *((intOrPtr*)(_t306 + 0x218)) - _t342;
                                								if( *((intOrPtr*)(_t306 + 0x218)) == _t342) {
                                									L56:
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									_t225 = GetSystemMetrics(2);
                                									_t363 = _v76.left;
                                									_t319 =  *((intOrPtr*)(_t306 + 0x298)) - _t225;
                                									 *((intOrPtr*)(_t306 + 0x254)) =  *((intOrPtr*)(_t306 + 0x298)) - _t225;
                                									if(_t363 > 0) {
                                										InflateRect(_t306 + 0x2a0, (_t225 | 0xffffffff) - _t363, (_t225 | 0xffffffff) - _t363);
                                										_t267 =  *((intOrPtr*)(_t306 + 0x27e4)) - 1;
                                										if(_t267 == 0) {
                                											_t130 = _t306 + 0x2a8;
                                											_t130->left =  *(_t306 + 0x2a8) + _t363 + 2;
                                											__eflags =  *_t130;
                                										} else {
                                											if(_t267 == 1) {
                                												 *(_t306 + 0x2ac) =  *(_t306 + 0x2ac) + _t363 + 2;
                                											}
                                										}
                                									}
                                									if( *(_t306 + 0x204) == 0) {
                                										__eflags =  *(_t306 + 0x84);
                                										if( *(_t306 + 0x84) != 0) {
                                											_t227 =  *(_t306 + 0x29c) + _t363;
                                											__eflags = _t227;
                                											 *(_t306 + 0x2a4) = _t227;
                                										} else {
                                											 *(_t306 + 0x2ac) =  *(_t306 + 0x294) - _t363;
                                										}
                                										goto L71;
                                									} else {
                                										if( *(_t306 + 0x84) != 0) {
                                											 *(_t306 + 0x2a4) =  *(_t306 + 0x29c) + _t363;
                                											__eflags = _t363;
                                											if(_t363 != 0) {
                                												L71:
                                												if( *((intOrPtr*)(_t306 + 0x228)) == 0) {
                                													L80:
                                													 *((intOrPtr*)( *_t306 + 0x2d4))();
                                													 *((intOrPtr*)( *_t306 + 0x2cc))();
                                													 *((intOrPtr*)( *_t306 + 0x2d0))();
                                													asm("movsd");
                                													asm("movsd");
                                													asm("movsd");
                                													asm("movsd");
                                													if(_v76.left != 0) {
                                														_t234 =  *(_t306 + 0x204);
                                														__eflags = _t234;
                                														if(_t234 == 0) {
                                															__eflags =  *(_t306 + 0x84);
                                															if( *(_t306 + 0x84) != 0) {
                                																_t342 =  *(_t306 + 0x29c);
                                																_v40.top =  *(_t306 + 0x29c);
                                															} else {
                                																_t342 =  *(_t306 + 0x294);
                                																_v40.bottom =  *(_t306 + 0x294);
                                															}
                                														}
                                														__eflags =  *(_t306 + 0x224);
                                														if( *(_t306 + 0x224) == 0) {
                                															InflateRect( &_v40, 0xffffffff, 0xffffffff);
                                															L96:
                                															_t237 =  &_v40;
                                															goto L97;
                                														} else {
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															__eflags = _t234;
                                															if(_t234 != 0) {
                                																__eflags =  *(_t306 + 0x84);
                                																if( *(_t306 + 0x84) != 0) {
                                																	_t246 =  *(_t306 + 0x29c) - 1;
                                																	__eflags = _t246;
                                																	_v20 = _t246;
                                																} else {
                                																	_v20.right =  *(_t306 + 0x294) + 1;
                                																}
                                															}
                                															_t237 =  &_v24;
                                															L97:
                                															InvalidateRect( *(_t306 + 0x20), _t237, 1);
                                															_t359 = 0;
                                															_v56.left = 0;
                                															_v56.top.left = 0;
                                															_v56.right = 0;
                                															_v56.bottom = 0;
                                															GetClientRect( *(_t306 + 0x20),  &_v56);
                                															_pop(_t348);
                                															if( *(_t306 + 0x84) == 0) {
                                																_v56.top =  *(_t306 + 0x2a4);
                                															} else {
                                																_v56.bottom =  *(_t306 + 0x2ac);
                                															}
                                															InvalidateRect( *(_t306 + 0x20),  &_v56, 1);
                                															_t210 = UpdateWindow( *(_t306 + 0x20));
                                															goto L101;
                                														}
                                													}
                                													if( *(_t306 + 0x84) != 0) {
                                														L84:
                                														_v40.top =  *(_t306 + 0x29c) - 1;
                                														goto L96;
                                													}
                                													_v40.bottom =  *(_t306 + 0x294) + 1;
                                													goto L96;
                                												}
                                												_t366 = 0;
                                												if( *((intOrPtr*)(_t306 + 0x9c)) <= 0) {
                                													goto L80;
                                												}
                                												while(_t366 >= 0 && _t366 <  *((intOrPtr*)(_t306 + 0x90))) {
                                													_t255 =  *((intOrPtr*)( *((intOrPtr*)(_t306 + 0x8c)) + _t366 * 4));
                                													if( *((intOrPtr*)(_t255 + 0x34)) != 0) {
                                														_t319 =  *((intOrPtr*)(_t255 + 0x20));
                                														if(_t319 != 0 &&  *((intOrPtr*)(_t319 + 0x20)) != 0) {
                                															_t342 =  *(_t306 + 0x2a8) -  *(_t306 + 0x2a0);
                                															E01286A31(_t319, 0,  *(_t306 + 0x2a0),  *(_t306 + 0x2a4),  *(_t306 + 0x2a8) -  *(_t306 + 0x2a0),  *(_t306 + 0x2ac) -  *(_t306 + 0x2a4), 0x14);
                                														}
                                													}
                                													_t366 = _t366 + 1;
                                													if(_t366 <  *((intOrPtr*)(_t306 + 0x9c))) {
                                														continue;
                                													} else {
                                														goto L80;
                                													}
                                												}
                                												L01277AC9(_t319);
                                												goto L84;
                                											}
                                											_t140 = _t306 + 0x2ac;
                                											_t140->left =  *(_t306 + 0x2ac) - 1;
                                											__eflags =  *_t140;
                                											L67:
                                											 *(_t306 + 0x2a0) =  *(_t306 + 0x2a0) + 1;
                                											goto L71;
                                										}
                                										 *(_t306 + 0x2ac) =  *(_t306 + 0x294);
                                										if(_t363 != 0) {
                                											goto L71;
                                										}
                                										 *(_t306 + 0x2a4) =  *(_t306 + 0x2a4) + 1;
                                										goto L67;
                                									}
                                								} else {
                                									 *((intOrPtr*)(_t306 + 0x298)) =  *((intOrPtr*)(_t306 + 0x298)) - _t224;
                                									__eflags =  *((intOrPtr*)(_t306 + 0x208)) - _t342;
                                									if( *((intOrPtr*)(_t306 + 0x208)) != _t342) {
                                										L52:
                                										__eflags =  *((intOrPtr*)(_t306 + 0x244)) - _t342;
                                										if( *((intOrPtr*)(_t306 + 0x244)) == _t342) {
                                											OffsetRect(_t306 + 0x290, _t351, _t342);
                                										}
                                										L54:
                                										_push(_v20.right);
                                										_push(_v84);
                                										asm("cdq");
                                										asm("cdq");
                                										_push(_t351);
                                										_t325 =  *((intOrPtr*)(_t306 + 0x298)) + 1;
                                										_t369 = ( *(_t306 + 0x29c) +  *(_t306 + 0x294) - _t342 >> 1) - (_t351 - _t342 >> 1);
                                										__eflags = _t369;
                                										_push(_t351);
                                										_push(_t369);
                                										L55:
                                										_push(_t325);
                                										E012D4272(_t306, _t306, _t351);
                                										goto L56;
                                									}
                                									__eflags =  *((intOrPtr*)(_t306 + 0x20c)) - _t342;
                                									if( *((intOrPtr*)(_t306 + 0x20c)) != _t342) {
                                										goto L52;
                                									}
                                									__eflags =  *((intOrPtr*)(_t306 + 0x210)) - _t342;
                                									if( *((intOrPtr*)(_t306 + 0x210)) == _t342) {
                                										goto L54;
                                									}
                                									goto L52;
                                								}
                                							}
                                							_t370 = _v76;
                                							if( *(_t306 + 0x84) != _t342) {
                                								__eflags = _t370 - 1;
                                								if(_t370 > 1) {
                                									_t64 = _t306 + 0x294;
                                									_t64->left =  *(_t306 + 0x294) + _t370 - 1;
                                									__eflags =  *_t64;
                                								}
                                								_t330 =  *(_t306 + 0x294) + _v80;
                                								__eflags = _t330;
                                								 *(_t306 + 0x29c) = _t330;
                                							} else {
                                								if(_t370 > 1) {
                                									 *(_t306 + 0x29c) =  *(_t306 + 0x29c) + 1 - _t370;
                                								}
                                								 *(_t306 + 0x294) =  *(_t306 + 0x29c) - _v80;
                                							}
                                							 *(_t306 + 0x290) =  *(_t306 + 0x290) + _t224 + 1;
                                							 *((intOrPtr*)(_t306 + 0x298)) =  *((intOrPtr*)(_t306 + 0x298)) - 1;
                                							_t282 = _v76.top.left;
                                							if( *((intOrPtr*)(_t306 + 0x298)) <  *(_t306 + 0x290)) {
                                								if(_t370 <= _t342) {
                                									 *(_t306 + 0x290) = _t282;
                                									_t288 = _v76.bottom;
                                								} else {
                                									 *(_t306 + 0x290) = _t282 + _t370 + 1;
                                									_t288 = _v76.bottom - _t370 - 1;
                                								}
                                								 *((intOrPtr*)(_t306 + 0x298)) = _t288;
                                							}
                                							_t284 =  *(_t306 + 0x29c) -  *(_t306 + 0x294);
                                							_t342 = _v60 - _v76.right;
                                							if(_t284 + _t370 > _t342) {
                                								_t284 = 0;
                                								 *(_t306 + 0x290) = 0;
                                								 *((intOrPtr*)(_t306 + 0x298)) = 0;
                                							}
                                							_t351 =  *(_t306 + 0x294);
                                							if(_t284 != 0) {
                                								asm("cdq");
                                								_t286 = _t284 - _v88 - _t342;
                                								_t287 = _t286 >> 1;
                                								if(_t286 < 0) {
                                									_t287 = 0;
                                								}
                                								_t351 = _t351 + _t287;
                                								_t284 = _v88;
                                							}
                                							_push(_v20.right);
                                							_push(_v84);
                                							_t325 = _v76.top.left + _t370 + 1;
                                							_push(_t284);
                                							_push(_v88);
                                							_push(_t351);
                                							goto L55;
                                						}
                                						_t292 = E0128C2A4(_t306, 0,  &(_v76.top), _t384);
                                						_t293 =  *((intOrPtr*)( *_t292 + 0x13c))( &(_v20.top));
                                						_t295 = L012A5655( &_v92, _t306,  &_v92);
                                						_t342 = 0;
                                						_t351 =  *_t293 +  *_t295 + 4;
                                						_v88 = _t351;
                                						if( *(_t306 + 0x204) == 0) {
                                							_t300 = _t351 + 2;
                                							_t351 = _v80 + 0xfffffffc;
                                							if(_t351 >= _t300) {
                                								_t351 = _t300;
                                								_v88 = _t300;
                                							} else {
                                								_v88 = _t351;
                                							}
                                						}
                                						_t341 =  *(_t306 + 0x27f4);
                                						if( *((intOrPtr*)(_t306 + 0x21c)) == _t342 ||  *((intOrPtr*)(_t306 + 0x240)) != _t342) {
                                							_t341 = _t341 - 1;
                                						}
                                						if( *((intOrPtr*)(_t306 + 0x244)) != _t342) {
                                							_t341 = _t341 - 1;
                                						}
                                						asm("sbb eax, eax");
                                						_v20.right = 3;
                                						_t224 =  !( ~_v84) & (_t351 + 0x00000003) * _t341;
                                						goto L25;
                                					}
                                				}
                                			}
                                0x012d4f0d
                                0x012d4f13
                                0x012d4f35
                                0x012d4f3b
                                0x012d4f3d
                                0x012d4f73
                                0x012d4f79
                                0x012d4fea
                                0x012d4fee
                                0x012d4ff8
                                0x012d5002
                                0x012d5012
                                0x012d5013
                                0x012d5014
                                0x012d5015
                                0x012d5016
                                0x012d5041
                                0x012d5049
                                0x012d504b
                                0x012d504d
                                0x012d5053
                                0x012d5060
                                0x012d5066
                                0x012d5055
                                0x012d5055
                                0x012d505b
                                0x012d505b
                                0x012d5053
                                0x012d5069
                                0x012d506f
                                0x012d50aa
                                0x012d50b0
                                0x012d50b0
                                0x00000000
                                0x012d5071
                                0x012d5077
                                0x012d5078
                                0x012d5079
                                0x012d507a
                                0x012d507b
                                0x012d507d
                                0x012d507f
                                0x012d5085
                                0x012d5099
                                0x012d5099
                                0x012d509a
                                0x012d5087
                                0x012d508e
                                0x012d508e
                                0x012d5085
                                0x012d509d
                                0x012d50b3
                                0x012d50b9
                                0x012d50c2
                                0x012d50c8
                                0x012d50cb
                                0x012d50ce
                                0x012d50d1
                                0x012d50d4
                                0x012d50da
                                0x012d50e1
                                0x012d50f4
                                0x012d50e3
                                0x012d50e9
                                0x012d50e9
                                0x012d5100
                                0x012d5109
                                0x00000000
                                0x012d5109
                                0x012d506f
                                0x012d501f
                                0x012d5035
                                0x012d503c
                                0x00000000
                                0x012d503c
                                0x012d5028
                                0x00000000
                                0x012d5028
                                0x012d4f7b
                                0x012d4f83
                                0x00000000
                                0x00000000
                                0x012d4f85
                                0x012d4f9f
                                0x012d4fa5
                                0x012d4fa7
                                0x012d4fac
                                0x012d4fc8
                                0x012d4fdc
                                0x012d4fdc
                                0x012d4fac
                                0x012d4fe1
                                0x012d4fe8
                                0x00000000
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012d4fe8
                                0x012d5030
                                0x00000000
                                0x012d5030
                                0x012d4f3f
                                0x012d4f3f
                                0x012d4f3f
                                0x012d4f45
                                0x012d4f45
                                0x00000000
                                0x012d4f45
                                0x012d4f1b
                                0x012d4f23
                                0x00000000
                                0x00000000
                                0x012d4f25
                                0x00000000
                                0x012d4f25
                                0x012d4e3c
                                0x012d4e3c
                                0x012d4e42
                                0x012d4e48
                                0x012d4e5a
                                0x012d4e5a
                                0x012d4e60
                                0x012d4e6b
                                0x012d4e6b
                                0x012d4e71
                                0x012d4e7d
                                0x012d4e86
                                0x012d4e89
                                0x012d4e90
                                0x012d4e93
                                0x012d4e98
                                0x012d4e99
                                0x012d4e99
                                0x012d4e9b
                                0x012d4e9c
                                0x012d4e9d
                                0x012d4e9d
                                0x012d4ea0
                                0x00000000
                                0x012d4ea0
                                0x012d4e4a
                                0x012d4e50
                                0x00000000
                                0x00000000
                                0x012d4e52
                                0x012d4e58
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012d4e58
                                0x012d4e3a
                                0x012d4d27
                                0x012d4d30
                                0x012d4d53
                                0x012d4d56
                                0x012d4d5b
                                0x012d4d5b
                                0x012d4d5b
                                0x012d4d5b
                                0x012d4d67
                                0x012d4d67
                                0x012d4d6a
                                0x012d4d32
                                0x012d4d35
                                0x012d4d3c
                                0x012d4d3c
                                0x012d4d4b
                                0x012d4d4b
                                0x012d4d71
                                0x012d4d7d
                                0x012d4d89
                                0x012d4d8c
                                0x012d4d90
                                0x012d4da4
                                0x012d4daa
                                0x012d4d92
                                0x012d4d96
                                0x012d4da1
                                0x012d4da1
                                0x012d4dad
                                0x012d4dad
                                0x012d4db9
                                0x012d4dc2
                                0x012d4dca
                                0x012d4dcc
                                0x012d4dce
                                0x012d4dd4
                                0x012d4dd4
                                0x012d4dda
                                0x012d4de2
                                0x012d4de7
                                0x012d4de8
                                0x012d4dea
                                0x012d4dec
                                0x012d4dee
                                0x012d4dee
                                0x012d4df0
                                0x012d4df2
                                0x012d4df2
                                0x012d4df5
                                0x012d4dfb
                                0x012d4dfe
                                0x012d4e02
                                0x012d4e03
                                0x012d4e06
                                0x00000000
                                0x012d4e06
                                0x012d4c95
                                0x012d4ca2
                                0x012d4cae
                                0x012d4cb7
                                0x012d4cb9
                                0x012d4cbd
                                0x012d4cc6
                                0x012d4cc8
                                0x012d4cce
                                0x012d4cd3
                                0x012d4cda
                                0x012d4cdc
                                0x012d4cd5
                                0x012d4cd5
                                0x012d4cd5
                                0x012d4cd3
                                0x012d4cdf
                                0x012d4ceb
                                0x012d4cf5
                                0x012d4cf5
                                0x012d4cfc
                                0x012d4cfe
                                0x012d4cfe
                                0x012d4d0a
                                0x012d4d0e
                                0x012d4d15
                                0x00000000
                                0x012d4d15
                                0x012d4bde

                                APIs
                                • GetClientRect.USER32 ref: 012D4C0C
                                • SetRectEmpty.USER32 ref: 012D4C25
                                • InflateRect.USER32(?,000000FE,00000000), ref: 012D4C79
                                • UpdateWindow.USER32 ref: 012D5109
                                  • Part of subcall function 0128C2A4: __EH_prolog3.LIBCMT ref: 0128C2AB
                                • OffsetRect.USER32 ref: 012D4E6B
                                  • Part of subcall function 012D4272: SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 012D4328
                                  • Part of subcall function 012D4272: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000014), ref: 012D435E
                                  • Part of subcall function 012D4272: InvalidateRect.USER32(?,00000000,00000001), ref: 012D4368
                                  • Part of subcall function 012D4272: UpdateWindow.USER32 ref: 012D436F
                                • GetSystemMetrics.USER32 ref: 012D4EB4
                                • InflateRect.USER32(?,00000000,00000000), ref: 012D4EDD
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • InflateRect.USER32(?,000000FF,000000FF), ref: 012D50AA
                                • InvalidateRect.USER32(?,?,00000001), ref: 012D50B9
                                • GetClientRect.USER32 ref: 012D50D4
                                • InvalidateRect.USER32(?,?,00000001), ref: 012D5100
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Window$InflateInvalidate$ClientExceptionFilterProcessUnhandledUpdate$CurrentDebuggerEmptyException@8H_prolog3MetricsOffsetPresentSystemTerminateThrow
                                • String ID:
                                • API String ID: 3952741097-0
                                • Opcode ID: 555214766f7df856394564ad354f8e4f8c103b65f957533bb76559e4bb63941d
                                • Instruction ID: 81227ce5144d885ac2e1404fdef9da0b83f7425ccd5a1e7a6f8911b5cbca925d
                                • Opcode Fuzzy Hash: 555214766f7df856394564ad354f8e4f8c103b65f957533bb76559e4bb63941d
                                • Instruction Fuzzy Hash: 94020571920256DFCF15DF68C5C8AA97BB5FF48301F2841BAED09AF64ADB709841CB60
                                Uniqueness

                                Uniqueness Score: 7.75%

                                C-Code - Quality: 76%
                                			E012AE06E(RECT* __ecx, int _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				void* _v60;
                                				struct HDWP__* _v64;
                                				signed int _v68;
                                				RECT* _v72;
                                				RECT* _v76;
                                				RECT* _v80;
                                				intOrPtr _v84;
                                				intOrPtr _v88;
                                				intOrPtr _v92;
                                				char _v96;
                                				intOrPtr _v100;
                                				char _v104;
                                				intOrPtr _v108;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t167;
                                				long _t172;
                                				intOrPtr* _t180;
                                				RECT* _t181;
                                				RECT* _t183;
                                				intOrPtr _t193;
                                				void* _t247;
                                				intOrPtr _t248;
                                				intOrPtr* _t251;
                                				long _t255;
                                				RECT* _t256;
                                				RECT* _t260;
                                				RECT* _t262;
                                				RECT* _t292;
                                				void* _t294;
                                				RECT* _t299;
                                				void* _t300;
                                				void* _t308;
                                				RECT* _t312;
                                				RECT* _t315;
                                				signed int _t316;
                                
                                				_t167 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t167 ^ _t316;
                                				_t169 = _a4;
                                				_t256 = __ecx;
                                				_v72 = __ecx;
                                				_v64 = _a4;
                                				if( *0x13d9670 != 0 ||  *((intOrPtr*)(__ecx + 0x154)) != 0) {
                                					L85:
                                					return L01367D3E(_t169, _t256, _v8 ^ _t316, _t293, _t294, _t308);
                                				} else {
                                					_t169 =  *(__ecx + 0xe4);
                                					if(_t169 == 0) {
                                						goto L85;
                                					} else {
                                						_push(_t308);
                                						_push(_t294);
                                						GetClientRect( *(_t169 + 0x20), __ecx + 0xf8);
                                						if(IsRectEmpty(_t256 + 0x10) == 0) {
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                						}
                                						if(_t256->top == 0 ||  *(_t256 + 0x2c) == 0) {
                                							L84:
                                							_pop(_t294);
                                							_pop(_t308);
                                							goto L85;
                                						} else {
                                							_t293 =  *0x13d98fc; // 0x0
                                							_t260 =  *(_t256 + 0xe4);
                                							if(_t293 != 0) {
                                								_t172 = _t293;
                                							} else {
                                								_t172 = L01283CE7(_t260);
                                								_t293 =  *0x13d98fc; // 0x0
                                							}
                                							if(_t172 == 0) {
                                								L15:
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								 *(_t256 + 0x154) = 1;
                                								asm("movsd");
                                								_v80 = 0;
                                								if(_v64 == 0 &&  *((intOrPtr*)(_t256 + 0x130)) == 0) {
                                									_v64 = BeginDeferWindowPos( *(_t256 + 0x2c));
                                									_v80 = 1;
                                								}
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								GetClientRect( *( *(_t256 + 0xe4) + 0x20),  &_v24);
                                								_t312 = _t256 + 0x10;
                                								if(IsRectEmpty(_t312) == 0) {
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                								}
                                								_t261 =  *(_t256 + 0xe4);
                                								L01279C17( *(_t256 + 0xe4),  &_v24);
                                								_t180 =  *((intOrPtr*)(_t256 + 0x28));
                                								_v56.left = 0;
                                								_v56.top = 0;
                                								_v56.right = 0;
                                								_v56.bottom = 0;
                                								_v60 = _t180;
                                								if(_t180 == 0) {
                                									L28:
                                									_t181 =  *(_t256 + 0x24);
                                									if(_t181 != 0) {
                                										while(_t181 != 0) {
                                											_t256 = _t181->right;
                                											_v76 = _t181->left;
                                											if((E01286848(_t256) & 0x10000000) != 0) {
                                												L44:
                                												GetWindowRect( *(_t256 + 0x20),  &_v56);
                                												_v68 =  *((intOrPtr*)(_t256->left + 0x190))();
                                												_t300 =  *((intOrPtr*)(_t256->left + 0x160))();
                                												_t193 =  *((intOrPtr*)(_t256->left + 0x174))();
                                												_t312 = 0x13d0f0c;
                                												_v108 = _t193;
                                												if(E012789AE(_t256, 0x13d0f0c) == 0) {
                                													L46:
                                													 *((intOrPtr*)(_t256->left + 0x25c))( &_v104, 0, _t300);
                                													if(_t300 == 0) {
                                														if((_v68 & 0x00001000) == 0) {
                                															_v56.left = _v56.right - _v104;
                                														} else {
                                															_v56.right = _v104 + _v56.left;
                                														}
                                													} else {
                                														if((_v68 & 0x00002000) == 0) {
                                															_v56.top = _v56.bottom - _v100;
                                														} else {
                                															_v56.bottom = _v100 + _v56.top;
                                														}
                                													}
                                													L012AB938( &_v24,  &_v56, _v68, _t300, _v108);
                                													_t312 =  &_v56;
                                													asm("movsd");
                                													asm("movsd");
                                													asm("movsd");
                                													asm("movsd");
                                													if(E012789AE(_t256, 0x139bed8) == 0) {
                                														L60:
                                														_t273 = _t256;
                                														if(E012789AE(_t256, 0x1398be0) == 0) {
                                															L01279BD6(E01282D05(_t256, _t273, _t293, GetParent( *(_t256 + 0x20))),  &_v56);
                                															_t293 = _t256->left;
                                															_t261 = _t256;
                                															_v64 =  *((intOrPtr*)(_t256->left + 0x234))(0, _v56.left, _v56.top, _v56.right - _v56.left, _v56.bottom - _v56.top, 0x14, _v64);
                                														} else {
                                															_t261 = _t256;
                                															 *((intOrPtr*)(_t256->left + 0x280))( &_v56,  &_v64);
                                														}
                                														if((_v68 & 0x00002000) == 0) {
                                															if((_v68 & 0x00008000) == 0) {
                                																if((_v68 & 0x00001000) == 0) {
                                																	_v24.right = _v24.right + _v96 - _v88;
                                																} else {
                                																	_v24.left = _v24.left + _v88 - _v96;
                                																}
                                															} else {
                                																_v24.bottom = _v24.bottom + _v92 - _v84;
                                															}
                                														} else {
                                															_v24.top = _v24.top + _v84 - _v92;
                                														}
                                														if(_v60 == _v76) {
                                															_t312 =  &_v24;
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                														}
                                														L72:
                                														if(_v76 != 0) {
                                															_t181 = _v76;
                                															continue;
                                														}
                                														_t256 = _v72;
                                														goto L29;
                                													} else {
                                														L01279BD6(_t256,  &_v56);
                                														if( *((intOrPtr*)(_t256->left + 0x160))() == 0 || _v56.right - _v56.left <= 0) {
                                															if( *((intOrPtr*)(_t256->left + 0x160))() != 0 || _v56.bottom - _v56.top <= 0) {
                                																goto L59;
                                															} else {
                                																goto L58;
                                															}
                                														} else {
                                															L58:
                                															 *((intOrPtr*)(_t256->left + 0x294))( &_v56);
                                															L59:
                                															_t312 =  &_v96;
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															goto L60;
                                														}
                                													}
                                												}
                                												_t261 = E012789CC(0x13d0f0c, _t256);
                                												if(E012D83B6(_t256, _t242, _t293, _t300, 0x13d0f0c) != 0) {
                                													goto L72;
                                												}
                                												goto L46;
                                											}
                                											_t261 = _t256;
                                											if(E012789AE(_t256, 0x139ada0) != 0) {
                                												goto L72;
                                											}
                                											_t261 = _t256;
                                											if(E012789AE(_t256, 0x1398be0) != 0) {
                                												goto L72;
                                											}
                                											_t261 = _t256;
                                											if(E012789AE(_t256, 0x139bed8) == 0) {
                                												goto L44;
                                											}
                                											_t312 = _v72;
                                											if( *((intOrPtr*)(_t312 + 0x130)) != 0) {
                                												goto L72;
                                											}
                                											_t261 = _t312;
                                											_t247 = E0128C825(_t312);
                                											if(_t247 != 0 ||  *((intOrPtr*)(_t312 + 0x1e4)) != _t247) {
                                												goto L72;
                                											} else {
                                												goto L44;
                                											}
                                										}
                                										L74:
                                										L01277AC9(_t261);
                                										L75:
                                										_t183 = _t312;
                                										if(_t312 == 0) {
                                											goto L74;
                                										}
                                										_t299 = _t183->right;
                                										_t312 = _t312->left;
                                										_t261 = _t299;
                                										if(E012789AE(_t299, 0x13a3fc4) != 0) {
                                											 *(_t299 + 0x13c) =  *(_t299 + 0x13c) & 0x00000000;
                                											 *(_t299 + 0x140) =  *(_t299 + 0x140) & 0x00000000;
                                											_t261 = _t256;
                                											_t169 = E012ACD03(_t256, _t256, _t293, _t299);
                                										}
                                										L78:
                                										if(_t312 != 0) {
                                											goto L75;
                                										}
                                										if(_v80 != _t312) {
                                											_t169 = EndDeferWindowPos(_v64);
                                										}
                                										_t262 =  *(_t256 + 0xe4);
                                										if( *((intOrPtr*)(_t262 + 0xa0)) != _t312) {
                                											_t169 =  *((intOrPtr*)(_t262->left + 0x174))(1);
                                										}
                                										 *(_t256 + 0x154) = _t312;
                                										goto L84;
                                									}
                                									L29:
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									if(IsRectEmpty(_t256 + 0x108) != 0 || E0128C825(_t256) != 0) {
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                									}
                                									L01279BD6( *(_t256 + 0xe4), _t256 + 0xf8);
                                									_t261 =  *(_t256 + 0xe4);
                                									_t315 = _t256 + 0x108;
                                									L01279BD6( *(_t256 + 0xe4), _t315);
                                									if(EqualRect(_t315,  &_v40) == 0) {
                                										_t261 = _t256;
                                										_t169 = L012AB799(_t256, _t169, 1);
                                									}
                                									_t312 =  *(_t256 + 0x24);
                                									goto L78;
                                								} else {
                                									while(1) {
                                										_t312 =  *(_t180 + 8);
                                										_t248 =  *((intOrPtr*)(_t180 + 4));
                                										_v60 = _t248;
                                										if(_t248 == 0) {
                                											goto L28;
                                										}
                                										_t261 = _t312;
                                										if(E012789AE(_t312, 0x139bed8) != 0) {
                                											L26:
                                											_t251 =  *_v60;
                                											_v60 = _t251;
                                											if(_t251 != 0) {
                                												_v60 =  *_t251;
                                											}
                                											goto L28;
                                										}
                                										_t261 = _t312;
                                										if(E012789AE(_t312, 0x13a3fc4) == 0) {
                                											_t180 = _v60;
                                											continue;
                                										}
                                										goto L26;
                                									}
                                									goto L28;
                                								}
                                							}
                                							_t292 =  *(_t256 + 0xe4);
                                							if(_t293 != 0) {
                                								_t255 = _t293;
                                							} else {
                                								_t255 = L01283CE7(_t292);
                                							}
                                							if(IsIconic( *(_t255 + 0x20)) != 0) {
                                								goto L84;
                                							} else {
                                								goto L15;
                                							}
                                						}
                                					}
                                				}
                                			}


                                APIs
                                • GetClientRect.USER32 ref: 012AE0C0
                                • IsRectEmpty.USER32 ref: 012AE0CA
                                • IsIconic.USER32(?), ref: 012AE125
                                • BeginDeferWindowPos.USER32 ref: 012AE15F
                                • GetClientRect.USER32 ref: 012AE189
                                • IsRectEmpty.USER32 ref: 012AE193
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                • IsRectEmpty.USER32 ref: 012AE229
                                • EqualRect.USER32 ref: 012AE26E
                                • EndDeferWindowPos.USER32(?), ref: 012AE556
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                • GetWindowRect.USER32 ref: 012AE315
                                • GetParent.USER32(?), ref: 012AE46A
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 012ACD03: GetWindowRect.USER32 ref: 012ACD3F
                                  • Part of subcall function 012ACD03: GetWindowRect.USER32 ref: 012ACDDC
                                  • Part of subcall function 012ACD03: IsRectEmpty.USER32 ref: 012ACDE6
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$ClientWindow$EmptyScreen$DeferExceptionFilterProcessUnhandled$BeginCurrentDebuggerEqualException@8IconicLongParentPresentTerminateThrow
                                • String ID:
                                • API String ID: 1687834107-0
                                • Opcode ID: 101d17eb28c2f38b14840beb025c538dd3ed8d8bb00f35fcc1605c09e35d0018
                                • Instruction ID: 739df7eccdb51bfca7523ba8652966b71bc47e911841e93756e7ba57d5e4bca4
                                • Opcode Fuzzy Hash: 101d17eb28c2f38b14840beb025c538dd3ed8d8bb00f35fcc1605c09e35d0018
                                • Instruction Fuzzy Hash: 96F18431A1060ADFDF15DFA8D984BEE77B6FF48304F450468EA06AB255EB70AD06CB50
                                Uniqueness

                                Uniqueness Score: 6.84%

                                C-Code - Quality: 100%
                                			E012C04F4(intOrPtr* __ecx, intOrPtr __edx, int _a4, int* _a8) {
                                				signed int _v5;
                                				signed int _v12;
                                				intOrPtr* _v16;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				intOrPtr* _t52;
                                				intOrPtr _t53;
                                				signed int _t55;
                                				signed short _t59;
                                				signed short _t60;
                                				signed short _t61;
                                				signed int _t62;
                                				signed int _t63;
                                				int* _t64;
                                				signed int _t65;
                                				int _t67;
                                				signed int _t69;
                                				signed int _t72;
                                				signed int _t74;
                                				intOrPtr* _t76;
                                				signed int _t77;
                                				void* _t81;
                                				void* _t85;
                                				intOrPtr _t86;
                                				void* _t88;
                                				signed int _t89;
                                				intOrPtr _t90;
                                				int _t91;
                                				intOrPtr _t92;
                                				struct HWND__* _t94;
                                				intOrPtr _t95;
                                				int _t97;
                                				signed int _t102;
                                				intOrPtr* _t105;
                                				intOrPtr* _t106;
                                				struct HWND__* _t110;
                                				intOrPtr* _t113;
                                				int _t115;
                                				intOrPtr* _t117;
                                				intOrPtr* _t119;
                                				intOrPtr _t120;
                                				void* _t121;
                                				struct HWND__* _t123;
                                				struct HWND__* _t124;
                                
                                				_t111 = __edx;
                                				_t100 = __ecx;
                                				_t52 = _a8;
                                				_t97 = 0;
                                				_t117 = __ecx;
                                				_v16 = __ecx;
                                				if(_t52 != 0) {
                                					 *_t52 = 1;
                                				}
                                				_t53 =  *0x13d97c0; // 0x0
                                				if(_t53 == _t97 || IsWindow( *(_t53 + 0x20)) == 0) {
                                					_t55 = IsIconic( *( *((intOrPtr*)(_t117 + 0xb0)) + 0x20));
                                					__eflags = _t55;
                                					if(_t55 != 0) {
                                						goto L19;
                                					}
                                					__eflags =  *0x13d83d4 - _t97; // 0x0
                                					if(__eflags != 0) {
                                						goto L12;
                                					}
                                					_t113 =  *0x13d8440; // 0x0
                                					_v12 = _t97;
                                					while(1) {
                                						__eflags = _t113 - _t97;
                                						if(_t113 == _t97) {
                                							break;
                                						}
                                						_t119 =  *((intOrPtr*)(_t113 + 8));
                                						_t115 =  *_t113;
                                						__eflags = _t119 - _t97;
                                						if(__eflags == 0) {
                                							L01277AC9(_t100);
                                							L51:
                                							__eflags = _v5 - 0x10;
                                							if(_v5 != 0x10) {
                                								L54:
                                								__eflags = _v12 - _t97;
                                								if(_v12 != _t97) {
                                									_t64 = _a8;
                                									__eflags = _t64 - _t97;
                                									if(_t64 != _t97) {
                                										 *_t64 = _t97;
                                									}
                                								}
                                								L57:
                                								_t63 = 0;
                                								__eflags = 0;
                                								L58:
                                								return _t63;
                                							}
                                							_t65 = L012BFE12(_t97, _t119, _t111, _t115);
                                							__eflags = _t65;
                                							if(_t65 == 0) {
                                								goto L54;
                                							}
                                							L53:
                                							_t63 = 1;
                                							goto L58;
                                						}
                                						_t74 = E01282D31(_t97, _t100, _t111, _t115, _t119, __eflags,  *((intOrPtr*)(_t119 + 0x20)));
                                						__eflags = _t74;
                                						if(_t74 == 0) {
                                							L34:
                                							_t97 = 0;
                                							__eflags = _v12;
                                							if(_v12 == 0) {
                                								continue;
                                							}
                                							break;
                                						}
                                						_t100 = _t119;
                                						__eflags = E01294430(_t119);
                                						if(__eflags <= 0) {
                                							goto L34;
                                						} else {
                                							goto L30;
                                						}
                                						while(1) {
                                							L30:
                                							_t76 = L01293D66(_t119, __eflags, _t97);
                                							_t111 =  *_t76;
                                							_t100 = _t76;
                                							_t77 =  *((intOrPtr*)( *_t76 + 0xa4))();
                                							__eflags = _t77;
                                							if(_t77 != 0) {
                                								break;
                                							}
                                							_t100 = _t119;
                                							_t97 = _t97 + 1;
                                							__eflags = _t97 - E01294430(_t119);
                                							if(__eflags < 0) {
                                								continue;
                                							}
                                							goto L34;
                                						}
                                						_v12 = 1;
                                						goto L34;
                                					}
                                					_v5 = 0;
                                					_t59 = GetAsyncKeyState(0x11);
                                					__eflags = 0x00008000 & _t59;
                                					if((0x00008000 & _t59) != 0) {
                                						_v5 = 8;
                                					}
                                					_t60 = GetAsyncKeyState(0x12);
                                					__eflags = 0x00008000 & _t60;
                                					if((0x00008000 & _t60) != 0) {
                                						_t30 =  &_v5;
                                						 *_t30 = _v5 | 0x00000010;
                                						__eflags =  *_t30;
                                					}
                                					_t61 = GetAsyncKeyState(0x10);
                                					__eflags = 0x00008000 & _t61;
                                					if((0x00008000 & _t61) != 0) {
                                						_t34 =  &_v5;
                                						 *_t34 = _v5 | 0x00000004;
                                						__eflags =  *_t34;
                                					}
                                					_t115 = _a4;
                                					__eflags = _v12 - _t97;
                                					if(_v12 != _t97) {
                                						L44:
                                						_t119 = _v16;
                                						_t62 =  *(_t119 + 0xfc);
                                						_t97 = 0;
                                						__eflags = _t62;
                                						if(_t62 == 0) {
                                							goto L51;
                                						}
                                						_t67 = IsWindowVisible( *(_t62 + 0x20));
                                						__eflags = _t67;
                                						if(_t67 == 0) {
                                							goto L51;
                                						}
                                						__eflags = _v5 - 8;
                                						if(_v5 != 8) {
                                							goto L51;
                                						}
                                						__eflags = _t115 - 0x70;
                                						if(_t115 != 0x70) {
                                							goto L54;
                                						}
                                						_t102 =  *(_t119 + 0xfc);
                                						__eflags =  *(_t102 + 0x710);
                                						if( *(_t102 + 0x710) == 0) {
                                							goto L54;
                                						}
                                						E012CCF30(_t102);
                                						goto L53;
                                					} else {
                                						_t120 = _v16;
                                						_t99 = _v5 & 0x000000ff | 0x00000001;
                                						_t69 = E012A4E38(_t115, _v5 & 0x000000ff | 0x00000001,  *((intOrPtr*)(_t120 + 0xb0)), 1);
                                						__eflags = _t69;
                                						if(_t69 != 0) {
                                							goto L57;
                                						}
                                						_t72 = E012A4E38(_t115, _t99,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t120 + 0xb0)))) + 0x16c))(), _t69);
                                						__eflags = _t72;
                                						if(_t72 != 0) {
                                							goto L57;
                                						}
                                						goto L44;
                                					}
                                				} else {
                                					_t81 = E01282D05(_t97, _t100, _t111, GetFocus());
                                					_t105 =  *0x13d97c0; // 0x0
                                					_t121 = _t81;
                                					if( *((intOrPtr*)( *_t105 + 0x200))() == 0) {
                                						__eflags = _t121 - _t97;
                                						if(_t121 == _t97) {
                                							L18:
                                							_t106 =  *0x13d97c0; // 0x0
                                							_t85 =  *((intOrPtr*)( *_t106 + 0x1c0))();
                                							_t86 =  *0x13d97c0; // 0x0
                                							SendMessageW( *(_t86 + 0x20), 0x100, _a4, _t97);
                                							__eflags =  *((intOrPtr*)(_t85 + 0xd08)) - _t97;
                                							if( *((intOrPtr*)(_t85 + 0xd08)) != _t97) {
                                								_t88 = E012789CC(0x13a9580,  *0x13d97c0);
                                								__eflags = _t88 - _t97;
                                								if(_t88 == _t97) {
                                									goto L19;
                                								}
                                								_t89 = E012C00FC(_t88);
                                								__eflags = _t89;
                                								if(_t89 == 0) {
                                									goto L19;
                                								}
                                								L12:
                                								return 0;
                                							}
                                							L19:
                                							return 1;
                                						}
                                						_t123 =  *(_t121 + 0x20);
                                						__eflags = _t123 - _t97;
                                						if(_t123 == _t97) {
                                							goto L18;
                                						}
                                						_t90 =  *0x13d97c0; // 0x0
                                						_t91 = IsChild( *(_t90 + 0x20), _t123);
                                						__eflags = _t91;
                                						if(_t91 != 0) {
                                							goto L12;
                                						}
                                						goto L18;
                                					}
                                					if(_t121 == _t97) {
                                						L13:
                                						_t92 =  *0x13d97c0; // 0x0
                                						L14:
                                						SendMessageW( *(_t92 + 0x20), 0x10, _t97, _t97);
                                						goto L12;
                                					}
                                					_t94 =  *(_t121 + 0x20);
                                					if(_t94 == _t97) {
                                						goto L13;
                                					}
                                					_t95 =  *0x13d97c0; // 0x0
                                					if(IsChild( *(_t95 + 0x20), _t94) != 0) {
                                						goto L12;
                                					}
                                					_t92 =  *0x13d97c0; // 0x0
                                					_t124 =  *(_t121 + 0x20);
                                					if(_t92 != _t97) {
                                						_t110 =  *(_t92 + 0x20);
                                					} else {
                                						_t110 = 0;
                                					}
                                					if(_t124 != _t110) {
                                						goto L14;
                                					} else {
                                						goto L12;
                                					}
                                				}
                                			}


                                APIs
                                • IsWindow.USER32(?), ref: 012C0522
                                • GetFocus.USER32 ref: 012C0530
                                • IsChild.USER32 ref: 012C0564
                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C0598
                                • IsChild.USER32 ref: 012C05B4
                                • SendMessageW.USER32(?,00000100,?,00000000), ref: 012C05E3
                                  • Part of subcall function 012C00FC: GetFocus.USER32 ref: 012C010E
                                • IsIconic.USER32(?), ref: 012C0624
                                  • Part of subcall function 01293D66: PtInRect.USER32(?,?,?), ref: 01293DB9
                                • GetAsyncKeyState.USER32 ref: 012C06AA
                                • GetAsyncKeyState.USER32 ref: 012C06BC
                                • GetAsyncKeyState.USER32 ref: 012C06C9
                                • IsWindowVisible.USER32(?), ref: 012C072A
                                  • Part of subcall function 012CCF30: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012CCF5D
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AsyncStateWindow$ChildFocusMessageSend$Exception@8IconicRectRedrawThrowVisible
                                • String ID:
                                • API String ID: 2903762497-0
                                • Opcode ID: e42e83090fbc382ce8454a2ad874023bfd1ec48acf5a23f93efd812cdcf54614
                                • Instruction ID: 6bdeab8f6d880a476e269f28d04dffbf62a775071c89765162b740d3caf31285
                                • Opcode Fuzzy Hash: e42e83090fbc382ce8454a2ad874023bfd1ec48acf5a23f93efd812cdcf54614
                                • Instruction Fuzzy Hash: ED71C23A620242DFEF259FA8D884BAD7BB9BF04B48F15026CFB4197151D771A844CB58
                                Uniqueness

                                Uniqueness Score: 3.15%

                                C-Code - Quality: 94%
                                			E012C0F83(void* __ecx, void* __edx, intOrPtr* _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				int _v28;
                                				int _v32;
                                				int _v36;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t49;
                                				int _t66;
                                				int _t69;
                                				void* _t79;
                                				void* _t93;
                                				void* _t94;
                                				intOrPtr* _t95;
                                				signed int _t96;
                                
                                				_t93 = __edx;
                                				_t49 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t49 ^ _t96;
                                				_t95 = _a4;
                                				_t94 = GetSystemMetrics;
                                				_t79 = __ecx;
                                				_v36 = GetSystemMetrics(0x21);
                                				_v32 = GetSystemMetrics(0x20);
                                				_v28 = _v36;
                                				if(IsIconic( *( *((intOrPtr*)(_t79 + 0xb0)) + 0x20)) != 0 || (E01286848( *((intOrPtr*)(_t79 + 0xb0))) & 0x01000000) != 0) {
                                					_v32 = 0;
                                					_v28 = 0;
                                				}
                                				_v24.left = 0;
                                				_v24.top = 0;
                                				_v24.right = 0;
                                				_v24.bottom = 0;
                                				GetWindowRect( *( *((intOrPtr*)(_t79 + 0xb0)) + 0x20),  &_v24);
                                				L01279BD6( *((intOrPtr*)(_t79 + 0xb0)),  &_v24);
                                				_v36 = _v28;
                                				if(IsIconic( *( *((intOrPtr*)(_t79 + 0xb0)) + 0x20)) != 0) {
                                					_t66 = _v36;
                                				} else {
                                					_t66 = GetSystemMetrics(4) + _v28;
                                				}
                                				OffsetRect( &_v24, _v32, _t66);
                                				_t69 = GetSystemMetrics(4);
                                				 *_t95 = _v24.left + _v32;
                                				 *((intOrPtr*)(_t95 + 4)) = _v24.top + _v28;
                                				 *((intOrPtr*)(_t95 + 0xc)) = _t69 + _v24.top + _v28;
                                				 *((intOrPtr*)(_t95 + 8)) = _v24.right - _v32;
                                				_t80 =  *((intOrPtr*)(_t79 + 0xb0));
                                				if(IsIconic( *( *((intOrPtr*)(_t79 + 0xb0)) + 0x20)) != 0) {
                                					 *((intOrPtr*)(_t95 + 4)) =  *((intOrPtr*)(_t95 + 4)) + GetSystemMetrics(0x21);
                                					 *((intOrPtr*)(_t95 + 8)) =  *((intOrPtr*)(_t95 + 8)) - GetSystemMetrics(0x20);
                                				}
                                				return L01367D3E(_t95, _t80, _v8 ^ _t96, _t93, _t94, _t95);
                                			}


                                APIs
                                • GetSystemMetrics.USER32 ref: 012C0FA5
                                • GetSystemMetrics.USER32 ref: 012C0FAC
                                • IsIconic.USER32(?), ref: 012C0FC0
                                • GetWindowRect.USER32 ref: 012C1001
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                • IsIconic.USER32(?), ref: 012C1025
                                • GetSystemMetrics.USER32 ref: 012C1031
                                • OffsetRect.USER32 ref: 012C1043
                                • GetSystemMetrics.USER32 ref: 012C104B
                                • IsIconic.USER32(?), ref: 012C1079
                                • GetSystemMetrics.USER32 ref: 012C1085
                                • GetSystemMetrics.USER32 ref: 012C108C
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MetricsSystem$Iconic$ClientExceptionFilterProcessRectScreenUnhandledWindow$CurrentDebuggerLongOffsetPresentTerminate
                                • String ID:
                                • API String ID: 515154100-0
                                • Opcode ID: 749de0cd252cf16e5882f1c60fbdb8edd1884bb23631a020749fbc1f8858c592
                                • Instruction ID: 8caba84e59ac260922923ff486b62c82606ead067875765f147de8eb770d4dd1
                                • Opcode Fuzzy Hash: 749de0cd252cf16e5882f1c60fbdb8edd1884bb23631a020749fbc1f8858c592
                                • Instruction Fuzzy Hash: 3E41F5B1A0030A9FCF14DFA9D885AAEBBB9FF08304F044069EA09E7251D734A940CF61
                                Uniqueness

                                Uniqueness Score: 2.71%

                                C-Code - Quality: 66%
                                			E012E4052(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                				void* _t58;
                                				intOrPtr _t59;
                                				intOrPtr* _t63;
                                				void* _t70;
                                				intOrPtr _t71;
                                				int _t101;
                                				void* _t116;
                                				void* _t117;
                                				intOrPtr* _t118;
                                				void* _t119;
                                
                                				_t119 = __eflags;
                                				_t112 = __edx;
                                				_push(0x58);
                                				L013696A0(0x1383358, __ebx, __edi, __esi);
                                				_t116 = __ecx;
                                				_push(0);
                                				 *((intOrPtr*)(_t117 - 4)) = 0;
                                				L01279EEC(0, _t117 - 0x54, __edx, __edi, __ecx, _t119);
                                				 *((char*)(_t117 - 4)) = 1;
                                				L0127976C(_t117 - 0x3c);
                                				 *((char*)(_t117 - 4)) = 2;
                                				L01279DC3(0, _t117 - 0x3c, __edx, __edi, CreateCompatibleDC(0));
                                				 *((intOrPtr*)(_t117 - 0x28)) = 0;
                                				 *((intOrPtr*)(_t117 - 0x2c)) = 0x138f588;
                                				 *((char*)(_t117 - 4)) = 3;
                                				_t58 = E0127A097(0, _t117 - 0x2c, __edx, 0x138f588, CreateCompatibleBitmap( *(_t117 - 0x50),  *(_t116 + 0x50),  *(_t116 + 0x54)));
                                				_t120 = _t58;
                                				if(_t58 != 0) {
                                					_t59 = E0127A14E( *(_t117 - 0x38),  *((intOrPtr*)(_t117 - 0x28)));
                                					_t101 =  *(_t116 + 0x50);
                                					 *((intOrPtr*)(_t117 - 0x40)) = _t59;
                                					 *(_t117 - 0x18) =  *(_t116 + 0x54);
                                					 *(_t117 - 0x24) = 0;
                                					 *((intOrPtr*)(_t117 - 0x20)) = 0;
                                					 *(_t117 - 0x1c) = _t101;
                                					FillRect( *(_t117 - 0x38), _t117 - 0x24,  *0x13d647c);
                                					_push(0);
                                					_push(_t101);
                                					_push(_t101);
                                					_t63 = _t118;
                                					 *_t63 = 0;
                                					 *((intOrPtr*)(_t63 + 4)) = 0;
                                					 *((intOrPtr*)(_t117 - 0x58)) = _t118;
                                					_push(_t117 - 0x64);
                                					L012E1AE5(0, _t116, __edx, 0x138f588, _t116, __eflags, __fp0);
                                					_push(0xff);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push( *((intOrPtr*)(_t117 + 8)));
                                					_push(0);
                                					_push(0);
                                					_push(_t117 - 0x3c);
                                					L012E34D0(0, _t116, 0x138f588, _t116, __eflags, __fp0);
                                					E012E0426(_t116, _t112, _t117 - 0x64);
                                					_t70 =  *((intOrPtr*)(_t117 - 0x40));
                                					__eflags = _t70;
                                					if(_t70 != 0) {
                                						_t71 =  *((intOrPtr*)(_t70 + 4));
                                					} else {
                                						_t71 = 0;
                                					}
                                					E0127A14E( *(_t117 - 0x38), _t71);
                                					__eflags = OpenClipboard( *(E01274D2D() + 0x20));
                                					if(__eflags == 0) {
                                						goto L1;
                                					} else {
                                						__eflags = EmptyClipboard();
                                						if(__eflags != 0) {
                                							__eflags = SetClipboardData(2, E0127A0C5(0, _t117 - 0x2c, _t112));
                                							if(__eflags == 0) {
                                								_push(0xffffffff);
                                								_push(0);
                                								_push(0x3e8a);
                                								L0127795F(0, _t112, 0x138f588, _t116, __eflags);
                                							}
                                							CloseClipboard();
                                							 *((char*)(_t117 - 4)) = 2;
                                							 *((intOrPtr*)(_t117 - 0x2c)) = 0x138f588;
                                							E0127A27E(0, _t117 - 0x2c, 0x138f588, _t116, __eflags);
                                							 *((char*)(_t117 - 4)) = 1;
                                							L01279E44(_t117 - 0x3c);
                                							 *((char*)(_t117 - 4)) = 0;
                                							L01279F40(0, _t117 - 0x54, _t112, 0x138f588, _t116, __eflags);
                                							L3:
                                							return L013696FC(0, 0x138f588, _t116);
                                						}
                                						_push(0xffffffff);
                                						_push(0);
                                						_push(0x3e8a);
                                						L0127795F(0, _t112, 0x138f588, _t116, __eflags);
                                						CloseClipboard();
                                						L2:
                                						 *((char*)(_t117 - 4)) = 2;
                                						 *((intOrPtr*)(_t117 - 0x2c)) = 0x138f588;
                                						E0127A27E(0, _t117 - 0x2c, 0x138f588, _t116, _t120);
                                						 *((char*)(_t117 - 4)) = 1;
                                						L01279E44(_t117 - 0x3c);
                                						 *((char*)(_t117 - 4)) = 0;
                                						L01279F40(0, _t117 - 0x54, _t112, 0x138f588, _t116, _t120);
                                						goto L3;
                                					}
                                				}
                                				L1:
                                				_push(0xffffffff);
                                				_push(0);
                                				_push(0x3e8a);
                                				L0127795F(0, _t112, 0x138f588, _t116, _t120);
                                				goto L2;
                                			}














                                APIs
                                • __EH_prolog3_catch_GS.LIBCMT ref: 012E4059
                                  • Part of subcall function 01279EEC: __EH_prolog3.LIBCMT ref: 01279EF3
                                  • Part of subcall function 01279EEC: GetWindowDC.USER32(00000000), ref: 01279F1F
                                • CreateCompatibleDC.GDI32(00000000), ref: 012E407F
                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 012E40A8
                                  • Part of subcall function 0127795F: __EH_prolog3.LIBCMT ref: 01277966
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                  • Part of subcall function 01279F40: __EH_prolog3.LIBCMT ref: 01279F47
                                  • Part of subcall function 01279F40: ReleaseDC.USER32(?,00000000), ref: 01279F64
                                  • Part of subcall function 0127A14E: SelectObject.GDI32(?,?), ref: 0127A159
                                • FillRect.USER32(?,?), ref: 012E4125
                                  • Part of subcall function 012E0426: SelectObject.GDI32(?,00000000), ref: 012E044C
                                  • Part of subcall function 012E0426: SelectObject.GDI32(?,00000000), ref: 012E0462
                                  • Part of subcall function 012E0426: DeleteObject.GDI32(00000000), ref: 012E04CD
                                  • Part of subcall function 012E0426: DeleteDC.GDI32(00000000), ref: 012E04DC
                                  • Part of subcall function 012E0426: LeaveCriticalSection.KERNEL32(013D9CB8), ref: 012E04F5
                                • OpenClipboard.USER32(?), ref: 012E4187
                                • EmptyClipboard.USER32 ref: 012E4195
                                • CloseClipboard.USER32 ref: 012E41AC
                                • SetClipboardData.USER32 ref: 012E41C2
                                • CloseClipboard.USER32 ref: 012E41D9
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Clipboard$Object$DeleteH_prolog3Select$CloseCompatibleCreateH_prolog3_catch_$BitmapCriticalDataEmptyFillLeaveOpenRectReleaseSectionWindow
                                • String ID:
                                • API String ID: 1170800138-0
                                • Opcode ID: fa6d6a28977228d271089aec46e9aa52266745df4374b905fd29a934550a117e
                                • Instruction ID: a55d6384dd20d050da5f352b06c3eb61229040dbe8198f28c29e0abf8fee9002
                                • Opcode Fuzzy Hash: fa6d6a28977228d271089aec46e9aa52266745df4374b905fd29a934550a117e
                                • Instruction Fuzzy Hash: 5851607091024AEFDF05FFE8D988AFEBBF8AF28314F504159E511A7290DB745A08CB21
                                Uniqueness

                                Uniqueness Score: 3.53%

                                C-Code - Quality: 81%
                                			E012745E0(void* __edi, WCHAR* _a4, WCHAR* _a8, long _a12) {
                                				signed int _v8;
                                				char _v2054;
                                				short _v2056;
                                				char _v6148;
                                				void _v6152;
                                				long _v6156;
                                				long _v6160;
                                				union _SID_NAME_USE _v6164;
                                				struct _SECURITY_DESCRIPTOR _v6184;
                                				void* __ebx;
                                				void* __esi;
                                				signed int _t26;
                                				int _t34;
                                				int _t41;
                                				WCHAR* _t49;
                                				long _t63;
                                				signed int _t65;
                                
                                				_t62 = __edi;
                                				E01368890(0x1824);
                                				_t26 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t26 ^ _t65;
                                				_t49 = _a4;
                                				_t64 = _a8;
                                				_v6152 = 0;
                                				L01367D50( &_v6148, 0, 0xffc);
                                				_v2056 = 0;
                                				L01367D50( &_v2054, 0, 0x7fe);
                                				_v6160 = 0x400;
                                				_v6156 = 0x1000;
                                				InitializeSecurityDescriptor( &_v6184, 1);
                                				_t61 =  &_v6152;
                                				_t34 = LookupAccountNameW(0, _a8,  &_v6152,  &_v6156,  &_v2056,  &_v6160,  &_v6164);
                                				_t71 = _t34;
                                				if(_t34 == 0) {
                                					L7:
                                					__eflags = 0;
                                					return L01367D3E(0, _t49, _v8 ^ _t65, _t61, _t62, _t64);
                                				} else {
                                					_push(__edi);
                                					_t17 = GetLengthSid( &_v6152) + 0x10; // 0x10
                                					_t63 = _t17;
                                					_t64 = E01274753(_t71, _t63);
                                					InitializeAcl(_t64, _t63, 2);
                                					_t61 = _a12;
                                					_t41 = AddAccessAllowedAce(_t64, 2, _a12,  &_v6152);
                                					_pop(_t62);
                                					if(_t41 == 0 || SetSecurityDescriptorDacl( &_v6184, 1, _t64, 0) == 0 || SetFileSecurityW(_t49, 4,  &_v6184) == 0) {
                                						__eflags = _t64;
                                						if(_t64 != 0) {
                                							_push(_t64);
                                							E01274782();
                                						}
                                						goto L7;
                                					} else {
                                						E01274782();
                                						return L01367D3E(1, _t49, _v8 ^ _t65, _t61, __edi, _t64, _t64);
                                					}
                                				}
                                			}





















                                APIs
                                • _memset.LIBCMT ref: 01274617
                                • _memset.LIBCMT ref: 01274632
                                • InitializeSecurityDescriptor.ADVAPI32 ref: 01274657
                                • LookupAccountNameW.ADVAPI32(00000000,?,?,00001000,?,00000400,?), ref: 01274683
                                • GetLengthSid.ADVAPI32(?,7616D4C7), ref: 01274699
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                • InitializeAcl.ADVAPI32(00000000,00000010,00000002,00000001,?,01274151,?,?,10000000,?,?,?,?,?), ref: 012746B1
                                • AddAccessAllowedAce.ADVAPI32(00000000,00000002,?,?,?,01274151,?,?,10000000,?,?,?,?,?), ref: 012746C5
                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,01274151,?,?,10000000,?,?,?,?,?), ref: 012746DC
                                • SetFileSecurityW.ADVAPI32(10000000,00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,7633E061), ref: 012746F0
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Security$DescriptorExceptionFilterInitializeProcessUnhandled_memset$AccessAccountAllowedCurrentDaclDebuggerFileLengthLookupNamePresentTerminate_malloc
                                • String ID:
                                • API String ID: 1047844480-0
                                • Opcode ID: a6fbe6fb3e2758433d4b111c65731f350aefac9a0e480e6e91e7f944726040f8
                                • Instruction ID: 8f9ffa74c25a0ba1df6518a386ce4cf2cfeb22e2c2959a41e73412775515d882
                                • Opcode Fuzzy Hash: a6fbe6fb3e2758433d4b111c65731f350aefac9a0e480e6e91e7f944726040f8
                                • Instruction Fuzzy Hash: 7031D6B2900219ABDB21DB64DC45FEF73FCEF59745F008099E60996184EA709B458BA1
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 69%
                                			E01274D46(void* __ecx, void* __edx, int _a4) {
                                				signed int _v8;
                                				short _v16;
                                				short _v564;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t9;
                                				struct HINSTANCE__* _t13;
                                				intOrPtr* _t20;
                                				void* _t28;
                                				void* _t29;
                                				void* _t30;
                                				void* _t36;
                                				signed int _t37;
                                				void* _t39;
                                				void* _t40;
                                				signed int _t45;
                                				void* _t46;
                                
                                				_t35 = __edx;
                                				_t43 = _t45;
                                				_t46 = _t45 - 0x230;
                                				_t9 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t9 ^ _t45;
                                				_t49 = _a4 - 0x800;
                                				_t39 = __ecx;
                                				_t28 = __edx;
                                				if(_a4 != 0x800) {
                                					__eflags = GetLocaleInfoW(_a4, 3,  &_v16, 4);
                                					if(__eflags == 0) {
                                						goto L10;
                                					} else {
                                						goto L4;
                                					}
                                				} else {
                                					_push(L013699F6( &_v16, 4, L"LOC"));
                                					L01271310();
                                					_t46 = _t46 + 0x10;
                                					L4:
                                					_push(_t36);
                                					_t37 =  *(L01369B1B(_t49));
                                					 *(L01369B1B(_t49)) =  *_t16 & 0x00000000;
                                					_push( &_v16);
                                					_t30 = E0136848A( &_v564, 0x112, 0x111, _t39, _t28);
                                					_t20 = L01369B1B(_t49);
                                					_t50 =  *_t20;
                                					if( *_t20 == 0) {
                                						 *(L01369B1B(__eflags)) = _t37;
                                					} else {
                                						E01274C46( *((intOrPtr*)(L01369B1B(_t50))));
                                					}
                                					_pop(_t36);
                                					if(_t30 == 0xffffffff || _t30 >= 0x112) {
                                						L10:
                                						_t13 = 0;
                                						__eflags = 0;
                                					} else {
                                						_t13 = LoadLibraryW( &_v564);
                                					}
                                				}
                                				_pop(_t40);
                                				_pop(_t29);
                                				return L01367D3E(_t13, _t29, _v8 ^ _t43, _t35, _t36, _t40);
                                			}























                                APIs
                                • GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 01274D8D
                                • __snwprintf_s.LIBCMT ref: 01274DBF
                                • LoadLibraryW.KERNEL32(?), ref: 01274DFA
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01369B1B: __getptd_noexit.LIBCMT ref: 01369B1B
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerInfoLibraryLoadLocalePresentTerminate__getptd_noexit__snwprintf_s
                                • String ID: LOC
                                • API String ID: 2066080353-519433814
                                • Opcode ID: 132c644ded5f8bd9697422f70959e19c6379dd25016c2f7687ce64a3638e0016
                                • Instruction ID: 8085a50b8c9cc4037ae43926bc1206faf924c3542d9d014f2918ad7425c9f396
                                • Opcode Fuzzy Hash: 132c644ded5f8bd9697422f70959e19c6379dd25016c2f7687ce64a3638e0016
                                • Instruction Fuzzy Hash: 7F110A71A10319AFD710BB68CC85BAF3BACAF01328F5448A5E60197198DAB49E01C7A1
                                Uniqueness

                                Uniqueness Score: 1.51%

                                C-Code - Quality: 88%
                                			E012D674A(intOrPtr* __ebx, intOrPtr* __ecx, void* __edx, signed int __edi, void* __esi, void* __eflags) {
                                				signed int _t100;
                                				intOrPtr _t140;
                                				void* _t144;
                                				void* _t145;
                                				void* _t147;
                                				void* _t148;
                                				void* _t151;
                                				void* _t152;
                                				intOrPtr* _t167;
                                				intOrPtr _t168;
                                				intOrPtr* _t169;
                                				intOrPtr _t170;
                                				intOrPtr* _t171;
                                				intOrPtr _t172;
                                				signed int _t173;
                                				intOrPtr _t174;
                                				intOrPtr* _t230;
                                				void* _t231;
                                				void* _t232;
                                
                                				_t232 = __eflags;
                                				_t228 = __edi;
                                				_t220 = __edx;
                                				_t166 = __ebx;
                                				_push(0x18);
                                				L0136966A(0x13820b7, __ebx, __edi, __esi);
                                				_t230 = __ecx;
                                				if(L012F3B57(__ebx, __ecx, __edx, __edi, _t232,  *((intOrPtr*)(_t231 + 8))) != 0xffffffff) {
                                					_t228 = 0;
                                					 *((intOrPtr*)(_t231 - 0x20)) = 0;
                                					 *((intOrPtr*)(_t231 - 0x1c)) = 0;
                                					 *((intOrPtr*)(_t231 - 0x18)) = 0;
                                					 *((intOrPtr*)(_t231 - 0x14)) = 0;
                                					__eflags =  *(__ecx + 0x218);
                                					if( *(__ecx + 0x218) == 0) {
                                						L59:
                                						__eflags =  *((intOrPtr*)(_t230 + 0x214)) - _t228;
                                						if( *((intOrPtr*)(_t230 + 0x214)) != _t228) {
                                							_t220 = _t231 - 0x20;
                                							 *((intOrPtr*)( *((intOrPtr*)(_t230 + 0x2e0)) + 0x160))(0x50000000, _t231 - 0x20, _t230, 0xffffffff);
                                						}
                                						__eflags =  *(_t230 + 0x204) - _t228;
                                						if(__eflags == 0) {
                                							_push(4);
                                							_push(_t230);
                                							_t166 = _t230 + 0xd8;
                                							_push(_t230 + 0xd8);
                                							_t100 = E012EA539(_t230 + 0xd8, _t220, _t228, _t230, __eflags);
                                							__eflags = _t100;
                                							if(__eflags != 0) {
                                								_t115 = _t100 | 0xffffffff;
                                								__eflags = _t100 | 0xffffffff;
                                								E01286A31( *_t166, 0x13d7e28, _t100 | 0xffffffff, _t100 | 0xffffffff, _t115, _t115, 0x13);
                                							}
                                						} else {
                                							E0127A097(_t166, _t230 + 0x124, _t220, _t228, CreateSolidBrush( *((intOrPtr*)( *_t230 + 0x22c))()));
                                						}
                                						_push(4);
                                						_push(_t230);
                                						_push(_t230 + 0xdc);
                                						E012EA539(_t166, _t220, _t228, _t230, __eflags);
                                						_t166 = LoadCursorW;
                                						__eflags =  *0x13d64d0 - _t228; // 0x0
                                						if(__eflags == 0) {
                                							E012792EF(LoadCursorW, _t228, _t230, __eflags);
                                							 *0x13d64d0 = LoadCursorW( *(E012792EF(LoadCursorW, _t228, _t230, __eflags) + 0xc), 0x7904);
                                						}
                                						__eflags =  *0x13d64d4 - _t228; // 0x0
                                						if(__eflags == 0) {
                                							E012792EF(_t166, _t228, _t230, __eflags);
                                							 *0x13d64d4 = LoadCursorW( *(E012792EF(_t166, _t228, _t230, __eflags) + 0xc), 0x7905);
                                						}
                                						 *((intOrPtr*)( *_t230 + 0x174))();
                                						__eflags = 0;
                                						goto L70;
                                					}
                                					__eflags =  *(__ecx + 0x204);
                                					if( *(__ecx + 0x204) != 0) {
                                						_t173 = __ecx + 0x11f4;
                                						 *((intOrPtr*)( *_t173 + 0x160))(0x138e210, 0x50000000, _t231 - 0x20, __ecx, 0xffffffff);
                                						E0133C5EE(_t173, 0x12, 0, 0);
                                						 *((intOrPtr*)(__ecx + 0x127c)) = 0;
                                						 *((intOrPtr*)(__ecx + 0x1268)) = 1;
                                						__eflags = _t173;
                                						if(__eflags != 0) {
                                							_t174 =  *((intOrPtr*)(_t173 + 0x20));
                                						} else {
                                							_t174 = 0;
                                						}
                                						L013316F2(_t230 + 0x27e8, __eflags, _t174);
                                					}
                                					_t167 = _t230 + 0x354;
                                					 *((intOrPtr*)( *_t167 + 0x160))(0x138e210, 0x50000000, _t231 - 0x20, _t230, 0xffffffff);
                                					__eflags =  *((intOrPtr*)(_t230 + 0x208)) - _t228;
                                					if( *((intOrPtr*)(_t230 + 0x208)) != _t228) {
                                						L12:
                                						__eflags = 0;
                                						goto L13;
                                					} else {
                                						__eflags =  *((intOrPtr*)(_t230 + 0x20c)) - _t228;
                                						if( *((intOrPtr*)(_t230 + 0x20c)) != _t228) {
                                							goto L12;
                                						}
                                						__eflags =  *(_t230 + 0x204) - _t228;
                                						if( *(_t230 + 0x204) != _t228) {
                                							goto L12;
                                						}
                                						_push(4);
                                						_pop(0);
                                						L13:
                                						asm("sbb edx, edx");
                                						__eflags =  *(_t230 + 0x204) - _t228;
                                						E0133C5EE(_t167, 0x11 + (0 |  *(_t230 + 0x204) == _t228) * 4, 0, ( ~( *(_t230 + 0x204)) & 0xffffffe9) + 0x17);
                                						 *(_t230 + 0x3dc) = _t228;
                                						 *((intOrPtr*)(_t230 + 0x3c8)) = 1;
                                						__eflags =  *((intOrPtr*)(_t230 + 0x208)) - _t228;
                                						if( *((intOrPtr*)(_t230 + 0x208)) == _t228) {
                                							__eflags =  *((intOrPtr*)(_t230 + 0x20c)) - _t228;
                                							if( *((intOrPtr*)(_t230 + 0x20c)) == _t228) {
                                								E0133C71F(_t167, 0x32);
                                							}
                                						}
                                						__eflags = _t167 - _t228;
                                						if(__eflags != 0) {
                                							_t168 =  *((intOrPtr*)(_t167 + 0x20));
                                						} else {
                                							_t168 = 0;
                                						}
                                						L013316F2(_t230 + 0x27e8, __eflags, _t168);
                                						_t169 = _t230 + 0xaa4;
                                						 *((intOrPtr*)( *_t169 + 0x160))(0x138e210, 0x50000000, _t231 - 0x20, _t230, 0xffffffff);
                                						__eflags =  *((intOrPtr*)(_t230 + 0x208)) - _t228;
                                						if( *((intOrPtr*)(_t230 + 0x208)) != _t228) {
                                							L23:
                                							__eflags = 0;
                                							goto L24;
                                						} else {
                                							__eflags =  *((intOrPtr*)(_t230 + 0x20c)) - _t228;
                                							if( *((intOrPtr*)(_t230 + 0x20c)) != _t228) {
                                								goto L23;
                                							}
                                							__eflags =  *(_t230 + 0x204) - _t228;
                                							if( *(_t230 + 0x204) != _t228) {
                                								goto L23;
                                							}
                                							_push(4);
                                							_pop(0);
                                							L24:
                                							asm("sbb edx, edx");
                                							_t220 = ( ~( *(_t230 + 0x204)) & 0xffffffea) + 0x16;
                                							asm("sbb eax, eax");
                                							E0133C5EE(_t169, ( ~( *(_t230 + 0x204)) & 0xfffffffa) + 0x14, 0, ( ~( *(_t230 + 0x204)) & 0xffffffea) + 0x16);
                                							 *(_t230 + 0xb2c) = _t228;
                                							 *((intOrPtr*)(_t230 + 0xb18)) = 1;
                                							__eflags =  *((intOrPtr*)(_t230 + 0x208)) - _t228;
                                							if( *((intOrPtr*)(_t230 + 0x208)) == _t228) {
                                								__eflags =  *((intOrPtr*)(_t230 + 0x20c)) - _t228;
                                								if( *((intOrPtr*)(_t230 + 0x20c)) == _t228) {
                                									E0133C71F(_t169, 0x32);
                                								}
                                							}
                                							__eflags = _t169 - _t228;
                                							if(__eflags != 0) {
                                								_t170 =  *((intOrPtr*)(_t169 + 0x20));
                                							} else {
                                								_t170 = 0;
                                							}
                                							L013316F2(_t230 + 0x27e8, __eflags, _t170);
                                							__eflags =  *(_t230 + 0x204) - _t228;
                                							if( *(_t230 + 0x204) != _t228) {
                                								_t171 = _t230 + 0x1944;
                                								 *((intOrPtr*)( *_t171 + 0x160))(0x138e210, 0x50000000, _t231 - 0x20, _t230, 0xffffffff);
                                								E0133C5EE(_t171, 0x13, _t228, _t228);
                                								 *(_t230 + 0x19cc) = _t228;
                                								 *((intOrPtr*)(_t230 + 0x19b8)) = 1;
                                								__eflags = _t171 - _t228;
                                								if(__eflags != 0) {
                                									_t172 =  *((intOrPtr*)(_t171 + 0x20));
                                								} else {
                                									_t172 = 0;
                                								}
                                								L013316F2(_t230 + 0x27e8, __eflags, _t172);
                                							}
                                							_t166 = _t230 + 0x2094;
                                							 *((intOrPtr*)( *_t166 + 0x160))(0x138e210, 0x50000000, _t231 - 0x20, _t230, 0xffffffff);
                                							__eflags =  *((intOrPtr*)(_t230 + 0x208)) - _t228;
                                							if( *((intOrPtr*)(_t230 + 0x208)) != _t228) {
                                								L39:
                                								__eflags = 0;
                                								goto L40;
                                							} else {
                                								__eflags =  *((intOrPtr*)(_t230 + 0x20c)) - _t228;
                                								if( *((intOrPtr*)(_t230 + 0x20c)) != _t228) {
                                									goto L39;
                                								}
                                								__eflags =  *(_t230 + 0x204) - _t228;
                                								if( *(_t230 + 0x204) != _t228) {
                                									goto L39;
                                								}
                                								_push(4);
                                								_pop(0);
                                								L40:
                                								E0133C5EE(_t166, 5, 0, _t228);
                                								 *(_t230 + 0x211c) = _t228;
                                								 *((intOrPtr*)(_t230 + 0x2108)) = 1;
                                								__eflags = _t166 - _t228;
                                								if(__eflags != 0) {
                                									_t140 =  *((intOrPtr*)(_t166 + 0x20));
                                								} else {
                                									_t140 = 0;
                                								}
                                								L013316F2(_t230 + 0x27e8, __eflags, _t140);
                                								__eflags =  *(_t230 + 0x204) - _t228;
                                								if( *(_t230 + 0x204) != _t228) {
                                									goto L59;
                                								} else {
                                									__eflags =  *((intOrPtr*)(_t230 + 0x218)) - _t228;
                                									if( *((intOrPtr*)(_t230 + 0x218)) == _t228) {
                                										goto L59;
                                									}
                                									E01272410(_t231 - 0x24, E0127859A());
                                									_push(0x3ea0);
                                									 *(_t231 - 4) = _t228;
                                									_t144 = E01278490();
                                									__eflags = _t144 - _t228;
                                									if(_t144 != _t228) {
                                										_t145 = L012726D0(_t231 - 0x24, _t144, 0x3ea0);
                                									} else {
                                										_t145 = 0;
                                									}
                                									__eflags = _t145 - _t228;
                                									_t201 = 0 | __eflags != 0x00000000;
                                									if(__eflags != 0) {
                                										L50:
                                										L0133D3AD(_t166, _t220,  *((intOrPtr*)(_t231 - 0x24)));
                                										_t166 = 0x3ea2;
                                										_push(0x3ea2);
                                										_t147 = E01278490();
                                										__eflags = _t147 - _t228;
                                										if(_t147 != _t228) {
                                											_t148 = L012726D0(_t231 - 0x24, _t147, 0x3ea2);
                                										} else {
                                											_t148 = 0;
                                										}
                                										__eflags = _t148 - _t228;
                                										_t201 = 0 | __eflags != 0x00000000;
                                										if(__eflags == 0) {
                                											goto L49;
                                										} else {
                                											L0133D3AD(_t230 + 0x354, _t220,  *((intOrPtr*)(_t231 - 0x24)));
                                											_t166 = 0x3ea3;
                                											_push(0x3ea3);
                                											_t151 = E01278490();
                                											__eflags = _t151 - _t228;
                                											if(_t151 != _t228) {
                                												_t152 = L012726D0(_t231 - 0x24, _t151, 0x3ea3);
                                											} else {
                                												_t152 = 0;
                                											}
                                											__eflags = _t152 - _t228;
                                											_t201 = 0 | __eflags != 0x00000000;
                                											if(__eflags == 0) {
                                												goto L49;
                                											} else {
                                												_t166 =  *((intOrPtr*)(_t231 - 0x24));
                                												L0133D3AD(_t230 + 0xaa4, _t220,  *((intOrPtr*)(_t231 - 0x24)));
                                												_t81 = _t231 - 4;
                                												 *_t81 =  *(_t231 - 4) | 0xffffffff;
                                												__eflags =  *_t81;
                                												L01271470( *((intOrPtr*)(_t231 - 0x24)) - 0x10, _t220);
                                												goto L59;
                                											}
                                										}
                                									} else {
                                										L49:
                                										L01277AC9(_t201);
                                										goto L50;
                                									}
                                								}
                                							}
                                						}
                                					}
                                				} else {
                                					L70:
                                					return L013696ED(_t166, _t228, _t230);
                                				}
                                			}























                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012D6751
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 0133D3AD: SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0133D3E4
                                  • Part of subcall function 0133D3AD: SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0133D43A
                                • CreateSolidBrush.GDI32(00000000), ref: 012D6B10
                                  • Part of subcall function 012EA539: __EH_prolog3.LIBCMT ref: 012EA540
                                  • Part of subcall function 012EA539: SendMessageW.USER32(?,00000401,00000001,00000000), ref: 012EA5ED
                                  • Part of subcall function 012EA539: SendMessageW.USER32(?,00000418,00000000,FFFFFFFF), ref: 012EA606
                                • LoadCursorW.USER32 ref: 012D6B9E
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                • LoadCursorW.USER32 ref: 012D6B7C
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MessageSend$CursorLoad$BrushCreateException@8H_prolog3H_prolog3_SolidThrowWindow
                                • String ID:
                                • API String ID: 404550814-0
                                • Opcode ID: 289cdecb6197f4d6ddaeb9ce357970223924ed9aff5fb9fde1f6800a0e86f724
                                • Instruction ID: c0d73d419570d076e395297293618a7583a81947184cf0a9120576edb0817fc3
                                • Opcode Fuzzy Hash: 289cdecb6197f4d6ddaeb9ce357970223924ed9aff5fb9fde1f6800a0e86f724
                                • Instruction Fuzzy Hash: 50C1C7B16607029FCB26EB78CC95EFB73E8EF94314F104A2EE267961C5EA706544CB11
                                Uniqueness

                                Uniqueness Score: 23.02%

                                C-Code - Quality: 90%
                                			E012865DC(intOrPtr __ecx, void* __edx, void* __fp0, WCHAR* _a4) {
                                				intOrPtr _v8;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				void* _t7;
                                				struct HRSRC__* _t10;
                                				void* _t13;
                                				void* _t17;
                                				void* _t19;
                                				struct HINSTANCE__* _t21;
                                				void* _t22;
                                				void* _t29;
                                
                                				_t29 = __fp0;
                                				_t17 = __edx;
                                				_push(__ecx);
                                				_push(_t21);
                                				_t13 = 0;
                                				_t19 = 0;
                                				_v8 = __ecx;
                                				_t24 = _a4;
                                				if(_a4 == 0) {
                                					L4:
                                					_t22 = E012860DC(_t13, _v8, _t17, _t19, _t21, _t26, _t29, _t19);
                                					if(_t19 != 0 && _t13 != 0) {
                                						FreeResource(_t13);
                                					}
                                					_t7 = _t22;
                                				} else {
                                					_t21 =  *(E012792EF(0, 0, _t21, _t24) + 0xc);
                                					_t10 = FindResourceW(_t21, _a4, 0xf0);
                                					if(_t10 == 0) {
                                						goto L4;
                                					} else {
                                						_t7 = LoadResource(_t21, _t10);
                                						_t13 = _t7;
                                						_t26 = _t13;
                                						if(_t13 != 0) {
                                							_t19 = LockResource(_t13);
                                							goto L4;
                                						}
                                					}
                                				}
                                				return _t7;
                                			}

















                                APIs
                                • FindResourceW.KERNEL32(?,?,000000F0), ref: 01286602
                                • LoadResource.KERNEL32(?,00000000), ref: 0128660E
                                • LockResource.KERNEL32(00000000), ref: 0128661B
                                  • Part of subcall function 012860DC: __EH_prolog3.LIBCMT ref: 012860E3
                                  • Part of subcall function 012860DC: SendDlgItemMessageW.USER32(?,?,0000040B,00000000,?), ref: 012861BB
                                  • Part of subcall function 012860DC: SendDlgItemMessageW.USER32(?,?,0000037C,?,?), ref: 012861ED
                                  • Part of subcall function 012860DC: SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 0128622F
                                • FreeResource.KERNEL32(00000000), ref: 01286637
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Resource$ItemMessageSend$FindFreeH_prolog3LoadLock
                                • String ID:
                                • API String ID: 158579098-0
                                • Opcode ID: 7a9853f8643e7739ca8a6977ad584e0c1ca2fd4706693fea04040668055a4bba
                                • Instruction ID: 1edffd4c17ce096690546ced2681671e48f456d4d1f2592a64bfab94679ae585
                                • Opcode Fuzzy Hash: 7a9853f8643e7739ca8a6977ad584e0c1ca2fd4706693fea04040668055a4bba
                                • Instruction Fuzzy Hash: 1AF0AF32211367AFE7216FA99888DBFBB6CAB95664B084038BB05A3240DE74D9418774
                                Uniqueness

                                Uniqueness Score: 0.09%

                                C-Code - Quality: 100%
                                			E012C831C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				void* __ebx;
                                				void* __ebp;
                                				void* _t15;
                                				void* _t16;
                                				void* _t19;
                                				intOrPtr _t20;
                                
                                				_t19 = __edx;
                                				_t17 = __ecx;
                                				_t20 = _a4;
                                				if(_t20 == 0) {
                                					L01277AC9(__ecx);
                                				}
                                				_t16 = E01282D05(_t15, _t17, _t19, GetParent( *(_t20 + 0x20)));
                                				_t18 = _t16;
                                				if(E012789AE(_t16, 0x1396968) != 0) {
                                					if(_a8 != 0) {
                                						L8:
                                						return _t16;
                                					}
                                					while(1) {
                                						_t20 = E01282D05(_t16, _t18, _t19, GetParent( *(_t20 + 0x20)));
                                						if(_t20 == 0) {
                                							goto L8;
                                						}
                                						if(IsIconic( *(_t20 + 0x20)) != 0) {
                                							goto L3;
                                						}
                                					}
                                					goto L8;
                                				} else {
                                					L3:
                                					return 0;
                                				}
                                			}










                                APIs
                                • GetParent.USER32(?), ref: 012C8339
                                • IsIconic.USER32(?), ref: 012C8362
                                • GetParent.USER32(?), ref: 012C836F
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Parent$Exception@8IconicThrow
                                • String ID:
                                • API String ID: 2923462127-0
                                • Opcode ID: fad01bbd0770094f2b525b7bd8decadef41b7a998cb6854fcd9196b488879fe0
                                • Instruction ID: 09e7ad0f9636ee63435ab0b9008e9fb86b4babc52718e420bffc2f57a08f8c66
                                • Opcode Fuzzy Hash: fad01bbd0770094f2b525b7bd8decadef41b7a998cb6854fcd9196b488879fe0
                                • Instruction Fuzzy Hash: B5F0C832230206BBCB127F75DC0492B7E99FB849A4B059229E64883131EB30D8008650
                                Uniqueness

                                Uniqueness Score: 1.55%

                                C-Code - Quality: 91%
                                			E012C240F(void* __ecx, void* __eflags) {
                                				void* _t10;
                                				int _t11;
                                				int _t12;
                                				signed int _t14;
                                				signed int _t20;
                                				intOrPtr _t24;
                                				void* _t26;
                                				void* _t27;
                                				intOrPtr _t34;
                                				void* _t36;
                                
                                				_t36 = __ecx;
                                				_t10 = E0128C316(__ecx, __eflags);
                                				if(_t10 == 0 ||  *((intOrPtr*)(_t36 + 0x1c)) != 0) {
                                					return _t10;
                                				} else {
                                					_t34 =  *((intOrPtr*)(_t36 + 0x14));
                                					if(_t34 == 0x13) {
                                						L4:
                                						_t24 =  *((intOrPtr*)(_t36 + 0x10));
                                						_t11 = L012C1F69(_t36);
                                						if(_t24 == _t34) {
                                							_t12 = 0;
                                							_t26 = _t24 - 0x13;
                                							if(_t26 == 0) {
                                								_t12 = 0xf060;
                                							} else {
                                								_t27 = _t26 - 7;
                                								if(_t27 == 0) {
                                									_t14 = E01286848( *((intOrPtr*)(_t36 + 0xb0)));
                                									asm("sbb eax, eax");
                                									_t12 = ( ~((_t14 & 0x01000000) - 0x1000000) & 0xffffff10) + 0xf120;
                                								} else {
                                									if(_t27 == 1) {
                                										_t20 = IsIconic( *( *((intOrPtr*)(_t36 + 0xb0)) + 0x20));
                                										asm("sbb eax, eax");
                                										_t12 = ( ~_t20 & 0x00000100) + 0xf020;
                                									}
                                								}
                                							}
                                							_t11 = PostMessageW( *( *((intOrPtr*)(_t36 + 0xb0)) + 0x20), 0x112, _t12, 0);
                                						}
                                						L13:
                                						return _t11;
                                					}
                                					_t11 = _t34 - 0x1a;
                                					if(_t11 > 1) {
                                						goto L13;
                                					}
                                					goto L4;
                                				}
                                			}














                                APIs
                                  • Part of subcall function 012C1F69: ReleaseCapture.USER32 ref: 012C1F89
                                  • Part of subcall function 012C1F69: ReleaseCapture.USER32 ref: 012C1FB0
                                • IsIconic.USER32(?), ref: 012C2463
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                • PostMessageW.USER32 ref: 012C24B3
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CaptureRelease$IconicLongMessagePostWindow
                                • String ID:
                                • API String ID: 991923422-0
                                • Opcode ID: 607833f5ea57ca00865c8c8be62a4c6659ca85c360ad8748eb0505caa2c30c09
                                • Instruction ID: 377840436def10c64312862b998bcc1f20214669e8c3f12c0a45b0498476ce89
                                • Opcode Fuzzy Hash: 607833f5ea57ca00865c8c8be62a4c6659ca85c360ad8748eb0505caa2c30c09
                                • Instruction Fuzzy Hash: B0116177270B02CBE7359A3CD945B6AB6BAFB54B10F080B3DE791C25D1CB68E8109651
                                Uniqueness

                                Uniqueness Score: 1.11%

                                C-Code - Quality: 79%
                                			E01272650(WCHAR* _a4) {
                                				signed int _v8;
                                				struct _WIN32_FIND_DATAW _v600;
                                				void* __esi;
                                				signed int _t11;
                                				void* _t14;
                                				short* _t17;
                                				void* _t22;
                                				WCHAR* _t23;
                                				void* _t30;
                                				void* _t31;
                                				signed int _t32;
                                
                                				_t11 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t11 ^ _t32;
                                				_t23 = _a4;
                                				_t31 = 0;
                                				_t14 = FindFirstFileW(_t23,  &_v600);
                                				if(_t14 != 0xffffffff && (_v600.dwFileAttributes & 0x00000010) != 0) {
                                					_t31 = 1;
                                				}
                                				FindClose(_t14);
                                				_t17 =  &(_a4[0xfffffffffffffff8]);
                                				_t29 =  &(_t17[6]);
                                				asm("lock xadd [edx], ecx");
                                				if((_t23 | 0xffffffff) - 1 <= 0) {
                                					_t29 =  *( *_t17);
                                					 *(( *( *_t17))[2])(_t17);
                                				}
                                				return L01367D3E(_t31, _t22, _v8 ^ _t32, _t29, _t30, _t31);
                                			}















                                APIs
                                • FindFirstFileW.KERNEL32(?,?), ref: 01272671
                                • FindClose.KERNEL32(00000000), ref: 0127268B
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterFindProcessUnhandled$CloseCurrentDebuggerFileFirstPresentTerminate
                                • String ID:
                                • API String ID: 3520361141-0
                                • Opcode ID: 2b3d6d799ab6ba0dba5381b43e491419d00764fc1b83469bd4f8e583fbc29e13
                                • Instruction ID: e904ff177c87a512fb47e46e5ca9b53e66573c3a0b609daec3edea84412d408e
                                • Opcode Fuzzy Hash: 2b3d6d799ab6ba0dba5381b43e491419d00764fc1b83469bd4f8e583fbc29e13
                                • Instruction Fuzzy Hash: 1B01F2316016098FC714DF6CCC48BAAB7A8EF45324F104398E929C72D0CB309E85CBD0
                                Uniqueness

                                Uniqueness Score: 0.03%

                                C-Code - Quality: 100%
                                			E012B2290(void* __ecx, intOrPtr _a4) {
                                				void* _t4;
                                				intOrPtr _t13;
                                				void* _t15;
                                
                                				_t13 = _a4;
                                				_t15 = __ecx;
                                				if(_t13 == 0xffffffff) {
                                					if(IsWindowVisible( *(__ecx + 0x20)) != 0) {
                                						if(IsIconic( *(_t15 + 0x20)) != 0) {
                                							_t13 = 9;
                                						}
                                					} else {
                                						_t13 = 1;
                                					}
                                				}
                                				_t4 = E012B0A7D(_t15, _t13);
                                				if(_t13 == 0xffffffff) {
                                					return _t4;
                                				}
                                				E0128699F(_t15, _t13);
                                				return E012B0A7D(_t15, _t13);
                                			}







                                APIs
                                • IsWindowVisible.USER32(?), ref: 012B22A4
                                • IsIconic.USER32(?), ref: 012B22B6
                                  • Part of subcall function 012B0A7D: GetLastActivePopup.USER32(?), ref: 012B0AA0
                                  • Part of subcall function 012B0A7D: BringWindowToTop.USER32 ref: 012B0AA7
                                  • Part of subcall function 0128699F: ShowWindow.USER32(00000000,?), ref: 012869B0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$ActiveBringIconicLastPopupShowVisible
                                • String ID:
                                • API String ID: 1768811940-0
                                • Opcode ID: b7c0985ad8e65f641a27d02400aa88708c2e00a09434b715beb9ba170e6a3b51
                                • Instruction ID: ca694d4ba92120499dd5a1cd4fb0f5c1788e66b6138abe7f53f014d3df2808af
                                • Opcode Fuzzy Hash: b7c0985ad8e65f641a27d02400aa88708c2e00a09434b715beb9ba170e6a3b51
                                • Instruction Fuzzy Hash: 93F0893232071197C721263EEC54EAFB96DABD1BF07001729E655D21E09A60B50245B5
                                Uniqueness

                                Uniqueness Score: 0.46%

                                APIs
                                • CoInitialize.OLE32(00000000), ref: 0127E3AC
                                • CoCreateInstance.OLE32(013B6A54,00000000,00000001,0138F74C,?), ref: 0127E3CA
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CreateInitializeInstance
                                • String ID:
                                • API String ID: 3519745914-0
                                • Opcode ID: a9cb8e4200833c95132453456df0f4dd9544c59008bc8114b50cb43ae63d38fe
                                • Instruction ID: 5b3290bc3ef8538cee6c71604a3de2d6f36b3145fdfb3e82c1dd551467467f41
                                • Opcode Fuzzy Hash: a9cb8e4200833c95132453456df0f4dd9544c59008bc8114b50cb43ae63d38fe
                                • Instruction Fuzzy Hash: 55F0B471150206EBD720DF4698C89FB37A9E780705F2504BDF3059A041C3B148828B20
                                Uniqueness

                                Uniqueness Score: 1.23%

                                C-Code - Quality: 97%
                                			E012DC0F5(intOrPtr* __ecx, intOrPtr* _a8) {
                                				void* __ebp;
                                				intOrPtr _t13;
                                				void* _t16;
                                				intOrPtr _t20;
                                				void* _t23;
                                				signed short _t24;
                                				signed int _t26;
                                				intOrPtr* _t31;
                                				intOrPtr* _t33;
                                
                                				_t31 = __ecx;
                                				if(( *0x13d9ba8 & 0x00000001) == 0) {
                                					 *0x13d9ba8 =  *0x13d9ba8 | 0x00000001;
                                					E01272410(0x13d9ba4, E0127859A());
                                					E013689DE( *0x13d9ba8, 0x138b3c5);
                                				}
                                				_t33 = _a8;
                                				if(_t33 != 0) {
                                					L4:
                                					_t13 =  *((intOrPtr*)(_t31 + 0x338));
                                					if(_t13 == 0 ||  *((intOrPtr*)(_t13 + 0x20)) == 0) {
                                						L20:
                                						__eflags = 0;
                                						return 0;
                                					} else {
                                						if(_t13 != 0) {
                                							_t13 =  *((intOrPtr*)(_t13 + 0x20));
                                						}
                                						if( *_t33 != _t13) {
                                							goto L20;
                                						} else {
                                							_t16 =  *((intOrPtr*)(_t33 + 4)) - 1;
                                							if(_t16 == 0) {
                                								_t38 = 0x3ea0;
                                								L17:
                                								_push(_t38);
                                								if(E01278490() == 0) {
                                									goto L3;
                                								}
                                								_t33 = 0x13d9ba4;
                                								if(L012726D0(0x13d9ba4, _t17, _t38) == 0) {
                                									goto L3;
                                								}
                                								_t20 =  *0x13d9ba4; // 0x0
                                								 *((intOrPtr*)(_a8 + 0xc)) = _t20;
                                								return 1;
                                							}
                                							_t23 = _t16 - 1;
                                							if(_t23 == 0) {
                                								_t38 = 0x3ea1;
                                								_t24 = GetAsyncKeyState(0x11);
                                								_t33 = 0x8000;
                                								__eflags = 0x00008000 & _t24;
                                								if((0x00008000 & _t24) != 0) {
                                									_t33 = _t31;
                                									_t26 =  *((intOrPtr*)( *_t31 + 0x340))();
                                									__eflags = _t26;
                                									if(_t26 != 0) {
                                										_t38 = 0x3ea4;
                                									}
                                								}
                                								goto L17;
                                							}
                                							if(_t23 != 1) {
                                								goto L20;
                                							}
                                							_t38 = 0x428e;
                                							goto L17;
                                						}
                                					}
                                				}
                                				L3:
                                				L01277AC9(_t33);
                                				goto L4;
                                 			}

                                APIs
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetAsyncKeyState.USER32 ref: 012DC16D
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AsyncException@8StateThrow
                                • String ID:
                                • API String ID: 1394916488-0
                                • Opcode ID: c9a371406709077da8e7c374cac8ab6d23ae408f38dc97c6a0012a9162efbb82
                                • Instruction ID: b737208844368c92b807b47081a62c66765868dc29cd816a07e822e9b80f995b
                                • Opcode Fuzzy Hash: c9a371406709077da8e7c374cac8ab6d23ae408f38dc97c6a0012a9162efbb82
                                • Instruction Fuzzy Hash: 2221C3313202239BEB25AA7DD854B767B9AAF45258F09406DEB09CB281DE71D811C761
                                Uniqueness

                                Uniqueness Score: 0.95%

                                C-Code - Quality: 100%
                                			E012720E0(void* __ecx) {
                                				void* _v8;
                                				int _v12;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				int _t37;
                                				WCHAR* _t74;
                                				void* _t111;
                                
                                				_t111 = __ecx;
                                				_t37 = RegCreateKeyExW(0x80000002, L"SOFTWARE\\Asus\\ASUS Live Update", 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12);
                                				if(_t37 == 0) {
                                					_t109 = RegSetValueExW;
                                					_t83 = _t111 + 0x11bc;
                                					RegSetValueExW(_v8, L"Critical_Update", _t37, 4, _t111 + 0x11bc, 4);
                                					E01271680(_t111 + 0x11bc, RegSetValueExW, _t111, L"Write m_dwCriticalUpdate %u\n",  *_t83);
                                					_t84 = _t111 + 0x11c0;
                                					RegSetValueExW(_v8, L"Recommended_Update", 0, 4, _t111 + 0x11c0, 4);
                                					E01271680(_t111 + 0x11c0, RegSetValueExW, _t111, L"Write m_dwRecommUpdate %u\n",  *_t84);
                                					_t85 = _t111 + 0x11c4;
                                					RegSetValueExW(_v8, L"Day", 0, 4, _t111 + 0x11c4, 4);
                                					E01271680(_t111 + 0x11c4, RegSetValueExW, _t111, L"Write m_dwDay %u\n",  *_t85);
                                					_t86 = _t111 + 0x11c8;
                                					RegSetValueExW(_v8, L"Time", 0, 4, _t111 + 0x11c8, 4);
                                					E01271680(_t111 + 0x11c8, _t109, _t111, L"Write m_dwTime %u\n",  *_t86);
                                					RegSetValueExW(_v8, L"TotalItemCount", 0, 4, _t111 + 0x11e0, 4);
                                					RegSetValueExW(_v8, L"UpdateCount", 0, 4, _t111 + 0x11d8, 4);
                                					RegSetValueExW(_v8, L"SelectCount", 0, 4, _t111 + 0x11dc, 4);
                                					RegSetValueExW(_v8, L"LastUpdateTime", 0, 4, _t111 + 0x11d0, 4);
                                					_t87 = _t111 + 0x11cc;
                                					RegSetValueExW(_v8, L"Frequency", 0, 4, _t111 + 0x11cc, 4);
                                					E01271680(_t111 + 0x11cc, _t109, _t111, L"Write m_dwFrequency %u\n",  *_t87);
                                					RegSetValueExW(_v8, L"SelfUpdating", 0, 1, _t111 + 0x8b8, lstrlenW(_t111 + 0x8b8) + _t59);
                                					RegSetValueExW(_v8, L"SelfUpdtPath", 0, 1, _t111 + 0xb8, lstrlenW(_t111 + 0xb8) + _t64);
                                					RegSetValueExW(_v8, L"Source", 0, 1, _t111 + 0x980, lstrlenW(_t111 + 0x980) + _t70);
                                					_t74 = _t111 + 0x1180;
                                					if( *(_t111 + 0x1180) != 0) {
                                						RegSetValueExW(_v8, L"UIMode", 0, 1, _t111 + 0x1180, lstrlenW(_t74) + _t78);
                                					}
                                					RegSetValueExW(_v8, L"Mode", 0, 4, _t111 + 0x11d4, 4);
                                					return RegCloseKey(_v8);
                                				}
                                				return _t37;
                                 			}

                                APIs
                                • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Asus\ASUS Live Update,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 01272108
                                • RegSetValueExW.ADVAPI32 ref: 01272133
                                  • Part of subcall function 01271680: _memset.LIBCMT ref: 012716A9
                                  • Part of subcall function 01271680: __swprintf.LIBCMT ref: 012716BA
                                  • Part of subcall function 01271680: __vswprintf.LIBCMT ref: 012716CF
                                  • Part of subcall function 01271680: OutputDebugStringW.KERNEL32(?), ref: 012716DE
                                • RegSetValueExW.ADVAPI32 ref: 0127215B
                                • RegSetValueExW.ADVAPI32 ref: 01272183
                                • RegSetValueExW.ADVAPI32 ref: 012721AB
                                • RegSetValueExW.ADVAPI32 ref: 012721D3
                                • RegSetValueExW.ADVAPI32 ref: 012721EB
                                • RegSetValueExW.ADVAPI32 ref: 01272203
                                • RegSetValueExW.ADVAPI32 ref: 0127221B
                                • RegSetValueExW.ADVAPI32 ref: 01272233
                                • lstrlenW.KERNEL32(?), ref: 01272252
                                • RegSetValueExW.ADVAPI32 ref: 0127226B
                                • lstrlenW.KERNEL32(?), ref: 01272274
                                • RegSetValueExW.ADVAPI32 ref: 0127228D
                                • lstrlenW.KERNEL32(?), ref: 01272296
                                • RegSetValueExW.ADVAPI32 ref: 012722AF
                                • lstrlenW.KERNEL32(00000000), ref: 012722C2
                                • RegSetValueExW.ADVAPI32 ref: 012722DB
                                • RegSetValueExW.ADVAPI32 ref: 012722F3
                                • RegCloseKey.ADVAPI32(?), ref: 012722F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Value$lstrlen$CloseCreateDebugOutputString__swprintf__vswprintf_memset
                                • String ID: Critical_Update$Day$Frequency$LastUpdateTime$Mode$Recommended_Update$SOFTWARE\Asus\ASUS Live Update$SelectCount$SelfUpdating$SelfUpdtPath$Source$Time$TotalItemCount$UIMode$UpdateCount$Write m_dwCriticalUpdate %u$Write m_dwDay %u$Write m_dwFrequency %u$Write m_dwRecommUpdate %u$Write m_dwTime %u
                                • API String ID: 3249078683-3956896675
                                • Opcode ID: 03c55c99c511c645e3c4f221dfd071ccedc0797ef505db731a921881812eaee1
                                • Instruction ID: 93312a160b92b279816e8b474c4e9232c2943939b4df1251815e22f0727915b1
                                • Opcode Fuzzy Hash: 03c55c99c511c645e3c4f221dfd071ccedc0797ef505db731a921881812eaee1
                                • Instruction Fuzzy Hash: 3051F3B1780308BAE724F7A5DC82FEBB3ACAF54B58F104519F715A71C0D6B0BA048B65
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 95%
                                			E0127EF34(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t109;
                                				signed int _t111;
                                				long _t114;
                                				long _t115;
                                				long _t116;
                                				long _t117;
                                				long _t118;
                                				long _t119;
                                				long _t124;
                                				long _t135;
                                				struct HBRUSH__* _t136;
                                				struct HBRUSH__* _t137;
                                				struct HBRUSH__* _t139;
                                				void* _t169;
                                				long _t198;
                                				long _t200;
                                				signed int _t203;
                                				signed char _t237;
                                				void* _t252;
                                				void* _t257;
                                				void* _t264;
                                				void* _t266;
                                				void* _t268;
                                
                                				_t245 = __edx;
                                				_push(0x20);
                                				L01369601(0x137f790, __ebx, __edi, __esi);
                                				_t256 = __ecx;
                                				_t252 = GetSysColor;
                                				if(GetSysColor(0x16) != 0xffffff) {
                                					L3:
                                					_t109 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t200 = GetSysColor(0xf);
                                					if(_t200 != 0) {
                                						goto L3;
                                					} else {
                                						_t109 = _t200 + 1;
                                					}
                                				}
                                				 *((intOrPtr*)(_t256 + 0x184)) = _t109;
                                				if(GetSysColor(0x15) != 0) {
                                					L7:
                                					_t111 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t198 = GetSysColor(0xf);
                                					_t262 = _t198 - 0xffffff;
                                					if(_t198 != 0xffffff) {
                                						goto L7;
                                					} else {
                                						_t111 = 1;
                                					}
                                				}
                                				_t203 = 0;
                                				_push(0);
                                				 *((intOrPtr*)(_t256 + 0x188)) = _t111;
                                				L01279EEC(0, _t257 - 0x2c, _t245, _t252, _t256, _t262);
                                				 *(_t257 - 4) = 0;
                                				 *((intOrPtr*)(_t256 + 0x1ac)) = GetDeviceCaps( *(_t257 - 0x24), 0xc);
                                				_t114 = GetSysColor(0xf);
                                				 *(_t256 + 0x14) = _t114;
                                				 *(_t256 + 0x4c) = _t114;
                                				_t115 = GetSysColor(0x10);
                                				 *(_t256 + 0x18) = _t115;
                                				 *(_t256 + 0x50) = _t115;
                                				_t116 = GetSysColor(0x15);
                                				 *(_t256 + 0x28) = _t116;
                                				 *(_t256 + 0x58) = _t116;
                                				_t117 = GetSysColor(0x16);
                                				 *(_t256 + 0x2c) = _t117;
                                				 *(_t256 + 0x5c) = _t117;
                                				_t118 = GetSysColor(0x14);
                                				 *(_t256 + 0x1c) = _t118;
                                				 *(_t256 + 0x54) = _t118;
                                				_t119 = GetSysColor(0x12);
                                				 *(_t256 + 0x20) = _t119;
                                				 *(_t256 + 0x60) = _t119;
                                				 *((intOrPtr*)(_t256 + 0x30)) = GetSysColor(0x11);
                                				 *((intOrPtr*)(_t256 + 0x24)) = GetSysColor(6);
                                				 *(_t256 + 0x34) = GetSysColor(0xd);
                                				 *((intOrPtr*)(_t256 + 0x38)) = GetSysColor(0xe);
                                				_t124 = GetSysColor(5);
                                				 *(_t256 + 0x64) = _t124;
                                				 *(_t256 + 0x48) = _t124;
                                				 *(_t256 + 0x68) = GetSysColor(8);
                                				 *((intOrPtr*)(_t256 + 0x6c)) = GetSysColor(9);
                                				 *((intOrPtr*)(_t256 + 0x70)) = GetSysColor(7);
                                				 *(_t256 + 0x74) = GetSysColor(2);
                                				 *(_t256 + 0x78) = GetSysColor(3);
                                				 *((intOrPtr*)(_t256 + 0x80)) = GetSysColor(0x1b);
                                				 *((intOrPtr*)(_t256 + 0x84)) = GetSysColor(0x1c);
                                				 *((intOrPtr*)(_t256 + 0x88)) = GetSysColor(0xa);
                                				 *((intOrPtr*)(_t256 + 0x8c)) = GetSysColor(0xb);
                                				 *((intOrPtr*)(_t256 + 0x7c)) = GetSysColor(0x13);
                                				if( *((intOrPtr*)(_t256 + 0x184)) == 0) {
                                					_t135 = GetSysColor(0x1a);
                                					 *(_t256 + 0x40) = 0xff0000;
                                					 *(_t256 + 0x44) = 0x800080;
                                				} else {
                                					_t135 =  *(_t256 + 0x68);
                                					 *(_t256 + 0x40) = _t135;
                                					 *(_t256 + 0x44) = _t135;
                                				}
                                				 *(_t256 + 0x3c) = _t135;
                                				_t136 = GetSysColorBrush(0x10);
                                				_t264 = _t136 - _t203;
                                				_t208 = 0 | _t264 != 0x00000000;
                                				 *(_t256 + 0xc) = _t136;
                                				if(_t264 != 0 == _t203) {
                                					L12:
                                					L01277AC9(_t208);
                                				}
                                				_t137 = GetSysColorBrush(0x14);
                                				_t266 = _t137 - _t203;
                                				_t208 = 0 | _t266 != 0x00000000;
                                				 *(_t256 + 8) = _t137;
                                				if(_t266 != 0 == _t203) {
                                					goto L12;
                                				}
                                				_t139 = GetSysColorBrush(5);
                                				_t268 = _t139 - _t203;
                                				_t208 = 0 | _t268 != 0x00000000;
                                				 *(_t256 + 0x10) = _t139;
                                				if(_t268 != 0 == _t203) {
                                					goto L12;
                                				}
                                				E0127A0F1(_t139, _t256 + 0x90);
                                				_t254 = CreateSolidBrush;
                                				E0127A0F1(E0127A097(_t203, _t256 + 0x90, _t245, CreateSolidBrush, CreateSolidBrush( *(_t256 + 0x14))), _t256 + 0xc8);
                                				E0127A0F1(E0127A097(_t203, _t256 + 0xc8, _t245, CreateSolidBrush, CreateSolidBrush( *(_t256 + 0x4c))), _t256 + 0xb0);
                                				E0127A0F1(E0127A097(_t203, _t256 + 0xb0, _t245, _t254, CreateSolidBrush( *(_t256 + 0x74))), _t256 + 0xb8);
                                				E0127A0F1(E0127A097(_t203, _t256 + 0xb8, _t245, _t254, CreateSolidBrush( *(_t256 + 0x78))), _t256 + 0x98);
                                				E0127A0F1(E0127A097(_t203, _t256 + 0x98, _t245, _t254, CreateSolidBrush( *(_t256 + 0x34))), _t256 + 0xa8);
                                				E0127A0F1(E0127A097(_t203, _t256 + 0xa8, _t245, _t254, CreateSolidBrush( *(_t256 + 0x28))), _t256 + 0xc0);
                                				E0127A0F1(E0127A097(_t203, _t256 + 0xc0, _t245, _t254, CreateSolidBrush( *(_t256 + 0x64))), _t256 + 0xd0);
                                				_t204 = CreatePen;
                                				E0127A0F1(E0127A097(CreatePen, _t256 + 0xd0, _t245, _t254, CreatePen(0, 1,  *0x13d641c)), _t256 + 0xd8);
                                				E0127A0F1(E0127A097(CreatePen, _t256 + 0xd8, _t245, _t254, CreatePen(0, 1,  *0x13d6434)), _t256 + 0xe0);
                                				_t169 = E0127A097(_t204, _t256 + 0xe0, _t245, _t254, CreatePen(0, 1,  *0x13d6438));
                                				_t203 = _t256 + 0xa0;
                                				if(_t203 != 0 &&  *((intOrPtr*)(_t203 + 4)) != 0) {
                                					E0127A0F1(_t169, _t203);
                                				}
                                				if( *((intOrPtr*)(_t256 + 0x1ac)) <= 8) {
                                					__eflags = L0127DF8F(_t203,  *((intOrPtr*)(_t257 - 0x28)));
                                					_t208 = 0 | __eflags != 0x00000000;
                                					if(__eflags == 0) {
                                						goto L12;
                                					} else {
                                						_t94 = _t257 - 0x14;
                                						 *_t94 =  *(_t257 - 0x14) & 0x00000000;
                                						__eflags =  *_t94;
                                						_t256 = 0x138f588;
                                						 *((intOrPtr*)(_t257 - 0x18)) = 0x138f588;
                                						 *(_t257 - 4) = 1;
                                						E0127A097(_t203, _t257 - 0x18, _t245, _t254, _t170);
                                						E0127A097(_t203, _t203, _t245, _t254, CreatePatternBrush( *(_t257 - 0x14)));
                                						 *(_t257 - 4) = 0;
                                						 *((intOrPtr*)(_t257 - 0x18)) = 0x138f588;
                                						E0127A27E(_t203, _t257 - 0x18, _t254, 0x138f588, __eflags);
                                					}
                                				} else {
                                					_t237 =  *((intOrPtr*)(_t256 + 0x16));
                                					 *(_t257 - 0xd) =  *(_t256 + 0x14);
                                					_t246 = _t237 & 0x000000ff;
                                					asm("cdq");
                                					_t247 =  *(_t256 + 0x15) & 0x000000ff;
                                					asm("cdq");
                                					_t245 =  *(_t257 - 0xd) & 0x000000ff;
                                					asm("cdq");
                                					E0127A097(_t203, _t203, _t245, _t254, CreateSolidBrush((((( *(_t256 + 0x1e) & 0x000000ff) - (_t237 & 0x000000ff) - _t246 >> 0x00000001) + _t237 & 0x000000ff) << 0x00000008 | (( *(_t256 + 0x1d) & 0x000000ff) - ( *(_t256 + 0x15) & 0x000000ff) - _t247 >> 0x00000001) + ( *(_t256 + 0x15) & 0x000000ff) & 0x000000ff) << 0x00000008 | (( *(_t256 + 0x1c) & 0x000000ff) - ( *(_t257 - 0xd) & 0x000000ff) - _t245 >> 0x00000001) +  *(_t257 - 0xd) & 0x000000ff));
                                				}
                                				L012A5469();
                                				_t103 = _t257 - 4;
                                				 *(_t257 - 4) =  *(_t257 - 4) | 0xffffffff;
                                				 *0x13d967c = 1;
                                				return L013696D9(L01279F40(_t203, _t257 - 0x2c, _t245, _t254, _t256,  *_t103));
                                 			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 0127EF3B
                                • GetSysColor.USER32 ref: 0127EF4A
                                • GetSysColor.USER32 ref: 0127EF57
                                • GetSysColor.USER32 ref: 0127EF6A
                                • GetSysColor.USER32 ref: 0127EF72
                                  • Part of subcall function 01279EEC: __EH_prolog3.LIBCMT ref: 01279EF3
                                  • Part of subcall function 01279EEC: GetWindowDC.USER32(00000000), ref: 01279F1F
                                • GetDeviceCaps.GDI32(?,0000000C), ref: 0127EF98
                                • GetSysColor.USER32 ref: 0127EFA6
                                • GetSysColor.USER32 ref: 0127EFB0
                                • GetSysColor.USER32 ref: 0127EFBA
                                • GetSysColor.USER32 ref: 0127EFC4
                                • GetSysColor.USER32 ref: 0127EFCE
                                • GetSysColor.USER32 ref: 0127EFD8
                                • GetSysColor.USER32 ref: 0127EFE2
                                • GetSysColor.USER32 ref: 0127EFE9
                                • GetSysColor.USER32 ref: 0127EFF0
                                • GetSysColor.USER32 ref: 0127EFF7
                                • GetSysColor.USER32 ref: 0127EFFE
                                • GetSysColor.USER32 ref: 0127F008
                                • GetSysColor.USER32 ref: 0127F00F
                                • GetSysColor.USER32 ref: 0127F016
                                • GetSysColor.USER32 ref: 0127F01D
                                • GetSysColor.USER32 ref: 0127F024
                                • GetSysColor.USER32 ref: 0127F02B
                                • GetSysColor.USER32 ref: 0127F035
                                • GetSysColor.USER32 ref: 0127F03F
                                • GetSysColor.USER32 ref: 0127F049
                                • GetSysColor.USER32 ref: 0127F053
                                • GetSysColor.USER32 ref: 0127F06D
                                • GetSysColorBrush.USER32(00000010), ref: 0127F088
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetSysColorBrush.USER32(00000014), ref: 0127F09F
                                • GetSysColorBrush.USER32(00000005), ref: 0127F0B1
                                  • Part of subcall function 0127A0F1: DeleteObject.GDI32(00000000), ref: 0127A100
                                • CreateSolidBrush.GDI32(?), ref: 0127F0D5
                                • CreateSolidBrush.GDI32(?), ref: 0127F0F1
                                • CreateSolidBrush.GDI32(?), ref: 0127F10D
                                • CreateSolidBrush.GDI32(?), ref: 0127F129
                                • CreateSolidBrush.GDI32(?), ref: 0127F145
                                • CreateSolidBrush.GDI32(?), ref: 0127F161
                                • CreateSolidBrush.GDI32(?), ref: 0127F17D
                                • CreatePen.GDI32(00000000,00000001), ref: 0127F1A6
                                • CreatePen.GDI32(00000000,00000001), ref: 0127F1C9
                                • CreatePen.GDI32(00000000,00000001), ref: 0127F1EC
                                  • Part of subcall function 0127DF8F: _memset.LIBCMT ref: 0127DFB4
                                  • Part of subcall function 0127DF8F: GetSysColor.USER32 ref: 0127DFFE
                                  • Part of subcall function 0127DF8F: CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 0127E051
                                • CreatePatternBrush.GDI32(00000000), ref: 0127F2B1
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                • CreateSolidBrush.GDI32(?), ref: 0127F270
                                  • Part of subcall function 01279F40: __EH_prolog3.LIBCMT ref: 01279F47
                                  • Part of subcall function 01279F40: ReleaseDC.USER32(?,00000000), ref: 01279F64
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Color$Create$Brush$Solid$H_prolog3$BitmapCapsDeleteDeviceException@8H_prolog3_catch_ObjectPatternReleaseThrowWindow_memset
                                • String ID:
                                • API String ID: 2483515963-0
                                • Opcode ID: 8b783f7afb3360fa5ed425e1f15b208d31594b68e02a2f1fc24d7fc4bf55fe05
                                • Instruction ID: f47ef73a4782fff9ff6a96cb508f1b1dd6ed8b3a125f9db1cb67962ac5c232bc
                                • Opcode Fuzzy Hash: 8b783f7afb3360fa5ed425e1f15b208d31594b68e02a2f1fc24d7fc4bf55fe05
                                • Instruction Fuzzy Hash: 90B18B70910B469FDB32AF75CC89BAFBAE4AF50300F04492DE29797690DE71A548CF21
                                Uniqueness

                                Uniqueness Score: 1.64%

                                C-Code - Quality: 93%
                                			E0129834E(void* __ebx, RECT* __ecx, signed int __edi, void* __esi, void* __eflags) {
                                				RECT* _t162;
                                				signed int _t174;
                                				signed int _t179;
                                				signed int _t184;
                                				struct HWND__* _t186;
                                				RECT* _t188;
                                				signed int _t189;
                                				signed int _t193;
                                				signed int _t195;
                                				signed int _t207;
                                				signed int _t212;
                                				RECT* _t218;
                                				RECT* _t221;
                                				signed int _t222;
                                				void* _t231;
                                				signed int _t239;
                                				void* _t250;
                                				signed int _t252;
                                				signed int _t261;
                                				signed short _t262;
                                				void* _t274;
                                				signed int _t280;
                                				signed int _t304;
                                				signed int _t305;
                                				void* _t323;
                                				signed int _t327;
                                				struct HWND__* _t328;
                                				RECT* _t331;
                                				void* _t333;
                                				void* _t336;
                                				void* _t339;
                                				void* _t342;
                                
                                				_t327 = __edi;
                                				_t281 = __ecx;
                                				_push(0x58);
                                				L0136966A(0x1380744, __ebx, __edi, __esi);
                                				_push( *(_t333 + 0x10));
                                				_t280 = __ecx;
                                				_push( *(_t333 + 0xc));
                                				 *(_t333 - 0x24) =  *((intOrPtr*)( *__ecx + 0x390))();
                                				_t162 =  *0x13d8404; // 0x0
                                				_t331 = 0;
                                				if(_t162 == __ecx) {
                                					L4:
                                					_t339 =  *0x13d83d4 - _t331; // 0x0
                                					if(_t339 != 0) {
                                						L7:
                                						if( *(_t333 - 0x24) >= _t331) {
                                							_t328 = L01293D66(_t280, __eflags,  *(_t333 - 0x24));
                                							__eflags = _t328 - _t331;
                                							if(_t328 == _t331) {
                                								goto L76;
                                							}
                                							 *((intOrPtr*)( *_t280 + 0x258))( *(_t333 - 0x24));
                                							 *0x13d83d8 = _t331;
                                							__eflags =  *0x13d8400 - _t331; // 0x0
                                							if(__eflags == 0) {
                                								L22:
                                								__eflags =  *0x13d83d4 - _t331; // 0x0
                                								if(__eflags != 0) {
                                									L24:
                                									__eflags =  *((intOrPtr*)(_t280 + 0xb04)) - _t331;
                                									if( *((intOrPtr*)(_t280 + 0xb04)) != _t331) {
                                										L66:
                                										 *(_t280 + 0xb78) =  *(_t333 - 0x24);
                                										L01293EC6(_t280, _t328,  *(_t333 - 0x24));
                                										__eflags =  *(_t328 + 0x24) & 0x00040000;
                                										if(( *(_t328 + 0x24) & 0x00040000) == 0) {
                                											L69:
                                											 *(_t328 + 0x24) =  *(_t328 + 0x24) | 0x00020000;
                                											L01295B3C(_t280, _t325,  *(_t333 - 0x24));
                                											UpdateWindow( *(_t280 + 0x20));
                                											 *((intOrPtr*)( *_t280 + 0x414))( *((intOrPtr*)(_t328 + 0x20)));
                                											_t287 = _t328;
                                											_t174 =  *((intOrPtr*)(_t328->i + 0x20))(_t280, _t331);
                                											__eflags = _t174;
                                											if(_t174 == 0) {
                                												 *((intOrPtr*)(_t280 + 0xc90)) = E01282D05(_t280, _t287, _t325, SetCapture( *(_t280 + 0x20)));
                                											} else {
                                												_t179 = L012E779D(_t280 + 0xbc8, _t328, _t331);
                                												__eflags = _t179;
                                												if(_t179 != 0) {
                                													_t146 = _t328 + 0x24;
                                													 *_t146 =  *(_t328 + 0x24) & 0xfffdffff;
                                													__eflags =  *_t146;
                                												}
                                												 *(_t280 + 0xb78) =  *(_t280 + 0xb78) | 0xffffffff;
                                												 *(_t280 + 0xb7c) =  *(_t280 + 0xb7c) | 0xffffffff;
                                												 *((intOrPtr*)( *_t280 + 0x3b0))(0xffffffff);
                                												_t287 = _t280;
                                												L01295B3C(_t280, _t325,  *(_t333 - 0x24));
                                												UpdateWindow( *(_t280 + 0x20));
                                											}
                                											L74:
                                											__eflags =  *0x13d83d8 - _t331; // 0x0
                                											if(__eflags != 0) {
                                												 *0x13d83d8 = _t331;
                                												 *0x13d8404 = _t331;
                                												E012962C7(_t287, _t325, _t331);
                                												RedrawWindow( *(_t280 + 0x20), _t331, _t331, 0x505);
                                											}
                                											goto L76;
                                										}
                                										_t184 = E012789AE(_t328, 0x13d1234);
                                										__eflags = _t184;
                                										if(_t184 != 0) {
                                											goto L69;
                                										}
                                										 *(_t280 + 0xb78) =  *(_t280 + 0xb78) | 0xffffffff;
                                										goto L76;
                                									}
                                									__eflags =  *((intOrPtr*)(_t280 + 0xb44)) - _t331;
                                									if( *((intOrPtr*)(_t280 + 0xb44)) != _t331) {
                                										goto L66;
                                									}
                                									_t326 =  *_t280;
                                									 *(_t333 - 0x28) =  *(_t280 + 0xb80);
                                									_t186 =  *(_t333 - 0x24);
                                									 *(_t280 + 0xb80) = _t186;
                                									 *(_t333 - 0x20) = _t331;
                                									 *(_t333 - 0x1c) = _t331;
                                									 *(_t333 - 0x18) = _t331;
                                									 *(_t333 - 0x14) = _t331;
                                									 *((intOrPtr*)( *_t280 + 0x36c))(_t186, _t333 - 0x20);
                                									__eflags =  *(_t333 - 0x28) - 0xffffffff;
                                									if(__eflags != 0) {
                                										L01295B3C(_t280, _t326,  *(_t333 - 0x28));
                                									}
                                									_t188 = L01293D66(_t280, __eflags,  *(_t280 + 0xb80));
                                									__eflags = _t188 - _t331;
                                									_t295 = 0 | __eflags != 0x00000000;
                                									 *(_t280 + 0xc98) = _t188;
                                									if(__eflags == 0) {
                                										_t188 = L01277AC9(_t295);
                                									}
                                									 *(_t280 + 0xb2c) =  *(_t333 + 8) & 0x00000008;
                                									_t325 = _t188->left;
                                									_t189 =  *((intOrPtr*)(_t188->left + 0x60))();
                                									__eflags = _t189;
                                									if(_t189 != 0) {
                                										L01295B3C(_t280, _t325,  *(_t333 - 0x24));
                                										UpdateWindow( *(_t280 + 0x20));
                                										_t193 =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x3c))();
                                										__eflags = _t193;
                                										if(_t193 == 0) {
                                											L39:
                                											_t287 =  *(_t280 + 0xc98);
                                											_t195 =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x50))();
                                											__eflags = _t195;
                                											if(_t195 == 0) {
                                												L65:
                                												 *(_t280 + 0xc98) = _t331;
                                												goto L74;
                                											}
                                											_t287 =  *(_t280 + 0xc98);
                                											__eflags =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x74))();
                                											if(__eflags == 0) {
                                												goto L65;
                                											}
                                											E012F8238(_t333 - 0x64, __eflags);
                                											_t325 = _t333 - 0x64;
                                											 *(_t333 - 4) = _t331;
                                											 *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0xc))(_t333 - 0x64);
                                											 *((intOrPtr*)( *_t280 + 0x414))( *((intOrPtr*)(_t328 + 0x20)));
                                											 *0x13d84a0 = _t331;
                                											_t328 =  *(_t280 + 0x20);
                                											 *(_t280 + 0xc80) =  *(_t333 + 0xc);
                                											 *(_t280 + 0xc84) =  *(_t333 + 0x10);
                                											__eflags =  *0x13d83d8 - _t331; // 0x0
                                											if(__eflags != 0) {
                                												 *0x13d83d4 = 1;
                                											}
                                											_push(0x13d8458);
                                											_push(_t333 - 0x20);
                                											_push(3);
                                											_t304 = _t333 - 0x64;
                                											 *(_t333 - 0x28) = E012F8597(_t280, _t304, _t328, _t331, __eflags);
                                											_t207 = IsWindow(_t328);
                                											__eflags = _t207;
                                											if(_t207 != 0) {
                                												 *(_t333 - 0x30) = _t331;
                                												 *(_t333 - 0x2c) = _t331;
                                												GetCursorPos(_t333 - 0x30);
                                												ScreenToClient( *(_t280 + 0x20), _t333 - 0x30);
                                												__eflags =  *0x13d84a0 - _t331; // 0x0
                                												if(__eflags == 0) {
                                													L63:
                                													_t212 =  *(_t333 - 0x24);
                                													_t325 =  *_t280;
                                													_t304 = _t280;
                                													 *(_t280 + 0xb7c) = _t212;
                                													 *((intOrPtr*)( *_t280 + 0x3b0))(_t212);
                                													L64:
                                													_t305 = _t304 | 0xffffffff;
                                													 *(_t280 + 0xc84) = _t305;
                                													 *(_t333 - 4) = _t305;
                                													_t287 = _t333 - 0x64;
                                													 *(_t280 + 0xc98) = _t331;
                                													 *(_t280 + 0xc80) = _t305;
                                													E012F8265(_t280, _t333 - 0x64, _t328, _t331, __eflags);
                                													goto L74;
                                												}
                                												_push( *(_t333 - 0x2c));
                                												__eflags = PtInRect(_t333 - 0x20,  *(_t333 - 0x30));
                                												if(__eflags != 0) {
                                													goto L63;
                                												}
                                												__eflags =  *(_t333 - 0x28) - 1;
                                												if( *(_t333 - 0x28) == 1) {
                                													L61:
                                													_t218 =  *(_t280 + 0xc98);
                                													__eflags = _t218 - _t331;
                                													if(__eflags != 0) {
                                														InvalidateRect( *(_t280 + 0x20), _t218 + 0x54, 1);
                                													}
                                													goto L64;
                                												}
                                												_t221 =  *(_t280 + 0xc98);
                                												__eflags = _t221 - _t331;
                                												if(_t221 == _t331) {
                                													goto L61;
                                												}
                                												__eflags =  *0x13d849c - _t331; // 0x0
                                												if(__eflags != 0) {
                                													goto L61;
                                												}
                                												_t325 =  *_t280;
                                												_t304 = _t280;
                                												_t222 =  *((intOrPtr*)( *_t280 + 0x37c))(_t221,  *(_t333 - 0x28));
                                												__eflags = _t222;
                                												if(_t222 == 0) {
                                													goto L61;
                                												}
                                												 *((intOrPtr*)( *_t280 + 0x34c))(L01293C10(_t280,  *(_t280 + 0xc98)));
                                												 *((intOrPtr*)( *_t280 + 0x3e0))();
                                												RedrawWindow( *(_t280 + 0x20), _t331, _t331, 0x505);
                                												_t309 = _t280;
                                												 *((intOrPtr*)( *_t280 + 0x2d4))(1);
                                												_t328 = GetParent;
                                												_t231 = E01282D05(_t280, _t280, _t325, GetParent( *(_t280 + 0x20)));
                                												__eflags = _t231 - _t331;
                                												if(_t231 != _t331) {
                                													__eflags =  *((intOrPtr*)(_t231 + 0x20)) - _t331;
                                													if( *((intOrPtr*)(_t231 + 0x20)) != _t331) {
                                														RedrawWindow( *(E01282D05(_t280, _t309, _t325, GetParent( *(_t280 + 0x20))) + 0x20), _t331, _t331, 0x505);
                                													}
                                												}
                                												__eflags =  *0x13d83d8 - _t331; // 0x0
                                												if(__eflags == 0) {
                                													_t309 = _t280;
                                													 *((intOrPtr*)( *_t280 + 0x208))();
                                													RedrawWindow( *(_t280 + 0x20), _t331, _t331, 0x505);
                                												}
                                												_t304 = E01282D05(_t280, _t309, _t325, GetParent( *(_t280 + 0x20)));
                                												__eflags = E012789AE(_t304, 0x139900c);
                                												if(__eflags != 0) {
                                													_t239 = E012789CC(0x13d0280, E01282D05(_t280, _t304, _t325, GetParent( *(E01282D05(_t280, _t304, _t325, GetParent( *(_t280 + 0x20))) + 0x20))));
                                													_pop(_t304);
                                													__eflags = _t239 - _t331;
                                													if(__eflags != 0) {
                                														_t325 =  *_t239;
                                														_t304 = _t239;
                                														 *((intOrPtr*)( *_t239 + 0x20c))();
                                													}
                                												}
                                												goto L64;
                                											} else {
                                												__eflags =  *0x13d83d8 - _t331; // 0x0
                                												if(__eflags != 0) {
                                													 *0x13d83d4 = _t331;
                                													 *0x13d83d8 = _t331;
                                													 *0x13d8404 = _t331;
                                												}
                                												 *(_t333 - 4) =  *(_t333 - 4) | 0xffffffff;
                                												E012F8265(_t280, _t333 - 0x64, _t328, _t331, __eflags);
                                												goto L76;
                                											}
                                										}
                                										_t250 = L0136B5DE(_t325,  *(_t333 + 0xc) -  *(_t333 - 0x18));
                                										__eflags = _t250 - 6;
                                										if(_t250 > 6) {
                                											goto L39;
                                										}
                                										__eflags =  *0x13d83d8 - _t331; // 0x0
                                										if(__eflags != 0) {
                                											goto L39;
                                										}
                                										_t287 =  *(_t280 + 0xc98);
                                										 *(_t280 + 0xb30) = 1;
                                										_t328 = _t280 + 0xc68;
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										_t252 =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x38))();
                                										__eflags = _t252;
                                										if(_t252 != 0) {
                                											InflateRect(_t280 + 0xc68, 2, 2);
                                										}
                                										 *((intOrPtr*)(_t280 + 0xc90)) = E01282D05(_t280, _t287, _t325, SetCapture( *(_t280 + 0x20)));
                                										SetCursor( *0x13d64d0);
                                										_t331 = 0;
                                										goto L74;
                                									} else {
                                										 *(_t280 + 0xb80) =  *(_t280 + 0xb80) | 0xffffffff;
                                										__eflags =  *(_t333 - 0x28) - 0xffffffff;
                                										 *(_t280 + 0xc98) = _t331;
                                										if( *(_t333 - 0x28) != 0xffffffff) {
                                											L01295B3C(_t280, _t325,  *(_t333 - 0x28));
                                										}
                                										goto L76;
                                									}
                                								}
                                								__eflags =  *0x13d83d8 - _t331; // 0x0
                                								if(__eflags == 0) {
                                									goto L66;
                                								}
                                								goto L24;
                                							}
                                							_t261 =  *((intOrPtr*)( *_t280 + 0x41c))();
                                							__eflags = _t261;
                                							if(_t261 == 0) {
                                								goto L22;
                                							}
                                							__eflags =  *0x13d83d4 - _t331; // 0x0
                                							if(__eflags != 0) {
                                								goto L24;
                                							}
                                							_t262 = GetAsyncKeyState(0x12);
                                							__eflags = 0x00008000 & _t262;
                                							if((0x00008000 & _t262) != 0) {
                                								 *0x13d83d8 = 1;
                                								_t28 = _t280 + 0xb7c;
                                								 *_t28 =  *(_t280 + 0xb7c) | 0xffffffff;
                                								__eflags =  *_t28;
                                								 *(_t280 + 0xb80) =  *(_t333 - 0x24);
                                								 *0x13d8404 = _t280;
                                							}
                                							goto L22;
                                						} else {
                                							_t328 = _t327 | 0xffffffff;
                                							 *(_t280 + 0xb78) = _t328;
                                							_t342 =  *0x13d83d4 - _t331; // 0x0
                                							if(_t342 != 0 &&  *((intOrPtr*)(_t280 + 0xb04)) == _t331) {
                                								_t319 =  *(_t280 + 0xb80);
                                								 *(_t280 + 0xb80) = _t328;
                                								if( *(_t280 + 0xb80) != _t328) {
                                									L01295B3C(_t280, _t325, _t319);
                                									UpdateWindow( *(_t280 + 0x20));
                                								}
                                								 *((intOrPtr*)( *_t280 + 0x3b0))(_t328);
                                							}
                                							if( *((intOrPtr*)( *_t280 + 0x1c8))() != 0) {
                                								SetCursor( *0x13d64dc);
                                							}
                                							E012E81E9(_t280,  *(_t333 + 8),  *(_t333 + 0xc),  *(_t333 + 0x10));
                                							L76:
                                							return L013696ED(_t280, _t328, _t331);
                                						}
                                					}
                                					L5:
                                					_t327 = GetParent;
                                					_t274 = E012789CC(0x139ada0, E01282D05(_t280, _t281, _t325, GetParent( *(_t280 + 0x20))));
                                					_pop(_t323);
                                					if(_t274 != 0) {
                                						E01286A6F(_t280, E01282D05(_t280, _t323, _t325, GetParent( *(_t280 + 0x20))), _t325);
                                					}
                                					goto L7;
                                				}
                                				_t336 =  *0x13d83d4 - _t331; // 0x0
                                				if(_t336 == 0) {
                                					goto L5;
                                				} else {
                                					_t281 = _t162;
                                					 *0x13d8404 = __ecx;
                                					if(_t281 != 0) {
                                						_t325 =  *(_t281 + 0xb80);
                                						 *(_t281 + 0xb80) =  *(_t281 + 0xb80) | 0xffffffff;
                                						L01295B3C(_t281,  *(_t281 + 0xb80),  *(_t281 + 0xb80));
                                					}
                                					goto L4;
                                				}
                                			}




































                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 01298355
                                • GetParent.USER32(?), ref: 012983B0
                                • GetParent.USER32(?), ref: 012983CC
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A84
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A93
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286AA9
                                  • Part of subcall function 01286A6F: SetFocus.USER32 ref: 01286ABF
                                • UpdateWindow.USER32 ref: 01298414
                                • SetCursor.USER32 ref: 01298439
                                  • Part of subcall function 012E81E9: MapWindowPoints.USER32 ref: 012E828D
                                  • Part of subcall function 012E81E9: SendMessageW.USER32(?,00000201,?,?), ref: 012E82AC
                                  • Part of subcall function 01293D66: PtInRect.USER32(?,?,?), ref: 01293DB9
                                • GetAsyncKeyState.USER32 ref: 0129849B
                                • UpdateWindow.USER32 ref: 012985A1
                                • InflateRect.USER32(?,00000002,00000002), ref: 01298601
                                • SetCapture.USER32(?), ref: 0129860A
                                • SetCursor.USER32(00000000), ref: 01298622
                                  • Part of subcall function 012F8597: __EH_prolog3_GS.LIBCMT ref: 012F859E
                                  • Part of subcall function 012F8597: CopyRect.USER32(?,?), ref: 012F85CC
                                  • Part of subcall function 012F8597: GetCursorPos.USER32(?), ref: 012F85DE
                                  • Part of subcall function 012F8597: SetRect.USER32(?,?,?,?,?), ref: 012F85F4
                                  • Part of subcall function 012F8597: IsRectEmpty.USER32 ref: 012F860F
                                  • Part of subcall function 012F8597: InflateRect.USER32(?,00000002,00000002), ref: 012F8621
                                  • Part of subcall function 012F8597: DoDragDrop.OLE32(00000000,00000000,?,00000000), ref: 012F8678
                                • IsWindow.USER32(?), ref: 012986C0
                                • GetCursorPos.USER32(?), ref: 012986FF
                                • ScreenToClient.USER32(?,?), ref: 0129870C
                                • PtInRect.USER32(?,?,?), ref: 01298728
                                • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 0129879C
                                • GetParent.USER32(?), ref: 012987B7
                                • GetParent.USER32(?), ref: 012987CB
                                • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 012987DD
                                • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 012987FF
                                • GetParent.USER32(?), ref: 01298808
                                • GetParent.USER32(?), ref: 01298823
                                • GetParent.USER32(?), ref: 0129882E
                                • InvalidateRect.USER32(?,?,00000001), ref: 01298866
                                  • Part of subcall function 012F8265: __EH_prolog3.LIBCMT ref: 012F826C
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 01295B3C: InvalidateRect.USER32(?,?,00000001), ref: 01295BB1
                                  • Part of subcall function 01295B3C: InflateRect.USER32(?,?,?), ref: 01295BF7
                                  • Part of subcall function 01295B3C: RedrawWindow.USER32(?,?,00000000,00000401), ref: 01295C0A
                                • UpdateWindow.USER32 ref: 012988FE
                                • UpdateWindow.USER32 ref: 0129895D
                                • SetCapture.USER32(?), ref: 01298968
                                  • Part of subcall function 012962C7: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 012963E5
                                • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 0129899E
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$ParentRect$Redraw$CursorUpdate$Inflate$CaptureH_prolog3_Invalidate$AsyncClientCopyDragDropEmptyException@8FocusH_prolog3MessagePointsScreenSendStateThrow
                                • String ID:
                                • API String ID: 2727045825-0
                                • Opcode ID: 6fecfe0697c066390efe104a366aa9e58a4c2e4330997da6079a9e6914a7b4a8
                                • Instruction ID: 8b4a560f15668f313b77fe5da700239490637ada18505d582ce5492da52a12d4
                                • Opcode Fuzzy Hash: 6fecfe0697c066390efe104a366aa9e58a4c2e4330997da6079a9e6914a7b4a8
                                • Instruction Fuzzy Hash: F0028370621205DFDF25AF68D888AAD7BB9FF49714F18017DE9099F2A9DB309804CF60
                                Uniqueness

                                Uniqueness Score: 10.55%

                                C-Code - Quality: 41%
                                			E012BCF18(intOrPtr* __ecx, void* __edx, void* __edi, RECT* _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				struct tagRECT _v72;
                                				struct tagRECT _v88;
                                				struct tagRECT _v104;
                                				struct tagRECT _v120;
                                				struct tagRECT _v136;
                                				struct tagRECT _v152;
                                				RECT* _v156;
                                				intOrPtr _v160;
                                				signed int _v164;
                                				signed int _v168;
                                				intOrPtr _v172;
                                				void* __ebx;
                                				void* __esi;
                                				signed int _t147;
                                				signed int _t157;
                                				long _t158;
                                				intOrPtr _t160;
                                				signed int _t203;
                                				intOrPtr* _t241;
                                				void* _t242;
                                				void* _t247;
                                				void* _t248;
                                				intOrPtr* _t255;
                                				void* _t268;
                                				void* _t282;
                                				long _t285;
                                				intOrPtr _t289;
                                				intOrPtr _t290;
                                				signed int _t297;
                                				void* _t310;
                                
                                				_t269 = __edi;
                                				_t268 = __edx;
                                				_t295 = _t297;
                                				_t147 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t147 ^ _t297;
                                				_t149 = _a4;
                                				_t241 = __ecx;
                                				_v156 = _a4;
                                				if( *((intOrPtr*)(__ecx + 0xfc0)) > 0) {
                                					_t149 = E012848D5(__ecx, __edi);
                                					_v160 = _t149;
                                					if(_t149 != 0 &&  *((intOrPtr*)(_t149 + 0x20)) != 0) {
                                						_push(__edi);
                                						_v168 = E01286862(__ecx) & 0x00400000;
                                						_v24.left = 0;
                                						_v24.top = 0;
                                						_v24.right = 0;
                                						_v24.bottom = 0;
                                						GetClientRect( *(__ecx + 0x20),  &_v24);
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						_t285 = 0;
                                						if(_v156 == 0) {
                                							L15:
                                							_v136.left = _t285;
                                							_v136.top = _t285;
                                							_v136.right = _t285;
                                							_v136.bottom = _t285;
                                							GetWindowRect( *(_t241 + 0x20),  &_v136);
                                							_t310 =  *0x13d088c - _t285; // 0x1
                                							if(_t310 != 0) {
                                								L17:
                                								_t157 =  *(_t241 + 0xfc0);
                                								_t71 = _t241 + 0xfc4; // 0xfc4
                                								_t247 = _t71;
                                								_v164 = _t157;
                                								 *(_t241 + 0xfc0) = _t285;
                                								if(_t247 != _t285 &&  *((intOrPtr*)(_t247 + 4)) != _t285) {
                                									_t157 = E0127A0F1(_t157, _t247);
                                								}
                                								_t75 = _t241 + 0xfcc; // 0xfcc
                                								_t248 = _t75;
                                								if(_t248 != _t285 &&  *((intOrPtr*)(_t248 + 4)) != _t285) {
                                									_t157 = E0127A0F1(_t157, _t248);
                                								}
                                								_t158 = _t157 | 0xffffffff;
                                								_v104.left = _t158;
                                								_v104.top = _t158;
                                								_v104.right = _t158;
                                								_v104.bottom = _t158;
                                								_v156 = 0x41c;
                                								_t160 =  *((intOrPtr*)( *_t241 + 0x1c0))();
                                								_v172 = _t160;
                                								 *(_t160 + 0xb68) = 1;
                                								if(_v168 == _t285) {
                                									_push(0x41e);
                                									_v156 = 0x41e;
                                									_push(_v24.bottom - _v24.top - _v164);
                                									_push(_v24.right - _v24.left - _v164);
                                									_push(0xffffffff);
                                									_push(0xffffffff);
                                								} else {
                                									GetWindowRect( *(_t241 + 0x20),  &_v104);
                                									_t203 = _v164;
                                									_push(0x41c);
                                									_push(_v24.bottom - _v24.top - _t203);
                                									_push(_v24.right - _v24.left - _t203);
                                									_push(_v104.top);
                                									_push(_v104.left + _t203);
                                								}
                                								_push(_t285);
                                								E01286A31(_t241);
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								if(IsRectEmpty( &_v56) == 0) {
                                									_t290 = _v160;
                                									MapWindowPoints( *(_t241 + 0x20),  *(_t290 + 0x20),  &_v120, 2);
                                									RedrawWindow( *(_t290 + 0x20),  &_v120, 0, 0x185);
                                								}
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								if(IsRectEmpty( &_v88) == 0 && EqualRect( &_v56,  &_v88) == 0) {
                                									_t289 = _v160;
                                									MapWindowPoints( *(_t241 + 0x20),  *(_t289 + 0x20),  &_v120, 2);
                                									RedrawWindow( *(_t289 + 0x20),  &_v120, 0, 0x185);
                                								}
                                								UpdateWindow( *(_v160 + 0x20));
                                								_push(_v156);
                                								_push(_v24.bottom - _v24.top);
                                								 *(_t241 + 0xfc0) = _v164;
                                								_push(_v24.right - _v24.left);
                                								_t255 = _t241;
                                								if(_v168 == 0) {
                                									_push(0xffffffff);
                                									_push(0xffffffff);
                                								} else {
                                									_push(_v104.top);
                                									_push(_v104.left);
                                								}
                                								_push(0);
                                								E01286A31(_t255);
                                								if(IsRectEmpty( &_v56) == 0) {
                                									InvalidateRect( *(_t241 + 0x20),  &_v56, 1);
                                								}
                                								if(IsRectEmpty( &_v88) == 0 && EqualRect( &_v56,  &_v88) == 0) {
                                									InvalidateRect( *(_t241 + 0x20),  &_v88, 1);
                                								}
                                								UpdateWindow( *(_t241 + 0x20));
                                								 *(_v172 + 0xb68) =  *(_v172 + 0xb68) & 0x00000000;
                                							} else {
                                								_v40.left = _t285;
                                								_v40.top = _t285;
                                								_v40.right = _t285;
                                								_v40.bottom = _t285;
                                								GetWindowRect( *(_v160 + 0x20),  &_v40);
                                								_v72.left = _t285;
                                								_v72.top = _t285;
                                								_v72.right = _t285;
                                								_v72.bottom = _t285;
                                								UnionRect( &_v72,  &_v136,  &_v40);
                                								if(EqualRect( &_v72,  &_v40) != 0) {
                                									goto L17;
                                								}
                                							}
                                						} else {
                                							CopyRect( &_v40, _v156);
                                							L01279BD6(_t241,  &_v40);
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							if(_v168 == 0) {
                                								_v72.left = _v24.right -  *(_t241 + 0xfc0) - 1;
                                							} else {
                                								_t28 =  *(_t241 + 0xfc0) + 1; // 0x1
                                								_v72.right = _v24.left + _t28;
                                							}
                                							if(IntersectRect( &_v56,  &_v40,  &_v72) == 0) {
                                								SetRectEmpty( &_v56);
                                							}
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							_v152.top = _v24.bottom -  *(_t241 + 0xfc0) - 1;
                                							if(IntersectRect( &_v88,  &_v40,  &_v152) == 0) {
                                								SetRectEmpty( &_v88);
                                							}
                                							if(IsRectEmpty( &_v56) == 0 || IsRectEmpty( &_v88) == 0) {
                                								_t285 = 0;
                                								goto L15;
                                							}
                                						}
                                						_pop(_t269);
                                					}
                                				}
                                				_pop(_t282);
                                				_pop(_t242);
                                				return L01367D3E(_t149, _t242, _v8 ^ _t295, _t268, _t269, _t282);
                                			}






































                                APIs
                                • GetClientRect.USER32 ref: 012BCF8A
                                • CopyRect.USER32(?,?), ref: 012BCFBC
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                • IntersectRect.USER32(?,?,?), ref: 012BD00B
                                • SetRectEmpty.USER32 ref: 012BD019
                                • IntersectRect.USER32(?,?,?), ref: 012BD04B
                                • SetRectEmpty.USER32 ref: 012BD059
                                • IsRectEmpty.USER32 ref: 012BD069
                                • IsRectEmpty.USER32 ref: 012BD073
                                • GetWindowRect.USER32 ref: 012BD09E
                                • GetWindowRect.USER32 ref: 012BD0C1
                                • UnionRect.USER32(?,?,?), ref: 012BD0DE
                                • EqualRect.USER32 ref: 012BD0EC
                                • UpdateWindow.USER32 ref: 012BD309
                                  • Part of subcall function 0127A0F1: DeleteObject.GDI32(00000000), ref: 0127A100
                                • GetWindowRect.USER32 ref: 012BD177
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                • IsRectEmpty.USER32 ref: 012BD1E1
                                • MapWindowPoints.USER32 ref: 012BD1FE
                                • RedrawWindow.USER32(?,?,00000000,00000185), ref: 012BD212
                                • IsRectEmpty.USER32 ref: 012BD22C
                                • EqualRect.USER32 ref: 012BD23A
                                • MapWindowPoints.USER32 ref: 012BD257
                                • RedrawWindow.USER32(?,?,00000000,00000185), ref: 012BD26B
                                • UpdateWindow.USER32 ref: 012BD280
                                • IsRectEmpty.USER32 ref: 012BD2C4
                                • InvalidateRect.USER32(?,?,00000001), ref: 012BD2D9
                                • IsRectEmpty.USER32 ref: 012BD2DF
                                • EqualRect.USER32 ref: 012BD2F1
                                • InvalidateRect.USER32(?,?,00000001), ref: 012BD304
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01286862: GetWindowLongW.USER32(?,000000EC), ref: 0128686D
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Window$Empty$ClientEqual$ExceptionFilterIntersectInvalidatePointsProcessRedrawScreenUnhandledUpdate$CopyCurrentDebuggerDeleteLongObjectPresentTerminateUnion
                                • String ID:
                                • API String ID: 204189844-0
                                • Opcode ID: e8eec3b1e88ebe8c5bb276e2cc7c88de58eb9450b8bca94cbb573cae02968854
                                • Instruction ID: f7ff90493f77922a73d154f88dc1a2444594042dc3c317c22812fcc8088b26f3
                                • Opcode Fuzzy Hash: e8eec3b1e88ebe8c5bb276e2cc7c88de58eb9450b8bca94cbb573cae02968854
                                • Instruction Fuzzy Hash: 1FD1077291121E9FDF21DFA8C984AEEBBB9FF08304F10416AE909E7145D771AA45CF60
                                Uniqueness

                                Uniqueness Score: 2.38%

                                C-Code - Quality: 87%
                                			E012E4722(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr* _t218;
                                				intOrPtr _t228;
                                				struct HDC__* _t234;
                                				struct HDC__* _t237;
                                				int _t238;
                                				int _t250;
                                				void* _t252;
                                				int _t253;
                                				void* _t254;
                                				void* _t258;
                                				long _t266;
                                				long _t267;
                                				void* _t274;
                                				void* _t280;
                                				void* _t281;
                                				void* _t285;
                                				intOrPtr _t292;
                                				int _t302;
                                				signed int _t308;
                                				intOrPtr _t313;
                                				void _t315;
                                				int* _t319;
                                				int* _t320;
                                				intOrPtr* _t321;
                                				int _t325;
                                				void* _t331;
                                				void* _t339;
                                				long long _t342;
                                
                                				_t318 = __edi;
                                				_t310 = __edx;
                                				_push(0x84);
                                				_t209 = L01369601(0x13833de, __ebx, __edi, __esi);
                                				_t280 = __ecx;
                                				_t325 = 0;
                                				if( *((intOrPtr*)(__ecx + 0x24)) != 0) {
                                					L14:
                                					return L013696D9(_t209);
                                				} else {
                                					asm("fld1");
                                					_t342 = st0;
                                					asm("fucomp st2");
                                					asm("fnstsw ax");
                                					st1 = _t342;
                                					if((_t209 & 0x00000044) != 0) {
                                						st0 = _t342;
                                					} else {
                                						_t308 =  *(__ecx + 0xa8);
                                						 *((long long*)(__ecx + 0xb0)) = _t342;
                                						 *((intOrPtr*)(__ecx + 8)) = 0;
                                						if(_t308 != 0xffffffff) {
                                							 *(__ecx + 0xa8) =  *(__ecx + 0xa8) | 0xffffffff;
                                							 *(__ecx + 0xa4) = _t308;
                                						}
                                						 *(_t331 - 0x30) = _t325;
                                						 *(_t331 - 0x2c) = _t325;
                                						 *(_t331 - 0x28) = _t325;
                                						 *(_t331 - 0x24) = _t325;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						 *((intOrPtr*)(_t280 + 0x50)) =  *((intOrPtr*)(_t280 + 0x58));
                                						 *((intOrPtr*)(_t280 + 0x54)) =  *((intOrPtr*)(_t280 + 0x5c));
                                						 *(_t331 - 0x30) = 0;
                                						 *(_t331 - 0x2c) = 0;
                                						 *(_t331 - 0x28) = 0;
                                						 *(_t331 - 0x24) = 0;
                                						_t318 = _t280 + 0x78;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						 *((intOrPtr*)(_t280 + 0x58)) = 0;
                                						 *((intOrPtr*)(_t280 + 0x5c)) = 0;
                                						 *((intOrPtr*)(_t280 + 0x60)) = 0;
                                						 *((intOrPtr*)(_t280 + 0x64)) = 0;
                                						_t325 = 0;
                                					}
                                					_t209 = _t280 + 0x88;
                                					if( *(_t280 + 0x88) == _t325) {
                                						L9:
                                						L012DFCEB(_t280);
                                						_t339 =  *0x13d9ca4 - _t325; // 0x0
                                						if(_t339 != 0) {
                                							_push( *((intOrPtr*)(_t280 + 0x50)));
                                							_push(_t280 + 0x88);
                                							L012E0E08(_t280, _t318, _t325, _t339);
                                						}
                                						_t319 = _t280 + 0x8c;
                                						E0127AA90(_t319);
                                						 *_t319 = _t325;
                                						_t320 = _t280 + 0x90;
                                						E0127AA90(_t320);
                                						 *_t320 = _t325;
                                						_t340 =  *((intOrPtr*)(_t280 + 0x2c)) - _t325;
                                						if( *((intOrPtr*)(_t280 + 0x2c)) != _t325) {
                                							_push( *((intOrPtr*)(_t280 + 0xc)));
                                							E012E09E4(_t280, _t280, _t310, _t320, _t325, _t340, _t342);
                                						}
                                						_t209 =  *0x13d6400; // 0xa0a0a0
                                						 *(_t280 + 0xac) = _t209;
                                						goto L14;
                                					} else {
                                						_t338 =  *((intOrPtr*)(_t280 + 0x14)) - _t325;
                                						if( *((intOrPtr*)(_t280 + 0x14)) == _t325) {
                                							__eflags =  *((intOrPtr*)(_t280 + 0xc4)) - _t325;
                                							if( *((intOrPtr*)(_t280 + 0xc4)) == _t325) {
                                								goto L14;
                                							} else {
                                								E0127AA90(_t209);
                                								_t285 =  *(_t280 + 0xbc);
                                								_t218 =  *((intOrPtr*)(_t280 + 0xd8));
                                								__eflags = _t285 - _t325;
                                								if(_t285 == _t325) {
                                									goto L9;
                                								} else {
                                									_t318 = SelectObject;
                                									while(1) {
                                										_t218 - _t325 = (_t218 != _t325) - _t325;
                                										if(_t218 != _t325 == _t325) {
                                											break;
                                										}
                                										_t315 =  *_t285;
                                										_t285 =  *(_t285 + 8);
                                										 *(_t331 - 0x4c) = _t315;
                                										__eflags = 0 - _t285;
                                										asm("sbb edx, edx");
                                										if(0 == _t285) {
                                											break;
                                										} else {
                                											_t310 =  *_t218;
                                											 *((intOrPtr*)(_t331 - 0x5c)) =  *_t218;
                                											 *(_t331 - 0x20) =  *(_t218 + 8);
                                											 *(_t331 - 0x54) = _t325;
                                											 *((intOrPtr*)(_t331 - 0x58)) = 0x139ac58;
                                											 *(_t331 - 0x1c) = _t285 & 0x0000ffff;
                                											 *(_t331 - 4) = _t325;
                                											_t237 = L012E2A27(_t280, _t331 - 0x58,  *_t218, _t285 & 0x0000ffff,  *(_t218 + 8));
                                											__eflags = _t237;
                                											if(_t237 == 0) {
                                												L23:
                                												_t238 = 0x2000;
                                												__eflags =  *((intOrPtr*)(_t280 + 0x30)) - _t325;
                                												if( *((intOrPtr*)(_t280 + 0x30)) != _t325) {
                                													__eflags =  *0x13d6570 - _t325; // 0x0
                                													if(__eflags == 0) {
                                														__eflags =  *0x13d656c - _t325; // 0x0
                                														if(__eflags == 0) {
                                															_t238 = 0x3000;
                                														}
                                													}
                                												}
                                												 *(_t331 - 0x10) = LoadImageW( *(_t331 - 0x20),  *(_t331 - 0x1c), _t325, _t325, _t325, _t238);
                                											} else {
                                												_t274 = E0127A0C5(_t280, _t331 - 0x58, _t310);
                                												 *(_t331 - 0x10) = _t274;
                                												__eflags = _t274 - _t325;
                                												if(_t274 == _t325) {
                                													goto L23;
                                												}
                                											}
                                											GetObjectW( *(_t331 - 0x10), 0x18, _t331 - 0x78);
                                											__eflags =  *(_t331 - 0x66) - 0x20;
                                											 *(_t280 + 8) =  *(_t331 - 0x66) & 0x0000ffff;
                                											if( *(_t331 - 0x66) < 0x20) {
                                												__eflags =  *(_t331 - 0x66) - 8;
                                												if( *(_t331 - 0x66) <= 8) {
                                													L32:
                                													__eflags =  *0x13d656c - _t325; // 0x0
                                													if(__eflags != 0) {
                                														goto L33;
                                													}
                                												} else {
                                													__eflags =  *((intOrPtr*)(_t280 + 0x30)) - _t325;
                                													if( *((intOrPtr*)(_t280 + 0x30)) != _t325) {
                                														L33:
                                														__eflags =  *(_t331 - 0x10) - _t325;
                                														if(__eflags != 0) {
                                															L0127976C(_t331 - 0x48);
                                															 *(_t331 - 4) = 1;
                                															L01279DC3(_t280, _t331 - 0x48, _t310, _t318, CreateCompatibleDC(_t325));
                                															_t250 = GetObjectW( *(_t331 - 0x10), 0x18, _t331 - 0x90);
                                															__eflags = _t250;
                                															if(_t250 != 0) {
                                																_t252 = SelectObject( *(_t331 - 0x44),  *(_t331 - 0x10));
                                																 *(_t331 - 0x20) = _t252;
                                																__eflags = _t252 - _t325;
                                																if(_t252 != _t325) {
                                																	_t302 =  *(_t331 - 0x88);
                                																	_t253 =  *(_t331 - 0x8c);
                                																	 *(_t331 - 0x34) = _t253;
                                																	 *(_t331 - 0x38) = _t302;
                                																	_t254 = CreateCompatibleBitmap( *(_t331 - 0x44), _t253, _t302);
                                																	 *(_t331 - 0x1c) = _t254;
                                																	__eflags = _t254 - _t325;
                                																	if(_t254 != _t325) {
                                																		L0127976C(_t331 - 0x30);
                                																		 *(_t331 - 4) = 2;
                                																		L01279DC3(_t280, _t331 - 0x30, _t310, _t318, CreateCompatibleDC( *(_t331 - 0x44)));
                                																		_t258 = SelectObject( *(_t331 - 0x2c),  *(_t331 - 0x1c));
                                																		 *(_t331 - 0x50) = _t258;
                                																		__eflags = _t258 - _t325;
                                																		if(_t258 != _t325) {
                                																			BitBlt( *(_t331 - 0x2c), _t325, _t325,  *(_t331 - 0x34),  *(_t331 - 0x38),  *(_t331 - 0x44), _t325, _t325, 0xcc0020);
                                																			 *(_t331 - 0x14) = _t325;
                                																			__eflags =  *(_t331 - 0x34) - _t325;
                                																			if( *(_t331 - 0x34) > _t325) {
                                																				do {
                                																					 *(_t331 - 0x18) = _t325;
                                																					__eflags =  *(_t331 - 0x38) - _t325;
                                																					if( *(_t331 - 0x38) > _t325) {
                                																						do {
                                																							_t266 = GetPixel( *(_t331 - 0x2c),  *(_t331 - 0x14),  *(_t331 - 0x18));
                                																							__eflags =  *((short*)(_t331 - 0x7e)) - 0x18;
                                																							 *(_t331 - 0x60) = _t266;
                                																							if( *((short*)(_t331 - 0x7e)) != 0x18) {
                                																								L45:
                                																								_t267 = L012DFD24(_t280, _t318, _t325, _t266, _t325);
                                																							} else {
                                																								__eflags =  *0x13d1028 - _t325; // 0x1
                                																								if(__eflags != 0) {
                                																									goto L45;
                                																								} else {
                                																									_t267 = L012DFDA6(_t310, __eflags, _t266);
                                																								}
                                																							}
                                																							__eflags =  *(_t331 - 0x60) - _t267;
                                																							if( *(_t331 - 0x60) != _t267) {
                                																								SetPixel( *(_t331 - 0x2c),  *(_t331 - 0x14),  *(_t331 - 0x18), _t267);
                                																							}
                                																							 *(_t331 - 0x18) =  *(_t331 - 0x18) + 1;
                                																							__eflags =  *(_t331 - 0x18) -  *(_t331 - 0x38);
                                																						} while ( *(_t331 - 0x18) <  *(_t331 - 0x38));
                                																					}
                                																					 *(_t331 - 0x14) =  *(_t331 - 0x14) + 1;
                                																					__eflags =  *(_t331 - 0x14) -  *(_t331 - 0x34);
                                																				} while ( *(_t331 - 0x14) <  *(_t331 - 0x34));
                                																			}
                                																			SelectObject( *(_t331 - 0x2c),  *(_t331 - 0x50));
                                																			SelectObject( *(_t331 - 0x44),  *(_t331 - 0x20));
                                																			DeleteObject( *(_t331 - 0x10));
                                																			 *(_t331 - 0x10) =  *(_t331 - 0x1c);
                                																		} else {
                                																			SelectObject( *(_t331 - 0x44),  *(_t331 - 0x20));
                                																			DeleteObject( *(_t331 - 0x1c));
                                																		}
                                																		 *(_t331 - 4) = 1;
                                																		L01279E44(_t331 - 0x30);
                                																	} else {
                                																		SelectObject( *(_t331 - 0x44),  *(_t331 - 0x20));
                                																	}
                                																}
                                															}
                                															 *(_t331 - 4) = 0;
                                															L01279E44(_t331 - 0x48);
                                														}
                                													} else {
                                														goto L32;
                                													}
                                												}
                                											} else {
                                												L012DFECD(_t280, _t310, _t318, _t325,  *(_t331 - 0x10),  *((intOrPtr*)(_t280 + 0x38)));
                                											}
                                											_push(_t325);
                                											_push( *(_t331 - 0x10));
                                											L012E4C8E(_t280, _t280, _t318, _t325, __eflags, _t342);
                                											DeleteObject( *(_t331 - 0x10));
                                											 *(_t331 - 4) =  *(_t331 - 4) | 0xffffffff;
                                											 *((intOrPtr*)(_t331 - 0x58)) = 0x138f588;
                                											E0127A27E(_t280, _t331 - 0x58, _t318, _t325, __eflags);
                                											__eflags =  *(_t331 - 0x4c) - _t325;
                                											if( *(_t331 - 0x4c) != _t325) {
                                												_t218 =  *((intOrPtr*)(_t331 - 0x5c));
                                												_t285 =  *(_t331 - 0x4c);
                                												continue;
                                											} else {
                                												goto L9;
                                											}
                                										}
                                										goto L63;
                                									}
                                									L01277AC9(_t285);
                                									asm("int3");
                                									_push(0x14);
                                									L01369601(0x138344d, _t280, _t318, _t325);
                                									_t281 = _t285;
                                									 *(_t331 - 0x10) = _t281;
                                									 *_t281 = 0x139ac48;
                                									L0127976C(_t281 + 0x40);
                                									 *((intOrPtr*)(_t281 + 0x50)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x54)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x58)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x5c)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x60)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x64)) = 0;
                                									_t321 = _t281 + 0x68;
                                									 *_t321 = 0;
                                									 *((intOrPtr*)(_t321 + 4)) = 0;
                                									 *((intOrPtr*)(_t321 + 8)) = 0;
                                									 *((intOrPtr*)(_t321 + 0xc)) = 0;
                                									 *(_t331 - 4) = 0;
                                									 *((intOrPtr*)(_t281 + 0x78)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x7c)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x80)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x84)) = 0;
                                									E01272410(_t281 + 0x94, E0127859A());
                                									 *((intOrPtr*)(_t281 + 0x9c)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x98)) = 0x138f588;
                                									L012950BC(_t281 + 0xb8, 0xa);
                                									L012DFFA9(_t281 + 0xd4, 0xa);
                                									_t290 = _t281 + 0xf0;
                                									L012950EF(_t281 + 0xf0, 0xa);
                                									 *(_t331 - 4) = 5;
                                									 *((intOrPtr*)(_t281 + 0x18)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x20)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x24)) = 0;
                                									 *((intOrPtr*)(_t281 + 4)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x2c)) = 0;
                                									 *((intOrPtr*)(_t281 + 0xc)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x88)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x8c)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x90)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x14)) = 0;
                                									__eflags =  *0x13d9ce4; // 0x1
                                									if(__eflags != 0) {
                                										_t292 = 1;
                                										__eflags = 1;
                                									} else {
                                										 *0x13d9ca8 = CreateCompatibleDC(0);
                                										_t234 = CreateCompatibleDC(0);
                                										 *0x13d9cac = _t234;
                                										__eflags =  *0x13d9ca8; // 0x0
                                										if(__eflags == 0) {
                                											L59:
                                											L012796BD(_t290);
                                										} else {
                                											__eflags = _t234;
                                											if(_t234 == 0) {
                                												goto L59;
                                											}
                                										}
                                										_t292 = 1;
                                										 *0x13d9ce4 = 1;
                                									}
                                									 *(_t331 - 0x20) = 0;
                                									asm("fld1");
                                									 *(_t331 - 0x1c) = 0;
                                									 *((long long*)(_t281 + 0xb0)) = _t342;
                                									 *(_t331 - 0x18) = 0;
                                									 *(_t331 - 0x14) = 0;
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									 *(_t281 + 0xa4) =  *(_t281 + 0xa4) | 0xffffffff;
                                									 *(_t281 + 0xa8) =  *(_t281 + 0xa8) | 0xffffffff;
                                									asm("movsd");
                                									_t228 = 0x10;
                                									 *((intOrPtr*)(_t281 + 0x50)) = _t228;
                                									 *(_t331 - 0x20) = 0;
                                									 *(_t331 - 0x1c) = 0;
                                									 *(_t331 - 0x18) = 0;
                                									 *(_t331 - 0x14) = 0;
                                									asm("movsd");
                                									asm("movsd");
                                									_t313 = 0xf;
                                									asm("movsd");
                                									 *((intOrPtr*)(_t281 + 0x54)) = _t313;
                                									__eflags = 0;
                                									 *((intOrPtr*)(_t281 + 0x30)) = _t292;
                                									 *((intOrPtr*)(_t281 + 0x3c)) = _t292;
                                									 *((intOrPtr*)(_t281 + 0x58)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x5c)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x60)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x64)) = 0;
                                									asm("movsd");
                                									 *((intOrPtr*)(_t281 + 0x1c)) = 0;
                                									 *((intOrPtr*)(_t281 + 0xa0)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x28)) = 0;
                                									 *((intOrPtr*)(_t281 + 8)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x10)) = 0x82;
                                									 *((intOrPtr*)(_t281 + 0x34)) = 0;
                                									 *((intOrPtr*)(_t281 + 0x38)) = 0;
                                									E012E4722(_t281, _t281, 0, _t281 + 0x78, _t331 - 0x20, 0);
                                									return L013696D9(_t281);
                                								}
                                							}
                                						} else {
                                							_push(_t325);
                                							_push( *((intOrPtr*)(_t280 + 0x94)));
                                							L012E4221(_t280, _t280, _t310, _t318, _t325, _t338);
                                							goto L9;
                                						}
                                					}
                                				}
                                				L63:
                                			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012E472C
                                  • Part of subcall function 012DFCEB: GetObjectW.GDI32(?,00000018,012B3FA6), ref: 012DFD0D
                                  • Part of subcall function 0127AA90: DeleteObject.GDI32 ref: 0127AAA9
                                  • Part of subcall function 012E09E4: __EH_prolog3_GS.LIBCMT ref: 012E09EE
                                  • Part of subcall function 012E09E4: CreateCompatibleDC.GDI32(00000000), ref: 012E0A23
                                  • Part of subcall function 012E09E4: GetObjectW.GDI32(?,00000018,?), ref: 012E0A44
                                  • Part of subcall function 012E09E4: SelectObject.GDI32(?,?), ref: 012E0A96
                                  • Part of subcall function 012E09E4: CreateCompatibleDC.GDI32(?), ref: 012E0AC3
                                  • Part of subcall function 012E09E4: CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 012E0B2B
                                  • Part of subcall function 012E09E4: SelectObject.GDI32(?,?), ref: 012E0B47
                                  • Part of subcall function 012E09E4: SelectObject.GDI32(?,00000000), ref: 012E0B64
                                  • Part of subcall function 012E09E4: SelectObject.GDI32(?,?), ref: 012E0B7C
                                  • Part of subcall function 012E09E4: DeleteObject.GDI32(?), ref: 012E0B84
                                  • Part of subcall function 012E09E4: BitBlt.GDI32(?,00000000,00000000,?,000000FF,?,00000000,00000000,00CC0020), ref: 012E0BAD
                                  • Part of subcall function 012E09E4: GetObjectW.GDI32(?,00000054,?), ref: 012E0BE3
                                  • Part of subcall function 012E09E4: SelectObject.GDI32(?,?), ref: 012E0DD8
                                  • Part of subcall function 012E09E4: SelectObject.GDI32(?,?), ref: 012E0DE6
                                  • Part of subcall function 012E09E4: DeleteObject.GDI32(?), ref: 012E0DEE
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • __EH_prolog3.LIBCMT ref: 012E4B01
                                  • Part of subcall function 012E4722: LoadImageW.USER32 ref: 012E48EE
                                  • Part of subcall function 012E4722: GetObjectW.GDI32(00000082,00000018,?), ref: 012E4900
                                  • Part of subcall function 012E4722: CreateCompatibleDC.GDI32(00000000), ref: 012E4952
                                  • Part of subcall function 012E4722: GetObjectW.GDI32(00000082,00000018,?), ref: 012E496D
                                  • Part of subcall function 012E4722: SelectObject.GDI32(?,00000082), ref: 012E4981
                                  • Part of subcall function 012E4722: CreateCompatibleBitmap.GDI32(?,?,?), ref: 012E49A5
                                  • Part of subcall function 012E4722: SelectObject.GDI32(?,00000000), ref: 012E49B8
                                  • Part of subcall function 012E4722: CreateCompatibleDC.GDI32(?), ref: 012E49CE
                                  • Part of subcall function 012E4722: SelectObject.GDI32(?,?), ref: 012E49E3
                                  • Part of subcall function 012E4722: SelectObject.GDI32(?,00000000), ref: 012E49F2
                                  • Part of subcall function 012E4722: DeleteObject.GDI32(?), ref: 012E49F7
                                  • Part of subcall function 012E4722: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 012E4A17
                                  • Part of subcall function 012E4722: GetPixel.GDI32(?,?,?), ref: 012E4A36
                                  • Part of subcall function 012E4722: SetPixel.GDI32(?,?,?,00000000), ref: 012E4A6C
                                  • Part of subcall function 012E4722: SelectObject.GDI32(?,?), ref: 012E4A8E
                                  • Part of subcall function 012E4722: SelectObject.GDI32(?,00000000), ref: 012E4A96
                                  • Part of subcall function 012E4722: DeleteObject.GDI32(00000082), ref: 012E4A9B
                                  • Part of subcall function 012E4722: DeleteObject.GDI32(00000082), ref: 012E4ACD
                                  • Part of subcall function 012E4722: CreateCompatibleDC.GDI32(00000000), ref: 012E4BCC
                                  • Part of subcall function 012E4722: CreateCompatibleDC.GDI32(00000000), ref: 012E4BD8
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Object$Select$Create$Compatible$Delete$H_prolog3Pixel$BitmapException@8H_prolog3_ImageLoadSectionThrow
                                • String ID:
                                • API String ID: 1228394960-3916222277
                                • Opcode ID: 140d47cc206c06713804bb068238029599250046d660a39d1393ff2618503927
                                • Instruction ID: ccb8e49fc0317eb98b0c26f4877f4768a13aa02ac0318756acea0679cf0e358d
                                • Opcode Fuzzy Hash: 140d47cc206c06713804bb068238029599250046d660a39d1393ff2618503927
                                • Instruction Fuzzy Hash: 1C025970D2025ADFCF15EFA8D884AAEBBB5FF08710F50416AE905EB25AD7704945CFA0
                                Uniqueness

                                Uniqueness Score: 1.25%

                                C-Code - Quality: 78%
                                			E012825CD(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				struct tagRECT _v76;
                                				char _v96;
                                				signed int _v100;
                                				intOrPtr _v104;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t70;
                                				signed int _t72;
                                				struct tagMONITORINFO* _t73;
                                				struct HMONITOR__* _t103;
                                				void* _t108;
                                				struct HMONITOR__* _t109;
                                				signed int _t117;
                                				struct tagMONITORINFO* _t118;
                                				intOrPtr _t119;
                                				struct tagMONITORINFO* _t120;
                                				long _t121;
                                				long _t126;
                                				void* _t130;
                                				intOrPtr _t131;
                                				struct HWND__* _t132;
                                				void* _t134;
                                				struct tagMONITORINFO* _t136;
                                				struct tagMONITORINFO* _t140;
                                				signed int _t144;
                                
                                				_t130 = __edx;
                                				_t70 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t70 ^ _t144;
                                				_t119 = _a4;
                                				_t131 = __ecx;
                                				_v104 = __ecx;
                                				_t72 = E01286848(__ecx);
                                				_t136 = 0;
                                				_v100 = _t72;
                                				if(_t119 == 0) {
                                					if((_t72 & 0x40000000) == 0) {
                                						_t73 = GetWindow( *(__ecx + 0x20), 4);
                                					} else {
                                						_t73 = GetParent( *(__ecx + 0x20));
                                					}
                                					_t120 = _t73;
                                					if(_t120 != _t136) {
                                						_t118 = SendMessageW(_t120, 0x36b, _t136, _t136);
                                						if(_t118 != _t136) {
                                							_t120 = _t118;
                                						}
                                					}
                                				} else {
                                					_t5 = _t119 + 0x20; // 0x1276293
                                					_t120 =  *_t5;
                                				}
                                				_v56.left = _t136;
                                				_v56.top = _t136;
                                				_v56.right = _t136;
                                				_v56.bottom = _t136;
                                				GetWindowRect( *(_t131 + 0x20),  &_v56);
                                				_v24.left = _t136;
                                				_v24.top = _t136;
                                				_v24.right = _t136;
                                				_v24.bottom = _t136;
                                				_v40.left = _t136;
                                				_v40.top = _t136;
                                				_v40.right = _t136;
                                				_v40.bottom = _t136;
                                				if((_v100 & 0x40000000) != 0) {
                                					_t132 = GetParent( *(_t131 + 0x20));
                                					GetClientRect(_t132,  &_v24);
                                					GetClientRect(_t120,  &_v40);
                                					MapWindowPoints(_t120, _t132,  &_v40, 2);
                                				} else {
                                					if(_t120 != _t136) {
                                						_t117 = GetWindowLongW(_t120, 0xfffffff0);
                                						if((_t117 & 0x10000000) == 0 || (_t117 & 0x20000000) != 0) {
                                							_t120 = 0;
                                						}
                                					}
                                					_v96 = 0x28;
                                					if(_t120 != _t136) {
                                						GetWindowRect(_t120,  &_v40);
                                						_t103 =  &_v96;
                                						__imp__MonitorFromWindow(2, _t103);
                                						GetMonitorInfoW(_t103, _t120);
                                						CopyRect( &_v24,  &_v76);
                                					} else {
                                						_t108 = E01274D2D();
                                						if(_t108 != _t136) {
                                							_t136 =  *(_t108 + 0x20);
                                						}
                                						_t109 =  &_v96;
                                						__imp__MonitorFromWindow(1, _t109);
                                						GetMonitorInfoW(_t109, _t136);
                                						CopyRect( &_v40,  &_v76);
                                						CopyRect( &_v24,  &_v76);
                                					}
                                				}
                                				_t121 = _v56.left;
                                				asm("cdq");
                                				_t134 = _v56.right - _t121;
                                				asm("cdq");
                                				_t126 = (_v40.right + _v40.left - _t130 >> 1) - (_t134 - _t130 >> 1);
                                				_t135 = _t134 + _t126;
                                				_v100 = _v56.bottom - _v56.top;
                                				asm("cdq");
                                				asm("cdq");
                                				_t140 = (_v40.top + _v40.bottom - _t130 >> 1) - (_v100 - _t130 >> 1);
                                				if(_t134 + _t126 > _v24.right) {
                                					_t126 = _t121;
                                				}
                                				if(_t126 < _v24.left) {
                                					_t126 = _v24.left;
                                				}
                                				if(_t140 + _v100 > _v24.bottom) {
                                					_t140 = _v56.top - _v56.bottom + _v24.bottom;
                                				}
                                				if(_t140 < _v24.top) {
                                					_t140 = _v24.top;
                                				}
                                				return L01367D3E(E01286A31(_v104, 0, _t126, _t140, 0xffffffff, 0xffffffff, 0x15), _t121, _v8 ^ _t144, _t130, _t135, _t140);
                                			}

                                APIs
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                • GetParent.USER32(?), ref: 01282607
                                • GetWindow.USER32(?,00000004), ref: 01282614
                                • SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 01282628
                                • GetWindowRect.USER32 ref: 01282647
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 01282679
                                • MonitorFromWindow.USER32(00000000,00000001), ref: 012826AD
                                • GetMonitorInfoW.USER32(00000000), ref: 012826B4
                                • CopyRect.USER32(?,?), ref: 012826C8
                                • CopyRect.USER32(?,?), ref: 012826D2
                                • GetWindowRect.USER32 ref: 012826DB
                                • MonitorFromWindow.USER32(00000000,00000002), ref: 012826E8
                                • GetMonitorInfoW.USER32(00000000), ref: 012826EF
                                • CopyRect.USER32(?,?), ref: 012826FD
                                • GetParent.USER32(?), ref: 01282708
                                • GetClientRect.USER32 ref: 0128271B
                                • GetClientRect.USER32 ref: 01282722
                                • MapWindowPoints.USER32 ref: 0128272C
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Rect$Monitor$Copy$ClientExceptionFilterFromInfoLongParentProcessUnhandled$CurrentDebuggerMessagePointsPresentSendTerminate
                                • String ID: (
                                • API String ID: 3112532154-3887548279
                                • Opcode ID: 5a11797a558c659e74930a9781707995d7f52d6be1b08ccb5a7c542df73f18ec
                                • Instruction ID: 4f22c8f2e85769969d24841c2ef1502e4d4886780fb234b69ab109b24b0faee8
                                • Opcode Fuzzy Hash: 5a11797a558c659e74930a9781707995d7f52d6be1b08ccb5a7c542df73f18ec
                                • Instruction Fuzzy Hash: 506119B1911229EFDB15EFA8D9889EEBBB9FF08714F145116F505F3284C770A904CBA0
                                Uniqueness

                                Uniqueness Score: 1.59%

                                C-Code - Quality: 74%
                                			E01274240(void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                				signed int _v8;
                                				char _v508;
                                				intOrPtr _v512;
                                				intOrPtr _v516;
                                				intOrPtr _v520;
                                				intOrPtr _v524;
                                				char _v528;
                                				char _v4620;
                                				char _v4624;
                                				void* _v4628;
                                				unsigned int _v4632;
                                				void* _v4636;
                                				int _v4640;
                                				void* _v4644;
                                				void* __ebx;
                                				void* __esi;
                                				signed int _t42;
                                				void* _t49;
                                				unsigned int _t52;
                                				char _t53;
                                				intOrPtr _t54;
                                				char* _t57;
                                				void* _t61;
                                				intOrPtr _t76;
                                				intOrPtr _t77;
                                				char _t83;
                                				signed int _t87;
                                				void* _t89;
                                				long _t90;
                                				signed int _t91;
                                				void* _t92;
                                				void* _t93;
                                				void* _t95;
                                
                                				_t86 = __edi;
                                				E01368890(0x1220);
                                				_t42 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t42 ^ _t91;
                                				_t88 = _a4;
                                				_v4624 = 0;
                                				L01367D50( &_v4620, 0, 0xffc);
                                				_v4640 = 0;
                                				E01271680(0, __edi, _a4, L"Original input list: %s\n", _a4);
                                				_t89 = L01367CE9(_t88);
                                				_v4628 = _t89;
                                				L01369505(_t89);
                                				_t49 = E01271680(0, __edi, _t89, L"Input list of process to be killed: %s\n", _t89);
                                				_t93 = _t92 + 0x24;
                                				_push( &_v4640);
                                				_push(0x1000);
                                				_t82 =  &_v4624;
                                				_push( &_v4624);
                                				L0137E280();
                                				if(_t49 != 0) {
                                					_t52 = _v4640 >> 2;
                                					_push(__edi);
                                					_t87 = 0;
                                					_v4632 = _t52;
                                					if(_t52 <= 0) {
                                						L14:
                                						_push(_t89);
                                					} else {
                                						do {
                                							_t90 =  *(_t91 + _t87 * 4 - 0x120c);
                                							if(_t90 == 0) {
                                								goto L12;
                                							} else {
                                								_t83 = L"nown>"; // 0x6f006e
                                								_t53 = L"<unknown>"; // 0x75003c
                                								_t76 = M0138E41C; // 0x6b006e
                                								_v520 = _t83;
                                								_v528 = _t53;
                                								_t54 =  *0x138e424; // 0x6e0077
                                								_v524 = _t76;
                                								_t77 =  *0x138e428; // 0x3e
                                								_t82 =  &_v508;
                                								_v516 = _t54;
                                								_v512 = _t77;
                                								L01367D50( &_v508, 0, 0x1f4);
                                								_t93 = _t93 + 0xc;
                                								_t89 = OpenProcess(0x411, 0, _t90);
                                								if(_t89 == 0) {
                                									L11:
                                									_t52 = _v4632;
                                									goto L12;
                                								} else {
                                									_t57 =  &_v4644;
                                									_push(_t57);
                                									_push(4);
                                									_push( &_v4636);
                                									_push(_t89);
                                									_v4636 = 0;
                                									_v4644 = 0;
                                									L0137E27A();
                                									if(_t57 != 0) {
                                										_push(0x104);
                                										_push( &_v528);
                                										_push(_v4636);
                                										_push(_t89);
                                										L0137E274();
                                									}
                                									_push( *(_t91 + _t87 * 4 - 0x120c));
                                									E01271680(0, _t87, _t89, L"%s  (PID: %u)\n",  &_v528);
                                									L01369505( &_v528);
                                									_t82 = _v4628;
                                									_t61 = L013692EB(_v4628,  &_v528);
                                									_t93 = _t93 + 0x18;
                                									if(_t61 == 0) {
                                										L10:
                                										CloseHandle(_t89);
                                										goto L11;
                                									} else {
                                										E01271680(0, _t87, _t89, L"Found %s\n",  &_v528);
                                										_t95 = _t93 + 8;
                                										if(TerminateProcess(_t89, 0) != 0) {
                                											_t82 =  &_v528;
                                											E01271680(0, _t87, _t89, L"Terminated %s\n",  &_v528);
                                											_t93 = _t95 + 8;
                                											CloseHandle(_t89);
                                											_push(_v4628);
                                										} else {
                                											E01271680(0, _t87, _t89, L"Failed to terminate %s\n",  &_v528);
                                											_t93 = _t95 + 8;
                                											goto L10;
                                										}
                                									}
                                								}
                                							}
                                							goto L15;
                                							L12:
                                							_t87 = _t87 + 1;
                                						} while (_t87 < _t52);
                                						_t89 = _v4628;
                                						goto L14;
                                					}
                                					L15:
                                					_t49 = L01367A0B();
                                					_pop(_t86);
                                				}
                                				return L01367D3E(_t49, 0, _v8 ^ _t91, _t82, _t86, _t89);
                                			}

                                APIs
                                • _memset.LIBCMT ref: 01274271
                                  • Part of subcall function 01271680: _memset.LIBCMT ref: 012716A9
                                  • Part of subcall function 01271680: __swprintf.LIBCMT ref: 012716BA
                                  • Part of subcall function 01271680: __vswprintf.LIBCMT ref: 012716CF
                                  • Part of subcall function 01271680: OutputDebugStringW.KERNEL32(?), ref: 012716DE
                                • __wcsdup.LIBCMT ref: 01274288
                                  • Part of subcall function 01367CE9: _wcslen.LIBCMT ref: 01367CFF
                                  • Part of subcall function 01367CE9: _calloc.LIBCMT ref: 01367D0A
                                  • Part of subcall function 01367CE9: __invoke_watson.LIBCMT ref: 01367D32
                                  • Part of subcall function 01369505: __wcsupr_s_l.LIBCMT ref: 01369560
                                • EnumProcesses.PSAPI(?,00001000,?), ref: 012742BC
                                • _memset.LIBCMT ref: 01274346
                                • OpenProcess.KERNEL32(00000411,00000000,?,?,00001000,?), ref: 01274355
                                • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 01274382
                                • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 0127439F
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000004,?), ref: 012743F9
                                • CloseHandle.KERNEL32(00000000), ref: 01274418
                                • _free.LIBCMT ref: 01274434
                                  • Part of subcall function 01367A0B: HeapFree.KERNEL32(00000000,00000000), ref: 01367A21
                                  • Part of subcall function 01367A0B: GetLastError.KERNEL32(00000000,?,0136E429,00000000,?,01369B20,013695F6,?,?,01274776,?,?,?,01277D41,0000000C,00000004), ref: 01367A33
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                • CloseHandle.KERNEL32(00000000), ref: 01274462
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Process$_memset$CloseEnumExceptionFilterHandleTerminateUnhandled$BaseCurrentDebugDebuggerErrorFreeHeapLastModuleModulesNameOpenOutputPresentProcessesString__invoke_watson__swprintf__vswprintf__wcsdup__wcsupr_s_l_calloc_free_wcslen
                                • String ID: %s (PID: %u)$<unknown>$Failed to terminate %s$Found %s$Input list of process to be killed: %s$Original input list: %s$Terminated %s
                                • API String ID: 1455510789-266562846
                                • Opcode ID: 725eca3fbd6b2b1c51e9cb24320d326ab5f8592e4c4eea32b4990a09c7b9ea6a
                                • Instruction ID: bae4b32dec29fe0a642ee7f28c1e68f2e087b4b5b91c003470df9c131224b07d
                                • Opcode Fuzzy Hash: 725eca3fbd6b2b1c51e9cb24320d326ab5f8592e4c4eea32b4990a09c7b9ea6a
                                • Instruction Fuzzy Hash: CF5183B5951229AFDB20EF69DC859EE73BCEF18348F0445E8E518A3205D7705E908FA1
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 77%
                                			E012E09E4(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed long long __fp0) {
                                				void* _t149;
                                				signed int _t155;
                                				void* _t158;
                                				void* _t159;
                                				unsigned int _t161;
                                				intOrPtr _t164;
                                				void* _t165;
                                				signed int _t175;
                                				intOrPtr _t177;
                                				void* _t186;
                                				signed char _t188;
                                				signed int _t200;
                                				void* _t209;
                                				signed int _t217;
                                				short _t240;
                                				int _t247;
                                				signed char* _t250;
                                				void* _t251;
                                				long long* _t252;
                                				signed long long _t259;
                                				signed long long _t263;
                                
                                				_t259 = __fp0;
                                				_t244 = __edi;
                                				_t237 = __edx;
                                				_push(0xfc);
                                				L0136966A(0x1383096, __ebx, __edi, __esi);
                                				_t209 = __ecx;
                                				_t247 = 0;
                                				 *((intOrPtr*)(__ecx + 0x2c)) = 1;
                                				 *((intOrPtr*)(__ecx + 0xc)) =  *((intOrPtr*)(_t251 + 8));
                                				if( *((intOrPtr*)(__ecx + 0x88)) == 0 ||  *0x13d6594 <= 8) {
                                					L4:
                                					return L013696ED(_t209, _t244, _t247);
                                				} else {
                                					L0127976C(_t251 - 0xb8);
                                					 *(_t251 - 4) = 0;
                                					L01279DC3(__ecx, _t251 - 0xb8, __edx, __edi, CreateCompatibleDC(0));
                                					if(GetObjectW( *(_t209 + 0x88), 0x18, _t251 - 0x108) != 0) {
                                						_t244 = SelectObject;
                                						 *(_t251 - 0x94) =  *(_t251 - 0x104);
                                						 *(_t251 - 0xa4) =  *(_t251 - 0x100);
                                						_t149 =  *(_t209 + 0x88);
                                						__eflags = _t149;
                                						if(_t149 == 0) {
                                							 *(_t251 - 0x9c) = 0;
                                						} else {
                                							 *(_t251 - 0x9c) = SelectObject( *(_t251 - 0xb4), _t149);
                                						}
                                						__eflags =  *(_t251 - 0x9c) - _t247;
                                						if( *(_t251 - 0x9c) == _t247) {
                                							goto L3;
                                						} else {
                                							L0127976C(_t251 - 0xc8);
                                							 *(_t251 - 4) = 1;
                                							L01279DC3(_t209, _t251 - 0xc8, _t237, _t244, CreateCompatibleDC( *(_t251 - 0xb4)));
                                							_t155 =  *(_t251 - 0x94);
                                							_t217 =  *(_t251 - 0xa4);
                                							 *((short*)(_t251 - 0x30)) = 1;
                                							_t240 = 0x20;
                                							 *(_t251 - 0x38) = _t155;
                                							 *(_t251 - 0x34) = _t217;
                                							 *(_t251 - 0x3c) = 0x28;
                                							 *((short*)(_t251 - 0x2e)) = _t240;
                                							 *(_t251 - 0x2c) = _t247;
                                							 *(_t251 - 0x28) = _t217 * _t155;
                                							 *(_t251 - 0x24) = _t247;
                                							 *(_t251 - 0x20) = _t247;
                                							 *(_t251 - 0x1c) = _t247;
                                							 *(_t251 - 0x18) = _t247;
                                							 *(_t251 - 0xd4) = _t247;
                                							_t158 = CreateDIBSection( *(_t251 - 0xc4), _t251 - 0x3c, _t247, _t251 - 0xd4, _t247, _t247);
                                							 *(_t251 - 0xa0) = _t158;
                                							__eflags = _t158 - _t247;
                                							if(_t158 != _t247) {
                                								_t159 = SelectObject( *(_t251 - 0xc4), _t158);
                                								 *(_t251 - 0xd8) = _t159;
                                								__eflags = _t159 - _t247;
                                								if(_t159 != _t247) {
                                									BitBlt( *(_t251 - 0xc4), _t247, _t247,  *(_t251 - 0x94),  *(_t251 - 0xa4),  *(_t251 - 0xb4), _t247, _t247, 0xcc0020);
                                									_t161 =  *(_t209 + 0xc);
                                									 *(_t251 - 0x98) = 0x82;
                                									__eflags = _t161 - _t247;
                                									if(_t161 > _t247) {
                                										 *(_t251 - 0x98) = _t161;
                                									}
                                									__eflags =  *((intOrPtr*)(_t209 + 8)) - 0x20;
                                									if( *((intOrPtr*)(_t209 + 8)) != 0x20) {
                                										E012FC185(_t251 - 0xd0, _t251 - 0xc8);
                                										_t164 =  *((intOrPtr*)(_t209 + 0xa4));
                                										 *(_t251 - 4) = 2;
                                										__eflags = _t164 - 0xffffffff;
                                										if(__eflags == 0) {
                                											_t164 =  *0x13d63fc; // 0xf0f0f0
                                										}
                                										_push(0xffffffff);
                                										_push(_t164);
                                										_push( *(_t251 - 0x98));
                                										 *(_t251 - 0xe0) =  *(_t251 - 0x94);
                                										 *(_t251 - 0xe8) = _t247;
                                										 *(_t251 - 0xe4) = _t247;
                                										 *(_t251 - 0xdc) =  *(_t251 - 0xa4);
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										_t165 = L012FD559(_t209, _t251 - 0xd0, _t240, _t252 - 0x10, _t251 - 0xe8, __eflags, _t259);
                                										 *(_t251 - 4) = 1;
                                										L012FC19C(_t165, _t251 - 0xd0);
                                										_t244 = SelectObject;
                                										goto L28;
                                									} else {
                                										_t175 = GetObjectW( *(_t251 - 0xa0), 0x54, _t251 - 0x90);
                                										__eflags = _t175;
                                										if(_t175 == 0) {
                                											L11:
                                											 *(_t251 - 4) = 0;
                                											L01279E44(_t251 - 0xc8);
                                											goto L3;
                                										}
                                										__eflags =  *((short*)(_t251 - 0x7e)) - 0x20;
                                										if( *((short*)(_t251 - 0x7e)) != 0x20) {
                                											goto L11;
                                										}
                                										_t177 =  *((intOrPtr*)(_t251 - 0x7c));
                                										__eflags = _t177 - _t247;
                                										if(_t177 != _t247) {
                                											 *(_t251 - 0x94) = _t247;
                                											__eflags =  *(_t251 - 0x88) *  *(_t251 - 0x8c);
                                											if( *(_t251 - 0x88) *  *(_t251 - 0x8c) <= 0) {
                                												L28:
                                												SelectObject( *(_t251 - 0xc4),  *(_t251 - 0xd8));
                                												SelectObject( *(_t251 - 0xb4),  *(_t251 - 0x9c));
                                												DeleteObject( *(_t209 + 0x88));
                                												 *(_t209 + 0x88) =  *(_t251 - 0xa0);
                                												_t247 = 1;
                                												goto L20;
                                											}
                                											asm("fild dword [ebp-0x98]");
                                											_t250 = _t177 + 1;
                                											 *(_t251 - 0xa8) = _t259 *  *0x139ac28;
                                											do {
                                												_t186 = L012FC6B9((( *(_t250 - 1) & 0x000000ff) << 0x00000008 |  *_t250 & 0x000000ff) << 0x00000008 | _t250[1] & 0x000000ff, _t251 - 0xf0, _t251 - 0xe0, _t251 - 0xd0);
                                												_t252 = _t252 - 0x30;
                                												 *(_t252 + 0x28) =  *(_t251 - 0xa8);
                                												 *(_t252 + 0x20) =  *(_t251 - 0xa8);
                                												_t263 =  *(_t251 - 0xa8);
                                												 *(_t252 + 0x18) = _t263;
                                												asm("fldz");
                                												 *(_t252 + 0x10) = _t263;
                                												 *((long long*)(_t252 + 8)) =  *((long long*)(_t251 - 0xd0));
                                												 *_t252 =  *((long long*)(_t251 - 0xf0));
                                												_push(L012FC48D(_t186));
                                												_t188 = E012FC26C(_t250[1] & 0x000000ff);
                                												 *(_t251 - 0x98) = _t188;
                                												asm("cdq");
                                												_t250[1] = (_t188 & 0x000000ff) * (_t250[2] & 0x000000ff) / 0xff;
                                												asm("cdq");
                                												 *_t250 = ( *(_t251 - 0x98) >> 0x00000008 & 0x000000ff) * (_t250[2] & 0x000000ff) / 0xff;
                                												_t200 = ( *(_t251 - 0x98) >> 0x00000010 & 0x000000ff) * (_t250[2] & 0x000000ff);
                                												asm("cdq");
                                												 *(_t251 - 0x94) =  *(_t251 - 0x94) + 1;
                                												_t250 =  &(_t250[4]);
                                												 *((char*)(_t250 - 5)) = _t200 / 0xff;
                                												__eflags =  *(_t251 - 0x94) -  *(_t251 - 0x88) *  *(_t251 - 0x8c);
                                											} while ( *(_t251 - 0x94) <  *(_t251 - 0x88) *  *(_t251 - 0x8c));
                                											goto L28;
                                										}
                                										L20:
                                										 *(_t251 - 4) = 0;
                                										L01279E44(_t251 - 0xc8);
                                										 *(_t251 - 4) =  *(_t251 - 4) | 0xffffffff;
                                										L01279E44(_t251 - 0xb8);
                                										goto L4;
                                									}
                                								}
                                								SelectObject( *(_t251 - 0xb4),  *(_t251 - 0x9c));
                                								DeleteObject( *(_t251 - 0xa0));
                                								goto L11;
                                							}
                                							SelectObject( *(_t251 - 0xb4),  *(_t251 - 0x9c));
                                							goto L11;
                                						}
                                					}
                                					L3:
                                					 *(_t251 - 4) =  *(_t251 - 4) | 0xffffffff;
                                					L01279E44(_t251 - 0xb8);
                                					goto L4;
                                				}
                                			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012E09EE
                                • CreateCompatibleDC.GDI32(00000000), ref: 012E0A23
                                • GetObjectW.GDI32(?,00000018,?), ref: 012E0A44
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                • SelectObject.GDI32(?,?), ref: 012E0A96
                                • CreateCompatibleDC.GDI32(?), ref: 012E0AC3
                                • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 012E0B2B
                                • SelectObject.GDI32(?,?), ref: 012E0B47
                                • SelectObject.GDI32(?,00000000), ref: 012E0B64
                                • SelectObject.GDI32(?,?), ref: 012E0B7C
                                • DeleteObject.GDI32(?), ref: 012E0B84
                                • BitBlt.GDI32(?,00000000,00000000,?,000000FF,?,00000000,00000000,00CC0020), ref: 012E0BAD
                                • GetObjectW.GDI32(?,00000054,?), ref: 012E0BE3
                                • SelectObject.GDI32(?,?), ref: 012E0DD8
                                • SelectObject.GDI32(?,?), ref: 012E0DE6
                                • DeleteObject.GDI32(?), ref: 012E0DEE
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Object$Select$CreateDelete$Compatible$H_prolog3_Section
                                • String ID: $(
                                • API String ID: 3135011285-55695022
                                • Opcode ID: 4b267b01f7da51c5132325034fd1899209986f9a9131f3afa2a2e5424cfe6806
                                • Instruction ID: 30a2076b0067e03523a2482fc5651efb0351e1e1ca033e7495afcd19b72b8511
                                • Opcode Fuzzy Hash: 4b267b01f7da51c5132325034fd1899209986f9a9131f3afa2a2e5424cfe6806
                                • Instruction Fuzzy Hash: 06C15970910229DFDF21DF64CC84BEDBBB9AF09300F4081EAE68DA6251DB704A85CF60
                                Uniqueness

                                Uniqueness Score: 2.98%

                                C-Code - Quality: 93%
                                			E01284F19(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t52;
                                				void _t59;
                                				long _t61;
                                				void* _t67;
                                				void* _t68;
                                				void* _t70;
                                				signed int _t76;
                                				int _t78;
                                				signed int _t81;
                                				int _t85;
                                				void* _t93;
                                				void* _t96;
                                				void* _t98;
                                				long _t100;
                                				signed int _t101;
                                				WCHAR* _t103;
                                				intOrPtr _t104;
                                				void* _t106;
                                				void* _t109;
                                
                                				_t109 = __eflags;
                                				_t96 = __edx;
                                				_push(0x248);
                                				L0136966A(0x137fb1d, __ebx, __edi, __esi);
                                				_t100 =  *(_t106 + 0x10);
                                				_t85 =  *(_t106 + 0xc);
                                				_push(E01276293);
                                				 *(_t106 - 0x21c) = _t100;
                                				_t98 = E0127B362(_t85, 0x13d6118, __edi, _t100, _t109);
                                				if((0 | _t98 != 0x00000000) == 0) {
                                					L01277AC9(0x13d6118);
                                				}
                                				if( *(_t106 + 8) == 3) {
                                					_t101 =  *(_t98 + 0x14);
                                					 *(_t106 - 0x214) =  *_t100;
                                					_t52 =  *(E012792EF(_t85, _t98, _t101, __eflags) + 0x14) & 0x000000ff;
                                					 *(_t106 - 0x218) = _t52;
                                					__eflags = _t101;
                                					if(__eflags != 0) {
                                						L01279339(_t106 - 0x224, __eflags,  *((intOrPtr*)(_t101 + 0x1c)));
                                						 *(_t106 - 4) =  *(_t106 - 4) & 0x00000000;
                                						E01282D52(_t101, _t96, _t85);
                                						 *((intOrPtr*)( *_t101 + 0x50))();
                                						 *(_t106 - 0x214) =  *((intOrPtr*)( *_t101 + 0xfc))();
                                						_t59 = SetWindowLongW(_t85, 0xfffffffc, 0x1283b14);
                                						__eflags = _t59 - 0x1283b14;
                                						if(_t59 != 0x1283b14) {
                                							 *( *(_t106 - 0x214)) = _t59;
                                						}
                                						 *(_t98 + 0x14) =  *(_t98 + 0x14) & 0x00000000;
                                						 *(_t106 - 4) =  *(_t106 - 4) | 0xffffffff;
                                						E01278A71(_t59, _t106 - 0x224);
                                						L20:
                                						_t61 = CallNextHookEx( *(_t98 + 0x28), 3, _t85,  *(_t106 - 0x21c));
                                						__eflags =  *(_t106 - 0x218);
                                						_t100 = _t61;
                                						if( *(_t106 - 0x218) != 0) {
                                							UnhookWindowsHookEx( *(_t98 + 0x28));
                                							_t43 = _t98 + 0x28;
                                							 *_t43 =  *(_t98 + 0x28) & 0x00000000;
                                							__eflags =  *_t43;
                                						}
                                						goto L23;
                                					}
                                					_t93 =  *(_t106 - 0x214);
                                					__eflags =  *(_t93 + 0x20) & 0x40000000;
                                					if(( *(_t93 + 0x20) & 0x40000000) != 0) {
                                						goto L20;
                                					}
                                					__eflags = _t52;
                                					if(_t52 != 0) {
                                						goto L20;
                                					}
                                					__eflags =  *0x13d8034 - _t101; // 0x0
                                					if(__eflags != 0) {
                                						L9:
                                						__eflags = (GetClassLongW(_t85, 0xffffffe0) & 0x0000ffff) -  *0x13d8034; // 0x0
                                						if(__eflags != 0) {
                                							L16:
                                							_t67 = GetWindowLongW(_t85, 0xfffffffc);
                                							 *(_t106 - 0x214) = _t67;
                                							__eflags = _t67;
                                							if(_t67 != 0) {
                                								_t103 = L"AfxOldWndProc423";
                                								_t68 = GetPropW(_t85, _t103);
                                								__eflags = _t68;
                                								if(_t68 == 0) {
                                									SetPropW(_t85, _t103,  *(_t106 - 0x214));
                                									_t70 = GetPropW(_t85, _t103);
                                									__eflags = _t70 -  *(_t106 - 0x214);
                                									if(_t70 ==  *(_t106 - 0x214)) {
                                										GlobalAddAtomW(_t103);
                                										SetWindowLongW(_t85, 0xfffffffc, E01284DB2);
                                									}
                                								}
                                							}
                                							goto L20;
                                						}
                                						goto L20;
                                					}
                                					_t104 = 0x30;
                                					L01367D50(_t106 - 0x254, _t52, _t104);
                                					 *((intOrPtr*)(_t106 - 0x254)) = _t104;
                                					_push(_t106 - 0x254);
                                					_t105 = L"#32768";
                                					_push(L"#32768");
                                					_push(0);
                                					_t76 = L01281C50(_t93, L"#32768", __eflags);
                                					 *0x13d8034 = _t76;
                                					__eflags = _t76;
                                					if(_t76 == 0) {
                                						_t78 = GetClassNameW(_t85, _t106 - 0x210, 0x100);
                                						__eflags = _t78;
                                						if(_t78 == 0) {
                                							goto L16;
                                						}
                                						 *((short*)(_t106 - 0x12)) = 0;
                                						_t81 = L0136B709(_t106 - 0x210, _t105);
                                						__eflags = _t81;
                                						if(_t81 == 0) {
                                							goto L20;
                                						}
                                						goto L16;
                                					}
                                					goto L9;
                                				} else {
                                					CallNextHookEx( *(_t98 + 0x28),  *(_t106 + 8), _t85, _t100);
                                					L23:
                                					return L013696ED(_t85, _t98, _t100);
                                				}
                                			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 01284F23
                                  • Part of subcall function 0127B362: __EH_prolog3.LIBCMT ref: 0127B369
                                • CallNextHookEx.USER32 ref: 01284F63
                                • _memset.LIBCMT ref: 01284FBC
                                  • Part of subcall function 01281C50: ActivateActCtx.KERNEL32(?,?), ref: 01281C70
                                  • Part of subcall function 01281C50: GetClassInfoExW.USER32 ref: 01281C8D
                                • GetClassLongW.USER32 ref: 01284FF0
                                  • Part of subcall function 01279339: ActivateActCtx.KERNEL32(?), ref: 0127935C
                                • SetWindowLongW.USER32 ref: 01285045
                                  • Part of subcall function 01278A71: DeactivateActCtx.KERNEL32(00000000), ref: 01278A7B
                                • GetClassNameW.USER32(?,?,00000100), ref: 0128507C
                                • GetWindowLongW.USER32(?,000000FC), ref: 012850A2
                                • GetPropW.USER32(?,AfxOldWndProc423), ref: 012850B9
                                • SetPropW.USER32(?,AfxOldWndProc423,?), ref: 012850CB
                                • GetPropW.USER32(?,AfxOldWndProc423), ref: 012850D3
                                • GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 012850E2
                                • SetWindowLongW.USER32 ref: 012850F0
                                • CallNextHookEx.USER32 ref: 01285102
                                • UnhookWindowsHookEx.USER32(?), ref: 01285116
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Long$ClassHookPropWindow$ActivateCallNext$AtomDeactivateException@8GlobalH_prolog3H_prolog3_InfoNameThrowUnhookWindows_memset
                                • String ID: #32768$AfxOldWndProc423
                                • API String ID: 3556505459-2141921550
                                • Opcode ID: b09a7dfb2688143a1cfe4910cbe757c00a23a98f5b1e3f059c9defc9ca3ce477
                                • Instruction ID: 17d315ec0b386d73441c905476290208564aea5f1b7c8b18689c780bd3780c2a
                                • Opcode Fuzzy Hash: b09a7dfb2688143a1cfe4910cbe757c00a23a98f5b1e3f059c9defc9ca3ce477
                                • Instruction Fuzzy Hash: 32518171912227ABDB31BF24DC4CBEE7BBCBF18364F001194E509A61C1DB349A41CBA0
                                Uniqueness

                                Uniqueness Score: 6.84%

                                C-Code - Quality: 85%
                                			E0127E4FF(void* __ecx, void* __edx, void* __eflags) {
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				struct HINSTANCE__* _t21;
                                				intOrPtr* _t22;
                                				intOrPtr _t24;
                                				struct HINSTANCE__* _t27;
                                				void* _t37;
                                				void* _t38;
                                				void* _t39;
                                				void* _t40;
                                				void* _t41;
                                
                                				_t39 = __edx;
                                				_push(L"UxTheme.dll");
                                				_t41 = __ecx;
                                				_t21 = E01274CA7(__ecx, __ecx, __eflags);
                                				_t40 = GetProcAddress;
                                				_pop(_t37);
                                				 *(__ecx + 0x1ec) = _t21;
                                				if(_t21 == 0) {
                                					 *((intOrPtr*)(__ecx + 0x1f4)) = 0;
                                					 *((intOrPtr*)(__ecx + 0x1f8)) = 0;
                                					 *((intOrPtr*)(__ecx + 0x204)) = 0;
                                					 *((intOrPtr*)(__ecx + 0x208)) = 0;
                                				} else {
                                					 *((intOrPtr*)(_t41 + 0x1f4)) = GetProcAddress(_t21, "DrawThemeParentBackground");
                                					 *((intOrPtr*)(_t41 + 0x1f8)) = GetProcAddress( *(_t41 + 0x1ec), "DrawThemeTextEx");
                                					 *((intOrPtr*)(_t41 + 0x204)) = GetProcAddress( *(_t41 + 0x1ec), "BeginBufferedPaint");
                                					 *((intOrPtr*)(_t41 + 0x208)) = GetProcAddress( *(_t41 + 0x1ec), "EndBufferedPaint");
                                				}
                                				_t46 =  *(_t41 + 0x1f0);
                                				if( *(_t41 + 0x1f0) != 0) {
                                					_push(L"dwmapi.dll");
                                					_t27 = E01274CA7(_t37, _t41, _t46);
                                					_pop(_t38);
                                					 *(_t41 + 0x1f0) = _t27;
                                					if(_t27 == 0) {
                                						_t27 = L01277AC9(_t38);
                                					}
                                					 *((intOrPtr*)(_t41 + 0x20c)) = GetProcAddress(_t27, "DwmExtendFrameIntoClientArea");
                                					 *((intOrPtr*)(_t41 + 0x210)) = GetProcAddress( *(_t41 + 0x1f0), "DwmDefWindowProc");
                                					 *((intOrPtr*)(_t41 + 0x214)) = GetProcAddress( *(_t41 + 0x1f0), "DwmIsCompositionEnabled");
                                				}
                                				_t22 = _t41 + 0x19c;
                                				if( *_t22 != 0) {
                                					 *_t22 = 1;
                                				}
                                				L0129D88E();
                                				_t24 =  *0x13d8dd0; // 0x0
                                				if(_t24 != 0) {
                                					L012A14C7(0, _t39, _t40, _t24);
                                				}
                                				return 1;
                                			}

                                APIs
                                  • Part of subcall function 01274CA7: ActivateActCtx.KERNEL32(?,?), ref: 01274CC7
                                  • Part of subcall function 01274CA7: LoadLibraryW.KERNEL32(?), ref: 01274CDE
                                • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0127E529
                                • GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 0127E53C
                                • GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 0127E54F
                                • GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 0127E562
                                • GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 0127E5D2
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 0127E5AC
                                • GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 0127E5BF
                                  • Part of subcall function 0129D88E: FreeLibrary.KERNEL32(00000000,0127E5EE), ref: 0129D8A2
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AddressProc$Library$ActivateException@8FreeLoadThrow
                                • String ID: BeginBufferedPaint$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
                                • API String ID: 140002669-3875329446
                                • Opcode ID: 9573c64207fed9f188b9145237cd296726743e592f8a0aff4d5763d7a052ef63
                                • Instruction ID: e18141969f1b203702e21789e33e93d2feb99868a50a185599f8aa531913e6e7
                                • Opcode Fuzzy Hash: 9573c64207fed9f188b9145237cd296726743e592f8a0aff4d5763d7a052ef63
                                • Instruction Fuzzy Hash: 2D211DB19507469BD731BFB69889DDBBAE8EF94708F12493EE5BAD3201D6706040CB90
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 100%
                                			E012E0761(void* __eax, signed int __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                				void* _t108;
                                				void* _t109;
                                
                                				_t109 = __esi;
                                				_t108 = __edi;
                                				 *(__esi - 0xe) =  *(__esi - 0xe) | __ebx;
                                			}

                                APIs
                                • CreateCompatibleDC.GDI32 ref: 012E0775
                                • GetObjectW.GDI32(?,00000018,?), ref: 012E0793
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                • SelectObject.GDI32(?,?), ref: 012E07D1
                                • CreateCompatibleDC.GDI32(?), ref: 012E07EF
                                • CreateDIBSection.GDI32 ref: 012E0845
                                • SelectObject.GDI32(?,?), ref: 012E085A
                                • SelectObject.GDI32(?,00000000), ref: 012E0870
                                • SelectObject.GDI32(?,?), ref: 012E087F
                                • DeleteObject.GDI32(?), ref: 012E0886
                                • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 012E08D8
                                  • Part of subcall function 012FCEB8: __EH_prolog3.LIBCMT ref: 012FCEBF
                                  • Part of subcall function 012FCEB8: CreateCompatibleDC.GDI32(?), ref: 012FCF3E
                                  • Part of subcall function 012FCEB8: CreateCompatibleBitmap.GDI32(?,?,00000064), ref: 012FCF77
                                  • Part of subcall function 012FCEB8: SelectObject.GDI32(?,00000000), ref: 012FCFE3
                                  • Part of subcall function 012FCEB8: BitBlt.GDI32(?,00000000,00000000,?,00000064,?,?,?,00CC0020), ref: 012FD00C
                                  • Part of subcall function 012FCEB8: MulDiv.KERNEL32 ref: 012FD198
                                  • Part of subcall function 012FCEB8: MulDiv.KERNEL32 ref: 012FD1AC
                                  • Part of subcall function 012FCEB8: MulDiv.KERNEL32 ref: 012FD1C6
                                  • Part of subcall function 012FCEB8: MulDiv.KERNEL32 ref: 012FD1DA
                                  • Part of subcall function 012FCEB8: MulDiv.KERNEL32 ref: 012FD1EF
                                  • Part of subcall function 012FCEB8: MulDiv.KERNEL32 ref: 012FD202
                                  • Part of subcall function 012FCEB8: BitBlt.GDI32(?,?,?,?,00000064,?,00000000,00000000,00CC0020), ref: 012FD255
                                  • Part of subcall function 012FCEB8: DeleteObject.GDI32(?), ref: 012FD271
                                  • Part of subcall function 0128C2A4: __EH_prolog3.LIBCMT ref: 0128C2AB
                                • GetPixel.GDI32(?,?,00000000), ref: 012E09A0
                                • SetPixel.GDI32(?,?,00000000,?), ref: 012E09B5
                                • SelectObject.GDI32(?,?), ref: 012E09D2
                                • SelectObject.GDI32(?,?), ref: 012E09DA
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Object$Select$Create$Compatible$Delete$H_prolog3Pixel$BitmapSection
                                • String ID: (
                                • API String ID: 2001289350-3887548279
                                • Opcode ID: 170016f18e8f6eb1ee6112ba646d39a5f81a62b2581a5ab5aebac11fc82a42e9
                                • Instruction ID: 695c9615dc3f7025811a5a07a3db972af987ec742cdcbe1f542232a49d37e077
                                • Opcode Fuzzy Hash: 170016f18e8f6eb1ee6112ba646d39a5f81a62b2581a5ab5aebac11fc82a42e9
                                • Instruction Fuzzy Hash: E3910071D10219EFDF25EFA8C8889EDFBB9BF09310F604129E556A72A1DB705A46CF10
                                Uniqueness

                                Uniqueness Score: 16.53%

                                C-Code - Quality: 73%
                                			E01274E12(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                				signed int _v8;
                                				char _v210;
                                				char _v212;
                                				short _v214;
                                				short _v216;
                                				short _v736;
                                				int _v840;
                                				intOrPtr _v844;
                                				char _v848;
                                				intOrPtr _v852;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t49;
                                				struct HINSTANCE__* _t53;
                                				signed int _t54;
                                				signed short _t58;
                                				signed int _t59;
                                				void* _t79;
                                				intOrPtr _t80;
                                				signed int _t84;
                                				signed int _t86;
                                				void* _t95;
                                				signed int _t96;
                                				struct HINSTANCE__* _t97;
                                				short* _t98;
                                				signed int _t100;
                                				void* _t101;
                                				void* _t102;
                                				signed int _t104;
                                				signed int _t106;
                                				void* _t107;
                                				void* _t109;
                                
                                				_t104 = _t106;
                                				_t107 = _t106 - 0x350;
                                				_t49 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t49 ^ _t104;
                                				_v844 = _a4;
                                				_push(L"KERNEL32.DLL");
                                				_v852 = _a8;
                                				_t100 = 0;
                                				_t53 = E01274CA7(__ecx, 0, __eflags);
                                				if(_t53 != 0) {
                                					_t53 = GetProcAddress(_t53, "GetThreadPreferredUILanguages");
                                					_t97 = _t53;
                                					if(_t97 != 0) {
                                						_v212 = 0;
                                						_v848 = 0;
                                						L01367D50( &_v210, 0, 0xc8);
                                						_t109 = _t107 + 0xc;
                                						_v840 = 0x65;
                                						_t53 = _t97->i(0x34,  &_v848,  &_v212,  &_v840);
                                						if(_t53 != 0) {
                                							_t98 =  &_v212;
                                							if(_v212 != 0) {
                                								while(_t100 < 0x14) {
                                									_t80 = L01367C21(_t98, 0, 0x10);
                                									_t109 = _t109 + 0xc;
                                									_t116 = _t80;
                                									if(_t80 != 0 &&  *((intOrPtr*)(L01369B1B(_t116))) != 0x22) {
                                										 *((intOrPtr*)(_t104 + _t100 * 4 - 0x340)) = _t80;
                                										_t100 = _t100 + 1;
                                									}
                                									_t53 = L01369A59(_t98);
                                									_t98 = _t98 + 2 + _t53 * 2;
                                									if( *_t98 != 0) {
                                										continue;
                                									}
                                									goto L10;
                                								}
                                							}
                                						}
                                					}
                                				}
                                				L10:
                                				__imp__GetUserDefaultUILanguage();
                                				_t54 = _t53 & 0x0000ffff;
                                				_t84 = _t54 & 0x000003ff;
                                				_v840 = _t84;
                                				 *((intOrPtr*)(_t104 + _t100 * 4 - 0x340)) = ConvertDefaultLocale(_t54 & 0x0000fc00 | _t84);
                                				_t58 = ConvertDefaultLocale(_v840);
                                				 *(_t104 + _t100 * 4 - 0x33c) = _t58;
                                				__imp__GetSystemDefaultUILanguage();
                                				_t59 = _t58 & 0x0000ffff;
                                				_t86 = _t59 & 0x000003ff;
                                				_v840 = _t86;
                                				 *((intOrPtr*)(_t104 + _t100 * 4 - 0x338)) = ConvertDefaultLocale(_t59 & 0x0000fc00 | _t86);
                                				 *((intOrPtr*)(_t104 + _t100 * 4 - 0x334)) = ConvertDefaultLocale(_v840);
                                				_v214 = 0;
                                				_v216 = 0;
                                				 *((intOrPtr*)(_t104 + _t100 * 4 - 0x330)) = 0x800;
                                				_t101 = _t100 + 5;
                                				if(GetModuleFileNameW(0x1270000,  &_v736, 0x105) == 0) {
                                					L14:
                                				} else {
                                					_t96 = 0;
                                					if(_t101 <= 0) {
                                						goto L14;
                                					} else {
                                						while(1) {
                                							_t92 = _v852;
                                							if(E01274D46(_v844, _v852,  *((intOrPtr*)(_t104 + _t96 * 4 - 0x340))) != 0) {
                                								goto L15;
                                							}
                                							_t96 = _t96 + 1;
                                							if(_t96 < _t101) {
                                								continue;
                                							} else {
                                								goto L14;
                                							}
                                							goto L15;
                                						}
                                					}
                                				}
                                				L15:
                                				_pop(_t95);
                                				_pop(_t102);
                                				_pop(_t79);
                                				return L01367D3E(0, _t79, _v8 ^ _t104, _t92, _t95, _t102);
                                			}






































                                APIs
                                  • Part of subcall function 01274CA7: ActivateActCtx.KERNEL32(?,?), ref: 01274CC7
                                  • Part of subcall function 01274CA7: LoadLibraryW.KERNEL32(?), ref: 01274CDE
                                • GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 01274E57
                                • _memset.LIBCMT ref: 01274E83
                                • _wcstoul.LIBCMT ref: 01274ECB
                                  • Part of subcall function 01367C21: wcstoxl.LIBCMT ref: 01367C31
                                  • Part of subcall function 01369B1B: __getptd_noexit.LIBCMT ref: 01369B1B
                                • _wcslen.LIBCMT ref: 01274EEC
                                • GetUserDefaultUILanguage.KERNEL32 ref: 01274EFC
                                • ConvertDefaultLocale.KERNEL32(?), ref: 01274F23
                                • ConvertDefaultLocale.KERNEL32(?), ref: 01274F32
                                • GetSystemDefaultUILanguage.KERNEL32 ref: 01274F3B
                                • ConvertDefaultLocale.KERNEL32(?), ref: 01274F57
                                • ConvertDefaultLocale.KERNEL32(?), ref: 01274F66
                                • GetModuleFileNameW.KERNEL32(01270000,?,00000105), ref: 01274F9E
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01274D46: GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 01274D8D
                                  • Part of subcall function 01274D46: __snwprintf_s.LIBCMT ref: 01274DBF
                                  • Part of subcall function 01274D46: LoadLibraryW.KERNEL32(?), ref: 01274DFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Default$Locale$Convert$ExceptionFilterLanguageLibraryLoadProcessUnhandled$ActivateAddressCurrentDebuggerFileInfoModuleNamePresentProcSystemTerminateUser__getptd_noexit__snwprintf_s_memset_wcslen_wcstoulwcstoxl
                                • String ID: GetThreadPreferredUILanguages$KERNEL32.DLL$e
                                • API String ID: 2596483995-2285706205
                                • Opcode ID: eaf8cbc0ea29499b09530c00b254dc67d1cfd88d2f7c7d517fbe2b4d652a9710
                                • Instruction ID: 7f06b3014fd7969804ea20ffde03079a5914190cbc06739626c27bf0cbcfcc4b
                                • Opcode Fuzzy Hash: eaf8cbc0ea29499b09530c00b254dc67d1cfd88d2f7c7d517fbe2b4d652a9710
                                • Instruction Fuzzy Hash: 9041B571A103699BDB21AFA8DC44BAE77BCAF44714F4104BAE90DE7140D7749B818F51
                                Uniqueness

                                Uniqueness Score: 23.02%

                                C-Code - Quality: 84%
                                			E01322019(void* __ebx, void* __ecx, int __edx, void* __edi, struct tagRECT* __esi, void* __eflags) {
                                				intOrPtr _t137;
                                				int _t138;
                                				struct tagRECT* _t155;
                                				int _t163;
                                				struct tagRECT* _t164;
                                				int _t166;
                                				int _t172;
                                				int _t179;
                                				void* _t190;
                                				intOrPtr _t198;
                                				int _t200;
                                				int _t205;
                                				int _t206;
                                				struct tagRECT* _t207;
                                				int* _t215;
                                				intOrPtr _t216;
                                				void* _t220;
                                				intOrPtr _t224;
                                				int _t250;
                                				int _t256;
                                				intOrPtr _t259;
                                				struct tagPOINT _t265;
                                				RECT* _t269;
                                				struct tagRECT* _t273;
                                				int _t274;
                                				intOrPtr* _t278;
                                				int* _t280;
                                				void* _t282;
                                
                                				_t270 = __esi;
                                				_t262 = __edx;
                                				_push(0x68);
                                				L0136966A(0x1385e7f, __ebx, __edi, __esi);
                                				_t220 = __ecx;
                                				_t265 = 0;
                                				 *((intOrPtr*)(__ecx + 0x38)) = 0;
                                				if( *((intOrPtr*)(__ecx + 0x44)) == 0 ||  *((intOrPtr*)(__ecx + 0x48)) == 0) {
                                					L60:
                                					return L013696ED(_t220, _t265, _t270);
                                				} else {
                                					_t286 =  *((intOrPtr*)(__ecx + 0x50));
                                					if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
                                						_t280 = E01274753(_t286, 0x350);
                                						 *(_t282 - 0x68) = _t280;
                                						 *(_t282 - 4) = 0;
                                						_t287 = _t280;
                                						if(_t280 == 0) {
                                							_t215 = 0;
                                							__eflags = 0;
                                						} else {
                                							E012D85CD(_t220, _t280, __edx, 0, _t280, _t287);
                                							 *_t280 = 0x13a2f0c;
                                							_t215 = _t280;
                                						}
                                						 *(_t282 - 4) =  *(_t282 - 4) | 0xffffffff;
                                						_t259 =  *((intOrPtr*)(_t220 + 0x44));
                                						 *(_t220 + 0x50) = _t215;
                                						_t216 =  *0x13d98fc; // 0x0
                                						 *(_t282 - 0x40) = _t265;
                                						 *(_t282 - 0x3c) = _t265;
                                						 *(_t282 - 0x38) = _t265;
                                						 *(_t282 - 0x34) = _t265;
                                						if(_t216 == _t265) {
                                							_t216 = L01283CE7(_t259);
                                						}
                                						_t262 =  *( *(_t220 + 0x50));
                                						 *((intOrPtr*)(_t262 + 0x328))(_t265, 0x138e210, _t216, _t282 - 0x40, _t265,  *0x13d1f68, 0x40000000, 0x20, 0xf, _t265);
                                					}
                                					_t137 =  *0x13d9b94; // 0x4
                                					 *((intOrPtr*)(_t282 - 0x6c)) = _t137;
                                					_t138 =  *0x13d9b98; // 0x4
                                					 *(_t282 - 0x68) = _t138;
                                					 *(_t282 - 0x5c) = _t265;
                                					 *(_t282 - 0x58) = _t265;
                                					GetCursorPos(_t282 - 0x5c);
                                					_t270 =  *(_t282 - 0x58) -  *(_t220 + 8);
                                					 *(_t282 - 0x74) =  *(_t282 - 0x5c) -  *(_t220 + 4);
                                					 *(_t282 - 0x70) =  *(_t282 - 0x58) -  *(_t220 + 8);
                                					if(L0136B5DE(_t262,  *(_t282 - 0x5c) -  *(_t220 + 4)) >=  *((intOrPtr*)(_t282 - 0x6c)) || L0136B5DE(_t262, _t270) >=  *(_t282 - 0x68) || IsRectEmpty(_t220 + 0xc) == 0 ||  *((intOrPtr*)(_t282 + 8)) != _t265) {
                                						 *((intOrPtr*)(_t220 + 0x30)) = 1;
                                						L012ADB22(1);
                                						if(IsRectEmpty(_t220 + 0x1c) != 0) {
                                						}
                                						 *(_t282 - 0x60) =  *(_t282 - 0x60) & 0x00000000;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						_t273 = _t220 + 0xc;
                                						if(IsRectEmpty(_t273) != 0) {
                                							if(E012789AE( *((intOrPtr*)(_t220 + 0x44)), 0x13d04b0) == 0) {
                                								_t200 = E012789AE( *((intOrPtr*)(_t220 + 0x44)), 0x139ada0);
                                								__eflags = _t200;
                                								if(_t200 != 0) {
                                									_t278 = E012789CC(0x139ada0,  *((intOrPtr*)(_t220 + 0x44)));
                                									_t269 = _t220 + 0xc;
                                									GetWindowRect( *( *((intOrPtr*)(_t220 + 0x44)) + 0x20), _t269);
                                									_t205 =  *((intOrPtr*)( *_t278 + 0x224))(0);
                                									__eflags = _t205;
                                									if(_t205 == 0) {
                                										 *((intOrPtr*)(_t220 + 0x14)) =  *((intOrPtr*)(_t278 + 0x1e0)) -  *((intOrPtr*)(_t278 + 0x1d8)) + _t269->left;
                                										_t256 =  *((intOrPtr*)(_t278 + 0x1e4)) -  *((intOrPtr*)(_t278 + 0x1dc)) +  *((intOrPtr*)(_t220 + 0x10));
                                										__eflags = _t256;
                                										 *(_t220 + 0x18) = _t256;
                                									}
                                									_push( *(_t220 + 8));
                                									_t206 = PtInRect(_t269,  *(_t220 + 4));
                                									__eflags = _t206;
                                									if(_t206 == 0) {
                                										_t207 = _t220 + 0xc;
                                										_t250 =  *(_t220 + 4) - _t207->left - 5;
                                										__eflags = _t250;
                                										OffsetRect(_t207, _t250, _t206);
                                									}
                                								}
                                							} else {
                                								GetWindowRect( *( *((intOrPtr*)(_t220 + 0x44)) + 0x20), _t273);
                                							}
                                							 *(_t282 - 0x60) = 1;
                                						}
                                						 *(_t282 - 0x64) =  *(_t282 - 0x64) & 0x00000000;
                                						_t265 = _t220 + 0x4c;
                                						 *(_t282 - 0x54) =  *_t265;
                                						_t274 = 0;
                                						 *(_t282 - 0x20) = 0;
                                						 *((intOrPtr*)(_t282 - 0x1c)) = 0;
                                						 *((intOrPtr*)(_t282 - 0x18)) = 0;
                                						 *((intOrPtr*)(_t282 - 0x14)) = 0;
                                						SetRectEmpty(_t282 - 0x20);
                                						_t224 =  *((intOrPtr*)(_t220 + 0x48));
                                						 *(_t282 - 0x68) = 0;
                                						if(_t224 != 0) {
                                							_t198 =  *((intOrPtr*)(_t224 + 0x1b8));
                                							if(_t198 != 0 &&  *((intOrPtr*)(_t198 + 8)) != 0 &&  *((intOrPtr*)(_t198 + 4)) != 0) {
                                								 *(_t282 - 0x68) = 1;
                                							}
                                						}
                                						E012AC565(_t224,  *((intOrPtr*)(_t220 + 0x44)),  *(_t282 - 0x5c),  *(_t282 - 0x58), _t282 - 0x20, _t282 - 0x64, _t265);
                                						_t155 =  *(_t282 - 0x54);
                                						if(_t155 != _t274 &&  *(_t220 + 0x34) != 0xffffffff && (_t155 !=  *_t265 ||  *(_t282 - 0x64) == _t274)) {
                                							L01321C0E(_t220, _t265, _t155);
                                							 *(_t282 - 0x60) = 1;
                                						}
                                						 *(_t282 - 0x54) = 1;
                                						if(E012789AE( *((intOrPtr*)(_t220 + 0x44)), 0x13d04b0) == 0) {
                                							if(E012789AE( *((intOrPtr*)(_t220 + 0x44)), 0x139ada0) != 0) {
                                								_t262 =  *(E012789CC(0x139ada0,  *((intOrPtr*)(_t220 + 0x44))));
                                								 *(_t282 - 0x54) =  *((intOrPtr*)(_t262 + 0x188))();
                                							}
                                							_t274 = 0;
                                						}
                                						_t157 =  *_t265;
                                						if( *_t265 == _t274 ||  *(_t282 - 0x54) == _t274) {
                                							L52:
                                							OffsetRect(_t220 + 0xc,  *(_t282 - 0x74),  *(_t282 - 0x70));
                                							 *(_t220 + 4) =  *(_t282 - 0x5c);
                                							 *(_t220 + 8) =  *(_t282 - 0x58);
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							_t163 = IsRectEmpty(_t220 + 0x1c);
                                							__eflags = _t163;
                                							_t164 =  *0x13d6598; // 0x4
                                							if(_t163 == 0) {
                                								_t164 =  *0x13d659c; // 0x3
                                							}
                                							 *(_t282 - 0x54) = _t164;
                                							_t270 = _t220 + 0x1c;
                                							 *(_t282 - 0x30) = 0;
                                							 *((intOrPtr*)(_t282 - 0x2c)) = 0;
                                							 *((intOrPtr*)(_t282 - 0x28)) = 0;
                                							 *((intOrPtr*)(_t282 - 0x24)) = 0;
                                							_t166 = IsRectEmpty(_t220 + 0x1c);
                                							__eflags = _t166;
                                							if(_t166 != 0) {
                                								_push( *(_t282 - 0x58));
                                								_t270 = _t220 + 0xc;
                                								_t172 = PtInRect(_t270,  *(_t282 - 0x5c));
                                								__eflags = _t172;
                                								if(_t172 == 0) {
                                									asm("cdq");
                                									_t262 =  *(_t282 - 0x5c) - (_t270->right - _t270->left - _t262 >> 1) + _t270->left;
                                									_t179 =  *(_t282 - 0x58) -  *((intOrPtr*)(_t220 + 0x10)) + 5;
                                									__eflags = _t179;
                                									OffsetRect(_t270, _t262, _t179);
                                								}
                                							}
                                							__eflags =  *(_t282 - 0x68);
                                							_t265 = _t282 - 0x30;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							if(__eflags == 0) {
                                								L59:
                                								_push( *(_t220 + 0x40));
                                								_t270 =  *(_t282 - 0x54);
                                								_push(_t270);
                                								_push( *(_t282 - 0x60));
                                								_push(_t282 - 0x30);
                                								_push(_t282 - 0x50);
                                								L013219E6(_t220, _t220, _t262, _t265, _t270, __eflags);
                                								 *(_t220 + 0x40) = _t270;
                                								goto L60;
                                							} else {
                                								__eflags = IsRectEmpty(_t220 + 0x1c);
                                								if(__eflags != 0) {
                                									goto L60;
                                								}
                                								goto L59;
                                							}
                                						} else {
                                							_t270 = E012789CC(0x13a32dc, _t157);
                                							if(_t270 == 0) {
                                								L47:
                                								__eflags =  *(_t282 - 0x64);
                                								if( *(_t282 - 0x64) == 0) {
                                									goto L52;
                                								}
                                								__eflags =  *(_t220 + 0x34) - 0xffffffff;
                                								if( *(_t220 + 0x34) == 0xffffffff) {
                                									__eflags =  *(_t282 - 0x60);
                                									if( *(_t282 - 0x60) == 0) {
                                										L01321D14(_t220, _t262, 0);
                                									}
                                									L01321A7A(_t220,  *_t265, 0);
                                									 *(_t220 + 0x34) = 1;
                                								}
                                								goto L60;
                                							}
                                							if( *(_t282 - 0x64) == 0) {
                                								goto L52;
                                							}
                                							if( *((intOrPtr*)(_t270->left + 0x3ac))() <= 1 ||  *((intOrPtr*)(_t270->left + 0x3b0))() == 0) {
                                								if( *((intOrPtr*)(_t270->left + 0x3ac))() <= 0) {
                                									goto L47;
                                								}
                                								_t190 =  *((intOrPtr*)(_t270->left + 0x3b0))();
                                								_t314 = _t190;
                                								if(_t190 != 0) {
                                									goto L47;
                                								}
                                								goto L46;
                                							} else {
                                								L46:
                                								_push( *(_t282 - 0x60));
                                								_push(_t270);
                                								L01321E09(_t220, _t220, _t262, _t265, _t270, _t314);
                                								goto L60;
                                							}
                                						}
                                					} else {
                                						goto L60;
                                					}
                                				}
                                			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 01322020
                                • GetCursorPos.USER32(?), ref: 013220D2
                                • IsRectEmpty.USER32 ref: 01322106
                                  • Part of subcall function 012ADB22: LockWindowUpdate.USER32(00000000), ref: 012ADB63
                                  • Part of subcall function 012ADB22: ValidateRect.USER32 ref: 012ADB98
                                  • Part of subcall function 012ADB22: UpdateWindow.USER32 ref: 012ADB9D
                                  • Part of subcall function 012ADB22: LockWindowUpdate.USER32(00000000), ref: 012ADBB0
                                  • Part of subcall function 012ADB22: ValidateRect.USER32 ref: 012ADBD7
                                  • Part of subcall function 012ADB22: UpdateWindow.USER32 ref: 012ADBDC
                                  • Part of subcall function 012ADB22: LockWindowUpdate.USER32(00000000), ref: 012ADBEF
                                • IsRectEmpty.USER32 ref: 0132212C
                                • IsRectEmpty.USER32 ref: 01322148
                                • GetWindowRect.USER32 ref: 0132216E
                                • GetWindowRect.USER32 ref: 013221A2
                                • PtInRect.USER32(?,?,?), ref: 013221E2
                                • OffsetRect.USER32 ref: 013221FA
                                • SetRectEmpty.USER32 ref: 01322225
                                  • Part of subcall function 012AC565: SetRectEmpty.USER32 ref: 012AC591
                                  • Part of subcall function 012AC565: GetKeyState.USER32 ref: 012AC599
                                  • Part of subcall function 012AC565: IsRectEmpty.USER32 ref: 012AC5F6
                                  • Part of subcall function 012AC565: GetWindowRect.USER32 ref: 012AC773
                                  • Part of subcall function 01321E09: __EH_prolog3_GS.LIBCMT ref: 01321E10
                                  • Part of subcall function 01321A7A: GetWindowRect.USER32 ref: 01321AAC
                                  • Part of subcall function 01321A7A: SetRectEmpty.USER32 ref: 01321B3E
                                  • Part of subcall function 01321A7A: SetRect.USER32(?,0000000A,?,?), ref: 01321B75
                                  • Part of subcall function 01321A7A: CopyRect.USER32(?,?), ref: 01321BAE
                                  • Part of subcall function 01321D14: SetRectEmpty.USER32 ref: 01321D6A
                                  • Part of subcall function 01321D14: IsRectEmpty.USER32 ref: 01321D74
                                  • Part of subcall function 01321D14: SetRectEmpty.USER32 ref: 01321DCB
                                  • Part of subcall function 01321D14: SetRectEmpty.USER32 ref: 01321DD1
                                • OffsetRect.USER32 ref: 01322384
                                • IsRectEmpty.USER32 ref: 013223A9
                                • IsRectEmpty.USER32 ref: 013223CE
                                • PtInRect.USER32(?,?,?), ref: 013223DE
                                • OffsetRect.USER32 ref: 01322407
                                • IsRectEmpty.USER32 ref: 0132241E
                                  • Part of subcall function 013219E6: __EH_prolog3.LIBCMT ref: 013219ED
                                  • Part of subcall function 013219E6: GetDesktopWindow.USER32 ref: 013219F4
                                  • Part of subcall function 013219E6: CopyRect.USER32(?,?), ref: 01321A3B
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                  • Part of subcall function 012D85CD: __EH_prolog3.LIBCMT ref: 012D85D4
                                  • Part of subcall function 012D85CD: SetRectEmpty.USER32 ref: 012D86DB
                                  • Part of subcall function 012D85CD: SetRectEmpty.USER32 ref: 012D86E4
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Empty$Window$Update$LockOffset$CopyH_prolog3H_prolog3_Validate$CursorDesktopState_malloc
                                • String ID:
                                • API String ID: 2437384332-0
                                • Opcode ID: 39fd239d7eb519795d09b5ca8b08313b8646cfb312372c99d3f3ebee05d4d84a
                                • Instruction ID: 7865f8681c36ff97d952d1b6db98f9aa95fb1e5a8aba53943d327d0ee3bb9ad0
                                • Opcode Fuzzy Hash: 39fd239d7eb519795d09b5ca8b08313b8646cfb312372c99d3f3ebee05d4d84a
                                • Instruction Fuzzy Hash: 1AE16D71A00225DFDF25EFA8CC84AAEBBB9FF08718F144159E905EB259D731E941CB90
                                Uniqueness

                                Uniqueness Score: 2.38%

                                C-Code - Quality: 88%
                                			E012DC1C5(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				int _t162;
                                				intOrPtr* _t165;
                                				intOrPtr _t178;
                                				intOrPtr _t179;
                                				signed int _t196;
                                				signed int _t199;
                                				intOrPtr* _t217;
                                				intOrPtr* _t241;
                                				void* _t250;
                                				intOrPtr* _t256;
                                				RECT* _t259;
                                				void* _t263;
                                				void* _t264;
                                				void* _t266;
                                				intOrPtr _t269;
                                				void* _t278;
                                
                                				_t252 = __edi;
                                				_t250 = __edx;
                                				_push(0x8c);
                                				L0136966A(0x1382e9c, __ebx, __edi, __esi);
                                				_t217 = __ecx;
                                				_t269 =  *0x13d99a8; // 0x0
                                				if(_t269 != 0) {
                                					EnterCriticalSection(0x13d99b8);
                                				}
                                				_push(_t217);
                                				L01279EEC(_t217, _t263 - 0x88, _t250, _t252, 0, _t269);
                                				 *(_t263 - 4) = 0;
                                				 *(_t263 - 0x50) = 0;
                                				 *((intOrPtr*)(_t263 - 0x4c)) = 0;
                                				 *((intOrPtr*)(_t263 - 0x48)) = 0;
                                				 *((intOrPtr*)(_t263 - 0x44)) = 0;
                                				GetUpdateRect( *(_t217 + 0x20), _t263 - 0x50, 0);
                                				 *(_t263 - 0x40) = 0;
                                				 *((intOrPtr*)(_t263 - 0x3c)) = 0;
                                				 *((intOrPtr*)(_t263 - 0x38)) = 0;
                                				 *((intOrPtr*)(_t263 - 0x34)) = 0;
                                				 *(_t263 - 0x20) = 0;
                                				 *(_t263 - 0x1c) = 0;
                                				 *((intOrPtr*)(_t263 - 0x18)) = 0;
                                				 *((intOrPtr*)(_t263 - 0x14)) = 0;
                                				GetClientRect( *(_t217 + 0x20), _t263 - 0x40);
                                				L01279C17(_t217, _t263 - 0x40);
                                				GetWindowRect( *(_t217 + 0x20), _t263 - 0x20);
                                				_t253 = OffsetRect;
                                				OffsetRect(_t263 - 0x40,  ~( *(_t263 - 0x20)),  ~( *(_t263 - 0x1c)));
                                				OffsetRect(_t263 - 0x20,  ~( *(_t263 - 0x20)),  ~( *(_t263 - 0x1c)));
                                				 *((intOrPtr*)(_t263 - 0x54)) = _t263 - 0x88;
                                				 *(_t263 - 0x68) = 0;
                                				L0127976C(_t263 - 0x98);
                                				 *((intOrPtr*)(_t263 - 0x60)) = 0;
                                				 *((intOrPtr*)(_t263 - 0x64)) = 0x138f588;
                                				 *(_t263 - 4) = 2;
                                				 *((intOrPtr*)(_t263 - 0x74)) = 0;
                                				if(L01279DC3(_t217, _t263 - 0x98, _t250, OffsetRect, CreateCompatibleDC( *(_t263 - 0x84))) != 0 && E0127A097(_t217, _t263 - 0x64, _t250, OffsetRect, CreateCompatibleBitmap( *(_t263 - 0x84),  *((intOrPtr*)(_t263 - 0x18)) -  *(_t263 - 0x20),  *((intOrPtr*)(_t263 - 0x14)) -  *(_t263 - 0x1c))) != 0) {
                                					 *(_t263 - 0x68) = 1;
                                					 *((intOrPtr*)(_t263 - 0x74)) = E0127A14E( *(_t263 - 0x94),  *((intOrPtr*)(_t263 - 0x60)));
                                					 *((intOrPtr*)(_t263 - 0x54)) = _t263 - 0x98;
                                				}
                                				L01279552(_t263 - 0x88, _t263 - 0x40);
                                				 *((intOrPtr*)(_t263 - 0x6c)) = 0;
                                				 *((intOrPtr*)(_t263 - 0x70)) = 0x138f894;
                                				_t259 = _t217 + 0x2d4;
                                				 *(_t263 - 4) = 3;
                                				_t162 = IsRectEmpty(_t259);
                                				_t272 = _t162;
                                				if(_t162 == 0) {
                                					E0127A097(_t217, _t263 - 0x70, _t250, _t253, CreateRectRgnIndirect(_t259));
                                					L01279B4B(_t263 - 0x88, _t263 - 0x70);
                                				}
                                				L01279599(_t263 - 0x88, _t263 - 0x20);
                                				_t165 = E0128C2A4(_t217, _t253, _t259, _t272);
                                				asm("movsd");
                                				asm("movsd");
                                				_t251 =  *_t165;
                                				asm("movsd");
                                				asm("movsd");
                                				_t266 = _t264;
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				 *((intOrPtr*)( *_t165 + 0x34))( *((intOrPtr*)(_t263 - 0x54)), _t217, 1);
                                				_t262 =  *((intOrPtr*)( *_t217 + 0x1a0))();
                                				_t256 = 0;
                                				if(_t262 <= 0) {
                                					L10:
                                					if( *(_t263 - 0x68) == _t256) {
                                						goto L25;
                                					}
                                					BitBlt( *(_t263 - 0x84),  *(_t263 - 0x20),  *(_t263 - 0x1c),  *((intOrPtr*)(_t263 - 0x18)) -  *(_t263 - 0x20),  *((intOrPtr*)(_t263 - 0x14)) -  *(_t263 - 0x1c),  *(_t263 - 0x94),  *(_t263 - 0x20),  *(_t263 - 0x1c), 0xcc0020);
                                					_t178 =  *((intOrPtr*)(_t263 - 0x74));
                                					if(_t178 != _t256) {
                                						goto L23;
                                					}
                                					_t179 = 0;
                                					goto L24;
                                				} else {
                                					 *(_t263 - 0x30) = 0;
                                					 *(_t263 - 0x2c) = 0;
                                					 *((intOrPtr*)(_t263 - 0x28)) = 0;
                                					 *((intOrPtr*)(_t263 - 0x24)) = 0;
                                					GetWindowRect( *(_t217 + 0x20), _t263 - 0x30);
                                					L01279BD6(_t217, _t263 - 0x30);
                                					OffsetRect(_t263 - 0x30,  ~( *(_t263 - 0x30)),  ~( *(_t263 - 0x2c)));
                                					InflateRect(_t263 - 0x30, 0, 0xffffffff);
                                					 *(_t263 - 0x2c) =  *(_t263 - 0x2c) - 1;
                                					 *(_t263 - 0x30) =  *(_t263 - 0x40);
                                					 *((intOrPtr*)(_t263 - 0x24)) =  *(_t263 - 0x2c) + _t262 - 2;
                                					_t256 = _t266 - 0x10;
                                					_t262 = _t263 - 0x30;
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					_t241 = _t217;
                                					asm("movsd");
                                					 *((intOrPtr*)( *_t217 + 0x384))( *((intOrPtr*)(_t263 - 0x54)));
                                					_t196 = 0;
                                					 *(_t263 - 0x58) = 0;
                                					if( *((intOrPtr*)(_t217 + 0x328)) > 0) {
                                						while(1) {
                                							__eflags = _t196;
                                							if(_t196 < 0) {
                                								break;
                                							}
                                							__eflags = _t196 -  *((intOrPtr*)(_t217 + 0x328));
                                							if(_t196 >=  *((intOrPtr*)(_t217 + 0x328))) {
                                								break;
                                							}
                                							 *(_t263 - 0x5c) =  *(_t263 - 0x5c) & 0x00000000;
                                							_t256 =  *((intOrPtr*)( *((intOrPtr*)(_t217 + 0x324)) + _t196 * 4));
                                							_t199 = E01318FE3(_t256) - 8;
                                							__eflags = _t199;
                                							if(_t199 == 0) {
                                								 *(_t263 - 0x5c) = 1;
                                							} else {
                                								__eflags = _t199 == 1;
                                								if(_t199 == 1) {
                                									 *(_t263 - 0x5c) =  *(_t217 + 0x2e4);
                                								}
                                							}
                                							_t262 =  *_t256;
                                							_t241 = _t256;
                                							 *((intOrPtr*)( *_t256 + 0x10))( *((intOrPtr*)(_t263 - 0x54)),  *((intOrPtr*)(_t217 + 0x2c8)),  *((intOrPtr*)( *_t217 + 0x160))( *(_t263 - 0x5c), 0));
                                							 *(_t256 + 0x20) =  *(_t256 + 0x20) | 0xffffffff;
                                							 *(_t263 - 0x58) =  *(_t263 - 0x58) + 1;
                                							__eflags =  *(_t263 - 0x58) -  *((intOrPtr*)(_t217 + 0x328));
                                							if( *(_t263 - 0x58) <  *((intOrPtr*)(_t217 + 0x328))) {
                                								_t196 =  *(_t263 - 0x58);
                                								continue;
                                							} else {
                                								goto L9;
                                							}
                                						}
                                						_t178 = L01277AC9(_t241);
                                						L23:
                                						_t179 =  *((intOrPtr*)(_t178 + 4));
                                						L24:
                                						E0127A14E( *(_t263 - 0x94), _t179);
                                						L25:
                                						L01279B4B(_t263 - 0x88, _t256);
                                						_t278 =  *0x13d99a8 - _t256; // 0x0
                                						if(_t278 != 0) {
                                							LeaveCriticalSection(0x13d99b8);
                                						}
                                						 *(_t263 - 4) = 2;
                                						 *((intOrPtr*)(_t263 - 0x70)) = 0x138f894;
                                						E0127A27E(_t217, _t263 - 0x70, _t256, _t262, _t278);
                                						 *(_t263 - 4) = 1;
                                						 *((intOrPtr*)(_t263 - 0x64)) = 0x138f588;
                                						E0127A27E(_t217, _t263 - 0x64, _t256, _t262, _t278);
                                						 *(_t263 - 4) = 0;
                                						L01279E44(_t263 - 0x98);
                                						 *(_t263 - 4) =  *(_t263 - 4) | 0xffffffff;
                                						L01279F40(_t217, _t263 - 0x88, _t251, _t256, _t262,  *(_t263 - 4));
                                						return L013696ED(_t217, _t256, _t262);
                                					}
                                					L9:
                                					_t256 = 0;
                                					goto L10;
                                				}
                                			}




















                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012DC1CF
                                • EnterCriticalSection.KERNEL32(013D99B8,0000008C), ref: 012DC1E5
                                  • Part of subcall function 01279EEC: __EH_prolog3.LIBCMT ref: 01279EF3
                                  • Part of subcall function 01279EEC: GetWindowDC.USER32(00000000), ref: 01279F1F
                                • GetUpdateRect.USER32(?,?,00000000), ref: 012DC20E
                                • GetClientRect.USER32 ref: 012DC233
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                • GetWindowRect.USER32 ref: 012DC24B
                                • OffsetRect.USER32 ref: 012DC267
                                • OffsetRect.USER32 ref: 012DC279
                                • CreateCompatibleDC.GDI32(?), ref: 012DC2A9
                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 012DC2D3
                                  • Part of subcall function 01279552: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0127957B
                                  • Part of subcall function 01279552: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 01279590
                                • IsRectEmpty.USER32 ref: 012DC32B
                                • CreateRectRgnIndirect.GDI32(?), ref: 012DC336
                                  • Part of subcall function 01279599: IntersectClipRect.GDI32(?,?,?,?,?), ref: 012795C2
                                  • Part of subcall function 01279599: IntersectClipRect.GDI32(?,?,?,?,?), ref: 012795D7
                                  • Part of subcall function 0128C2A4: __EH_prolog3.LIBCMT ref: 0128C2AB
                                • GetWindowRect.USER32 ref: 012DC3B6
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                • OffsetRect.USER32 ref: 012DC3D7
                                • InflateRect.USER32(?,00000000,000000FF), ref: 012DC3E4
                                • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 012DC459
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 0127A14E: SelectObject.GDI32(?,?), ref: 0127A159
                                  • Part of subcall function 01279B4B: SelectClipRgn.GDI32(?,00000000), ref: 01279B71
                                  • Part of subcall function 01279B4B: SelectClipRgn.GDI32(?,?), ref: 01279B87
                                • LeaveCriticalSection.KERNEL32(013D99B8), ref: 012DC50D
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                  • Part of subcall function 01279F40: __EH_prolog3.LIBCMT ref: 01279F47
                                  • Part of subcall function 01279F40: ReleaseDC.USER32(?,00000000), ref: 01279F64
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Clip$Client$Screen$CreateH_prolog3OffsetSelectWindow$CompatibleCriticalExcludeIntersectSection$BitmapDeleteEmptyEnterException@8H_prolog3_H_prolog3_catch_IndirectInflateLeaveObjectReleaseThrowUpdate
                                • String ID:
                                • API String ID: 3137215906-0
                                • Opcode ID: 672e692235bb0fd600c84431400e7b6cf70df8f1ca162bf8479135bef61b8699
                                • Instruction ID: 6f01e19861c097ab8f286b9d9dcd130cebd976ce6f45b9a067ab2410310675d5
                                • Opcode Fuzzy Hash: 672e692235bb0fd600c84431400e7b6cf70df8f1ca162bf8479135bef61b8699
                                • Instruction Fuzzy Hash: 8BC15871D1022ADFDF11EFA8C884AEEBBB9FF18314F14415AE905AB254DB705A45CF60
                                Uniqueness

                                Uniqueness Score: 23.02%

                                C-Code - Quality: 98%
                                			E0128A293(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				RECT* _t114;
                                				void* _t140;
                                				void* _t160;
                                				RECT* _t193;
                                				void* _t194;
                                				intOrPtr _t204;
                                				intOrPtr* _t234;
                                				void* _t237;
                                
                                				_t231 = __edx;
                                				_push(0x48);
                                				L0136966A(0x137ffbf, __ebx, __edi, __esi);
                                				_t114 =  *(_t237 + 8);
                                				_t193 =  *(_t237 + 0x14);
                                				_t234 = __ecx;
                                				 *((intOrPtr*)(_t237 - 0x24)) =  *((intOrPtr*)(_t237 + 0x20));
                                				 *((intOrPtr*)(_t237 - 0x28)) =  *((intOrPtr*)(_t237 + 0x24));
                                				 *(_t237 - 0x54) = _t114;
                                				 *((intOrPtr*)(_t237 - 0x4c)) = 0;
                                				 *((intOrPtr*)(_t237 - 0x50)) = 0x138f894;
                                				 *(_t237 - 4) = 0;
                                				 *(_t237 - 0x34) = 0;
                                				 *((intOrPtr*)(_t237 - 0x38)) = 0x138f894;
                                				 *(_t237 - 0x3c) = 0;
                                				 *((intOrPtr*)(_t237 - 0x40)) = 0x138f894;
                                				 *(_t237 - 4) = 2;
                                				E0127A097(_t193, _t237 - 0x38, __edx, __ecx, CreateRectRgnIndirect(_t114));
                                				CopyRect(_t237 - 0x20,  *(_t237 - 0x54));
                                				InflateRect(_t237 - 0x20,  ~( *(_t237 + 0xc)),  ~( *(_t237 + 0x10)));
                                				IntersectRect(_t237 - 0x20, _t237 - 0x20,  *(_t237 - 0x54));
                                				E0127A097(_t193, _t237 - 0x40, _t231, _t234, CreateRectRgnIndirect(_t237 - 0x20));
                                				E0127A097(_t193, _t237 - 0x50, _t231, _t234, CreateRectRgn(0, 0, 0, 0));
                                				E0128A0C6(_t237 - 0x50, _t237 - 0x38, _t237 - 0x40, 3);
                                				_t239 =  *((intOrPtr*)(_t237 - 0x24));
                                				if( *((intOrPtr*)(_t237 - 0x24)) == 0) {
                                					 *((intOrPtr*)(_t237 - 0x24)) = E0128A0F5(_t193, _t234, 0x138f894, _t239);
                                				}
                                				_t204 =  *((intOrPtr*)(_t237 - 0x24));
                                				if((0 | _t204 != 0x00000000) == 0) {
                                					L01277AC9(_t204);
                                				}
                                				if( *((intOrPtr*)(_t237 - 0x28)) == 0) {
                                					 *((intOrPtr*)(_t237 - 0x28)) = _t204;
                                				}
                                				 *((intOrPtr*)(_t237 - 0x2c)) = 0;
                                				 *((intOrPtr*)(_t237 - 0x30)) = 0x138f894;
                                				 *((intOrPtr*)(_t237 - 0x44)) = 0;
                                				 *((intOrPtr*)(_t237 - 0x48)) = 0x138f894;
                                				 *(_t237 - 4) = 4;
                                				if(_t193 != 0) {
                                					E0127A097(_t193, _t237 - 0x30, 0, _t234, CreateRectRgn(0, 0, 0, 0));
                                					SetRectRgn( *(_t237 - 0x34),  *_t193, _t193->top, _t193->right, _t193->bottom);
                                					CopyRect(_t237 - 0x20, _t193);
                                					InflateRect(_t237 - 0x20,  ~( *(_t237 + 0x18)),  ~( *(_t237 + 0x1c)));
                                					IntersectRect(_t237 - 0x20, _t237 - 0x20, _t193);
                                					SetRectRgn( *(_t237 - 0x3c),  *(_t237 - 0x20),  *(_t237 - 0x1c),  *(_t237 - 0x18),  *(_t237 - 0x14));
                                					E0128A0C6(_t237 - 0x30, _t237 - 0x38, _t237 - 0x40, 3);
                                					if( *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x24)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x28)) + 4))) {
                                						E0127A097(_t193, _t237 - 0x48, 0, _t234, CreateRectRgn(0, 0, 0, 0));
                                						E0128A0C6(_t237 - 0x48, _t237 - 0x30, _t237 - 0x50, 3);
                                					}
                                				}
                                				if( *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x24)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x28)) + 4)) && _t193 != 0) {
                                					L01279B4B(_t234, _t237 - 0x30);
                                					 *((intOrPtr*)( *_t234 + 0x50))(_t237 - 0x20);
                                					_t160 = E0127A1AA(_t234,  *((intOrPtr*)(_t237 - 0x28)));
                                					PatBlt( *(_t234 + 4),  *(_t237 - 0x20),  *(_t237 - 0x1c),  *(_t237 - 0x18) -  *(_t237 - 0x20),  *(_t237 - 0x14) -  *(_t237 - 0x1c), 0x5a0049);
                                					E0127A1AA(_t234, _t160);
                                				}
                                				_t140 = _t237 - 0x48;
                                				if( *((intOrPtr*)(_t237 - 0x44)) == 0) {
                                					_t140 = _t237 - 0x50;
                                				}
                                				L01279B4B(_t234, _t140);
                                				 *((intOrPtr*)( *_t234 + 0x50))(_t237 - 0x20);
                                				_t194 = E0127A1AA(_t234,  *((intOrPtr*)(_t237 - 0x24)));
                                				PatBlt( *(_t234 + 4),  *(_t237 - 0x20),  *(_t237 - 0x1c),  *(_t237 - 0x18) -  *(_t237 - 0x20),  *(_t237 - 0x14) -  *(_t237 - 0x1c), 0x5a0049);
                                				_t250 = _t194;
                                				if(_t194 != 0) {
                                					E0127A1AA(_t234, _t194);
                                				}
                                				L01279B4B(_t234, 0);
                                				 *(_t237 - 4) = 3;
                                				 *((intOrPtr*)(_t237 - 0x48)) = 0x138f894;
                                				E0127A27E(_t194, _t237 - 0x48, _t234, 0x138f894, _t250);
                                				 *(_t237 - 4) = 2;
                                				 *((intOrPtr*)(_t237 - 0x30)) = 0x138f894;
                                				E0127A27E(_t194, _t237 - 0x30, _t234, 0x138f894, _t250);
                                				 *(_t237 - 4) = 1;
                                				 *((intOrPtr*)(_t237 - 0x40)) = 0x138f894;
                                				E0127A27E(_t194, _t237 - 0x40, _t234, 0x138f894, _t250);
                                				 *(_t237 - 4) = 0;
                                				 *((intOrPtr*)(_t237 - 0x38)) = 0x138f894;
                                				E0127A27E(_t194, _t237 - 0x38, _t234, 0x138f894, _t250);
                                				 *(_t237 - 4) =  *(_t237 - 4) | 0xffffffff;
                                				 *((intOrPtr*)(_t237 - 0x50)) = 0x138f894;
                                				E0127A27E(_t194, _t237 - 0x50, _t234, 0x138f894,  *(_t237 - 4));
                                				return L013696ED(_t194, _t234, 0x138f894);
                                			}












                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0128A29A
                                • CreateRectRgnIndirect.GDI32(?), ref: 0128A2D7
                                • CopyRect.USER32(?,?), ref: 0128A2ED
                                • InflateRect.USER32(?,?,?), ref: 0128A303
                                • IntersectRect.USER32(?,?,?), ref: 0128A311
                                • CreateRectRgnIndirect.GDI32(?), ref: 0128A31B
                                • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0128A330
                                  • Part of subcall function 0128A0C6: CombineRgn.GDI32(?,?,?,?), ref: 0128A0EB
                                • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0128A398
                                • SetRectRgn.GDI32(?,?,00000004,?,?), ref: 0128A3B5
                                • CopyRect.USER32(?,?), ref: 0128A3C0
                                • InflateRect.USER32(?,?,?), ref: 0128A3D6
                                • IntersectRect.USER32(?,?,?), ref: 0128A3E2
                                • SetRectRgn.GDI32(?,?,?,?,?), ref: 0128A3F7
                                • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0128A423
                                • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 0128A494
                                  • Part of subcall function 01279B4B: SelectClipRgn.GDI32(?,00000000), ref: 01279B71
                                  • Part of subcall function 01279B4B: SelectClipRgn.GDI32(?,?), ref: 01279B87
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,00000000), ref: 0127A1D0
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,?), ref: 0127A1E6
                                • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 0128A4E9
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 0128A0F5: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 0128A13E
                                  • Part of subcall function 0128A0F5: CreatePatternBrush.GDI32(00000000), ref: 0128A14B
                                  • Part of subcall function 0128A0F5: DeleteObject.GDI32(00000000), ref: 0128A157
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Create$Select$Object$ClipCopyIndirectInflateIntersect$BitmapBrushCombineDeleteException@8H_prolog3_H_prolog3_catch_PatternThrow
                                • String ID:
                                • API String ID: 4131791088-0
                                • Opcode ID: 5122dc53527861cde8a3b84f124f2c12f00dfbbca52ab814e7862dcfa6679593
                                • Instruction ID: 51c98f96c2790245910f1509c2ee3463fb3d2103cd7194dffc2329923420f6bd
                                • Opcode Fuzzy Hash: 5122dc53527861cde8a3b84f124f2c12f00dfbbca52ab814e7862dcfa6679593
                                • Instruction Fuzzy Hash: 8CA1F471910219AFDF15EFE8D894DFEBBB9FF18310F18401AE606A7240DB359A05CB60
                                Uniqueness

                                Uniqueness Score: 2.12%

                                C-Code - Quality: 98%
                                			E0127A66B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t144;
                                				long _t146;
                                				intOrPtr _t151;
                                				intOrPtr _t152;
                                				intOrPtr _t153;
                                				intOrPtr _t154;
                                				void* _t201;
                                				void* _t202;
                                
                                				_t196 = __edx;
                                				_push(0x78);
                                				L0136966A(0x137efc7, __ebx, __edi, __esi);
                                				_t198 =  *(_t202 + 8);
                                				 *((intOrPtr*)(_t202 - 0x24)) =  *((intOrPtr*)(_t202 + 0xc));
                                				 *((intOrPtr*)(_t202 - 0x4c)) = 0x138f30c;
                                				 *(_t202 - 0x48) = 0;
                                				 *((intOrPtr*)(_t202 - 0x44)) = 0;
                                				 *((intOrPtr*)(_t202 - 0x40)) = 0;
                                				 *(_t202 - 4) = 0;
                                				 *((intOrPtr*)(_t202 - 0x7c)) = 0x138f30c;
                                				 *(_t202 - 0x78) = 0;
                                				 *((intOrPtr*)(_t202 - 0x74)) = 0;
                                				 *((intOrPtr*)(_t202 - 0x70)) = 0;
                                				 *((intOrPtr*)(_t202 - 0x3c)) = 0x138f30c;
                                				 *(_t202 - 0x38) = 0;
                                				 *((intOrPtr*)(_t202 - 0x34)) = 0;
                                				 *((intOrPtr*)(_t202 - 0x30)) = 0;
                                				 *(_t202 - 0x28) = 0;
                                				 *((intOrPtr*)(_t202 - 0x2c)) = 0x138f588;
                                				 *(_t202 - 0x50) = 0;
                                				 *((intOrPtr*)(_t202 - 0x54)) = 0x138f578;
                                				_t201 = CreateCompatibleDC;
                                				 *(_t202 - 4) = 4;
                                				if(L01279DC3(0, _t202 - 0x4c, __edx, _t198, CreateCompatibleDC(0)) != 0 && L01279DC3(0, _t202 - 0x7c, __edx, _t198, CreateCompatibleDC(0)) != 0 && L01279DC3(0, _t202 - 0x3c, __edx, _t198, CreateCompatibleDC(0)) != 0 && GetObjectW( *(_t198 + 4), 0x18, _t202 - 0x6c) != 0) {
                                					E0127A0F1(_t131,  *((intOrPtr*)(_t202 - 0x24)));
                                					_t201 = CreateBitmap;
                                					if(E0127A097(0,  *((intOrPtr*)(_t202 - 0x24)), _t196, _t198, CreateBitmap( *(_t202 - 0x68),  *(_t202 - 0x64),  *(_t202 - 0x5c) & 0x0000ffff,  *(_t202 - 0x5a) & 0x0000ffff, 0)) != 0) {
                                						E0127A097(0, _t202 - 0x2c, _t196, _t198, CreateBitmap(8, 8, 1, 1, 0x138f5a4));
                                						E0127A0F1(E0127A097(0, _t202 - 0x54, _t196, _t198, CreatePatternBrush( *(_t202 - 0x28))), _t202 - 0x2c);
                                						E0127A097(0, _t202 - 0x2c, _t196, _t198, CreateBitmap( *(_t202 - 0x68),  *(_t202 - 0x64), 1, 1, 0));
                                						 *((intOrPtr*)(_t202 - 0x80)) = E0127A14E( *(_t202 - 0x48),  *(_t198 + 4));
                                						_t144 = E0127A14E( *(_t202 - 0x78),  *(_t202 - 0x28));
                                						 *((intOrPtr*)(_t202 - 0x84)) = _t144;
                                						if( *((intOrPtr*)(_t202 - 0x80)) != 0 && _t144 != 0) {
                                							_t146 = L0127940F(GetPixel( *(_t202 - 0x48), 0, 0), _t202 - 0x4c, _t145);
                                							_t201 = BitBlt;
                                							_t198 = _t146;
                                							L0127940F(BitBlt( *(_t202 - 0x78), 0, 0,  *(_t202 - 0x68),  *(_t202 - 0x64),  *(_t202 - 0x48), 0, 0, 0xcc0020), _t202 - 0x4c, 0xffffff);
                                							L0127940F(BitBlt( *(_t202 - 0x78), 0, 0,  *(_t202 - 0x68),  *(_t202 - 0x64),  *(_t202 - 0x48), 0, 0, 0xee0086), _t202 - 0x4c, _t146);
                                							_t151 =  *((intOrPtr*)(_t202 - 0x24));
                                							if(_t151 != 0) {
                                								_t152 =  *((intOrPtr*)(_t151 + 4));
                                							} else {
                                								_t152 = 0;
                                							}
                                							_t153 = E0127A14E( *(_t202 - 0x38), _t152);
                                							 *((intOrPtr*)(_t202 - 0x24)) = _t153;
                                							_t212 = _t153;
                                							if(_t153 == 0) {
                                								_t154 = 0;
                                							} else {
                                								 *((intOrPtr*)(_t202 + 0x14)) = L0127940F(L012794D8(_t153, _t202 - 0x3c,  *((intOrPtr*)(_t202 + 0x10))), _t202 - 0x3c,  *((intOrPtr*)(_t202 + 0x14)));
                                								 *(_t202 - 0x18) =  *(_t202 - 0x68);
                                								 *(_t202 - 0x14) =  *(_t202 - 0x64);
                                								 *(_t202 - 0x20) = 0;
                                								 *((intOrPtr*)(_t202 - 0x1c)) = 0;
                                								L0127940F(L012794D8(FillRect( *(_t202 - 0x38), _t202 - 0x20,  *(_t202 - 0x50)), _t202 - 0x3c, _t160), _t202 - 0x3c,  *((intOrPtr*)(_t202 + 0x14)));
                                								_t198 = 0x660046;
                                								BitBlt( *(_t202 - 0x38), 0, 0,  *(_t202 - 0x68),  *(_t202 - 0x64),  *(_t202 - 0x48), 0, 0, 0x660046);
                                								BitBlt( *(_t202 - 0x38), 0, 0,  *(_t202 - 0x68),  *(_t202 - 0x64),  *(_t202 - 0x78), 0, 0, 0x8800c6);
                                								BitBlt( *(_t202 - 0x38), 0, 0,  *(_t202 - 0x68),  *(_t202 - 0x64),  *(_t202 - 0x48), 0, 0, 0x660046);
                                								_t154 =  *((intOrPtr*)( *((intOrPtr*)(_t202 - 0x24)) + 4));
                                							}
                                							E0127A14E( *(_t202 - 0x38), _t154);
                                							E0127A14E( *(_t202 - 0x78),  *((intOrPtr*)( *((intOrPtr*)(_t202 - 0x84)) + 4)));
                                							E0127A14E( *(_t202 - 0x48),  *((intOrPtr*)( *((intOrPtr*)(_t202 - 0x80)) + 4)));
                                						}
                                					}
                                				}
                                				 *(_t202 - 4) = 3;
                                				 *((intOrPtr*)(_t202 - 0x54)) = 0x138f578;
                                				E0127A27E(0, _t202 - 0x54, _t198, _t201, _t212);
                                				 *(_t202 - 4) = 2;
                                				 *((intOrPtr*)(_t202 - 0x2c)) = 0x138f588;
                                				E0127A27E(0, _t202 - 0x2c, _t198, _t201, _t212);
                                				 *(_t202 - 4) = 1;
                                				L01279E44(_t202 - 0x3c);
                                				 *(_t202 - 4) = 0;
                                				L01279E44(_t202 - 0x7c);
                                				 *(_t202 - 4) =  *(_t202 - 4) | 0xffffffff;
                                				L01279E44(_t202 - 0x4c);
                                				return L013696ED(0, _t198, _t201);
                                			}












                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0127A672
                                • CreateCompatibleDC.GDI32(00000000), ref: 0127A6CD
                                • CreateCompatibleDC.GDI32(00000000), ref: 0127A6E1
                                • CreateCompatibleDC.GDI32(00000000), ref: 0127A6F5
                                • GetObjectW.GDI32(00000004,00000018,?), ref: 0127A711
                                  • Part of subcall function 0127A0F1: DeleteObject.GDI32(00000000), ref: 0127A100
                                • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 0127A73E
                                • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0138F5A4), ref: 0127A75E
                                • CreatePatternBrush.GDI32(?), ref: 0127A76C
                                • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0127A78E
                                  • Part of subcall function 0127A14E: SelectObject.GDI32(?,?), ref: 0127A159
                                • GetPixel.GDI32(?,00000000,00000000), ref: 0127A7CE
                                  • Part of subcall function 0127940F: SetBkColor.GDI32(?,?), ref: 0127942D
                                  • Part of subcall function 0127940F: SetBkColor.GDI32(?,?), ref: 0127943A
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0127A7FA
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 0127A81E
                                  • Part of subcall function 012794D8: SetTextColor.GDI32(?,?), ref: 012794F6
                                  • Part of subcall function 012794D8: SetTextColor.GDI32(?,?), ref: 01279503
                                • FillRect.USER32(?,?,?), ref: 0127A882
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0127A8B2
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 0127A8C9
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0127A8DC
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Create$Color$BitmapCompatibleObject$DeleteText$BrushFillH_prolog3_H_prolog3_catch_PatternPixelRectSelect
                                • String ID:
                                • API String ID: 4007908622-0
                                • Opcode ID: d74c5f392befbbf6632b3c376c6601936e683bd876cf72a7b6ce4b03a4e562fb
                                • Instruction ID: dbbfdeb7a17dbe875d4a23c3f729b5be336f62bed6407c0eeb3a46861b0eb3a9
                                • Opcode Fuzzy Hash: d74c5f392befbbf6632b3c376c6601936e683bd876cf72a7b6ce4b03a4e562fb
                                • Instruction Fuzzy Hash: C891C0B1C1020EAEDF11AFE9DD849EEBFB9FF18364F248029E605A7160DA315D55DB20
                                Uniqueness

                                Uniqueness Score: 2.71%

                                C-Code - Quality: 76%
                                			E01280027(intOrPtr* __ecx, void* __edx, struct tagMSG* _a4, intOrPtr* _a8) {
                                				intOrPtr* _v8;
                                				struct tagPOINT _v16;
                                				struct tagMSG _v44;
                                				void* __ebx;
                                				int _t31;
                                				struct HWND__* _t34;
                                				int _t47;
                                				long _t61;
                                				intOrPtr _t65;
                                				int _t66;
                                				void* _t69;
                                				struct HWND__* _t70;
                                				void* _t78;
                                				struct tagMSG* _t80;
                                
                                				_t78 = __edx;
                                				_t80 = _a4;
                                				_t31 = _t80->message;
                                				_v8 = __ecx;
                                				if(_t31 == 0x367 || _t31 == 0x100 && _t80->wParam == 0x1b) {
                                					_push(1);
                                					_push(_t31);
                                					_push(_t31);
                                					_push(0);
                                					goto L37;
                                				} else {
                                					_v16.x = 0;
                                					_v16.y = 0;
                                					if(_t31 < 0x200 || _t31 > 0x209) {
                                						if(_t31 < 0xa0 || _t31 > 0xa9) {
                                							if(_t31 == 0x112 || _t31 >= 0x100 && _t31 <= 0x109) {
                                								_t34 = GetCapture();
                                								_t70 = PeekMessageW;
                                								if(_t34 == 0) {
                                									L29:
                                									if(PeekMessageW(_t80, 0, _t80->message, _t80->message, 0) == 0) {
                                										goto L35;
                                									}
                                									GetMessageW(_t80, 0, _t80->message, _t80->message);
                                									_push(_t80);
                                									if( *((intOrPtr*)( *_v8 + 0x10c))() != 0) {
                                										goto L35;
                                									}
                                									TranslateMessage(_t80);
                                									_t47 = _t80->message;
                                									if(_t47 == 0x112 || _t47 >= 0x104 && _t47 <= 0x107) {
                                										goto L34;
                                									} else {
                                										goto L35;
                                									}
                                								}
                                								ReleaseCapture();
                                								do {
                                								} while (PeekMessageW( &_v44, 0, 0x200, 0x209, 3) != 0);
                                								goto L29;
                                							} else {
                                								if(PeekMessageW(_t80, 0, _t31, _t31, 1) == 0) {
                                									goto L8;
                                								}
                                								goto L20;
                                							}
                                						} else {
                                							goto L7;
                                						}
                                					} else {
                                						L7:
                                						_t70 = L0127FF0C(_t69, _v8, _t78, _t80->pt, _t80->pt.y,  &_a4);
                                						if(_t70 != 0) {
                                							if(_a4 == 0) {
                                								PeekMessageW(_t80, 0, _t80->message, _t80->message, 1);
                                								L20:
                                								DispatchMessageW(_t80);
                                								goto L8;
                                							}
                                							if(_t80->message == 0x201) {
                                								_t61 = SendMessageW(_t70, 0x84, 0, (_t80->pt.y & 0x0000ffff) << 0x00000010 | _t80->pt & 0x0000ffff);
                                								if(_t61 == 5 || _t61 == 3) {
                                									ReleaseCapture();
                                									GetMessageW(_t80, 0, 0xa1, 0xa1);
                                									L34:
                                									DispatchMessageW(_t80);
                                									L35:
                                									GetCursorPos( &_v16);
                                									L0127FF0C(_t70, _v8, _t78, _v16.x, _v16.y, 0);
                                									goto L8;
                                								} else {
                                									if(_t61 != 1) {
                                										_t65 = L0127FDB2(_t61);
                                									} else {
                                										_t65 = L0127FD42(_t70, _t80->pt, _t80->pt.y);
                                									}
                                									_push(1);
                                									 *_a8 = _t65;
                                									_t66 = _t80->message;
                                									_push(_t66);
                                									_push(_t66);
                                									_push(0);
                                									L37:
                                									PeekMessageW(_t80, ??, ??, ??, ??);
                                									return 0;
                                								}
                                							}
                                							PeekMessageW(_t80, 0, _t80->message, _t80->message, 1);
                                						}
                                						L8:
                                						return 1;
                                					}
                                				}
                                			}


















                                APIs
                                • PeekMessageW.USER32(?,00000000,00000201,00000201,00000001), ref: 012800C0
                                • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 012800DD
                                • GetMessageW.USER32(?,00000000,000000A1,000000A1), ref: 01280127
                                  • Part of subcall function 0127FD42: ScreenToClient.USER32(?,?), ref: 0127FD51
                                  • Part of subcall function 0127FD42: SendMessageW.USER32(?,00000366,00000000,?), ref: 0127FD6D
                                  • Part of subcall function 0127FD42: ClientToScreen.USER32(?,?), ref: 0127FD7A
                                  • Part of subcall function 0127FD42: GetWindowLongW.USER32(?,000000F0), ref: 0127FD83
                                  • Part of subcall function 0127FD42: GetParent.USER32(?), ref: 0127FD91
                                • ReleaseCapture.USER32 ref: 01280118
                                • PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 0128013B
                                • DispatchMessageW.USER32 ref: 01280142
                                • PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 01280165
                                • GetCapture.USER32 ref: 01280175
                                • ReleaseCapture.USER32 ref: 01280185
                                • PeekMessageW.USER32(?,00000000,00000200,00000209,00000003), ref: 0128019C
                                • PeekMessageW.USER32(?,00000000,?,?,00000000), ref: 012801AA
                                • GetMessageW.USER32(?,00000000,?,?), ref: 012801B7
                                • TranslateMessage.USER32 ref: 012801CE
                                • DispatchMessageW.USER32 ref: 012801ED
                                • GetCursorPos.USER32(?), ref: 012801F7
                                  • Part of subcall function 0127FF0C: GetCapture.USER32 ref: 0127FF2A
                                  • Part of subcall function 0127FF0C: WindowFromPoint.USER32(?,?), ref: 0127FF39
                                  • Part of subcall function 0127FF0C: GetActiveWindow.USER32 ref: 0127FF5B
                                  • Part of subcall function 0127FF0C: GetCurrentThreadId.KERNEL32(00000000,?,00000000), ref: 0127FF73
                                  • Part of subcall function 0127FF0C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0127FF82
                                  • Part of subcall function 0127FF0C: GetDesktopWindow.USER32 ref: 0127FF8E
                                  • Part of subcall function 0127FF0C: SetCapture.USER32(00000000), ref: 0127FFCD
                                  • Part of subcall function 0127FF0C: ReleaseCapture.USER32 ref: 0127FFED
                                  • Part of subcall function 0127FF0C: ReleaseCapture.USER32 ref: 01280000
                                  • Part of subcall function 0127FF0C: SetCursor.USER32(00000000), ref: 0128000C
                                • PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 01280218
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Message$Capture$Peek$Window$Release$ClientCursorDispatchScreenSendThread$ActiveCurrentDesktopFromLongParentPointProcessTranslate
                                • String ID:
                                • API String ID: 2349713346-0
                                • Opcode ID: 3c0a205063513f8c15fe01829c4d920ed0b14f5a7b39e65a36af42598239aaef
                                • Instruction ID: 74c96cdfcbbdcca935b21ef24e3c0c6a327b960a7b9013eac8579895c27306f5
                                • Opcode Fuzzy Hash: 3c0a205063513f8c15fe01829c4d920ed0b14f5a7b39e65a36af42598239aaef
                                • Instruction Fuzzy Hash: 3051BE70622305BFEB316B68CC89EBF7ABCEB45711F104429F652D2181C6B4E9898779
                                Uniqueness

                                Uniqueness Score: 1.74%

                                C-Code - Quality: 99%
                                			E012BC4E2(void* __ebx, int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t158;
                                				struct HDC__* _t159;
                                				void* _t164;
                                				signed int _t166;
                                				signed int _t167;
                                				void* _t180;
                                				intOrPtr _t181;
                                				intOrPtr _t183;
                                				struct HDC__* _t184;
                                				void* _t189;
                                				intOrPtr _t190;
                                				void* _t208;
                                				intOrPtr _t209;
                                				void* _t213;
                                				void* _t215;
                                				intOrPtr _t216;
                                				int _t218;
                                				void* _t221;
                                				intOrPtr _t222;
                                				signed int _t225;
                                				struct HBITMAP__* _t231;
                                				intOrPtr* _t237;
                                				void* _t238;
                                				intOrPtr _t239;
                                				intOrPtr _t241;
                                				short _t247;
                                				int _t260;
                                				void* _t266;
                                				int _t268;
                                				void* _t271;
                                				int _t274;
                                				int _t276;
                                				void* _t277;
                                
                                				_t266 = __edx;
                                				_push(0x84);
                                				L0136966A(0x1381ed5, __ebx, __edi, __esi);
                                				 *((intOrPtr*)(_t277 - 0x78)) =  *((intOrPtr*)(_t277 + 8));
                                				_t276 = __ecx;
                                				_t274 = 0;
                                				 *(_t277 - 0x20) = 0;
                                				 *(_t277 - 0x1c) = 0;
                                				 *((intOrPtr*)(_t277 - 0x18)) = 0;
                                				 *((intOrPtr*)(_t277 - 0x14)) = 0;
                                				GetClientRect( *(__ecx + 0x20), _t277 - 0x20);
                                				_t241 =  *((intOrPtr*)(_t276 + 0xfc0));
                                				_t236 =  *((intOrPtr*)(_t276 + 0x138)) + _t241;
                                				 *(_t277 - 0x7c) = _t236;
                                				 *(_t277 - 0x74) =  *((intOrPtr*)(_t276 + 0x13c)) + _t241;
                                				L0127976C(_t277 - 0x6c);
                                				_t158 =  *((intOrPtr*)(_t277 - 0x78));
                                				 *(_t277 - 4) = 0;
                                				if(_t158 != 0) {
                                					_t159 =  *(_t158 + 4);
                                				} else {
                                					_t159 = 0;
                                				}
                                				if(L01279DC3(_t236, _t277 - 0x6c, _t266, _t274, CreateCompatibleDC(_t159)) == 0) {
                                					L56:
                                					 *(_t277 - 4) =  *(_t277 - 4) | 0xffffffff;
                                					L01279E44(_t277 - 0x6c);
                                					return L013696ED(_t236, _t274, _t276);
                                				} else {
                                					_t164 = _t276 + 0xfa4;
                                					if(_t164 == _t274 ||  *((intOrPtr*)(_t164 + 4)) == _t274) {
                                						if(L01293699(_t274) == 3 ||  *0x13d6594 > 8) {
                                							_t166 =  *(_t277 - 0x74);
                                							 *(_t277 - 0x50) = _t166;
                                							_t167 = _t166 * _t236;
                                							 *((short*)(_t277 - 0x4c)) = 1;
                                							_t247 = 0x20;
                                							 *(_t277 - 0x70) = _t167;
                                							 *(_t277 - 0x44) = _t167;
                                							 *(_t277 - 0x54) = _t236;
                                							_t236 = CreateDIBSection;
                                							 *(_t277 - 0x58) = 0x28;
                                							 *((short*)(_t277 - 0x4a)) = _t247;
                                							 *(_t277 - 0x48) = _t274;
                                							 *(_t277 - 0x40) = _t274;
                                							 *(_t277 - 0x3c) = _t274;
                                							 *(_t277 - 0x38) = _t274;
                                							 *(_t277 - 0x34) = _t274;
                                							if(CreateDIBSection( *(_t277 - 0x68), _t277 - 0x58, _t274, _t276 + 0xfb4, _t274, _t274) == _t274 ||  *(_t276 + 0xfb4) == _t274) {
                                								goto L56;
                                							} else {
                                								E0127A097(CreateDIBSection, _t276 + 0xf9c, _t266, _t274, _t170);
                                								if(CreateDIBSection( *(_t277 - 0x68), _t277 - 0x58, _t274, _t276 + 0xfb8, _t274, _t274) == _t274 ||  *(_t276 + 0xfb8) == _t274) {
                                									goto L56;
                                								} else {
                                									E0127A097(CreateDIBSection, _t276 + 0xfa4, _t266, _t274, _t174);
                                									if(CreateDIBSection( *(_t277 - 0x68), _t277 - 0x58, _t274, _t276 + 0xfbc, _t274, _t274) == _t274 ||  *(_t276 + 0xfbc) == _t274) {
                                										goto L56;
                                									} else {
                                										E0127A097(CreateDIBSection, _t276 + 0xfac, _t266, _t274, _t178);
                                										_t180 = _t276 + 0xf9c;
                                										if(_t180 != _t274) {
                                											_t181 =  *((intOrPtr*)(_t180 + 4));
                                										} else {
                                											_t181 = 0;
                                										}
                                										 *(_t277 - 0x5c) = E0127A14E( *(_t277 - 0x68), _t181);
                                										_t183 =  *((intOrPtr*)(_t277 - 0x78));
                                										if(_t183 != _t274) {
                                											_t184 =  *(_t183 + 4);
                                										} else {
                                											_t184 = 0;
                                										}
                                										BitBlt( *(_t277 - 0x68), _t274, _t274,  *(_t277 - 0x7c),  *(_t277 - 0x74), _t184,  *(_t277 - 0x20),  *(_t277 - 0x1c), 0xcc0020);
                                										E01368CC0( *(_t276 + 0xfb8),  *(_t276 + 0xfb4),  *(_t277 - 0x70) << 2);
                                										_t189 = _t276 + 0xfa4;
                                										if(_t189 != _t274) {
                                											_t190 =  *((intOrPtr*)(_t189 + 4));
                                										} else {
                                											_t190 = 0;
                                										}
                                										E0127A14E( *(_t277 - 0x68), _t190);
                                										goto L28;
                                									}
                                								}
                                							}
                                						} else {
                                							_t231 = CreateCompatibleBitmap( *( *((intOrPtr*)(_t277 - 0x78)) + 4), _t236,  *(_t277 - 0x74));
                                							_t238 = _t276 + 0xfa4;
                                							E0127A097(_t238, _t238, _t266, _t274, _t231);
                                							if(_t238 != _t274) {
                                								_t239 =  *((intOrPtr*)(_t238 + 4));
                                							} else {
                                								_t239 = 0;
                                							}
                                							 *(_t277 - 0x5c) = E0127A14E( *(_t277 - 0x68), _t239);
                                							L28:
                                							 *(_t277 - 0x30) = _t274;
                                							 *(_t277 - 0x2c) = _t274;
                                							 *(_t277 - 0x28) = _t274;
                                							 *(_t277 - 0x24) = _t274;
                                							 *((intOrPtr*)( *_t276 + 0x1e4))(_t277 - 0x6c);
                                							_t237 =  *((intOrPtr*)( *_t276 + 0x1c0))();
                                							GetWindowRect( *(_t237 + 0x20), _t277 - 0x30);
                                							L01279BD6(_t276, _t277 - 0x30);
                                							 *((intOrPtr*)( *((intOrPtr*)(_t277 - 0x6c)) + 0x38))(_t277 - 0x88,  *(_t277 - 0x30),  *(_t277 - 0x2c));
                                							 *((intOrPtr*)( *_t237 + 0x260))(_t277 - 0x6c);
                                							 *((intOrPtr*)( *((intOrPtr*)(_t277 - 0x6c)) + 0x38))(_t277 - 0x90, _t274, _t274);
                                							_t208 =  *(_t277 - 0x5c);
                                							if(_t208 != _t274) {
                                								_t209 =  *((intOrPtr*)(_t208 + 4));
                                							} else {
                                								_t209 = 0;
                                							}
                                							E0127A14E( *(_t277 - 0x68), _t209);
                                							goto L32;
                                						}
                                					} else {
                                						L32:
                                						_t236 =  *(_t276 + 0xfb8);
                                						 *(_t277 - 0x70) =  *(_t276 + 0xfb4);
                                						 *(_t277 - 0x5c) =  *(_t276 + 0xfbc);
                                						_t213 = L01293699(_t274);
                                						if(_t213 <= _t274) {
                                							L55:
                                							E0127A14E( *(_t277 - 0x68), _t274);
                                							goto L56;
                                						}
                                						if(_t213 <= 2) {
                                							_t215 = _t276 + 0xfa4;
                                							if(_t215 != _t274) {
                                								_t216 =  *((intOrPtr*)(_t215 + 4));
                                							} else {
                                								_t216 = 0;
                                							}
                                							_t236 = E0127A14E( *(_t277 - 0x68), _t216);
                                							if( *((intOrPtr*)(_t276 + 0xee4)) == _t274) {
                                								_t268 =  *((intOrPtr*)(_t277 - 0x14)) -  *(_t276 + 0xedc);
                                							} else {
                                								_t268 =  *(_t277 - 0x1c);
                                							}
                                							if( *((intOrPtr*)(_t276 + 0xee0)) == _t274) {
                                								_t260 =  *((intOrPtr*)(_t277 - 0x18)) -  *((intOrPtr*)(_t276 + 0xed8));
                                							} else {
                                								_t260 =  *(_t277 - 0x20);
                                							}
                                							_t218 =  *(_t276 + 0xedc);
                                							BitBlt( *( *((intOrPtr*)(_t277 - 0x78)) + 4), _t260, _t268, _t276, _t218,  *(_t277 - 0x68), _t274, _t274, 0xcc0020);
                                							L53:
                                							if(_t236 != _t274) {
                                								_t274 =  *(_t236 + 4);
                                							}
                                							goto L55;
                                						}
                                						if(_t213 != 3) {
                                							goto L55;
                                						}
                                						_t221 = _t276 + 0xfac;
                                						if(_t221 != _t274) {
                                							_t222 =  *((intOrPtr*)(_t221 + 4));
                                						} else {
                                							_t222 = 0;
                                						}
                                						 *(_t277 - 0x84) = E0127A14E( *(_t277 - 0x68), _t222);
                                						_t225 =  *(_t277 - 0x74) *  *(_t277 - 0x7c);
                                						if(_t225 <= _t274) {
                                							L42:
                                							BitBlt( *( *((intOrPtr*)(_t277 - 0x78)) + 4),  *(_t277 - 0x20),  *(_t277 - 0x1c),  *(_t277 - 0x7c),  *(_t277 - 0x74),  *(_t277 - 0x68), _t274, _t274, 0xcc0020);
                                							_t236 =  *(_t277 - 0x84);
                                							goto L53;
                                						} else {
                                							_t262 =  *(_t277 - 0x70) - _t236;
                                							 *(_t277 - 0x70) =  *(_t277 - 0x70) - _t236;
                                							 *((intOrPtr*)(_t277 - 0x80)) =  *(_t277 - 0x5c) - _t236;
                                							 *(_t277 - 0x5c) = _t225;
                                							while(1) {
                                								_t271 = 0x64;
                                								 *((intOrPtr*)( *((intOrPtr*)(_t277 - 0x80)) + _t236)) = E012FC2CA( *((intOrPtr*)(_t262 + _t236)),  *_t236, _t271 -  *((intOrPtr*)(_t276 + 0xf24)));
                                								_t236 = _t236 + 4;
                                								_t119 = _t277 - 0x5c;
                                								 *_t119 =  *(_t277 - 0x5c) - 1;
                                								if( *_t119 == 0) {
                                									goto L42;
                                								}
                                								_t262 =  *(_t277 - 0x70);
                                							}
                                							goto L42;
                                						}
                                					}
                                				}
                                			}




































                                0x012bc714
                                0x012bc71c
                                0x012bc71f
                                0x012bc722
                                0x012bc725
                                0x012bc728
                                0x012bc738
                                0x012bc741
                                0x012bc74d
                                0x012bc765
                                0x012bc770
                                0x012bc785
                                0x012bc788
                                0x012bc78d
                                0x012bc793
                                0x012bc78f
                                0x012bc78f
                                0x012bc78f
                                0x012bc79a
                                0x00000000
                                0x012bc79a
                                0x012bc79f
                                0x012bc79f
                                0x012bc7a5
                                0x012bc7ab
                                0x012bc7b5
                                0x012bc7b8
                                0x012bc7bf
                                0x012bc8dd
                                0x012bc8e1
                                0x00000000
                                0x012bc8e1
                                0x012bc7c8
                                0x012bc868
                                0x012bc870
                                0x012bc876
                                0x012bc872
                                0x012bc872
                                0x012bc872
                                0x012bc882
                                0x012bc88a
                                0x012bc894
                                0x012bc88c
                                0x012bc88c
                                0x012bc88c
                                0x012bc8a0
                                0x012bc8aa
                                0x012bc8a2
                                0x012bc8a2
                                0x012bc8a2
                                0x012bc8b0
                                0x012bc8d0
                                0x012bc8d6
                                0x012bc8d8
                                0x012bc8da
                                0x012bc8da
                                0x00000000
                                0x012bc8d8
                                0x012bc7d1
                                0x00000000
                                0x00000000
                                0x012bc7d7
                                0x012bc7df
                                0x012bc7e5
                                0x012bc7e1
                                0x012bc7e1
                                0x012bc7e1
                                0x012bc7f1
                                0x012bc7fa
                                0x012bc800
                                0x012bc83e
                                0x012bc85a
                                0x012bc860
                                0x00000000
                                0x012bc802
                                0x012bc808
                                0x012bc80c
                                0x012bc80f
                                0x012bc812
                                0x012bc81a
                                0x012bc821
                                0x012bc833
                                0x012bc836
                                0x012bc839
                                0x012bc839
                                0x012bc83c
                                0x00000000
                                0x00000000
                                0x012bc817
                                0x012bc817
                                0x00000000
                                0x012bc81a
                                0x012bc800
                                0x012bc569

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012BC4EC
                                • GetClientRect.USER32 ref: 012BC50E
                                • CreateCompatibleDC.GDI32(?), ref: 012BC54A
                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 012BC592
                                • CreateDIBSection.GDI32 ref: 012BC60F
                                • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 012BC642
                                • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 012BC675
                                  • Part of subcall function 0127A14E: SelectObject.GDI32(?,?), ref: 0127A159
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 012BC6D9
                                • _memmove.LIBCMT ref: 012BC6F2
                                • GetWindowRect.USER32 ref: 012BC741
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                • BitBlt.GDI32(?,?,00000000,?,?,?,00000000,00000000,00CC0020), ref: 012BC85A
                                • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 012BC8D0
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Create$ClientSection$CompatibleRectScreen$BitmapDeleteH_prolog3_ObjectSelectWindow_memmove
                                • String ID: (
                                • API String ID: 1243543549-3887548279
                                • Opcode ID: d55932225671723d8649c47a54b08bbc18ab801cf8d2ede68615cebdf6dd5978
                                • Instruction ID: 178e5880efcee00373676083ffbef02b5fffe6b43b1b46d51d9f7a683c44c19c
                                • Opcode Fuzzy Hash: d55932225671723d8649c47a54b08bbc18ab801cf8d2ede68615cebdf6dd5978
                                • Instruction Fuzzy Hash: 3CD1077191060ADFDB22DFA8C884DEEFBB9FF88350F14452AE61AA7215D730A851DF10
                                Uniqueness

                                Uniqueness Score: 16.53%

                                C-Code - Quality: 87%
                                			E012C4871(struct HWND__* __ecx, long __edx, RECT* _a4, intOrPtr _a8) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				struct tagRECT _v72;
                                				struct tagRECT _v88;
                                				struct HWND__* _v92;
                                				struct HWND__* _v96;
                                				intOrPtr* _v100;
                                				int _v104;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t174;
                                				intOrPtr _t223;
                                				void* _t226;
                                				struct HWND__* _t227;
                                				signed int _t228;
                                				struct HWND__* _t235;
                                				RECT* _t264;
                                				struct HWND__* _t268;
                                				struct HWND__* _t303;
                                				signed int _t305;
                                
                                				_t295 = __edx;
                                				_t174 =  *0x13d3570; // 0x99b5b578
                                				_t175 = _t174 ^ _t305;
                                				_v8 = _t174 ^ _t305;
                                				_t264 = _a4;
                                				_t301 = __ecx;
                                				_t303 = 0;
                                				_v92 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x2910)) != 0) {
                                					L33:
                                					return L01367D3E(_t175, _t264, _v8 ^ _t305, _t295, _t301, _t303);
                                				}
                                				if( *((intOrPtr*)(__ecx + 0x2908)) == 0) {
                                					_t268 = __ecx + 0x74;
                                					_v96 = _t268;
                                					if(_t268 == 0 ||  *((intOrPtr*)(_t268 + 0x20)) == 0) {
                                						L19:
                                						E01280DD4(_t301, _t264, _a8);
                                						_t301 = _v96;
                                						_v104 =  *((intOrPtr*)( *_t301 + 0x208))();
                                						_v92 = _t303;
                                						if( *((intOrPtr*)( *_t301 + 0x1a8))() <= 0) {
                                							goto L33;
                                						}
                                						while(1) {
                                							_t301 =  *((intOrPtr*)( *_t301 + 0x1ac))(_v92);
                                							if(_t301 == _t303 ||  *(_t301 + 0x20) == _t303) {
                                								goto L32;
                                							}
                                							if((E01286848(_t301) & 0x20000000) != 0 && (E01286848(_t301) & 0x00080000) == 0) {
                                								E0128699F(_t301, 9);
                                							}
                                							_v100 = 0x10;
                                							if(_v92 != _v104) {
                                								_v100 = 0x1c;
                                							}
                                							_v24.left = _t303;
                                							_v24.right = _t264->right - _t264->left;
                                							_v24.top = _t303;
                                							_v24.bottom = _t264->bottom - _t264->top;
                                							_v40.left = _t303;
                                							_v40.top = _t303;
                                							_v40.right = _t303;
                                							_v40.bottom = _t303;
                                							GetClientRect( *(_t301 + 0x20),  &_v40);
                                							L01279C17(_t301,  &_v40);
                                							_v56.left = _t303;
                                							_v56.top = _t303;
                                							_v56.right = _t303;
                                							_v56.bottom = _t303;
                                							GetWindowRect( *(_t301 + 0x20),  &_v56);
                                							_v24.left = _v24.left + _v56.left - _v40.left;
                                							_v24.top = _v24.top + _v56.top - _v40.top;
                                							_v24.right = _v24.right + _v56.right - _v40.right;
                                							_v24.bottom = _v24.bottom + _v56.bottom - _v40.bottom;
                                							if(EqualRect( &_v40,  &_v24) != 0) {
                                								goto L33;
                                							} else {
                                								if((E01286848(_t301) & 0x00080000) == 0) {
                                									E01286A31(_t301, 0x13d7e28, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, _v100);
                                								}
                                							}
                                							L32:
                                							_v92 =  &(_v92->i);
                                							if(_v92 <  *((intOrPtr*)( *_v96 + 0x1a8))()) {
                                								_t301 = _v96;
                                								continue;
                                							}
                                							goto L33;
                                						}
                                					} else {
                                						if( *((intOrPtr*)(__ecx + 0x2878)) == 0) {
                                							E0128699F(_t268, 0);
                                						} else {
                                							_v72.left = 0;
                                							_v72.top = 0;
                                							_v72.right = 0;
                                							_v72.bottom = 0;
                                							GetWindowRect( *(__ecx + 0x94),  &_v72);
                                							E01286A31(_v96, 0, _t264->left, _t264->top, _t264->right - _t264->left, _t264->bottom - _t264->top, 0x14);
                                							_v40.left = 0;
                                							_v40.top = 0;
                                							_v40.right = 0;
                                							_v40.bottom = 0;
                                							GetClientRect( *(_t301 + 0x94),  &_v40);
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							_t264->top = _t264->top + _v88.top - _v40.top;
                                							_t264->bottom = _t264->bottom + _v88.bottom - _v40.bottom;
                                							_t264->left = _t264->left + _v88.left - _v40.left;
                                							_t264->right = _t264->right + _v88.right - _v40.right;
                                							E0128699F(_v96, 8);
                                							_v24.left = 0;
                                							_v24.top = 0;
                                							_v24.right = 0;
                                							_v24.bottom = 0;
                                							GetWindowRect( *(_v92 + 0x94),  &_v24);
                                							EqualRect( &_v72,  &_v24);
                                							_t301 = _v92;
                                							_t303 = 0;
                                						}
                                						_v56.left = _t303;
                                						_v56.top = _t303;
                                						_v56.right = _t303;
                                						_v56.bottom = _t303;
                                						GetWindowRect( *(_t301 + 0x20),  &_v56);
                                						_t295 = _t264->top;
                                						_v104 = _t264->bottom - _t264->top - _v56.bottom + _v56.top;
                                						E01286A31(_t301, _t303, _t264->left, _t264->top, _t264->right - _t264->left, _t264->bottom - _t264->top, 0x14);
                                						_t223 = E012789CC(0x1391888, L01283CA8(_t301));
                                						_v100 = _t223;
                                						if(_t223 != _t303) {
                                							CopyRect( &_v88, _t264);
                                							_t295 =  &_v56;
                                							 *((intOrPtr*)( *_v100 + 0x1f8))( &_v56,  &_v88);
                                						}
                                						if( *((intOrPtr*)(_t301 + 0x2878)) == _t303) {
                                							_v72.left = _t303;
                                							_v72.top = _t303;
                                							_v72.right = _t303;
                                							_v72.bottom = _t303;
                                							GetClientRect( *(_t301 + 0x20),  &_v72);
                                							_t226 = L01283CA8(_t301);
                                							_push(5);
                                							_push( *((intOrPtr*)(_t226 + 0x110)));
                                							while(1) {
                                								_t227 = GetWindow();
                                								_v92 = _t227;
                                								if(_t227 == _t303) {
                                									goto L19;
                                								}
                                								_t228 = GetWindowLongW(_v92, 0xfffffff0);
                                								if((_t228 & 0x01000000) != 0) {
                                									goto L19;
                                								}
                                								if((_t228 & 0x20000000) != 0) {
                                									_v24.left = _t303;
                                									_v24.top = _t303;
                                									_v24.right = _t303;
                                									_v24.bottom = _t303;
                                									GetWindowRect(_v92,  &_v24);
                                									L01279BD6(_t301,  &_v24);
                                									OffsetRect( &_v24, _t303, _v104);
                                									_t235 = _v72.top;
                                									if(_v24.top < _t235) {
                                										_v24.top = _t235;
                                									}
                                									SetWindowPos(_v92, _t303, _v24, _v24.top, _t303, _t303, 0x15);
                                								}
                                								_push(2);
                                								_push(_v92);
                                							}
                                						}
                                						goto L19;
                                					}
                                				}
                                				_push(_a8);
                                				E012C41BF(__ecx, _t264);
                                				_t175 = E01280DD4(__ecx, _t264, _a8);
                                				goto L33;
                                			}

                                APIs
                                • GetWindowRect.USER32 ref: 012C48F6
                                • GetClientRect.USER32 ref: 012C4930
                                • GetWindowRect.USER32 ref: 012C498B
                                • EqualRect.USER32 ref: 012C4999
                                • GetWindowRect.USER32 ref: 012C49BF
                                  • Part of subcall function 01283CA8: GetParent.USER32(?), ref: 01283CD2
                                • CopyRect.USER32(?,?), ref: 012C4A0D
                                • GetClientRect.USER32 ref: 012C4A45
                                • GetWindowLongW.USER32(?,000000F0), ref: 012C4A61
                                • GetWindowRect.USER32 ref: 012C4A88
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                • OffsetRect.USER32 ref: 012C4AA1
                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015), ref: 012C4AC0
                                • GetWindow.USER32(?,00000005), ref: 012C4ACB
                                  • Part of subcall function 01280DD4: AdjustWindowRectEx.USER32(?,00000000,00000000,00000000), ref: 01280DFA
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                • GetClientRect.USER32 ref: 012C4B92
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                • GetWindowRect.USER32 ref: 012C4BB6
                                • EqualRect.USER32 ref: 012C4BE8
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                  • Part of subcall function 0128699F: ShowWindow.USER32(00000000,?), ref: 012869B0
                                  • Part of subcall function 012C41BF: GetWindowRect.USER32 ref: 012C428D
                                  • Part of subcall function 012C41BF: GetWindowRect.USER32 ref: 012C4365
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Window$Client$Screen$EqualExceptionFilterLongProcessUnhandled$AdjustCopyCurrentDebuggerOffsetParentPresentShowTerminate
                                • String ID:
                                • API String ID: 442688275-0
                                • Opcode ID: a16395588f19ab11022b6fff694af3d59d6277ad90a61230a858e8dbb57e3952
                                • Instruction ID: 2cfe7853e83d7b086b5a9cac7f443fe55ba7de02054bccdfc5f989f1fe148956
                                • Opcode Fuzzy Hash: a16395588f19ab11022b6fff694af3d59d6277ad90a61230a858e8dbb57e3952
                                • Instruction Fuzzy Hash: EAD11671E1021AEFCF15EFA8C9949EEBBB9FF48700F14411AE615A7254D770AA41CFA0
                                Uniqueness

                                Uniqueness Score: 3.32%

                                C-Code - Quality: 73%
                                			E012C44B9(void* __ecx, signed int __edx, void* __eflags, unsigned int _a8) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				signed int _v36;
                                				char _v40;
                                				struct tagRECT _v56;
                                				struct tagRECT _v72;
                                				struct HINSTANCE__* _v76;
                                				struct tagPOINT _v84;
                                				signed int _v88;
                                				long _v92;
                                				struct tagPOINT _v100;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t95;
                                				unsigned int _t100;
                                				signed int _t102;
                                				struct HINSTANCE__* _t115;
                                				struct HINSTANCE__* _t118;
                                				signed int _t121;
                                				long _t123;
                                				int _t129;
                                				void* _t168;
                                				void* _t169;
                                				long _t173;
                                				struct HINSTANCE__* _t181;
                                				signed int _t182;
                                				intOrPtr* _t183;
                                				struct HINSTANCE__* _t199;
                                				intOrPtr* _t203;
                                				signed int _t206;
                                
                                				_t190 = __edx;
                                				_t170 = __ecx;
                                				_t95 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t95 ^ _t206;
                                				_t169 = __ecx;
                                				_t194 = E012789CC(0x139900c, E01282D05(_t169, _t170, _t190, GetCapture()));
                                				_t199 = 0;
                                				_v100.y = _t194;
                                				if(_t194 != 0) {
                                					__eflags =  *((intOrPtr*)(_t169 + 0x28dc)) - 1;
                                					if( *((intOrPtr*)(_t169 + 0x28dc)) != 1) {
                                						L4:
                                						_t100 = _a8;
                                						_t190 = _t194->left;
                                						_t173 = _t100;
                                						_t102 = _t100 >> 0x10;
                                						_v92 = _t173;
                                						_v88 = _t102;
                                						__eflags =  *((intOrPtr*)(_t194->left + 0x160))(_t173, _t102);
                                						if(__eflags == 0) {
                                							_v84.x = _v92;
                                							_v84.y = _v88;
                                							ClientToScreen( *(_t194 + 0x20),  &_v84);
                                							_v56.left = _t199;
                                							_v56.top = _t199;
                                							_v56.right = _t199;
                                							_v56.bottom = _t199;
                                							GetClientRect( *(_t169 + 0x20),  &_v56);
                                							L01279C17(_t169,  &_v56);
                                							__eflags =  *0x13d64e0 - _t199; // 0x0
                                							if(__eflags == 0) {
                                								E012792EF(_t169, _t194, _t199, __eflags);
                                								 *0x13d64e0 = LoadCursorW( *(E012792EF(_t169, _t194, _t199, __eflags) + 0xc), 0x4297);
                                								E012792EF(_t169, LoadCursorW, _t199, __eflags);
                                								 *0x13d64e4 = LoadCursorW( *(E012792EF(_t169, LoadCursorW, _t199, __eflags) + 0xc), 0x4298);
                                							}
                                							_push(_v84.y);
                                							__eflags = PtInRect( &_v56, _v84.x);
                                							if(__eflags != 0) {
                                								SetCursor( *0x13d64e0);
                                								_t115 = L012C3CD1(_t169, _t169, _t190, _v84.x, _v84.y);
                                								_v76 = _t115;
                                								__eflags = _t115 - _t199;
                                								if(__eflags == 0) {
                                									goto L6;
                                								} else {
                                									_v24.left = _t199;
                                									_v24.top = _t199;
                                									_v24.right = _t199;
                                									_v24.bottom = _t199;
                                									GetWindowRect( *(_t115 + 0x20),  &_v24);
                                									_t121 =  *(_t169 + 0x2968);
                                									_t181 = _v24.bottom;
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									__eflags = _t121;
                                									if(_t121 != 0) {
                                										__eflags = _t121 - 1;
                                										_t51 = _t121 == 1;
                                										__eflags = _t51;
                                										_t190 = 0 | _t51;
                                									} else {
                                										__eflags = _v24.right - _v84.x - _t181 - _v84.y;
                                										_t190 = 0 | _v24.right - _v84.x - _t181 - _v84.y < 0x00000000;
                                										_t121 =  *(_t169 + 0x2968);
                                									}
                                									__eflags = _t121 - 1;
                                									if(_t121 == 1) {
                                										L19:
                                										_t123 = _v24.right -  *((intOrPtr*)(_t169 + 0x2934));
                                										__eflags = _t123;
                                										_v88 = 1;
                                										_v72.left = _t123;
                                									} else {
                                										__eflags = _t190;
                                										if(_t190 != 0) {
                                											goto L19;
                                										} else {
                                											_v88 = _v88 & _t190;
                                											_v72.top = _t181 -  *((intOrPtr*)(_t169 + 0x2934));
                                										}
                                									}
                                									__eflags = _v88;
                                									_t203 =  &_v24;
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									if(_v88 == 0) {
                                										asm("cdq");
                                										_t182 = _t181 - (_t181 - _v24.top - _t190 >> 1);
                                										__eflags = _t182;
                                										_v36 = _t182;
                                									} else {
                                										asm("cdq");
                                										_v40 = _v24.right - (_v24.right - _v24.left - _t190 >> 1);
                                									}
                                									_push(_v84.y);
                                									_t129 = PtInRect( &_v72, _v84.x);
                                									__eflags = _t129;
                                									if(_t129 != 0) {
                                										_t183 = _v100.y;
                                										__eflags = _v76 - _t183;
                                										if(__eflags == 0) {
                                											__eflags =  *((intOrPtr*)( *_t183 + 0x1a8))() - 1;
                                											if(__eflags == 0) {
                                												goto L29;
                                											}
                                										}
                                									} else {
                                										_t203 = _v76;
                                										__eflags = _t203 - _v100.y;
                                										if(__eflags == 0) {
                                											L29:
                                											_push( &_v40);
                                											goto L30;
                                										} else {
                                											_v100.x = _v84;
                                											_v100.y = _v84.y;
                                											ScreenToClient( *(_t203 + 0x20),  &_v100);
                                											__eflags =  *((intOrPtr*)( *_t203 + 0x160))(_v100.x, _v100.y);
                                											_push( &_v40);
                                											if(__eflags == 0) {
                                												L30:
                                												SetRectEmpty();
                                											} else {
                                												_t203 = _t203 + 0x2a0;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												L01279C17(_v76);
                                											}
                                										}
                                									}
                                									_t194 = _t169 + 0x293c;
                                									_push(_t169 + 0x293c);
                                									_push( &_v40);
                                									L012C3D56(_t169, _t169, _t190, _t169 + 0x293c, _t203, __eflags);
                                									_t199 =  &_v40;
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									 *(_t169 + 0x290c) = _v88;
                                									asm("movsd");
                                									_t118 = 1;
                                									__eflags = 1;
                                								}
                                							} else {
                                								SetCursor( *0x13d64e4);
                                								_v76 = 1;
                                								goto L7;
                                							}
                                						} else {
                                							E012792EF(_t169, _t194, _t199, __eflags);
                                							SetCursor(LoadCursorW(_t199, 0x7f00));
                                							L6:
                                							_v76 = _t199;
                                							L7:
                                							_t194 = _t169 + 0x293c;
                                							_push(_t194);
                                							_push(_t199);
                                							L012C3D56(_t169, _t169, _t190, _t194, _t199, __eflags);
                                							SetRectEmpty(_t194);
                                							_t118 = _v76;
                                						}
                                					} else {
                                						_t168 =  *((intOrPtr*)(_t194->left + 0x1a8))();
                                						__eflags = _t168 - 1;
                                						if(_t168 == 1) {
                                							goto L1;
                                						} else {
                                							goto L4;
                                						}
                                					}
                                				} else {
                                					L1:
                                					_t118 = 0;
                                				}
                                				return L01367D3E(_t118, _t169, _v8 ^ _t206, _t190, _t194, _t199);
                                 			}

                                APIs
                                • GetCapture.USER32 ref: 012C44D0
                                • LoadCursorW.USER32 ref: 012C453E
                                • SetCursor.USER32(00000000), ref: 012C4545
                                  • Part of subcall function 012C3D56: __EH_prolog3_GS.LIBCMT ref: 012C3D5D
                                  • Part of subcall function 012C3D56: GetDesktopWindow.USER32 ref: 012C3D6B
                                  • Part of subcall function 012C3D56: SetRectEmpty.USER32 ref: 012C3DA2
                                  • Part of subcall function 012C3D56: SetRectEmpty.USER32 ref: 012C3DB4
                                  • Part of subcall function 012C3D56: CopyRect.USER32(?,?), ref: 012C3DBF
                                  • Part of subcall function 012C3D56: CopyRect.USER32(?,?), ref: 012C3DDB
                                • ClientToScreen.USER32(?,?), ref: 012C457F
                                • GetClientRect.USER32 ref: 012C4598
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                • LoadCursorW.USER32 ref: 012C45CA
                                • LoadCursorW.USER32 ref: 012C45E4
                                • PtInRect.USER32(?,?,?), ref: 012C45F5
                                • SetCursor.USER32 ref: 012C4605
                                • SetCursor.USER32 ref: 012C461D
                                  • Part of subcall function 012C3CD1: GetWindowRect.USER32 ref: 012C3D1D
                                  • Part of subcall function 012C3CD1: PtInRect.USER32(00000000,00000000,00000000), ref: 012C3D2D
                                • GetWindowRect.USER32 ref: 012C464E
                                • PtInRect.USER32(?,?,?), ref: 012C46F9
                                • ScreenToClient.USER32(?,?), ref: 012C471E
                                • SetRectEmpty.USER32 ref: 012C476B
                                • SetRectEmpty.USER32 ref: 012C455E
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Cursor$Client$EmptyScreen$LoadWindow$CopyExceptionFilterProcessUnhandled$CaptureCurrentDebuggerDesktopH_prolog3_PresentTerminate
                                • String ID:
                                • API String ID: 2711685663-0
                                • Opcode ID: b1142c05465998330e9b384552b951f7c77d66c086f5e7c7640d06659e8d0745
                                • Instruction ID: dc1d50f97333f718c85bf56794583671ec9551e3224b67756b18ab2dc36fa421
                                • Opcode Fuzzy Hash: b1142c05465998330e9b384552b951f7c77d66c086f5e7c7640d06659e8d0745
                                • Instruction Fuzzy Hash: 4BA13971E11259DFCF15EFA8D9888EEBBBAFF48700F144129EA05EB208D771A905CB50
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 74%
                                			E012BC93E(intOrPtr* __ecx, int __edx, intOrPtr _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				int _v60;
                                				intOrPtr _v64;
                                				intOrPtr* _v68;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t114;
                                				signed int _t121;
                                				intOrPtr _t126;
                                				int _t144;
                                				intOrPtr _t169;
                                				void* _t176;
                                				void* _t178;
                                				intOrPtr _t182;
                                				intOrPtr* _t183;
                                				intOrPtr _t194;
                                				RECT* _t200;
                                				RECT* _t201;
                                				void* _t202;
                                				int _t210;
                                				void* _t211;
                                				signed int _t214;
                                				intOrPtr _t215;
                                
                                				_t196 = __edx;
                                				_t114 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t114 ^ _t214;
                                				_t183 = __ecx;
                                				_v68 =  *((intOrPtr*)( *__ecx + 0x1c0))();
                                				_v24.left = 0;
                                				_v24.top = 0;
                                				_v24.right = 0;
                                				_v24.bottom = 0;
                                				GetClientRect( *(__ecx + 0x20),  &_v24);
                                				_t215 =  *0x13d83d4; // 0x0
                                				if(_t215 == 0) {
                                					_t182 =  *((intOrPtr*)(_t183 + 0xfc0));
                                					_v24.right = _v24.right - _t182;
                                					_v24.bottom = _v24.bottom - _t182;
                                				}
                                				_t121 =  *((intOrPtr*)( *_t183 + 0x204))();
                                				_v60 = _t121;
                                				InflateRect( &_v24,  ~_t121,  ~_t121);
                                				_t126 =  *((intOrPtr*)(_t183 + 0xed4));
                                				if(_t126 == 0) {
                                					_v24.left = _v24.left +  *((intOrPtr*)(_t183 + 0xecc));
                                				} else {
                                					_t176 = _t126 - 1;
                                					if(_t176 == 0) {
                                						_v24.right = _v24.right -  *((intOrPtr*)(_t183 + 0xecc));
                                					} else {
                                						_t178 = _t176 - 1;
                                						if(_t178 == 0) {
                                							_v24.top = _v24.top +  *((intOrPtr*)(_t183 + 0xecc));
                                						} else {
                                							if(_t178 == 1) {
                                								_v24.bottom = _v24.bottom -  *((intOrPtr*)(_t183 + 0xecc));
                                							}
                                						}
                                					}
                                				}
                                				_v24.top = _v24.top +  *((intOrPtr*)(_t183 + 0xfec)) -  *((intOrPtr*)(_t183 + 0xfe4));
                                				if( *((intOrPtr*)(_t183 + 0x1088)) == 0) {
                                					_v24.bottom = _v24.bottom +  *((intOrPtr*)(_t183 + 0x10a4)) -  *((intOrPtr*)(_t183 + 0x10ac));
                                				} else {
                                					_v24.top = _v24.top +  *((intOrPtr*)(_t183 + 0x10ac)) -  *((intOrPtr*)(_t183 + 0x10a4));
                                				}
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				SetRectEmpty(_t183 + 0xef8);
                                				SetRectEmpty(_t183 + 0xf08);
                                				_t210 = 0;
                                				_v64 = 0x14;
                                				if( *((intOrPtr*)(_t183 + 0xef0)) == 0) {
                                					if( *((intOrPtr*)(_t183 + 0xee8)) == 0) {
                                						_v64 = 0x1c;
                                						KillTimer( *(_t183 + 0x20), 2);
                                						 *((intOrPtr*)(_t183 + 0xf18)) = 0;
                                					}
                                				} else {
                                					if( *((intOrPtr*)(_t183 + 0xef4)) == 0) {
                                						if( *((intOrPtr*)( *_t183 + 0x1dc))() != 0) {
                                							_t196 = _v60;
                                							_t194 =  *((intOrPtr*)(_t183 + 0xf1c));
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							 *((intOrPtr*)(_t183 + 0xefc)) =  *((intOrPtr*)(_t183 + 0xefc)) + _t196;
                                							_v24.top = _v24.top + _t194 + _t196;
                                							 *((intOrPtr*)(_t183 + 0xf04)) =  *((intOrPtr*)(_t183 + 0xefc)) + _t194;
                                							_t210 = 0;
                                						}
                                						if( *((intOrPtr*)( *_t183 + 0x1e0))() != 0) {
                                							_t169 =  *((intOrPtr*)(_t183 + 0xf1c));
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							 *((intOrPtr*)(_t183 + 0xf0c)) =  *((intOrPtr*)(_t183 + 0xf14)) - _t169;
                                							_v24.bottom = _v24.bottom - _t169 + _v60;
                                							_t210 = 0;
                                						}
                                					} else {
                                						_v24.right = _v24.right - GetSystemMetrics(2);
                                					}
                                				}
                                				if(_a4 != _t210 || EqualRect( &_v56, _t183 + 0xef8) == 0 || EqualRect( &_v40, _t183 + 0xf08) == 0) {
                                					_t196 =  *_v68;
                                					 *((intOrPtr*)( *_v68 + 0x234))(_t210, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, _v64, _t210);
                                					 *((intOrPtr*)(_t183 + 0xec4)) = _v24.bottom - _v24.top;
                                				} else {
                                					 *((intOrPtr*)( *_v68 + 0x208))();
                                				}
                                				_t200 = _t183 + 0xef8;
                                				_v60 = _t210;
                                				_t144 = EqualRect( &_v56, _t200);
                                				_t211 = InvalidateRect;
                                				if(_t144 == 0) {
                                					InvalidateRect( *(_t183 + 0x20),  &_v56, 1);
                                					InvalidateRect( *(_t183 + 0x20), _t200, 1);
                                					_v60 = 1;
                                				}
                                				_t201 = _t183 + 0xf08;
                                				if(EqualRect( &_v40, _t201) == 0) {
                                					InvalidateRect( *(_t183 + 0x20),  &_v40, 1);
                                					InvalidateRect( *(_t183 + 0x20), _t201, 1);
                                					_v60 = 1;
                                				}
                                				_pop(_t202);
                                				if(_v60 != 0) {
                                					UpdateWindow( *(_t183 + 0x20));
                                				}
                                				return L01367D3E(_v60, _t183, _v8 ^ _t214, _t196, _t202, _t211);
                                			}


                                APIs
                                • GetClientRect.USER32 ref: 012BC974
                                • InflateRect.USER32(?,00000000,00000000), ref: 012BC9A3
                                • SetRectEmpty.USER32 ref: 012BCA41
                                • SetRectEmpty.USER32 ref: 012BCA4A
                                • GetSystemMetrics.USER32 ref: 012BCA6B
                                • KillTimer.USER32 ref: 012BCB05
                                • EqualRect.USER32 ref: 012BCB27
                                • EqualRect.USER32 ref: 012BCB38
                                • EqualRect.USER32 ref: 012BCB89
                                • InvalidateRect.USER32(?,?,00000001), ref: 012BCBA2
                                • InvalidateRect.USER32(?,?,00000001), ref: 012BCBAA
                                • EqualRect.USER32 ref: 012BCBBE
                                • InvalidateRect.USER32(?,?,00000001), ref: 012BCBD1
                                • InvalidateRect.USER32(?,?,00000001), ref: 012BCBD9
                                • UpdateWindow.USER32 ref: 012BCBEC
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$EqualInvalidate$EmptyExceptionFilterProcessUnhandled$ClientCurrentDebuggerInflateKillMetricsPresentSystemTerminateTimerUpdateWindow
                                • String ID:
                                • API String ID: 2355691963-0
                                • Opcode ID: 8d214ff3d8ae3d55c4f0659c087a078f729f0e4d45bd9f92988f2f86ff87b44f
                                • Instruction ID: be47a2d40df3e1de7c8c6b052118485750a08fcfda271091ce10736efbc4eb0c
                                • Opcode Fuzzy Hash: 8d214ff3d8ae3d55c4f0659c087a078f729f0e4d45bd9f92988f2f86ff87b44f
                                • Instruction Fuzzy Hash: D291F77291021ADFDF11CFA8C9C4AEE7BB9BF08340F1445B5ED09AB249D7B1A945CB60
                                Uniqueness

                                Uniqueness Score: 5.06%

                                C-Code - Quality: 85%
                                			E01292766(signed int __ecx, signed int _a4) {
                                				signed int _v8;
                                				signed int _v12;
                                				struct tagPOINT _v20;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				struct HWND__* _t72;
                                				signed int _t75;
                                				void* _t76;
                                				signed int _t82;
                                				signed int _t83;
                                				signed int _t86;
                                				signed int _t87;
                                				signed int _t94;
                                				signed int _t95;
                                				signed int _t96;
                                				struct HWND__* _t97;
                                				void* _t99;
                                				signed int _t101;
                                				signed int _t102;
                                				signed int _t103;
                                				signed int _t107;
                                				signed int _t112;
                                				signed int _t114;
                                				int _t115;
                                				signed int _t116;
                                				signed int _t118;
                                				signed int _t125;
                                				signed int _t127;
                                				signed int _t138;
                                				void* _t147;
                                				signed int _t149;
                                				struct HWND__** _t150;
                                				void* _t151;
                                
                                				_t150 = _a4;
                                				_t72 = _t150[1];
                                				_t149 = __ecx;
                                				_t129 = 0x105;
                                				_v8 = 1;
                                				_t151 = _t72 - 0x105;
                                				if(_t151 > 0) {
                                					__eflags = _t72 - 0x200;
                                					if(_t72 == 0x200) {
                                						_v20.x = _t150[3];
                                						_v20.y = _t150[3];
                                						_t75 = E01282D05(1, 0x105, _t147,  *_t150);
                                						__eflags = _t75;
                                						if(_t75 != 0) {
                                							ClientToScreen( *(_t75 + 0x20),  &_v20);
                                						}
                                						_t76 = E012C0787(_t149 + 0x124, _t147, _v20.x, _v20.y);
                                						L9:
                                						if(_t76 != 0) {
                                							L44:
                                							return 1;
                                						}
                                						L10:
                                						return E012B059C(_t149, _t150);
                                					}
                                					__eflags = _t72 - 0x201;
                                					if(_t72 == 0x201) {
                                						L71:
                                						_v20.x = _t150[3];
                                						_v20.y = _t150[3];
                                						_t82 = E01282D05(1, _t129, _t147,  *_t150);
                                						_a4 = _t82;
                                						__eflags = _t82;
                                						if(_t82 != 0) {
                                							_t87 = IsWindow( *_t150);
                                							__eflags = _t87;
                                							if(_t87 != 0) {
                                								ClientToScreen( *(_a4 + 0x20),  &_v20);
                                							}
                                						}
                                						_t83 = L012C184A(_t149 + 0x124, _t147, _t150[1], _v20.x, _v20.y,  *_t150);
                                						__eflags = _t83;
                                						if(_t83 != 0) {
                                							L16:
                                							return 1;
                                						} else {
                                							_t86 = IsWindow( *_t150);
                                							__eflags = _t86;
                                							if(_t86 != 0) {
                                								goto L10;
                                							}
                                							goto L16;
                                						}
                                					}
                                					__eflags = _t72 - 0x203;
                                					if(_t72 <= 0x203) {
                                						goto L10;
                                					}
                                					__eflags = _t72 - 0x205;
                                					if(_t72 <= 0x205) {
                                						goto L71;
                                					}
                                					__eflags = _t72 - 0x206;
                                					if(_t72 <= 0x206) {
                                						goto L10;
                                					}
                                					__eflags = _t72 - 0x208;
                                					if(_t72 <= 0x208) {
                                						goto L71;
                                					}
                                					__eflags = _t72 - 0x20a;
                                					if(_t72 != 0x20a) {
                                						goto L10;
                                					}
                                					_t76 = E012C087D(__ecx + 0x124, _t150[2], _t150[3]);
                                					goto L9;
                                				}
                                				if(_t151 == 0) {
                                					_t135 =  *(__ecx + 0x220);
                                					__eflags =  *(__ecx + 0x220);
                                					if( *(__ecx + 0x220) == 0) {
                                						L45:
                                						_v20.y = GetKeyState(0x11) >> 0x0000000f & 0x00000001;
                                						_t94 = GetKeyState(0x10);
                                						_push( *((intOrPtr*)(_t149 + 0x20)));
                                						_t125 = (_t94 & 0x0000ffff) >> 0x0000000f & 0x00000001;
                                						L0137E964();
                                						_a4 = _t94;
                                						__eflags = _t94;
                                						if(_t94 == 0) {
                                							L48:
                                							_t34 =  &_v12;
                                							 *_t34 = _v12 & 0x00000000;
                                							__eflags =  *_t34;
                                							L49:
                                							__eflags = _a4;
                                							if(_a4 != 0) {
                                								_push(_a4);
                                								_push( *((intOrPtr*)(_t149 + 0x20)));
                                								L0137E958();
                                							}
                                							__eflags =  *(_t149 + 0x1d0);
                                							if( *(_t149 + 0x1d0) == 0) {
                                								L61:
                                								_t95 =  *0x13d97c0; // 0x0
                                								__eflags = _t95;
                                								if(_t95 == 0) {
                                									goto L10;
                                								}
                                								_t96 = IsWindow( *(_t95 + 0x20));
                                								L27:
                                								__eflags = _t96;
                                								if(_t96 == 0) {
                                									goto L10;
                                								}
                                								goto L16;
                                							} else {
                                								_t97 = _t150[2];
                                								__eflags = _t97 - 0x12;
                                								if(_t97 == 0x12) {
                                									L57:
                                									_t99 = E01282D05(_t125, 0, _t147, GetFocus());
                                									_t137 =  *(_t149 + 0x1d0);
                                									__eflags =  *(_t149 + 0x1d0) - _t99;
                                									if( *(_t149 + 0x1d0) != _t99) {
                                										__eflags = _t150[3] & 0x20000000;
                                										if((_t150[3] & 0x20000000) != 0) {
                                											goto L16;
                                										}
                                										L60:
                                										E01286A6F(_t125, _t137, _t147);
                                										goto L16;
                                									}
                                									_t137 = _t149;
                                									goto L60;
                                								}
                                								__eflags = _t97 - 0x79;
                                								if(_t97 != 0x79) {
                                									goto L61;
                                								}
                                								__eflags = _v20.y;
                                								if(_v20.y != 0) {
                                									goto L61;
                                								}
                                								__eflags = _t125;
                                								if(_t125 != 0) {
                                									goto L61;
                                								}
                                								__eflags = _v12;
                                								if(_v12 != 0) {
                                									goto L61;
                                								}
                                								goto L57;
                                							}
                                						}
                                						_push(_t94);
                                						L0137E95E();
                                						__eflags = _t94;
                                						if(_t94 == 0) {
                                							goto L48;
                                						}
                                						_v12 = 1;
                                						goto L49;
                                					}
                                					_push(_t150[3]);
                                					_t101 = E012CCF65(_t135, __ecx, _t150[2]);
                                					__eflags = _t101;
                                					if(_t101 == 0) {
                                						goto L45;
                                					}
                                					goto L44;
                                				}
                                				if(_t72 > 0xa8) {
                                					_t102 = _t72 - 0x100;
                                					__eflags = _t102;
                                					if(_t102 == 0) {
                                						_t103 = L012BFF29(_t150);
                                						__eflags = _t103;
                                						if(_t103 != 0) {
                                							L31:
                                							__eflags = _t150[2] - 0x1b;
                                							if(_t150[2] != 0x1b) {
                                								L40:
                                								__eflags = _v8;
                                								if(_v8 != 0) {
                                									goto L10;
                                								}
                                								return 0;
                                							}
                                							__eflags =  *(_t149 + 0x1f4);
                                							if( *(_t149 + 0x1f4) != 0) {
                                								E012BA068(0, _t149 + 0x1dc, _t149);
                                							}
                                							_t138 =  *(_t149 + 0x3e0);
                                							__eflags = _t138;
                                							if(_t138 != 0) {
                                								__eflags =  *(_t138 + 8);
                                								if( *(_t138 + 8) != 0) {
                                									__eflags =  *(_t138 + 4);
                                									if( *(_t138 + 4) != 0) {
                                										E012D2831(_t138);
                                									}
                                								}
                                							}
                                							_t107 = E012789CC(0x1398be0, E01282D05(0, _t138, _t147, GetCapture()));
                                							__eflags = _t107;
                                							if(_t107 == 0) {
                                								goto L40;
                                							} else {
                                								_push(0);
                                								_push(0);
                                								_push(0x1f);
                                								_push( *((intOrPtr*)(_t107 + 0x20)));
                                								L25:
                                								SendMessageW();
                                								goto L16;
                                							}
                                						}
                                						_t112 = E012C04F4(_t149 + 0x124, _t147, _t150[2],  &_v8);
                                						__eflags = _t112;
                                						if(_t112 != 0) {
                                							goto L44;
                                						}
                                						goto L31;
                                					}
                                					__eflags = _t102 != 4;
                                					if(_t102 != 4) {
                                						goto L10;
                                					}
                                					_t129 =  *(__ecx + 0x220);
                                					_t127 = 0;
                                					__eflags =  *(__ecx + 0x220);
                                					if( *(__ecx + 0x220) == 0) {
                                						L18:
                                						__eflags =  *0x13d658c - _t127; // 0x0
                                						if(__eflags == 0) {
                                							__eflags =  *0x13d6588 - _t127; // 0x0
                                							if(__eflags == 0) {
                                								 *0x13d6588 = 1;
                                								E0129A74C(_t127, _t129, _t147, _t149);
                                							}
                                						}
                                						_t114 =  *0x13d97c0; // 0x0
                                						__eflags = _t114 - _t127;
                                						if(_t114 == _t127) {
                                							L26:
                                							_t96 = E012C04F4(_t149 + 0x124, _t147, _t150[2], _t127);
                                							goto L27;
                                						}
                                						_t115 = IsWindow( *(_t114 + 0x20));
                                						__eflags = _t115;
                                						if(_t115 == 0) {
                                							goto L26;
                                						}
                                						__eflags = _t150[2] - 0x12;
                                						if(_t150[2] != 0x12) {
                                							goto L26;
                                						} else {
                                							_t116 =  *0x13d97c0; // 0x0
                                							_push(_t127);
                                							_push(_t127);
                                							_push(0x10);
                                							_push( *((intOrPtr*)(_t116 + 0x20)));
                                							goto L25;
                                						}
                                					}
                                					_t118 = L012CD902(_t129, _t147, __ecx, _t150, __ecx, _t150[2], _t150[3]);
                                					__eflags = _t118;
                                					if(_t118 == 0) {
                                						goto L18;
                                					}
                                					goto L16;
                                				}
                                				if(_t72 >= 0xa7) {
                                					L8:
                                					_t76 = L012C184A(_t149 + 0x124, _t150[3], _t72, _t150[3], _t150[3],  *_t150);
                                					goto L9;
                                				}
                                				if(_t72 == 0x7b) {
                                					_t127 = 0;
                                					__eflags = 0;
                                					goto L18;
                                				}
                                				if(_t72 <= 0xa0 || _t72 > 0xa2 && _t72 - 0xa4 > 1) {
                                					goto L10;
                                				} else {
                                					goto L8;
                                				}
                                			}

                                0x0129294f
                                0x01292951
                                0x0129295a
                                0x0129295d
                                0x01292962
                                0x01292965
                                0x01292967
                                0x0129297c
                                0x0129297c
                                0x0129297c
                                0x0129297c
                                0x01292980
                                0x01292980
                                0x01292984
                                0x01292986
                                0x01292989
                                0x0129298c
                                0x0129298c
                                0x01292993
                                0x01292999
                                0x012929e7
                                0x012929e7
                                0x012929ec
                                0x012929ee
                                0x00000000
                                0x00000000
                                0x012929f7
                                0x0129287d
                                0x0129287d
                                0x0129287f
                                0x00000000
                                0x00000000
                                0x00000000
                                0x0129299b
                                0x0129299b
                                0x0129299e
                                0x012929a1
                                0x012929b6
                                0x012929bd
                                0x012929c2
                                0x012929c8
                                0x012929ca
                                0x012929d0
                                0x012929d7
                                0x00000000
                                0x00000000
                                0x012929dd
                                0x012929dd
                                0x00000000
                                0x012929dd
                                0x012929cc
                                0x00000000
                                0x012929cc
                                0x012929a3
                                0x012929a6
                                0x00000000
                                0x00000000
                                0x012929a8
                                0x012929ab
                                0x00000000
                                0x00000000
                                0x012929ad
                                0x012929af
                                0x00000000
                                0x00000000
                                0x012929b1
                                0x012929b4
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012929b4
                                0x01292999
                                0x01292969
                                0x0129296a
                                0x0129296f
                                0x01292971
                                0x00000000
                                0x00000000
                                0x01292973
                                0x00000000
                                0x01292973
                                0x01292923
                                0x0129292a
                                0x0129292f
                                0x01292931
                                0x00000000
                                0x00000000
                                0x00000000
                                0x01292931
                                0x01292797
                                0x012927ec
                                0x012927ec
                                0x012927f1
                                0x01292888
                                0x0129288d
                                0x0129288f
                                0x012928ab
                                0x012928ad
                                0x012928b1
                                0x01292909
                                0x01292909
                                0x0129290c
                                0x00000000
                                0x00000000
                                0x00000000
                                0x01292912
                                0x012928b3
                                0x012928b9
                                0x012928c2
                                0x012928c2
                                0x012928c7
                                0x012928cd
                                0x012928cf
                                0x012928d1
                                0x012928d4
                                0x012928d6
                                0x012928d9
                                0x012928db
                                0x012928db
                                0x012928d9
                                0x012928d4
                                0x012928f2
                                0x012928f9
                                0x012928fb
                                0x00000000
                                0x012928fd
                                0x012928fd
                                0x012928fe
                                0x012928ff
                                0x01292901
                                0x01292866
                                0x01292866
                                0x00000000
                                0x01292866
                                0x012928fb
                                0x0129289e
                                0x012928a3
                                0x012928a5
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012928a5
                                0x012927f7
                                0x012927fa
                                0x00000000
                                0x00000000
                                0x012927fc
                                0x01292802
                                0x01292804
                                0x01292806
                                0x0129281f
                                0x0129281f
                                0x01292825
                                0x01292827
                                0x0129282d
                                0x0129282f
                                0x01292839
                                0x01292839
                                0x0129282d
                                0x0129283e
                                0x01292843
                                0x01292845
                                0x0129286e
                                0x01292878
                                0x00000000
                                0x01292878
                                0x0129284a
                                0x01292850
                                0x01292852
                                0x00000000
                                0x00000000
                                0x01292854
                                0x01292858
                                0x00000000
                                0x0129285a
                                0x0129285a
                                0x0129285f
                                0x01292860
                                0x01292861
                                0x01292863
                                0x00000000
                                0x01292863
                                0x01292858
                                0x0129280f
                                0x01292814
                                0x01292816
                                0x00000000
                                0x00000000
                                0x00000000
                                0x01292816
                                0x0129279e
                                0x012927bd
                                0x012927d0
                                0x00000000
                                0x012927d0
                                0x012927a3
                                0x0129281d
                                0x0129281d
                                0x00000000
                                0x0129281d
                                0x012927aa
                                0x00000000
                                0x00000000
                                0x00000000
                                0x00000000

                                APIs
                                  • Part of subcall function 012B059C: TranslateAcceleratorW.USER32(?,00000000,?), ref: 012B0718
                                  • Part of subcall function 012CD902: GetWindowRect.USER32 ref: 012CD938
                                  • Part of subcall function 012CD902: GetKeyState.USER32 ref: 012CD994
                                  • Part of subcall function 012CD902: GetKeyState.USER32 ref: 012CD9A1
                                  • Part of subcall function 012CD902: KillTimer.USER32 ref: 012CD9BB
                                  • Part of subcall function 012CD902: GetFocus.USER32 ref: 012CD9F8
                                  • Part of subcall function 012CD902: SetTimer.USER32 ref: 012CDA3E
                                  • Part of subcall function 0129A74C: InvalidateRect.USER32(?,-00000054,00000001), ref: 0129A7D8
                                  • Part of subcall function 0129A74C: UpdateWindow.USER32 ref: 0129A7F2
                                • IsWindow.USER32(?), ref: 0129284A
                                • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 01292866
                                  • Part of subcall function 012BFF29: GetKeyState.USER32 ref: 012BFF54
                                  • Part of subcall function 012BFF29: GetKeyState.USER32 ref: 012BFF5D
                                  • Part of subcall function 012BFF29: GetKeyState.USER32 ref: 012BFF66
                                  • Part of subcall function 012C04F4: IsWindow.USER32(?), ref: 012C0522
                                  • Part of subcall function 012C04F4: GetFocus.USER32 ref: 012C0530
                                  • Part of subcall function 012C04F4: IsChild.USER32 ref: 012C0564
                                  • Part of subcall function 012C04F4: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C0598
                                  • Part of subcall function 012C04F4: IsChild.USER32 ref: 012C05B4
                                  • Part of subcall function 012C04F4: SendMessageW.USER32(?,00000100,?,00000000), ref: 012C05E3
                                  • Part of subcall function 012C04F4: IsIconic.USER32(?), ref: 012C0624
                                  • Part of subcall function 012C04F4: GetAsyncKeyState.USER32 ref: 012C06AA
                                  • Part of subcall function 012C04F4: GetAsyncKeyState.USER32 ref: 012C06BC
                                  • Part of subcall function 012C04F4: GetAsyncKeyState.USER32 ref: 012C06C9
                                  • Part of subcall function 012C04F4: IsWindowVisible.USER32(?), ref: 012C072A
                                  • Part of subcall function 012BA068: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 012BA104
                                  • Part of subcall function 012BA068: SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 012BA14A
                                  • Part of subcall function 012BA068: RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 012BA15A
                                  • Part of subcall function 012BA068: IsWindowVisible.USER32(?), ref: 012BA1FF
                                  • Part of subcall function 012D2831: SendMessageW.USER32(01290A00,0000001F,00000000,00000000), ref: 012D2842
                                  • Part of subcall function 012CCF65: KillTimer.USER32 ref: 012CCF8C
                                  • Part of subcall function 012CCF65: GetFocus.USER32 ref: 012CCF98
                                  • Part of subcall function 012CCF65: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012CCFC9
                                • GetCapture.USER32 ref: 012928E0
                                • GetKeyState.USER32 ref: 01292942
                                • GetKeyState.USER32 ref: 0129294F
                                • ImmGetContext.IMM32(?), ref: 0129295D
                                • ImmGetOpenStatus.IMM32(00000000,?), ref: 0129296A
                                • ImmReleaseContext.IMM32(?,00000000,?), ref: 0129298C
                                • GetFocus.USER32 ref: 012929B6
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A84
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A93
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286AA9
                                  • Part of subcall function 01286A6F: SetFocus.USER32 ref: 01286ABF
                                • IsWindow.USER32(?), ref: 012929F7
                                  • Part of subcall function 012C087D: IsWindow.USER32(?), ref: 012C0895
                                  • Part of subcall function 012C087D: SendMessageW.USER32(?,0000020A,?,?), ref: 012C08C7
                                  • Part of subcall function 012C087D: GetFocus.USER32 ref: 012C08DB
                                  • Part of subcall function 012C087D: IsChild.USER32 ref: 012C08FD
                                  • Part of subcall function 012C087D: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C092E
                                  • Part of subcall function 012C087D: IsWindowVisible.USER32(?), ref: 012C0943
                                  • Part of subcall function 012C087D: SendMessageW.USER32(?,0000020A,?,?), ref: 012C0961
                                • IsWindow.USER32(?), ref: 01292A7D
                                • ClientToScreen.USER32(?,?), ref: 01292A8D
                                  • Part of subcall function 012C184A: IsWindowVisible.USER32(?), ref: 012C187F
                                  • Part of subcall function 012C184A: GetWindowRect.USER32 ref: 012C18A2
                                  • Part of subcall function 012C184A: PtInRect.USER32(?,?,?), ref: 012C18B0
                                  • Part of subcall function 012C184A: GetAsyncKeyState.USER32 ref: 012C18D5
                                  • Part of subcall function 012C184A: ScreenToClient.USER32(?,?), ref: 012C1923
                                  • Part of subcall function 012C184A: IsWindow.USER32(?), ref: 012C196A
                                  • Part of subcall function 012C184A: IsWindow.USER32(?), ref: 012C19AD
                                  • Part of subcall function 012C184A: GetWindowRect.USER32 ref: 012C19CD
                                  • Part of subcall function 012C184A: PtInRect.USER32(?,?,?), ref: 012C19DD
                                  • Part of subcall function 012C184A: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C1A12
                                  • Part of subcall function 012C184A: PtInRect.USER32(-00000054,?,?), ref: 012C1A5D
                                  • Part of subcall function 012C184A: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C1A82
                                  • Part of subcall function 012C184A: ScreenToClient.USER32(?,?), ref: 012C1ADA
                                  • Part of subcall function 012C184A: PtInRect.USER32(?,?,?), ref: 012C1AEA
                                  • Part of subcall function 012C184A: GetParent.USER32(?), ref: 012C1B74
                                  • Part of subcall function 012C184A: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C1C07
                                  • Part of subcall function 012C184A: GetFocus.USER32 ref: 012C1C0D
                                  • Part of subcall function 012C184A: WindowFromPoint.USER32(?,?), ref: 012C1C45
                                  • Part of subcall function 012C184A: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C1C8F
                                  • Part of subcall function 012C184A: GetSystemMenu.USER32 ref: 012C1D18
                                  • Part of subcall function 012C184A: IsMenu.USER32(?), ref: 012C1D3A
                                  • Part of subcall function 012C184A: EnableMenuItem.USER32 ref: 012C1D57
                                  • Part of subcall function 012C184A: EnableMenuItem.USER32 ref: 012C1D62
                                  • Part of subcall function 012C184A: IsZoomed.USER32(?), ref: 012C1D70
                                  • Part of subcall function 012C184A: IsIconic.USER32(?), ref: 012C1D8F
                                  • Part of subcall function 012C184A: EnableMenuItem.USER32 ref: 012C1DA3
                                  • Part of subcall function 012C184A: TrackPopupMenu.USER32(?,00000100,?,?,00000000,?,00000000), ref: 012C1DCB
                                  • Part of subcall function 012C184A: SendMessageW.USER32(?,00000112,00000000,00000000), ref: 012C1DE5
                                • IsWindow.USER32(?), ref: 01292AB3
                                • ClientToScreen.USER32(?,?), ref: 01292AE2
                                  • Part of subcall function 012C0787: IsWindow.USER32(?), ref: 012C07E0
                                  • Part of subcall function 012C0787: GetWindowRect.USER32 ref: 012C0803
                                  • Part of subcall function 012C0787: PtInRect.USER32(?,?,?), ref: 012C080F
                                  • Part of subcall function 012C0787: GetWindowRect.USER32 ref: 012C082D
                                  • Part of subcall function 012C0787: PtInRect.USER32(?,?,?), ref: 012C083A
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$MessageSend$Rect$State$Focus$Menu$AsyncClientParentScreenVisible$ChildEnableItemTimer$ContextIconicKillRedraw$AcceleratorCaptureFromInvalidateOpenPointPopupReleaseStatusSystemTrackTranslateUpdateZoomed
                                • String ID:
                                • API String ID: 1620739098-0
                                • Opcode ID: 7bbbc26b4e0f6779de72068b43908fcb4ef41ba6a55288722ba3446874b44d00
                                • Instruction ID: 189bdb82ce383bacfcce622610c93ab9ec64c5e07c53f23e8356d8fdfeb6257f
                                • Opcode Fuzzy Hash: 7bbbc26b4e0f6779de72068b43908fcb4ef41ba6a55288722ba3446874b44d00
                                • Instruction Fuzzy Hash: 29A1A131520207FBEF39AF6CC885ABE7BA9FF04344F108529E756A6491D735D890CB61
                                Uniqueness

                                Uniqueness Score: 2.12%

                                C-Code - Quality: 85%
                                			E0129088B(signed int __ecx, signed int _a4) {
                                				signed int _v8;
                                				struct tagPOINT _v16;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				struct HWND__* _t69;
                                				signed int _t72;
                                				int _t73;
                                				signed int _t80;
                                				signed int _t81;
                                				signed int _t82;
                                				signed int _t83;
                                				signed int _t90;
                                				signed int _t91;
                                				struct HWND__* _t92;
                                				void* _t94;
                                				signed int _t96;
                                				signed int _t97;
                                				signed int _t98;
                                				void* _t101;
                                				signed int _t105;
                                				signed int _t107;
                                				int _t108;
                                				signed int _t109;
                                				signed int _t111;
                                				signed int _t112;
                                				intOrPtr _t126;
                                				void* _t135;
                                				signed int _t137;
                                				struct HWND__** _t138;
                                				void* _t139;
                                
                                				_t138 = _a4;
                                				_t69 = _t138[1];
                                				_t137 = __ecx;
                                				_t117 = 0x105;
                                				_t139 = _t69 - 0x105;
                                				if(_t139 > 0) {
                                					__eflags = _t69 - 0x200;
                                					if(_t69 == 0x200) {
                                						_v16.x = _t138[3];
                                						_v16.y = _t138[3];
                                						_t72 = E01282D05(_t112, 0x105, _t135,  *_t138);
                                						__eflags = _t72;
                                						if(_t72 != 0) {
                                							ClientToScreen( *(_t72 + 0x20),  &_v16);
                                						}
                                						_t73 = E012C0787(_t137 + 0x33c, _t135, _v16.x, _v16.y);
                                						L24:
                                						if(_t73 != 0) {
                                							L13:
                                							return 1;
                                						}
                                						L25:
                                						return L012B9549(_t112, _t137, _t138);
                                					}
                                					__eflags = _t69 - 0x201;
                                					if(_t69 == 0x201) {
                                						L66:
                                						_v16.x = _t138[3];
                                						_v16.y = _t138[3];
                                						_t80 = E01282D05(_t112, _t117, _t135,  *_t138);
                                						_t112 = IsWindow;
                                						_a4 = _t80;
                                						__eflags = _t80;
                                						if(_t80 != 0) {
                                							_t83 = IsWindow( *_t138);
                                							__eflags = _t83;
                                							if(_t83 != 0) {
                                								ClientToScreen( *(_a4 + 0x20),  &_v16);
                                							}
                                						}
                                						_t81 = L012C184A(_t137 + 0x33c, _t135, _t138[1], _v16.x, _v16.y,  *_t138);
                                						__eflags = _t81;
                                						if(_t81 == 0) {
                                							_t82 = IsWindow( *_t138);
                                							__eflags = _t82;
                                							if(_t82 != 0) {
                                								goto L25;
                                							}
                                						}
                                						goto L13;
                                					}
                                					__eflags = _t69 - 0x203;
                                					if(_t69 <= 0x203) {
                                						goto L25;
                                					}
                                					__eflags = _t69 - 0x205;
                                					if(_t69 <= 0x205) {
                                						goto L66;
                                					}
                                					__eflags = _t69 - 0x206;
                                					if(_t69 <= 0x206) {
                                						goto L25;
                                					}
                                					__eflags = _t69 - 0x208;
                                					if(_t69 <= 0x208) {
                                						goto L66;
                                					}
                                					__eflags = _t69 - 0x20a;
                                					if(_t69 != 0x20a) {
                                						goto L25;
                                					}
                                					_t73 = E012C087D(__ecx + 0x33c, _t138[2], _t138[3]);
                                					goto L24;
                                				}
                                				if(_t139 == 0) {
                                					_t123 =  *(__ecx + 0x438);
                                					__eflags =  *(__ecx + 0x438);
                                					if( *(__ecx + 0x438) == 0) {
                                						L40:
                                						_v16.y = GetKeyState(0x11) >> 0x0000000f & 0x00000001;
                                						_t90 = GetKeyState(0x10);
                                						_push( *((intOrPtr*)(_t137 + 0x20)));
                                						_t112 = (_t90 & 0x0000ffff) >> 0x0000000f & 0x00000001;
                                						L0137E964();
                                						_a4 = _t90;
                                						__eflags = _t90;
                                						if(_t90 == 0) {
                                							L43:
                                							_t31 =  &_v8;
                                							 *_t31 = _v8 & 0x00000000;
                                							__eflags =  *_t31;
                                							L44:
                                							__eflags = _a4;
                                							if(_a4 != 0) {
                                								_push(_a4);
                                								_push( *((intOrPtr*)(_t137 + 0x20)));
                                								L0137E958();
                                							}
                                							__eflags =  *(_t137 + 0x3e8);
                                							if( *(_t137 + 0x3e8) == 0) {
                                								L56:
                                								_t91 =  *0x13d97c0; // 0x0
                                								__eflags = _t91;
                                								if(_t91 == 0) {
                                									goto L25;
                                								}
                                								_t73 = IsWindow( *(_t91 + 0x20));
                                								goto L24;
                                							} else {
                                								_t92 = _t138[2];
                                								__eflags = _t92 - 0x12;
                                								if(_t92 == 0x12) {
                                									L52:
                                									_t94 = E01282D05(_t112, 0, _t135, GetFocus());
                                									_t125 =  *(_t137 + 0x3e8);
                                									__eflags =  *(_t137 + 0x3e8) - _t94;
                                									if( *(_t137 + 0x3e8) != _t94) {
                                										__eflags = _t138[3] & 0x20000000;
                                										if((_t138[3] & 0x20000000) != 0) {
                                											goto L13;
                                										}
                                										L55:
                                										E01286A6F(_t112, _t125, _t135);
                                										goto L13;
                                									}
                                									_t125 = _t137;
                                									goto L55;
                                								}
                                								__eflags = _t92 - 0x79;
                                								if(_t92 != 0x79) {
                                									goto L56;
                                								}
                                								__eflags = _v16.y;
                                								if(_v16.y != 0) {
                                									goto L56;
                                								}
                                								__eflags = _t112;
                                								if(_t112 != 0) {
                                									goto L56;
                                								}
                                								__eflags = _v8;
                                								if(_v8 != 0) {
                                									goto L56;
                                								}
                                								goto L52;
                                							}
                                						}
                                						_push(_t90);
                                						L0137E95E();
                                						__eflags = _t90;
                                						if(_t90 == 0) {
                                							goto L43;
                                						}
                                						_v8 = 1;
                                						goto L44;
                                					}
                                					_push(_t138[3]);
                                					_t96 = E012CCF65(_t123, __ecx, _t138[2]);
                                					__eflags = _t96;
                                					if(_t96 != 0) {
                                						goto L13;
                                					}
                                					goto L40;
                                				}
                                				if(_t69 > 0xa8) {
                                					_t97 = _t69 - 0x100;
                                					__eflags = _t97;
                                					if(_t97 == 0) {
                                						_t98 = L012BFF29(_t138);
                                						_t112 = 0;
                                						__eflags = _t98;
                                						if(_t98 != 0) {
                                							L29:
                                							__eflags = _t138[2] - 0x1b;
                                							if(_t138[2] != 0x1b) {
                                								goto L25;
                                							}
                                							__eflags =  *((intOrPtr*)(_t137 + 0x40c)) - _t112;
                                							if( *((intOrPtr*)(_t137 + 0x40c)) != _t112) {
                                								E012BA068(_t112, _t137 + 0x3f4, _t137);
                                							}
                                							_t126 =  *((intOrPtr*)(_t137 + 0x304));
                                							__eflags = _t126 - _t112;
                                							if(_t126 != _t112) {
                                								__eflags =  *((intOrPtr*)(_t126 + 8)) - _t112;
                                								if( *((intOrPtr*)(_t126 + 8)) != _t112) {
                                									__eflags =  *((intOrPtr*)(_t126 + 4)) - _t112;
                                									if( *((intOrPtr*)(_t126 + 4)) != _t112) {
                                										E012D2831(_t126);
                                									}
                                								}
                                							}
                                							_t101 = E012789CC(0x1398be0, E01282D05(_t112, _t126, _t135, GetCapture()));
                                							__eflags = _t101 - _t112;
                                							if(_t101 == _t112) {
                                								goto L25;
                                							} else {
                                								_push(_t112);
                                								_push(_t112);
                                								_push(0x1f);
                                								_push( *((intOrPtr*)(_t101 + 0x20)));
                                								L22:
                                								SendMessageW();
                                								goto L13;
                                							}
                                						}
                                						_t105 = E012C04F4(_t137 + 0x33c, _t135, _t138[2], 0);
                                						__eflags = _t105;
                                						if(_t105 != 0) {
                                							goto L13;
                                						}
                                						goto L29;
                                					}
                                					__eflags = _t97 != 4;
                                					if(_t97 != 4) {
                                						goto L25;
                                					}
                                					_t117 =  *(__ecx + 0x438);
                                					_t112 = 0;
                                					__eflags =  *(__ecx + 0x438);
                                					if( *(__ecx + 0x438) == 0) {
                                						L15:
                                						__eflags =  *0x13d658c - _t112; // 0x0
                                						if(__eflags == 0) {
                                							__eflags =  *0x13d6588 - _t112; // 0x0
                                							if(__eflags == 0) {
                                								 *0x13d6588 = 1;
                                								E0129A74C(_t112, _t117, _t135, _t137);
                                							}
                                						}
                                						_t107 =  *0x13d97c0; // 0x0
                                						__eflags = _t107 - _t112;
                                						if(_t107 == _t112) {
                                							L23:
                                							_t73 = E012C04F4(_t137 + 0x33c, _t135, _t138[2], _t112);
                                							goto L24;
                                						}
                                						_t108 = IsWindow( *(_t107 + 0x20));
                                						__eflags = _t108;
                                						if(_t108 == 0) {
                                							goto L23;
                                						}
                                						__eflags = _t138[2] - 0x12;
                                						if(_t138[2] != 0x12) {
                                							goto L23;
                                						} else {
                                							_t109 =  *0x13d97c0; // 0x0
                                							_push(_t112);
                                							_push(_t112);
                                							_push(0x10);
                                							_push( *((intOrPtr*)(_t109 + 0x20)));
                                							goto L22;
                                						}
                                					}
                                					_t111 = L012CD902(_t117, _t135, __ecx, _t138, __ecx, _t138[2], _t138[3]);
                                					__eflags = _t111;
                                					if(_t111 == 0) {
                                						goto L15;
                                					}
                                					goto L13;
                                				}
                                				if(_t69 >= 0xa7) {
                                					L8:
                                					_t73 = L012C184A(_t137 + 0x33c, _t138[3], _t69, _t138[3], _t138[3],  *_t138);
                                					goto L24;
                                				}
                                				if(_t69 == 0x7b) {
                                					_t112 = 0;
                                					__eflags = 0;
                                					goto L15;
                                				}
                                				if(_t69 <= 0xa0 || _t69 > 0xa2 && _t69 - 0xa4 > 1) {
                                					goto L25;
                                				} else {
                                					goto L8;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 012CD902: GetWindowRect.USER32 ref: 012CD938
                                  • Part of subcall function 012CD902: GetKeyState.USER32 ref: 012CD994
                                  • Part of subcall function 012CD902: GetKeyState.USER32 ref: 012CD9A1
                                  • Part of subcall function 012CD902: KillTimer.USER32 ref: 012CD9BB
                                  • Part of subcall function 012CD902: GetFocus.USER32 ref: 012CD9F8
                                  • Part of subcall function 012CD902: SetTimer.USER32 ref: 012CDA3E
                                • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 01290980
                                  • Part of subcall function 0129A74C: InvalidateRect.USER32(?,-00000054,00000001), ref: 0129A7D8
                                  • Part of subcall function 0129A74C: UpdateWindow.USER32 ref: 0129A7F2
                                • IsWindow.USER32(?), ref: 01290964
                                  • Part of subcall function 012B9549: TranslateAcceleratorW.USER32(012909A3,?,?), ref: 012B95DB
                                  • Part of subcall function 012B9549: TranslateMDISysAccel.USER32(?,?), ref: 012B9605
                                  • Part of subcall function 012BFF29: GetKeyState.USER32 ref: 012BFF54
                                  • Part of subcall function 012BFF29: GetKeyState.USER32 ref: 012BFF5D
                                  • Part of subcall function 012BFF29: GetKeyState.USER32 ref: 012BFF66
                                  • Part of subcall function 012C04F4: IsWindow.USER32(?), ref: 012C0522
                                  • Part of subcall function 012C04F4: GetFocus.USER32 ref: 012C0530
                                  • Part of subcall function 012C04F4: IsChild.USER32 ref: 012C0564
                                  • Part of subcall function 012C04F4: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C0598
                                  • Part of subcall function 012C04F4: IsChild.USER32 ref: 012C05B4
                                  • Part of subcall function 012C04F4: SendMessageW.USER32(?,00000100,?,00000000), ref: 012C05E3
                                  • Part of subcall function 012C04F4: IsIconic.USER32(?), ref: 012C0624
                                  • Part of subcall function 012C04F4: GetAsyncKeyState.USER32 ref: 012C06AA
                                  • Part of subcall function 012C04F4: GetAsyncKeyState.USER32 ref: 012C06BC
                                  • Part of subcall function 012C04F4: GetAsyncKeyState.USER32 ref: 012C06C9
                                  • Part of subcall function 012C04F4: IsWindowVisible.USER32(?), ref: 012C072A
                                  • Part of subcall function 012BA068: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 012BA104
                                  • Part of subcall function 012BA068: SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 012BA14A
                                  • Part of subcall function 012BA068: RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 012BA15A
                                  • Part of subcall function 012BA068: IsWindowVisible.USER32(?), ref: 012BA1FF
                                  • Part of subcall function 012D2831: SendMessageW.USER32(01290A00,0000001F,00000000,00000000), ref: 012D2842
                                  • Part of subcall function 012CCF65: KillTimer.USER32 ref: 012CCF8C
                                  • Part of subcall function 012CCF65: GetFocus.USER32 ref: 012CCF98
                                  • Part of subcall function 012CCF65: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012CCFC9
                                • GetCapture.USER32 ref: 01290A00
                                • GetKeyState.USER32 ref: 01290A53
                                • GetKeyState.USER32 ref: 01290A60
                                • ImmGetContext.IMM32(?), ref: 01290A6E
                                • ImmGetOpenStatus.IMM32(00000000,?), ref: 01290A7B
                                • ImmReleaseContext.IMM32(00000000,00000000,?), ref: 01290A9D
                                • GetFocus.USER32 ref: 01290AC7
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A84
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A93
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286AA9
                                  • Part of subcall function 01286A6F: SetFocus.USER32 ref: 01286ABF
                                • IsWindow.USER32(?), ref: 01290B08
                                  • Part of subcall function 012C087D: IsWindow.USER32(?), ref: 012C0895
                                  • Part of subcall function 012C087D: SendMessageW.USER32(?,0000020A,?,?), ref: 012C08C7
                                  • Part of subcall function 012C087D: GetFocus.USER32 ref: 012C08DB
                                  • Part of subcall function 012C087D: IsChild.USER32 ref: 012C08FD
                                  • Part of subcall function 012C087D: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C092E
                                  • Part of subcall function 012C087D: IsWindowVisible.USER32(?), ref: 012C0943
                                  • Part of subcall function 012C087D: SendMessageW.USER32(?,0000020A,?,?), ref: 012C0961
                                • IsWindow.USER32(?), ref: 01290B8E
                                • ClientToScreen.USER32(?,?), ref: 01290B9E
                                  • Part of subcall function 012C184A: IsWindowVisible.USER32(?), ref: 012C187F
                                  • Part of subcall function 012C184A: GetWindowRect.USER32 ref: 012C18A2
                                  • Part of subcall function 012C184A: PtInRect.USER32(?,?,?), ref: 012C18B0
                                  • Part of subcall function 012C184A: GetAsyncKeyState.USER32 ref: 012C18D5
                                  • Part of subcall function 012C184A: ScreenToClient.USER32(?,?), ref: 012C1923
                                  • Part of subcall function 012C184A: IsWindow.USER32(?), ref: 012C196A
                                  • Part of subcall function 012C184A: IsWindow.USER32(?), ref: 012C19AD
                                  • Part of subcall function 012C184A: GetWindowRect.USER32 ref: 012C19CD
                                  • Part of subcall function 012C184A: PtInRect.USER32(?,?,?), ref: 012C19DD
                                  • Part of subcall function 012C184A: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C1A12
                                  • Part of subcall function 012C184A: PtInRect.USER32(-00000054,?,?), ref: 012C1A5D
                                  • Part of subcall function 012C184A: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C1A82
                                  • Part of subcall function 012C184A: ScreenToClient.USER32(?,?), ref: 012C1ADA
                                  • Part of subcall function 012C184A: PtInRect.USER32(?,?,?), ref: 012C1AEA
                                  • Part of subcall function 012C184A: GetParent.USER32(?), ref: 012C1B74
                                  • Part of subcall function 012C184A: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C1C07
                                  • Part of subcall function 012C184A: GetFocus.USER32 ref: 012C1C0D
                                  • Part of subcall function 012C184A: WindowFromPoint.USER32(?,?), ref: 012C1C45
                                  • Part of subcall function 012C184A: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C1C8F
                                  • Part of subcall function 012C184A: GetSystemMenu.USER32 ref: 012C1D18
                                  • Part of subcall function 012C184A: IsMenu.USER32(?), ref: 012C1D3A
                                  • Part of subcall function 012C184A: EnableMenuItem.USER32 ref: 012C1D57
                                  • Part of subcall function 012C184A: EnableMenuItem.USER32 ref: 012C1D62
                                  • Part of subcall function 012C184A: IsZoomed.USER32(?), ref: 012C1D70
                                  • Part of subcall function 012C184A: IsIconic.USER32(?), ref: 012C1D8F
                                  • Part of subcall function 012C184A: EnableMenuItem.USER32 ref: 012C1DA3
                                  • Part of subcall function 012C184A: TrackPopupMenu.USER32(?,00000100,?,?,00000000,?,00000000), ref: 012C1DCB
                                  • Part of subcall function 012C184A: SendMessageW.USER32(?,00000112,00000000,00000000), ref: 012C1DE5
                                • IsWindow.USER32(?), ref: 01290BC4
                                • ClientToScreen.USER32(?,?), ref: 01290BF3
                                  • Part of subcall function 012C0787: IsWindow.USER32(?), ref: 012C07E0
                                  • Part of subcall function 012C0787: GetWindowRect.USER32 ref: 012C0803
                                  • Part of subcall function 012C0787: PtInRect.USER32(?,?,?), ref: 012C080F
                                  • Part of subcall function 012C0787: GetWindowRect.USER32 ref: 012C082D
                                  • Part of subcall function 012C0787: PtInRect.USER32(?,?,?), ref: 012C083A
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$MessageSend$Rect$State$Focus$Menu$AsyncClientParentScreenVisible$ChildEnableItemTimer$ContextIconicKillRedrawTranslate$AccelAcceleratorCaptureFromInvalidateOpenPointPopupReleaseStatusSystemTrackUpdateZoomed
                                • String ID:
                                • API String ID: 454598001-0
                                • Opcode ID: ec24789bc5c01fed0f47dfc78473fdb141b933ef5e865afaa8882683fc929154
                                • Instruction ID: 536eda52cd7a0a1beaf9cbe091745d4cd892fe9c46b39b1df965ca84241f2923
                                • Opcode Fuzzy Hash: ec24789bc5c01fed0f47dfc78473fdb141b933ef5e865afaa8882683fc929154
                                • Instruction Fuzzy Hash: 7791BE3192020BEBFF259F6CC890A7EBBADEF04B04F108529F7A692051D735D980CB59
                                Uniqueness

                                Uniqueness Score: 2.12%

                                C-Code - Quality: 96%
                                			E012F4139(intOrPtr* __ecx, intOrPtr __edx, struct tagPOINT _a8, intOrPtr _a12) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				signed int _v41;
                                				signed int _v48;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t82;
                                				signed int _t86;
                                				long _t89;
                                				int _t94;
                                				signed int _t102;
                                				signed int _t105;
                                				signed int _t109;
                                				intOrPtr _t110;
                                				signed int _t112;
                                				signed int _t115;
                                				signed int _t117;
                                				signed int _t119;
                                				signed int _t120;
                                				signed int _t122;
                                				long _t136;
                                				RECT* _t148;
                                				intOrPtr* _t149;
                                				signed int _t150;
                                
                                				_t147 = __edx;
                                				_t127 = __ecx;
                                				_t82 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t82 ^ _t150;
                                				_t149 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x1ec)) == 0) {
                                					L4:
                                					__eflags =  *(_t149 + 0xa4) -  *(_t149 + 0xa0);
                                					if( *(_t149 + 0xa4) ==  *(_t149 + 0xa0)) {
                                						L9:
                                						__eflags =  *(_t149 + 0x148);
                                						if( *(_t149 + 0x148) != 0) {
                                							 *(_t149 + 0x148) = 0;
                                							ReleaseCapture();
                                							_t115 =  *((intOrPtr*)( *_t149 + 0x2c8))();
                                							__eflags = _t115;
                                							if(_t115 == 0) {
                                								 *(_t149 + 0xf8) =  *(_t149 + 0xf8) | 0xffffffff;
                                								_t29 = _t149 + 0xf4;
                                								 *_t29 =  *(_t149 + 0xf4) | 0xffffffff;
                                								__eflags =  *_t29;
                                							}
                                						}
                                						_t86 =  *((intOrPtr*)( *_t149 + 0x2c8))();
                                						__eflags = _t86;
                                						if(_t86 == 0) {
                                							L26:
                                							__eflags =  *((intOrPtr*)( *_t149 + 0x284))();
                                							if(__eflags != 0) {
                                								_v24.left = 0;
                                								_v24.top = 0;
                                								_v24.right = 0;
                                								_v24.bottom = 0;
                                								_v40.left = 0;
                                								_v40.top = 0;
                                								_v40.right = 0;
                                								_v40.bottom = 0;
                                								 *((intOrPtr*)( *_t149 + 0x164))( &_v24,  &_v40);
                                								_t94 = IsRectEmpty( &_v24);
                                								_t148 = InvalidateRect;
                                								__eflags = _t94;
                                								if(_t94 == 0) {
                                									InvalidateRect( *(_t149 + 0x20),  &_v24, 0);
                                								}
                                								__eflags = IsRectEmpty( &_v40);
                                								if(__eflags == 0) {
                                									InvalidateRect( *(_t149 + 0x20),  &_v40, 0);
                                								}
                                								UpdateWindow( *(_t149 + 0x20));
                                							}
                                							_t89 = E01282C5F(0, _t149, _t148, __eflags);
                                							goto L33;
                                						} else {
                                							_t102 =  *(_t149 + 0xf4);
                                							_t136 =  *(_t149 + 0xa0);
                                							__eflags = _t136 - _t102;
                                							_v41 = _t136 != _t102;
                                							__eflags = _t102 -  *(_t149 + 0xf8);
                                							if(_t102 !=  *(_t149 + 0xf8)) {
                                								L21:
                                								_t148 =  *(_t149 + 0xf4);
                                								 *(_t149 + 0xf8) =  *(_t149 + 0xf8) | 0xffffffff;
                                								_v48 =  *(_t149 + 0xf8);
                                								_t105 =  *((intOrPtr*)( *_t149 + 0x284))();
                                								__eflags = _t105;
                                								if(_t105 == 0) {
                                									_t57 = _t149 + 0xf4;
                                									 *_t57 =  *(_t149 + 0xf4) | 0xffffffff;
                                									__eflags =  *_t57;
                                								}
                                								ReleaseCapture();
                                								__eflags = _v41;
                                								if(_v41 != 0) {
                                									L012F3749(_t149, _t148);
                                									__eflags = _v48 - _t148;
                                									if(_v48 != _t148) {
                                										L012F3749(_t149, _v48);
                                									}
                                								}
                                								goto L26;
                                							}
                                							__eflags = _t102;
                                							if(_t102 < 0) {
                                								goto L21;
                                							}
                                							__eflags = _t102 - _t136;
                                							if(_t102 == _t136) {
                                								goto L21;
                                							}
                                							_t147 =  *_t149;
                                							 *(_t149 + 0x1d4) = _t136;
                                							 *((intOrPtr*)(_t149 + 0x1e0)) = 1;
                                							 *((intOrPtr*)(_t149 + 0x200)) = 0;
                                							_t109 =  *((intOrPtr*)( *_t149 + 0x210))(_t102);
                                							__eflags = _t109;
                                							_t110 =  *_t149;
                                							if(_t109 != 0) {
                                								 *((intOrPtr*)(_t110 + 0x26c))( *(_t149 + 0xa0));
                                								 *((intOrPtr*)(_t149 + 0x1e0)) = 0;
                                								 *((intOrPtr*)(_t149 + 0x200)) = 0;
                                								goto L21;
                                							} else {
                                								 *(_t149 + 0xf8) =  *(_t149 + 0xf8) | 0xffffffff;
                                								 *((intOrPtr*)(_t149 + 0x1e0)) = 0;
                                								 *((intOrPtr*)(_t149 + 0x200)) = 0;
                                								_t112 =  *((intOrPtr*)(_t110 + 0x284))();
                                								__eflags = _t112;
                                								if(_t112 == 0) {
                                									_t45 = _t149 + 0xf4;
                                									 *_t45 =  *(_t149 + 0xf4) | 0xffffffff;
                                									__eflags =  *_t45;
                                								}
                                								_t89 = ReleaseCapture();
                                								L33:
                                								return L01367D3E(_t89, 0, _v8 ^ _t150, _t147, _t148, _t149);
                                							}
                                						}
                                					}
                                					_t117 = E01282D05(0, _t127, _t147, GetParent( *(_t149 + 0x20)));
                                					_t148 = SendMessageW;
                                					_v48 = _t117;
                                					SendMessageW( *(_t117 + 0x20),  *0x13d9ec8,  *(_t149 + 0xa4),  *(_t149 + 0xa0));
                                					_t119 = E012789AE(_v48, 0x13a32dc);
                                					__eflags = _t119;
                                					if(_t119 != 0) {
                                						L7:
                                						_t120 = E0127E493(0, _t147, _v48);
                                						__eflags = _t120;
                                						if(_t120 != 0) {
                                							SendMessageW( *(_t120 + 0x20),  *0x13d9ec8,  *(_t149 + 0xa4),  *(_t149 + 0xa0));
                                						}
                                						goto L9;
                                					}
                                					_t122 = E012789AE(_v48, 0x139651c);
                                					__eflags = _t122;
                                					if(_t122 == 0) {
                                						goto L9;
                                					}
                                					goto L7;
                                				}
                                				_t148 = __ecx + 0x1f0;
                                				 *((intOrPtr*)(__ecx + 0x1ec)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x1e8)) = 0;
                                				RedrawWindow( *(__ecx + 0x20), _t148, 0, 0x105);
                                				_push(_a12);
                                				if(PtInRect(_t148, _a8) == 0) {
                                					goto L4;
                                				} else {
                                					_t89 =  *((intOrPtr*)( *_t149 + 0x20c))();
                                					if(_t89 != 0) {
                                						_t89 = SendMessageW( *(_t89 + 0x20), 0x10, 0, 0);
                                					}
                                					goto L33;
                                				}
                                			}






























                                APIs
                                • RedrawWindow.USER32(?,?,00000000,00000105), ref: 012F4176
                                • PtInRect.USER32(?,?,?), ref: 012F4183
                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012F41A6
                                • GetParent.USER32(?), ref: 012F41C2
                                • SendMessageW.USER32(?,?,?,00000000), ref: 012F41EC
                                  • Part of subcall function 0127E493: GetParent.USER32(00000000), ref: 0127E4D5
                                • SendMessageW.USER32(?,?,?,013A32DC), ref: 012F4232
                                • ReleaseCapture.USER32 ref: 012F4242
                                • ReleaseCapture.USER32 ref: 012F42E5
                                • ReleaseCapture.USER32 ref: 012F4333
                                  • Part of subcall function 012F3749: InvalidateRect.USER32(?,?,00000001), ref: 012F378F
                                  • Part of subcall function 012F3749: UpdateWindow.USER32 ref: 012F3798
                                • IsRectEmpty.USER32 ref: 012F4391
                                • InvalidateRect.USER32(?,?,00000000), ref: 012F43A9
                                • IsRectEmpty.USER32 ref: 012F43AF
                                • InvalidateRect.USER32(?,?,00000000), ref: 012F43C1
                                • UpdateWindow.USER32 ref: 012F43C6
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$CaptureInvalidateMessageReleaseSendWindow$EmptyExceptionFilterParentProcessUnhandledUpdate$CurrentDebuggerPresentRedrawTerminate
                                • String ID:
                                • API String ID: 2287684419-0
                                • Opcode ID: 8b7450b1ec436a3e0f9674d45247a34cc046de3d4906d540b251cae2aa2cd884
                                • Instruction ID: 8c9464931b87b7b7f75bc5c5d2de9d18dec6d25dca9e973a7126dd6766a6e281
                                • Opcode Fuzzy Hash: 8b7450b1ec436a3e0f9674d45247a34cc046de3d4906d540b251cae2aa2cd884
                                • Instruction Fuzzy Hash: 82814D716107469FDB25AF68C888AEFBBF9FF48310F14493DE6AA92250D770A940CF10
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 94%
                                			E0127A3EB(void* __ebx, void* __edx, long __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t121;
                                				int _t124;
                                				intOrPtr _t127;
                                				intOrPtr _t128;
                                				void* _t129;
                                				intOrPtr _t137;
                                				void* _t167;
                                				void* _t175;
                                				void* _t176;
                                
                                				_t176 = __eflags;
                                				_t168 = __edi;
                                				_t167 = __edx;
                                				_push(0x58);
                                				L01369601(0x137ef84, __ebx, __edi, __esi);
                                				 *((intOrPtr*)(_t175 - 0x3c)) = 0x138f30c;
                                				 *(_t175 - 0x38) = 0;
                                				 *((intOrPtr*)(_t175 - 0x34)) = 0;
                                				 *((intOrPtr*)(_t175 - 0x30)) = 0;
                                				 *(_t175 - 4) = 0;
                                				 *((intOrPtr*)(_t175 - 0x4c)) = 0x138f30c;
                                				 *(_t175 - 0x48) = 0;
                                				 *((intOrPtr*)(_t175 - 0x44)) = 0;
                                				 *((intOrPtr*)(_t175 - 0x40)) = 0;
                                				 *((intOrPtr*)(_t175 - 0x18)) = 0;
                                				 *((intOrPtr*)(_t175 - 0x1c)) = 0x138f588;
                                				 *(_t175 - 4) = 2;
                                				_push(GetSysColor(0x14));
                                				E0127A3A8(0, _t175 - 0x2c, _t167, __edi, GetSysColor, _t176);
                                				 *(_t175 - 4) = 3;
                                				_push(GetSysColor(0x10));
                                				E0127A3A8(0, _t175 - 0x24, _t167, __edi, GetSysColor, _t176);
                                				 *(_t175 - 4) = 4;
                                				if(L01279DC3(0, _t175 - 0x3c, _t167, _t168, CreateCompatibleDC(0)) != 0 && L01279DC3(0, _t175 - 0x4c, _t167, _t168, CreateCompatibleDC(0)) != 0) {
                                					_t168 =  *(_t175 + 8);
                                					E0127A0F1(GetObjectW( *( *(_t175 + 8) + 4), 0x18, _t175 - 0x64),  *((intOrPtr*)(_t175 + 0xc)));
                                					if(E0127A097(0,  *((intOrPtr*)(_t175 + 0xc)), _t167,  *(_t175 + 8), CreateBitmap( *(_t175 - 0x60),  *(_t175 - 0x5c),  *(_t175 - 0x54) & 0x0000ffff,  *(_t175 - 0x52) & 0x0000ffff, 0)) != 0 && E0127A097(0, _t175 - 0x1c, _t167, _t168, CreateBitmap( *(_t175 - 0x60),  *(_t175 - 0x5c), 1, 1, 0)) != 0) {
                                						 *(_t175 + 8) = E0127A14E( *(_t175 - 0x38),  *((intOrPtr*)(_t168 + 4)));
                                						_t121 = E0127A14E( *(_t175 - 0x48),  *((intOrPtr*)(_t175 - 0x18)));
                                						 *((intOrPtr*)(_t175 - 0x14)) = _t121;
                                						if( *(_t175 + 8) != 0 && _t121 != 0) {
                                							 *((intOrPtr*)(_t175 - 0x10)) = L0127940F(GetPixel( *(_t175 - 0x38), 0, 0), _t175 - 0x3c, _t122);
                                							_t124 = BitBlt( *(_t175 - 0x48), 0, 0,  *(_t175 - 0x60),  *(_t175 - 0x5c),  *(_t175 - 0x38), 0, 0, 0xcc0020);
                                							_t168 = 0xffffff;
                                							L0127940F(_t124, _t175 - 0x3c, 0xffffff);
                                							BitBlt( *(_t175 - 0x48), 0, 0,  *(_t175 - 0x60),  *(_t175 - 0x5c),  *(_t175 - 0x38), 0, 0, 0x1100a6);
                                							_t127 =  *((intOrPtr*)(_t175 + 0xc));
                                							if(_t127 != 0) {
                                								_t128 =  *((intOrPtr*)(_t127 + 4));
                                							} else {
                                								_t128 = 0;
                                							}
                                							_t129 = E0127A14E( *(_t175 - 0x38), _t128);
                                							_t184 = _t129;
                                							if(_t129 != 0) {
                                								L0127940F(E0128A19B(_t175 - 0x3c, 0, 0,  *(_t175 - 0x60),  *(_t175 - 0x5c),  *((intOrPtr*)(_t175 + 0x10))), _t175 - 0x3c, _t168);
                                								_t137 = E0127A1AA(_t175 - 0x3c, _t175 - 0x2c);
                                								_t168 = 0xe20746;
                                								 *((intOrPtr*)(_t175 + 0xc)) = _t137;
                                								BitBlt( *(_t175 - 0x38), 1, 1,  *(_t175 - 0x60),  *(_t175 - 0x5c),  *(_t175 - 0x48), 0, 0, 0xe20746);
                                								E0127A1AA(_t175 - 0x3c, _t175 - 0x24);
                                								BitBlt( *(_t175 - 0x38), 0, 0,  *(_t175 - 0x60),  *(_t175 - 0x5c),  *(_t175 - 0x48), 0, 0, 0xe20746);
                                								L0127940F(E0127A1AA(_t175 - 0x3c,  *((intOrPtr*)(_t175 + 0xc))), _t175 - 0x3c,  *((intOrPtr*)(_t175 - 0x10)));
                                							}
                                							E0127A14E( *(_t175 - 0x48),  *((intOrPtr*)( *((intOrPtr*)(_t175 - 0x14)) + 4)));
                                							E0127A14E( *(_t175 - 0x38),  *( *(_t175 + 8) + 4));
                                						}
                                					}
                                				}
                                				 *(_t175 - 4) = 3;
                                				 *((intOrPtr*)(_t175 - 0x24)) = 0x138f578;
                                				E0127A27E(0, _t175 - 0x24, _t168, 0x138f578, _t184);
                                				 *(_t175 - 4) = 2;
                                				 *((intOrPtr*)(_t175 - 0x2c)) = 0x138f578;
                                				E0127A27E(0, _t175 - 0x2c, _t168, 0x138f578, _t184);
                                				 *(_t175 - 4) = 1;
                                				 *((intOrPtr*)(_t175 - 0x1c)) = 0x138f588;
                                				E0127A27E(0, _t175 - 0x1c, _t168, 0x138f578, _t184);
                                				 *(_t175 - 4) = 0;
                                				L01279E44(_t175 - 0x4c);
                                				 *(_t175 - 4) =  *(_t175 - 4) | 0xffffffff;
                                				return L013696D9(L01279E44(_t175 - 0x3c));
                                			}













                                APIs
                                • __EH_prolog3.LIBCMT ref: 0127A3F2
                                • GetSysColor.USER32 ref: 0127A42F
                                  • Part of subcall function 0127A3A8: __EH_prolog3.LIBCMT ref: 0127A3AF
                                  • Part of subcall function 0127A3A8: CreateSolidBrush.GDI32(?), ref: 0127A3CA
                                • GetSysColor.USER32 ref: 0127A440
                                • CreateCompatibleDC.GDI32(00000000), ref: 0127A456
                                • CreateCompatibleDC.GDI32(00000000), ref: 0127A46A
                                • GetObjectW.GDI32(00000004,00000018,?), ref: 0127A489
                                  • Part of subcall function 0127A0F1: DeleteObject.GDI32(00000000), ref: 0127A100
                                • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 0127A4AE
                                • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0127A4CC
                                  • Part of subcall function 0127A14E: SelectObject.GDI32(?,?), ref: 0127A159
                                • GetPixel.GDI32(?,00000000,00000000), ref: 0127A511
                                  • Part of subcall function 0127940F: SetBkColor.GDI32(?,?), ref: 0127942D
                                  • Part of subcall function 0127940F: SetBkColor.GDI32(?,?), ref: 0127943A
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0127A53E
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 0127A563
                                  • Part of subcall function 0128A19B: SetBkColor.GDI32(?,754D5EA6), ref: 0128A1B6
                                  • Part of subcall function 0128A19B: ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0128A1E4
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,00000000), ref: 0127A1D0
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,?), ref: 0127A1E6
                                • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 0127A5C3
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 0127A5E2
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ColorCreateObject$Select$BitmapCompatibleDeleteH_prolog3$BrushH_prolog3_catch_PixelSolidText
                                • String ID:
                                • API String ID: 2999931288-0
                                • Opcode ID: 6215d0468ca22923b87d635ea01eeddde313d4760d4c854c02c79322412fbe6f
                                • Instruction ID: c7ebb45ccfdc1e7defb6b419c14debe1cb0708cc3c1535a140c1faabdbd3f0ff
                                • Opcode Fuzzy Hash: 6215d0468ca22923b87d635ea01eeddde313d4760d4c854c02c79322412fbe6f
                                • Instruction Fuzzy Hash: 9281E271C1020EAEDF11AFE4DC849EEBFB9EF18364F148029F615A71A0DA315E55DB60
                                Uniqueness

                                Uniqueness Score: 2.98%

                                C-Code - Quality: 63%
                                			E012A4A32(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr* _t62;
                                				void* _t72;
                                				intOrPtr _t81;
                                				intOrPtr* _t83;
                                				void* _t99;
                                				intOrPtr _t110;
                                				void* _t112;
                                
                                				_push(0x614);
                                				L0136966A(0x13812f0, __ebx, __edi, __esi);
                                				 *((short*)(_t112 - 0x210)) = 0;
                                				_t110 = 0;
                                				_t81 = __ecx;
                                				L01367D50(_t112 - 0x20e, 0, 0x1fe);
                                				 *((short*)(_t112 - 0x410)) = 0;
                                				L01367D50(_t112 - 0x40e, 0, 0x1fe);
                                				_t83 =  *((intOrPtr*)(_t81 + 0x64));
                                				if(_t83 != 0) {
                                					_push(0);
                                					_push(0);
                                					_push(0xff);
                                					_t106 = _t112 - 0x410;
                                					_push(_t112 - 0x410);
                                					_push(0xff);
                                					_push(_t112 - 0x210);
                                					if( *_t83() != 0) {
                                						goto L19;
                                					} else {
                                						E01273740(_t81, _t112 - 0x210);
                                						 *((intOrPtr*)(_t112 - 4)) = 0;
                                						E01273740(_t81, _t112 - 0x410);
                                						 *((char*)(_t112 - 4)) = 1;
                                						E0136C3B9(_t112 - 0x618,  *((intOrPtr*)(_t112 - 0x614)), 0, 0, 0, 0, _t112 - 0x610, 0x100, 0, 0);
                                						E01272810(_t112 - 0x614, _t112 - 0x610, L01369A59(_t112 - 0x610));
                                						if(L0127B8DE(_t81, _t112 - 0x614, 0x1fe, 0, L"Luna") == 0 || L0127B8DE(_t81, _t112 - 0x614, 0x1fe, 0, L"Aero") == 0) {
                                							_t62 =  *((intOrPtr*)(_t81 + 0x5c));
                                							if(_t62 == _t110) {
                                								L10:
                                								if(L0127B8DE(_t81, _t112 - 0x618, 0x1fe, _t110, L"normalcolor") != 0) {
                                									if(L0127B8DE(_t81, _t112 - 0x618, 0x1fe, _t110, L"homestead") != 0) {
                                										if(L0127B8DE(_t81, _t112 - 0x618, 0x1fe, _t110, L"metallic") != 0) {
                                											goto L4;
                                										} else {
                                											E01273740(_t81, _t112 - 0x210);
                                											 *((char*)(_t112 - 4)) = 2;
                                											L012A1F94(_t81, _t112 - 0x61c);
                                											_t72 = L0127523F(_t112 - 0x61c, L"royale", _t110);
                                											_t99 =  *((intOrPtr*)(_t112 - 0x61c)) + 0xfffffff0;
                                											if(_t72 < 0) {
                                												L01271470(_t99, _t106);
                                												_push(3);
                                												goto L14;
                                											} else {
                                												L01271470(_t99, _t106);
                                												goto L9;
                                											}
                                											L21:
                                										}
                                									} else {
                                										_push(2);
                                										L14:
                                										_pop(_t110);
                                										goto L9;
                                									}
                                								} else {
                                									_t110 = 1;
                                									goto L9;
                                								}
                                							} else {
                                								_t81 =  *((intOrPtr*)(_t81 + 0x10));
                                								if(_t81 == _t110) {
                                									goto L10;
                                								} else {
                                									_push(_t112 - 0x620);
                                									_push(0xeef);
                                									_push(_t110);
                                									_push(1);
                                									_push(_t81);
                                									 *((intOrPtr*)(_t112 - 0x620)) = _t110;
                                									if( *_t62() != 0 ||  *((intOrPtr*)(_t112 - 0x620)) == 1) {
                                										L9:
                                										L01271470( *((intOrPtr*)(_t112 - 0x618)) + 0xfffffff0, _t106);
                                										L01271470( *((intOrPtr*)(_t112 - 0x614)) + 0xfffffff0, _t106);
                                									} else {
                                										goto L10;
                                									}
                                								}
                                							}
                                						} else {
                                							L4:
                                							L01271470( *((intOrPtr*)(_t112 - 0x618)) + 0xfffffff0, _t106);
                                							L01271470( *((intOrPtr*)(_t112 - 0x614)) + 0xfffffff0, _t106);
                                						}
                                					}
                                				}
                                				return L013696ED(_t81, 0x1fe, _t110);
                                				goto L21;
                                			}











                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012A4A3C
                                • _memset.LIBCMT ref: 012A4A5C
                                • _memset.LIBCMT ref: 012A4A73
                                • __wsplitpath_s.LIBCMT ref: 012A4AEA
                                • _wcslen.LIBCMT ref: 012A4AF6
                                  • Part of subcall function 01272810: _memmove_s.LIBCMT ref: 0127288A
                                  • Part of subcall function 01272810: _memcpy_s.LIBCMT ref: 01272897
                                  • Part of subcall function 0127B8DE: __wcsicoll.LIBCMT ref: 0127B8F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: _memset$H_prolog3___wcsicoll__wsplitpath_s_memcpy_s_memmove_s_wcslen
                                • String ID: Aero$Luna$homestead$metallic$normalcolor$royale
                                • API String ID: 2820096495-2881773410
                                • Opcode ID: 3a115d5e13eb0a7796d934870eedf666b1f377c93b79a85e9c349873fc4fdcd0
                                • Instruction ID: e910066ded84061620b853f63008d4ab5c9f3e52045b9bc7cf524489dfa594e7
                                • Opcode Fuzzy Hash: 3a115d5e13eb0a7796d934870eedf666b1f377c93b79a85e9c349873fc4fdcd0
                                • Instruction Fuzzy Hash: C351067092012A9BCB24EA65CC44FFFB67DAF64314F4805D5E21993180EFB0DA90CBA5
                                Uniqueness

                                Uniqueness Score: 23.02%

                                C-Code - Quality: 68%
                                			E012742E5(int __ebx, signed int __edi) {
                                				intOrPtr _t30;
                                				char _t31;
                                				intOrPtr _t32;
                                				void* _t35;
                                				void* _t39;
                                				void* _t47;
                                				int _t51;
                                				void* _t52;
                                				intOrPtr _t53;
                                				intOrPtr _t54;
                                				char _t62;
                                				signed int _t65;
                                				void* _t66;
                                				long _t67;
                                				intOrPtr _t68;
                                				void* _t69;
                                				void* _t70;
                                				signed int _t71;
                                				void* _t73;
                                				void* _t76;
                                
                                				_t65 = __edi;
                                				_t51 = __ebx;
                                				do {
                                					_t67 =  *(_t71 + _t65 * 4 - 0x120c);
                                					if(_t67 == _t51) {
                                						goto L10;
                                					} else {
                                						_t62 = L"nown>"; // 0x6f006e
                                						_t31 = L"<unknown>"; // 0x75003c
                                						_t53 = M0138E41C; // 0x6b006e
                                						 *((intOrPtr*)(_t71 - 0x204)) = _t62;
                                						 *((intOrPtr*)(_t71 - 0x20c)) = _t31;
                                						_t32 =  *0x138e424; // 0x6e0077
                                						 *((intOrPtr*)(_t71 - 0x208)) = _t53;
                                						_t54 =  *0x138e428; // 0x3e
                                						_t61 = _t71 - 0x1f8;
                                						 *((intOrPtr*)(_t71 - 0x200)) = _t32;
                                						 *((intOrPtr*)(_t71 - 0x1fc)) = _t54;
                                						L01367D50(_t71 - 0x1f8, _t51, 0x1f4);
                                						_t73 = _t73 + 0xc;
                                						_t70 = OpenProcess(0x411, _t51, _t67);
                                						if(_t70 == _t51) {
                                							L9:
                                							_t30 =  *((intOrPtr*)(_t71 - 0x1214));
                                							goto L10;
                                						} else {
                                							_t35 = _t71 - 0x1220;
                                							_push(_t35);
                                							_push(4);
                                							_push(_t71 - 0x1218);
                                							_push(_t70);
                                							 *(_t71 - 0x1218) = _t51;
                                							 *(_t71 - 0x1220) = _t51;
                                							L0137E27A();
                                							if(_t35 != 0) {
                                								_push(0x104);
                                								_push(_t71 - 0x20c);
                                								_push( *(_t71 - 0x1218));
                                								_push(_t70);
                                								L0137E274();
                                							}
                                							_push( *(_t71 + _t65 * 4 - 0x120c));
                                							E01271680(_t51, _t65, _t70, L"%s  (PID: %u)\n", _t71 - 0x20c);
                                							L01369505(_t71 - 0x20c);
                                							_t61 =  *((intOrPtr*)(_t71 - 0x1210));
                                							_t39 = L013692EB( *((intOrPtr*)(_t71 - 0x1210)), _t71 - 0x20c);
                                							_t73 = _t73 + 0x18;
                                							if(_t39 == 0) {
                                								L8:
                                								CloseHandle(_t70);
                                								goto L9;
                                							} else {
                                								E01271680(_t51, _t65, _t70, L"Found %s\n", _t71 - 0x20c);
                                								_t76 = _t73 + 8;
                                								if(TerminateProcess(_t70, _t51) != 0) {
                                									_t61 = _t71 - 0x20c;
                                									E01271680(_t51, _t65, _t70, L"Terminated %s\n", _t71 - 0x20c);
                                									_t73 = _t76 + 8;
                                									CloseHandle(_t70);
                                									_push( *((intOrPtr*)(_t71 - 0x1210)));
                                								} else {
                                									E01271680(_t51, _t65, _t70, L"Failed to terminate %s\n", _t71 - 0x20c);
                                									_t73 = _t76 + 8;
                                									goto L8;
                                								}
                                							}
                                						}
                                					}
                                					L13:
                                					_t47 = L01367A0B();
                                					_pop(_t66);
                                					_pop(_t69);
                                					_pop(_t52);
                                					return L01367D3E(_t47, _t52,  *(_t71 - 4) ^ _t71, _t61, _t66, _t69);
                                					L10:
                                					_t65 = _t65 + 1;
                                				} while (_t65 < _t30);
                                				_t68 =  *((intOrPtr*)(_t71 - 0x1210));
                                				_push(_t68);
                                				goto L13;
                                			}
























                                APIs
                                • _memset.LIBCMT ref: 01274346
                                • OpenProcess.KERNEL32(00000411,00000000,?,?,00001000,?), ref: 01274355
                                • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 01274382
                                • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 0127439F
                                  • Part of subcall function 01271680: _memset.LIBCMT ref: 012716A9
                                  • Part of subcall function 01271680: __swprintf.LIBCMT ref: 012716BA
                                  • Part of subcall function 01271680: __vswprintf.LIBCMT ref: 012716CF
                                  • Part of subcall function 01271680: OutputDebugStringW.KERNEL32(?), ref: 012716DE
                                  • Part of subcall function 01369505: __wcsupr_s_l.LIBCMT ref: 01369560
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000004,?), ref: 012743F9
                                • CloseHandle.KERNEL32(00000000), ref: 01274418
                                • _free.LIBCMT ref: 01274434
                                  • Part of subcall function 01367A0B: HeapFree.KERNEL32(00000000,00000000), ref: 01367A21
                                  • Part of subcall function 01367A0B: GetLastError.KERNEL32(00000000,?,0136E429,00000000,?,01369B20,013695F6,?,?,01274776,?,?,?,01277D41,0000000C,00000004), ref: 01367A33
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                • CloseHandle.KERNEL32(00000000), ref: 01274462
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Process$CloseExceptionFilterHandleTerminateUnhandled_memset$BaseCurrentDebugDebuggerEnumErrorFreeHeapLastModuleModulesNameOpenOutputPresentString__swprintf__vswprintf__wcsupr_s_l_free
                                • String ID: %s (PID: %u)$<unknown>$Failed to terminate %s$Found %s
                                • API String ID: 2849792834-388142874
                                • Opcode ID: 1f080f813a225bee98ab0c3a9974ba41568060c76067c983cbe8cf3ddcb3790d
                                • Instruction ID: 47f49cb6cfa31c96747c9108c8489cf8f6ac0cb2e1fd75c18de6d0b1cb6b27b6
                                • Opcode Fuzzy Hash: 1f080f813a225bee98ab0c3a9974ba41568060c76067c983cbe8cf3ddcb3790d
                                • Instruction Fuzzy Hash: 0A3155B5940329AFDB20EF58DC85AEE737CEF58348F0445E9E618A3205D7306E948FA1
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 45%
                                			E012FE046(void* __ebx, struct HDC__* __ecx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t251;
                                				int _t257;
                                				struct HDC__* _t259;
                                				int _t261;
                                				int _t265;
                                				void* _t271;
                                				int _t275;
                                				signed int _t279;
                                				int _t282;
                                				int _t292;
                                				int _t302;
                                				intOrPtr _t310;
                                				intOrPtr _t311;
                                				intOrPtr _t312;
                                				intOrPtr _t313;
                                				int _t317;
                                				int _t333;
                                				struct tagRECT _t335;
                                				int _t339;
                                				int _t344;
                                				struct HDC__* _t345;
                                				intOrPtr _t346;
                                				int _t347;
                                				struct HDC__* _t355;
                                				intOrPtr _t358;
                                				int _t359;
                                				signed int _t360;
                                				intOrPtr _t375;
                                				struct tagRECT _t376;
                                				struct HDC__* _t378;
                                				int _t379;
                                				intOrPtr _t386;
                                				void* _t387;
                                				void* _t394;
                                				void* _t395;
                                
                                				_push(0x80);
                                				L01369601(0x1384842, __ebx, __edi, __esi);
                                				_t333 =  *(_t394 + 0x18);
                                				 *(_t394 - 0x18) =  *(_t394 + 0x24);
                                				_t378 = __ecx;
                                				 *(_t394 - 0x4c) = __ecx;
                                				 *(_t394 - 0x2c) =  *(_t394 + 0x28);
                                				if(_t333 == 0 || IsRectEmpty(_t394 + 8) != 0) {
                                					L64:
                                					_t251 = 1;
                                				} else {
                                					_t335 =  *(_t394 + 8);
                                					_t386 =  *(_t394 + 0x14) -  *(_t394 + 0xc);
                                					 *((intOrPtr*)(_t394 - 0x24)) =  *(_t394 + 0x10) - _t335;
                                					_t257 = 0;
                                					 *((intOrPtr*)(_t394 - 0x48)) = _t386;
                                					 *(_t394 - 0x14) = 0 |  *((intOrPtr*)(_t394 + 0x30)) == 0x00000000;
                                					_t366 =  *(_t394 - 0x2c);
                                					if(_t366 == 0) {
                                						L14:
                                						_t336 =  *(_t394 - 0x18);
                                						__eflags = _t336 - _t257;
                                						if(_t336 != _t257) {
                                							__eflags =  *((intOrPtr*)(_t336 + 4)) - _t257;
                                							if( *((intOrPtr*)(_t336 + 4)) != _t257) {
                                								goto L13;
                                							}
                                						}
                                						L0127976C(_t394 - 0x70);
                                						_t259 =  *(_t378 + 4);
                                						 *(_t394 - 4) =  *(_t394 - 4) & 0x00000000;
                                						__eflags = _t259;
                                						if(_t259 != 0) {
                                							_t259 =  *(_t259 + 4);
                                						}
                                						_t261 = L01279DC3(_t333, _t394 - 0x70, _t366, _t378, CreateCompatibleDC(_t259));
                                						__eflags = _t261;
                                						if(_t261 != 0) {
                                							 *(_t394 - 0x50) =  *(_t394 - 0x50) & 0x00000000;
                                							 *((intOrPtr*)(_t394 - 0x54)) = 0x138f588;
                                							_t339 = _t333 + _t386;
                                							_t366 =  *((intOrPtr*)(_t394 - 0x24)) + _t333;
                                							 *(_t394 - 4) = 1;
                                							 *(_t394 - 0x30) = _t339;
                                							 *(_t394 - 0x20) = _t366;
                                							__eflags = E0127A097(_t333, _t394 - 0x54, _t366, _t378, CreateCompatibleBitmap( *( *(_t378 + 4) + 4), _t366, _t339));
                                							if(__eflags != 0) {
                                								_t265 = E0127A14E( *(_t394 - 0x6c),  *(_t394 - 0x50));
                                								__eflags = _t265;
                                								_t336 = 0 | __eflags != 0x00000000;
                                								 *(_t394 - 0x84) = _t265;
                                								if(__eflags == 0) {
                                									goto L13;
                                								} else {
                                									 *(_t394 - 0x80) =  *(_t394 - 0x20);
                                									 *(_t394 - 0x7c) =  *(_t394 - 0x30);
                                									_t271 = E012FC0DC(_t394 - 0x80, _t394 - 0x28);
                                									 *(_t394 - 0x7c) = _t271;
                                									__eflags = _t271;
                                									if(__eflags == 0) {
                                										goto L21;
                                									} else {
                                										__eflags =  *(_t394 - 0x28);
                                										if(__eflags == 0) {
                                											goto L21;
                                										} else {
                                											SelectObject( *(_t394 - 0x6c), _t271);
                                											_t275 =  *(_t394 + 8);
                                											__eflags =  *(_t394 - 0x14);
                                											if( *(_t394 - 0x14) != 0) {
                                												_t275 = _t275 - _t333;
                                												__eflags = _t275;
                                											}
                                											_t344 =  *(_t378 + 4);
                                											__eflags = _t344;
                                											if(_t344 != 0) {
                                												_t345 =  *(_t344 + 4);
                                											} else {
                                												_t345 = 0;
                                											}
                                											BitBlt( *(_t394 - 0x6c), 0, 0,  *(_t394 - 0x20),  *(_t394 - 0x30), _t345, _t275,  *(_t394 + 0xc), 0xcc0020);
                                											_t346 =  *((intOrPtr*)(_t394 + 0x20));
                                											asm("cdq");
                                											_t279 = (_t346 -  *((intOrPtr*)(_t394 + 0x1c))) / _t333;
                                											 *(_t394 - 0x74) = _t279;
                                											__eflags = _t333;
                                											if(_t333 > 0) {
                                												 *(_t394 - 0x60) = _t279;
                                												 *(_t394 - 0x60) =  ~( *(_t394 - 0x60));
                                												 *(_t394 - 0x34) =  *(_t394 - 0x20);
                                												 *((intOrPtr*)(_t394 - 0x1c)) =  *((intOrPtr*)(_t394 - 0x24));
                                												 *((intOrPtr*)(_t394 - 0x38)) = _t386 + 1;
                                												 *((intOrPtr*)(_t394 - 0x3c)) = _t346;
                                												 *((intOrPtr*)(_t394 - 0x44)) = _t333 + _t333;
                                												 *((intOrPtr*)(_t394 - 0x40)) = _t346 - _t333 *  *(_t394 - 0x74);
                                												_t375 = _t386 -  *((intOrPtr*)(_t394 - 0x24));
                                												_t358 = _t333 -  *((intOrPtr*)(_t394 - 0x24));
                                												 *((intOrPtr*)(_t394 - 0x8c)) = _t375;
                                												 *((intOrPtr*)(_t394 - 0x78)) = _t358;
                                												 *(_t394 - 0x58) = _t333;
                                												while(1) {
                                													_t310 =  *(_t394 - 0x34) + _t375;
                                													 *((intOrPtr*)(_t394 - 0x10)) = _t386;
                                													 *((intOrPtr*)(_t394 - 0x88)) = _t310;
                                													__eflags = _t386 - _t310;
                                													if(_t386 >= _t310) {
                                														goto L37;
                                													}
                                													_t359 = _t358 +  *((intOrPtr*)(_t394 - 0x1c));
                                													__eflags = _t359;
                                													 *(_t394 - 0x5c) = _t359;
                                													do {
                                														_push( *(_t394 - 0x14));
                                														_push( *((intOrPtr*)(_t394 + 0x2c)));
                                														_push(_t333);
                                														_push( *((intOrPtr*)(_t394 - 0x40)));
                                														_push( *((intOrPtr*)(_t394 - 0x10)));
                                														_push( *(_t394 - 0x5c));
                                														_t395 = _t395 - 0x10;
                                														_push( *(_t394 - 0x28));
                                														asm("movsd");
                                														asm("movsd");
                                														asm("movsd");
                                														asm("movsd");
                                														E012FCD92(_t375);
                                														 *((intOrPtr*)(_t394 - 0x10)) =  *((intOrPtr*)(_t394 - 0x10)) + 1;
                                														__eflags =  *((intOrPtr*)(_t394 - 0x10)) -  *((intOrPtr*)(_t394 - 0x88));
                                													} while ( *((intOrPtr*)(_t394 - 0x10)) <  *((intOrPtr*)(_t394 - 0x88)));
                                													_t386 =  *((intOrPtr*)(_t394 - 0x48));
                                													_t378 =  *(_t394 - 0x4c);
                                													L37:
                                													_t311 =  *((intOrPtr*)(_t394 - 0x44));
                                													 *((intOrPtr*)(_t394 - 0x10)) = _t311;
                                													__eflags = _t311 -  *((intOrPtr*)(_t394 - 0x1c));
                                													if(_t311 <  *((intOrPtr*)(_t394 - 0x1c))) {
                                														do {
                                															_push( *(_t394 - 0x14));
                                															_push( *((intOrPtr*)(_t394 + 0x2c)));
                                															_push(_t333);
                                															_push( *((intOrPtr*)(_t394 - 0x3c)));
                                															_push( *((intOrPtr*)(_t394 - 0x38)) - 1);
                                															_push( *((intOrPtr*)(_t394 - 0x10)));
                                															_t395 = _t395 - 0x10;
                                															_push( *(_t394 - 0x28));
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															E012FCD92(_t375);
                                															 *((intOrPtr*)(_t394 - 0x10)) =  *((intOrPtr*)(_t394 - 0x10)) + 1;
                                															__eflags =  *((intOrPtr*)(_t394 - 0x10)) -  *((intOrPtr*)(_t394 - 0x1c));
                                														} while ( *((intOrPtr*)(_t394 - 0x10)) <  *((intOrPtr*)(_t394 - 0x1c)));
                                														_t386 =  *((intOrPtr*)(_t394 - 0x48));
                                														_t378 =  *(_t394 - 0x4c);
                                													}
                                													_t312 =  *((intOrPtr*)(_t394 - 0x44));
                                													 *((intOrPtr*)(_t394 - 0x10)) = _t312;
                                													__eflags = _t312 -  *((intOrPtr*)(_t394 - 0x38));
                                													if(_t312 <  *((intOrPtr*)(_t394 - 0x38))) {
                                														do {
                                															_push( *(_t394 - 0x14));
                                															_push( *((intOrPtr*)(_t394 + 0x2c)));
                                															_push(_t333);
                                															_push( *((intOrPtr*)(_t394 - 0x3c)));
                                															_push( *((intOrPtr*)(_t394 - 0x10)));
                                															_push( *((intOrPtr*)(_t394 - 0x1c)));
                                															_t395 = _t395 - 0x10;
                                															_push( *(_t394 - 0x28));
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															E012FCD92(_t375);
                                															 *((intOrPtr*)(_t394 - 0x10)) =  *((intOrPtr*)(_t394 - 0x10)) + 1;
                                															__eflags =  *((intOrPtr*)(_t394 - 0x10)) -  *((intOrPtr*)(_t394 - 0x38));
                                														} while ( *((intOrPtr*)(_t394 - 0x10)) <  *((intOrPtr*)(_t394 - 0x38)));
                                														_t386 =  *((intOrPtr*)(_t394 - 0x48));
                                														_t378 =  *(_t394 - 0x4c);
                                													}
                                													_t313 =  *((intOrPtr*)(_t394 - 0x24));
                                													 *((intOrPtr*)(_t394 - 0x10)) = _t313;
                                													__eflags = _t313 -  *(_t394 - 0x34);
                                													if(_t313 <  *(_t394 - 0x34)) {
                                														_t317 =  *((intOrPtr*)(_t394 - 0x78)) +  *((intOrPtr*)(_t394 - 0x1c));
                                														__eflags = _t317;
                                														 *(_t394 - 0x5c) = _t317;
                                														do {
                                															_push( *(_t394 - 0x14));
                                															_push( *((intOrPtr*)(_t394 + 0x2c)));
                                															_push(_t333);
                                															_push( *((intOrPtr*)(_t394 - 0x40)));
                                															_push( *(_t394 - 0x5c));
                                															_push( *((intOrPtr*)(_t394 - 0x10)));
                                															_t395 = _t395 - 0x10;
                                															_push( *(_t394 - 0x28));
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															E012FCD92(_t375);
                                															 *((intOrPtr*)(_t394 - 0x10)) =  *((intOrPtr*)(_t394 - 0x10)) + 1;
                                															__eflags =  *((intOrPtr*)(_t394 - 0x10)) -  *(_t394 - 0x34);
                                														} while ( *((intOrPtr*)(_t394 - 0x10)) <  *(_t394 - 0x34));
                                														_t386 =  *((intOrPtr*)(_t394 - 0x48));
                                														_t378 =  *(_t394 - 0x4c);
                                													}
                                													 *((intOrPtr*)(_t394 - 0x3c)) =  *((intOrPtr*)(_t394 - 0x3c)) +  *(_t394 - 0x60);
                                													 *((intOrPtr*)(_t394 - 0x38)) =  *((intOrPtr*)(_t394 - 0x38)) + 1;
                                													 *((intOrPtr*)(_t394 - 0x1c)) =  *((intOrPtr*)(_t394 - 0x1c)) + 1;
                                													 *((intOrPtr*)(_t394 - 0x40)) =  *((intOrPtr*)(_t394 - 0x40)) +  *(_t394 - 0x74);
                                													 *((intOrPtr*)(_t394 - 0x44)) =  *((intOrPtr*)(_t394 - 0x44)) - 1;
                                													 *(_t394 - 0x34) =  *(_t394 - 0x34) - 1;
                                													_t194 = _t394 - 0x58;
                                													 *_t194 =  *(_t394 - 0x58) - 1;
                                													__eflags =  *_t194;
                                													if( *_t194 != 0) {
                                														_t358 =  *((intOrPtr*)(_t394 - 0x78));
                                														_t375 =  *((intOrPtr*)(_t394 - 0x8c));
                                														continue;
                                													}
                                													goto L48;
                                												}
                                											}
                                											L48:
                                											_t347 =  *(_t394 + 8);
                                											__eflags =  *(_t394 - 0x14);
                                											if( *(_t394 - 0x14) != 0) {
                                												_t347 = _t347 - _t333;
                                												__eflags = _t347;
                                											}
                                											_t387 = BitBlt;
                                											BitBlt( *( *(_t378 + 4) + 4), _t347,  *(_t394 + 0xc),  *(_t394 - 0x20),  *(_t394 - 0x30),  *(_t394 - 0x6c), 0, 0, 0xcc0020);
                                											__eflags =  *(_t394 - 0x2c);
                                											if( *(_t394 - 0x2c) != 0) {
                                												_t207 = _t333 + 1; // 0x81
                                												E0127A097(_t333,  *(_t394 - 0x2c), 0, _t378, CreateCompatibleBitmap( *( *(_t378 + 4) + 4), _t207,  *(_t394 - 0x30)));
                                												E0127A14E( *(_t394 - 0x6c),  *((intOrPtr*)( *(_t394 - 0x2c) + 4)));
                                												_t355 =  *(_t378 + 4);
                                												asm("sbb eax, eax");
                                												_t302 =  !( ~( *(_t394 - 0x14))) &  *(_t394 + 0x10);
                                												__eflags = _t355;
                                												if(_t355 != 0) {
                                													_t355 =  *(_t355 + 4);
                                												}
                                												BitBlt( *(_t394 - 0x6c), 0, 0, _t333,  *(_t394 - 0x30), _t355, _t302,  *(_t394 + 0xc), 0xcc0020);
                                											}
                                											__eflags =  *(_t394 - 0x18);
                                											if( *(_t394 - 0x18) != 0) {
                                												_t222 = _t333 + 1; // 0x81
                                												E0127A097(_t333,  *(_t394 - 0x18), 0, _t378, CreateCompatibleBitmap( *( *(_t378 + 4) + 4),  *(_t394 - 0x20), _t222));
                                												E0127A14E( *(_t394 - 0x6c),  *((intOrPtr*)( *(_t394 - 0x18) + 4)));
                                												_t292 =  *(_t394 + 8);
                                												__eflags =  *(_t394 - 0x14);
                                												if( *(_t394 - 0x14) != 0) {
                                													_t292 = _t292 - _t333;
                                													__eflags = _t292;
                                												}
                                												_t379 =  *(_t378 + 4);
                                												__eflags = _t379;
                                												if(_t379 != 0) {
                                													_t378 =  *(_t379 + 4);
                                												} else {
                                													_t378 = 0;
                                												}
                                												BitBlt( *(_t394 - 0x6c), 0, 0,  *(_t394 - 0x20), _t333, _t378, _t292,  *(_t394 + 0x14), 0xcc0020);
                                											}
                                											_t282 =  *(_t394 - 0x84);
                                											__eflags = _t282;
                                											if(__eflags != 0) {
                                												_t282 =  *(_t282 + 4);
                                											}
                                											E0127A14E( *(_t394 - 0x6c), _t282);
                                											DeleteObject( *(_t394 - 0x7c));
                                											 *(_t394 - 4) = 0;
                                											 *((intOrPtr*)(_t394 - 0x54)) = 0x138f588;
                                											E0127A27E(_t333, _t394 - 0x54, _t378, _t387, __eflags);
                                											_t243 = _t394 - 4;
                                											 *_t243 =  *(_t394 - 4) | 0xffffffff;
                                											__eflags =  *_t243;
                                											L01279E44(_t394 - 0x70);
                                											goto L64;
                                										}
                                									}
                                								}
                                							} else {
                                								L21:
                                								 *(_t394 - 4) = 0;
                                								 *((intOrPtr*)(_t394 - 0x54)) = 0x138f588;
                                								E0127A27E(_t333, _t394 - 0x54, _t378, _t386, __eflags);
                                								goto L19;
                                							}
                                						} else {
                                							L19:
                                							 *(_t394 - 4) =  *(_t394 - 4) | 0xffffffff;
                                							L01279E44(_t394 - 0x70);
                                							_t251 = 0;
                                						}
                                					} else {
                                						_t366 =  *(_t366 + 4);
                                						 *(_t394 - 0x58) = _t366;
                                						if(_t366 == 0 ||  *(_t394 - 0x18) == 0) {
                                							L12:
                                							__eflags =  *(_t394 - 0x58) - _t257;
                                							if( *(_t394 - 0x58) != _t257) {
                                								L13:
                                								_t257 = L01277AC9(_t336);
                                							}
                                							goto L14;
                                						} else {
                                							_t366 =  *(_t394 - 0x18);
                                							if( *((intOrPtr*)( *(_t394 - 0x18) + 4)) == 0) {
                                								goto L12;
                                							} else {
                                								if( *(_t394 - 0x14) == 0) {
                                									_t360 =  *(_t394 + 0x10);
                                								} else {
                                									_t360 = _t335 - _t333;
                                								}
                                								E012FCA77( *(_t378 + 4), _t360,  *(_t394 + 0xc), _t333, _t386 + _t333,  *(_t394 - 0x2c), _t257, _t257);
                                								_t376 =  *(_t394 + 8);
                                								if( *(_t394 - 0x14) != 0) {
                                									_t376 = _t376 - _t333;
                                								}
                                								E012FCA77( *(_t378 + 4), _t376,  *(_t394 + 0x14),  *((intOrPtr*)(_t394 - 0x24)) + _t333, _t333,  *(_t394 - 0x18), 0, 0);
                                								goto L64;
                                							}
                                						}
                                					}
                                				}
                                				return L013696D9(_t251);
                                			}






































                                0x012fe463
                                0x012fe467
                                0x012fe46c
                                0x012fe480
                                0x012fe48e
                                0x012fe493
                                0x012fe498
                                0x012fe49b
                                0x012fe49d
                                0x012fe49d
                                0x012fe49d
                                0x012fe49f
                                0x012fe4a2
                                0x012fe4a4
                                0x012fe4aa
                                0x012fe4a6
                                0x012fe4a6
                                0x012fe4a6
                                0x012fe4c0
                                0x012fe4c0
                                0x012fe4c2
                                0x012fe4c8
                                0x012fe4ca
                                0x012fe4cc
                                0x012fe4cc
                                0x012fe4d3
                                0x012fe4db
                                0x012fe4e4
                                0x012fe4e8
                                0x012fe4ef
                                0x012fe4f4
                                0x012fe4f4
                                0x012fe4f4
                                0x012fe4fb
                                0x00000000
                                0x012fe4fb
                                0x012fe1f3
                                0x012fe1ed
                                0x012fe198
                                0x012fe198
                                0x012fe19b
                                0x012fe19f
                                0x012fe1a6
                                0x00000000
                                0x012fe1a6
                                0x012fe14d
                                0x012fe14d
                                0x012fe14d
                                0x012fe154
                                0x012fe159
                                0x012fe159
                                0x012fe0ab
                                0x012fe0ab
                                0x012fe0ae
                                0x012fe0b3
                                0x012fe10d
                                0x012fe10d
                                0x012fe110
                                0x012fe112
                                0x012fe112
                                0x012fe112
                                0x00000000
                                0x012fe0ba
                                0x012fe0ba
                                0x012fe0c0
                                0x00000000
                                0x012fe0c2
                                0x012fe0c5
                                0x012fe0cb
                                0x012fe0c7
                                0x012fe0c7
                                0x012fe0c7
                                0x012fe0de
                                0x012fe0e3
                                0x012fe0eb
                                0x012fe0ed
                                0x012fe0ed
                                0x012fe103
                                0x00000000
                                0x012fe103
                                0x012fe0c0
                                0x012fe0b3
                                0x012fe0a9
                                0x012fe508

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012FE050
                                • IsRectEmpty.USER32 ref: 012FE075
                                  • Part of subcall function 012FCA77: DrawStateW.USER32 ref: 012FCAB6
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • CreateCompatibleDC.GDI32(00000000), ref: 012FE13A
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 012FC0DC: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 012FC156
                                • CreateCompatibleBitmap.GDI32(?,?), ref: 012FE185
                                  • Part of subcall function 0127A14E: SelectObject.GDI32(?,?), ref: 0127A159
                                • SelectObject.GDI32(?,00000000), ref: 012FE1F9
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 012FE22E
                                • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 012FE404
                                • CreateCompatibleBitmap.GDI32(?,00000081,?), ref: 012FE419
                                • BitBlt.GDI32(?,00000000,00000000,00000080,?,00000001,?,?,00CC0020), ref: 012FE461
                                • CreateCompatibleBitmap.GDI32(?,?,00000081), ref: 012FE476
                                • BitBlt.GDI32(?,00000000,00000000,?,00000080,?,?,?,00CC0020), ref: 012FE4C0
                                • DeleteObject.GDI32(?), ref: 012FE4DB
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Create$Compatible$BitmapObject$DeleteSelect$DrawEmptyException@8H_prolog3H_prolog3_catch_RectSectionStateThrow
                                • String ID:
                                • API String ID: 2775792040-0
                                • Opcode ID: 73661053a785a68036f59c9d4358d8175fd41593a1542f49e052ff3e5688e48c
                                • Instruction ID: 8f71b91a4a9584618d7a3ef0fbe8f861d2c39becc717f07784e9cb3c7454de62
                                • Opcode Fuzzy Hash: 73661053a785a68036f59c9d4358d8175fd41593a1542f49e052ff3e5688e48c
                                • Instruction Fuzzy Hash: AA02137591020AEFDF16DFA8C9849EEFBB6FF08314F158129EA15A7260D731A911CF60
                                Uniqueness

                                Uniqueness Score: 5.54%

                                C-Code - Quality: 85%
                                			E012B615D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t179;
                                				intOrPtr* _t181;
                                				void* _t182;
                                				WCHAR* _t191;
                                				intOrPtr* _t202;
                                				intOrPtr* _t204;
                                				intOrPtr* _t206;
                                				intOrPtr* _t208;
                                				intOrPtr* _t210;
                                				intOrPtr* _t212;
                                				intOrPtr* _t214;
                                				short _t219;
                                				short* _t220;
                                				short _t221;
                                				void* _t222;
                                				short _t223;
                                				intOrPtr _t225;
                                				intOrPtr _t226;
                                				intOrPtr _t228;
                                				intOrPtr _t229;
                                				intOrPtr* _t237;
                                				short* _t238;
                                				signed int _t247;
                                				signed int _t254;
                                				intOrPtr* _t256;
                                				WCHAR* _t259;
                                				WCHAR* _t276;
                                				signed int _t279;
                                				WCHAR* _t280;
                                				signed int _t283;
                                				signed int _t309;
                                				signed int _t310;
                                				short* _t318;
                                				intOrPtr _t355;
                                				signed int _t356;
                                				void* _t358;
                                				void* _t359;
                                				void* _t360;
                                
                                				_push(0x28);
                                				_t179 = L01369601(0x1381d3d, __ebx, __edi, __esi);
                                				_t358 = __ecx;
                                				_t354 = 1;
                                				if( *((intOrPtr*)(__ecx + 0x98)) != 1) {
                                					L42:
                                					return L013696D9(_t179);
                                				}
                                				_t181 =  *((intOrPtr*)(__ecx + 0xa4));
                                				_t182 =  *((intOrPtr*)( *_t181 + 0x50))(_t181, _t359 - 0x24);
                                				_t279 = 0;
                                				if(_t182 < 0) {
                                					__eflags =  *( *((intOrPtr*)(__ecx + 0x94)) + 0x34) & 0x00000200;
                                					if(__eflags == 0) {
                                						L36:
                                						_push(_t359 - 0x1c);
                                						L012B5F90(_t279, _t358, _t354, _t358, 0);
                                						 *(_t359 - 4) = 2;
                                						E01272410(_t359 - 0x34, E0127859A());
                                						 *(_t359 - 4) = 3;
                                						if(PathFindFileNameW( *(_t359 - 0x1c)) != _t279) {
                                							E01272AA0(_t354, _t188);
                                						}
                                						E01272410(_t359 - 0x30, E0127859A());
                                						 *(_t359 - 4) = 4;
                                						_t191 = PathFindExtensionW( *(_t359 - 0x1c));
                                						if(_t191 != _t279 &&  *_t191 == 0x2e) {
                                							E01272AA0(_t354,  &(_t191[1]));
                                						}
                                						_t355 =  *((intOrPtr*)(_t359 - 0x34));
                                						 *((short*)( *((intOrPtr*)(_t358 + 0x94)) + 0x38)) =  *((intOrPtr*)( *(_t359 - 0x1c) - 0xc)) -  *((intOrPtr*)(_t355 - 0xc));
                                						 *((short*)( *((intOrPtr*)(_t358 + 0x94)) + 0x3a)) =  *((intOrPtr*)( *(_t359 - 0x1c) - 0xc)) -  *((intOrPtr*)( *((intOrPtr*)(_t359 - 0x30)) - 0xc));
                                						L01271470( *((intOrPtr*)(_t359 - 0x30)) - 0x10,  *((intOrPtr*)(_t358 + 0x94)));
                                						_t176 = _t355 - 0x10; // 0x1f0
                                						L01271470(_t176,  *((intOrPtr*)(_t358 + 0x94)));
                                						_t179 = L01271470( &(( *(_t359 - 0x1c))[0xfffffffffffffff8]),  *((intOrPtr*)(_t358 + 0x94)));
                                						goto L42;
                                					}
                                					_t202 =  *((intOrPtr*)(__ecx + 0xa4));
                                					 *((intOrPtr*)(_t359 - 0x30)) = 0;
                                					__eflags =  *((intOrPtr*)( *_t202))(_t202, 0x1395174, _t359 - 0x30);
                                					if(__eflags < 0) {
                                						goto L36;
                                					}
                                					_t204 =  *((intOrPtr*)(_t359 - 0x30));
                                					 *((intOrPtr*)(_t359 - 0x2c)) = 0;
                                					__eflags =  *((intOrPtr*)( *_t204 + 0x6c))(_t204, _t359 - 0x2c);
                                					if(__eflags < 0) {
                                						L34:
                                						_t206 =  *((intOrPtr*)(_t359 - 0x30));
                                						L35:
                                						 *((intOrPtr*)( *_t206 + 8))(_t206);
                                						goto L36;
                                					}
                                					_t208 =  *((intOrPtr*)(_t359 - 0x2c));
                                					__eflags =  *((intOrPtr*)( *_t208 + 0x24))(_t208, _t359 - 0x28);
                                					if(__eflags < 0) {
                                						L33:
                                						_t210 =  *((intOrPtr*)(_t359 - 0x2c));
                                						 *((intOrPtr*)( *_t210 + 8))(_t210);
                                						goto L34;
                                					}
                                					_t212 =  *((intOrPtr*)(_t359 - 0x28));
                                					 *((intOrPtr*)(_t359 - 0x34)) = 0;
                                					__eflags =  *((intOrPtr*)( *_t212 + 0xc))(_t212, 1, _t359 - 0x20, _t359 - 0x34);
                                					if(__eflags != 0) {
                                						L32:
                                						_t214 =  *((intOrPtr*)(_t359 - 0x28));
                                						 *((intOrPtr*)( *_t214 + 8))(_t214);
                                						goto L33;
                                					}
                                					E01272410(_t359 - 0x14, E0127859A());
                                					 *(_t359 - 4) = 1;
                                					_t354 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x94)) + 0x1c));
                                					_t219 =  *(_t359 - 0x20);
                                					 *(_t359 - 0x10) = 0;
                                					_t220 =  *((intOrPtr*)( *_t219 + 0x14))(_t219, 0x80058000, _t359 - 0x10);
                                					__eflags = _t220;
                                					if(_t220 >= 0) {
                                						PathRemoveFileSpecW( *(_t359 - 0x10));
                                						__eflags =  *( *((intOrPtr*)(_t358 + 0x94)) + 0x20) - 1;
                                						L0136B25B(_t354,  *( *((intOrPtr*)(_t358 + 0x94)) + 0x20) - 1,  *(_t359 - 0x10), 0xffffffff);
                                						_t254 = L01369A59( *(_t359 - 0x10));
                                						_t360 = _t360 + 0x14;
                                						_t354 = _t354 + 2 + _t254 * 2;
                                						__imp__CoTaskMemFree( *(_t359 - 0x10));
                                					}
                                					while(1) {
                                						_t221 =  *(_t359 - 0x20);
                                						_t348 = _t359 - 0x10;
                                						 *(_t359 - 0x10) = _t279;
                                						_t222 =  *((intOrPtr*)( *_t221 + 0x14))(_t221, 0x80058000, _t359 - 0x10);
                                						__eflags = _t222 - _t279;
                                						if(_t222 >= _t279) {
                                							E01272AA0(_t354,  *(_t359 - 0x10));
                                							_t280 =  *(_t359 - 0x14);
                                							__eflags =  *((intOrPtr*)(_t280 - 4)) - 1;
                                							if( *((intOrPtr*)(_t280 - 4)) > 1) {
                                								L012715B0(_t359 - 0x14,  *(_t280 - 0xc));
                                								_t280 =  *(_t359 - 0x14);
                                							}
                                							PathRemoveFileSpecW(_t280);
                                							E012723C0(_t280, _t359 - 0x14, _t354, 0xffffffff);
                                							_t318 =  *(_t280 - 0xc);
                                							_t348 =  *(_t359 - 0x10);
                                							__eflags = _t348[_t318] - 0x5c;
                                							if(_t348[_t318] == 0x5c) {
                                								__eflags = _t318;
                                							}
                                							L0136B25B(_t354,  *( *((intOrPtr*)(_t358 + 0x94)) + 0x20) - (_t354 -  *((intOrPtr*)( *((intOrPtr*)(_t358 + 0x94)) + 0x1c)) >> 1) - 1, _t318 + _t318 + _t348, 0xffffffff);
                                							_t247 = L01369A59(_t318 + _t318 +  *(_t359 - 0x10));
                                							_t360 = _t360 + 0x14;
                                							_t354 = _t354 + 2 + _t247 * 2;
                                							__imp__CoTaskMemFree( *(_t359 - 0x10));
                                							_t279 = 0;
                                							__eflags = 0;
                                						}
                                						_t223 =  *(_t359 - 0x20);
                                						 *((intOrPtr*)( *_t223 + 8))(_t223);
                                						_t225 =  *((intOrPtr*)(_t358 + 0x94));
                                						_t309 =  *(_t225 + 0x20);
                                						_t226 =  *((intOrPtr*)(_t225 + 0x1c));
                                						__eflags = _t354 - _t226 + _t309 * 2 - 2;
                                						if(_t354 >= _t226 + _t309 * 2 - 2) {
                                							break;
                                						}
                                						_t237 =  *((intOrPtr*)(_t359 - 0x28));
                                						_t348 = _t359 - 0x20;
                                						_t238 =  *((intOrPtr*)( *_t237 + 0xc))(_t237, 1, _t359 - 0x20, _t359 - 0x34);
                                						__eflags = _t238;
                                						if(_t238 == 0) {
                                							continue;
                                						}
                                						break;
                                					}
                                					_t228 =  *((intOrPtr*)(_t358 + 0x94));
                                					_t310 =  *(_t228 + 0x20);
                                					_t229 =  *((intOrPtr*)(_t228 + 0x1c));
                                					__eflags = _t354 - _t229 + _t310 * 2 - 2;
                                					if(_t354 >= _t229 + _t310 * 2 - 2) {
                                						_t348 = 0;
                                						__eflags = 0;
                                						 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t358 + 0x94)) + 0x1c)) +  *( *((intOrPtr*)(_t358 + 0x94)) + 0x20) * 2 - 4)) = 0;
                                						 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t358 + 0x94)) + 0x1c)) +  *( *((intOrPtr*)(_t358 + 0x94)) + 0x20) * 2 - 2)) = 0;
                                					} else {
                                						 *_t354 = 0;
                                					}
                                					 *(_t359 - 4) =  *(_t359 - 4) | 0xffffffff;
                                					__eflags =  &(( *(_t359 - 0x14))[0xfffffffffffffff8]);
                                					L01271470( &(( *(_t359 - 0x14))[0xfffffffffffffff8]), _t348);
                                					goto L32;
                                				}
                                				_t354 = E012B4DF9(__ecx);
                                				if(_t354 != 0) {
                                					_push(_t359 - 0x14);
                                					_push(_t354);
                                					 *(_t359 - 0x14) = 0;
                                					if( *((intOrPtr*)( *_t354 + 0x78))() >= 0) {
                                						 *((intOrPtr*)( *_t354 + 0x7c))(_t354,  *((intOrPtr*)(_t359 - 0x24)),  *(_t359 - 0x14),  *((intOrPtr*)(__ecx + 0x20)), 0);
                                						_t276 =  *(_t359 - 0x14);
                                						 *((intOrPtr*)( *_t276 + 8))(_t276);
                                					}
                                					 *((intOrPtr*)( *_t354 + 8))(_t354);
                                				}
                                				_t256 =  *((intOrPtr*)(_t359 - 0x24));
                                				_push(_t359 - 0x18);
                                				_push(0x80058000);
                                				 *(_t359 - 0x18) = _t279;
                                				_push(_t256);
                                				if( *((intOrPtr*)( *_t256 + 0x14))() >= _t279) {
                                					E01273740(_t279,  *(_t359 - 0x18));
                                					_t259 =  *(_t359 - 0x14);
                                					 *(_t359 - 4) = _t279;
                                					if( *((intOrPtr*)(_t259 - 4)) > 1) {
                                						L012715B0(_t359 - 0x14,  *((intOrPtr*)(_t259 - 0xc)));
                                						_t259 =  *(_t359 - 0x14);
                                					}
                                					PathRemoveFileSpecW(_t259);
                                					_t283 = _t279 | 0xffffffff;
                                					E012723C0(_t283, _t359 - 0x14, _t354, _t283);
                                					_t356 =  *( *(_t359 - 0x14) - 0xc);
                                					_t328 =  *(_t359 - 0x18);
                                					if( *((short*)( *(_t359 - 0x18) + _t356 * 2)) == 0x5c) {
                                						_t356 = _t356 + 1;
                                					}
                                					L0136B25B( *((intOrPtr*)( *((intOrPtr*)(_t358 + 0x94)) + 0x1c)),  *( *((intOrPtr*)(_t358 + 0x94)) + 0x20) - 1, _t328, _t283);
                                					L0136B25B( *((intOrPtr*)( *((intOrPtr*)(_t358 + 0x94)) + 0x24)),  *((intOrPtr*)( *((intOrPtr*)(_t358 + 0x94)) + 0x28)),  *(_t359 - 0x18) + _t356 * 2, _t283);
                                					_t354 =  *((intOrPtr*)(_t358 + 0x94));
                                					 *((short*)( *((intOrPtr*)(_t354 + 0x1c)) + 2 + L01369A59( *((intOrPtr*)(_t354 + 0x1c))) * 2)) = 0;
                                					__imp__CoTaskMemFree( *(_t359 - 0x18));
                                					 *(_t359 - 4) = _t283;
                                					L01271470( &(( *(_t359 - 0x14))[0xfffffffffffffff8]), 0);
                                					_t279 = 0;
                                				}
                                				_t206 =  *((intOrPtr*)(_t359 - 0x24));
                                				goto L35;
                                			}


                                APIs
                                • __EH_prolog3.LIBCMT ref: 012B6164
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 012B6215
                                • _wcslen.LIBCMT ref: 012B626F
                                • CoTaskMemFree.OLE32(?), ref: 012B6284
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 012B6354
                                • _wcslen.LIBCMT ref: 012B6373
                                • CoTaskMemFree.OLE32(?), ref: 012B6382
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 012B63C4
                                  • Part of subcall function 012723C0: _wcsnlen.LIBCMT ref: 012723D9
                                • _wcslen.LIBCMT ref: 012B6409
                                • CoTaskMemFree.OLE32(?), ref: 012B6418
                                  • Part of subcall function 012715A0: _memcpy_s.LIBCMT ref: 012715FE
                                  • Part of subcall function 012B5F90: __EH_prolog3.LIBCMT ref: 012B5F97
                                  • Part of subcall function 012B5F90: CoTaskMemFree.OLE32(?), ref: 012B603D
                                  • Part of subcall function 012B5F90: GetParent.USER32(?), ref: 012B60B6
                                  • Part of subcall function 012B5F90: SendMessageW.USER32(?,00000464,00000104,?), ref: 012B60CA
                                  • Part of subcall function 012B5F90: GetParent.USER32(?), ref: 012B60FD
                                  • Part of subcall function 012B5F90: SendMessageW.USER32(?,00000465,00000104,?), ref: 012B6111
                                • PathFindFileNameW.SHLWAPI(?), ref: 012B64E8
                                • PathFindExtensionW.SHLWAPI(?), ref: 012B6510
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Path$FileFreeTask$RemoveSpec_wcslen$FindH_prolog3MessageParentSend$ExtensionName_memcpy_s_wcsnlen
                                • String ID:
                                • API String ID: 1649649895-0
                                • Opcode ID: 364ab310eca504565c479cf84474829b3aa24b45c551d08067e2f1935c399df1
                                • Instruction ID: f82e17d036a6dd1f96d3909ada2f7c37b9d05760e26a14aaef7af32909b8d38f
                                • Opcode Fuzzy Hash: 364ab310eca504565c479cf84474829b3aa24b45c551d08067e2f1935c399df1
                                • Instruction Fuzzy Hash: 09E13E70A10206DFCB14DFA8C9D8DFEB7B6FF98314B144558E516AB2A1DB31A906CB60
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 91%
                                			E01280227(intOrPtr* __ecx, void* __edx) {
                                				int _v8;
                                				int _v12;
                                				int _v16;
                                				intOrPtr* _v20;
                                				struct tagPOINT _v28;
                                				struct tagMSG _v56;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				int _t47;
                                				int _t50;
                                				long _t51;
                                				int _t57;
                                				int _t59;
                                				int _t65;
                                				int _t74;
                                				int _t84;
                                				int _t86;
                                				void* _t88;
                                				intOrPtr* _t91;
                                				intOrPtr* _t94;
                                
                                				_t88 = __edx;
                                				_t94 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x88)) == 1) {
                                					L26:
                                					return _t47;
                                				}
                                				_t47 = L0127FEAF(__ecx);
                                				if(_t47 == 0) {
                                					goto L26;
                                				}
                                				_t47 = PeekMessageW( &_v56,  *(_t94 + 0x20), 0x367, 0x367, 3);
                                				if(_t47 != 0) {
                                					goto L26;
                                				}
                                				_t50 =  *(_t94 + 0x88);
                                				_v16 = _t50;
                                				 *(_t94 + 0x88) = 1;
                                				if(_t50 == 2) {
                                					L7:
                                					_push(0);
                                					__eflags = _v16;
                                					if(_v16 != 0) {
                                						_t51 = SendMessageW( *(_t94 + 0x20), 0x362, 0xe002, ??);
                                						_v16 = _t51;
                                						__eflags = _t51;
                                						if(_t51 == 0) {
                                							_v16 = 0xe001;
                                						}
                                						_v12 = 0;
                                						GetCursorPos( &_v28);
                                						L0127FF0C(0, _t94, _t88, _v28.x, _v28.y, 0);
                                						_v8 = 0;
                                						_t91 =  *((intOrPtr*)(E012792EF(0, 1, _t94, __eflags) + 4));
                                						_v20 = _t91;
                                						while(1) {
                                							__eflags =  *(_t94 + 0x88);
                                							if( *(_t94 + 0x88) == 0) {
                                								break;
                                							}
                                							_t57 = PeekMessageW( &_v56, 0, 0, 0, 0);
                                							__eflags = _t57;
                                							if(_t57 == 0) {
                                								_t83 = _t91;
                                								_t59 =  *((intOrPtr*)( *_t91 + 0x60))(_v8);
                                								_v8 = _v8 + 1;
                                								__eflags = _t59;
                                								if(_t59 == 0) {
                                									_v8 = 0;
                                									WaitMessage();
                                								}
                                								continue;
                                							}
                                							_t83 = _t94;
                                							_t74 = E01280027(_t94, _t88,  &_v56,  &_v12);
                                							__eflags = _t74;
                                							if(_t74 == 0) {
                                								break;
                                							}
                                						}
                                						 *(_t94 + 0x88) = 0;
                                						ReleaseCapture();
                                						E01282D05(0, _t83, _t88, SetCapture( *(_t94 + 0x20)));
                                						ReleaseCapture();
                                						SendMessageW( *(_t94 + 0x20), 0x362, _v16, 0);
                                						_t84 =  *(_t94 + 0xa0);
                                						__eflags = _t84;
                                						if(_t84 != 0) {
                                							 *((intOrPtr*)( *_t84 + 0x60))(0);
                                						}
                                						__eflags = _v12;
                                						if(_v12 != 0) {
                                							__eflags = _v12 - 0xffffffff;
                                							if(_v12 != 0xffffffff) {
                                								 *((intOrPtr*)( *_v20 + 0xc8))(_v12, 1);
                                							} else {
                                								SendMessageW( *(_t94 + 0x20), 0x111, 0xe147, 0);
                                							}
                                						}
                                						_t65 = PostMessageW( *(_t94 + 0x20), 0x36a, 0, 0);
                                						L25:
                                						return _t65;
                                					}
                                					_t65 = PostMessageW( *(_t94 + 0x20), 0x111, 0xe145, ??);
                                					 *(_t94 + 0x88) = 2;
                                					goto L25;
                                				}
                                				_t86 =  *(_t94 + 0xa0);
                                				if(_t86 == 0) {
                                					goto L7;
                                				}
                                				_push(1);
                                				if( *((intOrPtr*)( *_t86 + 0x60))() != 0) {
                                					goto L7;
                                				} else {
                                					_t65 =  *((intOrPtr*)( *( *(_t94 + 0xa0)) + 0x60))(0);
                                					 *(_t94 + 0x88) = 0;
                                					goto L25;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 0127FEAF: LoadCursorW.USER32 ref: 0127FED0
                                  • Part of subcall function 0127FEAF: LoadCursorW.USER32 ref: 0127FEE9
                                • PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 0128025F
                                • PostMessageW.USER32 ref: 012802C2
                                • SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 012802E4
                                • GetCursorPos.USER32(?), ref: 012802FF
                                  • Part of subcall function 0127FF0C: GetCapture.USER32 ref: 0127FF2A
                                  • Part of subcall function 0127FF0C: WindowFromPoint.USER32(?,?), ref: 0127FF39
                                  • Part of subcall function 0127FF0C: GetActiveWindow.USER32 ref: 0127FF5B
                                  • Part of subcall function 0127FF0C: GetCurrentThreadId.KERNEL32(00000000,?,00000000), ref: 0127FF73
                                  • Part of subcall function 0127FF0C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0127FF82
                                  • Part of subcall function 0127FF0C: GetDesktopWindow.USER32 ref: 0127FF8E
                                  • Part of subcall function 0127FF0C: SetCapture.USER32(00000000), ref: 0127FFCD
                                  • Part of subcall function 0127FF0C: ReleaseCapture.USER32 ref: 0127FFED
                                  • Part of subcall function 0127FF0C: ReleaseCapture.USER32 ref: 01280000
                                  • Part of subcall function 0127FF0C: SetCursor.USER32(00000000), ref: 0128000C
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0128032B
                                • PostMessageW.USER32 ref: 012803E6
                                  • Part of subcall function 01280027: PeekMessageW.USER32(?,00000000,00000201,00000201,00000001), ref: 012800C0
                                  • Part of subcall function 01280027: SendMessageW.USER32(00000000,00000084,00000000,?), ref: 012800DD
                                  • Part of subcall function 01280027: ReleaseCapture.USER32 ref: 01280118
                                  • Part of subcall function 01280027: GetMessageW.USER32(?,00000000,000000A1,000000A1), ref: 01280127
                                  • Part of subcall function 01280027: PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 0128013B
                                  • Part of subcall function 01280027: DispatchMessageW.USER32 ref: 01280142
                                  • Part of subcall function 01280027: PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 01280165
                                  • Part of subcall function 01280027: GetCapture.USER32 ref: 01280175
                                  • Part of subcall function 01280027: ReleaseCapture.USER32 ref: 01280185
                                  • Part of subcall function 01280027: PeekMessageW.USER32(?,00000000,00000200,00000209,00000003), ref: 0128019C
                                  • Part of subcall function 01280027: PeekMessageW.USER32(?,00000000,?,?,00000000), ref: 012801AA
                                  • Part of subcall function 01280027: GetMessageW.USER32(?,00000000,?,?), ref: 012801B7
                                  • Part of subcall function 01280027: TranslateMessage.USER32 ref: 012801CE
                                  • Part of subcall function 01280027: DispatchMessageW.USER32 ref: 012801ED
                                  • Part of subcall function 01280027: GetCursorPos.USER32(?), ref: 012801F7
                                  • Part of subcall function 01280027: PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 01280218
                                • WaitMessage.USER32 ref: 0128035E
                                • ReleaseCapture.USER32 ref: 01280378
                                • SetCapture.USER32(?), ref: 0128037D
                                • ReleaseCapture.USER32 ref: 01280389
                                • SendMessageW.USER32(?,00000362,?,00000000), ref: 0128039D
                                • SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 012803C8
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Message$Capture$Peek$Release$Cursor$SendWindow$DispatchLoadPostThread$ActiveCurrentDesktopFromPointProcessTranslateWait
                                • String ID:
                                • API String ID: 778692151-0
                                • Opcode ID: e26dc05d7b8091450d437e903fdc8f0844641ed64a8e755dea4ea24686645be7
                                • Instruction ID: 6ce71305be5f529a60cfdc4a21520f0a2e4067972ba976579127cb7bb70a69e7
                                • Opcode Fuzzy Hash: e26dc05d7b8091450d437e903fdc8f0844641ed64a8e755dea4ea24686645be7
                                • Instruction Fuzzy Hash: E9517071A2170AEFDB21BFA4CC84AAFBBBDFF44304F108469F656A6191DB709944DB10
                                Uniqueness

                                Uniqueness Score: 1.74%

                                C-Code - Quality: 88%
                                			E012E058F(void* __eax, void* __ebx, void* __edx, intOrPtr* __edi, void* __esi) {
                                				int _t70;
                                				int _t72;
                                				int _t73;
                                				int _t77;
                                				long _t87;
                                				void* _t88;
                                				void* _t95;
                                				int _t97;
                                				void* _t103;
                                				intOrPtr* _t104;
                                				int _t105;
                                				long _t106;
                                				void* _t108;
                                				void* _t109;
                                
                                				_t104 = __edi;
                                				_t103 = __edx;
                                				_t95 = __ebx;
                                				_t108 = SelectObject;
                                				if(__eax == __esi) {
                                					_t6 = _t109 - 0x18;
                                					 *_t6 =  *(_t109 - 0x18) & 0x00000000;
                                					__eflags =  *_t6;
                                				} else {
                                					 *((intOrPtr*)(__ebp - 0x18)) = __eax;
                                				}
                                				__eflags =  *(_t109 - 0x18);
                                				if( *(_t109 - 0x18) == 0) {
                                					L2:
                                					 *(_t109 - 4) =  *(_t109 - 4) | 0xffffffff;
                                					L01279E44(_t109 - 0x38);
                                					_t70 = 0;
                                				} else {
                                					_t97 =  *(_t109 - 0x58);
                                					_t72 =  *(_t109 - 0x5c);
                                					 *(_t109 - 0x20) = _t72;
                                					 *(_t109 - 0x1c) = _t97;
                                					_t73 = CreateCompatibleBitmap( *(_t109 - 0x34), _t72, _t97);
                                					 *(_t109 - 0x24) = _t73;
                                					__eflags = _t73;
                                					if(_t73 != 0) {
                                						L0127976C(_t109 - 0x48);
                                						 *(_t109 - 4) = 1;
                                						L01279DC3(_t95, _t109 - 0x48, _t103, _t104,  *_t104( *(_t109 - 0x34)));
                                						_t77 = SelectObject( *(_t109 - 0x44),  *(_t109 - 0x24));
                                						_t105 = 0;
                                						 *(_t109 - 0x28) = _t77;
                                						__eflags = _t77;
                                						if(_t77 != 0) {
                                							BitBlt( *(_t109 - 0x44), 0, 0,  *(_t109 - 0x20),  *(_t109 - 0x1c),  *(_t109 - 0x34), 0, 0, 0xcc0020);
                                							 *(_t109 - 0x14) = 0;
                                							__eflags =  *(_t109 - 0x20);
                                							if( *(_t109 - 0x20) > 0) {
                                								do {
                                									 *(_t109 - 0x10) = _t105;
                                									__eflags =  *(_t109 - 0x1c) - _t105;
                                									if( *(_t109 - 0x1c) > _t105) {
                                										do {
                                											_t87 = GetPixel( *(_t109 - 0x44),  *(_t109 - 0x14),  *(_t109 - 0x10));
                                											__eflags =  *((intOrPtr*)(_t109 + 0xc)) - 0xffffffff;
                                											_t106 = _t87;
                                											if( *((intOrPtr*)(_t109 + 0xc)) == 0xffffffff) {
                                												__eflags =  *((short*)(_t109 - 0x4e)) - 0x18;
                                												if( *((short*)(_t109 - 0x4e)) != 0x18) {
                                													L18:
                                													_t88 = L012DFD24(_t95, _t106, _t108, _t106,  *((intOrPtr*)(_t109 + 8)));
                                												} else {
                                													__eflags =  *0x13d1028;
                                													if(__eflags != 0) {
                                														goto L18;
                                													} else {
                                														_t88 = L012DFDA6(_t103, __eflags, _t106);
                                													}
                                												}
                                												__eflags = _t106 - _t88;
                                												if(_t106 != _t88) {
                                													_push(_t88);
                                													goto L21;
                                												}
                                											} else {
                                												__eflags = _t106 -  *((intOrPtr*)(_t109 + 0xc));
                                												if(_t106 ==  *((intOrPtr*)(_t109 + 0xc))) {
                                													_push( *((intOrPtr*)(_t109 + 0x10)));
                                													L21:
                                													SetPixel( *(_t109 - 0x44),  *(_t109 - 0x14),  *(_t109 - 0x10), ??);
                                												}
                                											}
                                											 *(_t109 - 0x10) =  *(_t109 - 0x10) + 1;
                                											__eflags =  *(_t109 - 0x10) -  *(_t109 - 0x1c);
                                										} while ( *(_t109 - 0x10) <  *(_t109 - 0x1c));
                                										_t105 = 0;
                                										__eflags = 0;
                                									}
                                									 *(_t109 - 0x14) =  *(_t109 - 0x14) + 1;
                                									__eflags =  *(_t109 - 0x14) -  *(_t109 - 0x20);
                                								} while ( *(_t109 - 0x14) <  *(_t109 - 0x20));
                                							}
                                							SelectObject( *(_t109 - 0x44),  *(_t109 - 0x28));
                                							SelectObject( *(_t109 - 0x34),  *(_t109 - 0x18));
                                							DeleteObject( *(_t95 + 0x88));
                                							 *(_t95 + 0x88) =  *(_t109 - 0x24);
                                							 *(_t109 - 4) = 0;
                                							L01279E44(_t109 - 0x48);
                                							 *(_t109 - 4) =  *(_t109 - 4) | 0xffffffff;
                                							L01279E44(_t109 - 0x38);
                                							_t70 = 1;
                                							__eflags = 1;
                                						} else {
                                							SelectObject( *(_t109 - 0x34),  *(_t109 - 0x18));
                                							DeleteObject( *(_t109 - 0x24));
                                							 *(_t109 - 4) = 0;
                                							L01279E44(_t109 - 0x48);
                                							goto L2;
                                						}
                                					} else {
                                						SelectObject( *(_t109 - 0x34),  *(_t109 - 0x18));
                                						goto L2;
                                					}
                                				}
                                				return L013696D9(_t70);
                                 			}

                                APIs
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                • SelectObject.GDI32(?), ref: 012E059D
                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 012E05BF
                                • SelectObject.GDI32(?,00000000), ref: 012E05D2
                                • SelectObject.GDI32(?,?), ref: 012E05F6
                                • SelectObject.GDI32(?,00000000), ref: 012E0607
                                • DeleteObject.GDI32(?), ref: 012E060C
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 012E0638
                                • GetPixel.GDI32(?,?,?), ref: 012E0657
                                • SetPixel.GDI32(?,?,?,00000000), ref: 012E069E
                                • SelectObject.GDI32(?,?), ref: 012E06C2
                                • SelectObject.GDI32(?,00000000), ref: 012E06CA
                                • DeleteObject.GDI32(?), ref: 012E06D2
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Object$Select$Delete$Pixel$BitmapCompatibleCreate
                                • String ID:
                                • API String ID: 2855657095-0
                                • Opcode ID: 9d74236b8e31d72c205aa8ac63acc8385bb465e2433fe4cc13d93ac604f4cb3d
                                • Instruction ID: 6d0c40d43b892879c1ab219523b05d7efb368de8bf954f663ac26fe76013372a
                                • Opcode Fuzzy Hash: 9d74236b8e31d72c205aa8ac63acc8385bb465e2433fe4cc13d93ac604f4cb3d
                                • Instruction Fuzzy Hash: 6851E231D1020AEFCF12ABA4D949AEEBFB6FF59314F600015F115B2160D7B15A92DF64
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 97%
                                			E012CEB44(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, int __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t100;
                                				signed int _t104;
                                				signed int _t114;
                                				intOrPtr _t116;
                                				signed int _t125;
                                				void* _t126;
                                				void* _t129;
                                				signed int _t132;
                                				void* _t133;
                                				signed int _t138;
                                				struct HMENU__* _t140;
                                				signed int _t141;
                                				signed int _t142;
                                				int _t144;
                                				void* _t151;
                                				intOrPtr* _t169;
                                				void* _t170;
                                
                                				_t167 = __edi;
                                				_t166 = __edx;
                                				_push(0x214);
                                				L0136966A(0x13828d4, __ebx, __edi, __esi);
                                				_t100 =  *((intOrPtr*)(_t170 + 8));
                                				_t144 =  *(_t170 + 0xc);
                                				_t169 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0xcf8)) == _t100) {
                                					L40:
                                					return L013696ED(_t144, _t167, _t169);
                                				}
                                				_t167 = 0;
                                				if(_t100 == 0) {
                                					 *((intOrPtr*)(__ecx + 0xcf0)) =  *((intOrPtr*)(__ecx + 0xcec));
                                					__eflags =  *(__ecx + 0xcdc);
                                					if( *(__ecx + 0xcdc) != 0) {
                                						_push(0);
                                						 *((intOrPtr*)( *__ecx + 0x34c))();
                                					}
                                					_t104 =  *((intOrPtr*)(_t169 + 0xbd4)) - 1;
                                					__eflags =  *((intOrPtr*)(_t169 + 0xca0)) - _t167;
                                					if( *((intOrPtr*)(_t169 + 0xca0)) != _t167) {
                                						_t104 = _t104 - 1;
                                						__eflags = _t104;
                                					}
                                					_t144 = 0;
                                					__eflags =  *(_t169 + 0xcec) - _t167;
                                					if( *(_t169 + 0xcec) <= _t167) {
                                						L34:
                                						 *(_t169 + 0xcec) = _t167;
                                						L35:
                                						 *((intOrPtr*)(_t169 + 0xcf8)) =  *((intOrPtr*)(_t170 + 8));
                                						if( *((intOrPtr*)(_t170 + 0x10)) != _t167) {
                                							 *((intOrPtr*)( *_t169 + 0x208))();
                                						}
                                						if( *((intOrPtr*)(_t169 + 0x168)) == _t167 &&  *((intOrPtr*)(_t170 + 0x10)) != _t167) {
                                							 *((intOrPtr*)( *_t169 + 0x2d4))( *((intOrPtr*)(_t170 + 0x10)));
                                						}
                                						goto L40;
                                					} else {
                                						 *(_t170 - 0x1ec) = _t104;
                                						do {
                                							 *((intOrPtr*)( *_t169 + 0x34c))( *(_t170 - 0x1ec));
                                							_t144 = _t144 + 1;
                                							 *(_t170 - 0x1ec) =  *(_t170 - 0x1ec) - 1;
                                							__eflags = _t144 -  *(_t169 + 0xcec);
                                						} while (_t144 <  *(_t169 + 0xcec));
                                						goto L34;
                                					}
                                				}
                                				if(_t144 != 0) {
                                					_t114 = E012789CC(0x1393e4c, _t144);
                                					_pop(_t151);
                                					__eflags = _t114;
                                					if(__eflags == 0) {
                                						L6:
                                						 *(_t170 - 0x1ec) = _t167;
                                						L7:
                                						 *(_t169 + 0xcdc) = _t167;
                                						_t116 = L01289341(_t144, _t151, _t166, _t167, _t169, __eflags, GetSystemMenu( *(_t144 + 0x20), _t167));
                                						 *((intOrPtr*)(_t170 - 0x1f0)) = _t116;
                                						__eflags = _t116 - _t167;
                                						if(_t116 == _t167) {
                                							L13:
                                							__eflags =  *(_t169 + 0xcdc) - _t167;
                                							if( *(_t169 + 0xcdc) != _t167) {
                                								_t132 = SendMessageW( *(_t144 + 0x20), 0x7f, _t167, _t167);
                                								 *(_t169 + 0xce0) = _t132;
                                								__eflags = _t132;
                                								if(_t132 == 0) {
                                									 *(_t169 + 0xce0) = GetClassLongW( *(_t144 + 0x20), 0xffffffde);
                                								}
                                								_t133 = L012F1B90(_t170 - 0x1e8,  *(_t169 + 0xcdc),  *(_t169 + 0xce0));
                                								_t166 =  *_t169;
                                								 *(_t170 - 4) =  *(_t170 - 4) & 0x00000000;
                                								 *((intOrPtr*)( *_t169 + 0x344))(_t133, 0);
                                								 *(_t170 - 4) =  *(_t170 - 4) | 0xffffffff;
                                								L012F1BC6(_t144, _t170 - 0x1e8,  *_t169, _t167, _t169, __eflags);
                                								_t167 = 0;
                                								__eflags = 0;
                                							}
                                							_t144 = GetWindowLongW( *(_t144 + 0x20), 0xfffffff0);
                                							 *(_t169 + 0xcec) = _t167;
                                							__eflags =  *(_t169 + 0xcdc) - _t167;
                                							if( *(_t169 + 0xcdc) == _t167) {
                                								goto L35;
                                							} else {
                                								__eflags = _t144 & 0x00020000;
                                								if((_t144 & 0x00020000) != 0) {
                                									_t129 = E012F8766(_t170 - 0xf8, 0xf020);
                                									_t166 =  *_t169;
                                									 *(_t170 - 4) = 1;
                                									 *((intOrPtr*)( *_t169 + 0x344))(_t129, 0xffffffff);
                                									 *(_t170 - 4) =  *(_t170 - 4) | 0xffffffff;
                                									E012F8786(_t170 - 0xf8,  *_t169);
                                									_t44 = _t169 + 0xcec;
                                									 *_t44 =  *(_t169 + 0xcec) + 1;
                                									__eflags =  *_t44;
                                								}
                                								__eflags = _t144 & 0x00010000;
                                								if((_t144 & 0x00010000) != 0) {
                                									_t126 = E012F8766(_t170 - 0xf8, 0xf120);
                                									_t166 =  *_t169;
                                									 *(_t170 - 4) = 2;
                                									 *((intOrPtr*)( *_t169 + 0x344))(_t126, 0xffffffff);
                                									 *(_t170 - 4) =  *(_t170 - 4) | 0xffffffff;
                                									E012F8786(_t170 - 0xf8,  *_t169);
                                									_t54 = _t169 + 0xcec;
                                									 *_t54 =  *(_t169 + 0xcec) + 1;
                                									__eflags =  *_t54;
                                								}
                                								_t144 = 0xf060;
                                								E012F8766(_t170 - 0x84, 0xf060);
                                								 *(_t170 - 4) = 3;
                                								__eflags =  *(_t169 + 0xcdc) - _t167;
                                								if( *(_t169 + 0xcdc) == _t167) {
                                									L26:
                                									 *((intOrPtr*)( *_t169 + 0x344))(_t170 - 0x84, 0xffffffff);
                                									 *(_t169 + 0xcec) =  *(_t169 + 0xcec) + 1;
                                									 *(_t170 - 4) =  *(_t170 - 4) | 0xffffffff;
                                									E012F8786(_t170 - 0x84, _t166);
                                									goto L35;
                                								} else {
                                									L01367D50(_t170 - 0x220, _t167, 0x30);
                                									 *(_t170 - 0x220) = 0x30;
                                									 *(_t170 - 0x21c) = 1;
                                									_t125 = GetMenuItemInfoW( *(_t169 + 0xcdc), 0xf060, _t167, _t170 - 0x220);
                                									__eflags = _t125;
                                									if(_t125 == 0) {
                                										L25:
                                										_t67 = _t170 - 0x60;
                                										 *_t67 =  *(_t170 - 0x60) | 0x00040000;
                                										__eflags =  *_t67;
                                										goto L26;
                                									}
                                									__eflags =  *(_t170 - 0x214) & 0x00000003;
                                									if(( *(_t170 - 0x214) & 0x00000003) == 0) {
                                										goto L26;
                                									}
                                									goto L25;
                                								}
                                							}
                                						}
                                						_t138 = IsMenu( *(_t116 + 4));
                                						__eflags = _t138;
                                						if(_t138 == 0) {
                                							goto L13;
                                						}
                                						_t140 =  *( *((intOrPtr*)(_t170 - 0x1f0)) + 4);
                                						 *(_t169 + 0xcdc) = _t140;
                                						_t141 = IsMenu(_t140);
                                						__eflags = _t141;
                                						if(_t141 == 0) {
                                							L12:
                                							 *(_t169 + 0xcdc) = _t167;
                                							goto L13;
                                						}
                                						_t142 = E01286848(_t144);
                                						__eflags = _t142 & 0x00080000;
                                						if((_t142 & 0x00080000) != 0) {
                                							goto L13;
                                						}
                                						__eflags =  *(_t170 - 0x1ec) - _t167;
                                						if( *(_t170 - 0x1ec) != _t167) {
                                							goto L13;
                                						}
                                						goto L12;
                                					}
                                					 *(_t170 - 0x1ec) = 1;
                                					__eflags =  *(_t114 + 0xa0);
                                					if(__eflags != 0) {
                                						goto L7;
                                					}
                                					goto L6;
                                				}
                                				 *((intOrPtr*)(_t170 + 8)) = 0;
                                				goto L35;
                                 			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012CEB4E
                                • GetSystemMenu.USER32 ref: 012CEBB0
                                • IsMenu.USER32(?), ref: 012CEBC9
                                • IsMenu.USER32(?), ref: 012CEBE3
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                • SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 012CEC18
                                • GetClassLongW.USER32 ref: 012CEC2E
                                • GetWindowLongW.USER32(?,000000F0), ref: 012CEC79
                                • _memset.LIBCMT ref: 012CED3F
                                • GetMenuItemInfoW.USER32 ref: 012CED6A
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Menu$Long$Window$ClassH_prolog3_InfoItemMessageSendSystem_memset
                                • String ID: 0
                                • API String ID: 4291085479-4108050209
                                • Opcode ID: fd26bbda716f2c5c16053632aeaccb2feb1a3190050cf39664926f51bab65a0d
                                • Instruction ID: 9d8f368223c50f3c995da3be3057882d6be41d820128c7db59534d5687eb22c0
                                • Opcode Fuzzy Hash: fd26bbda716f2c5c16053632aeaccb2feb1a3190050cf39664926f51bab65a0d
                                • Instruction Fuzzy Hash: 67815E70510706DFDB21DF68C888BAEBBB8FF44710F25476ED66A96191DB305A81CF50
                                Uniqueness

                                Uniqueness Score: 37.75%

                                C-Code - Quality: 55%
                                			E01288C7C(void* __ecx, void* __edx, void* __eflags) {
                                				signed int _v8;
                                				short _v528;
                                				char _v1048;
                                				char _v1560;
                                				char _v2072;
                                				WCHAR* _v2076;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t42;
                                				long _t48;
                                				WCHAR* _t51;
                                				intOrPtr _t66;
                                				intOrPtr _t69;
                                				intOrPtr _t77;
                                				intOrPtr _t79;
                                				void* _t82;
                                				void* _t83;
                                				void* _t84;
                                				void* _t91;
                                				void* _t92;
                                				void* _t93;
                                				void* _t95;
                                				void* _t97;
                                				void* _t98;
                                				signed int _t102;
                                				void* _t103;
                                
                                				_t92 = __edx;
                                				_t85 = __ecx;
                                				_t100 = _t102;
                                				_t103 = _t102 - 0x818;
                                				_t42 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t42 ^ _t102;
                                				_push(_t82);
                                				_push(_t93);
                                				_t97 = __ecx;
                                				_t83 = E012792EF(_t82, _t93, __ecx, __eflags);
                                				 *(_t83 + 8) =  *(_t97 + 0x44);
                                				 *(_t83 + 0xc) =  *(_t97 + 0x44);
                                				_t48 = GetModuleFileNameW( *(_t97 + 0x44),  &_v528, 0x104);
                                				if(_t48 == 0 || _t48 == 0x104) {
                                					L012796D9(_t85);
                                				}
                                				_t51 = PathFindExtensionW( &_v528);
                                				_v2076 = _t51;
                                				if(_t51 == 0) {
                                					L012796D9(_t85);
                                				}
                                				_t86 = _v2076;
                                				 *_v2076 = 0;
                                				if(E01288C36( &_v528,  &_v1048, 0x104) != 0) {
                                					L012796D9(_t86);
                                				}
                                				if( *((intOrPtr*)(_t97 + 0x64)) == 0) {
                                					_t79 = L01367CE9( &_v1048);
                                					_pop(_t86);
                                					 *((intOrPtr*)(_t97 + 0x64)) = _t79;
                                					if(_t79 == 0) {
                                						L10:
                                						L01277A91(_t86);
                                					}
                                				}
                                				if( *((intOrPtr*)(_t97 + 0x50)) == 0) {
                                					if(E01278428(_t83, _t86, 0x104, _t97, 0xe000,  &_v2072, 0x100) == 0) {
                                						_push( *((intOrPtr*)(_t97 + 0x64)));
                                					} else {
                                						_push( &_v2072);
                                					}
                                					_t69 = L01367CE9();
                                					 *((intOrPtr*)(_t97 + 0x50)) = _t69;
                                					_pop(_t86);
                                					if(_t69 == 0) {
                                						goto L10;
                                					}
                                				}
                                				if( *((intOrPtr*)(_t97 + 0x54)) == 0) {
                                					if(E01278428(_t83, _t86, 0x104, _t97, 0xe006,  &_v1560, 0x100) == 0) {
                                						 *((intOrPtr*)(_t97 + 0x54)) = 0x138e210;
                                					} else {
                                						_t66 = L01367CE9( &_v1560);
                                						_pop(_t86);
                                						 *((intOrPtr*)(_t97 + 0x54)) = _t66;
                                					}
                                					if( *((intOrPtr*)(_t97 + 0x54)) == 0) {
                                						goto L10;
                                					}
                                				}
                                				_t56 =  *((intOrPtr*)(_t97 + 0x50));
                                				 *((intOrPtr*)(_t83 + 0x10)) =  *((intOrPtr*)(_t97 + 0x50));
                                				if( *((intOrPtr*)(_t97 + 0x68)) == 0) {
                                					_t91 = 0x104 - (_v2076 -  &_v528 >> 1);
                                					if( *((intOrPtr*)(_t97 + 0x70)) != 1) {
                                						_push(L".HLP");
                                					} else {
                                						_push(L".CHM");
                                					}
                                					_push(_t91);
                                					_push(_v2076);
                                					_push(L013699F6());
                                					L01271310();
                                					_t103 = _t103 + 0x10;
                                					_t77 = L01367CE9( &_v528);
                                					_pop(_t86);
                                					 *((intOrPtr*)(_t97 + 0x68)) = _t77;
                                					if(_t77 == 0) {
                                						goto L10;
                                					} else {
                                						_t86 = _v2076;
                                						_t56 = 0;
                                						 *_v2076 = 0;
                                					}
                                				}
                                				if( *((intOrPtr*)(_t97 + 0x6c)) == 0) {
                                					_push(L01369B64( &_v1048, 0x104, L".INI"));
                                					L01271310();
                                					_t56 = L01367CE9( &_v1048);
                                					_t103 = _t103 + 0x14;
                                					 *((intOrPtr*)(_t97 + 0x6c)) = _t56;
                                					if(_t56 == 0) {
                                						goto L10;
                                					}
                                				}
                                				_pop(_t95);
                                				_pop(_t98);
                                				_pop(_t84);
                                				return L01367D3E(_t56, _t84, _v8 ^ _t100, _t92, _t95, _t98);
                                 			}

                                APIs
                                • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 01288CB9
                                  • Part of subcall function 012796D9: __CxxThrowException@8.LIBCMT ref: 012796EF
                                • PathFindExtensionW.SHLWAPI(?), ref: 01288CD3
                                  • Part of subcall function 01288C36: PathFindFileNameW.SHLWAPI(00000000), ref: 01288C49
                                  • Part of subcall function 01288C36: lstrlenW.KERNEL32(00000000,?,00000000,013C007C,00000008,0128816D,00000002,?,000000FF,?,0128841B,000000FF,?,?), ref: 01288C56
                                • __wcsdup.LIBCMT ref: 01288D1D
                                  • Part of subcall function 01277A91: __CxxThrowException@8.LIBCMT ref: 01277AA7
                                • __wcsdup.LIBCMT ref: 01288D5B
                                • __wcsdup.LIBCMT ref: 01288D8F
                                • __wcsdup.LIBCMT ref: 01288DF5
                                • __wcsdup.LIBCMT ref: 01288E36
                                  • Part of subcall function 01367CE9: _wcslen.LIBCMT ref: 01367CFF
                                  • Part of subcall function 01367CE9: _calloc.LIBCMT ref: 01367D0A
                                  • Part of subcall function 01367CE9: __invoke_watson.LIBCMT ref: 01367D32
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: __wcsdup$ExceptionException@8FileFilterFindNamePathProcessThrowUnhandled$CurrentDebuggerExtensionModulePresentTerminate__invoke_watson_calloc_wcslenlstrlen
                                • String ID: .CHM$.HLP$.INI
                                • API String ID: 2139955102-4017452060
                                • Opcode ID: 85e6f15cbbb059bcbbcd4df4123cbf8e131b7482042c3a47d9167d24f2a4fd77
                                • Instruction ID: 0ce875b10d234ca3f7113e2e80259adc70904c915351f92f5499635327e6fca9
                                • Opcode Fuzzy Hash: 85e6f15cbbb059bcbbcd4df4123cbf8e131b7482042c3a47d9167d24f2a4fd77
                                • Instruction Fuzzy Hash: F4518EB192170A9FDF30EF79C944BAA73ECEF14318F804869D645D2184EB70E984CB61
                                Uniqueness

                                Uniqueness Score: 10.55%

                                C-Code - Quality: 72%
                                			E012BC00A(void* __ebx, intOrPtr* __ecx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                                				intOrPtr* _t176;
                                				signed int _t179;
                                				intOrPtr _t183;
                                				int _t184;
                                				signed int _t185;
                                				intOrPtr* _t188;
                                				void* _t192;
                                				void* _t196;
                                				intOrPtr* _t197;
                                				int _t199;
                                				signed int _t202;
                                				intOrPtr* _t209;
                                				intOrPtr* _t211;
                                				signed int _t214;
                                				signed int _t215;
                                				intOrPtr* _t217;
                                				signed int _t223;
                                				signed int _t224;
                                				struct tagPOINT** _t227;
                                				intOrPtr* _t229;
                                				void* _t245;
                                				void* _t247;
                                				intOrPtr _t248;
                                				intOrPtr _t251;
                                				intOrPtr* _t254;
                                				intOrPtr _t272;
                                				void* _t286;
                                				void* _t290;
                                				intOrPtr _t312;
                                				void* _t317;
                                				void* _t329;
                                				signed int _t331;
                                				int _t339;
                                				intOrPtr _t347;
                                				void* _t351;
                                				intOrPtr _t352;
                                				void* _t353;
                                				void* _t358;
                                				void* _t375;
                                
                                				_t328 = __edi;
                                				_t317 = __edx;
                                				_push(0x68);
                                				L0136966A(0x1381ea8, __ebx, __edi, __esi);
                                				 *((intOrPtr*)(_t351 - 0x54)) =  *((intOrPtr*)(_t351 + 8));
                                				_t254 = __ecx;
                                				_t339 = 0;
                                				 *(_t351 - 0x20) = 0;
                                				 *((intOrPtr*)(_t351 - 0x1c)) = 0;
                                				 *(_t351 - 0x18) = 0;
                                				 *((intOrPtr*)(_t351 - 0x14)) = 0;
                                				GetClientRect( *(__ecx + 0x20), _t351 - 0x20);
                                				if( *(_t254 + 0xfc0) == 0) {
                                					L26:
                                					_t176 = E0128C2A4(_t254, _t328, _t339, _t379);
                                					_t353 = _t352 - 0x10;
                                					_t329 = _t353;
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					 *((intOrPtr*)( *_t176 + 0x3c))( *((intOrPtr*)(_t351 - 0x54)), _t254);
                                					_t179 =  *((intOrPtr*)( *_t254 + 0x204))();
                                					 *(_t351 - 0x58) = _t179;
                                					InflateRect(_t351 - 0x20,  ~_t179,  ~_t179);
                                					_t183 =  *((intOrPtr*)(_t254 + 0xecc));
                                					if(_t183 <= 0) {
                                						L43:
                                						_t341 = _t254 + 0xfe0;
                                						_t184 = IsRectEmpty(_t254 + 0xfe0);
                                						_t388 = _t184;
                                						if(_t184 == 0) {
                                							_t211 = E0128C2A4(_t254, _t329, _t341, _t388);
                                							_t353 = _t353 - 0x10;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							 *((intOrPtr*)( *_t211 + 0x78))( *((intOrPtr*)(_t351 - 0x54)),  *((intOrPtr*)(_t254 + 0xfdc)));
                                						}
                                						_t330 = 0;
                                						if( *((intOrPtr*)(_t254 + 0xef0)) != 0) {
                                							_t192 =  *((intOrPtr*)( *_t254 + 0x1dc))();
                                							_t390 = _t192;
                                							if(_t192 != 0) {
                                								_t209 = E0128C2A4(_t254, 0, _t341, _t390);
                                								_t341 = _t254 + 0xef8;
                                								_t353 = _t353 - 0x10;
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								 *((intOrPtr*)( *_t209 + 0x80))( *((intOrPtr*)(_t351 - 0x54)), 0, 0 |  *((intOrPtr*)(_t254 + 0xf18)) < 0x00000000, 0, 0);
                                								_t330 = 0;
                                							}
                                							if( *((intOrPtr*)( *_t254 + 0x1e0))() != 0) {
                                								_t196 =  *((intOrPtr*)( *_t254 + 0x1c0))();
                                								_t394 = _t196;
                                								if(_t196 != 0) {
                                									_t199 =  *(_t254 + 0xf0c);
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									 *(_t351 - 0x24) = _t199;
                                									 *(_t351 - 0x2c) = _t199 -  *(_t351 - 0x58) - 1;
                                									_t202 = E0128C2A4(_t254, _t351 - 0x30, _t351 - 0x20, _t394);
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									_t353 = _t353;
                                									_t341 = _t351 - 0x30;
                                									asm("movsd");
                                									asm("movsd");
                                									 *(_t351 - 0x58) = _t202;
                                									asm("movsd");
                                									 *((intOrPtr*)(_t351 - 0x5c)) =  *_t202 + 0x34;
                                									asm("movsd");
                                									 *((intOrPtr*)( *((intOrPtr*)(_t351 - 0x5c))))( *((intOrPtr*)(_t351 - 0x54)),  *((intOrPtr*)( *_t254 + 0x1c0))(0));
                                									_t330 = 0;
                                								}
                                								_t197 = E0128C2A4(_t254, _t330, _t341, 0);
                                								_t353 = _t353 - 0x10;
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								 *((intOrPtr*)( *_t197 + 0x80))( *((intOrPtr*)(_t351 - 0x54)), 1, 0 |  *((intOrPtr*)(_t254 + 0xf18)) - _t330 > 0x00000000, _t330, _t330);
                                								_t330 = 0;
                                							}
                                						}
                                						_t342 = _t254 + 0x10a0;
                                						_t185 = IsRectEmpty(_t254 + 0x10a0);
                                						if(_t185 == 0) {
                                							if( *((intOrPtr*)(_t254 + 0x1088)) == _t330) {
                                								__eflags =  *((intOrPtr*)(_t254 + 0x1090)) - _t330;
                                								_t167 =  *((intOrPtr*)(_t254 + 0x1090)) - _t330 > 0;
                                								__eflags = _t167;
                                								_t331 = _t185 & 0xffffff00 | _t167;
                                							} else {
                                								_t400 =  *((intOrPtr*)(_t254 + 0x1090)) - _t330;
                                								_t164 = (_t185 & 0xffffff00 |  *((intOrPtr*)(_t254 + 0x1090)) - _t330 > 0x00000000) + 2; // 0x2
                                								_t331 = _t164;
                                							}
                                							_t188 = E0128C2A4(_t254, _t331, _t342, _t400);
                                							_t330 = _t353 - 0x10;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							 *((intOrPtr*)( *_t188 + 0x7c))( *((intOrPtr*)(_t351 - 0x54)), _t331);
                                						}
                                						 *((intOrPtr*)(_t254 + 0xebc)) = 1;
                                						return L013696ED(_t254, _t330, _t342);
                                					}
                                					_t272 =  *((intOrPtr*)(_t254 + 0xed4));
                                					_t329 = _t351 - 0x50;
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					if(_t272 == 0) {
                                						_t214 = _t183 +  *(_t351 - 0x58) +  *(_t351 - 0x20);
                                						__eflags = _t214;
                                						 *(_t351 - 0x48) = _t214;
                                					} else {
                                						_t286 = _t272 - 1;
                                						if(_t286 == 0) {
                                							 *(_t351 - 0x50) =  *(_t351 - 0x18) - _t183 -  *(_t351 - 0x58);
                                						} else {
                                							_t290 = _t286 - 1;
                                							if(_t290 == 0) {
                                								 *((intOrPtr*)(_t351 - 0x44)) = _t183 +  *((intOrPtr*)(_t351 - 0x1c)) +  *(_t351 - 0x58);
                                							} else {
                                								if(_t290 == 1) {
                                									 *(_t351 - 0x4c) =  *((intOrPtr*)(_t351 - 0x14)) - _t183 -  *(_t351 - 0x58);
                                								}
                                							}
                                						}
                                					}
                                					_t347 =  *0x13d98fc; // 0x0
                                					if(_t347 == 0) {
                                						_t347 = L01283CE7(_t254);
                                					}
                                					_t215 = E012789CC(0x1391888, _t347);
                                					if(_t215 != 0) {
                                						L42:
                                						 *((intOrPtr*)( *_t215 + 0x1fc))( *((intOrPtr*)(_t351 - 0x54)), _t254, _t351 - 0x50);
                                					} else {
                                						_t217 = E012789CC(0x1391eac, _t347);
                                						if(_t217 == 0) {
                                							_t215 = E012789CC(0x13914dc, _t347);
                                							__eflags = _t215;
                                							if(__eflags != 0) {
                                								goto L42;
                                							}
                                							_t215 = E012789CC(0x1391128, _t347);
                                							__eflags = _t215;
                                							if(__eflags == 0) {
                                								goto L43;
                                							}
                                							goto L42;
                                						}
                                						 *((intOrPtr*)( *_t217 + 0x1e0))( *((intOrPtr*)(_t351 - 0x54)), _t254, _t351 - 0x50);
                                					}
                                					goto L43;
                                				}
                                				_t358 =  *0x13d83d4 - _t339; // 0x0
                                				if(_t358 == 0) {
                                					_t223 = E01286862(_t254) & 0x00400000;
                                					 *(_t351 - 0x58) = _t223;
                                					_t224 =  *(_t254 + 0xfc0);
                                					if(_t223 == 0) {
                                						_t14 = _t351 - 0x18;
                                						 *_t14 =  *(_t351 - 0x18) - _t224;
                                						__eflags =  *_t14;
                                					} else {
                                						 *(_t351 - 0x20) =  *(_t351 - 0x20) + _t224;
                                					}
                                					 *((intOrPtr*)(_t351 - 0x14)) =  *((intOrPtr*)(_t351 - 0x14)) - _t224;
                                					 *(_t351 - 0x40) = _t339;
                                					 *(_t351 - 0x3c) = _t339;
                                					 *(_t351 - 0x38) = _t339;
                                					 *(_t351 - 0x34) = _t339;
                                					SetRectEmpty(_t351 - 0x40);
                                					if( *((intOrPtr*)(_t254 + 0x148)) != _t339 && E012BA661(_t254, _t254, _t317) == 0) {
                                						_t251 =  *((intOrPtr*)( *((intOrPtr*)(_t254 + 0x148)) + 0x6c));
                                						if(_t251 != _t339 &&  *(_t251 + 0x20) != _t339) {
                                							_t328 = _t351 - 0x40;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							 *(_t351 - 0x38) =  *(_t351 - 0x38) - 1;
                                							 *(_t351 - 0x34) =  *(_t351 - 0x34) - 1;
                                							MapWindowPoints( *(_t251 + 0x20),  *(_t254 + 0x20), _t351 - 0x40, 2);
                                							_t339 = 0;
                                						}
                                					}
                                					_t227 = E0128C2A4(_t254, _t328, _t339, 0);
                                					_t325 =  *_t227;
                                					if( *((intOrPtr*)( *_t227 + 0x2e4))() != 0) {
                                						_t247 = E012BA661(_t254, _t254, _t325);
                                						if(_t247 != _t339) {
                                							_t312 =  *((intOrPtr*)(_t254 + 0x148));
                                							if(_t312 != _t339 &&  *((intOrPtr*)(_t312 + 0xb4)) != _t339 &&  *((intOrPtr*)(_t247 + 0x10b0)) != _t339 &&  *((intOrPtr*)(_t254 + 0x10b0)) == _t339 &&  *((intOrPtr*)(_t254 + 0xea4)) == 4) {
                                								_t248 =  *((intOrPtr*)(_t312 + 0x6c));
                                								if(_t248 != _t339 &&  *(_t248 + 0x20) != _t339) {
                                									_t328 = _t351 - 0x40;
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									_t325 = _t351 - 0x40;
                                									asm("movsd");
                                									 *(_t351 - 0x34) =  *(_t351 - 0x34) + 2;
                                									MapWindowPoints( *(_t248 + 0x20),  *(_t254 + 0x20), _t351 - 0x40, 2);
                                									_t339 = 0;
                                								}
                                							}
                                						}
                                					}
                                					_t375 =  *0x13d655c - _t339; // 0x1
                                					if(_t375 != 0) {
                                						_push(_t339);
                                						L01279E5D(_t254, _t351 - 0x74, _t325, _t328, _t339, _t375);
                                						 *(_t351 - 4) = _t339;
                                						 *(_t351 - 0x30) = _t339;
                                						 *(_t351 - 0x2c) = _t339;
                                						 *(_t351 - 0x28) = _t339;
                                						 *(_t351 - 0x24) = _t339;
                                						GetWindowRect( *(_t254 + 0x20), _t351 - 0x30);
                                						_t328 =  *((intOrPtr*)(_t351 - 0x54));
                                						BitBlt( *( *((intOrPtr*)(_t351 - 0x54)) + 4), _t339, _t339,  *(_t351 - 0x28) -  *(_t351 - 0x30),  *(_t351 - 0x24) -  *(_t351 - 0x2c),  *(_t351 - 0x70),  *(_t351 - 0x30),  *(_t351 - 0x2c), 0xcc0020);
                                						_t376 =  *(_t351 - 0x58) - _t339;
                                						if( *(_t351 - 0x58) != _t339) {
                                							E012FC185(_t351 - 0x60, _t328);
                                							 *(_t351 - 0x50) = _t339;
                                							 *(_t351 - 0x4c) = _t339;
                                							_push(1);
                                							 *(_t351 - 0x48) =  *(_t351 - 0x28) -  *(_t351 - 0x30);
                                							 *((intOrPtr*)(_t351 - 0x44)) =  *(_t351 - 0x24) -  *(_t351 - 0x2c);
                                							_t352 = _t352 - 0x10;
                                							_t328 = _t352;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							 *(_t351 - 4) = 1;
                                							asm("movsd");
                                							_t245 = L012FD2A1(_t254, _t351 - 0x60, _t352, _t351 - 0x50, _t376);
                                							 *(_t351 - 4) = 0;
                                							L012FC19C(_t245, _t351 - 0x60);
                                							_t339 = 0;
                                						}
                                						_t83 = _t351 - 4;
                                						 *_t83 =  *(_t351 - 4) | 0xffffffff;
                                						_t378 =  *_t83;
                                						L01279EB1(_t254, _t351 - 0x74, _t325, _t328, _t339,  *_t83);
                                					}
                                					_t229 = E0128C2A4(_t254, _t328, _t339, _t378);
                                					 *((intOrPtr*)( *_t229 + 0x40))( *((intOrPtr*)(_t351 - 0x54)), _t351 - 0x20, _t351 - 0x40,  *(_t254 + 0xfc0), 0x64, 0x41, _t254 + 0xfcc, _t254 + 0xfc4,  *(_t351 - 0x58));
                                					_t379 =  *(_t351 - 0x58) - _t339;
                                					if( *(_t351 - 0x58) != _t339) {
                                						OffsetRect(_t351 - 0x20,  ~( *(_t254 + 0xfc0)), _t339);
                                					}
                                				}
                                			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012BC011
                                • GetClientRect.USER32 ref: 012BC033
                                • SetRectEmpty.USER32 ref: 012BC083
                                • MapWindowPoints.USER32 ref: 012BC0CB
                                • MapWindowPoints.USER32 ref: 012BC143
                                • OffsetRect.USER32 ref: 012BC245
                                  • Part of subcall function 01279E5D: __EH_prolog3.LIBCMT ref: 01279E64
                                  • Part of subcall function 01279E5D: GetDC.USER32(00000000), ref: 01279E90
                                • GetWindowRect.USER32 ref: 012BC176
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 012BC1A0
                                  • Part of subcall function 01279EB1: __EH_prolog3.LIBCMT ref: 01279EB8
                                  • Part of subcall function 01279EB1: ReleaseDC.USER32(?,00000000), ref: 01279ED5
                                  • Part of subcall function 012FD2A1: __EH_prolog3_GS.LIBCMT ref: 012FD2A8
                                  • Part of subcall function 012FD2A1: UnionRect.USER32(?,?,?), ref: 012FD300
                                  • Part of subcall function 012FD2A1: EqualRect.USER32 ref: 012FD30E
                                  • Part of subcall function 012FD2A1: CreateCompatibleDC.GDI32(?), ref: 012FD345
                                  • Part of subcall function 012FD2A1: CreateCompatibleBitmap.GDI32(?,?,?), ref: 012FD375
                                  • Part of subcall function 012FD2A1: SelectObject.GDI32(?,00000000), ref: 012FD3D5
                                  • Part of subcall function 012FD2A1: BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 012FD3FF
                                  • Part of subcall function 012FD2A1: BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 012FD50D
                                  • Part of subcall function 012FD2A1: DeleteObject.GDI32(?), ref: 012FD52D
                                  • Part of subcall function 0128C2A4: __EH_prolog3.LIBCMT ref: 0128C2AB
                                • InflateRect.USER32(?,00000000,00000000), ref: 012BC27C
                                • IsRectEmpty.USER32 ref: 012BC360
                                • IsRectEmpty.USER32 ref: 012BC48C
                                  • Part of subcall function 01286862: GetWindowLongW.USER32(?,000000EC), ref: 0128686D
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Window$EmptyH_prolog3$CompatibleCreateH_prolog3_ObjectPoints$BitmapClientDeleteEqualInflateLongOffsetReleaseSelectUnion
                                • String ID:
                                • API String ID: 2190227972-0
                                • Opcode ID: db2131295cf35c66e6006909370824f02c8db9267dd22d3f6737dcabcd128c4a
                                • Instruction ID: ee0740ace2036e031a0ac2f0087259574962757d40f003eb5384ef8eb37bf352
                                • Opcode Fuzzy Hash: db2131295cf35c66e6006909370824f02c8db9267dd22d3f6737dcabcd128c4a
                                • Instruction Fuzzy Hash: 5CF1DD7191021ADFDF11DFA8C884AEEBBB6FF49340F144169E905AF249CB71A915CFA0
                                Uniqueness

                                Uniqueness Score: 5.06%

                                C-Code - Quality: 82%
                                			E012D47D2(int __ecx, void* __edx, void* __edi, int _a4, struct tagPOINT _a8, signed int _a12) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				long _v44;
                                				void* __ebx;
                                				void* __esi;
                                				signed int _t48;
                                				long _t61;
                                				int _t66;
                                				int _t72;
                                				int _t83;
                                				RECT* _t103;
                                				signed int _t104;
                                
                                				_t100 = __edi;
                                				_t99 = __edx;
                                				_t84 = __ecx;
                                				_t48 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t48 ^ _t104;
                                				_push(_a12);
                                				_t103 = PtInRect;
                                				_t83 = __ecx;
                                				if(PtInRect(__ecx + 0x270, _a8.x) == 0) {
                                					__eflags =  *(_t83 + 0x27e4);
                                					_push(__edi);
                                					if( *(_t83 + 0x27e4) == 0) {
                                						L7:
                                						__eflags =  *((intOrPtr*)( *_t83 + 0x2e0))();
                                						if(__eflags != 0) {
                                							__eflags =  *((intOrPtr*)( *_t83 + 0x214))( &_a8) -  *((intOrPtr*)(_t83 + 0xa0));
                                							if(__eflags == 0) {
                                								E012D4627(_t83, _t63);
                                							}
                                						}
                                						_t54 = L012F3F97(_t83, _t99, __eflags, _a4, _a8.x, _a12);
                                						__eflags =  *(_t83 + 0x148);
                                						if( *(_t83 + 0x148) == 0) {
                                							_t103 =  *((intOrPtr*)( *_t83 + 0x248))( &_a8);
                                							__eflags = _t103;
                                							if(_t103 != 0) {
                                								MapWindowPoints( *(_t83 + 0x20),  *(_t103 + 0x20),  &_a8, 1);
                                								_t61 = (_a12 & 0x0000ffff) << 0x00000010 | _a8.x & 0x0000ffff;
                                								__eflags = _t61;
                                								_t54 = SendMessageW( *(_t103 + 0x20), 0x201, _a4, _t61);
                                							}
                                						}
                                						L13:
                                						_pop(_t100);
                                						goto L14;
                                					}
                                					_push(_a12);
                                					_t66 = PtInRect(_t83 + 0x2b0, _a8);
                                					__eflags = _t66;
                                					if(_t66 == 0) {
                                						goto L7;
                                					}
                                					_v44 = SendMessageW( *(E01282D05(_t83, _t84, _t99, GetParent( *(_t83 + 0x20))) + 0x20),  *0x13d9b3c, _t83,  &_v40);
                                					_t103 = _t83 + 0x2d0;
                                					CopyRect(_t103,  &_v40);
                                					__eflags = _v44;
                                					if(_v44 == 0) {
                                						goto L7;
                                					}
                                					_t72 = IsRectEmpty(_t103);
                                					__eflags = _t72;
                                					if(_t72 != 0) {
                                						goto L7;
                                					} else {
                                						 *(_t83 + 0x250) = 1;
                                						E01282D05(_t83,  &_v40, _t99, SetCapture( *(_t83 + 0x20)));
                                						_t103 = _t83 + 0x2b0;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						L01279C17(_t83, _t83 + 0x2c0);
                                						_v24.left = 0;
                                						_v24.top = 0;
                                						_v24.right = 0;
                                						_v24.bottom = 0;
                                						SetRectEmpty( &_v24);
                                						_t99 =  *_t83;
                                						_t54 =  *((intOrPtr*)( *_t83 + 0x2ec))(_t83 + 0x2c0,  &_v24);
                                						goto L13;
                                					}
                                				} else {
                                					 *(_t83 + 0x220) = 1;
                                					_t54 = E01282D05(_t83, _t84, _t99, SetCapture( *(_t83 + 0x20)));
                                					L14:
                                					return L01367D3E(_t54, _t83, _v8 ^ _t104, _t99, _t100, _t103);
                                				}
                                			}

                                APIs
                                • PtInRect.USER32(?,?,?), ref: 012D47FB
                                • SetCapture.USER32 ref: 012D480E
                                • PtInRect.USER32(?,?,?), ref: 012D4840
                                • GetParent.USER32(?), ref: 012D484D
                                • SendMessageW.USER32(?,?,?,00000000), ref: 012D4867
                                • CopyRect.USER32(?,?), ref: 012D4877
                                • IsRectEmpty.USER32 ref: 012D4884
                                • SetCapture.USER32(?), ref: 012D489B
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                • SetRectEmpty.USER32 ref: 012D48D3
                                  • Part of subcall function 012F3F97: PtInRect.USER32(?,?,?), ref: 012F3FBC
                                  • Part of subcall function 012F3F97: RedrawWindow.USER32(?,?,00000000,00000105), ref: 012F3FDA
                                  • Part of subcall function 012F3F97: ReleaseCapture.USER32 ref: 012F40F2
                                • MapWindowPoints.USER32 ref: 012D4959
                                • SendMessageW.USER32(?,00000201,?,?), ref: 012D4978
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 012D4627: GetParent.USER32(?), ref: 012D4670
                                  • Part of subcall function 012D4627: SendMessageW.USER32(?,00000222,?,00000000), ref: 012D4687
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$CaptureMessageSend$ClientEmptyExceptionFilterParentProcessScreenUnhandledWindow$CopyCurrentDebuggerPointsPresentRedrawReleaseTerminate
                                • String ID:
                                • API String ID: 2740831255-0
                                • Opcode ID: b77dadeeb67aaf761390966cdb2b051d7f6edc372b02df9d5c29ee5f9f77bc6f
                                • Instruction ID: ecfefcf2223ea2931c83ea587be9156b3d60abbb96f64ec8fa8e2ba2f6a5caa1
                                • Opcode Fuzzy Hash: b77dadeeb67aaf761390966cdb2b051d7f6edc372b02df9d5c29ee5f9f77bc6f
                                • Instruction Fuzzy Hash: 3F51F57151024AAFDF11AFA4D888AEE7BB9FF08340F044579FA0ADA159DB719A04CB60
                                Uniqueness

                                Uniqueness Score: 10.55%

                                C-Code - Quality: 94%
                                			E012B49D0(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t54;
                                				void* _t58;
                                				signed int _t59;
                                				signed int _t63;
                                				signed int _t71;
                                				signed int _t84;
                                				void* _t94;
                                				struct HINSTANCE__* _t96;
                                				signed int _t97;
                                				void* _t98;
                                				signed int _t100;
                                				void* _t101;
                                				void* _t102;
                                
                                				_t102 = __eflags;
                                				_t94 = __edx;
                                				_push(0x24);
                                				L01369634(0x1381c1f, __ebx, __edi, __esi);
                                				_t100 = __ecx;
                                				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
                                				 *(_t101 - 0x1c) =  *(__ecx + 0x80);
                                				 *(_t101 - 0x18) =  *(__ecx + 0x7c);
                                				_t54 = E012792EF(__ebx, __edi, __ecx, _t102);
                                				_t96 =  *(_t54 + 0xc);
                                				_t84 = 0;
                                				_t103 =  *(_t100 + 0x78);
                                				if( *(_t100 + 0x78) != 0) {
                                					_t96 =  *(E012792EF(0, _t96, _t100, _t103) + 0xc);
                                					_t54 = LoadResource(_t96, FindResourceW(_t96,  *(_t100 + 0x78), 5));
                                					 *(_t101 - 0x18) = _t54;
                                				}
                                				if( *(_t101 - 0x18) != _t84) {
                                					_t54 = LockResource( *(_t101 - 0x18));
                                					 *(_t101 - 0x1c) = _t54;
                                				}
                                				if( *(_t101 - 0x1c) != _t84) {
                                					_t86 = _t100;
                                					 *(_t101 - 0x14) = E012B4515(_t84, _t100, __eflags);
                                					E01282DC0(_t84, _t96, __eflags);
                                					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
                                					 *(_t101 - 0x2c) = _t84;
                                					 *(_t101 - 0x24) = _t84;
                                					__eflags =  *(_t101 - 0x14) - _t84;
                                					if(__eflags != 0) {
                                						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
                                						if(__eflags != 0) {
                                							__eflags = IsWindowEnabled( *(_t101 - 0x14));
                                							if(__eflags != 0) {
                                								EnableWindow( *(_t101 - 0x14), 0);
                                								 *(_t101 - 0x2c) = 1;
                                								_t84 = E01274D2D();
                                								 *(_t101 - 0x24) = _t84;
                                								__eflags = _t84;
                                								if(__eflags != 0) {
                                									_t86 = _t84;
                                									__eflags =  *((intOrPtr*)( *_t84 + 0x14c))();
                                									if(__eflags != 0) {
                                										_t86 = _t84;
                                										__eflags = E012869C6(_t84);
                                										if(__eflags != 0) {
                                											_t86 = _t84;
                                											E012869E1(_t84, 0);
                                											 *(_t101 - 0x28) = 1;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
                                					L0128512A(_t84, __eflags, _t100);
                                					_t58 = E01282D05(_t84, _t86, _t94,  *(_t101 - 0x14));
                                					_push(_t96);
                                					_push(_t58);
                                					_push( *(_t101 - 0x1c));
                                					_t59 = E012B480C(_t84, _t100, _t94, _t96, _t100, __eflags);
                                					_t97 = 0;
                                					__eflags = _t59;
                                					if(_t59 != 0) {
                                						__eflags =  *(_t100 + 0x58) & 0x00000010;
                                						if(( *(_t100 + 0x58) & 0x00000010) != 0) {
                                							_t98 = 4;
                                							_t71 = E01286848(_t100);
                                							__eflags = _t71 & 0x00000100;
                                							if((_t71 & 0x00000100) != 0) {
                                								_t98 = 5;
                                							}
                                							E012827C5(_t100, _t94, _t98);
                                							_t97 = 0;
                                							__eflags = 0;
                                						}
                                						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
                                						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
                                							E01286A31(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
                                						}
                                					}
                                					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
                                					__eflags =  *(_t101 - 0x28) - _t97;
                                					if( *(_t101 - 0x28) != _t97) {
                                						E012869E1(_t84, 1);
                                					}
                                					__eflags =  *(_t101 - 0x2c) - _t97;
                                					if( *(_t101 - 0x2c) != _t97) {
                                						EnableWindow( *(_t101 - 0x14), 1);
                                					}
                                					__eflags =  *(_t101 - 0x14) - _t97;
                                					if(__eflags != 0) {
                                						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
                                						if(__eflags == 0) {
                                							SetActiveWindow( *(_t101 - 0x14));
                                						}
                                					}
                                					 *((intOrPtr*)( *_t100 + 0x60))();
                                					E012B4557(_t84, _t100, _t94, _t97, _t100, __eflags);
                                					__eflags =  *(_t100 + 0x78) - _t97;
                                					if( *(_t100 + 0x78) != _t97) {
                                						FreeResource( *(_t101 - 0x18));
                                					}
                                					_t63 =  *(_t100 + 0x60);
                                					goto L31;
                                				} else {
                                					_t63 = _t54 | 0xffffffff;
                                					L31:
                                					return L013696D9(_t63);
                                				}
                                			}

                                APIs
                                • __EH_prolog3_catch.LIBCMT ref: 012B49D7
                                • FindResourceW.KERNEL32(?,?,00000005,00000024,0129436A,00000000,?,00000000,00000000,?,?,?,000004DC), ref: 012B4A0D
                                • LoadResource.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,000004DC), ref: 012B4A15
                                • LockResource.KERNEL32(?,00000024,0129436A,00000000,?,00000000,00000000,?,?,?,000004DC), ref: 012B4A26
                                  • Part of subcall function 01282DC0: UnhookWindowsHookEx.USER32(?), ref: 01282DF0
                                • GetDesktopWindow.USER32 ref: 012B4A59
                                • IsWindowEnabled.USER32 ref: 012B4A67
                                • EnableWindow.USER32 ref: 012B4A76
                                  • Part of subcall function 012869C6: IsWindowEnabled.USER32 ref: 012869CF
                                  • Part of subcall function 0128512A: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,Function_00006293), ref: 01285159
                                  • Part of subcall function 0128512A: SetWindowsHookExW.USER32(00000005,Function_00014F19,00000000,00000000), ref: 01285169
                                  • Part of subcall function 012B480C: __EH_prolog3_catch.LIBCMT ref: 012B4813
                                  • Part of subcall function 012B480C: GlobalLock.KERNEL32 ref: 012B48F9
                                  • Part of subcall function 012B480C: CreateDialogIndirectParamW.USER32(?,?,?,012B41E4,00000000), ref: 012B4928
                                  • Part of subcall function 012B480C: DestroyWindow.USER32(00000000), ref: 012B49A2
                                  • Part of subcall function 012B480C: GlobalUnlock.KERNEL32(?), ref: 012B49B2
                                  • Part of subcall function 012B480C: GlobalFree.KERNEL32(?), ref: 012B49BB
                                  • Part of subcall function 012827C5: GetParent.USER32(?), ref: 012827F8
                                  • Part of subcall function 012827C5: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0128281C
                                  • Part of subcall function 012827C5: UpdateWindow.USER32 ref: 01282837
                                  • Part of subcall function 012827C5: SendMessageW.USER32(?,00000121,00000000,?), ref: 01282858
                                  • Part of subcall function 012827C5: SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 01282870
                                  • Part of subcall function 012827C5: UpdateWindow.USER32 ref: 012828B3
                                  • Part of subcall function 012827C5: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 012828E4
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                • FreeResource.KERNEL32(?,?,00000000,00000000,?,?,?,000004DC), ref: 012B4B90
                                  • Part of subcall function 012869E1: EnableWindow.USER32 ref: 012869F2
                                • EnableWindow.USER32 ref: 012B4B5B
                                • GetActiveWindow.USER32 ref: 012B4B66
                                • SetActiveWindow.USER32(?), ref: 012B4B74
                                  • Part of subcall function 012B4557: IsWindow.USER32(?), ref: 012B456E
                                  • Part of subcall function 012B4557: EnableWindow.USER32 ref: 012B4580
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$EnableMessageResource$Global$ActiveEnabledFreeH_prolog3_catchHookLockPeekSendUpdateWindows$CreateCurrentDesktopDestroyDialogFindIndirectLoadLongParamParentThreadUnhookUnlock
                                • String ID:
                                • API String ID: 2178260107-0
                                • Opcode ID: 1e5f21915f30bd0eb5f2b0202602ba00ffe571bccc1a910acb49f38069c632c5
                                • Instruction ID: be0e7d4ba2b65eeec59277876b3184d65e588cce8eb1862964e698855c3489d7
                                • Opcode Fuzzy Hash: 1e5f21915f30bd0eb5f2b0202602ba00ffe571bccc1a910acb49f38069c632c5
                                • Instruction Fuzzy Hash: B1516030A207469FEF21BFA8C8D4BFEBAB5BF58751F140029D712B2291DB704941CB65
                                Uniqueness

                                Uniqueness Score: 0.35%

                                C-Code - Quality: 83%
                                			E012B8720(void* __ebx, intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                				signed int _v8;
                                				intOrPtr _v20;
                                				signed int _v52;
                                				char _v56;
                                				signed int _v60;
                                				intOrPtr _v64;
                                				signed int _v68;
                                				signed int _v72;
                                				struct tagPOINT _v80;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t58;
                                				signed int _t61;
                                				signed int _t63;
                                				signed int _t64;
                                				signed int _t65;
                                				signed int _t68;
                                				signed int _t70;
                                				signed int _t79;
                                				short _t81;
                                				short _t88;
                                				intOrPtr _t89;
                                				short _t93;
                                				intOrPtr _t99;
                                				void* _t118;
                                				intOrPtr _t119;
                                				intOrPtr* _t120;
                                				signed int _t121;
                                
                                				_t118 = __edx;
                                				_t98 = __ebx;
                                				_t58 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t58 ^ _t121;
                                				_t119 = _a4;
                                				_t120 = __ecx;
                                				if(E01280B27(__ecx, __eflags, _t119) == 0) {
                                					_push(__ebx);
                                					_t99 =  *((intOrPtr*)(_t119 + 4));
                                					_t102 = __ecx;
                                					_t61 = E012845DB(__ecx);
                                					__eflags =  *(__ecx + 0xa4) & 0x00000020;
                                					_v72 = _t61;
                                					if(( *(__ecx + 0xa4) & 0x00000020) != 0) {
                                						L5:
                                						__eflags = _t99 - 0x200;
                                						if(_t99 < 0x200) {
                                							L7:
                                							__eflags = _t99 - 0xa0 - 9;
                                							if(__eflags > 0) {
                                								L30:
                                								_t63 = L01283CE7(_t120);
                                								__eflags = _t63;
                                								if(_t63 == 0) {
                                									L32:
                                									__eflags = _v72;
                                									if(_v72 == 0) {
                                										L35:
                                										_t64 = IsWindow( *(_t120 + 0x20));
                                										__eflags = _t64;
                                										if(_t64 == 0) {
                                											L38:
                                											_t65 = 0;
                                											__eflags = 0;
                                											L39:
                                											_pop(_t98);
                                											goto L40;
                                										}
                                										_t65 = L01281A9E(_t119);
                                										goto L39;
                                									} else {
                                										goto L33;
                                									}
                                									while(1) {
                                										L33:
                                										_t100 = _v72;
                                										_t68 =  *((intOrPtr*)( *_v72 + 0x10c))(_t119);
                                										__eflags = _t68;
                                										if(_t68 != 0) {
                                											break;
                                										}
                                										_t70 = L01283CA8(_t100);
                                										_v72 = _t70;
                                										__eflags = _t70;
                                										if(_t70 != 0) {
                                											continue;
                                										}
                                										goto L35;
                                									}
                                									_t65 = 1;
                                									goto L39;
                                								}
                                								__eflags =  *(_t63 + 0x88);
                                								if( *(_t63 + 0x88) != 0) {
                                									goto L38;
                                								}
                                								goto L32;
                                							}
                                							L8:
                                							_v64 = L01279322(_t99, _t102, _t119, _t120, __eflags);
                                							_v80.x =  *(_t119 + 0x14);
                                							_v80.y =  *((intOrPtr*)(_t119 + 0x18));
                                							ScreenToClient( *(_t120 + 0x20),  &_v80);
                                							L01367D50( &_v56, 0, 0x2c);
                                							_v56 = 0x30;
                                							_t79 =  *((intOrPtr*)( *_t120 + 0x74))(_v80.x, _v80.y,  &_v56);
                                							__eflags = _v20 - 0xffffffff;
                                							_v60 = _t79;
                                							if(_v20 != 0xffffffff) {
                                								L01367A0B(_v20);
                                							}
                                							__eflags = _t99 - 0x201;
                                							if(_t99 != 0x201) {
                                								L13:
                                								_v68 = _v68 & 0x00000000;
                                								__eflags = _t99 - 0x201;
                                								if(_t99 != 0x201) {
                                									_t93 = GetKeyState(1);
                                									__eflags = _t93;
                                									if(_t93 < 0) {
                                										_v60 =  *((intOrPtr*)(_v64 + 0x4c));
                                									}
                                								}
                                								goto L16;
                                							} else {
                                								__eflags = _v52 & 0x80000000;
                                								if((_v52 & 0x80000000) == 0) {
                                									goto L13;
                                								}
                                								_v68 = 1;
                                								L16:
                                								__eflags = _v60;
                                								if(_v60 < 0) {
                                									L26:
                                									_t81 = GetKeyState(1);
                                									__eflags = _t81;
                                									if(_t81 >= 0) {
                                										L28:
                                										 *((intOrPtr*)( *_t120 + 0x19c))(0xffffffff);
                                										KillTimer( *(_t120 + 0x20), 0xe001);
                                										L29:
                                										 *((intOrPtr*)(_v64 + 0x4c)) = _v60;
                                										goto L30;
                                									}
                                									__eflags = _v68;
                                									if(_v68 == 0) {
                                										goto L29;
                                									}
                                									goto L28;
                                								}
                                								__eflags = _v68;
                                								if(_v68 != 0) {
                                									goto L26;
                                								}
                                								__eflags = _t99 - 0x202;
                                								if(_t99 != 0x202) {
                                									__eflags =  *(_t120 + 0xa0) & 0x00000008;
                                									if(( *(_t120 + 0xa0) & 0x00000008) != 0) {
                                										L25:
                                										 *((intOrPtr*)( *_t120 + 0x19c))(_v60);
                                										goto L29;
                                									}
                                									_t88 = GetKeyState(1);
                                									__eflags = _t88;
                                									if(_t88 < 0) {
                                										goto L25;
                                									}
                                									_t89 = _v64;
                                									__eflags = _v60 -  *((intOrPtr*)(_t89 + 0x4c));
                                									if(_v60 ==  *((intOrPtr*)(_t89 + 0x4c))) {
                                										goto L29;
                                									}
                                									_push(0x12c);
                                									_push(0xe000);
                                									L20:
                                									L012B7A84(_t120);
                                									goto L29;
                                								}
                                								 *((intOrPtr*)( *_t120 + 0x19c))(0xffffffff);
                                								_push(0xc8);
                                								_push(0xe001);
                                								goto L20;
                                							}
                                						}
                                						__eflags = _t99 - 0x209;
                                						if(__eflags <= 0) {
                                							goto L8;
                                						}
                                						goto L7;
                                					}
                                					__eflags = _t99 - 0x201;
                                					if(_t99 == 0x201) {
                                						goto L5;
                                					}
                                					__eflags = _t99 - 0x202;
                                					if(_t99 != 0x202) {
                                						goto L30;
                                					}
                                					goto L5;
                                				} else {
                                					_t65 = 1;
                                					L40:
                                					return L01367D3E(_t65, _t98, _v8 ^ _t121, _t118, _t119, _t120);
                                				}
                                			}
                                0x00000000
                                0x012b8855
                                0x012b8843
                                0x012b8849
                                0x012b884e
                                0x00000000
                                0x012b884e
                                0x012b87f7
                                0x012b877e
                                0x012b8784
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012b8784
                                0x012b8762
                                0x012b8768
                                0x00000000
                                0x00000000
                                0x012b876a
                                0x012b8770
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012b8743
                                0x012b8745
                                0x012b8927
                                0x012b8934
                                0x012b8934

                                APIs
                                  • Part of subcall function 012845DB: GetParent.USER32(?), ref: 012845E5
                                • ScreenToClient.USER32(?,?), ref: 012B87B0
                                • _memset.LIBCMT ref: 012B87BE
                                • _free.LIBCMT ref: 012B87EA
                                  • Part of subcall function 01367A0B: HeapFree.KERNEL32(00000000,00000000), ref: 01367A21
                                  • Part of subcall function 01367A0B: GetLastError.KERNEL32(00000000,?,0136E429,00000000,?,01369B20,013695F6,?,?,01274776,?,?,?,01277D41,0000000C,00000004), ref: 01367A33
                                • GetKeyState.USER32 ref: 012B8815
                                • GetKeyState.USER32 ref: 012B8867
                                  • Part of subcall function 012B7A84: KillTimer.USER32 ref: 012B7A9B
                                  • Part of subcall function 012B7A84: KillTimer.USER32 ref: 012B7AA5
                                  • Part of subcall function 012B7A84: SetTimer.USER32 ref: 012B7AB2
                                • GetKeyState.USER32 ref: 012B889A
                                • KillTimer.USER32 ref: 012B88BF
                                • IsWindow.USER32(?), ref: 012B890B
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01283CA8: GetParent.USER32(?), ref: 01283CD2
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Timer$KillState$ExceptionFilterParentProcessUnhandled$ClientCurrentDebuggerErrorFreeHeapLastPresentScreenTerminateWindow_free_memset
                                • String ID: 0
                                • API String ID: 30787137-4108050209
                                • Opcode ID: 4c29248c22ac918cd32840799f6fa9e4381263bcb6d103d1976372cb21e83d3c
                                • Instruction ID: 18041395ff14a90dfc8030b6687f18cae8282b2284653eb163228a98ad02d73b
                                • Opcode Fuzzy Hash: 4c29248c22ac918cd32840799f6fa9e4381263bcb6d103d1976372cb21e83d3c
                                • Instruction Fuzzy Hash: 88517430A2030ADBDF25DF68E8C8BEDBBF9BF04394F104529E659A62D1DB719841CB51
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 82%
                                			E012C0A61(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                				signed int _v8;
                                				int _v12;
                                				int _v16;
                                				int _v20;
                                				void _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				struct tagRECT _v72;
                                				struct tagRECT _v92;
                                				struct tagRECT _v108;
                                				char _v112;
                                				intOrPtr _v116;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t74;
                                				struct HMONITOR__* _t86;
                                				signed char _t90;
                                				int _t92;
                                				void _t103;
                                				intOrPtr _t108;
                                				int _t115;
                                				int _t121;
                                				int _t125;
                                				int _t129;
                                				intOrPtr _t130;
                                				signed int _t131;
                                
                                				_t123 = __edx;
                                				_t74 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t74 ^ _t131;
                                				_t130 = _a4;
                                				_t129 = 0;
                                				_t108 = __ecx;
                                				_v116 = __ecx;
                                				if(_t130 == 0) {
                                					L01277AC9(__ecx);
                                				}
                                				if((E01286848( *((intOrPtr*)(_t108 + 0xb0))) & 0x00c00000) == 0 || (E01286848( *((intOrPtr*)(_t108 + 0xb0))) & 0x00800000) == 0) {
                                					_v40.left = _t129;
                                					_v40.top = _t129;
                                					_v40.right = _t129;
                                					_v40.bottom = _t129;
                                					GetWindowRect( *( *((intOrPtr*)(_t108 + 0xb0)) + 0x20),  &_v40);
                                					_v24 = _t129;
                                					asm("cdq");
                                					asm("cdq");
                                					_t86 = _v40.top + _v40.bottom - _t123 >> 1;
                                					_v20 = _t129;
                                					_v16 = _t129;
                                					_v12 = _t129;
                                					_v112 = 0x28;
                                					__imp__MonitorFromPoint(_t86, 2,  &_v112);
                                					if(GetMonitorInfoW(_t86, _v40.left + _v40.right - _t123 >> 1) == 0) {
                                						SystemParametersInfoW(0x30, _t129,  &_v24, _t129);
                                					} else {
                                						CopyRect( &_v56,  &_v92);
                                						CopyRect( &_v72,  &_v108);
                                						_t103 = _v56.left - _v72.left;
                                						_t121 = _v56.top - _v72.top;
                                						_t108 = _v116;
                                						_v24 = _t103;
                                						_v20 = _t121;
                                						_v16 = _v56.right - _v56.left + _t103;
                                						_v12 = _v56.bottom - _v56.top + _t121;
                                					}
                                					_t90 = L012BFC9E(0x13d63e8);
                                					_t125 = _v12;
                                					if((_t90 & 0x00000008) != 0) {
                                						_t125 = _t125 - 2;
                                						_v12 = _t125;
                                					}
                                					if((_t90 & 0x00000004) != 0) {
                                						_v20 = _v20 + 2;
                                					}
                                					_t115 = _v16;
                                					if((_t90 & 0x00000002) != 0) {
                                						_t115 = _t115 - 2;
                                						_v16 = _t115;
                                					}
                                					if((_t90 & 0x00000001) != 0) {
                                						_v24 = _v24 + 2;
                                					}
                                					 *((intOrPtr*)(_t130 + 0x10)) = _v24;
                                					_t92 = _v20;
                                					_t123 = _t125 - _t92;
                                					 *(_t130 + 0x14) = _t92;
                                					 *((intOrPtr*)(_t130 + 8)) = _t115 - _v24;
                                					 *((intOrPtr*)(_t130 + 0xc)) = _t125 - _t92;
                                					_t93 =  *((intOrPtr*)(_t108 + 0xfc));
                                					if(_t93 != _t129 &&  *((intOrPtr*)(_t93 + 0x20)) != _t129 &&  *((intOrPtr*)(_t93 + 0x314)) != _t129 && E0127E1CC(0x13d63e8) == 0) {
                                						_t129 = GetSystemMetrics;
                                						 *((intOrPtr*)(_t130 + 0x18)) = GetSystemMetrics(0x22);
                                						 *((intOrPtr*)(_t130 + 0x1c)) = GetSystemMetrics(0x23);
                                					}
                                				}
                                				return L01367D3E(_t93, _t108, _v8 ^ _t131, _t123, _t129, _t130);
                                 			}

                                APIs
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                • GetWindowRect.USER32 ref: 012C0ACA
                                • MonitorFromPoint.USER32(?,?,00000002), ref: 012C0B03
                                • GetMonitorInfoW.USER32(00000000), ref: 012C0B0A
                                • CopyRect.USER32(?,?), ref: 012C0B22
                                • CopyRect.USER32(?,?), ref: 012C0B2C
                                • SystemParametersInfoW.USER32 ref: 012C0B63
                                  • Part of subcall function 012BFC9E: _memset.LIBCMT ref: 012BFCD2
                                  • Part of subcall function 012BFC9E: SHAppBarMessage.SHELL32(00000007,?), ref: 012BFCF0
                                  • Part of subcall function 012BFC9E: SHAppBarMessage.SHELL32(00000007,?), ref: 012BFD0A
                                  • Part of subcall function 012BFC9E: SHAppBarMessage.SHELL32(00000007,?), ref: 012BFD20
                                  • Part of subcall function 012BFC9E: SHAppBarMessage.SHELL32(00000007,?), ref: 012BFD39
                                • GetSystemMetrics.USER32 ref: 012C0BE1
                                • GetSystemMetrics.USER32 ref: 012C0BE8
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Message$RectSystem$CopyExceptionFilterInfoMetricsMonitorProcessUnhandledWindow$CurrentDebuggerException@8FromLongParametersPointPresentTerminateThrow_memset
                                • String ID: (
                                • API String ID: 3568799407-3887548279
                                • Opcode ID: a7e362bc96acb598e144d75f21b9072d01ee03dc67f93bfbe49cb87be3fdcf2a
                                • Instruction ID: 0a84d59648d7a8d049c3c9d88b56addd23c129923b62bce77bc972093b3203ae
                                • Opcode Fuzzy Hash: a7e362bc96acb598e144d75f21b9072d01ee03dc67f93bfbe49cb87be3fdcf2a
                                • Instruction Fuzzy Hash: 4A5128B5D10209DFDB14DFADC984AEEBBF9FF88704F14426AE615A7214D7309A00CB64
                                Uniqueness

                                Uniqueness Score: 4.01%

                                C-Code - Quality: 96%
                                			E01284DB2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t36;
                                				void* _t43;
                                				void* _t46;
                                				long _t61;
                                				void* _t68;
                                				struct HWND__* _t70;
                                				void* _t73;
                                
                                				_t68 = __edx;
                                				_push(0x4c);
                                				L013696A0(0x137faed, __ebx, __edi, __esi);
                                				_t70 =  *(_t73 + 8);
                                				_t61 =  *(_t73 + 0x14);
                                				_t72 = L"AfxOldWndProc423";
                                				 *(_t73 - 0x38) = _t70;
                                				 *(_t73 - 0x3c) = _t61;
                                				 *(_t73 - 0x30) = GetPropW(_t70, _t72);
                                				_t36 =  *(_t73 + 0xc) - 6;
                                				 *((intOrPtr*)(_t73 - 0x28)) = 0;
                                				 *((intOrPtr*)(_t73 - 4)) = 0;
                                				 *(_t73 - 0x2c) = 1;
                                				if(_t36 == 0) {
                                					_t72 = E01282D05(_t61, 0, _t68, _t61);
                                					E01284CC2(0, E01282D05(_t61, 0, _t68, _t70),  *(_t73 + 0x10), _t37);
                                					goto L9;
                                				} else {
                                					_t43 = _t36 - 0x1a;
                                					if(_t43 == 0) {
                                						 *(_t73 - 0x2c) = 0 | E01284D3A(_t61, _t68, _t70, E01282D05(_t61, 0, _t68, _t70), _t61, _t61 >> 0x10) == 0x00000000;
                                						L9:
                                						if( *(_t73 - 0x2c) != 0) {
                                							goto L10;
                                						}
                                					} else {
                                						_t46 = _t43 - 0x62;
                                						if(_t46 == 0) {
                                							SetWindowLongW(_t70, 0xfffffffc,  *(_t73 - 0x30));
                                							RemovePropW(_t70, _t72);
                                							GlobalDeleteAtom(GlobalFindAtomW(_t72) & 0x0000ffff);
                                							goto L10;
                                						} else {
                                							if(_t46 != 0x8e) {
                                								L10:
                                								 *((intOrPtr*)(_t73 - 0x28)) = CallWindowProcW( *(_t73 - 0x30), _t70,  *(_t73 + 0xc),  *(_t73 + 0x10), _t61);
                                							} else {
                                								 *((intOrPtr*)(_t73 - 0x24)) = 0;
                                								 *((intOrPtr*)(_t73 - 0x20)) = 0;
                                								 *((intOrPtr*)(_t73 - 0x1c)) = 0;
                                								 *((intOrPtr*)(_t73 - 0x18)) = 0;
                                								_t72 = E01282D05(_t61, 0, _t68, _t70);
                                								L01281EB5(_t53, _t73 - 0x24, _t73 - 0x2c);
                                								 *((intOrPtr*)(_t73 - 0x28)) = CallWindowProcW( *(_t73 - 0x30), _t70, 0x110,  *(_t73 + 0x10), _t61);
                                								L0128396E(_t61, _t68, _t53, _t73 - 0x24,  *(_t73 - 0x2c));
                                							}
                                						}
                                					}
                                				}
                                				return L013696FC(_t61, _t70, _t72);
                                 			}

                                APIs
                                • __EH_prolog3_catch_GS.LIBCMT ref: 01284DB9
                                • GetPropW.USER32(?,AfxOldWndProc423), ref: 01284DD1
                                • CallWindowProcW.USER32(?,?,00000110,?,?), ref: 01284E3D
                                  • Part of subcall function 0128396E: GetWindowRect.USER32 ref: 012839B1
                                  • Part of subcall function 0128396E: GetWindow.USER32(?,00000004), ref: 012839CE
                                • SetWindowLongW.USER32 ref: 01284E64
                                • RemovePropW.USER32(?,AfxOldWndProc423), ref: 01284E6C
                                • GlobalFindAtomW.KERNEL32 ref: 01284E73
                                • GlobalDeleteAtom.KERNEL32(?), ref: 01284E7D
                                  • Part of subcall function 01284D3A: GetLastActivePopup.USER32(?), ref: 01284D70
                                  • Part of subcall function 01284D3A: GetForegroundWindow.USER32 ref: 01284D82
                                  • Part of subcall function 01284D3A: SetForegroundWindow.USER32 ref: 01284DA0
                                  • Part of subcall function 01281EB5: GetWindowRect.USER32 ref: 01281EC4
                                  • Part of subcall function 01284CC2: IsWindow.USER32(?), ref: 01284CF4
                                  • Part of subcall function 01284CC2: SendMessageW.USER32(?,0000036E,?,?), ref: 01284D2D
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 01284ED0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$AtomCallForegroundGlobalProcPropRect$ActiveDeleteFindH_prolog3_catch_LastLongMessagePopupRemoveSend
                                • String ID: AfxOldWndProc423
                                • API String ID: 2085894242-1060338832
                                • Opcode ID: 38a9896daa379bfff94d6be4b5fffdb3f9c77dff84aaa12b1ddd805e6d30fc78
                                • Instruction ID: dea646bb654bc65bccbc0774c5059301c7bb7e28b2eb2077a811293fa34893b0
                                • Opcode Fuzzy Hash: 38a9896daa379bfff94d6be4b5fffdb3f9c77dff84aaa12b1ddd805e6d30fc78
                                • Instruction Fuzzy Hash: 11313CB1C2121AABDF15BFA9D848AEEBEBCFF19714F04411AF511B2294D7358910CB64
                                Uniqueness

                                Uniqueness Score: 1.64%

                                C-Code - Quality: 80%
                                			E012947FA(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t118;
                                				intOrPtr* _t123;
                                				intOrPtr* _t127;
                                				signed int _t139;
                                				intOrPtr* _t142;
                                				intOrPtr _t144;
                                				void* _t167;
                                				void* _t169;
                                				void* _t208;
                                				signed int _t212;
                                				signed int _t213;
                                				void* _t214;
                                				void* _t215;
                                				void* _t217;
                                				void* _t219;
                                
                                				_t219 = __eflags;
                                				_t202 = __edx;
                                				_t169 = __ecx + 0xb6c;
                                				_push(0x84);
                                				L0136966A(0x138268f, __ebx, __edi, __esi);
                                				_t167 = _t169;
                                				_push( *((intOrPtr*)(_t167 + 4)));
                                				L01279EEC(_t167, _t214 - 0x80, __edx, __edi, __esi, _t219);
                                				 *(_t214 - 0x50) = 0;
                                				 *((intOrPtr*)(_t214 - 0x4c)) = 0;
                                				 *((intOrPtr*)(_t214 - 0x48)) = 0;
                                				 *((intOrPtr*)(_t214 - 0x44)) = 0;
                                				 *(_t214 - 4) = 0;
                                				GetClientRect( *( *((intOrPtr*)(_t167 + 4)) + 0x20), _t214 - 0x50);
                                				 *(_t214 - 0x20) = 0;
                                				 *(_t214 - 0x1c) = 0;
                                				 *((intOrPtr*)(_t214 - 0x18)) = 0;
                                				 *((intOrPtr*)(_t214 - 0x14)) = 0;
                                				GetWindowRect( *( *((intOrPtr*)(_t167 + 4)) + 0x20), _t214 - 0x20);
                                				L01279BD6( *((intOrPtr*)(_t167 + 4)), _t214 - 0x20);
                                				_t206 = OffsetRect;
                                				OffsetRect(_t214 - 0x50,  ~( *(_t214 - 0x20)),  ~( *(_t214 - 0x1c)));
                                				L01279552(_t214 - 0x80, _t214 - 0x50);
                                				_t177 =  *((intOrPtr*)(_t167 + 4));
                                				 *(_t214 - 0x68) = E01286862( *((intOrPtr*)(_t167 + 4))) & 0x00400000;
                                				_t118 =  *((intOrPtr*)(E01278D20(_t167, OffsetRect, 0, _t219) + 0x60));
                                				_t220 = _t118 - 1;
                                				if(_t118 != 1) {
                                					_t144 = E0127A083(_t167, _t177, _t202, OffsetRect, 0, _t220, _t118);
                                					 *((intOrPtr*)(_t214 - 0x64)) = _t144;
                                					if(_t144 != 0) {
                                						 *(_t214 - 0x30) = 0;
                                						 *(_t214 - 0x2c) = 0;
                                						 *((intOrPtr*)(_t214 - 0x28)) = 0;
                                						 *((intOrPtr*)(_t214 - 0x24)) = 0;
                                						GetWindowRect( *( *((intOrPtr*)(_t167 + 4)) + 0x20), _t214 - 0x30);
                                						_t222 =  *(_t214 - 0x68);
                                						if( *(_t214 - 0x68) == 0) {
                                							OffsetRgn( *( *((intOrPtr*)(_t214 - 0x64)) + 4),  ~( *(_t214 - 0x30)),  ~( *(_t214 - 0x2c)));
                                							L01279C58(_t214 - 0x80,  *((intOrPtr*)(_t214 - 0x64)), 1);
                                						} else {
                                							 *(_t214 - 0x40) = 0;
                                							 *((intOrPtr*)(_t214 - 0x3c)) = 0;
                                							 *((intOrPtr*)(_t214 - 0x38)) = 0;
                                							 *((intOrPtr*)(_t214 - 0x34)) = 0;
                                							GetRgnBox( *( *((intOrPtr*)(_t214 - 0x64)) + 4), _t214 - 0x40);
                                							OffsetRect(_t214 - 0x40,  *((intOrPtr*)(_t214 - 0x28)) -  *(_t214 - 0x40) -  *((intOrPtr*)(_t214 - 0x38)),  ~( *(_t214 - 0x2c)));
                                							 *(_t214 - 0x68) = 0;
                                							 *((intOrPtr*)(_t214 - 0x6c)) = 0x138f894;
                                							 *(_t214 - 4) = 1;
                                							E0127A097(_t167, _t214 - 0x6c, _t202, OffsetRect, CreateRectRgnIndirect(_t214 - 0x40));
                                							L01279C58(_t214 - 0x80, _t214 - 0x6c, 1);
                                							 *(_t214 - 4) = 0;
                                							 *((intOrPtr*)(_t214 - 0x6c)) = 0x138f894;
                                							E0127A27E(_t167, _t214 - 0x6c, OffsetRect, 0, _t222);
                                						}
                                					}
                                				}
                                				OffsetRect(_t214 - 0x20,  ~( *(_t214 - 0x20)),  ~( *(_t214 - 0x1c)));
                                				_t123 = E0128C2A4(_t167, _t206, 0, _t222);
                                				 *((intOrPtr*)( *_t123 + 0x38))(_t214 - 0x80,  *((intOrPtr*)(_t167 + 4)), _t214 - 0x20);
                                				L01279599(_t214 - 0x80, _t214 - 0x20);
                                				_t127 = E0128C2A4(_t167, _t206, 0, _t222);
                                				 *((intOrPtr*)(_t214 - 0x90)) = 0;
                                				 *((intOrPtr*)(_t214 - 0x8c)) = 0;
                                				 *((intOrPtr*)(_t214 - 0x88)) = 0;
                                				 *((intOrPtr*)(_t214 - 0x84)) = 0;
                                				asm("movsd");
                                				asm("movsd");
                                				_t204 =  *_t127;
                                				asm("movsd");
                                				asm("movsd");
                                				_t217 = _t215;
                                				_t208 = _t217;
                                				_t212 = _t214 - 0x20;
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				 *((intOrPtr*)( *_t127 + 0x34))(_t214 - 0x80,  *((intOrPtr*)(_t167 + 4)), 1);
                                				if(( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t167 + 4)))) + 0x1bc))() & 0x00400001) == 0x400000) {
                                					 *(_t214 - 0x60) = 0;
                                					 *((intOrPtr*)(_t214 - 0x5c)) = 0;
                                					 *((intOrPtr*)(_t214 - 0x58)) = 0;
                                					 *((intOrPtr*)(_t214 - 0x54)) = 0;
                                					L012C9346(_t167, _t204, _t212, _t214 - 0x60, 0);
                                					_t139 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t167 + 4)))) + 0x1bc))();
                                					asm("sbb esi, esi");
                                					_t213 =  ~_t212;
                                					_t142 = E0128C2A4(_t167, _t208, _t213, _t139 & 0x0000a000);
                                					_t204 =  *_t142;
                                					_t208 = _t217 - 0x10;
                                					_t212 = _t214 - 0x60;
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					 *((intOrPtr*)( *_t142 + 0x44))(_t214 - 0x80, _t213,  *((intOrPtr*)(_t167 + 4)));
                                				}
                                				L01279B4B(_t214 - 0x80, 0);
                                				 *(_t214 - 4) =  *(_t214 - 4) | 0xffffffff;
                                				L01279F40(_t167, _t214 - 0x80, _t204, _t208, _t212,  *(_t214 - 4));
                                				return L013696ED(_t167, _t208, _t212);
                                			}


                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012C9448
                                  • Part of subcall function 01279EEC: __EH_prolog3.LIBCMT ref: 01279EF3
                                  • Part of subcall function 01279EEC: GetWindowDC.USER32(00000000), ref: 01279F1F
                                • GetClientRect.USER32 ref: 012C9475
                                • GetWindowRect.USER32 ref: 012C9491
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                • OffsetRect.USER32 ref: 012C94B9
                                  • Part of subcall function 01279552: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0127957B
                                  • Part of subcall function 01279552: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 01279590
                                  • Part of subcall function 01286862: GetWindowLongW.USER32(?,000000EC), ref: 0128686D
                                • GetWindowRect.USER32 ref: 012C950F
                                • GetRgnBox.GDI32(?,?), ref: 012C9530
                                • OffsetRect.USER32 ref: 012C954A
                                • CreateRectRgnIndirect.GDI32(?), ref: 012C955E
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                • OffsetRgn.GDI32(?,?,?), ref: 012C95A2
                                  • Part of subcall function 01279C58: ExtSelectClipRgn.GDI32(?,00000000,?), ref: 01279C81
                                  • Part of subcall function 01279C58: ExtSelectClipRgn.GDI32(?,?,?), ref: 01279C9A
                                • OffsetRect.USER32 ref: 012C95C5
                                  • Part of subcall function 0128C2A4: __EH_prolog3.LIBCMT ref: 0128C2AB
                                  • Part of subcall function 01279599: IntersectClipRect.GDI32(?,?,?,?,?), ref: 012795C2
                                  • Part of subcall function 01279599: IntersectClipRect.GDI32(?,?,?,?,?), ref: 012795D7
                                  • Part of subcall function 01279B4B: SelectClipRgn.GDI32(?,00000000), ref: 01279B71
                                  • Part of subcall function 01279B4B: SelectClipRgn.GDI32(?,?), ref: 01279B87
                                  • Part of subcall function 01279F40: __EH_prolog3.LIBCMT ref: 01279F47
                                  • Part of subcall function 01279F40: ReleaseDC.USER32(?,00000000), ref: 01279F64
                                  • Part of subcall function 012C9346: SetRectEmpty.USER32 ref: 012C936F
                                  • Part of subcall function 012C9346: GetWindowRect.USER32 ref: 012C93A6
                                  • Part of subcall function 012C9346: GetClientRect.USER32 ref: 012C93C4
                                  • Part of subcall function 012C9346: OffsetRect.USER32 ref: 012C9428
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Clip$OffsetWindow$ClientSelect$H_prolog3$ExcludeIntersectScreen$CreateEmptyH_prolog3_H_prolog3_catch_IndirectLongRelease
                                • String ID:
                                • API String ID: 3091073834-0
                                • Opcode ID: 9643cab3b7b9c0543405dbf6298e7d25706bb167bfab3f25e8a2986fb0eb6e27
                                • Instruction ID: 58b653849204a9041b60a7d90b2cedd380f80444b6d35aed4f94e6847ac8fcee
                                • Opcode Fuzzy Hash: 9643cab3b7b9c0543405dbf6298e7d25706bb167bfab3f25e8a2986fb0eb6e27
                                • Instruction Fuzzy Hash: 0A81FA71D20229DFCF04EFA8C9849EEBBB9FF19704F14415AE50AAB254DB709945CF60
                                Uniqueness

                                Uniqueness Score: 3.53%

                                C-Code - Quality: 100%
                                			E012C0BFE(void* __ecx, signed int _a8) {
                                				void* __ebp;
                                				intOrPtr _t42;
                                				struct HWND__* _t43;
                                				signed int _t44;
                                				struct HWND__* _t48;
                                				struct HWND__* _t49;
                                				int _t50;
                                				struct HWND__* _t53;
                                				struct HWND__* _t54;
                                				struct HWND__* _t55;
                                				int _t59;
                                				struct HWND__* _t74;
                                				intOrPtr* _t82;
                                				void* _t83;
                                
                                				_t82 = _a8;
                                				_t83 = __ecx;
                                				if(_t82 == 0) {
                                					L01277AC9(__ecx);
                                				}
                                				_t42 =  *((intOrPtr*)(_t83 + 0xfc));
                                				_a8 = _a8 & 0x00000000;
                                				if(_t42 == 0 ||  *(_t42 + 0x20) == 0 || IsWindowVisible( *(_t42 + 0x20)) == 0 && IsWindowVisible( *( *((intOrPtr*)(_t83 + 0xb0)) + 0x20)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t83 + 0xfc)) + 0x314)) == 0) {
                                					L10:
                                					_t43 =  *(_t83 + 0x100);
                                					__eflags = _t43;
                                					if(_t43 == 0) {
                                						L20:
                                						__eflags = _a8;
                                						if(__eflags == 0) {
                                							_t49 = E0128C316(_t83, __eflags);
                                							__eflags = _t49;
                                							if(_t49 != 0) {
                                								_t50 = GetSystemMetrics(4);
                                								_t36 = _t82 + 4;
                                								 *_t36 =  *(_t82 + 4) + _t50;
                                								__eflags =  *_t36;
                                							}
                                						}
                                						_t44 = E01286848( *((intOrPtr*)(_t83 + 0xb0)));
                                						__eflags = _t44 & 0x01000000;
                                						if((_t44 & 0x01000000) == 0) {
                                							L26:
                                							__eflags = 0;
                                							return 0;
                                						} else {
                                							__eflags = _a8;
                                							if(__eflags != 0) {
                                								goto L9;
                                							}
                                							_t48 = E0128C316(_t83, __eflags);
                                							__eflags = _t48;
                                							if(_t48 != 0) {
                                								goto L9;
                                							}
                                							goto L26;
                                						}
                                					}
                                					__eflags =  *(_t43 + 0x20);
                                					if( *(_t43 + 0x20) == 0) {
                                						goto L20;
                                					}
                                					__eflags = IsWindowVisible( *(_t43 + 0x20));
                                					if(__eflags != 0) {
                                						L14:
                                						_t74 =  *( *(_t83 + 0x100) + 0x1044);
                                						_t53 = E0128C316(_t83, __eflags);
                                						__eflags = _t53;
                                						if(_t53 == 0) {
                                							L17:
                                							_t54 =  *(_t83 + 0x100);
                                							_t30 = _t54 + 0x1044;
                                							 *_t30 =  *(_t54 + 0x1044) & 0x00000000;
                                							__eflags =  *_t30;
                                							L18:
                                							_t55 =  *(_t83 + 0x100);
                                							__eflags = _t74 -  *((intOrPtr*)(_t55 + 0x1044));
                                							if(_t74 !=  *((intOrPtr*)(_t55 + 0x1044))) {
                                								 *((intOrPtr*)(_t55->i + 0x20c))();
                                							}
                                							goto L20;
                                						}
                                						_t59 = IsZoomed( *( *((intOrPtr*)(_t83 + 0xb0)) + 0x20));
                                						__eflags = _t59;
                                						if(_t59 != 0) {
                                							goto L17;
                                						}
                                						 *( *(_t83 + 0x100) + 0x1044) = 1;
                                						 *((intOrPtr*)(_t82 + 0xc)) =  *((intOrPtr*)(_t82 + 0xc)) + GetSystemMetrics(0x21);
                                						goto L18;
                                					}
                                					__eflags = IsWindowVisible( *( *((intOrPtr*)(_t83 + 0xb0)) + 0x20));
                                					if(__eflags != 0) {
                                						goto L20;
                                					}
                                					goto L14;
                                				} else {
                                					_a8 = 1;
                                					if(E0127E1CC(0x13d63e8) == 0) {
                                						goto L10;
                                					}
                                					 *((intOrPtr*)(_t82 + 0xc)) =  *((intOrPtr*)(_t82 + 0xc)) - GetSystemMetrics(0x21);
                                					 *_t82 =  *_t82 + GetSystemMetrics(0x21);
                                					 *((intOrPtr*)(_t82 + 8)) =  *((intOrPtr*)(_t82 + 8)) - GetSystemMetrics(0x20);
                                					L9:
                                					return 1;
                                				}
                                			}


                                APIs
                                • IsWindowVisible.USER32(00000000), ref: 012C0C31
                                • IsWindowVisible.USER32(00000000), ref: 012C0C40
                                • GetSystemMetrics.USER32 ref: 012C0C72
                                • GetSystemMetrics.USER32 ref: 012C0C79
                                • GetSystemMetrics.USER32 ref: 012C0C7F
                                • IsWindowVisible.USER32(00000000), ref: 012C0CA7
                                • IsWindowVisible.USER32(00000000), ref: 012C0CB6
                                • IsZoomed.USER32(00000000), ref: 012C0CDC
                                • GetSystemMetrics.USER32 ref: 012C0CF8
                                • GetSystemMetrics.USER32 ref: 012C0D3B
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MetricsSystemWindow$Visible$Exception@8LongThrowZoomed
                                • String ID:
                                • API String ID: 1143040087-0
                                • Opcode ID: b4f3405321ac1cf2a7fb6d25ab045c316400573cb207741a8f8be216f4623115
                                • Instruction ID: 5c36aec9cd4f4d185d2bb799762e3b0e7594140fb3dbccab5d0ba8188eb5f19a
                                • Opcode Fuzzy Hash: b4f3405321ac1cf2a7fb6d25ab045c316400573cb207741a8f8be216f4623115
                                • Instruction Fuzzy Hash: 24417C35220703DFEB219B69C888BAA7BE4FF14754F04426CF7598B1A1D770E940CB69
                                Uniqueness

                                Uniqueness Score: 3.53%

                                C-Code - Quality: 80%
                                			E0128E35B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t50;
                                				void* _t58;
                                				signed int _t60;
                                				signed int _t61;
                                				signed int _t62;
                                				intOrPtr* _t63;
                                				signed int _t67;
                                				void* _t81;
                                				void* _t91;
                                				void* _t92;
                                				signed int _t94;
                                				struct HDC__* _t95;
                                				signed int _t98;
                                				void* _t99;
                                
                                				_t89 = __edx;
                                				_push(0x74);
                                				L01369601(0x1380243, __ebx, __edi, __esi);
                                				_t91 = __ecx;
                                				_t94 =  *(_t99 + 0x10);
                                				if(_t94 == 0) {
                                					L12:
                                					_t50 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t102 =  *(_t99 + 8);
                                					if( *(_t99 + 8) == 0) {
                                						goto L12;
                                					} else {
                                						E0128C123(_t99 - 0x80);
                                						 *((intOrPtr*)(_t99 - 4)) = 0;
                                						 *(_t99 - 0x7c) = _t94;
                                						E0128C1DD(_t99 - 0x80, __edx, 0);
                                						_push(_t91);
                                						L01279E5D(0, _t99 - 0x4c, __edx, _t91, _t94, _t102);
                                						 *((char*)(_t99 - 4)) = 1;
                                						L0127976C(_t99 - 0x28);
                                						 *((char*)(_t99 - 4)) = 2;
                                						L01279DC3(0, _t99 - 0x28, _t89, _t91, CreateCompatibleDC( *(_t99 - 0x48)));
                                						_t92 = SelectObject;
                                						_t58 = SelectObject( *(_t99 - 0x24),  *(_t99 + 8));
                                						_t95 =  *(_t99 - 0x24);
                                						 *(_t99 - 0x10) = _t58;
                                						if(L0128BFFF(0x13dc5fc) != 0) {
                                							_t60 = _t99 + 8;
                                							_push(_t60);
                                							_push(0);
                                							_push( *(_t99 - 0x7c));
                                							 *((intOrPtr*)(_t99 - 0x38)) = 0x13909b4;
                                							 *(_t99 + 8) = 0;
                                							L0137E8DA();
                                							_t81 =  *(_t99 + 8);
                                							 *(_t99 - 0x34) = _t81;
                                							 *((intOrPtr*)(_t99 - 0x30)) = 0;
                                							__eflags = _t60;
                                							if(_t60 == 0) {
                                								_t61 = _t99 + 0x10;
                                								_push(_t61);
                                								_push(_t95);
                                								 *(_t99 + 0x10) = 0;
                                								L0137E8EC();
                                								 *(_t99 - 0x14) = _t61;
                                								_t62 =  *(_t99 + 0x10);
                                								_push(7);
                                								_push(_t62);
                                								 *(_t99 - 0x18) = _t62;
                                								L0137E8F2();
                                								__eflags = _t62;
                                								if(_t62 != 0) {
                                									 *(_t99 - 0x14) = _t62;
                                								}
                                								_t63 =  *((intOrPtr*)(_t99 + 0xc));
                                								_t82 =  *((intOrPtr*)(_t63 + 4));
                                								_t67 = E0128C735(_t99 - 0x18, _t99 - 0x38,  *_t63,  *((intOrPtr*)(_t63 + 4)),  *((intOrPtr*)(_t63 + 8)) -  *_t63,  *((intOrPtr*)(_t63 + 0xc)) - _t82);
                                								_push( *(_t99 - 0x18));
                                								__eflags = _t67;
                                								_t38 = _t67 == 0;
                                								__eflags = _t38;
                                								_t98 = 0 | _t38;
                                								L0137E8CE();
                                								_push( *(_t99 + 8));
                                								L0137E8D4();
                                							} else {
                                								_push(_t81);
                                								L0137E8D4();
                                								goto L3;
                                							}
                                						} else {
                                							L3:
                                							_t98 = 0;
                                						}
                                						_t104 =  *(_t99 - 0x10);
                                						if( *(_t99 - 0x10) != 0) {
                                							SelectObject( *(_t99 - 0x24),  *(_t99 - 0x10));
                                						}
                                						 *((char*)(_t99 - 4)) = 1;
                                						L01279E44(_t99 - 0x28);
                                						 *((char*)(_t99 - 4)) = 0;
                                						E0128E003(L01279EB1(0, _t99 - 0x4c, _t89, _t92, _t98, _t104), _t99 - 0x80);
                                						_t50 = _t98;
                                					}
                                				}
                                				return L013696D9(_t50);
                                			}


















                                APIs
                                • __EH_prolog3.LIBCMT ref: 0128E362
                                  • Part of subcall function 0128C1DD: GetObjectW.GDI32(?,00000054,?), ref: 0128C1FC
                                  • Part of subcall function 01279E5D: __EH_prolog3.LIBCMT ref: 01279E64
                                  • Part of subcall function 01279E5D: GetDC.USER32(00000000), ref: 01279E90
                                • CreateCompatibleDC.GDI32(?), ref: 0128E3B2
                                • SelectObject.GDI32(?,?), ref: 0128E3CD
                                  • Part of subcall function 0128BFFF: EnterCriticalSection.KERNEL32(?), ref: 0128C01B
                                  • Part of subcall function 0128BFFF: GdiplusStartup.GDIPLUS(?,?,?), ref: 0128C042
                                  • Part of subcall function 0128BFFF: LeaveCriticalSection.KERNEL32(?), ref: 0128C04F
                                • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0128E3FC
                                • GdipDisposeImage.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0128E40F
                                • GdipCreateFromHDC.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0128E41E
                                • GdipSetInterpolationMode.GDIPLUS(?,00000007,?,?), ref: 0128E42F
                                  • Part of subcall function 0128C735: GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?), ref: 0128C75A
                                • GdipDeleteGraphics.GDIPLUS(?,?,00000007,?,?), ref: 0128E469
                                • GdipDisposeImage.GDIPLUS(?,?,?,00000007,?,?), ref: 0128E471
                                • SelectObject.GDI32(?,?), ref: 0128E481
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                  • Part of subcall function 01279EB1: __EH_prolog3.LIBCMT ref: 01279EB8
                                  • Part of subcall function 01279EB1: ReleaseDC.USER32(?,00000000), ref: 01279ED5
                                  • Part of subcall function 0128E003: DeleteObject.GDI32(00000000), ref: 0128E015
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Gdip$Object$CreateDeleteH_prolog3Image$CriticalDisposeFromSectionSelect$BitmapCompatibleDrawEnterGdiplusGraphicsInterpolationLeaveModeRectReleaseStartup
                                • String ID:
                                • API String ID: 945595743-0
                                • Opcode ID: ad6fa75c8908c4c87386317fe487fbe930e375576a6bb8e50b47c1a043b3c983
                                • Instruction ID: 9f0a32145da6c698bc6095977c927d98945b4567425176d303f7640357249a5e
                                • Opcode Fuzzy Hash: ad6fa75c8908c4c87386317fe487fbe930e375576a6bb8e50b47c1a043b3c983
                                • Instruction Fuzzy Hash: 28416D76C1125AEFCF14FFA8C8849EEBFB4EF18214F15446AE905B7250DB749A44CB50
                                Uniqueness

                                Uniqueness Score: 7.75%

                                C-Code - Quality: 93%
                                			E012848FD(void* __ebx, void* __ecx, void* __edx, signed int _a4, long _a8) {
                                				struct HWND__* _v8;
                                				void* __edi;
                                				void* _t12;
                                				void* _t14;
                                				void* _t15;
                                				void* _t18;
                                				void* _t19;
                                				void* _t29;
                                				struct HWND__* _t30;
                                				signed int _t34;
                                				void* _t36;
                                				void* _t38;
                                				void* _t42;
                                
                                				_t36 = __edx;
                                				_t29 = __ebx;
                                				_push(__ecx);
                                				_t38 = __ecx;
                                				_t12 = E012848D5(__ecx, __ecx);
                                				_t34 = _a4 & 0x0000fff0;
                                				_t42 = _t12;
                                				_t14 = _t34 - 0xf040;
                                				if(_t14 == 0) {
                                					L11:
                                					if(_a8 != 0x75 || _t42 == 0) {
                                						L15:
                                						_t15 = 0;
                                						goto L16;
                                					} else {
                                						E01286A6F(_t29, _t42, _t36);
                                						L14:
                                						_t15 = 1;
                                						L16:
                                						return _t15;
                                					}
                                				}
                                				_t18 = _t14 - 0x10;
                                				if(_t18 == 0) {
                                					goto L11;
                                				}
                                				_t19 = _t18 - 0x10;
                                				if(_t19 == 0 || _t19 == 0xa0) {
                                					if(_t34 == 0xf060 || _a8 != 0) {
                                						if(_t42 != 0) {
                                							_push(_t29);
                                							_t30 =  *(_t38 + 0x20);
                                							_v8 = GetFocus();
                                							E01282D05(_t30, _t34, _t36, SetActiveWindow( *(_t42 + 0x20)));
                                							SendMessageW( *(_t42 + 0x20), 0x112, _a4, _a8);
                                							if(IsWindow(_t30) != 0) {
                                								SetActiveWindow(_t30);
                                							}
                                							if(IsWindow(_v8) != 0) {
                                								SetFocus(_v8);
                                							}
                                						}
                                					}
                                					goto L14;
                                				} else {
                                					goto L15;
                                				}
                                			}

















                                APIs
                                • GetFocus.USER32 ref: 0128494B
                                • SetActiveWindow.USER32(?), ref: 0128495D
                                • SendMessageW.USER32(?,00000112,?,?), ref: 01284973
                                • IsWindow.USER32(?), ref: 01284980
                                • SetActiveWindow.USER32(?), ref: 01284987
                                • IsWindow.USER32(?), ref: 0128498C
                                • SetFocus.USER32 ref: 01284996
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A84
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A93
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286AA9
                                  • Part of subcall function 01286A6F: SetFocus.USER32 ref: 01286ABF
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$FocusParent$Active$MessageSend
                                • String ID: u
                                • API String ID: 1326723163-4067256894
                                • Opcode ID: 6b9d242a88c4fa7bcb312dff230cc965681777797006be35107ecf6bc2718241
                                • Instruction ID: fa08b3c3706e2481b081e2f597965343777e84508002c2c00cfad013ec9b6621
                                • Opcode Fuzzy Hash: 6b9d242a88c4fa7bcb312dff230cc965681777797006be35107ecf6bc2718241
                                • Instruction Fuzzy Hash: 6C118132522267A7EB357B7DDC08BAEBEA9EF45324F045121EB01A21D5DA34D910CBA0
                                Uniqueness

                                Uniqueness Score: 1.18%

                                C-Code - Quality: 94%
                                			E0133E9F7(intOrPtr __ecx, signed int _a4) {
                                				signed int _v8;
                                				char _v72;
                                				void _v100;
                                				intOrPtr _v104;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t12;
                                				void* _t14;
                                				char* _t23;
                                				void* _t29;
                                				signed short _t30;
                                				struct HDC__* _t31;
                                				signed int _t32;
                                
                                				_t12 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t12 ^ _t32;
                                				_t31 = GetStockObject;
                                				_t30 = 0xa;
                                				_v104 = __ecx;
                                				_t23 = L"System";
                                				_t14 = GetStockObject(0x11);
                                				if(_t14 != 0) {
                                					L2:
                                					if(GetObjectW(_t14, 0x5c,  &_v100) != 0) {
                                						_t23 =  &_v72;
                                						_t31 = GetDC(0);
                                						if(_v100 < 0) {
                                							_v100 =  ~_v100;
                                						}
                                						_t30 = MulDiv(_v100, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
                                						ReleaseDC(0, _t31);
                                					}
                                					L6:
                                					_t16 = _a4;
                                					if(_a4 == 0) {
                                						_t16 = _t30 & 0x0000ffff;
                                					}
                                					return L01367D3E(E0133E8D3(_v104, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
                                				}
                                				_t14 = GetStockObject(0xd);
                                				if(_t14 == 0) {
                                					goto L6;
                                				}
                                				goto L2;
                                			}


















                                APIs
                                • GetStockObject.GDI32(00000011), ref: 0133EA1F
                                • GetStockObject.GDI32(0000000D), ref: 0133EA27
                                • GetObjectW.GDI32(00000000,0000005C,?), ref: 0133EA34
                                • GetDC.USER32(00000000), ref: 0133EA43
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0133EA57
                                • MulDiv.KERNEL32 ref: 0133EA63
                                • ReleaseDC.USER32(00000000,00000000), ref: 0133EA6F
                                  • Part of subcall function 0133E8D3: GlobalLock.KERNEL32 ref: 0133E8EF
                                  • Part of subcall function 0133E8D3: lstrlenW.KERNEL32(?), ref: 0133E939
                                  • Part of subcall function 0133E8D3: _wcslen.LIBCMT ref: 0133E963
                                  • Part of subcall function 0133E8D3: GlobalUnlock.KERNEL32(?), ref: 0133E9E3
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Object$ExceptionFilterGlobalProcessStockUnhandled$CapsCurrentDebuggerDeviceLockPresentReleaseTerminateUnlock_wcslenlstrlen
                                • String ID: System
                                • API String ID: 235103851-3470857405
                                • Opcode ID: 50d8c423fdf5a2a8c1a92e0f677a06e94a54edc13676dc19eb1a8002cbafda95
                                • Instruction ID: 6c474d943600dda4449818156c954d47c53ed5b6f25f8379270a28e71810f249
                                • Opcode Fuzzy Hash: 50d8c423fdf5a2a8c1a92e0f677a06e94a54edc13676dc19eb1a8002cbafda95
                                • Instruction Fuzzy Hash: 57113D71A40318ABEB209BA5DC49FFE7BA9FB84755F440025F605AB1C4DB709D05CBB4
                                Uniqueness

                                Uniqueness Score: 0.25%

                                C-Code - Quality: 94%
                                			E013521DA(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                				WCHAR* _t18;
                                				intOrPtr _t24;
                                				void* _t25;
                                				void* _t26;
                                				intOrPtr _t27;
                                
                                				_t26 = __eflags;
                                				_push(4);
                                				L01369601(0x137ebfd, __ebx, __edi, __esi);
                                				_t24 = __ecx;
                                				 *((intOrPtr*)(_t25 - 0x10)) = __ecx;
                                				L01275CF0(__ecx, _t26);
                                				 *((intOrPtr*)(__ecx)) = 0x13ad254;
                                				 *((intOrPtr*)(__ecx + 0x34)) = 0x13ad1bc;
                                				 *((intOrPtr*)(_t25 - 4)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x20)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x24)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x28)) = 0xffff;
                                				E012866AF(4);
                                				_t27 =  *0x13db17c; // 0x0
                                				if(_t27 == 0) {
                                					_t18 = L"windows";
                                					 *0x13db170 = GetProfileIntW(_t18, L"DragScrollInset", 0xb);
                                					 *0x13db174 = GetProfileIntW(_t18, L"DragScrollDelay", 0x32);
                                					 *0x13db178 = GetProfileIntW(_t18, L"DragScrollInterval", 0x32);
                                					 *0x13db17c = 1;
                                				}
                                				E01286721(4);
                                				return L013696D9(_t24);
                                			}









                                APIs
                                • __EH_prolog3.LIBCMT ref: 013521E1
                                  • Part of subcall function 012866AF: EnterCriticalSection.KERNEL32(013D81D8,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 012866E9
                                  • Part of subcall function 012866AF: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 012866FB
                                  • Part of subcall function 012866AF: LeaveCriticalSection.KERNEL32(013D81D8,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 01286708
                                  • Part of subcall function 012866AF: EnterCriticalSection.KERNEL32(?,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 01286718
                                • GetProfileIntW.KERNEL32 ref: 01352231
                                • GetProfileIntW.KERNEL32 ref: 01352240
                                • GetProfileIntW.KERNEL32 ref: 0135224F
                                  • Part of subcall function 01286721: LeaveCriticalSection.KERNEL32(?,?,0127AEBE,00000010,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291,00000004,0127126A), ref: 0128673C
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CriticalSection$Profile$EnterLeave$H_prolog3Initialize
                                • String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
                                • API String ID: 351298047-1024936294
                                • Opcode ID: e4a43026004f2a8d3b5f5e8de27eb46ef406be2ed7264c0abb4aa4fb7945230b
                                • Instruction ID: c053d0b6bd4da441fe64d03d63b7c7a0b42e054b419122d6657cbccccbd435ad
                                • Opcode Fuzzy Hash: e4a43026004f2a8d3b5f5e8de27eb46ef406be2ed7264c0abb4aa4fb7945230b
                                • Instruction Fuzzy Hash: A501A2B0542305DBD730AFBAA941B0AFAE8FF55B18FC1050EE24567684CBB49405CF04
                                Uniqueness

                                Uniqueness Score: 1.85%

                                C-Code - Quality: 95%
                                			E012AC83B(void* __ebx, intOrPtr* __ecx, signed int* __edx, signed int _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				char _v40;
                                				signed int _v44;
                                				signed int _v48;
                                				signed int _v52;
                                				signed int _v56;
                                				signed int _v60;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t113;
                                				signed int _t117;
                                				signed int _t118;
                                				char _t124;
                                				signed int _t135;
                                				signed int _t137;
                                				signed int _t140;
                                				signed int _t146;
                                				signed int _t152;
                                				signed int _t154;
                                				signed int _t155;
                                				void* _t160;
                                				signed int _t163;
                                				void* _t165;
                                				signed int _t166;
                                				signed int _t171;
                                				signed char _t176;
                                				signed int _t177;
                                				signed int _t192;
                                				intOrPtr* _t193;
                                				void* _t204;
                                				intOrPtr* _t209;
                                				signed int _t210;
                                
                                				_t207 = __edx;
                                				_t179 = __ebx;
                                				_t113 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t113 ^ _t210;
                                				_t208 = _a4;
                                				_t209 = __ecx;
                                				_v52 = _a4;
                                				if(GetKeyState(0x11) >= 0) {
                                					_push(__ebx);
                                					_v48 = 1;
                                					_t208 = E012789CC(0x13d04b0, _t208);
                                					_t117 =  *(_t209 + 0x1b8);
                                					__eflags = _t117;
                                					if(_t117 == 0) {
                                						L5:
                                						_v56 = 0;
                                					} else {
                                						__eflags =  *(_t117 + 8);
                                						if( *(_t117 + 8) == 0) {
                                							goto L5;
                                						} else {
                                							_v56 = 1;
                                							__eflags =  *(_t117 + 4);
                                							if( *(_t117 + 4) == 0) {
                                								goto L5;
                                							}
                                						}
                                					}
                                					__eflags = _t208;
                                					if(_t208 == 0) {
                                						L54:
                                						_t118 = _v48;
                                					} else {
                                						_v24.left = 0;
                                						_v24.top = 0;
                                						_v24.right.x = 0;
                                						_v24.bottom = 0;
                                						GetWindowRect( *(_v52 + 0x20),  &_v24);
                                						_t124 =  *((intOrPtr*)( *_t208 + 0x16c))();
                                						_v40 = _t124;
                                						_v36 = _t124;
                                						_v32 = _t124;
                                						_v28 = _t124;
                                						L012C7352(0x13d0a78,  &_v24,  &_v40);
                                						E01286A31(_t208, 0, _v24.left, _v24.top, 0, 0, 0x15);
                                						_v24.right.x = 0;
                                						_v24.bottom = 0;
                                						GetCursorPos( &(_v24.right));
                                						_t192 = E012789CC(0x139ada0,  *((intOrPtr*)( *_t208 + 0x1a4))());
                                						_v60 = _t192;
                                						__eflags = _t192;
                                						if(_t192 == 0) {
                                							L11:
                                							_t193 = _t209;
                                							_t135 =  *((intOrPtr*)( *_t209 + 0x14))(_v24.right.x, _v24.bottom, _t208, 1);
                                							_v44 = _t135;
                                							__eflags = _t135;
                                							if(__eflags == 0) {
                                								goto L19;
                                							} else {
                                								_v52 = E01282D31(0, _t193, _t207, _t208, _t209, __eflags,  *((intOrPtr*)(_t135 + 0xbc)));
                                								_t165 = E01282D31(0, _t193, _t207, _t208, _t209, __eflags,  *((intOrPtr*)(_t208 + 0xbc)));
                                								__eflags = _v52 - _t165;
                                								if(_v52 != _t165) {
                                									goto L19;
                                								} else {
                                									_t166 = E012789CC(0x13d2028, _v44);
                                									_pop(_t204);
                                									_v56 = _t166;
                                									__eflags = _t166;
                                									if(_t166 == 0) {
                                										goto L40;
                                									} else {
                                										__eflags =  *(_t209 + 0x124);
                                										if( *(_t209 + 0x124) == 0) {
                                											 *((intOrPtr*)(_t209 + 0x128)) = E0136C70D(_t204);
                                											 *(_t209 + 0x124) = _v56;
                                										}
                                										__eflags =  *(_t209 + 0x124) - _v56;
                                										if( *(_t209 + 0x124) != _v56) {
                                											goto L40;
                                										} else {
                                											__eflags = E0136C70D(_t204) -  *((intOrPtr*)(_t209 + 0x128)) -  *0x13d0514; // 0xdc
                                											if(__eflags <= 0) {
                                												goto L40;
                                											} else {
                                												_t171 =  *((intOrPtr*)( *_v56 + 0x244))(_t208, 1);
                                												_t208 = _t171;
                                												 *((intOrPtr*)(_t209 + 0x128)) = E0136C70D(_v56);
                                												 *(_t209 + 0x124) = 0;
                                												_t118 = _t171;
                                											}
                                										}
                                									}
                                								}
                                							}
                                						} else {
                                							__eflags = _v56;
                                							if(_v56 != 0) {
                                								L20:
                                								 *(_t209 + 0x124) = 0;
                                								__eflags = _t192;
                                								if(_t192 == 0) {
                                									goto L54;
                                								} else {
                                									_t137 =  *((intOrPtr*)( *_t192 + 0x194))();
                                									__eflags = _t137 & 0x0000f000;
                                									if((_t137 & 0x0000f000) == 0) {
                                										L40:
                                										_t118 = 1;
                                									} else {
                                										_t207 =  &_v44;
                                										_v44 = 0;
                                										_t140 =  *((intOrPtr*)( *_v60 + 0x2b4))( *0x13d0520,  &_v44);
                                										_t195 = _v44;
                                										_v48 = _t140;
                                										__eflags = _v60 - _t195;
                                										if(_v60 == _t195) {
                                											_v48 = 0;
                                										}
                                										__eflags = _t195;
                                										if(_t195 != 0) {
                                											L26:
                                											__eflags = _v56;
                                											if(_v56 != 0) {
                                												goto L42;
                                											} else {
                                												__eflags = _t195;
                                												if(_t195 == 0) {
                                													_v52 = 0;
                                												} else {
                                													_t163 = E012789AE(_t195, 0x139bed8);
                                													_t195 = _v44;
                                													_v52 = _t163;
                                												}
                                												__eflags = _t195;
                                												if(_t195 == 0) {
                                													_t154 = 1;
                                													__eflags = 1;
                                												} else {
                                													_t154 = E012789AE(_t195, 0x13d0f0c);
                                													_t195 = _v44;
                                												}
                                												__eflags = _v52;
                                												if(_v52 != 0) {
                                													_t155 =  *0x13d0510; // 0xc8
                                													goto L36;
                                												} else {
                                													__eflags = _t154;
                                													if(_t154 == 0) {
                                														goto L42;
                                													} else {
                                														_t155 =  *0x13d0514; // 0xdc
                                														L36:
                                														_v52 = _t155;
                                														__eflags =  *((intOrPtr*)(_t209 + 0x120)) - _t195;
                                														if( *((intOrPtr*)(_t209 + 0x120)) != _t195) {
                                															L38:
                                															 *((intOrPtr*)(_t209 + 0x128)) = E0136C70D(_t195);
                                															 *((intOrPtr*)(_t209 + 0x120)) = _v44;
                                															_t195 = _t208;
                                															 *((intOrPtr*)(_t209 + 0x12c)) = _v48;
                                															E012AA17F(_t208, _v52);
                                														} else {
                                															__eflags = _v48 -  *((intOrPtr*)(_t209 + 0x12c));
                                															if(_v48 !=  *((intOrPtr*)(_t209 + 0x12c))) {
                                																goto L38;
                                															}
                                														}
                                														_t160 = E0136C70D(_t195);
                                														__eflags = _t160 -  *((intOrPtr*)(_t209 + 0x128)) - _v52;
                                														if(_t160 -  *((intOrPtr*)(_t209 + 0x128)) >= _v52) {
                                															goto L42;
                                														} else {
                                															goto L40;
                                														}
                                													}
                                												}
                                											}
                                										} else {
                                											__eflags = _v48 - 2;
                                											if(_v48 != 2) {
                                												L42:
                                												 *((intOrPtr*)(_t209 + 0x120)) = 0;
                                												 *((intOrPtr*)(_t209 + 0x128)) = E0136C70D(_t195);
                                												 *((intOrPtr*)(_t209 + 0x12c)) = 0;
                                												L012A9317(_t208);
                                												__eflags = _v48 - 1;
                                												if(_v48 != 1) {
                                													__eflags = _v48 - 2;
                                													if(_v48 != 2) {
                                														__eflags = _v48 - 3;
                                														if(_v48 != 3) {
                                															goto L52;
                                														} else {
                                															__eflags = _v56;
                                															if(_v56 != 0) {
                                																goto L52;
                                															} else {
                                																_t207 =  *_t208;
                                																_v48 =  *((intOrPtr*)( *_t208 + 0x18c))(2, _v44, 1);
                                																 *((intOrPtr*)( *_t209 + 0x38))(0);
                                															}
                                														}
                                													} else {
                                														__eflags = _v56;
                                														if(_v56 != 0) {
                                															goto L52;
                                														} else {
                                															_t207 =  *_t208;
                                															_t146 =  *((intOrPtr*)( *_t208 + 0x18c))(1, _v44, 1);
                                														}
                                														goto L53;
                                													}
                                													goto L54;
                                												} else {
                                													__eflags = _v44;
                                													if(_v44 == 0) {
                                														L52:
                                														_t146 =  *((intOrPtr*)( *_t208 + 0x18c))(0, _v44, 1);
                                														L53:
                                														_v48 = _t146;
                                														goto L54;
                                													} else {
                                														_t207 =  *_t208;
                                														 *((intOrPtr*)( *_t208 + 0x18c))(0, 0, 1);
                                														_t152 =  *((intOrPtr*)( *_v60 + 0x2a0))(_v44);
                                														__eflags = _t152;
                                														if(_t152 == 0) {
                                															goto L52;
                                														} else {
                                															_t118 = 0;
                                														}
                                													}
                                												}
                                											} else {
                                												goto L26;
                                											}
                                										}
                                									}
                                								}
                                							} else {
                                								_t176 =  *((intOrPtr*)( *_t192 + 0x1bc))();
                                								__eflags = _t176 & 0x00000040;
                                								if((_t176 & 0x00000040) == 0) {
                                									L19:
                                									_t192 = _v60;
                                									goto L20;
                                								} else {
                                									_t177 = E012789AE(_v60, 0x13d0f0c);
                                									__eflags = _t177;
                                									if(_t177 == 0) {
                                										goto L19;
                                									} else {
                                										goto L11;
                                									}
                                								}
                                							}
                                						}
                                					}
                                					_pop(_t179);
                                				} else {
                                					_t118 = 1;
                                				}
                                				return L01367D3E(_t118, _t179, _v8 ^ _t210, _t207, _t208, _t209);
                                			}








































                                APIs
                                • GetKeyState.USER32 ref: 012AC859
                                • GetWindowRect.USER32 ref: 012AC8C1
                                  • Part of subcall function 012C7352: GetCursorPos.USER32(?), ref: 012C7381
                                  • Part of subcall function 012C7352: MonitorFromPoint.USER32(?,?,00000002), ref: 012C73B3
                                  • Part of subcall function 012C7352: GetMonitorInfoW.USER32(00000000), ref: 012C73BA
                                  • Part of subcall function 012C7352: CopyRect.USER32(012A87D6,?), ref: 012C73CC
                                  • Part of subcall function 012C7352: SystemParametersInfoW.USER32 ref: 012C73DC
                                  • Part of subcall function 012C7352: OffsetRect.USER32 ref: 012C7406
                                  • Part of subcall function 012C7352: OffsetRect.USER32 ref: 012C7431
                                  • Part of subcall function 012C7352: OffsetRect.USER32 ref: 012C745E
                                  • Part of subcall function 012C7352: OffsetRect.USER32 ref: 012C7483
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                • GetCursorPos.USER32(?), ref: 012AC90B
                                • _clock.LIBCMT ref: 012AC9BE
                                • _clock.LIBCMT ref: 012AC9E1
                                • _clock.LIBCMT ref: 012ACA08
                                • _clock.LIBCMT ref: 012ACAD4
                                  • Part of subcall function 012AA17F: SetTimer.USER32 ref: 012AA19F
                                • _clock.LIBCMT ref: 012ACAFB
                                • _clock.LIBCMT ref: 012ACB20
                                  • Part of subcall function 0136C70D: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,0130C746,00000000), ref: 0136C719
                                  • Part of subcall function 0136C70D: __aulldiv.LIBCMT ref: 0136C73F
                                  • Part of subcall function 012A9317: KillTimer.USER32 ref: 012A932A
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect_clock$Offset$CursorExceptionFilterInfoMonitorProcessSystemTimeTimerUnhandledWindow$CopyCurrentDebuggerFileFromKillParametersPointPresentStateTerminate__aulldiv
                                • String ID:
                                • API String ID: 693275115-0
                                • Opcode ID: e6deb874392a74da4ddd5fa6f8200f4960fef89adc4ffcfd9508ae92b86b5b20
                                • Instruction ID: 8ff6cadc9197a9efe4f54130c827d3bfa2e79cac357041e52ec77a7e036cd257
                                • Opcode Fuzzy Hash: e6deb874392a74da4ddd5fa6f8200f4960fef89adc4ffcfd9508ae92b86b5b20
                                • Instruction Fuzzy Hash: 39B12771A2020AEFCB25DFA8D4849EEBBF5FF48314F54542EE646A7241EB319850CF61
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 80%
                                			E0128E4B0(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags, signed long long __fp0) {
                                				signed char _t141;
                                				intOrPtr _t142;
                                				signed int _t143;
                                				char* _t164;
                                				intOrPtr _t183;
                                				void* _t197;
                                				intOrPtr _t198;
                                				void* _t212;
                                				void* _t219;
                                				signed long long _t241;
                                				signed long long _t243;
                                
                                				_t241 = __fp0;
                                				_t208 = __esi;
                                				_t197 = __edx;
                                				_push(0xd0);
                                				L0136966A(0x1380292, __ebx, __edi, __esi);
                                				_t202 =  *((intOrPtr*)(_t219 + 8));
                                				 *((intOrPtr*)(_t219 - 0x4c)) = __ecx;
                                				 *((intOrPtr*)(_t219 - 0x50)) = _t202;
                                				if( *((intOrPtr*)(__ecx + 0x74)) == 0 || _t202 <= 0 ||  *((intOrPtr*)(_t219 + 0xc)) <= 0) {
                                					L30:
                                					__eflags = 0;
                                				} else {
                                					 *(_t219 - 0x20) = 0;
                                					 *(_t219 - 0x1c) = 0;
                                					 *((intOrPtr*)(_t219 - 0x18)) = 0;
                                					 *((intOrPtr*)(_t219 - 0x14)) = 0;
                                					_t208 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x74)))) + 0x1f8))();
                                					 *((intOrPtr*)(_t219 - 0x44)) = _t208;
                                					GetWindowRect( *(_t208 + 0x20), _t219 - 0x20);
                                					OffsetRect(_t219 - 0x20,  ~( *(_t219 - 0x20)),  ~( *(_t219 - 0x1c)));
                                					if( *((intOrPtr*)(_t219 - 0x18)) -  *(_t219 - 0x20) <= 0) {
                                						goto L30;
                                					} else {
                                						_t227 =  *((intOrPtr*)(_t219 - 0x14)) -  *(_t219 - 0x1c);
                                						if( *((intOrPtr*)(_t219 - 0x14)) -  *(_t219 - 0x1c) <= 0) {
                                							goto L30;
                                						} else {
                                							E0128C123(_t219 - 0x94);
                                							 *((intOrPtr*)(_t219 - 4)) = 0;
                                							E0128E025(0, _t197, _t227,  *((intOrPtr*)(_t219 - 0x18)) -  *(_t219 - 0x20),  *((intOrPtr*)(_t219 - 0x14)) -  *(_t219 - 0x1c), 0x20, 0, 0, 1);
                                							_push(_t208);
                                							L01279E5D(0, _t219 - 0xa8, _t197, _t202, _t208, _t227);
                                							 *((char*)(_t219 - 4)) = 1;
                                							L0127976C(_t219 - 0x60);
                                							 *((char*)(_t219 - 4)) = 2;
                                							L01279DC3(0, _t219 - 0x60, _t197, _t202, CreateCompatibleDC( *(_t219 - 0xa4)));
                                							if( *(_t219 - 0x90) == 0) {
                                								 *(_t219 - 0x34) = 0;
                                							} else {
                                								 *(_t219 - 0x34) = SelectObject( *(_t219 - 0x5c),  *(_t219 - 0x90));
                                							}
                                							 *((intOrPtr*)(_t219 - 0x48)) = 0;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							_t141 =  *((intOrPtr*)( *_t208 + 0x90))(_t219 - 0x60, _t202,  *((intOrPtr*)(_t219 + 0xc)),  *((intOrPtr*)(_t219 + 0x10)), _t219 - 0x48);
                                							if( *(_t219 - 0x34) != 0) {
                                								_t141 = SelectObject( *(_t219 - 0x5c),  *(_t219 - 0x34));
                                							}
                                							if( *((intOrPtr*)(_t219 - 0x48)) != 0) {
                                								_t183 =  *((intOrPtr*)(_t219 - 0x14));
                                								_t198 =  *((intOrPtr*)(_t219 - 0x18));
                                							} else {
                                								_t141 =  *(_t219 - 0x8c);
                                								if( *(_t219 - 0x80) < 0) {
                                									_t141 = ( *((intOrPtr*)(_t219 - 0x84)) - 1) *  *(_t219 - 0x80) +  *(_t219 - 0x8c);
                                								}
                                								_t183 =  *((intOrPtr*)(_t219 - 0x14));
                                								_t198 =  *((intOrPtr*)(_t219 - 0x18));
                                								 *(_t219 - 0x34) = 0;
                                								if((_t183 -  *(_t219 - 0x1c)) * (_t198 -  *(_t219 - 0x20)) > 0) {
                                									_t164 = _t141 + 3;
                                									do {
                                										 *_t164 = 0xff;
                                										_t183 =  *((intOrPtr*)(_t219 - 0x14));
                                										_t198 =  *((intOrPtr*)(_t219 - 0x18));
                                										_t164 = _t164 + 4;
                                										 *(_t219 - 0x34) =  *(_t219 - 0x34) + 1;
                                									} while ( *(_t219 - 0x34) < (_t183 -  *(_t219 - 0x1c)) * (_t198 -  *(_t219 - 0x20)));
                                								}
                                							}
                                							_t199 = _t198 -  *(_t219 - 0x20);
                                							 *((intOrPtr*)(_t219 - 0x38)) = _t198 -  *(_t219 - 0x20);
                                							asm("fild dword [ebp-0x38]");
                                							asm("fild dword [ebp-0x50]");
                                							 *((intOrPtr*)(_t219 - 0x44)) = _t183 -  *(_t219 - 0x1c);
                                							asm("fild dword [ebp-0x44]");
                                							asm("fild dword [ebp+0xc]");
                                							_t243 = _t241 / st1 / st1;
                                							asm("fcom st0, st2");
                                							asm("fnstsw ax");
                                							_t236 = _t141 & 0x00000041;
                                							if((_t141 & 0x00000041) != 0) {
                                								st2 = _t243;
                                							} else {
                                								st0 = _t243;
                                							}
                                							asm("fxch st0, st2");
                                							_t142 = L0136BAB0(_t141, _t243 * st1);
                                							asm("fmulp st1, st0");
                                							_t202 = _t142;
                                							_t143 = L0136BAB0(_t142, _t243 * st1);
                                							 *((intOrPtr*)(_t219 - 0x30)) = 0;
                                							 *((intOrPtr*)(_t219 - 0x28)) = _t142;
                                							 *((intOrPtr*)(_t219 - 0x2c)) = 0;
                                							 *(_t219 - 0x24) = _t143;
                                							E0128C123(_t219 - 0xdc);
                                							 *((char*)(_t219 - 4)) = 3;
                                							E0128E025(0, _t199, _t236, _t142,  ~_t143, 0x20, 0, 0, 1);
                                							if( *((intOrPtr*)(_t219 + 0x10)) == 0) {
                                								L23:
                                								L0127976C(_t219 - 0x40);
                                								 *((char*)(_t219 - 4)) = 4;
                                								L01279DC3(0, _t219 - 0x40, _t199, _t202, CreateCompatibleDC( *(_t219 - 0xa4)));
                                								if( *(_t219 - 0xd8) == 0) {
                                									_t212 = 0;
                                									__eflags = 0;
                                								} else {
                                									_t212 = SelectObject( *(_t219 - 0x3c),  *(_t219 - 0xd8));
                                								}
                                								E0128C7CF(_t219 - 0x94,  *(_t219 - 0x3c), _t219 - 0x30, _t219 - 0x20, 0xff, 0);
                                								_t240 = _t212;
                                								if(_t212 != 0) {
                                									SelectObject( *(_t219 - 0x3c), _t212);
                                								}
                                								 *((char*)(_t219 - 4)) = 3;
                                								L01279E44(_t219 - 0x40);
                                							} else {
                                								_push(_t219 - 0x20);
                                								_push( *(_t219 - 0x90));
                                								_t199 = _t219 - 0x30;
                                								_push(_t219 - 0x30);
                                								_push( *(_t219 - 0xd8));
                                								if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 - 0x4c)) + 0x74)))) + 0x1f4))() == 0) {
                                									goto L23;
                                								}
                                							}
                                							_t208 = E0128C163(_t219 - 0xdc);
                                							E0128E003(_t153, _t219 - 0xdc);
                                							 *((char*)(_t219 - 4)) = 1;
                                							L01279E44(_t219 - 0x60);
                                							 *((char*)(_t219 - 4)) = 0;
                                							E0128E003(L01279EB1(0, _t219 - 0xa8, _t199, _t202, _t153, _t240), _t219 - 0x94);
                                						}
                                					}
                                				}
                                				return L013696ED(0, _t202, _t208);
                                			}















                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0128E4BA
                                • GetWindowRect.USER32 ref: 0128E509
                                • OffsetRect.USER32 ref: 0128E51F
                                  • Part of subcall function 0128E025: _free.LIBCMT ref: 0128E04E
                                  • Part of subcall function 0128E025: _memset.LIBCMT ref: 0128E067
                                  • Part of subcall function 0128E025: _memset.LIBCMT ref: 0128E0A1
                                  • Part of subcall function 0128E025: _memcpy_s.LIBCMT ref: 0128E0BB
                                  • Part of subcall function 0128E025: CreateDIBSection.GDI32(00000000,00000000,00000000,?,00000000,00000000), ref: 0128E0D4
                                  • Part of subcall function 0128E025: _free.LIBCMT ref: 0128E0E6
                                  • Part of subcall function 0128E025: _free.LIBCMT ref: 0128E119
                                  • Part of subcall function 01279E5D: __EH_prolog3.LIBCMT ref: 01279E64
                                  • Part of subcall function 01279E5D: GetDC.USER32(00000000), ref: 01279E90
                                • CreateCompatibleDC.GDI32(?), ref: 0128E590
                                • SelectObject.GDI32(?,?), ref: 0128E5B0
                                • SelectObject.GDI32(?,?), ref: 0128E5F2
                                • CreateCompatibleDC.GDI32(?), ref: 0128E70B
                                • SelectObject.GDI32(?,?), ref: 0128E72B
                                • SelectObject.GDI32(?,00000000), ref: 0128E75B
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                  • Part of subcall function 0128E003: DeleteObject.GDI32(00000000), ref: 0128E015
                                  • Part of subcall function 01279EB1: __EH_prolog3.LIBCMT ref: 01279EB8
                                  • Part of subcall function 01279EB1: ReleaseDC.USER32(?,00000000), ref: 01279ED5
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Object$Select$Create_free$CompatibleDeleteH_prolog3Rect_memset$H_prolog3_OffsetReleaseSectionWindow_memcpy_s
                                • String ID:
                                • API String ID: 3768827496-0
                                • Opcode ID: acc50bb4b21b020ee20f625c4964fb4c9c1298f28b28d644ec74e5acb8bc72c2
                                • Instruction ID: 7543994d5e8f6ca36744e63b442fb30c202ba7b908973c1a14c7a0c82a518322
                                • Opcode Fuzzy Hash: acc50bb4b21b020ee20f625c4964fb4c9c1298f28b28d644ec74e5acb8bc72c2
                                • Instruction Fuzzy Hash: E3A11271D1122AEFCF25EFA4C984AEEBBB9BF18304F11415AE905B7291DB305A45CF60
                                Uniqueness

                                Uniqueness Score: 1.55%

                                C-Code - Quality: 91%
                                			E012781A5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t68;
                                				void* _t69;
                                				void* _t74;
                                				void* _t82;
                                				void* _t83;
                                				void* _t84;
                                				void* _t85;
                                				void* _t87;
                                				void* _t89;
                                				void* _t90;
                                				void* _t91;
                                				void* _t95;
                                				void* _t100;
                                				void* _t103;
                                				void* _t104;
                                				WCHAR* _t105;
                                				void* _t108;
                                				void* _t111;
                                				void* _t114;
                                				void* _t117;
                                				void* _t118;
                                				void* _t119;
                                				struct HMETAFILE__* _t121;
                                				void _t128;
                                				signed int _t147;
                                				void* _t153;
                                				void* _t161;
                                
                                				_push(0x5c);
                                				L0136966A(0x137ed67, __ebx, __edi, __esi);
                                				_t157 =  *(_t161 + 0xc);
                                				_t147 =  *(_t161 + 8) & 0x0000ffff;
                                				_t153 =  *(_t161 + 0x10);
                                				if( *_t157 != 0) {
                                					L10:
                                					_t68 =  *_t153 - 1;
                                					if(_t68 == 0) {
                                						_t69 = L01277DDF(_t128,  *(_t157 + 4),  *(_t153 + 4));
                                						__eflags = _t69;
                                						if(_t69 == 0) {
                                							goto L19;
                                						} else {
                                							 *(_t157 + 4) = _t69;
                                							goto L37;
                                						}
                                					} else {
                                						_t74 = _t68 - 1;
                                						if(_t74 == 0) {
                                							E01273740(0,  *(_t153 + 4));
                                							 *((intOrPtr*)(_t161 - 4)) = 0;
                                							E01273740(0,  *(_t157 + 4));
                                							asm("sbb esi, esi");
                                							asm("sbb edi, edi");
                                							_t157 = CopyFileW(_t153,  ~( *(_t157 + 4)) &  *(_t161 - 0x5c), 0);
                                							L01271470( *(_t161 - 0x5c) + 0xfffffff0, _t147);
                                							L01271470( *((intOrPtr*)(_t161 - 0x60)) + 0xfffffff0, _t147);
                                						} else {
                                							_t82 = _t74;
                                							if(_t82 == 0) {
                                								_t83 =  *(_t153 + 4);
                                								_t84 =  *((intOrPtr*)( *_t83 + 0x30))(_t83, _t161 - 0x58, 1);
                                								__eflags = _t84;
                                								if(_t84 != 0) {
                                									goto L19;
                                								} else {
                                									_t85 =  *(_t157 + 4);
                                									 *((intOrPtr*)(_t161 - 0x64)) = 0;
                                									 *((intOrPtr*)( *_t85 + 0x14))(_t85, 0, 0, 0, 0);
                                									_t87 =  *(_t153 + 4);
                                									 *((intOrPtr*)( *_t87 + 0x14))(_t87, 0, 0, 0, 0);
                                									_t89 =  *(_t153 + 4);
                                									_t90 =  *((intOrPtr*)( *_t89 + 0x1c))(_t89,  *(_t157 + 4),  *((intOrPtr*)(_t161 - 0x50)),  *((intOrPtr*)(_t161 - 0x4c)), 0, 0);
                                									__eflags = _t90;
                                									if(_t90 != 0) {
                                										goto L19;
                                									} else {
                                										_t91 =  *(_t157 + 4);
                                										_t157 = 0;
                                										 *((intOrPtr*)( *_t91 + 0x14))(_t91, 0, 0, 0, 0);
                                										_t153 =  *(_t153 + 4);
                                										 *((intOrPtr*)( *_t153 + 0x14))(_t153, 0, 0, 0, 0);
                                										goto L37;
                                									}
                                								}
                                							} else {
                                								_t95 = _t82 - 4;
                                								if(_t95 == 0) {
                                									_t153 =  *(_t153 + 4);
                                									 *((intOrPtr*)( *_t153 + 0x1c))(_t153, 0, 0, 0,  *(_t157 + 4));
                                									asm("sbb eax, eax");
                                								} else {
                                									_t100 = _t95 - 8;
                                									if(_t100 == 0) {
                                										L16:
                                										if( *(_t157 + 4) != 0) {
                                											goto L19;
                                										} else {
                                											__imp__OleDuplicateData( *(_t153 + 4), _t147, 0);
                                											 *(_t157 + 4) = _t100;
                                										}
                                									} else {
                                										_t100 = _t100 - 0x30;
                                										if(_t100 != 0) {
                                											goto L19;
                                										} else {
                                											goto L16;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				} else {
                                					_t128 =  *_t153;
                                					_t103 = _t128 - 1;
                                					if(_t103 == 0) {
                                						L8:
                                						 *_t157 = _t128;
                                						goto L9;
                                					} else {
                                						_t104 = _t103 - 1;
                                						if(_t104 == 0) {
                                							 *_t157 = 2;
                                							_t105 =  *(_t153 + 4);
                                							__eflags = _t105;
                                							if(__eflags == 0) {
                                								_t105 = L01277AC9(_t128);
                                							}
                                							 *((intOrPtr*)(_t161 - 0x60)) = lstrlenW(_t105);
                                							_t108 = L01277CDE(_t128, __eflags, _t106 + 1, 2);
                                							 *(_t157 + 4) = _t108;
                                							__eflags = _t108;
                                							if(_t108 == 0) {
                                								goto L19;
                                							} else {
                                								L01277D0D(_t108,  *((intOrPtr*)(_t161 - 0x60)) +  *((intOrPtr*)(_t161 - 0x60)) + 2,  *(_t153 + 4),  *((intOrPtr*)(_t161 - 0x60)) +  *((intOrPtr*)(_t161 - 0x60)) + 2);
                                								goto L37;
                                							}
                                						} else {
                                							_t111 = _t104;
                                							if(_t111 == 0) {
                                								_t153 =  *(_t153 + 4);
                                								 *(_t157 + 4) = _t153;
                                								 *((intOrPtr*)( *_t153 + 4))(_t153);
                                								 *_t157 = 4;
                                								goto L37;
                                							} else {
                                								_t114 = _t111 - 4;
                                								if(_t114 == 0) {
                                									_t153 =  *(_t153 + 4);
                                									 *(_t157 + 4) = _t153;
                                									 *((intOrPtr*)( *_t153 + 4))(_t153);
                                									 *_t157 = 8;
                                									goto L37;
                                								} else {
                                									_t117 = _t114 - 8;
                                									if(_t117 == 0) {
                                										 *_t157 = 0x10;
                                										L9:
                                										 *(_t157 + 4) = 0;
                                										goto L10;
                                									} else {
                                										_t118 = _t117 - 0x10;
                                										if(_t118 == 0) {
                                											_t119 = L01277DDF(_t128, 0,  *(_t153 + 4));
                                											 *(_t161 - 0x5c) = _t119;
                                											__eflags = _t119;
                                											if(_t119 != 0) {
                                												_t153 = GlobalLock(_t119);
                                												_t121 = CopyMetaFileW( *(_t153 + 0xc), 0);
                                												 *(_t153 + 0xc) = _t121;
                                												__eflags = _t121;
                                												if(_t121 != 0) {
                                													_t153 =  *(_t161 - 0x5c);
                                													GlobalUnlock(_t153);
                                													 *(_t157 + 4) = _t153;
                                													 *_t157 = 0x20;
                                													L37:
                                													__eflags = 1;
                                												} else {
                                													GlobalUnlock( *(_t161 - 0x5c));
                                													GlobalFree( *(_t161 - 0x5c));
                                													goto L19;
                                												}
                                											} else {
                                												goto L19;
                                											}
                                										} else {
                                											if(_t118 == 0x20) {
                                												goto L8;
                                											}
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return L013696ED(0, _t153, _t157);
                                 			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012781AC
                                • OleDuplicateData.OLE32(?,?,00000000), ref: 0127822D
                                • GlobalLock.KERNEL32 ref: 0127825C
                                • CopyMetaFileW.GDI32(?,00000000), ref: 01278268
                                • GlobalUnlock.KERNEL32(?), ref: 01278278
                                • GlobalFree.KERNEL32(?), ref: 01278281
                                • GlobalUnlock.KERNEL32(?), ref: 0127828D
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 01277D0D: _memcpy_s.LIBCMT ref: 01277D1E
                                • lstrlenW.KERNEL32(?,0000005C), ref: 012782ED
                                  • Part of subcall function 01277CDE: CoTaskMemAlloc.OLE32(00000000), ref: 01277D05
                                • CopyFileW.KERNEL32 ref: 012783E5
                                  • Part of subcall function 01277DDF: GlobalSize.KERNEL32(?), ref: 01277DF0
                                  • Part of subcall function 01277DDF: GlobalAlloc.KERNEL32(00002002,00000000), ref: 01277E02
                                  • Part of subcall function 01277DDF: GlobalSize.KERNEL32(?), ref: 01277E13
                                  • Part of subcall function 01277DDF: GlobalLock.KERNEL32 ref: 01277E24
                                  • Part of subcall function 01277DDF: GlobalLock.KERNEL32 ref: 01277E2A
                                  • Part of subcall function 01277DDF: GlobalSize.KERNEL32(?), ref: 01277E35
                                  • Part of subcall function 01277DDF: GlobalUnlock.KERNEL32(?), ref: 01277E48
                                  • Part of subcall function 01277DDF: GlobalUnlock.KERNEL32(?), ref: 01277E4D
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Global$Unlock$LockSize$AllocCopyFile$DataDuplicateException@8FreeH_prolog3_MetaTaskThrow_memcpy_slstrlen
                                • String ID:
                                • API String ID: 4124501163-0
                                • Opcode ID: 1f298d09cbaaee1ad756de6f6983cb1e20e62fcc034c37c8237dffb237aa216f
                                • Instruction ID: d76763e6ebd976cab85a213b22823e22e8bbd53ec1af85bae31de847812ef935
                                • Opcode Fuzzy Hash: 1f298d09cbaaee1ad756de6f6983cb1e20e62fcc034c37c8237dffb237aa216f
                                • Instruction Fuzzy Hash: 238168B1920606AFEB249FA8CD8C93BFBA9FF48305710852DE56697650D770EC11CB60
                                Uniqueness

                                Uniqueness Score: 2.84%

                                C-Code - Quality: 94%
                                			E012F43E4(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int _a4, struct tagPOINT _a8, struct HRGN__* _a12) {
                                				signed int _v8;
                                				struct tagPOINT _v16;
                                				struct HRGN__* _v20;
                                				struct HRGN__* _v24;
                                				struct tagPOINT _v32;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t83;
                                				int _t87;
                                				int _t89;
                                				int _t92;
                                				void* _t121;
                                				void* _t127;
                                				RECT* _t128;
                                				intOrPtr* _t132;
                                				void* _t151;
                                				struct HRGN__* _t153;
                                				intOrPtr* _t154;
                                				signed int _t155;
                                
                                				_t150 = __edx;
                                				_t129 = __ecx;
                                				_t83 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t83 ^ _t155;
                                				_t154 = __ecx;
                                				E01282C5F(_t127, __ecx, _t151, __eflags);
                                				_push(_a12);
                                				_t128 = _t154 + 0x1f0;
                                				_v32.y =  *(_t154 + 0xf4);
                                				_t87 = PtInRect(_t128, _a8.x);
                                				 *(_t154 + 0x1e8) = _t87;
                                				if( *(_t154 + 0x1e8) == _t87) {
                                					_t153 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t153 = 0;
                                					if(_t87 != 0) {
                                						 *(_t154 + 0x1ec) = _a4 & 0x00000001;
                                					}
                                					RedrawWindow( *(_t154 + 0x20), _t128, _t153, 0x105);
                                				}
                                				if( *(_t154 + 0xf4) < _t153 ||  *((intOrPtr*)(_t154 + 0xf8)) >= _t153 ||  *(_t154 + 0x148) != _t153) {
                                					L11:
                                					_t89 =  *((intOrPtr*)( *_t154 + 0x214))( &_a8);
                                					_t132 =  *((intOrPtr*)(_t154 + 0xf8));
                                					 *(_t154 + 0xf4) = _t89;
                                					__eflags = _t132 - _t153;
                                					if(_t132 >= _t153) {
                                						__eflags = _t89 - _t132;
                                						if(_t89 != _t132) {
                                							_t32 = _t154 + 0xf4;
                                							 *_t32 =  *(_t154 + 0xf4) | 0xffffffff;
                                							__eflags =  *_t32;
                                						}
                                					}
                                					_t128 = _v32.y;
                                					__eflags =  *(_t154 + 0xf4) - _t128;
                                					if( *(_t154 + 0xf4) == _t128) {
                                						L25:
                                						__eflags =  *(_t154 + 0x148) - _t153;
                                						if( *(_t154 + 0x148) == _t153) {
                                							goto L37;
                                						}
                                						_t128 =  *(_t154 + 0x9c);
                                						_t92 =  *((intOrPtr*)( *_t154 + 0x160))(_a8.x, _a12);
                                						__eflags = _t92;
                                						if(_t92 == 0) {
                                							L33:
                                							_t89 =  *((intOrPtr*)( *_t154 + 0x160))(_a8.x, _a12);
                                							__eflags = _t89;
                                							if(_t89 == 0) {
                                								_t89 =  *((intOrPtr*)( *_t154 + 0x19c))(1, 0xffffffff, _t153);
                                								__eflags = _t89 - _t153;
                                								if(_t89 != _t153) {
                                									__eflags = _t128 - 2;
                                									if(_t128 > 2) {
                                										 *(_t154 + 0x148) = _t153;
                                									}
                                								}
                                							}
                                							goto L37;
                                						}
                                						__eflags = _t128 - 1;
                                						if(_t128 <= 1) {
                                							goto L33;
                                						}
                                						__eflags =  *((intOrPtr*)(_t154 + 0x108)) - _t153;
                                						if( *((intOrPtr*)(_t154 + 0x108)) == _t153) {
                                							goto L33;
                                						}
                                						_v24 = _t153;
                                						_v20 = _t153;
                                						_v16.x = _t153;
                                						_v16.y = _t153;
                                						_t153 =  *((intOrPtr*)( *_t154 + 0x214))( &_a8);
                                						_t89 =  *(_t154 + 0xa0);
                                						__eflags = _t153 - _t89;
                                						if(_t153 != _t89) {
                                							__eflags = _t153 - 0xffffffff;
                                							if(_t153 != 0xffffffff) {
                                								_t150 =  *_t154;
                                								 *((intOrPtr*)( *_t154 + 0x25c))(_t153, _t89);
                                								 *((intOrPtr*)( *_t154 + 0x180))();
                                								 *((intOrPtr*)( *_t154 + 0x210))(_t153);
                                								_t89 =  *((intOrPtr*)( *_t154 + 0x214))( &_a8);
                                								__eflags = _t89 - _t153;
                                								if(_t89 != _t153) {
                                									 *((intOrPtr*)( *_t154 + 0x1b4))(_t153,  &_v24);
                                									_v32.x = _a8.x;
                                									_v32.y = _a12;
                                									_v32.x =  *((intOrPtr*)(_t154 + 0x154)) + _v24;
                                									ClientToScreen( *(_t154 + 0x20),  &_v32);
                                									_t89 = SetCursorPos(_v32, _v32.y);
                                								}
                                							}
                                						}
                                						goto L37;
                                					}
                                					__eflags =  *((intOrPtr*)(_t154 + 0x7c)) - _t153;
                                					if( *((intOrPtr*)(_t154 + 0x7c)) != _t153) {
                                						L17:
                                						__eflags = _t128 - _t153;
                                						if(_t128 >= _t153) {
                                							__eflags =  *(_t154 + 0xf4) - _t153;
                                							if( *(_t154 + 0xf4) < _t153) {
                                								__eflags =  *((intOrPtr*)(_t154 + 0xf8)) - _t153;
                                								if( *((intOrPtr*)(_t154 + 0xf8)) < _t153) {
                                									 *(_t154 + 0x1e8) = _t153;
                                									 *(_t154 + 0x1ec) = _t153;
                                									__eflags =  *(_t154 + 0x148) - _t153;
                                									if( *(_t154 + 0x148) == _t153) {
                                										ReleaseCapture();
                                									}
                                								}
                                							}
                                						} else {
                                							__eflags =  *(_t154 + 0xf4) - _t153;
                                							if( *(_t154 + 0xf4) >= _t153) {
                                								E01282D05(_t128, _t132, _t150, SetCapture( *(_t154 + 0x20)));
                                							}
                                						}
                                						L012F3749(_t154,  *(_t154 + 0xf4));
                                						_t89 = L012F3749(_t154, _t128);
                                						goto L25;
                                					}
                                					_t132 = _t154;
                                					_t89 =  *((intOrPtr*)( *_t154 + 0x280))();
                                					__eflags = _t89;
                                					if(_t89 == 0) {
                                						goto L25;
                                					}
                                					goto L17;
                                				} else {
                                					_v16.x = _a8;
                                					_v16.y = _a12;
                                					ClientToScreen( *(_t154 + 0x20),  &_v16);
                                					_push(_v16.y);
                                					_t121 = E01282D05(_t128, _t129, _t150, WindowFromPoint(_v16));
                                					if(_t121 == _t153 ||  *((intOrPtr*)(_t121 + 0x20)) ==  *(_t154 + 0x20)) {
                                						goto L11;
                                					} else {
                                						ReleaseCapture();
                                						 *(_t154 + 0xf4) =  *(_t154 + 0xf4) | 0xffffffff;
                                						_t89 = L012F3749(_t154, _v32.y);
                                						L37:
                                						return L01367D3E(_t89, _t128, _v8 ^ _t155, _t150, _t153, _t154);
                                					}
                                				}
                                 			}

                                APIs
                                • PtInRect.USER32(?,?,00000000), ref: 012F441C
                                • RedrawWindow.USER32(?,?,00000000,00000105), ref: 012F4448
                                • ClientToScreen.USER32(?,?), ref: 012F447D
                                • WindowFromPoint.USER32(?,?), ref: 012F4489
                                • ReleaseCapture.USER32 ref: 012F44A1
                                • SetCapture.USER32(?), ref: 012F4513
                                • ReleaseCapture.USER32 ref: 012F4545
                                  • Part of subcall function 012F3749: InvalidateRect.USER32(?,?,00000001), ref: 012F378F
                                  • Part of subcall function 012F3749: UpdateWindow.USER32 ref: 012F3798
                                • ClientToScreen.USER32(?,?), ref: 012F4633
                                • SetCursorPos.USER32 ref: 012F463F
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CaptureWindow$ClientExceptionFilterProcessRectReleaseScreenUnhandled$CurrentCursorDebuggerFromInvalidatePointPresentRedrawTerminateUpdate
                                • String ID:
                                • API String ID: 723688054-0
                                • Opcode ID: 5f56a489645b1997ec25c0ba015e29edbec5ee550d18db4f0cdae868b28f03fc
                                • Instruction ID: f6fb52a33fc3bd1a18c95266364bfffb2d11cd3c7207f071e4cf64ed0da7a96c
                                • Opcode Fuzzy Hash: 5f56a489645b1997ec25c0ba015e29edbec5ee550d18db4f0cdae868b28f03fc
                                • Instruction Fuzzy Hash: 7B812A74610646DFCB25EF68D8889AFFBF5FF48310F10492EEA6A97250DB70A940CB50
                                Uniqueness

                                Uniqueness Score: 4.31%

                                C-Code - Quality: 98%
                                			E01296777(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t73;
                                				struct HMENU__* _t83;
                                				signed int _t84;
                                				intOrPtr* _t86;
                                				signed int _t87;
                                				signed int _t89;
                                				intOrPtr _t95;
                                				signed int _t98;
                                				signed int _t103;
                                				struct tagRECT _t111;
                                				int _t121;
                                				intOrPtr* _t124;
                                				signed int _t126;
                                				intOrPtr _t127;
                                				signed int _t138;
                                				void* _t142;
                                				intOrPtr _t146;
                                				intOrPtr* _t148;
                                				void* _t149;
                                				void* _t152;
                                
                                				_t142 = __edx;
                                				_push(0x28);
                                				L0136966A(0x1380687, __ebx, __edi, __esi);
                                				_t146 =  *((intOrPtr*)(_t149 + 8));
                                				_t148 = __ecx;
                                				_t121 = 0;
                                				if( *((intOrPtr*)(__ecx + 0xb04)) == 0) {
                                					L3:
                                					_t73 =  *((intOrPtr*)( *_t148 + 0x268))();
                                					__eflags = _t73;
                                					if(_t73 != 0) {
                                						L33:
                                						return L013696ED(_t121, _t146, _t148);
                                					}
                                					__eflags =  *((intOrPtr*)(_t148 + 0xb30)) - _t121;
                                					if( *((intOrPtr*)(_t148 + 0xb30)) != _t121) {
                                						goto L33;
                                					}
                                					 *((intOrPtr*)( *_t148 + 0x3b0))(0xffffffff);
                                					_t124 = _t148;
                                					__eflags =  *0x13d83d4 - _t121; // 0x0
                                					if(__eflags != 0) {
                                						E01286A6F(_t121, _t124, _t142);
                                						 *(_t149 - 0x34) =  *(_t149 + 0xc);
                                						 *(_t149 - 0x30) =  *(_t149 + 0x10);
                                						ScreenToClient( *(_t148 + 0x20), _t149 - 0x34);
                                						_t83 =  *((intOrPtr*)( *_t148 + 0x390))( *(_t149 - 0x34),  *(_t149 - 0x30));
                                						_t126 =  *(_t148 + 0xb80);
                                						 *(_t149 - 0x24) = _t83;
                                						 *(_t148 + 0xb80) = _t83;
                                						__eflags = _t126 - 0xffffffff;
                                						if(_t126 != 0xffffffff) {
                                							L01295B3C(_t148, _t142, _t126);
                                						}
                                						_t84 =  *(_t148 + 0xb80);
                                						__eflags = _t84 - 0xffffffff;
                                						if(_t84 != 0xffffffff) {
                                							L01295B3C(_t148, _t142, _t84);
                                						}
                                						_t127 =  *0x13d8404; // 0x0
                                						__eflags = _t127 - _t148;
                                						if(_t127 != _t148) {
                                							 *0x13d8404 = _t148;
                                							__eflags = _t127 - _t121;
                                							if(_t127 != _t121) {
                                								_t22 = _t127 + 0xb80;
                                								 *_t22 =  *(_t127 + 0xb80) | 0xffffffff;
                                								__eflags =  *_t22;
                                								L01295B3C(_t127,  *(_t127 + 0xb80),  *(_t127 + 0xb80));
                                							}
                                						}
                                						_t146 = UpdateWindow;
                                						UpdateWindow( *(_t148 + 0x20));
                                						__eflags =  *(_t149 - 0x24) - _t121;
                                						if(__eflags >= 0) {
                                							_t86 = L01293D66(_t148, __eflags,  *(_t148 + 0xb80));
                                							 *((intOrPtr*)(_t149 - 0x2c)) = _t86;
                                							__eflags = _t86 - _t121;
                                							if(_t86 != _t121) {
                                								_t143 =  *_t86;
                                								_t87 =  *((intOrPtr*)( *_t86 + 0x60))();
                                								__eflags = _t87;
                                								if(_t87 != 0) {
                                									_t89 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t149 - 0x2c)))) + 0x50))();
                                									__eflags = _t89;
                                									if(_t89 != 0) {
                                										__eflags =  *(_t149 + 0xc) - 0xffffffff;
                                										if(__eflags == 0) {
                                											__eflags =  *(_t149 + 0x10) - 0xffffffff;
                                											if(__eflags == 0) {
                                												 *(_t149 - 0x20) = _t121;
                                												 *(_t149 - 0x1c) = _t121;
                                												 *(_t149 - 0x18) = _t121;
                                												 *(_t149 - 0x14) = _t121;
                                												GetClientRect( *(_t148 + 0x20), _t149 - 0x20);
                                												L01279C17(_t148, _t149 - 0x20);
                                												_t111 =  *(_t149 - 0x20);
                                												 *(_t149 + 0xc) = _t111;
                                												_t138 =  *(_t149 - 0x1c) + 5;
                                												__eflags = _t138;
                                												 *(_t149 + 0xc) = _t111 + 5;
                                												 *(_t149 + 0x10) = _t138;
                                											}
                                										}
                                										_t146 = 0x1390764;
                                										 *((intOrPtr*)(_t149 - 0x28)) = 0x1390764;
                                										 *(_t149 - 0x24) = _t121;
                                										_t131 = _t149 - 0x28;
                                										 *(_t149 - 4) = _t121;
                                										L0129521C(_t149 - 0x28, _t143, 0x3ee6);
                                										_t121 = L01289341(_t121, _t149 - 0x28, _t143, 0x1390764, _t148, __eflags, GetSubMenu( *(_t149 - 0x24), _t121));
                                										_t121 = _t121 == 0;
                                										if(_t121 == 0) {
                                											L01277AC9(_t131);
                                										}
                                										_t95 =  *((intOrPtr*)(_t149 - 0x2c));
                                										__eflags =  *(_t95 + 0x3c);
                                										if( *(_t95 + 0x3c) != 0) {
                                											EnableMenuItem( *(_t121 + 4), 0x420e, 1);
                                										}
                                										_t98 =  *((intOrPtr*)( *_t148 + 0x404))( *((intOrPtr*)(_t149 - 0x2c)), _t121);
                                										__eflags = _t98;
                                										if(_t98 != 0) {
                                											_t101 =  *(_t148 + 0xb80) - 1;
                                											__eflags =  *(_t148 + 0xb80) - 1;
                                											if(__eflags >= 0) {
                                												_t103 = L01293D66(_t148, __eflags, _t101);
                                												__eflags = _t103;
                                												if(__eflags != 0) {
                                													__eflags =  *(_t103 + 0x50);
                                													if(__eflags == 0) {
                                														EnableMenuItem( *(_t121 + 4), 0x4215, 1);
                                													}
                                												}
                                											}
                                											L01281FE9(_t121, __eflags, 2,  *(_t149 + 0xc),  *(_t149 + 0x10), _t148, 0);
                                										}
                                										_t66 = _t149 - 4;
                                										 *_t66 =  *(_t149 - 4) | 0xffffffff;
                                										__eflags =  *_t66;
                                										 *((intOrPtr*)(_t149 - 0x28)) = _t146;
                                										L012893D0(_t149 - 0x28);
                                									}
                                								} else {
                                									 *(_t148 + 0xb80) =  *(_t148 + 0xb80) | 0xffffffff;
                                									L01295B3C(_t148, _t143,  *(_t149 - 0x24));
                                									UpdateWindow( *(_t148 + 0x20));
                                								}
                                							}
                                						}
                                					} else {
                                						L012E7F1C(_t124, _t146,  *(_t149 + 0xc),  *(_t149 + 0x10));
                                					}
                                					goto L33;
                                				}
                                				_t152 =  *0x13d83d4 - _t121; // 0x0
                                				if(_t152 == 0) {
                                					goto L3;
                                				} else {
                                					MessageBeep(0xffffffff);
                                					goto L33;
                                				}
                                			}
























                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0129677E
                                • MessageBeep.USER32 ref: 0129679C
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A84
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A93
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286AA9
                                  • Part of subcall function 01286A6F: SetFocus.USER32 ref: 01286ABF
                                • ScreenToClient.USER32(?,?), ref: 01296802
                                • UpdateWindow.USER32 ref: 01296877
                                  • Part of subcall function 01293D66: PtInRect.USER32(?,?,?), ref: 01293DB9
                                • UpdateWindow.USER32 ref: 012968B9
                                • GetClientRect.USER32 ref: 012968EF
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                  • Part of subcall function 0129521C: LoadMenuW.USER32(?,?), ref: 01295232
                                • GetSubMenu.USER32 ref: 01296934
                                • EnableMenuItem.USER32 ref: 01296966
                                • EnableMenuItem.USER32 ref: 012969A3
                                  • Part of subcall function 01281FE9: TrackPopupMenu.USER32(?,?,?,?,00000000,?,?), ref: 01282029
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 01295B3C: InvalidateRect.USER32(?,?,00000001), ref: 01295BB1
                                  • Part of subcall function 01295B3C: InflateRect.USER32(?,?,?), ref: 01295BF7
                                  • Part of subcall function 01295B3C: RedrawWindow.USER32(?,?,00000000,00000401), ref: 01295C0A
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Menu$ClientRect$ParentScreenWindow$EnableItemUpdate$BeepException@8FocusH_prolog3_InflateInvalidateLoadMessagePopupRedrawThrowTrack
                                • String ID:
                                • API String ID: 2683253794-0
                                • Opcode ID: 9b38be6b5fec90f7e5b18bebed7eab44d99f3cdbb63bf09349c1dac549c258a3
                                • Instruction ID: c6418b00822617c493704fbc91ddb2eca8ff2840356165a06d0591e701bc2b82
                                • Opcode Fuzzy Hash: 9b38be6b5fec90f7e5b18bebed7eab44d99f3cdbb63bf09349c1dac549c258a3
                                • Instruction Fuzzy Hash: 92715074A20706DFDF25AFA8C894AED7BF5FF08324F10422DE656A6291DB319905CF10
                                Uniqueness

                                Uniqueness Score: 4.31%

                                C-Code - Quality: 90%
                                			E0128C9D9(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				intOrPtr _v60;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t74;
                                				void* _t81;
                                				long _t94;
                                				intOrPtr _t96;
                                				intOrPtr* _t115;
                                				int _t139;
                                				intOrPtr _t141;
                                				long _t142;
                                				signed int _t146;
                                
                                				_t137 = __edx;
                                				_t74 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t74 ^ _t146;
                                				_t141 = _a4;
                                				_t115 = __ecx;
                                				_v60 = _t141;
                                				 *((intOrPtr*)(_t115 + 0x438)) = E012789CC(0x1391888, L012B90A4(__ecx));
                                				 *(_t115 + 0x164) =  *(_t141 + 0x20) >> 0x00000017 & 1;
                                				_t122 = _t115;
                                				 *(_t115 + 0x13c) = 1;
                                				if((E01286848(_t115) & 0x00080000) != 0) {
                                					_t139 = 0;
                                				} else {
                                					SendMessageW( *(E01282D05(_t115, _t122, _t137, GetParent( *(_t115 + 0x20))) + 0x20), 0xb, 0, 0);
                                					_t94 =  *(_t141 + 0x1c);
                                					_t129 =  *((intOrPtr*)(_t141 + 0x14));
                                					_t137 =  *((intOrPtr*)(_t141 + 0x10));
                                					_t142 =  *((intOrPtr*)(_t141 + 0x18));
                                					_v40.top = _t142;
                                					_v40.left = _t94;
                                					_v40.bottom = _t142 +  *((intOrPtr*)(_t141 + 0x10));
                                					_v40.right = _t94 +  *((intOrPtr*)(_t141 + 0x14));
                                					_t96 =  *((intOrPtr*)(_t115 + 0x438));
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					_t139 = 0;
                                					if(_t96 != 0 &&  *((intOrPtr*)(_t96 + 0x2d48)) == 0) {
                                						_v24.left = 0;
                                						_v24.top = 0;
                                						_v24.right = 0;
                                						_v24.bottom = 0;
                                						GetClientRect( *(_t96 + 0x460),  &_v24);
                                						_v56.left = 0;
                                						_v56.top = 0;
                                						_v56.right = 0;
                                						_v56.bottom = 0;
                                						GetClientRect( *(_t115 + 0x20),  &_v56);
                                						L01279C17(_t115,  &_v56);
                                						_v40.left = 0;
                                						_v40.top = 0;
                                						_v40.right = 0;
                                						_v40.bottom = 0;
                                						GetWindowRect( *(_t115 + 0x20),  &_v40);
                                						_v24.left = _v24.left + _v40.left - _v56.left;
                                						_v24.top = _v24.top + _v40.top - _v56.top;
                                						_t137 = _v40.bottom - _v56.bottom;
                                						_v24.bottom = _v24.bottom + _v40.bottom - _v56.bottom;
                                						_v24.right = _v24.right + _v40.right - _v56.right;
                                						_t129 = _t115;
                                						E01286A31(_t115, 0, _v24.left, _v24.top, _v24.right + _v40.right - _v56.right - _v24.left, _v24.bottom + _v40.bottom - _v56.bottom - _v24.top, 0x14);
                                					}
                                					SendMessageW( *(E01282D05(_t115, _t129, _t137, GetParent( *(_t115 + 0x20))) + 0x20), 0xb, 1, _t139);
                                					_t141 = _v60;
                                				}
                                				_t81 = L012B9157(_t141);
                                				if(_t81 != 0xffffffff) {
                                					if(E012C00E2( *((intOrPtr*)(_t115 + 0x438)) + 0x33c) != 0) {
                                						SendMessageW( *( *((intOrPtr*)(_t115 + 0x438)) + 0x20), 0x10, _t139, _t139);
                                					}
                                					L012C1E06(_t115);
                                					 *((intOrPtr*)( *_t115 + 0x1cc))(_t139);
                                					PostMessageW( *(_t115 + 0x20),  *0x13d8dd4, _t139, _t139);
                                					_t87 = 0;
                                					goto L8;
                                				} else {
                                					_t87 = _t81;
                                					L8:
                                					 *(_t115 + 0x13c) = _t139;
                                					return L01367D3E(_t87, _t115, _v8 ^ _t146, _t137, _t139, _t141);
                                				}
                                			}





















                                APIs
                                  • Part of subcall function 012B90A4: GetParent.USER32(?), ref: 012B90B0
                                  • Part of subcall function 012B90A4: GetParent.USER32(00000000), ref: 012B90B3
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                • GetParent.USER32(?), ref: 0128CA3A
                                • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0128CA4F
                                • GetClientRect.USER32 ref: 0128CAB6
                                • GetClientRect.USER32 ref: 0128CACB
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                • GetWindowRect.USER32 ref: 0128CAEB
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                • GetParent.USER32(?), ref: 0128CB3A
                                • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 0128CB4E
                                • PostMessageW.USER32 ref: 0128CBC5
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0128CBA3
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ClientMessageParent$RectSendWindow$ExceptionFilterProcessScreenUnhandled$CurrentDebuggerLongPostPresentTerminate
                                • String ID:
                                • API String ID: 1412433428-0
                                • Opcode ID: 9a0ef699211d84318b2aa895fa7704d184b3e54a3890ad5eb5517d5c875adc9e
                                • Instruction ID: 61e363e8c0fae0ed0ec2bf38f30fd98f5e9eaceff2ac492690d6953c33e45e35
                                • Opcode Fuzzy Hash: 9a0ef699211d84318b2aa895fa7704d184b3e54a3890ad5eb5517d5c875adc9e
                                • Instruction Fuzzy Hash: FF6119B1911209AFCF10EFA9D984AEEBBF9FF88314F14416AE905AB255D7719900CF60
                                Uniqueness

                                Uniqueness Score: 4.31%

                                C-Code - Quality: 97%
                                			E012CEE4A(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, int __edi, void* __esi, void* __eflags) {
                                				intOrPtr* _t55;
                                				void* _t59;
                                				void* _t61;
                                				struct HWND__* _t62;
                                				void* _t76;
                                				void* _t79;
                                				signed int _t110;
                                				intOrPtr* _t113;
                                				void* _t114;
                                
                                				_t107 = __edi;
                                				_t105 = __edx;
                                				_push(0x20c);
                                				L0136966A(0x1382928, __ebx, __edi, __esi);
                                				_t113 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0xcf8)) != 0) {
                                					L17:
                                					return L013696ED(0, _t107, _t113);
                                				}
                                				if( *((intOrPtr*)(__ecx + 0xcdc)) != 0) {
                                					_t59 = E012789CC(0x1395654,  *((intOrPtr*)(__ecx + 0xcd0)));
                                					_t109 = _t59;
                                					if(_t59 != 0 && L012B8EF9(0, _t109, __edx, 0) != 0) {
                                						_t61 = L012B8EF9(0, _t109, __edx, 0);
                                						if(_t61 != 0) {
                                							_t62 =  *(_t61 + 0x20);
                                						} else {
                                							_t62 = 0;
                                						}
                                						_t110 = GetWindowLongW(_t62, 0xfffffff0);
                                						L012F1B90(_t114 - 0x1e8,  *(_t113 + 0xcdc),  *((intOrPtr*)(_t113 + 0xce0)));
                                						 *(_t114 - 4) = 0;
                                						 *((intOrPtr*)( *_t113 + 0x344))(_t114 - 0x1e8, 0);
                                						if((_t110 & 0x00020000) != 0) {
                                							_t79 = E012F8766(_t114 - 0xf8, 0xf020);
                                							_t105 =  *_t113;
                                							 *(_t114 - 4) = 1;
                                							 *((intOrPtr*)( *_t113 + 0x344))(_t79, 0xffffffff);
                                							 *(_t114 - 4) = 0;
                                							E012F8786(_t114 - 0xf8,  *_t113);
                                						}
                                						if((_t110 & 0x00010000) != 0) {
                                							_t76 = E012F8766(_t114 - 0xf8, 0xf120);
                                							_t105 =  *_t113;
                                							 *(_t114 - 4) = 2;
                                							 *((intOrPtr*)( *_t113 + 0x344))(_t76, 0xffffffff);
                                							 *(_t114 - 4) = 0;
                                							E012F8786(_t114 - 0xf8,  *_t113);
                                						}
                                						E012F8766(_t114 - 0x84, 0xf060);
                                						 *(_t114 - 4) = 3;
                                						L01367D50(_t114 - 0x218, 0, 0x30);
                                						 *(_t114 - 0x218) = 0x30;
                                						 *((intOrPtr*)(_t114 - 0x214)) = 1;
                                						if(GetMenuItemInfoW( *(_t113 + 0xcdc), 0xf060, 0, _t114 - 0x218) == 0 || ( *(_t114 - 0x20c) & 0x00000003) != 0) {
                                							 *(_t114 - 0x60) =  *(_t114 - 0x60) | 0x00040000;
                                						}
                                						 *((intOrPtr*)( *_t113 + 0x344))(_t114 - 0x84, 0xffffffff);
                                						 *(_t114 - 4) = 0;
                                						E012F8786(_t114 - 0x84, _t105);
                                						 *(_t114 - 4) =  *(_t114 - 4) | 0xffffffff;
                                						L012F1BC6(0, _t114 - 0x1e8, _t105, 0xf060, _t113,  *(_t114 - 4));
                                					}
                                				}
                                				_t107 = 1;
                                				 *((intOrPtr*)(_t113 + 0xcf8)) = 1;
                                				 *((intOrPtr*)(_t113 + 0xcec)) =  *((intOrPtr*)(_t113 + 0xcf0));
                                				if( *((intOrPtr*)(_t114 + 8)) != 0) {
                                					_t55 = L01283CA8(_t113);
                                					 *((intOrPtr*)( *_t55 + 0x174))(1);
                                					InvalidateRect( *(_t113 + 0x20), 0, 1);
                                					UpdateWindow( *(_t113 + 0x20));
                                				}
                                				goto L17;
                                			}













                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012CEE54
                                • GetWindowLongW.USER32(?,000000F0), ref: 012CEEB7
                                • _memset.LIBCMT ref: 012CEF78
                                • GetMenuItemInfoW.USER32 ref: 012CEFA3
                                  • Part of subcall function 01283CA8: GetParent.USER32(?), ref: 01283CD2
                                • InvalidateRect.USER32(?,00000000,00000001), ref: 012CF01E
                                • UpdateWindow.USER32 ref: 012CF027
                                  • Part of subcall function 012B8EF9: SendMessageW.USER32(?,00000229,00000000,?), ref: 012B8F24
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$H_prolog3_InfoInvalidateItemLongMenuMessageParentRectSendUpdate_memset
                                • String ID: 0
                                • API String ID: 2438093654-4108050209
                                • Opcode ID: d599e6af96e45388f7ba318fa56bfa4f01638b0ea1f98df90e692eb6adcf9f0a
                                • Instruction ID: c55ad12578090c8312f1f1693c4c3226df1f0f809219853514e4660f3c56c8ed
                                • Opcode Fuzzy Hash: d599e6af96e45388f7ba318fa56bfa4f01638b0ea1f98df90e692eb6adcf9f0a
                                • Instruction Fuzzy Hash: 8051C031510257AFDB25EB68C898FEEFBB9AF54710F1442ADA25A93190DF305A84CF60
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 89%
                                			E012CE08D(void* __ebx, signed int __ecx, intOrPtr __edx, signed int __edi, void* __esi, void* __eflags) {
                                				signed int _t127;
                                				struct HWND__* _t138;
                                				signed int _t140;
                                				signed int _t142;
                                				signed int _t147;
                                				intOrPtr _t148;
                                				signed int _t155;
                                				signed int _t156;
                                				signed int _t158;
                                				signed int _t160;
                                				void* _t166;
                                				signed int _t167;
                                				void* _t168;
                                				signed int _t177;
                                				signed int _t178;
                                				void* _t179;
                                				signed int _t181;
                                				void* _t182;
                                				signed int _t184;
                                				intOrPtr _t188;
                                				intOrPtr _t190;
                                				signed short* _t193;
                                				signed int _t199;
                                				signed int _t200;
                                				signed int _t201;
                                				signed int _t226;
                                				signed int _t228;
                                				void* _t230;
                                				signed int _t231;
                                				signed int _t232;
                                				intOrPtr _t233;
                                				void* _t235;
                                				intOrPtr _t236;
                                				void* _t238;
                                				void* _t240;
                                				signed int _t252;
                                
                                				_t225 = __edi;
                                				_t224 = __edx;
                                				_t201 = __ecx;
                                				_push(4);
                                				L01369601(0x137ee57, __ebx, __edi, __esi);
                                				_t228 = __ecx;
                                				_t199 = 0;
                                				if( *((intOrPtr*)(__ecx + 0x750)) <= 0) {
                                					L13:
                                					_t127 =  *(_t228 + 0x7a8);
                                					if(_t127 != 0 &&  *(_t127 + 0x20) != 0) {
                                						_t127 = IsWindowVisible( *(_t127 + 0x20));
                                						if(_t127 != 0) {
                                							_t127 = E01286A31( *(_t228 + 0x7a8), 0x13d7f18, _t127 | 0xffffffff, _t127 | 0xffffffff, _t127 | 0xffffffff, _t129, 0x13);
                                						}
                                					}
                                					return L013696D9(_t127);
                                				} else {
                                					while(_t199 >= 0 && _t199 <  *((intOrPtr*)(_t228 + 0x750))) {
                                						_t225 =  *( *((intOrPtr*)(_t228 + 0x74c)) + _t199 * 4);
                                						_t188 =  *((intOrPtr*)(_t225 + 0x74));
                                						if( *((intOrPtr*)(_t228 + 0x2c4)) == 0) {
                                							L11:
                                							_push( *(_t240 + 8));
                                							_t201 = _t225;
                                							L0134704B(_t199, _t201, _t224, _t225, _t228, _t252);
                                							goto L12;
                                						} else {
                                							if( *((intOrPtr*)(_t225 + 0x88)) == 0) {
                                								_t190 =  *((intOrPtr*)(_t188 + 8));
                                							} else {
                                								_t190 =  *((intOrPtr*)(_t188 + 0xc));
                                							}
                                							E01273740(_t199, _t190);
                                							 *(_t240 - 4) =  *(_t240 - 4) & 0x00000000;
                                							L0129D8C0(_t199, _t240 - 0x10);
                                							_t193 =  *(_t240 - 0x10);
                                							_t201 =  *(_t193 - 0xc);
                                							if(_t201 < 2) {
                                								L18:
                                								L01347017(_t199, _t225, _t224, _t225);
                                								 *(_t240 - 4) =  *(_t240 - 4) | 0xffffffff;
                                								_t201 =  &(( *(_t240 - 0x10))[0xfffffffffffffff8]);
                                								L01271470(_t201, _t224);
                                								goto L12;
                                							} else {
                                								if(_t201 < 0) {
                                									_push(0x80070057);
                                									L012713A0(_t199, _t201, _t225, _t228);
                                									break;
                                								} else {
                                									if(( *_t193 & 0x0000ffff) !=  *((intOrPtr*)(_t228 + 0x2c4))) {
                                										goto L18;
                                									} else {
                                										_t18 = _t240 - 4;
                                										 *_t18 =  *(_t240 - 4) | 0xffffffff;
                                										_t252 =  *_t18;
                                										L01271470(_t193 - 0x10, _t224);
                                										goto L11;
                                									}
                                									L12:
                                									_t199 = _t199 + 1;
                                									if(_t199 <  *((intOrPtr*)(_t228 + 0x750))) {
                                										continue;
                                									} else {
                                										goto L13;
                                									}
                                								}
                                							}
                                						}
                                						goto L77;
                                					}
                                					L01277AC9(_t201);
                                					asm("int3");
                                					_push(0x2c);
                                					L0136966A(0x1382858, _t199, _t225, _t228);
                                					_t226 =  *(_t240 + 8);
                                					_t200 = _t201;
                                					_t229 = 0;
                                					__eflags =  *(_t200 + 0x304);
                                					if( *(_t200 + 0x304) != 0) {
                                						__eflags =  *(_t200 + 0x31c) & 0x00000002;
                                						if(( *(_t200 + 0x31c) & 0x00000002) == 0) {
                                							__eflags =  *(_t240 + 0xc);
                                							if( *(_t240 + 0xc) != 0) {
                                								E01286A6F(_t200, _t201, _t224);
                                							}
                                							L012CD864(_t200, _t224);
                                							_t204 = _t200;
                                							 *(_t200 + 0x2c4) = _t229;
                                							 *(_t200 + 0x7ac) = _t229;
                                							 *(_t200 + 0x7b0) = _t226;
                                							 *(_t240 - 0x24) = L01283CA8(_t200);
                                							_t229 = E01282D05(_t200, _t200, _t224, GetFocus());
                                							__eflags = _t229;
                                							if(_t229 != 0) {
                                								_t138 =  *(_t229 + 0x20);
                                								__eflags = _t138;
                                								if(_t138 != 0) {
                                									_t140 = IsChild( *( *(_t240 - 0x24) + 0x20), _t138);
                                									__eflags = _t140;
                                									if(_t140 != 0) {
                                										L28:
                                										_t230 = 0;
                                										__eflags = _t226;
                                										if(_t226 != 0) {
                                											 *((intOrPtr*)(_t240 - 0x38)) = 0x13983e4;
                                											 *((intOrPtr*)(_t240 - 0x34)) = 0;
                                											 *((intOrPtr*)(_t240 - 0x28)) = 0;
                                											 *((intOrPtr*)(_t240 - 0x2c)) = 0;
                                											 *(_t240 - 0x30) = 0;
                                											 *(_t240 - 4) = 2;
                                											 *(_t240 - 0x24) = E012789CC(0x139ffb4, _t226);
                                											_t142 = E012789CC(0x13a1120, _t226);
                                											_t204 =  *(_t240 - 0x24);
                                											_t226 = 0;
                                											_t231 = _t142;
                                											__eflags = _t204;
                                											if(_t204 == 0) {
                                												__eflags = _t231;
                                												if(_t231 != 0) {
                                													L01313601(_t231, _t240 - 0x38);
                                													_t204 = _t231;
                                													_t155 =  *((intOrPtr*)( *_t231 + 0x10))();
                                													__eflags = _t155;
                                													if(_t155 == 0) {
                                														_t204 = _t231;
                                														 *(_t240 - 0x24) = 0;
                                														_t156 = E01312859(_t231);
                                														__eflags = _t156;
                                														if(_t156 == 0) {
                                															L59:
                                															 *(_t240 - 0x24) =  *(_t231 + 0xa8);
                                														} else {
                                															_t204 = _t231;
                                															_t168 = E01312859(_t231);
                                															__eflags =  *(_t168 + 0x68);
                                															if( *(_t168 + 0x68) == 0) {
                                																goto L59;
                                															}
                                														}
                                														_t233 =  *((intOrPtr*)(_t231 + 0xac));
                                														__eflags = _t233 - _t226;
                                														if(_t233 != _t226) {
                                															_t235 = E012789CC(0x13d0898, E01282D05(_t200, _t204, _t224, GetParent( *(_t233 + 0x20))));
                                															_t166 = E012789CC(0x139dee8, E012BA661(_t200, _t235, _t224));
                                															_pop(_t204);
                                															__eflags = _t166 - _t226;
                                															if(_t166 == _t226) {
                                																_t236 =  *((intOrPtr*)(_t235 + 0x10bc));
                                																__eflags = _t236 - _t226;
                                																if(_t236 != _t226) {
                                																	_t167 =  *(_t236 + 0x2c);
                                																	goto L66;
                                																}
                                															} else {
                                																_t204 =  *(_t166 + 0x1ee4);
                                																 *(_t200 + 0x7ac) = _t204;
                                																__eflags = _t204 - _t226;
                                																if(_t204 == _t226) {
                                																	_t167 =  *(_t166 + 0x1ef4);
                                																	L66:
                                																	 *(_t240 - 0x24) = _t167;
                                																}
                                															}
                                														}
                                														_t158 =  *(_t240 - 0x24);
                                														__eflags = _t158 - _t226;
                                														if(_t158 != _t226) {
                                															_t226 = _t240 - 0x20;
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															asm("movsd");
                                															_t160 = IsRectEmpty(_t240 - 0x20);
                                															__eflags = _t160;
                                															if(_t160 == 0) {
                                																 *(_t200 + 0x7ac) =  *(_t240 - 0x24);
                                															}
                                														}
                                													}
                                												}
                                											} else {
                                												__eflags =  *(_t200 + 0x31c);
                                												if(__eflags == 0) {
                                													L54:
                                													L0130B9CB(_t200, _t204, _t226, _t231, __eflags, _t240 - 0x38);
                                												} else {
                                													__eflags =  *(_t204 + 0x3c4);
                                													if(__eflags != 0) {
                                														goto L54;
                                													}
                                												}
                                											}
                                											_t232 = 0;
                                											__eflags =  *(_t240 - 0x30);
                                											if( *(_t240 - 0x30) <= 0) {
                                												L74:
                                												_t119 = _t240 - 4;
                                												 *_t119 =  *(_t240 - 4) | 0xffffffff;
                                												__eflags =  *_t119;
                                												 *(_t200 + 0x2c0) = 1;
                                												E012CC9D1(_t240 - 0x38);
                                											} else {
                                												while(1) {
                                													__eflags = _t232;
                                													if(_t232 < 0) {
                                														goto L48;
                                													}
                                													__eflags = _t232 -  *(_t240 - 0x30);
                                													if(_t232 >=  *(_t240 - 0x30)) {
                                														goto L48;
                                													} else {
                                														_t148 =  *((intOrPtr*)(_t240 - 0x34));
                                														_t204 =  *(_t148 + _t232 * 4);
                                														_t224 =  *( *(_t148 + _t232 * 4));
                                														 *((intOrPtr*)( *( *(_t148 + _t232 * 4)) + 0x140))(_t200 + 0x748);
                                														_t232 = _t232 + 1;
                                														__eflags = _t232 -  *(_t240 - 0x30);
                                														if(_t232 <  *(_t240 - 0x30)) {
                                															continue;
                                														} else {
                                															goto L74;
                                														}
                                													}
                                													goto L75;
                                												}
                                												goto L48;
                                											}
                                										} else {
                                											 *(_t200 + 0x2c0) = 0;
                                											__eflags =  *(_t200 + 0x320);
                                											if(__eflags != 0) {
                                												_t181 = E01274753(__eflags, 0x8c);
                                												 *(_t240 - 0x24) = _t181;
                                												 *(_t240 - 4) = 0;
                                												__eflags = _t181;
                                												if(__eflags == 0) {
                                													_t182 = 0;
                                													__eflags = 0;
                                												} else {
                                													_t182 = E01346E8A(_t181, __eflags,  *(_t200 + 0x320), 0);
                                												}
                                												_t51 = _t240 - 4;
                                												 *_t51 =  *(_t240 - 4) | 0xffffffff;
                                												__eflags =  *_t51;
                                												_t204 = _t200 + 0x748;
                                												_t224 =  *((intOrPtr*)(_t200 + 0x750));
                                												E012CCBFC(_t200 + 0x748,  *((intOrPtr*)(_t200 + 0x750)), _t182);
                                											}
                                											_t226 = 0;
                                											__eflags =  *((intOrPtr*)(_t200 + 0x73c)) - _t230;
                                											if( *((intOrPtr*)(_t200 + 0x73c)) > _t230) {
                                												while(1) {
                                													__eflags = _t226 - _t230;
                                													if(_t226 < _t230) {
                                														break;
                                													}
                                													__eflags = _t226 -  *((intOrPtr*)(_t200 + 0x73c));
                                													if(_t226 >=  *((intOrPtr*)(_t200 + 0x73c))) {
                                														break;
                                													} else {
                                														_t237 =  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x738)) + _t226 * 4));
                                														__eflags =  *( *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x738)) + _t226 * 4)) + 0xc);
                                														if(__eflags != 0) {
                                															_t178 = E01274753(__eflags, 0x8c);
                                															 *(_t240 - 0x24) = _t178;
                                															 *(_t240 - 4) = 1;
                                															__eflags = _t178;
                                															if(__eflags == 0) {
                                																_t179 = 0;
                                																__eflags = 0;
                                															} else {
                                																_t179 = E01346E8A(_t178, __eflags, _t237 + 0x34, 0);
                                															}
                                															_t73 = _t240 - 4;
                                															 *_t73 =  *(_t240 - 4) | 0xffffffff;
                                															__eflags =  *_t73;
                                															_t204 = _t200 + 0x748;
                                															E012CCBFC(_t200 + 0x748,  *((intOrPtr*)(_t200 + 0x750)), _t179);
                                														}
                                														_t226 = _t226 + 1;
                                														__eflags = _t226 -  *((intOrPtr*)(_t200 + 0x73c));
                                														if(_t226 <  *((intOrPtr*)(_t200 + 0x73c))) {
                                															_t230 = 0;
                                															__eflags = 0;
                                															continue;
                                														} else {
                                															goto L35;
                                														}
                                													}
                                													goto L75;
                                												}
                                												L48:
                                												L01277AC9(_t204);
                                												goto L49;
                                											} else {
                                												L35:
                                												_t238 = _t200 + 0x748;
                                												 *((intOrPtr*)( *((intOrPtr*)(_t200 + 0xbec)) + 0x140))(_t238);
                                												 *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x32c)) + 0x140))(_t238);
                                												_t177 =  *(_t200 + 0x710);
                                												__eflags = _t177;
                                												if(_t177 == 0) {
                                													L49:
                                													_t147 =  *(_t200 + 0x320);
                                													__eflags = _t147;
                                													if(_t147 != 0) {
                                														 *(_t147 + 0x70) = 1;
                                													}
                                												} else {
                                													__eflags =  *(_t200 + 0x31c) & 0x00000002;
                                													if(( *(_t200 + 0x31c) & 0x00000002) != 0) {
                                														goto L49;
                                													} else {
                                														 *(_t177 + 0xa4) = 1;
                                													}
                                												}
                                											}
                                										}
                                										L75:
                                										_t229 = 0;
                                										__eflags = 0;
                                										_push(0);
                                										E012CE08D(_t200, _t200, _t224, _t226, 0, 0);
                                										RedrawWindow( *(_t200 + 0x20), 0, 0, 0x105);
                                									} else {
                                										_t229 =  *(_t229 + 0x20);
                                										_t184 =  *(_t240 - 0x24);
                                										__eflags = _t229 -  *((intOrPtr*)(_t184 + 0x20));
                                										if(_t229 ==  *((intOrPtr*)(_t184 + 0x20))) {
                                											goto L28;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                					return L013696ED(_t200, _t226, _t229);
                                				}
                                				L77:
                                			}


                                APIs
                                • __EH_prolog3.LIBCMT ref: 012CE094
                                  • Part of subcall function 01347017: IsRectEmpty.USER32 ref: 01346FDB
                                  • Part of subcall function 01347017: IsWindowVisible.USER32(?), ref: 01347028
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • __EH_prolog3_GS.LIBCMT ref: 012CE1AA
                                  • Part of subcall function 012CD864: GetWindowRect.USER32 ref: 012CD938
                                  • Part of subcall function 012CD864: KillTimer.USER32 ref: 012CD967
                                  • Part of subcall function 012CD864: GetKeyState.USER32 ref: 012CD994
                                  • Part of subcall function 012CD864: GetKeyState.USER32 ref: 012CD9A1
                                  • Part of subcall function 012CD864: KillTimer.USER32 ref: 012CD9BB
                                  • Part of subcall function 012CD864: GetFocus.USER32 ref: 012CD9F8
                                  • Part of subcall function 012CD864: SetTimer.USER32 ref: 012CDA3E
                                  • Part of subcall function 01283CA8: GetParent.USER32(?), ref: 01283CD2
                                • GetFocus.USER32 ref: 012CE1FC
                                • IsChild.USER32 ref: 012CE224
                                  • Part of subcall function 012CE08D: IsWindowVisible.USER32(00000000), ref: 012CE150
                                  • Part of subcall function 012CE08D: GetParent.USER32(?), ref: 012CE422
                                  • Part of subcall function 012CE08D: IsRectEmpty.USER32 ref: 012CE492
                                  • Part of subcall function 012CE08D: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012CE504
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$RectTimer$EmptyFocusKillParentStateVisible$ChildException@8H_prolog3H_prolog3_RedrawThrow
                                • String ID:
                                • API String ID: 268758968-0
                                • Opcode ID: 894e0a0c916efa80fbf2ce40286784127bb3a771cc4f37da9eea7abe26f50c20
                                • Instruction ID: 8888fc6bd96f99753eb1c9ae3139b59b75cc90035cd602bbefc3ad072bea3e87
                                • Opcode Fuzzy Hash: 894e0a0c916efa80fbf2ce40286784127bb3a771cc4f37da9eea7abe26f50c20
                                • Instruction Fuzzy Hash: CBD1D430920216DFDB21EF68C484AEEBFF5FF44B14F15026DEA19AB291D730A940CB91
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 84%
                                			E012D889B(signed int __ecx) {
                                				signed int _v8;
                                				signed int _v12;
                                				struct tagRECT _v28;
                                				struct tagRECT _v44;
                                				struct tagRECT _v60;
                                				struct tagRECT _v76;
                                				signed int _v80;
                                				signed int _v84;
                                				signed int _v88;
                                				RECT* _v92;
                                				intOrPtr _v96;
                                				char _v100;
                                				RECT* _v108;
                                				signed int _v112;
                                				RECT* _v120;
                                				RECT* _v140;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t147;
                                				signed int _t156;
                                				signed int _t176;
                                				signed int _t179;
                                				long _t180;
                                				long _t181;
                                				signed int _t182;
                                				signed int _t185;
                                				intOrPtr* _t189;
                                				long _t193;
                                				signed int _t198;
                                				void* _t200;
                                				signed int _t206;
                                				signed int _t217;
                                				signed int _t221;
                                				intOrPtr _t224;
                                				RECT* _t241;
                                				void* _t243;
                                				signed int _t244;
                                				signed int _t245;
                                				signed int _t251;
                                				RECT* _t252;
                                				signed int _t255;
                                				signed int _t256;
                                				signed int _t257;
                                
                                				_t147 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t147 ^ _t255;
                                				_t251 = __ecx;
                                				_t149 =  *((intOrPtr*)(__ecx + 0x338));
                                				if(_t149 == 0 ||  *((intOrPtr*)(_t149 + 0x20)) == 0) {
                                					L8:
                                					return L01367D3E(_t149, 0, _v8 ^ _t255, _t241, _t243, _t251);
                                				} else {
                                					_push(_t243);
                                					_v28.top.left = 0;
                                					_v28.right = 0;
                                					_v28.bottom = 0;
                                					_v12 = 0;
                                					GetWindowRect( *(__ecx + 0x20),  &(_v28.top));
                                					_t221 = _t251;
                                					_t149 = L01279BD6(_t221,  &(_v28.top));
                                					_t244 = 0;
                                					if( *((intOrPtr*)(_t251 + 0x328)) <= 0) {
                                						L7:
                                						_pop(_t243);
                                						goto L8;
                                					} else {
                                						while(_t244 < SendMessageW( *( *(_t251 + 0x338) + 0x20), 0x40d, 0, 0)) {
                                							if(_t244 < 0) {
                                								L9:
                                								L01277AC9(_t221);
                                								asm("int3");
                                								_t256 = _t257;
                                								_t156 =  *0x13d3570; // 0x99b5b578
                                								_v60.left = _t156 ^ _t256;
                                								_t252 = _v44.left;
                                								_t217 = _t221;
                                								_v140 = _t252;
                                								E01282C5F(_t217, _t221, _t244, __eflags);
                                								_t222 = _t217;
                                								__eflags =  *((intOrPtr*)( *_t217 + 0x16c))(_t251, 0, _t255);
                                								if(__eflags == 0) {
                                									L16:
                                									_t245 =  *((intOrPtr*)( *_t217 + 0x1a0))(_t244);
                                									_v84 = _t245;
                                									CopyRect( &_v28, _t252);
                                									_v28.top.left = _v28.top.left + _t245;
                                									L012A5DE6(__eflags,  &_v100);
                                									_t224 =  *0x13d0f04; // 0x2
                                									_t252 = _v28.right - _t224 - _v100;
                                									asm("cdq");
                                									_v44.left = 0;
                                									_v44.top.left = 0;
                                									_t244 = (_t245 - _v96 - _t241 >> 1) -  *((intOrPtr*)(_t217 + 0x2c0)) - _v84 + _v28.top.left;
                                									_v44.right = 0;
                                									_v44.bottom = 0;
                                									_v108 = _t252;
                                									_v120 = _t224 + _v28.left;
                                									GetWindowRect( *(_t217 + 0x20),  &_v44);
                                									L01279BD6(_t217,  &_v44);
                                									_t176 =  *((intOrPtr*)( *_t217 + 0x1d0))();
                                									asm("sbb eax, eax");
                                									_v112 =  ~_t176 + 1;
                                									_t222 = 0;
                                									_t179 = 0;
                                									__eflags = _v84;
                                									if(_v84 <= 0) {
                                										__eflags =  *(_t217 + 0x328);
                                										if( *(_t217 + 0x328) > 0) {
                                											while(1) {
                                												__eflags = _t179 - _t222;
                                												if(__eflags < 0) {
                                													goto L15;
                                												}
                                												__eflags = _t179 -  *(_t217 + 0x328);
                                												if(__eflags >= 0) {
                                													goto L15;
                                												} else {
                                													_t241 =  *( *(_t217 + 0x324) + _t179 * 4);
                                													_t179 = _t179 + 1;
                                													_t241->bottom = 1;
                                													__eflags = _t179 -  *(_t217 + 0x328);
                                													if(_t179 <  *(_t217 + 0x328)) {
                                														continue;
                                													}
                                												}
                                												goto L50;
                                											}
                                											goto L15;
                                										}
                                									} else {
                                										_v80 = 0;
                                										__eflags =  *(_t217 + 0x328);
                                										if( *(_t217 + 0x328) <= 0) {
                                											L39:
                                											_t185 = 0;
                                											_v80 = 0;
                                											__eflags =  *(_t217 + 0x328);
                                											if( *(_t217 + 0x328) > 0) {
                                												while(1) {
                                													__eflags = _t185;
                                													if(__eflags < 0) {
                                														goto L15;
                                													}
                                													__eflags = _t185 -  *(_t217 + 0x328);
                                													if(__eflags >= 0) {
                                														goto L15;
                                													} else {
                                														_t222 =  *(_t217 + 0x324);
                                														_t244 =  *( *(_t217 + 0x324) + _t185 * 4);
                                														__eflags =  *(_t244 + 0x18);
                                														if( *(_t244 + 0x18) != 0) {
                                															CopyRect( &_v60, _v92);
                                															_t189 =  *((intOrPtr*)( *_t244 + 0xc))( &_v76);
                                															__eflags =  *_t189 + _v60.left - _t252;
                                															_t185 = _v80;
                                															_t127 =  *_t189 + _v60.left - _t252 >= 0;
                                															__eflags = _t127;
                                															_t222 = 0 | _t127;
                                															 *(_t244 + 0xc) = _t127;
                                														}
                                														_t185 = _t185 + 1;
                                														_v80 = _t185;
                                														__eflags = _t185 -  *(_t217 + 0x328);
                                														if(_t185 <  *(_t217 + 0x328)) {
                                															continue;
                                														} else {
                                														}
                                													}
                                													goto L50;
                                												}
                                												goto L15;
                                											}
                                										} else {
                                											while(1) {
                                												__eflags = _t179;
                                												if(__eflags < 0) {
                                													goto L15;
                                												}
                                												__eflags = _t179 -  *(_t217 + 0x328);
                                												if(__eflags >= 0) {
                                													goto L15;
                                												} else {
                                													_t252 =  *( *(_t217 + 0x324) + _t179 * 4);
                                													_v84 = E01318FE3(_t252);
                                													_t193 = 0;
                                													_v88 = 0;
                                													__eflags =  *0x13d0f08 - _t193; // 0x1
                                													if(__eflags != 0) {
                                														__eflags = _v112;
                                														if(_v112 == 0) {
                                															L25:
                                															_t193 =  *((intOrPtr*)( *_t217 + 0x1c4))();
                                															__eflags = _t193;
                                															if(_t193 != 0) {
                                																L28:
                                																_v88 = _v88 & 0x00000000;
                                																_t193 = 0;
                                																__eflags = 0;
                                															} else {
                                																__eflags = _v84 - 0x13;
                                																if(_v84 != 0x13) {
                                																	goto L28;
                                																} else {
                                																	goto L27;
                                																}
                                															}
                                														} else {
                                															__eflags = _v84 - 9;
                                															if(_v84 == 9) {
                                																L27:
                                																_v88 = 1;
                                															} else {
                                																goto L25;
                                															}
                                														}
                                													}
                                													__eflags =  *0x13d9684 - _t193; // 0x0
                                													if(__eflags == 0) {
                                														__eflags = _v84 - 8;
                                														if(_v84 == 8) {
                                															_v88 = 1;
                                														}
                                													}
                                													_push(_v92);
                                													_t252->top = _t193;
                                													_t252->right = _t193;
                                													__eflags =  *((intOrPtr*)(_t252 + 0x18)) - _t193;
                                													if( *((intOrPtr*)(_t252 + 0x18)) == _t193) {
                                														CopyRect( &_v60, ??);
                                														_t222 = _t244 - _v60.top;
                                														 *((intOrPtr*)(_t252 + 0x24)) = _v108 - _v60.left;
                                														_t198 = _v88;
                                														 *(_t252 + 0x28) = _t244 - _v60.top;
                                														_t252->bottom = _t198;
                                														__eflags = _t198;
                                														if(_t198 == 0) {
                                															_t200 = 0xfffffffe;
                                															_t106 =  &_v108;
                                															 *_t106 = _v108 + _t200 - _v100;
                                															__eflags =  *_t106;
                                														}
                                													} else {
                                														CopyRect( &_v76, ??);
                                														_t241 = _v120;
                                														_t222 = _t244 - _v76.top;
                                														 *((intOrPtr*)(_t252 + 0x24)) = _t241 - _v76.left;
                                														_t206 = _v88;
                                														 *(_t252 + 0x28) = _t244 - _v76.top;
                                														_t252->bottom = _t206;
                                														__eflags = _t206;
                                														if(_t206 == 0) {
                                															_v120 = _t241 + _v100 + 2;
                                														}
                                													}
                                													_v80 = _v80 + 1;
                                													__eflags = _v80 -  *(_t217 + 0x328);
                                													if(_v80 <  *(_t217 + 0x328)) {
                                														_t179 = _v80;
                                														continue;
                                													} else {
                                														_t252 = _v108;
                                														goto L39;
                                													}
                                												}
                                												goto L50;
                                											}
                                											goto L15;
                                										}
                                									}
                                									L50:
                                									_t180 = _v28.left;
                                									__eflags = _v28.right - _t180;
                                									if(_v28.right <= _t180) {
                                										_v28.right = _t180;
                                									}
                                									_t181 = _v28.top.left;
                                									__eflags = _v28.bottom - _t181;
                                									if(_v28.bottom <= _t181) {
                                										_v28.bottom = _t181;
                                									}
                                									_t252 =  &_v28;
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									_t182 = E012D889B(_t217);
                                									_pop(_t244);
                                								} else {
                                									_t182 = 0;
                                									__eflags =  *(_t217 + 0x328);
                                									if( *(_t217 + 0x328) > 0) {
                                										while(1) {
                                											__eflags = _t182;
                                											if(__eflags < 0) {
                                												break;
                                											}
                                											__eflags = _t182 -  *(_t217 + 0x328);
                                											if(__eflags >= 0) {
                                												break;
                                											} else {
                                												_t222 =  *( *(_t217 + 0x324) + _t182 * 4);
                                												_t182 = _t182 + 1;
                                												 *(_t222 + 0xc) = 1;
                                												__eflags = _t182 -  *(_t217 + 0x328);
                                												if(_t182 <  *(_t217 + 0x328)) {
                                													continue;
                                												} else {
                                												}
                                											}
                                											goto L55;
                                										}
                                										L15:
                                										L01277AC9(_t222);
                                										goto L16;
                                									}
                                								}
                                								L55:
                                								__eflags = _v12 ^ _t256;
                                								return L01367D3E(_t182, _t217, _v12 ^ _t256, _t241, _t244, _t252);
                                							} else {
                                								_t264 = _t244 -  *((intOrPtr*)(_t251 + 0x328));
                                								if(_t244 >=  *((intOrPtr*)(_t251 + 0x328))) {
                                									goto L9;
                                								} else {
                                									_t241 =  &(_v44.top);
                                									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t251 + 0x324)) + _t244 * 4)))) + 0xc))(_t241);
                                									OffsetRect( &(_v44.top), _v28.top, _v28.right);
                                									_t221 =  *(_t251 + 0x338);
                                									_t244 = _t244 + 1;
                                									_t149 = E012F8E3D(0, _t221, _t241, _t264, _t251, _t244,  &(_v44.top));
                                									if(_t244 <  *((intOrPtr*)(_t251 + 0x328))) {
                                										continue;
                                									} else {
                                										goto L7;
                                									}
                                								}
                                							}
                                							goto L56;
                                						}
                                						goto L7;
                                					}
                                				}
                                				L56:
                                			}

                                APIs
                                • GetWindowRect.USER32 ref: 012D8A47
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • CopyRect.USER32(?,?), ref: 012D89F1
                                  • Part of subcall function 012D889B: GetWindowRect.USER32 ref: 012D88DE
                                  • Part of subcall function 012D889B: SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 012D8909
                                  • Part of subcall function 012D889B: OffsetRect.USER32 ref: 012D893B
                                  • Part of subcall function 012D889B: CopyRect.USER32(?,?), ref: 012D8B14
                                  • Part of subcall function 012D889B: CopyRect.USER32(?,?), ref: 012D8B47
                                  • Part of subcall function 012D889B: CopyRect.USER32(?,?), ref: 012D8BC1
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Copy$ClientExceptionFilterProcessScreenUnhandledWindow$CurrentDebuggerException@8MessageOffsetPresentSendTerminateThrow
                                • String ID:
                                • API String ID: 2551006443-0
                                • Opcode ID: def7e735db1aa6f6ae49b74a9272c95426d90e77604bd56b89f2790028371427
                                • Instruction ID: 083af24b1d76a5cd09eb135a773d4ec1e2e33b4b4db1ee701aa69cb8401c3bfc
                                • Opcode Fuzzy Hash: def7e735db1aa6f6ae49b74a9272c95426d90e77604bd56b89f2790028371427
                                • Instruction Fuzzy Hash: 02D11871A1020ADFCF15DFA8C5849AEBBF9FF48304F14446AE946EB245E730A946CF51
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 93%
                                			E012A24A3(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                				long _t24;
                                				void* _t25;
                                				intOrPtr _t27;
                                				long _t31;
                                				struct HDC__* _t38;
                                				intOrPtr* _t51;
                                				intOrPtr* _t54;
                                				void* _t55;
                                
                                				_push(0);
                                				L01369601(0x1380fe9, __ebx, __edi, __esi);
                                				_t54 =  *((intOrPtr*)(_t55 + 8));
                                				_t51 =  *((intOrPtr*)(_t55 + 0xc));
                                				_t38 = 0;
                                				 *((intOrPtr*)(_t55 - 4)) = 0;
                                				if(_t54 != 0) {
                                					_t38 =  *(_t54 + 4);
                                				}
                                				FillRect(_t38, _t55 + 0x10, GetSysColorBrush(0x18));
                                				L0129D8C0(_t38, _t55 + 0x20);
                                				if( *((intOrPtr*)( *_t51 + 0x38))() == 0) {
                                					_t24 = GetSysColor(0x17);
                                				} else {
                                					_t24 =  *0x13d6418; // 0x6d6d6d
                                				}
                                				_t25 =  *((intOrPtr*)( *_t54 + 0x30))(_t24);
                                				_t27 =  *((intOrPtr*)(_t55 + 0x20));
                                				 *((intOrPtr*)( *_t54 + 0x68))(_t27,  *((intOrPtr*)(_t27 - 0xc)), _t55 + 0x10, 0x25);
                                				 *((intOrPtr*)( *_t54 + 0x30))(_t25);
                                				_t31 = GetSysColor(0x17);
                                				E0128A265(_t55 + 0x10, GetSysColor(0x17), _t31);
                                				return L013696D9(L01271470( *((intOrPtr*)(_t55 + 0x20)) + 0xfffffff0,  *_t54));
                                			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Color$BrushFillH_prolog3Rect
                                • String ID: mmm
                                • API String ID: 24942539-1545505134
                                • Opcode ID: 8d6f0e53318171f42441ad3d099a62c87a93604a844d9abb3cff9382c3cc353d
                                • Instruction ID: 19f9061c2eaabeb54764de51aafaea318768a4eefe997ec4a9320e073f130d4e
                                • Opcode Fuzzy Hash: 8d6f0e53318171f42441ad3d099a62c87a93604a844d9abb3cff9382c3cc353d
                                • Instruction Fuzzy Hash: 32113A752012099FDB10EFA8C884EAE77A9FF88714F054519FA569B281CB309D00CBA1
                                Uniqueness

                                Uniqueness Score: 7.75%

                                C-Code - Quality: 90%
                                			E012989AC(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, void* __eflags) {
                                				signed int _t114;
                                				intOrPtr _t115;
                                				signed int _t116;
                                				signed int _t117;
                                				signed int _t122;
                                				signed int _t128;
                                				intOrPtr _t130;
                                				intOrPtr _t133;
                                				intOrPtr _t135;
                                				signed int _t136;
                                				signed int _t138;
                                				intOrPtr _t144;
                                				intOrPtr _t149;
                                				signed int _t151;
                                				signed int _t153;
                                				signed int _t154;
                                				void* _t156;
                                				void* _t159;
                                				void* _t162;
                                				intOrPtr _t165;
                                				signed int _t172;
                                				signed int _t173;
                                				intOrPtr _t176;
                                				signed int _t177;
                                				signed int _t178;
                                				intOrPtr _t187;
                                				signed int _t189;
                                				signed int _t198;
                                				void* _t210;
                                				void* _t213;
                                
                                				_t205 = __edi;
                                				_t201 = __edx;
                                				_t173 = __ecx;
                                				_push(0x40);
                                				L0136966A(0x138844e, __ebx, __edi, __esi);
                                				_t172 = __ecx;
                                				_t208 = 0;
                                				if( *((intOrPtr*)(__ecx + 0x164)) != 0) {
                                					L73:
                                					_push( *((intOrPtr*)(_t210 + 0x10)));
                                					_push( *((intOrPtr*)(_t210 + 0xc)));
                                					L012E9518(_t173,  *((intOrPtr*)(_t210 + 8)));
                                					L74:
                                					return L013696ED(_t172, _t205, _t208);
                                				}
                                				_t213 =  *0x13d83d4 - _t208; // 0x0
                                				if(_t213 == 0 ||  *((intOrPtr*)(__ecx + 0xb04)) != 0) {
                                					_t114 = L0128BFC9(_t172 + 0xc88, _t173 | 0xffffffff, _t173 | 0xffffffff);
                                					__eflags = _t114;
                                					if(_t114 == 0) {
                                						L11:
                                						_t176 =  *((intOrPtr*)(_t210 + 0x10));
                                						_t115 =  *((intOrPtr*)(_t210 + 0xc));
                                						_t208 =  *(_t172 + 0xb7c);
                                						_t202 =  *_t172;
                                						 *((intOrPtr*)(_t172 + 0xc8c)) = _t176;
                                						_t177 = _t172;
                                						 *((intOrPtr*)(_t172 + 0xc88)) = _t115;
                                						 *(_t210 - 0x24) = _t208;
                                						_t116 =  *((intOrPtr*)( *_t172 + 0x390))(_t115, _t176);
                                						__eflags =  *(_t172 + 0xb20);
                                						_t205 = _t116;
                                						 *(_t172 + 0xb7c) = _t205;
                                						if( *(_t172 + 0xb20) == 0) {
                                							L15:
                                							_t178 = _t172;
                                							_t117 = E012948C9(_t178, 0);
                                							__eflags = _t117;
                                							if(_t117 == 0) {
                                								L17:
                                								_t118 =  *(_t172 + 0xb7c);
                                								__eflags =  *(_t172 + 0xb7c) - 0xffffffff;
                                								if(__eflags != 0) {
                                									_t178 = _t172;
                                									_t208 = L01293D66(_t178, __eflags, _t118);
                                									__eflags = _t208;
                                									if(_t208 == 0) {
                                										goto L24;
                                									}
                                									_t151 =  *(_t208 + 0x24);
                                									__eflags = _t151 & 0x00000001;
                                									if((_t151 & 0x00000001) != 0) {
                                										L23:
                                										_t45 = _t172 + 0xb7c;
                                										 *_t45 =  *(_t172 + 0xb7c) | 0xffffffff;
                                										__eflags =  *_t45;
                                										goto L24;
                                									}
                                									__eflags = _t151 & 0x00040000;
                                									if((_t151 & 0x00040000) == 0) {
                                										goto L24;
                                									}
                                									_t178 = _t172;
                                									_t153 =  *((intOrPtr*)( *_t172 + 0x3e8))();
                                									__eflags = _t153;
                                									if(_t153 != 0) {
                                										goto L24;
                                									}
                                									goto L23;
                                								} else {
                                									_t208 = 0;
                                									L24:
                                									__eflags =  *(_t172 + 0xb38);
                                									if( *(_t172 + 0xb38) != 0) {
                                										__eflags =  *(_t172 + 0xb7c) - 0xffffffff;
                                										if( *(_t172 + 0xb7c) == 0xffffffff) {
                                											__eflags =  *0x13d6584;
                                											if( *0x13d6584 != 0) {
                                												_t178 = _t172;
                                												_t149 =  *((intOrPtr*)( *_t172 + 0x390))( *((intOrPtr*)(_t210 + 0xc)),  *((intOrPtr*)(_t210 + 0x10)));
                                												__eflags = _t149 - 0xffffffff;
                                												if(_t149 != 0xffffffff) {
                                													__eflags = _t149 -  *((intOrPtr*)(_t172 + 0xb98));
                                													if(_t149 !=  *((intOrPtr*)(_t172 + 0xb98))) {
                                														 *((intOrPtr*)(_t172 + 0xb98)) = _t149;
                                														SetTimer( *(_t172 + 0x20), 0x14, 0x1f4, 0);
                                													}
                                												}
                                											}
                                										}
                                									}
                                									__eflags =  *(_t172 + 0xb34);
                                									if( *(_t172 + 0xb34) == 0) {
                                										_t57 = _t210 - 0x2c;
                                										 *_t57 =  *(_t210 - 0x2c) | 0xffffffff;
                                										__eflags =  *_t57;
                                										 *(_t210 - 0x30) =  *(_t172 + 0x20);
                                										 *(_t172 + 0xb34) = 1;
                                										 *((intOrPtr*)(_t210 - 0x38)) = 0x10;
                                										 *((intOrPtr*)(_t210 - 0x34)) = 2;
                                										E012F870A(_t210 - 0x38);
                                										_pop(_t178);
                                									}
                                									__eflags =  *(_t210 - 0x24) - _t205;
                                									if( *(_t210 - 0x24) == _t205) {
                                										L44:
                                										__eflags =  *(_t210 - 0x24) -  *(_t172 + 0xb7c);
                                										if( *(_t210 - 0x24) ==  *(_t172 + 0xb7c)) {
                                											L72:
                                											_t173 = _t172;
                                											goto L73;
                                										}
                                										_t121 =  *((intOrPtr*)(_t172 + 0xb78));
                                										 *(_t210 - 0x28) =  *(_t210 - 0x28) & 0x00000000;
                                										__eflags =  *((intOrPtr*)(_t172 + 0xb78)) - 0xffffffff;
                                										if(__eflags != 0) {
                                											_t186 = _t172;
                                											_t136 = L01293D66(_t172, __eflags, _t121);
                                											__eflags = _t136;
                                											if(_t136 == 0) {
                                												_t136 = L01277AC9(_t186);
                                											}
                                											_t202 =  *(_t136 + 0x24);
                                											_t187 =  *((intOrPtr*)(_t172 + 0xb78));
                                											_t138 = _t202 & 0xfffdffff;
                                											__eflags =  *(_t172 + 0xb7c) - _t187;
                                											if( *(_t172 + 0xb7c) == _t187) {
                                												_t138 = _t138 | 0x00020000;
                                												__eflags = _t138;
                                											}
                                											__eflags = _t138 - _t202;
                                											if(_t138 != _t202) {
                                												_t202 =  *_t172;
                                												 *((intOrPtr*)( *_t172 + 0x374))(_t187, _t138);
                                												 *(_t210 - 0x28) = 1;
                                											}
                                										}
                                										__eflags =  *(_t172 + 0xb38);
                                										if( *(_t172 + 0xb38) != 0) {
                                											L55:
                                											__eflags =  *(_t210 - 0x24) - 0xffffffff;
                                											if( *(_t210 - 0x24) != 0xffffffff) {
                                												L01295B3C(_t172, _t202,  *(_t210 - 0x24));
                                												 *(_t210 - 0x28) = 1;
                                											}
                                											goto L57;
                                										} else {
                                											_t135 =  *((intOrPtr*)(_t172 + 0xb78));
                                											__eflags = _t135 - 0xffffffff;
                                											if(_t135 == 0xffffffff) {
                                												goto L55;
                                											}
                                											__eflags =  *(_t210 - 0x24) - _t135;
                                											if( *(_t210 - 0x24) != _t135) {
                                												L57:
                                												__eflags =  *(_t172 + 0xb38);
                                												if( *(_t172 + 0xb38) != 0) {
                                													L60:
                                													_t122 =  *(_t172 + 0xb7c);
                                													__eflags = _t122 - 0xffffffff;
                                													if(_t122 != 0xffffffff) {
                                														L01295B3C(_t172, _t202, _t122);
                                														__eflags =  *0x13d6584;
                                														 *(_t210 - 0x28) = 1;
                                														if(__eflags != 0) {
                                															_t208 = 0;
                                															_t128 = E012789CC(0x13d0fe4, L01293D66(_t172, __eflags,  *(_t172 + 0xb7c)));
                                															__eflags = _t128;
                                															if(_t128 != 0) {
                                																__eflags =  *(_t128 + 0x90);
                                																if( *(_t128 + 0x90) != 0) {
                                																	_t208 = 1;
                                																	__eflags = 1;
                                																}
                                															}
                                															_t130 =  *((intOrPtr*)( *_t172 + 0x390))( *((intOrPtr*)(_t210 + 0xc)),  *((intOrPtr*)(_t210 + 0x10)));
                                															__eflags = _t130 -  *((intOrPtr*)(_t172 + 0xb98));
                                															if(_t130 !=  *((intOrPtr*)(_t172 + 0xb98))) {
                                																 *((intOrPtr*)(_t172 + 0xb98)) = _t130;
                                																KillTimer( *(_t172 + 0x20), 0x14);
                                																_push(0);
                                																__eflags = _t208;
                                																if(_t208 == 0) {
                                																	_push(0x1f4);
                                																} else {
                                																	_push(0x514);
                                																}
                                																SetTimer( *(_t172 + 0x20), 0x14, ??, ??);
                                															}
                                														}
                                													}
                                													L70:
                                													 *((intOrPtr*)( *_t172 + 0x3b0))( *(_t172 + 0xb7c));
                                													__eflags =  *(_t210 - 0x28);
                                													if( *(_t210 - 0x28) != 0) {
                                														UpdateWindow( *(_t172 + 0x20));
                                													}
                                													goto L72;
                                												}
                                												_t133 =  *((intOrPtr*)(_t172 + 0xb78));
                                												__eflags = _t133 - 0xffffffff;
                                												if(_t133 == 0xffffffff) {
                                													goto L60;
                                												}
                                												__eflags =  *(_t172 + 0xb7c) - _t133;
                                												if( *(_t172 + 0xb7c) != _t133) {
                                													goto L70;
                                												}
                                												goto L60;
                                											}
                                											goto L55;
                                										}
                                									} else {
                                										_t189 = _t178 | 0xffffffff;
                                										__eflags = _t205 - _t189;
                                										if(_t205 == _t189) {
                                											L39:
                                											__eflags =  *((intOrPtr*)(_t172 + 0xb78)) - _t189;
                                											if( *((intOrPtr*)(_t172 + 0xb78)) == _t189) {
                                												L42:
                                												__eflags =  *0x13d83f8;
                                												if( *0x13d83f8 == 0) {
                                													SendMessageW( *(E012845DB(_t172) + 0x20), 0x362, 0xe001, 0);
                                												}
                                												goto L44;
                                											}
                                											__eflags =  *(_t172 + 0xb38);
                                											if( *(_t172 + 0xb38) == 0) {
                                												goto L44;
                                											}
                                											__eflags = _t205 - _t189;
                                											if(_t205 != _t189) {
                                												goto L44;
                                											}
                                											goto L42;
                                										}
                                										__eflags =  *(_t172 + 0xb38);
                                										if( *(_t172 + 0xb38) != 0) {
                                											L37:
                                											__eflags = _t208;
                                											if(_t208 != 0) {
                                												 *((intOrPtr*)( *_t172 + 0x414))( *((intOrPtr*)(_t208 + 0x20)));
                                											}
                                											goto L44;
                                										}
                                										_t144 =  *((intOrPtr*)(_t172 + 0xb78));
                                										__eflags = _t205 - _t144;
                                										if(_t205 == _t144) {
                                											goto L37;
                                										}
                                										__eflags = _t144 - _t189;
                                										if(_t144 != _t189) {
                                											goto L39;
                                										}
                                										goto L37;
                                									}
                                								}
                                							}
                                							_t202 =  *_t117;
                                							_t178 = _t117;
                                							_t154 =  *((intOrPtr*)( *_t117 + 0xe8))();
                                							__eflags = _t154;
                                							if(_t154 != 0) {
                                								L14:
                                								 *(_t172 + 0xb7c) = _t208;
                                								goto L74;
                                							}
                                							goto L17;
                                						}
                                						__eflags = _t205 - 0xffffffff;
                                						if(_t205 != 0xffffffff) {
                                							goto L15;
                                						}
                                						_t156 = E01282D05(_t172, _t177, _t202, GetFocus());
                                						__eflags = _t156 - _t172;
                                						if(_t156 != _t172) {
                                							goto L15;
                                						}
                                						goto L14;
                                					}
                                					_t159 = L0136B5DE(_t201,  *((intOrPtr*)(_t172 + 0xc88)) -  *((intOrPtr*)(_t210 + 0xc)));
                                					__eflags = _t159 - 1;
                                					if(_t159 >= 1) {
                                						goto L11;
                                					}
                                					_t162 = L0136B5DE(_t201,  *((intOrPtr*)(_t172 + 0xc8c)) -  *((intOrPtr*)(_t210 + 0x10)));
                                					__eflags = _t162 - 1;
                                					if(_t162 >= 1) {
                                						goto L11;
                                					} else {
                                						 *((intOrPtr*)(_t172 + 0xc88)) =  *((intOrPtr*)(_t210 + 0xc));
                                						 *((intOrPtr*)(_t172 + 0xc8c)) =  *((intOrPtr*)(_t210 + 0x10));
                                						goto L74;
                                					}
                                				} else {
                                					if( *((intOrPtr*)(__ecx + 0xb30)) != 0) {
                                						_t165 =  *((intOrPtr*)(__ecx + 0xc98));
                                						_t216 =  *((intOrPtr*)(_t210 + 0xc)) -  *((intOrPtr*)(_t165 + 0x54)) - 5;
                                						if( *((intOrPtr*)(_t210 + 0xc)) -  *((intOrPtr*)(_t165 + 0x54)) >= 5) {
                                							_push(__ecx);
                                							L01279E5D(__ecx, _t210 - 0x4c, __edx, __edi, 0, _t216);
                                							 *(_t210 - 4) = 0;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							 *((intOrPtr*)(_t172 + 0xc70)) =  *((intOrPtr*)(_t210 + 0xc));
                                							_t198 = 2;
                                							_t208 = _t198;
                                							_t205 = _t198;
                                							E0128A293(_t172, _t210 - 0x4c, _t210 - 0x20, _t198, _t198, _t216, _t172 + 0xc68, _t198, _t198, _t210 - 0x20, _t198, _t198, 0, 0);
                                							 *(_t210 - 4) =  *(_t210 - 4) | 0xffffffff;
                                							L01279EB1(_t172, _t210 - 0x4c, _t210 - 0x20, _t198, _t198,  *(_t210 - 4));
                                						}
                                						SetCursor( *0x13d64d0);
                                					}
                                					goto L74;
                                				}
                                			}
                                0x01298ca3
                                0x01298ca5
                                0x01298ca7
                                0x01298cad
                                0x01298cb3
                                0x01298cb3
                                0x01298ca5
                                0x01298cba
                                0x01298cc1
                                0x01298cd3
                                0x01298cd3
                                0x01298cd7
                                0x01298cde
                                0x01298ce3
                                0x01298ce3
                                0x00000000
                                0x01298cc3
                                0x01298cc3
                                0x01298cc9
                                0x01298ccc
                                0x00000000
                                0x00000000
                                0x01298cce
                                0x01298cd1
                                0x01298cea
                                0x01298cea
                                0x01298cf1
                                0x01298d0a
                                0x01298d0a
                                0x01298d10
                                0x01298d13
                                0x01298d1c
                                0x01298d21
                                0x01298d28
                                0x01298d2f
                                0x01298d39
                                0x01298d46
                                0x01298d4d
                                0x01298d4f
                                0x01298d51
                                0x01298d57
                                0x01298d59
                                0x01298d59
                                0x01298d59
                                0x01298d57
                                0x01298d64
                                0x01298d6a
                                0x01298d70
                                0x01298d77
                                0x01298d7d
                                0x01298d83
                                0x01298d85
                                0x01298d87
                                0x01298d90
                                0x01298d89
                                0x01298d89
                                0x01298d89
                                0x01298d9a
                                0x01298d9a
                                0x01298d70
                                0x01298d2f
                                0x01298da0
                                0x01298daa
                                0x01298db0
                                0x01298db4
                                0x01298db9
                                0x01298db9
                                0x00000000
                                0x01298db4
                                0x01298cf3
                                0x01298cf9
                                0x01298cfc
                                0x00000000
                                0x00000000
                                0x01298cfe
                                0x01298d04
                                0x00000000
                                0x00000000
                                0x00000000
                                0x01298d04
                                0x00000000
                                0x01298cd1
                                0x01298bec
                                0x01298bec
                                0x01298bef
                                0x01298bf1
                                0x01298c1d
                                0x01298c1d
                                0x01298c23
                                0x01298c32
                                0x01298c32
                                0x01298c39
                                0x01298c51
                                0x01298c51
                                0x00000000
                                0x01298c39
                                0x01298c25
                                0x01298c2c
                                0x00000000
                                0x00000000
                                0x01298c2e
                                0x01298c30
                                0x00000000
                                0x00000000
                                0x00000000
                                0x01298c30
                                0x01298bf3
                                0x01298bfa
                                0x01298c0a
                                0x01298c0a
                                0x01298c0c
                                0x01298c15
                                0x01298c15
                                0x00000000
                                0x01298c0c
                                0x01298bfc
                                0x01298c02
                                0x01298c04
                                0x00000000
                                0x00000000
                                0x01298c06
                                0x01298c08
                                0x00000000
                                0x00000000
                                0x00000000
                                0x01298c08
                                0x01298bea
                                0x01298b2b
                                0x01298b14
                                0x01298b16
                                0x01298b18
                                0x01298b1e
                                0x01298b20
                                0x01298afc
                                0x01298afc
                                0x00000000
                                0x01298afc
                                0x00000000
                                0x01298b20
                                0x01298ae7
                                0x01298aea
                                0x00000000
                                0x00000000
                                0x01298af3
                                0x01298af8
                                0x01298afa
                                0x00000000
                                0x00000000
                                0x00000000
                                0x01298afa
                                0x01298a78
                                0x01298a7e
                                0x01298a81
                                0x00000000
                                0x00000000
                                0x01298a8d
                                0x01298a93
                                0x01298a96
                                0x00000000
                                0x01298a98
                                0x01298a9b
                                0x01298aa4
                                0x00000000
                                0x01298aa4
                                0x012989dc
                                0x012989e2
                                0x012989e8
                                0x012989f4
                                0x012989f7
                                0x012989f9
                                0x012989fd
                                0x01298a05
                                0x01298a13
                                0x01298a14
                                0x01298a15
                                0x01298a18
                                0x01298a19
                                0x01298a1f
                                0x01298a24
                                0x01298a2f
                                0x01298a36
                                0x01298a3b
                                0x01298a42
                                0x01298a42
                                0x01298a4d
                                0x01298a4d
                                0x00000000
                                0x012989e2

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012989B3
                                • SetCursor.USER32(00000040), ref: 01298A4D
                                  • Part of subcall function 01279E5D: __EH_prolog3.LIBCMT ref: 01279E64
                                  • Part of subcall function 01279E5D: GetDC.USER32(00000000), ref: 01279E90
                                  • Part of subcall function 0128A293: __EH_prolog3_GS.LIBCMT ref: 0128A29A
                                  • Part of subcall function 0128A293: CreateRectRgnIndirect.GDI32(?), ref: 0128A2D7
                                  • Part of subcall function 0128A293: CopyRect.USER32(?,?), ref: 0128A2ED
                                  • Part of subcall function 0128A293: InflateRect.USER32(?,?,?), ref: 0128A303
                                  • Part of subcall function 0128A293: IntersectRect.USER32(?,?,?), ref: 0128A311
                                  • Part of subcall function 0128A293: CreateRectRgnIndirect.GDI32(?), ref: 0128A31B
                                  • Part of subcall function 0128A293: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0128A330
                                  • Part of subcall function 0128A293: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0128A398
                                  • Part of subcall function 0128A293: SetRectRgn.GDI32(?,?,00000004,?,?), ref: 0128A3B5
                                  • Part of subcall function 0128A293: CopyRect.USER32(?,?), ref: 0128A3C0
                                  • Part of subcall function 0128A293: InflateRect.USER32(?,?,?), ref: 0128A3D6
                                  • Part of subcall function 0128A293: IntersectRect.USER32(?,?,?), ref: 0128A3E2
                                  • Part of subcall function 0128A293: SetRectRgn.GDI32(?,?,?,?,?), ref: 0128A3F7
                                  • Part of subcall function 0128A293: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0128A423
                                  • Part of subcall function 0128A293: PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 0128A494
                                  • Part of subcall function 0128A293: PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 0128A4E9
                                  • Part of subcall function 01279EB1: __EH_prolog3.LIBCMT ref: 01279EB8
                                  • Part of subcall function 01279EB1: ReleaseDC.USER32(?,00000000), ref: 01279ED5
                                • GetFocus.USER32 ref: 01298AEC
                                  • Part of subcall function 01293D66: PtInRect.USER32(?,?,?), ref: 01293DB9
                                • SetTimer.USER32 ref: 01298BAC
                                • KillTimer.USER32 ref: 01298D7D
                                  • Part of subcall function 012F870A: IsWindow.USER32(?), ref: 012F8723
                                  • Part of subcall function 012F870A: SetTimer.USER32 ref: 012F873F
                                  • Part of subcall function 012845DB: GetParent.USER32(?), ref: 012845E5
                                • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 01298C51
                                • SetTimer.USER32 ref: 01298D9A
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • UpdateWindow.USER32 ref: 01298DB9
                                  • Part of subcall function 01295B3C: InvalidateRect.USER32(?,?,00000001), ref: 01295BB1
                                  • Part of subcall function 01295B3C: InflateRect.USER32(?,?,?), ref: 01295BF7
                                  • Part of subcall function 01295B3C: RedrawWindow.USER32(?,?,00000000,00000401), ref: 01295C0A
                                  • Part of subcall function 012E9518: GetCursorPos.USER32(00000000), ref: 012E9549
                                  • Part of subcall function 012E9518: OffsetRect.USER32 ref: 012E956A
                                  • Part of subcall function 012E9518: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012E959D
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Create$TimerWindow$Inflate$CopyCursorH_prolog3H_prolog3_IndirectIntersectRedraw$Exception@8FocusInvalidateKillMessageOffsetParentReleaseSendThrowUpdate
                                • String ID:
                                • API String ID: 798511029-0
                                • Opcode ID: 240ae0aba030ce405316cea7b1cc4d160f8a15232604b8a06e7fdbdee9ee5e83
                                • Instruction ID: 7a3826edf36d56d9f52e01d80a18cb8b439221ea1de39bf5dbd42c84213f33d7
                                • Opcode Fuzzy Hash: 240ae0aba030ce405316cea7b1cc4d160f8a15232604b8a06e7fdbdee9ee5e83
                                • Instruction Fuzzy Hash: B0C1707151120ADFDF259F2CC8D4BAD7BA5BB45324F1C4279EE199E2D9DB709880CB20
                                Uniqueness

                                Uniqueness Score: 2.28%

                                C-Code - Quality: 98%
                                			E012DAD80(void* __ebx, struct HWND__** __ecx, void* __edx, struct HWND__* __edi, void* __esi, void* __eflags) {
                                				void* _t98;
                                				struct HWND__* _t99;
                                				void* _t106;
                                				signed int _t121;
                                				signed int _t125;
                                				void* _t129;
                                				short _t130;
                                				signed int _t131;
                                				signed int _t133;
                                				signed int _t140;
                                				signed int _t148;
                                				signed int _t156;
                                				signed int _t161;
                                				void* _t163;
                                				signed int _t166;
                                				signed int _t167;
                                				signed int _t168;
                                				signed int _t169;
                                				signed int _t172;
                                				signed int _t190;
                                				void* _t221;
                                				struct HWND__** _t228;
                                				void* _t229;
                                				intOrPtr _t234;
                                
                                				_t226 = __edi;
                                				_t221 = __edx;
                                				_t177 = __ecx;
                                				_push(0x50);
                                				L0136966A(0x1382e24, __ebx, __edi, __esi);
                                				_t228 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x2b4)) != 0) {
                                					 *((char*)(__ecx + 0x2b4)) = 0;
                                				}
                                				if(_t228[0xd2] == 0) {
                                					E012E82D0(_t177, _t221,  *((intOrPtr*)(_t229 + 8)),  *((intOrPtr*)(_t229 + 0xc)),  *((intOrPtr*)(_t229 + 0x10)));
                                					L50:
                                					return L013696ED(0, _t226, _t228);
                                				}
                                				_t98 =  *((intOrPtr*)( *_t228 + 0x198))();
                                				_t178 = 0x13d0a78;
                                				_t99 = L012C74B8(0x13d0a78, _t221, _t98);
                                				 *(_t229 - 0x34) = _t99;
                                				if(_t99 != 0) {
                                					L6:
                                					_t226 = _t228[0xd2];
                                					 *(_t229 - 0x38) = _t228[0xd1];
                                					 *((intOrPtr*)( *_t228 + 0x390))();
                                					 *(_t229 - 0x40) = E012D83B6(0, _t228, _t221, _t226, _t228);
                                					if( *(_t229 - 0x38) != _t226) {
                                						L11:
                                						E01282C5F(0, _t228, _t226, _t238);
                                						goto L50;
                                					}
                                					_t106 = _t226 - 8;
                                					if(_t106 == 0) {
                                						__eflags =  *0x13d9684; // 0x0
                                						if(__eflags != 0) {
                                							_t226 = E012DA699(0, _t228, _t226, _t228, 8);
                                							__eflags = _t226;
                                							if(_t226 != 0) {
                                								 *((intOrPtr*)(_t226->i + 0xc))(_t229 - 0x30);
                                								 *(_t229 - 0x20) = 0;
                                								 *(_t229 - 0x1c) = 0;
                                								 *((intOrPtr*)(_t229 - 0x18)) = 0;
                                								 *((intOrPtr*)(_t229 - 0x14)) = 0;
                                								GetWindowRect(_t228[8], _t229 - 0x20);
                                								L01279BD6(_t228, _t229 - 0x20);
                                								OffsetRect(_t229 - 0x30,  *(_t229 - 0x20),  *(_t229 - 0x1c));
                                								L01279C17(_t228, _t229 - 0x30);
                                								 *(_t226 + 0x14) = 1;
                                								 *(_t229 - 0x3c) =  *(_t229 - 0x30);
                                								 *(_t229 - 0x38) =  *((intOrPtr*)(_t229 - 0x24)) + 1;
                                								_t121 = E01286862(_t228);
                                								__eflags = _t121 & 0x00400000;
                                								if((_t121 & 0x00400000) != 0) {
                                									_t81 = _t229 - 0x3c;
                                									 *_t81 =  *(_t229 - 0x3c) +  *((intOrPtr*)(_t229 - 0x28)) -  *(_t229 - 0x30);
                                									__eflags =  *_t81;
                                								}
                                								 *(_t229 - 0x34) = _t228[8];
                                								 *((intOrPtr*)( *_t228 + 0x2e4))( *(_t229 - 0x3c),  *(_t229 - 0x38));
                                								_t125 = IsWindow( *(_t229 - 0x34));
                                								__eflags = _t125;
                                								if(_t125 != 0) {
                                									 *(_t226 + 0x14) = 0;
                                									E012DA1DD(_t228, _t226);
                                								}
                                							}
                                						}
                                						goto L50;
                                					}
                                					_t129 = _t106 - 1;
                                					if(_t129 == 0) {
                                						_t130 = GetAsyncKeyState(0x11);
                                						__eflags = _t130;
                                						if(_t130 == 0) {
                                							L39:
                                							_t131 =  *(_t229 - 0x34);
                                							__eflags = _t131;
                                							if(_t131 != 0) {
                                								_t190 =  *(_t229 - 0x40);
                                								__eflags = _t190;
                                								if(_t190 != 0) {
                                									_t226 =  *(_t131 + 0x11c);
                                									_t133 =  *((intOrPtr*)( *_t190 + 0x190))();
                                									__eflags = _t226 & _t133;
                                									if((_t226 & _t133) != 0) {
                                										_t226 =  *_t228;
                                										__eflags = _t228[0xb9];
                                										 *((intOrPtr*)( *_t228 + 0x368))(0 | _t228[0xb9] == 0x00000000,  *((intOrPtr*)( *( *(_t229 - 0x40)) + 0x190))(0, 1));
                                									}
                                								}
                                							}
                                							goto L50;
                                						}
                                						_t140 =  *((intOrPtr*)( *_t228 + 0x340))();
                                						__eflags = _t140;
                                						if(_t140 == 0) {
                                							goto L39;
                                						}
                                						SendMessageW( *(_t228[0x26] + 0x20), 0xb, 0, 0);
                                						__eflags = _t228[0xb9];
                                						if(_t228[0xb9] != 0) {
                                							__eflags = E012789CC(0x13a3fc4,  *((intOrPtr*)( *(_t228[0xc7]) + 0x19c))());
                                							if(__eflags != 0) {
                                								_push(0);
                                								E013283B4(0, _t145, _t226, _t228, __eflags);
                                							}
                                							L36:
                                							SendMessageW( *(_t228[0x26] + 0x20), 0xb, 1, 0);
                                							_t148 = E012789CC(0x1393e4c, _t228[0x26]);
                                							__eflags = _t148;
                                							if(_t148 != 0) {
                                								 *((intOrPtr*)( *_t148 + 0x174))(1);
                                							}
                                							RedrawWindow( *(_t228[0x26] + 0x20), 0, 0, 0x181);
                                							goto L50;
                                						}
                                						L012E77C6(_t229 - 0x5c, 0xa);
                                						_t178 =  *(_t229 - 0x40);
                                						 *(_t229 - 4) = 0;
                                						L012D146C( *(_t229 - 0x40), _t229 - 0x5c);
                                						_t156 =  *(_t229 - 0x58);
                                						__eflags = _t156;
                                						if(_t156 == 0) {
                                							L33:
                                							 *(_t229 - 4) =  *(_t229 - 4) | 0xffffffff;
                                							L012E77EE(_t229 - 0x5c);
                                							goto L36;
                                						} else {
                                							while(1) {
                                								__eflags = _t156;
                                								if(__eflags == 0) {
                                									break;
                                								}
                                								 *(_t229 - 0x38) =  *_t156;
                                								_t226 = E012789CC(0x13d0f0c,  *((intOrPtr*)(_t156 + 8)));
                                								_t178 = _t226;
                                								 *(_t229 - 0x34) = _t226;
                                								_t161 =  *((intOrPtr*)(_t226->i + 0x340))();
                                								__eflags = _t161;
                                								if(_t161 != 0) {
                                									_t226 =  *_t226;
                                									_t163 =  *((intOrPtr*)( *( *(_t229 - 0x40)) + 0x190))(0, 0);
                                									_t178 =  *(_t229 - 0x34);
                                									 *((intOrPtr*)(_t226 + 0x368))(1, _t163);
                                								}
                                								__eflags =  *(_t229 - 0x38);
                                								if( *(_t229 - 0x38) != 0) {
                                									_t156 =  *(_t229 - 0x38);
                                									continue;
                                								} else {
                                									goto L33;
                                								}
                                							}
                                							L5:
                                							L01277AC9(_t178);
                                							goto L6;
                                						}
                                					}
                                					_t238 = _t129 == 0xa;
                                					if(_t129 == 0xa) {
                                						_t226 =  *0x13d98fc; // 0x0
                                						__eflags = _t226;
                                						if(_t226 != 0) {
                                							L14:
                                							_t166 = E012789CC(0x1391888, _t226);
                                							__eflags = _t166;
                                							if(_t166 == 0) {
                                								_t167 = E012789CC(0x1391eac, _t226);
                                								__eflags = _t167;
                                								if(_t167 == 0) {
                                									_t168 = E012789CC(0x13914dc, _t226);
                                									__eflags = _t168;
                                									if(_t168 != 0) {
                                										L20:
                                										_t169 =  *((intOrPtr*)( *_t168 + 0x208))(_t228);
                                										goto L21;
                                									}
                                									_t168 = E012789CC(0x1391128, _t226);
                                									__eflags = _t168;
                                									if(__eflags == 0) {
                                										goto L22;
                                									}
                                									goto L20;
                                								} else {
                                									_t169 =  *((intOrPtr*)( *_t167 + 0x1f0))(_t228);
                                									goto L21;
                                								}
                                							} else {
                                								_t169 =  *((intOrPtr*)( *_t166 + 0x210))(_t228);
                                								L21:
                                								__eflags = _t169;
                                								if(__eflags == 0) {
                                									goto L11;
                                								}
                                								L22:
                                								 *((intOrPtr*)( *_t228 + 0x2dc))();
                                								goto L11;
                                							}
                                						}
                                						_t172 = L01283CE7(_t228);
                                						_t226 = _t172;
                                						__eflags = _t172;
                                						if(__eflags == 0) {
                                							goto L22;
                                						}
                                						goto L14;
                                					} else {
                                						 *((intOrPtr*)( *_t228 + 0x380))(_t226);
                                						goto L11;
                                					}
                                				}
                                				_t234 =  *0x13d0a7c; // 0x0
                                				if(_t234 != 0) {
                                					goto L6;
                                				}
                                				goto L5;
                                			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012DAD87
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetAsyncKeyState.USER32 ref: 012DAEC0
                                • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 012DAEEE
                                • RedrawWindow.USER32(?,00000000,00000000,00000181), ref: 012DAFEF
                                  • Part of subcall function 013283B4: __EH_prolog3.LIBCMT ref: 013283BB
                                • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 012DAFB7
                                • GetWindowRect.USER32 ref: 012DB08D
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                • OffsetRect.USER32 ref: 012DB0A8
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                  • Part of subcall function 01286862: GetWindowLongW.USER32(?,000000EC), ref: 0128686D
                                • IsWindow.USER32(?), ref: 012DB0FD
                                  • Part of subcall function 012DA1DD: SendMessageW.USER32(?,00000085,00000000,00000000), ref: 012DA222
                                  • Part of subcall function 012DA1DD: SetRectEmpty.USER32 ref: 012DA22F
                                  • Part of subcall function 012DA1DD: UpdateWindow.USER32 ref: 012DA238
                                  • Part of subcall function 012E82D0: ReleaseCapture.USER32 ref: 012E8300
                                  • Part of subcall function 012E82D0: IsWindow.USER32(?), ref: 012E8321
                                  • Part of subcall function 012E82D0: DestroyWindow.USER32(?), ref: 012E8331
                                  • Part of subcall function 012E82D0: GetParent.USER32(?), ref: 012E834D
                                  • Part of subcall function 012E82D0: IsRectEmpty.USER32 ref: 012E83F9
                                  • Part of subcall function 012E82D0: IsWindowVisible.USER32(?), ref: 012E843B
                                  • Part of subcall function 012E82D0: MapWindowPoints.USER32 ref: 012E8452
                                  • Part of subcall function 012E82D0: SendMessageW.USER32(?,00000202,?,?), ref: 012E8471
                                  • Part of subcall function 012C74B8: GetParent.USER32(?), ref: 012C75B6
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$ClientMessageRectScreenSend$EmptyParent$AsyncCaptureDestroyException@8H_prolog3H_prolog3_LongOffsetPointsRedrawReleaseStateThrowUpdateVisible
                                • String ID:
                                • API String ID: 3607456503-0
                                • Opcode ID: a3ffd2bc5aacddb858dc3aafa49b0845ceaf011a49468beabc155e2fe6eb63f1
                                • Instruction ID: a375d724773fa023b4b19bf61cf6f916db0d247f55c39a0d407ac83563301ae3
                                • Opcode Fuzzy Hash: a3ffd2bc5aacddb858dc3aafa49b0845ceaf011a49468beabc155e2fe6eb63f1
                                • Instruction Fuzzy Hash: FBB15E71A20206EFDF15EFA8D898EADBBB9FF48714F14446DF2069B291DB319841CB50
                                Uniqueness

                                Uniqueness Score: 16.53%

                                C-Code - Quality: 75%
                                			E012E82D0(intOrPtr* __ecx, void* __edx, int _a4, struct tagPOINT _a8, signed short _a12) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				signed int _v28;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t45;
                                				int _t52;
                                				void* _t63;
                                				intOrPtr _t66;
                                				struct HWND__* _t77;
                                				intOrPtr* _t80;
                                				void* _t98;
                                				int _t99;
                                				RECT* _t100;
                                				signed int _t102;
                                				void* _t103;
                                
                                				_t98 = __edx;
                                				_t45 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t45 ^ _t102;
                                				_t80 = __ecx;
                                				_push(0);
                                				_t99 =  *((intOrPtr*)( *__ecx + 0x224))();
                                				if( *((char*)(__ecx + 0x160)) == 0) {
                                					__eflags = _t99;
                                					if(_t99 == 0) {
                                						L23:
                                						_t82 =  *(_t80 + 0xb0);
                                						 *((char*)(_t80 + 0x162)) = 0;
                                						__eflags =  *(_t80 + 0xb0);
                                						if(__eflags != 0) {
                                							_push(0);
                                							E012EE23B(_t80, _t82, _t98, _t99, _t100, 0);
                                						}
                                						_t49 = E01282C5F(_t80, _t80, _t99, __eflags);
                                						L26:
                                						return L01367D3E(_t49, _t80, _v8 ^ _t102, _t98, _t99, _t100);
                                					}
                                					__eflags =  *((char*)(__ecx + 0x162));
                                					if( *((char*)(__ecx + 0x162)) != 0) {
                                						goto L23;
                                					}
                                					_t52 = IsWindowVisible( *(_t99 + 0x20));
                                					__eflags = _t52;
                                					if(_t52 == 0) {
                                						goto L23;
                                					}
                                					MapWindowPoints( *(_t80 + 0x20),  *(_t99 + 0x20),  &_a8, 1);
                                					_t49 = SendMessageW( *(_t99 + 0x20), 0x202, _a4, (_a12 & 0x0000ffff) << 0x00000010 | _a8.x & 0x0000ffff);
                                					goto L26;
                                				}
                                				ReleaseCapture();
                                				 *((char*)(_t80 + 0x160)) = 0;
                                				if(_a4 == 0xffff) {
                                					L6:
                                					 *((intOrPtr*)( *_t80 + 0x30c))(0);
                                					_t63 = L012C74B8(0x13d0a78, _t98, E01282D05(_t80, _t80, _t98, GetParent( *(_t80 + 0x20))));
                                					if(_t63 != 0) {
                                						_t75 =  *((intOrPtr*)(_t63 + 0x1b8));
                                						if( *((intOrPtr*)(_t63 + 0x1b8)) != 0) {
                                							E012D2392(_t75);
                                						}
                                					}
                                					if(( *((intOrPtr*)( *_t80 + 0x1b4))() & 0x00000002) == 0) {
                                						goto L23;
                                					} else {
                                						_t66 =  *((intOrPtr*)(_t80 + 0x1ac));
                                						if(_t66 != 0 ||  *((intOrPtr*)(_t80 + 0x1b0)) >= _t66) {
                                							_t99 =  &_v24;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							if(_t66 != 0 && ( *((intOrPtr*)( *_t80 + 0x1b4))() & 0x00000002) != 0) {
                                								L01321D14(_t80 + 0x17c, _t98, 1);
                                							}
                                							_v28 = _v28 & 0x00000000;
                                							 *((intOrPtr*)( *_t80 + 0x31c))();
                                							_t100 =  *((intOrPtr*)( *_t80 + 0x2b0))( &_v28);
                                							if(_v28 == 0 && IsRectEmpty( &_v24) == 0 && _t100 != _t80) {
                                								_t99 = _t103 - 0x10;
                                								_t100 =  &_v24;
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								_t49 =  *((intOrPtr*)( *_t80 + 0x1f8))(5, 1);
                                							}
                                							goto L26;
                                						} else {
                                							goto L23;
                                						}
                                					}
                                				}
                                				_t77 =  *(_t80 + 0x174);
                                				if(_t77 != 0 && IsWindow(_t77) != 0) {
                                					DestroyWindow( *(_t80 + 0x174));
                                				}
                                				 *(_t80 + 0x174) =  *(_t80 + 0x174) & 0x00000000;
                                				goto L6;
                                			}

                                APIs
                                • ReleaseCapture.USER32 ref: 012E8300
                                • IsWindow.USER32(?), ref: 012E8321
                                • DestroyWindow.USER32(?), ref: 012E8331
                                • GetParent.USER32(?), ref: 012E834D
                                  • Part of subcall function 012C74B8: GetParent.USER32(?), ref: 012C75B6
                                • IsRectEmpty.USER32 ref: 012E83F9
                                  • Part of subcall function 01321D14: SetRectEmpty.USER32 ref: 01321D6A
                                  • Part of subcall function 01321D14: IsRectEmpty.USER32 ref: 01321D74
                                  • Part of subcall function 01321D14: SetRectEmpty.USER32 ref: 01321DCB
                                  • Part of subcall function 01321D14: SetRectEmpty.USER32 ref: 01321DD1
                                • IsWindowVisible.USER32(?), ref: 012E843B
                                • MapWindowPoints.USER32 ref: 012E8452
                                • SendMessageW.USER32(?,00000202,?,?), ref: 012E8471
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 012EE23B: GetWindowRect.USER32 ref: 012EE2B5
                                  • Part of subcall function 012EE23B: EqualRect.USER32 ref: 012EE2E0
                                  • Part of subcall function 012EE23B: BeginDeferWindowPos.USER32 ref: 012EE2ED
                                  • Part of subcall function 012EE23B: EndDeferWindowPos.USER32(?), ref: 012EE312
                                  • Part of subcall function 012EE23B: GetWindowRect.USER32 ref: 012EE3C7
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: RectWindow$Empty$DeferExceptionFilterParentProcessUnhandled$BeginCaptureCurrentDebuggerDestroyEqualMessagePointsPresentReleaseSendTerminateVisible
                                • String ID:
                                • API String ID: 3007250036-0
                                • Opcode ID: 7166899a9b6a8b636c820cb30461c23eda283f0391a38ed302d3e0ff2e6b5483
                                • Instruction ID: 7fc23a06457bd872fed711d80c4155a50e0fb988bb0c822d409fb430130b9bc8
                                • Opcode Fuzzy Hash: 7166899a9b6a8b636c820cb30461c23eda283f0391a38ed302d3e0ff2e6b5483
                                • Instruction Fuzzy Hash: 4D516D312102029BEB25AF68C88CBFA3BF9FF45341F440178EA499F196DB75D804CB60
                                Uniqueness

                                Uniqueness Score: 1.40%

                                C-Code - Quality: 88%
                                			E012D8CDF(intOrPtr* __ecx, RECT* __edx, struct tagPOINT _a4, intOrPtr _a8, intOrPtr _a12) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				signed int _v60;
                                				intOrPtr* _v64;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t63;
                                				void* _t71;
                                				void* _t72;
                                				signed int _t91;
                                				void* _t113;
                                				intOrPtr* _t114;
                                				signed int _t115;
                                				intOrPtr _t118;
                                
                                				_t112 = __edx;
                                				_t63 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t63 ^ _t115;
                                				_t114 = __ecx;
                                				_v24.left = 0;
                                				_v24.top = 0;
                                				_v24.right = 0;
                                				_v24.bottom = 0;
                                				GetWindowRect( *(__ecx + 0x20),  &_v24);
                                				_push(_a8);
                                				_t113 = PtInRect;
                                				if(PtInRect( &_v24, _a4.x) != 0) {
                                					_t71 =  *((intOrPtr*)( *_t114 + 0x198))();
                                					_t104 = 0x13d0a78;
                                					_t72 = L012C74B8(0x13d0a78, _t112, _t71);
                                					if(_t72 != 0) {
                                						L4:
                                						if( *((intOrPtr*)(_t72 + 8)) != 0) {
                                							goto L6;
                                						} else {
                                							_t91 = 0;
                                							_v60 = 0;
                                							if( *((intOrPtr*)(_t114 + 0x328)) > 0) {
                                								while(_t91 >= 0 && _t91 <  *((intOrPtr*)(_t114 + 0x328))) {
                                									_t104 =  *((intOrPtr*)( *((intOrPtr*)(_t114 + 0x324)) + _t91 * 4));
                                									_t112 =  &_v40;
                                									_v64 = _t104;
                                									 *((intOrPtr*)( *_t104 + 0xc))( &_v40);
                                									OffsetRect( &_v40, _v24.left, _v24.top);
                                									_push(_a8);
                                									if(PtInRect( &_v40, _a4.x) != 0) {
                                										_t68 = E01318FE3(_v64);
                                									} else {
                                										_v60 = _v60 + 1;
                                										if(_v60 <  *((intOrPtr*)(_t114 + 0x328))) {
                                											_t91 = _v60;
                                											continue;
                                										} else {
                                											goto L6;
                                										}
                                									}
                                									goto L19;
                                								}
                                								goto L3;
                                							} else {
                                								goto L6;
                                							}
                                						}
                                					} else {
                                						_t118 =  *0x13d0a7c; // 0x0
                                						if(_t118 != 0) {
                                							L6:
                                							_v56.left = 0;
                                							_v56.top = 0;
                                							_v56.right = 0;
                                							_v56.bottom = 0;
                                							GetClientRect( *(_t114 + 0x20),  &_v56);
                                							L01279C17(_t114,  &_v56);
                                							_push(_a8);
                                							if(PtInRect( &_v56, _a4.x) == 0) {
                                								if( *((intOrPtr*)( *_t114 + 0x164))() == 0) {
                                									L18:
                                									_t68 = 0xfffffffe;
                                								} else {
                                									_v40.left = 0;
                                									_v40.top = 0;
                                									_v40.right = 0;
                                									_v40.bottom = 0;
                                									SetRect( &_v40, _v24, _v24.top + 1, _v24.right,  *((intOrPtr*)( *_t114 + 0x1a0))() + _v24.top + 1);
                                									_push(_a8);
                                									if(PtInRect( &_v40, _a4) == 0) {
                                										goto L18;
                                									} else {
                                										_t68 = (0 | _a12 != 0x00000000) + 1;
                                									}
                                								}
                                							} else {
                                								_t68 = 1;
                                							}
                                						} else {
                                							L3:
                                							_t72 = L01277AC9(_t104);
                                							goto L4;
                                						}
                                					}
                                				}
                                				L19:
                                				return L01367D3E(_t68, 0, _v8 ^ _t115, _t112, _t113, _t114);
                                			}


                                APIs
                                • GetWindowRect.USER32 ref: 012D8D0B
                                • PtInRect.USER32(?,?,?), ref: 012D8D21
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetClientRect.USER32 ref: 012D8D76
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                • PtInRect.USER32(?,?,?), ref: 012D8D91
                                • OffsetRect.USER32 ref: 012D8DCD
                                • PtInRect.USER32(?,?,?), ref: 012D8DDD
                                • SetRect.USER32(?,?,?,?,?), ref: 012D8E38
                                • PtInRect.USER32(?,?,?), ref: 012D8E48
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 012C74B8: GetParent.USER32(?), ref: 012C75B6
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Client$ExceptionFilterProcessScreenUnhandled$CurrentDebuggerException@8OffsetParentPresentTerminateThrowWindow
                                • String ID:
                                • API String ID: 2042476133-0
                                • Opcode ID: dc8ac6d273ddd7e975bdca716482f1fcda96399b170c46de165eebb259cd52b1
                                • Instruction ID: e30ebd63cfc451580674eaecf5f2c84266258c6ff9a05d5b17c4048a8cf2d4f3
                                • Opcode Fuzzy Hash: dc8ac6d273ddd7e975bdca716482f1fcda96399b170c46de165eebb259cd52b1
                                • Instruction Fuzzy Hash: 1051097191020AEFCF15EFA9D8848EEBBF9FF58704B10486AE615E7250D7319A45CF60
                                Uniqueness

                                Uniqueness Score: 16.53%

                                C-Code - Quality: 97%
                                			E012A26EE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				int _t50;
                                				int _t53;
                                				void* _t111;
                                				intOrPtr _t115;
                                				intOrPtr _t116;
                                				void* _t118;
                                
                                				_t111 = __edx;
                                				_push(0x10);
                                				L01369601(0x1381041, __ebx, __edi, __esi);
                                				if(E0127E1CC(0x13d63e8) != 0) {
                                					L9:
                                					_t50 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t115 =  *((intOrPtr*)(_t118 + 8));
                                					if(E012789AE(_t115, 0x1391eac) == 0) {
                                						_t53 = E012789AE(_t115, 0x1391888);
                                						__eflags = _t53;
                                						if(_t53 == 0) {
                                							goto L9;
                                						} else {
                                							_t116 =  *((intOrPtr*)(_t115 + 0x438));
                                							goto L5;
                                						}
                                					} else {
                                						_t116 =  *((intOrPtr*)(_t115 + 0x220));
                                						L5:
                                						if(_t116 == 0 || IsWindowVisible( *(_t116 + 0x20)) == 0) {
                                							goto L9;
                                						} else {
                                							_t124 =  *((intOrPtr*)(_t116 + 0x314));
                                							if( *((intOrPtr*)(_t116 + 0x314)) == 0) {
                                								goto L9;
                                							} else {
                                								 *((intOrPtr*)(_t118 - 0x18)) = 0;
                                								 *((intOrPtr*)(_t118 - 0x1c)) = 0x138f894;
                                								_t113 = CreateRectRgn;
                                								 *(_t118 - 4) = 0;
                                								E0127A097(0, _t118 - 0x1c, _t111, CreateRectRgn, CreateRectRgn(0, 0,  *(_t118 + 0xc),  *(_t118 + 0x10)));
                                								 *((intOrPtr*)(_t118 - 0x10)) = 0;
                                								 *((intOrPtr*)(_t118 - 0x14)) = 0x138f894;
                                								 *(_t118 - 4) = 1;
                                								E0127A097(0, _t118 - 0x14, _t111, CreateRectRgn, CreateRectRgn(0, 0, 5, 5));
                                								E0127A0F1(E0128A0C6(_t118 - 0x1c, _t118 - 0x14, _t118 - 0x1c, 3), _t118 - 0x14);
                                								E0127A097(0, _t118 - 0x14, _t111, CreateRectRgn, CreateEllipticRgn(0, 0, 0xb, 0xb));
                                								E0127A0F1(E0128A0C6(_t118 - 0x1c, _t118 - 0x14, _t118 - 0x1c, 2), _t118 - 0x14);
                                								E0127A097(0, _t118 - 0x14, _t111, CreateRectRgn, CreateRectRgn( *(_t118 + 0xc) + 0xfffffffb, 0,  *(_t118 + 0xc), 5));
                                								E0127A0F1(E0128A0C6(_t118 - 0x1c, _t118 - 0x14, _t118 - 0x1c, 3), _t118 - 0x14);
                                								E0127A097(0, _t118 - 0x14, _t111, _t113, CreateEllipticRgn( *(_t118 + 0xc) + 0xfffffff6, 0,  *(_t118 + 0xc) + 1, 0xb));
                                								E0128A0C6(_t118 - 0x1c, _t118 - 0x14, _t118 - 0x1c, 2);
                                								SetWindowRgn( *( *((intOrPtr*)(_t118 + 8)) + 0x20), E0127A0C5(0, _t118 - 0x1c, _t111), 1);
                                								 *(_t118 - 4) = 0;
                                								 *((intOrPtr*)(_t118 - 0x14)) = 0x138f894;
                                								E0127A27E(0, _t118 - 0x14, _t113, 0x138f894, _t124);
                                								 *(_t118 - 4) =  *(_t118 - 4) | 0xffffffff;
                                								 *((intOrPtr*)(_t118 - 0x1c)) = 0x138f894;
                                								E0127A27E(0, _t118 - 0x1c, _t113, 0x138f894, _t124);
                                								_t50 = 1;
                                							}
                                						}
                                					}
                                				}
                                				return L013696D9(_t50);
                                			}


                                APIs
                                • __EH_prolog3.LIBCMT ref: 012A26F5
                                • IsWindowVisible.USER32(?), ref: 012A274E
                                • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 012A2784
                                • CreateRectRgn.GDI32(00000000,00000000,00000005,00000005), ref: 012A279F
                                  • Part of subcall function 0128A0C6: CombineRgn.GDI32(?,?,?,?), ref: 0128A0EB
                                  • Part of subcall function 0127A0F1: DeleteObject.GDI32(00000000), ref: 0127A100
                                • CreateEllipticRgn.GDI32(00000000,00000000,0000000B,0000000B), ref: 012A27CA
                                • CreateRectRgn.GDI32(?,00000000,?,00000005), ref: 012A27FE
                                • CreateEllipticRgn.GDI32(?,00000000,?,0000000B), ref: 012A2831
                                • SetWindowRgn.USER32(?,00000000,00000001), ref: 012A2863
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Create$Rect$EllipticWindow$CombineDeleteH_prolog3H_prolog3_catch_ObjectVisible
                                • String ID:
                                • API String ID: 4269252787-0
                                • Opcode ID: 086e995fd223f9fbca5f2de81188ab8e40dd1e3cba275b14ea0cc0dc63a39317
                                • Instruction ID: a3795d289ced808a1bad8bfd423ab87897d0e59bbb9fa5526ca695c3bba57293
                                • Opcode Fuzzy Hash: 086e995fd223f9fbca5f2de81188ab8e40dd1e3cba275b14ea0cc0dc63a39317
                                • Instruction Fuzzy Hash: 43511A72D1020BABDB15EBA0CD95EFFBB78AF24310F544519B612B71D0EB349A05CBA1
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 96%
                                			E0128E1B6(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t46;
                                				intOrPtr _t47;
                                				intOrPtr* _t49;
                                				struct HWND__* _t52;
                                				struct HWND__* _t54;
                                				intOrPtr* _t61;
                                				intOrPtr _t67;
                                				intOrPtr* _t88;
                                				intOrPtr* _t90;
                                				intOrPtr* _t93;
                                				void* _t94;
                                
                                				_t87 = __edi;
                                				_t86 = __edx;
                                				_t78 = __ecx;
                                				_push(0x20);
                                				L01369601(0x1380455, __ebx, __edi, __esi);
                                				_t93 = __ecx;
                                				L0128D51C(__ecx, 1);
                                				_t46 =  *((intOrPtr*)(__ecx + 0x438));
                                				if(_t46 != 0) {
                                					_t78 = _t46 + 0x33c;
                                					if(E012C00E2(_t46 + 0x33c) != 0) {
                                						SendMessageW( *( *((intOrPtr*)(__ecx + 0x438)) + 0x20), 0x10, 0, 0);
                                					}
                                				}
                                				_t47 =  *((intOrPtr*)(_t93 + 0x434));
                                				_t98 = _t47;
                                				if(_t47 == 0 || E01282D31(0, _t78, _t86, _t87, _t93, _t98,  *((intOrPtr*)(_t47 + 0x20))) == 0) {
                                					L10:
                                					L012C1E45(_t93);
                                					_t88 =  *((intOrPtr*)(_t93 + 0x310));
                                					while(_t88 != 0) {
                                						_t49 = _t88;
                                						__eflags = _t88;
                                						if(__eflags == 0) {
                                							L01277AC9(_t78);
                                							L17:
                                							_t78 = _t94 - 0x2c;
                                							L013316F2(_t94 - 0x2c, __eflags,  *(_t88 + 0x20));
                                							_t52 = GetWindow( *(_t88 + 0x20), 2);
                                							L18:
                                							_t88 = E01282D05(0, _t78, _t86, _t52);
                                							if(_t88 != 0) {
                                								goto L17;
                                							}
                                							_t90 =  *((intOrPtr*)(_t94 - 0x28));
                                							while(1) {
                                								_t106 = _t90;
                                								if(_t90 == 0) {
                                									break;
                                								}
                                								_t54 =  *(_t90 + 8);
                                								_t90 =  *_t90;
                                								 *(_t94 - 0x10) = _t54;
                                								__eflags = IsWindow(_t54);
                                								if(__eflags != 0) {
                                									__eflags = GetParent( *(_t94 - 0x10)) -  *(_t93 + 0x20);
                                									if(__eflags == 0) {
                                										DestroyWindow( *(_t94 - 0x10));
                                									}
                                								}
                                							}
                                							 *((intOrPtr*)(_t93 + 0x118)) = 0;
                                							L012B9A9E(0, _t93, _t86, _t90, _t106);
                                							 *(_t94 - 4) =  *(_t94 - 4) | 0xffffffff;
                                							 *((intOrPtr*)(_t94 - 0x2c)) = 0x1390b30;
                                							return L013696D9(E0133286E(_t94 - 0x2c));
                                						}
                                						_t88 =  *_t88;
                                						_t61 = E012789CC(0x13d04b0,  *((intOrPtr*)(_t49 + 8)));
                                						_pop(_t78);
                                						__eflags = _t61;
                                						if(__eflags != 0) {
                                							_t86 =  *_t61;
                                							_t78 = _t61;
                                							 *((intOrPtr*)( *_t61 + 0x60))();
                                						}
                                					}
                                					 *((intOrPtr*)(_t94 - 0x2c)) = 0x1390b30;
                                					 *((intOrPtr*)(_t94 - 0x20)) = 0;
                                					 *((intOrPtr*)(_t94 - 0x1c)) = 0;
                                					 *((intOrPtr*)(_t94 - 0x24)) = 0;
                                					 *((intOrPtr*)(_t94 - 0x28)) = 0;
                                					 *((intOrPtr*)(_t94 - 0x18)) = 0;
                                					 *((intOrPtr*)(_t94 - 0x14)) = 0xa;
                                					 *(_t94 - 4) = 0;
                                					_t52 = GetTopWindow( *(_t93 + 0x20));
                                					goto L18;
                                				} else {
                                					if(E01282D05(0, _t78, _t86, GetParent( *( *((intOrPtr*)(_t93 + 0x434)) + 0x20))) == _t93) {
                                						_t67 =  *((intOrPtr*)(_t93 + 0x438));
                                						if(_t67 != 0 &&  *((intOrPtr*)(_t67 + 0x140)) == 0) {
                                							E0128699F( *((intOrPtr*)(_t93 + 0x434)), 0);
                                							E0128C69C( *((intOrPtr*)(_t93 + 0x434)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x434)))) + 0x198))());
                                							_t78 =  *((intOrPtr*)(_t93 + 0x438)) + 0x14c;
                                							E012AEA47( *((intOrPtr*)(_t93 + 0x438)) + 0x14c,  *((intOrPtr*)(_t93 + 0x434)));
                                						}
                                					}
                                					 *((intOrPtr*)(_t93 + 0x434)) = 0;
                                					goto L10;
                                				}
                                			}


                                APIs
                                • __EH_prolog3.LIBCMT ref: 0128E1BD
                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0128E1F3
                                • GetParent.USER32(?), ref: 0128E218
                                  • Part of subcall function 0128699F: ShowWindow.USER32(00000000,?), ref: 012869B0
                                  • Part of subcall function 0128C69C: SetParent.USER32 ref: 0128C6AF
                                • GetTopWindow.USER32 ref: 0128E2D2
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetWindow.USER32(?,00000002), ref: 0128E2F0
                                • IsWindow.USER32(?), ref: 0128E310
                                • GetParent.USER32(?), ref: 0128E31D
                                • DestroyWindow.USER32(?), ref: 0128E32B
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Parent$DestroyException@8H_prolog3MessageSendShowThrow
                                • String ID:
                                • API String ID: 3586138571-0
                                • Opcode ID: dd01f6a3d4ed98c52e82b03091f6bc2f1cd249c799ddd5e78a1b204692f68495
                                • Instruction ID: 064040faa85d99a2aef4b1531caa0be30869afedfd02dbd9e4a00a44ac43b892
                                • Opcode Fuzzy Hash: dd01f6a3d4ed98c52e82b03091f6bc2f1cd249c799ddd5e78a1b204692f68495
                                • Instruction Fuzzy Hash: BF416D71622206DFDB25BFB8C884AFDBBB5BF48314F56142CE356A7291CB30A940CB50
                                Uniqueness

                                Uniqueness Score: 10.55%

                                C-Code - Quality: 85%
                                			E01300232(void* __ebx, struct HWND__* __ecx, void* __edx, void* __eflags, struct tagPOINT _a4, intOrPtr _a8) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t27;
                                				intOrPtr* _t33;
                                				intOrPtr* _t43;
                                				intOrPtr* _t53;
                                				intOrPtr* _t54;
                                				intOrPtr* _t58;
                                				void* _t64;
                                				intOrPtr* _t65;
                                				struct HWND__* _t66;
                                				signed int _t67;
                                
                                				_t64 = __edx;
                                				_t55 = __ecx;
                                				_t52 = __ebx;
                                				_t27 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t27 ^ _t67;
                                				_t66 = __ecx;
                                				ScreenToClient( *(__ecx + 0x20),  &_a4);
                                				_t65 = 0;
                                				_v24.left = 0;
                                				_v24.top = 0;
                                				_v24.right = 0;
                                				_v24.bottom = 0;
                                				_t33 = E012789CC(0x13d0898, E01282D05(__ebx, _t55, _t64, GetParent( *(_t66 + 0x20))));
                                				if(_t33 != 0) {
                                					_push(__ebx);
                                					_t53 = _t33;
                                					_t58 = _t33;
                                					while(1) {
                                						_t65 = E012BA661(_t53, _t58, _t64);
                                						if(_t65 == 0) {
                                							break;
                                						}
                                						_t54 =  *((intOrPtr*)( *_t65 + 0x1c0))();
                                						GetClientRect( *(_t54 + 0x20),  &_v24);
                                						MapWindowPoints( *(_t54 + 0x20),  *(_t66 + 0x20),  &_v24, 2);
                                						_push(_a8);
                                						if(PtInRect( &_v24, _a4.x) != 0) {
                                							_t43 = _t54;
                                						} else {
                                							_t53 = _t65;
                                							_t58 = _t65;
                                							continue;
                                						}
                                						L11:
                                						_pop(_t52);
                                						goto L12;
                                					}
                                					_t65 = E012BA6B2(_t53);
                                					if(_t65 == 0) {
                                						L10:
                                						_t43 = 0;
                                					} else {
                                						GetClientRect( *(_t65 + 0x20),  &_v24);
                                						MapWindowPoints( *(_t65 + 0x20), _t66,  &_v24, 2);
                                						_push(_a8);
                                						if(PtInRect( &_v24, _a4) == 0) {
                                							goto L10;
                                						} else {
                                							_t43 = _t65;
                                						}
                                					}
                                					goto L11;
                                				} else {
                                					_t43 = 0;
                                				}
                                				L12:
                                				return L01367D3E(_t43, _t52, _v8 ^ _t67, _t64, _t65, _t66);
                                			}


















                                APIs
                                • ScreenToClient.USER32(?,?), ref: 0130024F
                                • GetParent.USER32(?), ref: 01300266
                                • GetClientRect.USER32 ref: 013002A4
                                • MapWindowPoints.USER32 ref: 013002B7
                                • PtInRect.USER32(?,?,?), ref: 013002C7
                                • GetClientRect.USER32 ref: 013002F4
                                • MapWindowPoints.USER32 ref: 01300307
                                • PtInRect.USER32(?,?,?), ref: 01300317
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Client$ExceptionFilterPointsProcessUnhandledWindow$CurrentDebuggerParentPresentScreenTerminate
                                • String ID:
                                • API String ID: 399918142-0
                                • Opcode ID: 142877ac4ad5c4413cc4fcee3852404724173bc46435c12638fc2f9a402fcfae
                                • Instruction ID: 24ccdbf82f2694aa9c821e8c70f935b321f54c79edc6fc78ca7e11d311525f1a
                                • Opcode Fuzzy Hash: 142877ac4ad5c4413cc4fcee3852404724173bc46435c12638fc2f9a402fcfae
                                • Instruction Fuzzy Hash: BB315E72600209AFDB16AFA5D8589FEBBFDFF48354B50442AF946D7250EB70D901CB60
                                Uniqueness

                                Uniqueness Score: 1.15%

                                C-Code - Quality: 97%
                                			E0129001A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t28;
                                				struct HACCEL__* _t30;
                                				struct HWND__* _t31;
                                				struct HWND__* _t45;
                                				void* _t52;
                                				void* _t54;
                                				void* _t56;
                                				struct HWND__* _t58;
                                				void* _t59;
                                				void* _t62;
                                
                                				_t55 = __esi;
                                				_t52 = __edx;
                                				_t46 = __ecx;
                                				_push(0x1c);
                                				L01369601(0x138039e, __ebx, __edi, __esi);
                                				_t54 = __ecx;
                                				_t28 =  *0x13d97c0; // 0x0
                                				_t45 = 0;
                                				if(_t28 != 0) {
                                					SendMessageW( *(_t28 + 0x20), 0x10, 0, 0);
                                				}
                                				_t62 =  *0x13d98fc - _t54; // 0x0
                                				if(_t62 == 0) {
                                					 *0x13d98fc = E012789CC(0x1393e4c, E01282D31(_t45, _t46, _t52, _t54, _t55, _t62,  *((intOrPtr*)(_t54 + 0x194))));
                                				}
                                				_t47 = _t54 + 0x198;
                                				E012C0970(_t54 + 0x198);
                                				_t30 =  *(_t54 + 0x80);
                                				if(_t30 != _t45) {
                                					DestroyAcceleratorTable(_t30);
                                					 *(_t54 + 0x80) = _t45;
                                				}
                                				 *(_t54 + 0x2a0) = _t45;
                                				 *((intOrPtr*)(_t59 - 0x28)) = 0x1390b30;
                                				 *(_t59 - 0x1c) = _t45;
                                				 *(_t59 - 0x18) = _t45;
                                				 *(_t59 - 0x20) = _t45;
                                				 *(_t59 - 0x24) = _t45;
                                				 *(_t59 - 0x14) = _t45;
                                				 *((intOrPtr*)(_t59 - 0x10)) = 0xa;
                                				 *(_t59 - 4) = _t45;
                                				_t31 = GetTopWindow( *(_t54 + 0x20));
                                				while(1) {
                                					_t56 = E01282D05(_t45, _t47, _t52, _t31);
                                					if(_t56 == _t45) {
                                						break;
                                					}
                                					_t47 = _t59 - 0x28;
                                					L013316F2(_t59 - 0x28, __eflags,  *(_t56 + 0x20));
                                					_t31 = GetWindow( *(_t56 + 0x20), 2);
                                				}
                                				_t58 =  *(_t59 - 0x24);
                                				if(_t58 != _t45) {
                                					do {
                                						_t45 =  *(_t58 + 8);
                                						_t58 = _t58->i;
                                						if(IsWindow(_t45) != 0 && GetParent(_t45) ==  *(_t54 + 0x20)) {
                                							DestroyWindow(_t45);
                                						}
                                					} while (_t58 != 0);
                                				}
                                				L012C984A(_t45, _t54, _t52, _t54);
                                				 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
                                				 *((intOrPtr*)(_t59 - 0x28)) = 0x1390b30;
                                				return L013696D9(E0133286E(_t59 - 0x28));
                                			}














                                APIs
                                • __EH_prolog3.LIBCMT ref: 01290021
                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0129003A
                                  • Part of subcall function 012C0970: IsWindowVisible.USER32(?), ref: 012C09AB
                                • DestroyAcceleratorTable.USER32(?), ref: 0129007B
                                • GetTopWindow.USER32 ref: 012900B0
                                • GetWindow.USER32(?,00000002), ref: 012900C9
                                • IsWindow.USER32(?), ref: 012900E8
                                • GetParent.USER32(?), ref: 012900F3
                                • DestroyWindow.USER32(?), ref: 012900FF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Destroy$AcceleratorH_prolog3MessageParentSendTableVisible
                                • String ID:
                                • API String ID: 3117088925-0
                                • Opcode ID: 94f462b18b89ce59aac29cc2edaee0c2fbb5257709570a1ffd943e0c79bed0b2
                                • Instruction ID: 5ae84cac0ed485a5028cfac6899388f1253c31eb199517223e5326e54f7cd19d
                                • Opcode Fuzzy Hash: 94f462b18b89ce59aac29cc2edaee0c2fbb5257709570a1ffd943e0c79bed0b2
                                • Instruction Fuzzy Hash: 65315471910316DFCF25AF79D888AAEBBB8BF08328F54161CF555B7240DB309944CB64
                                Uniqueness

                                Uniqueness Score: 5.54%

                                C-Code - Quality: 78%
                                			E012A4D5A(void* __edx, int _a4) {
                                				signed int _v8;
                                				char _v264;
                                				short _v268;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t17;
                                				struct HKL__* _t25;
                                				signed int _t32;
                                				void* _t40;
                                				void* _t41;
                                				void* _t45;
                                				int _t47;
                                				void* _t48;
                                				void* _t51;
                                				signed int _t55;
                                
                                				_t45 = __edx;
                                				_t53 = _t55;
                                				_t17 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t17 ^ _t55;
                                				_t47 = _a4;
                                				if(_t47 - 0x60 > 9 || (0x00008000 & GetAsyncKeyState(0x12)) != 0) {
                                					if( *0x13d83f4 != 0) {
                                						goto L8;
                                					} else {
                                						if(_t47 - 0x41 <= 0x19 || (0x00008000 & GetAsyncKeyState(0x12)) != 0) {
                                							_t32 = _t47;
                                						} else {
                                							_t32 = E0136C6E1(_t47);
                                						}
                                					}
                                				} else {
                                					L8:
                                					L01367D50( &_v268, 0, 4);
                                					if(GetKeyboardState( &_v264) == 0) {
                                						L01277AC9(_t41);
                                					}
                                					_t25 = GetKeyboardLayout( *(E0127605F() + 0x30));
                                					ToUnicodeEx(_t47, MapVirtualKeyW(_t47, 0),  &_v264,  &_v268, 2, 1, _t25);
                                					CharUpperW( &_v268);
                                					_t32 = _v268 & 0x0000ffff;
                                				}
                                				_pop(_t48);
                                				_pop(_t51);
                                				_pop(_t40);
                                				return L01367D3E(_t32, _t40, _v8 ^ _t53, _t45, _t48, _t51);
                                			}





















                                APIs
                                • GetAsyncKeyState.USER32 ref: 012A4D8A
                                • GetAsyncKeyState.USER32 ref: 012A4DA4
                                  • Part of subcall function 0136C6E1: __toupper_l.LIBCMT ref: 0136C704
                                • _memset.LIBCMT ref: 012A4DC3
                                • GetKeyboardState.USER32(?), ref: 012A4DD2
                                • GetKeyboardLayout.USER32 ref: 012A4DE9
                                • MapVirtualKeyW.USER32(?,00000000), ref: 012A4E05
                                • ToUnicodeEx.USER32 ref: 012A4E0D
                                • CharUpperW.USER32 ref: 012A4E1A
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: State$AsyncExceptionFilterKeyboardProcessUnhandled$CharCurrentDebuggerException@8LayoutPresentTerminateThrowUnicodeUpperVirtual__toupper_l_memset
                                • String ID:
                                • API String ID: 1498690879-0
                                • Opcode ID: 6d40e11c6b61d667079cb6211065cecef97a0aebffd7e0d1e40f3dbd0a937b4a
                                • Instruction ID: 2d61c519cf4e841fcd1d7d9253fd310b7b8a3a6e82fb27dabb0065026d9f4ec2
                                • Opcode Fuzzy Hash: 6d40e11c6b61d667079cb6211065cecef97a0aebffd7e0d1e40f3dbd0a937b4a
                                • Instruction Fuzzy Hash: 7221C271A1020AABDB20BB65DC44FFD776CAB14745F840066F740E6085DBB0D9858BB1
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 93%
                                			E01274B73(void* __ecx, short* _a4) {
                                				void* _v8;
                                				void* _t17;
                                				void* _t23;
                                				void* _t37;
                                
                                				_push(__ecx);
                                				_t37 = __ecx;
                                				_t17 =  *(__ecx + 0x78);
                                				if(_t17 != 0) {
                                					_t17 = lstrcmpW(GlobalLock(_t17) + ( *(_t18 + 2) & 0x0000ffff) * 2, _a4);
                                					if(_t17 == 0) {
                                						_t17 = OpenPrinterW(_a4,  &_v8, 0);
                                						if(_t17 != 0) {
                                							_t21 =  *(_t37 + 0x74);
                                							if( *(_t37 + 0x74) != 0) {
                                								E0127AAB7(_t21);
                                							}
                                							_t23 = GlobalAlloc(0x42, DocumentPropertiesW(0, _v8, _a4, 0, 0, 0));
                                							 *(_t37 + 0x74) = _t23;
                                							if(DocumentPropertiesW(0, _v8, _a4, GlobalLock(_t23), 0, 2) != 1) {
                                								E0127AAB7( *(_t37 + 0x74));
                                								 *(_t37 + 0x74) = 0;
                                							}
                                							_t17 = ClosePrinter(_v8);
                                						}
                                					}
                                				}
                                				return _t17;
                                			}








                                APIs
                                • GlobalLock.KERNEL32 ref: 01274B92
                                • lstrcmpW.KERNEL32(00000000,?), ref: 01274B9F
                                • OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 01274BB1
                                • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 01274BD1
                                • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 01274BD9
                                • GlobalLock.KERNEL32 ref: 01274BE3
                                • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 01274BF0
                                • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 01274C08
                                  • Part of subcall function 0127AAB7: GlobalFlags.KERNEL32(?), ref: 0127AAC6
                                  • Part of subcall function 0127AAB7: GlobalUnlock.KERNEL32(?,?,?,?,012754F1,?,00000414,01271A2B), ref: 0127AAD7
                                  • Part of subcall function 0127AAB7: GlobalFree.KERNEL32(?), ref: 0127AAE1
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                • String ID:
                                • API String ID: 168474834-0
                                • Opcode ID: 9fa042bea0eab636d644047d5af7e31de2e7b0e73dfa91d9a0aa89a4701047dc
                                • Instruction ID: 4268af002e79381858481da9e33c96cea78ba75e19afd762fe6d270bf34c5f29
                                • Opcode Fuzzy Hash: 9fa042bea0eab636d644047d5af7e31de2e7b0e73dfa91d9a0aa89a4701047dc
                                • Instruction Fuzzy Hash: DB11A072500605BAEB32ABAADD89CAF7FFDEB85B04B040419F700D2120D635DA40DB20
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 100%
                                			E01286BE3(void* __ecx) {
                                				struct HDC__* _t15;
                                				void* _t17;
                                
                                				_t17 = __ecx;
                                				 *((intOrPtr*)(_t17 + 8)) = GetSystemMetrics(0xb);
                                				 *((intOrPtr*)(_t17 + 0xc)) = GetSystemMetrics(0xc);
                                				 *0x13d8238 = GetSystemMetrics(2) + 1;
                                				 *0x13d823c = GetSystemMetrics(3) + 1;
                                				_t15 = GetDC(0);
                                				 *((intOrPtr*)(_t17 + 0x18)) = GetDeviceCaps(_t15, 0x58);
                                				 *((intOrPtr*)(_t17 + 0x1c)) = GetDeviceCaps(_t15, 0x5a);
                                				return ReleaseDC(0, _t15);
                                			}






                                APIs
                                • GetSystemMetrics.USER32 ref: 01286BF2
                                • GetSystemMetrics.USER32 ref: 01286BF9
                                • GetSystemMetrics.USER32 ref: 01286C00
                                • GetSystemMetrics.USER32 ref: 01286C0A
                                • GetDC.USER32(00000000), ref: 01286C14
                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 01286C25
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01286C2D
                                • ReleaseDC.USER32(00000000,00000000), ref: 01286C35
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MetricsSystem$CapsDevice$Release
                                • String ID:
                                • API String ID: 1151147025-0
                                • Opcode ID: 9b318c044661533e7aa6632f3fd0256ffe44ad05d97b06b63b1b2b5bfb8798dd
                                • Instruction ID: 5eb8e6c605fc1a12e9b18ac30ff2955df398f37a775d374a4ef78d0043a68632
                                • Opcode Fuzzy Hash: 9b318c044661533e7aa6632f3fd0256ffe44ad05d97b06b63b1b2b5bfb8798dd
                                • Instruction Fuzzy Hash: 24F01DB1E80714BAE7205B72AC89B6A7FA8EB44761F005516E6059B280DBB598118FD0
                                Uniqueness

                                Uniqueness Score: 0.25%

                                C-Code - Quality: 97%
                                			E012BE722(void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                                				struct HMENU__* _t159;
                                				intOrPtr _t162;
                                				signed int _t166;
                                				signed int _t167;
                                				signed int _t177;
                                				signed int _t178;
                                				void* _t183;
                                				signed int _t195;
                                				signed int _t198;
                                				void* _t199;
                                				signed int _t203;
                                				signed int _t206;
                                				signed int _t209;
                                				short _t217;
                                				intOrPtr _t219;
                                				signed int _t220;
                                				signed int _t227;
                                				intOrPtr _t229;
                                				void* _t235;
                                				signed int _t239;
                                				signed int _t242;
                                				signed int _t243;
                                				signed int _t246;
                                				signed int _t288;
                                				intOrPtr _t289;
                                				signed int _t290;
                                				signed int _t292;
                                				void* _t293;
                                				void* _t294;
                                				struct HMENU__* _t296;
                                
                                				_t283 = __edx;
                                				_t247 = __ecx;
                                				_push(0x314);
                                				L0136966A(0x1381f29, __ebx, __edi, __esi);
                                				_t288 = __ecx;
                                				 *(_t293 - 0x314) = __ecx;
                                				_t292 =  *((intOrPtr*)( *__ecx + 0x1c0))();
                                				_t159 =  *(__ecx + 0xea8);
                                				_t242 = 0;
                                				_t296 = _t159;
                                				if(_t296 == 0) {
                                					L10:
                                					_t162 =  *((intOrPtr*)( *((intOrPtr*)(E012792EF(_t242, _t288, _t292, __eflags) + 4)) + 0x8c));
                                					 *((intOrPtr*)(_t293 - 0x320)) = _t162;
                                					__eflags = _t162 - _t242;
                                					if(_t162 == _t242) {
                                						L32:
                                						_t283 =  *0x13d9934; // 0x0
                                						__eflags = _t283;
                                						if(_t283 == 0) {
                                							L59:
                                							_t243 =  *((intOrPtr*)( *_t292 + 0x3c4))();
                                							__eflags = _t243;
                                							if(_t243 == 0) {
                                								L61:
                                								_t243 = E0127E493(_t243, _t283, _t288);
                                								L62:
                                								__eflags = _t243;
                                								if(_t243 != 0) {
                                									 *((intOrPtr*)( *_t292 + 0x240))(_t243, 0);
                                								}
                                								_t166 =  *0x13d98fc; // 0x0
                                								__eflags = _t166;
                                								if(__eflags == 0) {
                                									_t166 = L01283CE7(_t288);
                                								}
                                								_push(_t288);
                                								_push(_t166);
                                								_t167 = L012BBC3B(_t243, _t283, _t288, _t292, __eflags);
                                								__eflags = _t167;
                                								if(_t167 == 0) {
                                									L8:
                                									goto L68;
                                								} else {
                                									 *((intOrPtr*)( *_t288 + 0x174))(1);
                                									__eflags = 1;
                                									L68:
                                									return L013696ED(_t243, _t288, _t292);
                                								}
                                							}
                                							_t177 =  *((intOrPtr*)( *_t243 + 0x14c))();
                                							__eflags = _t177;
                                							if(_t177 != 0) {
                                								goto L62;
                                							}
                                							goto L61;
                                						}
                                						__eflags =  *0x13d83d4; // 0x0
                                						if(__eflags != 0) {
                                							goto L59;
                                						}
                                						_t178 =  *(_t292 + 0xbcc);
                                						 *(_t293 - 0x310) = 0;
                                						 *(_t293 - 0x304) = 0;
                                						 *(_t293 - 0x308) = 0;
                                						__eflags = _t178;
                                						if(_t178 == 0) {
                                							goto L59;
                                						}
                                						while(1) {
                                							_t247 = _t178;
                                							__eflags = _t178;
                                							if(__eflags == 0) {
                                								break;
                                							}
                                							 *(_t293 - 0x30c) =  *_t178;
                                							_t242 =  *(_t178 + 8);
                                							__eflags = _t242;
                                							__eflags = 0 | _t242 != 0x00000000;
                                							if(__eflags == 0) {
                                								break;
                                							}
                                							__eflags =  *((intOrPtr*)(_t283 + 0x20)) -  *((intOrPtr*)(_t242 + 0x20));
                                							if( *((intOrPtr*)(_t283 + 0x20)) !=  *((intOrPtr*)(_t242 + 0x20))) {
                                								__eflags =  *(_t242 + 0x24) & 0x00000001;
                                								if(( *(_t242 + 0x24) & 0x00000001) == 0) {
                                									 *(_t293 - 0x308) =  *(_t293 - 0x308) & 0x00000000;
                                								} else {
                                									__eflags =  *(_t293 - 0x308);
                                									if( *(_t293 - 0x308) != 0) {
                                										_t150 = _t292 + 0xbc8; // 0xbc8
                                										L012E7758(_t150, _t247);
                                										 *((intOrPtr*)( *_t242 + 4))(1);
                                									}
                                									 *(_t293 - 0x308) = 1;
                                								}
                                								L58:
                                								 *(_t293 - 0x304) =  *(_t293 - 0x304) + 1;
                                								__eflags =  *(_t293 - 0x30c);
                                								if( *(_t293 - 0x30c) != 0) {
                                									_t178 =  *(_t293 - 0x30c);
                                									_t283 =  *0x13d9934; // 0x0
                                									continue;
                                								}
                                								goto L59;
                                							}
                                							__eflags =  *0x13d97c4;
                                							_t100 = _t283 + 4; // 0x4
                                							_t288 = _t100;
                                							if( *0x13d97c4 == 0) {
                                								L42:
                                								_t102 = _t292 + 0xbc8; // 0xbc8
                                								L012E7758(_t102, _t247);
                                								_t247 = _t242;
                                								 *((intOrPtr*)( *_t242 + 4))(1);
                                								L43:
                                								__eflags =  *(_t293 - 0x310);
                                								if( *(_t293 - 0x310) != 0) {
                                									L57:
                                									_t288 =  *(_t293 - 0x314);
                                									goto L58;
                                								}
                                								__eflags =  *(_t293 - 0x308);
                                								if( *(_t293 - 0x308) == 0) {
                                									__eflags =  *(_t288 + 0xc);
                                									if( *(_t288 + 0xc) != 0) {
                                										__eflags =  *(_t292 + 0xbd4);
                                										if( *(_t292 + 0xbd4) != 0) {
                                											_t247 = _t292;
                                											 *((intOrPtr*)( *_t292 + 0x348))( *(_t293 - 0x304));
                                											_t110 = _t293 - 0x304;
                                											 *_t110 =  *(_t293 - 0x304) + 1;
                                											__eflags =  *_t110;
                                										}
                                									}
                                								}
                                								_t242 =  *(_t288 + 4);
                                								while(1) {
                                									__eflags = _t242;
                                									if(_t242 == 0) {
                                										break;
                                									}
                                									_t195 = _t242;
                                									__eflags = _t242;
                                									if(__eflags == 0) {
                                										goto L2;
                                									}
                                									_t289 =  *((intOrPtr*)(_t195 + 8));
                                									_t242 =  *_t242;
                                									_t198 = L012A535A(L012A524F(),  *(_t289 + 0x10), 1);
                                									_t288 =  *(_t289 + 0x10);
                                									__eflags = _t198 - 0xffffffff;
                                									_t119 = _t198 + 1; // 0x1
                                									asm("sbb ecx, ecx");
                                									_t199 = L012DDF79(_t242, _t293 - 0x300, _t288, _t292, __eflags);
                                									_t283 =  *_t292;
                                									 *(_t293 - 4) = 3;
                                									 *((intOrPtr*)( *_t292 + 0x344))(_t199,  *(_t293 - 0x304), _t288, 0,  ~_t119 & _t198,  *((intOrPtr*)(_t289 + 4)), 0 | __eflags != 0x00000000);
                                									 *(_t293 - 0x304) =  *(_t293 - 0x304) + 1;
                                									_t126 = _t293 - 4;
                                									 *_t126 =  *(_t293 - 4) | 0xffffffff;
                                									__eflags =  *_t126;
                                									_t247 = _t293 - 0x300;
                                									L012DCBE8(_t242, _t293 - 0x300,  *_t292, _t288, _t292,  *_t126);
                                								}
                                								__eflags =  *(_t293 - 0x30c) - _t242;
                                								if( *(_t293 - 0x30c) != _t242) {
                                									_t203 =  *((intOrPtr*)( *_t292 + 0x348))( *(_t293 - 0x304));
                                									 *(_t293 - 0x304) =  *(_t293 - 0x304) + 1;
                                									__eflags = _t203;
                                									if(_t203 < 0) {
                                										_t135 = _t293 - 0x308;
                                										 *_t135 =  *(_t293 - 0x308) & 0x00000000;
                                										__eflags =  *_t135;
                                									} else {
                                										 *(_t293 - 0x308) = 1;
                                									}
                                								}
                                								 *(_t293 - 0x310) = 1;
                                								goto L57;
                                							}
                                							__eflags =  *(_t288 + 0xc);
                                							if( *(_t288 + 0xc) == 0) {
                                								goto L43;
                                							}
                                							goto L42;
                                						}
                                						L2:
                                						_t179 = L01277AC9(_t247);
                                						L3:
                                						_t297 =  *((intOrPtr*)(_t288 + 0x148)) - _t242;
                                						if( *((intOrPtr*)(_t288 + 0x148)) != _t242) {
                                							L5:
                                							if(E012BA2C9(_t179, _t283) == 0) {
                                								_t283 =  *_t292;
                                								__eflags =  *((intOrPtr*)(_t288 + 0x148)) - _t242;
                                								__eflags = (0 |  *((intOrPtr*)(_t288 + 0x148)) != _t242) - _t242;
                                								_t247 = _t292;
                                								_t183 =  *((intOrPtr*)( *_t292 + 0x434))( *((intOrPtr*)(_t288 + 0xea8)), 0 | __eflags == 0x00000000);
                                							} else {
                                								_t247 = _t292;
                                								_t183 =  *((intOrPtr*)( *_t292 + 0x434))( *((intOrPtr*)(_t288 + 0xea8)), 1);
                                							}
                                							if(_t183 != 0) {
                                								goto L10;
                                							}
                                							goto L8;
                                						}
                                						_push(_t292);
                                						_push( *((intOrPtr*)(_t288 + 0xea8)));
                                						_t247 = 0x13d95c8;
                                						if(L012A5A10(_t242, 0x13d95c8, _t283, _t288, _t292, _t297) != 0) {
                                							goto L10;
                                						}
                                						goto L5;
                                					}
                                					__eflags =  *0x13d83d4 - _t242; // 0x0
                                					if(__eflags != 0) {
                                						goto L32;
                                					}
                                					_t206 =  *(_t292 + 0xbcc);
                                					 *(_t293 - 0x308) = _t242;
                                					 *(_t293 - 0x310) = _t242;
                                					__eflags = _t206 - _t242;
                                					if(_t206 == _t242) {
                                						goto L32;
                                					} else {
                                						while(1) {
                                							 *(_t293 - 0x318) = _t206;
                                							__eflags = _t206;
                                							if(__eflags == 0) {
                                								goto L2;
                                							}
                                							_t288 =  *_t206;
                                							_t242 =  *(_t206 + 8);
                                							__eflags = _t242;
                                							 *(_t293 - 0x30c) = _t288;
                                							__eflags = 0 | _t242 != 0x00000000;
                                							if(__eflags == 0) {
                                								goto L2;
                                							}
                                							__eflags =  *((intOrPtr*)(_t242 + 0x20)) - 0xe110;
                                							if( *((intOrPtr*)(_t242 + 0x20)) != 0xe110) {
                                								L19:
                                								_t242 =  *(_t242 + 0x24) & 0x00000001;
                                								 *(_t293 - 0x308) =  *(_t293 - 0x308) + 1;
                                								 *(_t293 - 0x310) = _t242;
                                								__eflags = _t288;
                                								if(_t288 != 0) {
                                									_t206 =  *(_t293 - 0x30c);
                                									continue;
                                								}
                                								L31:
                                								_t288 =  *(_t293 - 0x314);
                                								goto L32;
                                							}
                                							_t247 = _t242 + 0x2c;
                                							_t209 = L0127B7DC(_t242, _t242 + 0x2c, _t288, _t292, L"Recent File");
                                							__eflags = _t209;
                                							if(_t209 == 0) {
                                								_t34 = _t292 + 0xbc8; // 0xbc8
                                								L012E7758(_t34,  *(_t293 - 0x318));
                                								 *((intOrPtr*)( *_t242 + 4))(1);
                                								GetCurrentDirectoryW(0x104, _t293 - 0x218);
                                								_t246 = lstrlenW(_t293 - 0x218);
                                								_t217 = 0x5c;
                                								 *((short*)(_t293 + _t246 * 2 - 0x218)) = _t217;
                                								_t242 = _t246 + 1;
                                								 *((short*)(_t293 + _t242 * 2 - 0x218)) = 0;
                                								_t219 =  *((intOrPtr*)(_t293 - 0x320));
                                								_t290 = 0;
                                								 *(_t293 - 0x304) = 0;
                                								__eflags =  *(_t219 + 4);
                                								if( *(_t219 + 4) <= 0) {
                                									L26:
                                									__eflags =  *(_t293 - 0x310);
                                									if( *(_t293 - 0x310) == 0) {
                                										goto L31;
                                									}
                                									_t220 =  *(_t293 - 0x30c);
                                									__eflags = _t220;
                                									if(_t220 == 0) {
                                										goto L31;
                                									}
                                									_t288 =  *(_t220 + 8);
                                									__eflags = _t288;
                                									_t247 = 0 | __eflags != 0x00000000;
                                									__eflags = __eflags != 0;
                                									if(__eflags == 0) {
                                										goto L2;
                                									}
                                									__eflags =  *(_t288 + 0x24) & 0x00000001;
                                									if(( *(_t288 + 0x24) & 0x00000001) != 0) {
                                										_t86 = _t292 + 0xbc8; // 0xbc8
                                										L012E7758(_t86, _t220);
                                										 *((intOrPtr*)( *_t288 + 4))(1);
                                									}
                                									goto L31;
                                								} else {
                                									goto L22;
                                								}
                                								do {
                                									L22:
                                									E01272410(_t293 - 0x318, E0127859A());
                                									 *(_t293 - 4) =  *(_t293 - 4) & 0x00000000;
                                									_t283 = _t293 - 0x318;
                                									_t227 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t293 - 0x320)))) + 0xc))(_t293 - 0x318, _t290, _t293 - 0x218, _t242, 1);
                                									__eflags = _t227;
                                									if(_t227 != 0) {
                                										E01272410(_t293 - 0x31c, E0127859A());
                                										 *(_t293 - 0x304) =  *(_t293 - 0x304) + 1;
                                										 *(_t293 - 4) = 1;
                                										E01272AE0(_t293 - 0x31c, L"&%d %s",  *(_t293 - 0x304));
                                										_t294 = _t294 + 0x10;
                                										_t62 = _t290 + 0xe110; // 0xe110
                                										_t235 = L012DDF79(_t242, _t293 - 0x300, _t290, _t292, __eflags);
                                										_t283 =  *_t292;
                                										 *(_t293 - 4) = 2;
                                										 *((intOrPtr*)( *_t292 + 0x344))(_t235,  *(_t293 - 0x308), _t62, 0, 0xffffffff,  *((intOrPtr*)(_t293 - 0x31c)), 0,  *(_t293 - 0x318));
                                										 *(_t293 - 0x308) =  *(_t293 - 0x308) + 1;
                                										 *(_t293 - 4) = 1;
                                										L012DCBE8(_t242, _t293 - 0x300,  *_t292, _t290, _t292, __eflags);
                                										__eflags =  *((intOrPtr*)(_t293 - 0x31c)) + 0xfffffff0;
                                										L01271470( *((intOrPtr*)(_t293 - 0x31c)) + 0xfffffff0, _t283);
                                									}
                                									 *(_t293 - 4) =  *(_t293 - 4) | 0xffffffff;
                                									L01271470( *(_t293 - 0x318) + 0xfffffff0, _t283);
                                									_t229 =  *((intOrPtr*)(_t293 - 0x320));
                                									_t290 = _t290 + 1;
                                									__eflags = _t290 -  *((intOrPtr*)(_t229 + 4));
                                								} while (_t290 <  *((intOrPtr*)(_t229 + 4)));
                                								__eflags =  *(_t293 - 0x304);
                                								if( *(_t293 - 0x304) != 0) {
                                									goto L31;
                                								}
                                								goto L26;
                                							}
                                							goto L19;
                                						}
                                						goto L2;
                                					}
                                				}
                                				_t239 = IsMenu(_t159);
                                				asm("sbb eax, eax");
                                				_t179 =  ~( ~_t239);
                                				if(_t296 != 0) {
                                					goto L3;
                                				}
                                				goto L2;
                                			}

































                                0x012beb6e
                                0x00000000
                                0x00000000
                                0x012beaf6
                                0x012beaf8
                                0x012beafa
                                0x00000000
                                0x00000000
                                0x012beb00
                                0x012beb06
                                0x012beb12
                                0x012beb1a
                                0x012beb1f
                                0x012beb27
                                0x012beb2c
                                0x012beb3a
                                0x012beb45
                                0x012beb4a
                                0x012beb51
                                0x012beb57
                                0x012beb5d
                                0x012beb5d
                                0x012beb5d
                                0x012beb61
                                0x012beb67
                                0x012beb67
                                0x012beb70
                                0x012beb76
                                0x012beb82
                                0x012beb88
                                0x012beb8e
                                0x012beb90
                                0x012beb9e
                                0x012beb9e
                                0x012beb9e
                                0x012beb92
                                0x012beb92
                                0x012beb92
                                0x012beb90
                                0x012beba5
                                0x00000000
                                0x012beba5
                                0x012bea9c
                                0x012beaa0
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012beaa0
                                0x012be75e
                                0x012be75e
                                0x012be763
                                0x012be763
                                0x012be769
                                0x012be780
                                0x012be787
                                0x012be7a6
                                0x012be7aa
                                0x012be7b5
                                0x012be7c1
                                0x012be7c3
                                0x012be789
                                0x012be793
                                0x012be795
                                0x012be795
                                0x012be79d
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012be79d
                                0x012be76b
                                0x012be76c
                                0x012be772
                                0x012be77e
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012be77e
                                0x012be7e7
                                0x012be7ed
                                0x00000000
                                0x00000000
                                0x012be7f3
                                0x012be7f9
                                0x012be7ff
                                0x012be805
                                0x012be807
                                0x00000000
                                0x012be80d
                                0x012be815
                                0x012be815
                                0x012be81b
                                0x012be81d
                                0x00000000
                                0x00000000
                                0x012be823
                                0x012be825
                                0x012be82a
                                0x012be82f
                                0x012be835
                                0x012be837
                                0x00000000
                                0x00000000
                                0x012be83d
                                0x012be844
                                0x012be857
                                0x012be85a
                                0x012be85d
                                0x012be863
                                0x012be869
                                0x012be86b
                                0x012be80f
                                0x00000000
                                0x012be80f
                                0x012bea10
                                0x012bea10
                                0x00000000
                                0x012bea10
                                0x012be84b
                                0x012be84e
                                0x012be853
                                0x012be855
                                0x012be878
                                0x012be87e
                                0x012be889
                                0x012be898
                                0x012be8ab
                                0x012be8af
                                0x012be8b0
                                0x012be8ba
                                0x012be8bb
                                0x012be8c3
                                0x012be8c9
                                0x012be8cb
                                0x012be8d1
                                0x012be8d4
                                0x012be9d0
                                0x012be9d0
                                0x012be9d7
                                0x00000000
                                0x00000000
                                0x012be9d9
                                0x012be9df
                                0x012be9e1
                                0x00000000
                                0x00000000
                                0x012be9e3
                                0x012be9e8
                                0x012be9ea
                                0x012be9ed
                                0x012be9ef
                                0x00000000
                                0x00000000
                                0x012be9f5
                                0x012be9f9
                                0x012be9fc
                                0x012bea02
                                0x012bea0d
                                0x012bea0d
                                0x00000000
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012be8da
                                0x012be8da
                                0x012be8e6
                                0x012be8f3
                                0x012be902
                                0x012be909
                                0x012be90c
                                0x012be90e
                                0x012be920
                                0x012be92b
                                0x012be943
                                0x012be947
                                0x012be94c
                                0x012be957
                                0x012be968
                                0x012be973
                                0x012be978
                                0x012be97c
                                0x012be982
                                0x012be98e
                                0x012be992
                                0x012be99d
                                0x012be9a0
                                0x012be9a0
                                0x012be9ab
                                0x012be9b2
                                0x012be9b7
                                0x012be9bd
                                0x012be9be
                                0x012be9be
                                0x012be9c7
                                0x012be9ce
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012be9ce
                                0x00000000
                                0x012be855
                                0x00000000
                                0x012be815
                                0x012be807
                                0x012be750
                                0x012be758
                                0x012be75a
                                0x012be75c
                                0x00000000
                                0x00000000
                                0x00000000

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012BE72C
                                • IsMenu.USER32(?), ref: 012BE750
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 012A5A10: __EH_prolog3_catch.LIBCMT ref: 012A5A17
                                  • Part of subcall function 012A5A10: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,00000074), ref: 012A5A4E
                                • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 012BE898
                                • lstrlenW.KERNEL32(?), ref: 012BE8A5
                                  • Part of subcall function 012DDF79: __EH_prolog3.LIBCMT ref: 012DDF80
                                  • Part of subcall function 0127E493: GetParent.USER32(00000000), ref: 0127E4D5
                                  • Part of subcall function 012BBC3B: __EH_prolog3_GS.LIBCMT ref: 012BBC45
                                  • Part of subcall function 012BBC3B: GetParent.USER32(?), ref: 012BBD07
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: H_prolog3_Parent$CurrentDirectoryException@8FileH_prolog3H_prolog3_catchMenuPointerThrowlstrlen
                                • String ID: &%d %s$Recent File
                                • API String ID: 181170804-3015484766
                                • Opcode ID: cde6dd84cf3e50bd412545c5eb72f91f68e8f918e4728ebade41cd0cd6e02dd9
                                • Instruction ID: f0cbdcd50f773871e8bb7e5716cec0fa4f01f8c99e2d215644388cca6dd63184
                                • Opcode Fuzzy Hash: cde6dd84cf3e50bd412545c5eb72f91f68e8f918e4728ebade41cd0cd6e02dd9
                                • Instruction Fuzzy Hash: 3EE19570611216DFDB26DF24C8D4BE9B7F8BF18344F1545A8D60AA7292DB70AB80CF51
                                Uniqueness

                                Uniqueness Score: 16.53%

                                C-Code - Quality: 71%
                                			E01276C04(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, int _a8, short* _a12, int _a16, signed int _a20) {
                                				int* _v4;
                                				signed int _v8;
                                				short* _v12;
                                				void* _v16;
                                				signed int* _v20;
                                				signed int _v24;
                                				void* _v28;
                                				char _v40;
                                				signed int _v44;
                                				short _v8216;
                                				WCHAR* _v8220;
                                				char _v8224;
                                				void* _v8228;
                                				long _v8232;
                                				int _v8236;
                                				int _v8240;
                                				short* _v8244;
                                				int* _v8252;
                                				short* _v8264;
                                				unsigned int _t86;
                                				char* _t88;
                                				char* _t91;
                                				signed int _t97;
                                				signed int _t98;
                                				WCHAR* _t100;
                                				signed int _t106;
                                				signed int _t111;
                                				signed int _t116;
                                				short* _t123;
                                				signed int _t126;
                                				void* _t128;
                                				long _t129;
                                				char* _t132;
                                				long _t134;
                                				unsigned int* _t136;
                                				signed int* _t137;
                                				void* _t138;
                                				signed int _t147;
                                				void* _t159;
                                				void* _t173;
                                				signed int _t174;
                                				char** _t177;
                                				short* _t178;
                                				void* _t179;
                                				char* _t182;
                                				void* _t184;
                                				void* _t186;
                                				signed int _t189;
                                				signed int _t191;
                                
                                				_push(0x10);
                                				L01369601(0x137ec4c, __ebx, __edi, __esi);
                                				_t177 = _a16;
                                				_t136 = _a20;
                                				_t182 = 0;
                                				 *_t177 = 0;
                                				 *_t136 = 0;
                                				_push(0);
                                				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                					_push(_a12);
                                					_push(_a8);
                                					_t172 =  &_a12;
                                					_push( &_a12);
                                					 *((intOrPtr*)( *__ecx + 0x84))();
                                					_t145 = _a12;
                                					_t86 =  *(_a12 - 0xc);
                                					_v4 = 1;
                                					__eflags = _t86;
                                					if(__eflags != 0) {
                                						_a20 = _t86;
                                						 *_t136 = _t86 >> 1;
                                						_t88 = E01274753(__eflags, _t86 >> 1);
                                						_t147 = 0;
                                						 *_t177 = _t88;
                                						__eflags = _a20;
                                						if(_a20 <= 0) {
                                							L16:
                                							L01271470( &(_a12[0xfffffffffffffff8]), _t172);
                                							_t91 = 1;
                                							__eflags = 1;
                                							goto L17;
                                						} else {
                                							while(1) {
                                								_t31 = _t147 + 1; // 0x1
                                								_t173 = _t31;
                                								__eflags = _t173 - _t182;
                                								if(_t173 < _t182) {
                                									break;
                                								}
                                								_t123 = _a12;
                                								_t136 =  *(_t123 - 0xc);
                                								__eflags = _t173 - _t136;
                                								if(_t173 > _t136) {
                                									break;
                                								} else {
                                									__eflags = _t147 - _t182;
                                									if(_t147 < _t182) {
                                										break;
                                									} else {
                                										__eflags = _t147 - _t136;
                                										if(_t147 > _t136) {
                                											break;
                                										} else {
                                											asm("cdq");
                                											_t172 =  *_t177;
                                											_t136 = ( *((intOrPtr*)(_t123 + 2 + _t147 * 2)) - 1 << 4) +  *((intOrPtr*)(_t123 + _t147 * 2)) - 0x41;
                                											_t126 = _t147 - _t173 >> 1;
                                											_t147 = _t147 + 2;
                                											( *_t177)[_t126] = _t136;
                                											__eflags = _t147 - _a20;
                                											if(_t147 < _a20) {
                                												continue;
                                											} else {
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                								goto L32;
                                							}
                                							_push(0x80070057);
                                							L012713A0(_t136, _t147, _t177, _t182);
                                							asm("int3");
                                							_t189 = _t191;
                                							_push(0xffffffff);
                                							_push(0x137ec72);
                                							_push( *[fs:0x0]);
                                							E01368890(0x2020);
                                							_t97 =  *0x13d3570; // 0x99b5b578
                                							_t98 = _t97 ^ _t189;
                                							_v44 = _t98;
                                							_push(_t136);
                                							_push(_t182);
                                							_push(_t177);
                                							_push(_t98);
                                							 *[fs:0x0] =  &_v40;
                                							_t178 = _v12;
                                							_t174 = _v8;
                                							_t137 = _v20;
                                							_t100 = _v16;
                                							_v8264 = _t178;
                                							_v8240 = _t174;
                                							_v8252 = 0;
                                							__eflags =  *(_t147 + 0x58);
                                							if( *(_t147 + 0x58) == 0) {
                                								__eflags = _t174;
                                								if(_t174 == 0) {
                                									_v8220 = 0x138e210;
                                								}
                                								GetPrivateProfileStringW(_t100, _t178, _v8220,  &_v8216, 0x1000,  *(_t147 + 0x6c));
                                								_push( &_v8216);
                                								goto L30;
                                							} else {
                                								_t106 = E0127694D(_t147, _t100, 0);
                                								_v8228 = _t106;
                                								__eflags = _t106;
                                								if(_t106 != 0) {
                                									E01272410( &_v8224, E0127859A());
                                									_v12 = 0;
                                									_v8240 = 0;
                                									_v8236 = 0;
                                									_t111 = RegQueryValueExW(_v8228, _t178, 0,  &_v8240, 0,  &_v8236);
                                									_v8232 = _t111;
                                									__eflags = _t111;
                                									if(_t111 == 0) {
                                										__eflags = _v8236 >> 1;
                                										_v8232 = RegQueryValueExW(_v8228, _v8244, 0,  &_v8240, E01272610(_t137,  &_v8224, RegQueryValueExW, _v8236 >> 1),  &_v8236);
                                										E012723C0(_t137,  &_v8224, RegQueryValueExW, 0xffffffff);
                                									}
                                									RegCloseKey(_v8228);
                                									__eflags = _v8232;
                                									if(_v8232 != 0) {
                                										E01273740(_t137, _v8220);
                                										_t159 = _v8224 + 0xfffffff0;
                                									} else {
                                										_t186 = _v8224 + 0xfffffff0;
                                										_t116 = E01272530(_t186) + 0x10;
                                										__eflags = _t116;
                                										 *_t137 = _t116;
                                										_t159 = _t186;
                                									}
                                									L01271470(_t159, _t174);
                                								} else {
                                									_push(_v8220);
                                									L30:
                                									E01273740(_t137);
                                								}
                                							}
                                							 *[fs:0x0] = _v20;
                                							_pop(_t179);
                                							_pop(_t184);
                                							_pop(_t138);
                                							__eflags = _v24 ^ _t189;
                                							return L01367D3E(_t137, _t138, _v24 ^ _t189, _t174, _t179, _t184);
                                						}
                                					} else {
                                						L01271470(_t145 + 0xfffffff0,  &_a12);
                                						goto L2;
                                					}
                                				} else {
                                					_push(_a8);
                                					_t128 = E0127694D(__ecx);
                                					_v16 = _t128;
                                					if(_t128 != 0) {
                                						_v28 = _t128;
                                						_v24 = 0;
                                						_v20 = 0;
                                						_v4 = 0;
                                						_a16 = 0;
                                						_a8 = 0;
                                						_t129 = RegQueryValueExW(_t128, _a12, 0,  &_a16, 0,  &_a8);
                                						_t167 = _a8;
                                						 *_a20 = _a8;
                                						__eflags = _t129;
                                						if(__eflags != 0) {
                                							L7:
                                							_push( *_t177);
                                							E01274782();
                                							 *_t177 = _t182;
                                						} else {
                                							_t132 = E01274753(__eflags, _t167);
                                							 *_t177 = _t132;
                                							_t134 = RegQueryValueExW(_v16, _a12, 0,  &_a16, _t132,  &_a8);
                                							__eflags = _t134;
                                							if(_t134 != 0) {
                                								goto L7;
                                							} else {
                                								_t182 = 1;
                                								__eflags = 1;
                                							}
                                						}
                                						E01276875( &_v28);
                                						_t91 = _t182;
                                					} else {
                                						L2:
                                						_t91 = 0;
                                					}
                                					L17:
                                					return L013696D9(_t91);
                                				}
                                				L32:
                                			}




















































                                0x01276eea
                                0x01276eee
                                0x01276ef6
                                0x01276ef6
                                0x01276cd0
                                0x01276cd3
                                0x00000000
                                0x01276cd3
                                0x01276c26
                                0x01276c26
                                0x01276c29
                                0x01276c2e
                                0x01276c33
                                0x01276c3c
                                0x01276c3f
                                0x01276c42
                                0x01276c58
                                0x01276c5c
                                0x01276c5f
                                0x01276c62
                                0x01276c64
                                0x01276c6a
                                0x01276c6c
                                0x01276c6e
                                0x01276ca1
                                0x01276ca1
                                0x01276ca3
                                0x01276ca9
                                0x01276c70
                                0x01276c71
                                0x01276c7c
                                0x01276c89
                                0x01276c8b
                                0x01276c8d
                                0x00000000
                                0x01276c8f
                                0x01276c91
                                0x01276c91
                                0x01276c91
                                0x01276c8d
                                0x01276c95
                                0x01276c9a
                                0x01276c35
                                0x01276c35
                                0x01276c35
                                0x01276c35
                                0x01276d3e
                                0x01276d43
                                0x01276d43
                                0x00000000

                                APIs
                                • __EH_prolog3.LIBCMT ref: 01276C0B
                                • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?), ref: 01276C62
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 01276C89
                                  • Part of subcall function 01276875: RegCloseKey.ADVAPI32 ref: 01276883
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 01276E07
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 01276E43
                                  • Part of subcall function 012723C0: _wcsnlen.LIBCMT ref: 012723D9
                                • RegCloseKey.ADVAPI32(?), ref: 01276E5E
                                  • Part of subcall function 01272530: _memcpy_s.LIBCMT ref: 0127258F
                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,00001000,?), ref: 01276EC7
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 0127694D: RegCreateKeyExW.ADVAPI32(00000000,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 01276991
                                  • Part of subcall function 0127694D: RegCloseKey.ADVAPI32(00000000), ref: 01276998
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: QueryValue$Close$ExceptionFilterProcessUnhandled$CreateCurrentDebuggerH_prolog3PresentPrivateProfileStringTerminate_malloc_memcpy_s_wcsnlen
                                • String ID:
                                • API String ID: 674994970-0
                                • Opcode ID: c645dbdbeb4cb9767d7b46ccb5d285115fe01053c62514c61136ddb58a2eb363
                                • Instruction ID: 71ded07b4afdd7f101effad8b8383e2847131068846bac17c88e3c5d643f8e0d
                                • Opcode Fuzzy Hash: c645dbdbeb4cb9767d7b46ccb5d285115fe01053c62514c61136ddb58a2eb363
                                • Instruction Fuzzy Hash: 2191B2B191022ADFDF26DF24CC489AFBBB9FF18710F10459AE519A7241D7309A94CFA0
                                Uniqueness

                                Uniqueness Score: 7.75%

                                C-Code - Quality: 80%
                                			E0128EB25(struct HINSTANCE__* __ebx, intOrPtr* __ecx, struct HINSTANCE__* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t64;
                                				struct HINSTANCE__* _t67;
                                				struct HINSTANCE__* _t68;
                                				struct HINSTANCE__* _t70;
                                				struct HINSTANCE__* _t75;
                                				struct HINSTANCE__* _t81;
                                				struct HINSTANCE__* _t82;
                                				struct HINSTANCE__* _t100;
                                				struct HINSTANCE__* _t101;
                                				intOrPtr* _t112;
                                				void* _t113;
                                				void* _t114;
                                
                                				_t114 = __eflags;
                                				_t110 = __edi;
                                				_t83 = __ebx;
                                				_push(0x24);
                                				L0136966A(0x13802ed, __ebx, __edi, __esi);
                                				_t112 = __ecx;
                                				 *(_t113 - 0x2c) =  *(_t113 + 8);
                                				if(E0128CBE6(__ebx, __ecx, __edi, _t114) == 0) {
                                					L38:
                                					return L013696ED(_t83, _t110, _t112);
                                				}
                                				_t83 = _t112 + 0x43c;
                                				if(_t83 == 0) {
                                					L3:
                                					 *((intOrPtr*)(_t113 - 0x18)) = 0xffffffffffff830a;
                                					 *((intOrPtr*)(_t113 - 0x14)) = 0xffffffffffff830a;
                                					_push(L"AFX_SUPERBAR_TAB");
                                					 *((intOrPtr*)(_t113 - 0x20)) = 0xffff8300;
                                					 *((intOrPtr*)(_t113 - 0x1c)) = 0xffff8300;
                                					_t110 = 0x13d63e8;
                                					_push(_t113 - 0x28);
                                					 *((intOrPtr*)(_t112 + 0x4b0)) = _t112;
                                					E0127EA42(_t83, 0x13d63e8, 0x13d63e8, _t112, _t117);
                                					 *(_t113 - 4) =  *(_t113 - 4) & 0x00000000;
                                					E01272410(_t113 - 0x24, E0127859A());
                                					 *(_t113 - 4) = 1;
                                					E01284613(_t83, _t112, 0x13d63e8, _t113 - 0x24);
                                					_t109 = _t83->i;
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(_t113 - 0x20);
                                					_push(0x80cf0000);
                                					_push( *((intOrPtr*)(_t113 - 0x24)));
                                					_push( *((intOrPtr*)(_t113 - 0x28)));
                                					_push(0x8000080);
                                					if( *((intOrPtr*)(_t83->i + 0x58))() == 0) {
                                						L37:
                                						L01271470( *((intOrPtr*)(_t113 - 0x24)) + 0xfffffff0, _t109);
                                						L01271470( *((intOrPtr*)(_t113 - 0x28)) + 0xfffffff0, _t109);
                                						goto L38;
                                					}
                                					_t110 = E0127E37E(0x13d63e8);
                                					if(_t110 == 0) {
                                						L35:
                                						 *((intOrPtr*)(_t112 + 0x4b4)) = 1;
                                						__eflags = E0128CBCF(_t112);
                                						if(__eflags != 0) {
                                							E0128CC49(_t112, _t109, __eflags);
                                						}
                                						goto L37;
                                					} else {
                                						_t64 = E012789CC(0x1391888, L01283CE7(_t112));
                                						if(_t64 != 0) {
                                							_t64 =  *((intOrPtr*)(_t64 + 0x20));
                                						}
                                						if(_t83 != 0) {
                                							_t100 =  *(_t83 + 0x20);
                                						} else {
                                							_t100 = 0;
                                						}
                                						_t109 = _t110->i;
                                						_push(_t64);
                                						_push(_t100);
                                						_push(_t110);
                                						if( *((intOrPtr*)(_t110->i + 0x2c))() >= 0) {
                                							__eflags =  *(_t113 - 0x2c);
                                							if( *(_t113 - 0x2c) != 0) {
                                								L15:
                                								_t67 =  *(_t113 - 0x2c) + 0x43c;
                                								L17:
                                								__eflags = _t67;
                                								if(_t67 != 0) {
                                									_t67 =  *(_t67 + 0x20);
                                								}
                                								__eflags = _t83;
                                								if(_t83 != 0) {
                                									_t101 =  *(_t83 + 0x20);
                                								} else {
                                									_t101 = 0;
                                								}
                                								_t109 = _t110->i;
                                								_t68 =  *((intOrPtr*)(_t110->i + 0x34))(_t110, _t101, _t67);
                                								__eflags = _t68;
                                								if(_t68 < 0) {
                                									goto L11;
                                								} else {
                                									_t103 =  *(_t112 + 0x438);
                                									__eflags =  *(_t112 + 0x438);
                                									if( *(_t112 + 0x438) != 0) {
                                										__eflags = L012B8EF9(_t83, _t103, _t109, 0) - _t112;
                                										if(__eflags == 0) {
                                											E0128CD8B(_t83, _t112, _t110, __eflags);
                                										}
                                									}
                                									 *((intOrPtr*)(_t113 - 0x30)) = 1;
                                									_t70 = GetModuleHandleW(L"DWMAPI");
                                									__eflags = _t70;
                                									if(__eflags != 0) {
                                										_t110 = GetProcAddress(_t70, "DwmSetWindowAttribute");
                                										__eflags = _t110;
                                										if(__eflags != 0) {
                                											__eflags = _t83;
                                											if(_t83 != 0) {
                                												_t75 =  *(_t83 + 0x20);
                                											} else {
                                												_t75 = 0;
                                											}
                                											_t110->i(_t75, 0xa, _t113 - 0x30, 4);
                                											__eflags = _t83;
                                											if(__eflags != 0) {
                                												_t83 =  *(_t83 + 0x20);
                                											}
                                											 *_t110(_t83, 7, _t113 - 0x30, 4);
                                										}
                                									}
                                									E0128E951(_t83, _t112, _t110, _t112, __eflags);
                                									 *((intOrPtr*)( *_t112 + 0x218))( *((intOrPtr*)(_t113 - 0x24)),  *0x13cffe8);
                                									goto L35;
                                								}
                                							}
                                							_t81 =  *(_t112 + 0x438);
                                							__eflags = _t81;
                                							if(_t81 == 0) {
                                								L16:
                                								_t67 = 0;
                                								__eflags = 0;
                                								goto L17;
                                							}
                                							_t82 = E012C4420(_t81 + 0x440, _t112);
                                							 *(_t113 - 0x2c) = _t82;
                                							__eflags = _t82;
                                							if(_t82 == 0) {
                                								goto L16;
                                							}
                                							goto L15;
                                						} else {
                                							L11:
                                							L0128D51C(_t112, 1);
                                							goto L37;
                                						}
                                					}
                                				}
                                				_t117 =  *(_t83 + 0x20);
                                				if( *(_t83 + 0x20) != 0) {
                                					goto L38;
                                				}
                                				goto L3;
                                			}
















                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0128EB2C
                                  • Part of subcall function 0127EA42: __EH_prolog3.LIBCMT ref: 0127EA49
                                  • Part of subcall function 0127EA42: LoadCursorW.USER32 ref: 0127EA75
                                  • Part of subcall function 0127EA42: GetClassInfoW.USER32 ref: 0127EAB9
                                  • Part of subcall function 01284613: GetWindowTextLengthW.USER32 ref: 01284624
                                  • Part of subcall function 01284613: GetWindowTextW.USER32 ref: 0128463B
                                  • Part of subcall function 0127E37E: CoInitialize.OLE32(00000000), ref: 0127E3AC
                                  • Part of subcall function 0127E37E: CoCreateInstance.OLE32(013B6A54,00000000,00000001,0138F74C,?), ref: 0127E3CA
                                • GetModuleHandleW.KERNEL32(DWMAPI), ref: 0128EC98
                                • GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 0128ECA8
                                  • Part of subcall function 0128E951: __EH_prolog3.LIBCMT ref: 0128E958
                                  • Part of subcall function 012B8EF9: SendMessageW.USER32(?,00000229,00000000,?), ref: 012B8F24
                                  • Part of subcall function 0128CC49: GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,012C36B1), ref: 0128CCC0
                                  • Part of subcall function 0128CC49: GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps,?,?,00000000,?,?,?,?,?,?,?,?,012C36B1), ref: 0128CCD0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AddressH_prolog3HandleModuleProcTextWindow$ClassCreateCursorH_prolog3_InfoInitializeInstanceLengthLoadMessageSend
                                • String ID: AFX_SUPERBAR_TAB$DWMAPI$DwmSetWindowAttribute
                                • API String ID: 3211386045-136793874
                                • Opcode ID: 3b45131326c6762bfc78f596d8235a6234e49af92bc97f8c07f988362a1254b3
                                • Instruction ID: 5aab74861524fe1db4549c3b7d1ecce15aba362b192829ebf913132b11146512
                                • Opcode Fuzzy Hash: 3b45131326c6762bfc78f596d8235a6234e49af92bc97f8c07f988362a1254b3
                                • Instruction Fuzzy Hash: AA5181B0B212079BEB14BFA9C894FBE77A8AF58604F15011DEA05A72C1DB70D904CB65
                                Uniqueness

                                Uniqueness Score: 7.75%

                                C-Code - Quality: 72%
                                			E0134E3C0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                				signed short* _t50;
                                				intOrPtr* _t51;
                                				signed short* _t52;
                                				signed short* _t53;
                                				signed short* _t58;
                                				signed short* _t59;
                                				signed short* _t63;
                                				signed short* _t65;
                                				signed short* _t67;
                                				signed short* _t72;
                                				signed short* _t73;
                                				signed short* _t74;
                                				signed short* _t81;
                                				signed short* _t89;
                                				signed short* _t102;
                                				intOrPtr* _t104;
                                				signed short* _t105;
                                				void* _t106;
                                
                                				_t85 = __ecx;
                                				_push(0x38);
                                				L01369634(0x1388357, __ebx, __edi, __esi);
                                				_t104 = __ecx;
                                				E0134E338(__ecx);
                                				if( *_t104 != 0) {
                                					__eflags =  *(_t106 + 8);
                                					if( *(_t106 + 8) != 0) {
                                						L4:
                                						_t50 = L01277C74(_t85,  *(_t106 + 0xc),  *(_t106 + 8), _t106 - 0x44);
                                						_t100 = _t106 - 0x24;
                                						_t102 = _t50;
                                						_t51 =  *_t104;
                                						 *((intOrPtr*)(_t106 - 0x34)) = 0x27;
                                						_t52 =  *((intOrPtr*)( *_t51 + 0xc))(_t51, _t102, _t106 - 0x24);
                                						__eflags = _t52;
                                						if(_t52 < 0) {
                                							goto L1;
                                						}
                                						__eflags =  *(_t106 - 0x1c);
                                						if( *(_t106 - 0x1c) == 0) {
                                							L9:
                                							E01272410(_t106 + 0xc, E0127859A());
                                							_t58 =  *(_t106 - 0x24) - 1;
                                							__eflags = _t58;
                                							 *((intOrPtr*)(_t106 - 4)) = 0;
                                							 *(_t106 + 8) = 0;
                                							 *((char*)(_t106 - 4)) = 1;
                                							if(__eflags == 0) {
                                								L27:
                                								_t59 = E01274753(__eflags, 0x38);
                                								 *(_t106 - 0x14) = _t59;
                                								 *((char*)(_t106 - 4)) = 3;
                                								__eflags = _t59;
                                								if(__eflags == 0) {
                                									_t89 = 0;
                                									__eflags = 0;
                                								} else {
                                									_t89 = E0134E596(_t59, __eflags, 2, 0x1000);
                                								}
                                								 *((char*)(_t106 - 4)) = 1;
                                								 *(_t106 + 8) = _t89;
                                								E0134E5FB(_t89,  *((intOrPtr*)(_t106 - 0x20)), 1);
                                								L14:
                                								__eflags =  &(( *(_t106 + 0xc))[0xfffffffffffffff8]);
                                								L01271470( &(( *(_t106 + 0xc))[0xfffffffffffffff8]), _t100);
                                								_t53 =  *(_t106 + 8);
                                								L15:
                                								return L013696D9(_t53);
                                							}
                                							_t63 = _t58 - 1;
                                							__eflags = _t63;
                                							if(_t63 == 0) {
                                								E01272AA0(_t102,  *((intOrPtr*)(_t106 - 0x20)));
                                								_t65 = E01274753(__eflags, 0x14);
                                								 *(_t106 - 0x14) = _t65;
                                								 *((char*)(_t106 - 4)) = 2;
                                								__eflags = _t65;
                                								if(__eflags == 0) {
                                									_t105 = 0;
                                									__eflags = 0;
                                								} else {
                                									_t105 = L012874C5(_t65, __eflags);
                                								}
                                								 *((char*)(_t106 - 4)) = 1;
                                								 *(_t106 + 8) = _t105;
                                								_t67 =  *((intOrPtr*)( *_t105 + 0x24))( *(_t106 + 0xc), 0x12, 0);
                                								__eflags = _t67;
                                								if(_t67 != 0) {
                                									__imp__CoTaskMemFree( *((intOrPtr*)(_t106 - 0x20)));
                                								} else {
                                									 *((intOrPtr*)( *_t105 + 4))(1);
                                									 *(_t106 + 8) = 0;
                                								}
                                								goto L14;
                                							}
                                							_t72 = _t63;
                                							__eflags = _t72;
                                							if(__eflags == 0) {
                                								_t73 = E01274753(__eflags, 0x1c);
                                								 *(_t106 - 0x14) = _t73;
                                								 *((char*)(_t106 - 4)) = 4;
                                								__eflags = _t73;
                                								if(__eflags == 0) {
                                									_t74 = 0;
                                									__eflags = 0;
                                								} else {
                                									_push( *((intOrPtr*)(_t106 - 0x20)));
                                									_t74 = L013451C7(0, _t73, _t102, _t104, __eflags);
                                								}
                                								 *(_t106 + 8) = _t74;
                                								goto L14;
                                							}
                                							__eflags = _t72 - 0x1c;
                                							if(__eflags == 0) {
                                								goto L27;
                                							}
                                							__imp__ReleaseStgMedium(_t106 - 0x24);
                                							goto L14;
                                						}
                                						 *((intOrPtr*)(_t106 - 0x30)) = 0;
                                						 *((intOrPtr*)(_t106 - 0x28)) = 0;
                                						__eflags = _t102;
                                						if(__eflags == 0) {
                                							L16:
                                							__imp__ReleaseStgMedium(_t106 - 0x24);
                                							goto L1;
                                						}
                                						_t81 = E012781A5(0, _t102, _t104, __eflags,  *_t102 & 0x0000ffff, _t106 - 0x30, _t106 - 0x24);
                                						__eflags = _t81;
                                						if(_t81 == 0) {
                                							goto L16;
                                						}
                                						__imp__ReleaseStgMedium(_t106 - 0x24);
                                						_t104 = _t106 - 0x30;
                                						_t102 = _t106 - 0x24;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						goto L9;
                                					}
                                					__eflags =  *(_t106 + 0xc);
                                					if( *(_t106 + 0xc) == 0) {
                                						goto L1;
                                					}
                                					goto L4;
                                				}
                                				L1:
                                				_t53 = 0;
                                				goto L15;
                                			}


                                APIs
                                • __EH_prolog3_catch.LIBCMT ref: 0134E3C7
                                  • Part of subcall function 0134E338: OleGetClipboard.OLE32(?), ref: 0134E350
                                • CoTaskMemFree.OLE32(?), ref: 0134E529
                                  • Part of subcall function 012781A5: __EH_prolog3_GS.LIBCMT ref: 012781AC
                                  • Part of subcall function 012781A5: OleDuplicateData.OLE32(?,?,00000000), ref: 0127822D
                                  • Part of subcall function 012781A5: GlobalLock.KERNEL32 ref: 0127825C
                                  • Part of subcall function 012781A5: CopyMetaFileW.GDI32(?,00000000), ref: 01278268
                                  • Part of subcall function 012781A5: GlobalUnlock.KERNEL32(?), ref: 01278278
                                  • Part of subcall function 012781A5: GlobalFree.KERNEL32(?), ref: 01278281
                                  • Part of subcall function 012781A5: GlobalUnlock.KERNEL32(?), ref: 0127828D
                                  • Part of subcall function 012781A5: lstrlenW.KERNEL32(?,0000005C), ref: 012782ED
                                  • Part of subcall function 012781A5: CopyFileW.KERNEL32 ref: 012783E5
                                • ReleaseStgMedium.OLE32(?), ref: 0134E43C
                                • ReleaseStgMedium.OLE32(?), ref: 0134E481
                                • ReleaseStgMedium.OLE32(?), ref: 0134E4A1
                                  • Part of subcall function 013451C7: __EH_prolog3_GS.LIBCMT ref: 013451D1
                                  • Part of subcall function 013451C7: CoTaskMemFree.OLE32(?), ref: 0134525D
                                  • Part of subcall function 013451C7: CoTaskMemFree.OLE32(?), ref: 01345281
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                  • Part of subcall function 0134E5FB: GlobalLock.KERNEL32 ref: 0134E613
                                  • Part of subcall function 0134E5FB: GlobalSize.KERNEL32(?), ref: 0134E61F
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Global$Free$MediumReleaseTask$CopyFileH_prolog3_LockUnlock$ClipboardDataDuplicateH_prolog3_catchMetaSize_malloclstrlen
                                • String ID: '
                                • API String ID: 3471107458-1997036262
                                • Opcode ID: 9492aa6a5d4f1c84335e1dba67daece59f043995fcb0374384d04f2144d74cff
                                • Instruction ID: 12eb0263f1bacc591548784a4e41b4c0f687b5ac213e94b9c402d7c35cf62fcd
                                • Opcode Fuzzy Hash: 9492aa6a5d4f1c84335e1dba67daece59f043995fcb0374384d04f2144d74cff
                                • Instruction Fuzzy Hash: 46514171900249EBDF11EFA8C984AEDBBF5BF18308F148479E505FB280D679AA44CB61
                                Uniqueness

                                Uniqueness Score: 1.23%

                                C-Code - Quality: 75%
                                			E012C01E2(void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				struct tagRECT _v76;
                                				char _v96;
                                				char _v100;
                                				signed int _v104;
                                				void* __ebx;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t64;
                                				intOrPtr _t72;
                                				struct HMONITOR__* _t75;
                                				long _t87;
                                				void* _t93;
                                				intOrPtr* _t94;
                                				intOrPtr _t107;
                                				long _t109;
                                				intOrPtr _t112;
                                				intOrPtr _t116;
                                				signed int _t117;
                                
                                				_t111 = __edi;
                                				_t64 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t64 ^ _t117;
                                				_t116 = _a4;
                                				_t94 = E012789CC(0x139d2fc,  *((intOrPtr*)(E012792EF(_t93, __edi, _t116, __eflags) + 4)));
                                				if(_t94 != 0 &&  *((intOrPtr*)(_t116 + 4)) != 0) {
                                					_t109 =  *(_t116 + 0x1c);
                                					_v104 = _v104 & 0x00000000;
                                					_push(__edi);
                                					_t112 =  *((intOrPtr*)(_t116 + 0x18));
                                					_v24.bottom =  *(_t116 + 0x10) + _t112;
                                					_push( &_v100);
                                					_push( &_v104);
                                					_v24.top = _t112;
                                					_v24.left = _t109;
                                					_t108 = _t109 +  *((intOrPtr*)(_t116 + 0x14));
                                					_push( &_v24);
                                					_v24.right = _t109 +  *((intOrPtr*)(_t116 + 0x14));
                                					_v100 = 1;
                                					if( *((intOrPtr*)( *_t94 + 0x140))() != 0) {
                                						_t122 = _v100 - 3;
                                						if(_v100 != 3) {
                                							_v100 = 1;
                                						}
                                						_t72 =  *((intOrPtr*)( *((intOrPtr*)(E012792EF(_t94, 1, _t116, _t122) + 4)) + 0x4c));
                                						if(_t72 < 2) {
                                							L8:
                                							 *((intOrPtr*)( *((intOrPtr*)(E012792EF(_t94, 1, _t116, _t125) + 4)) + 0x4c)) = _v100;
                                						} else {
                                							if(_t72 > 3) {
                                								_t125 = _t72 + 0xfffffffa - 1;
                                								if(_t72 + 0xfffffffa > 1) {
                                									goto L8;
                                								}
                                							}
                                						}
                                						_t75 =  &_v96;
                                						_v40.left = 0;
                                						_v40.top = 0;
                                						_v40.right = 0;
                                						_v40.bottom = 0;
                                						_v56.left = 0;
                                						_v56.top = 0;
                                						_v56.right = 0;
                                						_v56.bottom = 0;
                                						_v96 = 0x28;
                                						__imp__MonitorFromPoint(_v24.top, 2, _t75);
                                						if(GetMonitorInfoW(_t75, _v24.left) == 0) {
                                							SystemParametersInfoW(0x30, 0,  &_v40, 0);
                                						} else {
                                							CopyRect( &_v40,  &_v76);
                                						}
                                						if(_v100 != 3) {
                                							_t67 = IntersectRect( &_v56,  &_v40,  &_v24);
                                							__eflags = _t67;
                                							if(_t67 != 0) {
                                								 *(_t116 + 0x1c) = _v56.left;
                                								 *((intOrPtr*)(_t116 + 0x18)) = _v56.top;
                                								 *((intOrPtr*)(_t116 + 0x14)) = _v24.right - _v24;
                                								_t67 = _v24.bottom - _v24.top;
                                								__eflags = _t67;
                                								goto L16;
                                							}
                                						} else {
                                							_t87 = _v40.left;
                                							_t107 = _v40.top;
                                							_t108 = _v40.right - _t87;
                                							 *(_t116 + 0x1c) = _t87;
                                							 *((intOrPtr*)(_t116 + 0x18)) = _t107;
                                							 *((intOrPtr*)(_t116 + 0x14)) = _v40.right - _t87;
                                							_t67 = _v40.bottom - _t107;
                                							L16:
                                							 *(_t116 + 0x10) = _t67;
                                						}
                                					}
                                					_pop(_t111);
                                				}
                                				return L01367D3E(_t67, _t94, _v8 ^ _t117, _t108, _t111, _t116);
                                			}


                                APIs
                                • MonitorFromPoint.USER32(?,?,00000002), ref: 012C02C4
                                • GetMonitorInfoW.USER32(00000000), ref: 012C02CB
                                • CopyRect.USER32(?,?), ref: 012C02DD
                                • SystemParametersInfoW.USER32 ref: 012C02ED
                                • IntersectRect.USER32(?,?,?), ref: 012C0320
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterInfoMonitorProcessRectUnhandled$CopyCurrentDebuggerFromIntersectParametersPointPresentSystemTerminate
                                • String ID: (
                                • API String ID: 2178168040-3887548279
                                • Opcode ID: 1415d869bb9493cf66bf2f06ebc61ab3d52b0918452a083145e04cc63e9f44d8
                                • Instruction ID: c87931c52e0710572636b88c04bdde02bcdd7145f46b84ddbb44d8e52492ee6e
                                • Opcode Fuzzy Hash: 1415d869bb9493cf66bf2f06ebc61ab3d52b0918452a083145e04cc63e9f44d8
                                • Instruction Fuzzy Hash: 0451F3B5D10309DFCB20DFA9D9889EEFBF9BF98700B10461AE605E7250D730AA04CB65
                                Uniqueness

                                Uniqueness Score: 1.23%

                                C-Code - Quality: 73%
                                			E01288929(void* __ebx, long long* __ecx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t35;
                                				void* _t36;
                                				void* _t40;
                                				intOrPtr _t43;
                                				void* _t51;
                                				void* _t60;
                                				intOrPtr* _t89;
                                				intOrPtr* _t91;
                                				void* _t98;
                                				long long* _t99;
                                
                                				_t64 = __ebx;
                                				_push(4);
                                				L01369601(0x137fdfb, __ebx, __edi, __esi);
                                				 *((intOrPtr*)(_t98 - 0x10)) = 0;
                                				_t35 =  *((intOrPtr*)(__ecx + 8));
                                				if(_t35 != 2) {
                                					if(_t35 != 1) {
                                						 *((intOrPtr*)(_t98 - 0x10)) = 0;
                                						_t36 = _t98 - 0x10;
                                						 *((intOrPtr*)(_t98 - 4)) = 1;
                                						 *_t99 =  *__ecx;
                                						__imp__#114(__ecx, __ecx,  *((intOrPtr*)(_t98 + 0x10)),  *((intOrPtr*)(_t98 + 0xc)), _t36);
                                						if(_t36 >= 0) {
                                							E01273740(__ebx,  *((intOrPtr*)(_t98 - 0x10)));
                                							 *((char*)(_t98 - 4)) = 3;
                                							_t40 = E01272530( *((intOrPtr*)(_t98 + 0x10)) + 0xfffffff0);
                                							_t91 =  *((intOrPtr*)(_t98 + 8));
                                							 *_t91 = _t40 + 0x10;
                                							L01271470( *((intOrPtr*)(_t98 + 0x10)) + 0xfffffff0, 1);
                                							__imp__#6( *((intOrPtr*)(_t98 - 0x10)));
                                							_t43 = _t91;
                                						} else {
                                							E01272410(_t98 + 0xc, E0127859A());
                                							_push(0xd800);
                                							 *((char*)(_t98 - 4)) = 2;
                                							if(E01278490() == 0 || L012726D0(_t98 + 0xc, _t47, 0xd800) == 0) {
                                								E01273740(_t64, L"Invalid DateTime");
                                								L01271470( *((intOrPtr*)(_t98 + 0xc)) + 0xfffffff0, 1);
                                								__imp__#6( *((intOrPtr*)(_t98 - 0x10)));
                                								goto L2;
                                							} else {
                                								_t51 = E01272530( *((intOrPtr*)(_t98 + 0xc)) + 0xfffffff0);
                                								_t89 =  *((intOrPtr*)(_t98 + 8));
                                								 *_t89 = _t51 + 0x10;
                                								L01271470( *((intOrPtr*)(_t98 + 0xc)) + 0xfffffff0, 1);
                                								__imp__#6( *((intOrPtr*)(_t98 - 0x10)));
                                								goto L7;
                                							}
                                						}
                                					} else {
                                						E01272410(_t98 + 0xc, E0127859A());
                                						_push(0xd800);
                                						 *((intOrPtr*)(_t98 - 4)) = 0;
                                						if(E01278490() == 0 || L012726D0(_t98 + 0xc, _t56, 0xd800) == 0) {
                                							E01273740(_t64, L"Invalid DateTime");
                                							L01271470( *((intOrPtr*)(_t98 + 0xc)) + 0xfffffff0, 1);
                                							goto L2;
                                						} else {
                                							_t60 = E01272530( *((intOrPtr*)(_t98 + 0xc)) + 0xfffffff0);
                                							_t89 =  *((intOrPtr*)(_t98 + 8));
                                							 *_t89 = _t60 + 0x10;
                                							L01271470( *((intOrPtr*)(_t98 + 0xc)) + 0xfffffff0, 1);
                                							L7:
                                							_t43 = _t89;
                                						}
                                					}
                                				} else {
                                					E01273740(__ebx, 0x138e210);
                                					L2:
                                					_t43 =  *((intOrPtr*)(_t98 + 8));
                                				}
                                				return L013696D9(_t43);
                                			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 01288930
                                • VarBstrFromDate.OLEAUT32(?,?,?,?,?), ref: 012889E0
                                • SysFreeString.OLEAUT32(?), ref: 01288A38
                                • SysFreeString.OLEAUT32(?), ref: 01288A5E
                                  • Part of subcall function 01272530: _memcpy_s.LIBCMT ref: 0127258F
                                • SysFreeString.OLEAUT32(?), ref: 01288A9B
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: FreeString$BstrDateFromH_prolog3_memcpy_s
                                • String ID: Invalid DateTime
                                • API String ID: 108012304-2190634649
                                • Opcode ID: 989bb8161ae575f2b5867ff74a16b707986db00ee86c00c544b94a3285990097
                                • Instruction ID: 1eb3973efff86e11ffd8e060493e67b75ad3a447597983ac0f4fa736628f7c09
                                • Opcode Fuzzy Hash: 989bb8161ae575f2b5867ff74a16b707986db00ee86c00c544b94a3285990097
                                • Instruction Fuzzy Hash: 9541AD31521107EBCF05BF68DC149BFBB25FF60328B248619F865A73D4CB70AA508B91
                                Uniqueness

                                Uniqueness Score: 4.65%

                                C-Code - Quality: 98%
                                			E012D2FA8(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                				intOrPtr _t129;
                                				void* _t130;
                                				void* _t131;
                                
                                				_t133 = __fp0;
                                				_t131 = __eflags;
                                				_t125 = __edx;
                                				_push(4);
                                				L01369601(0x1382c04, __ebx, __edi, __esi);
                                				_t129 = __ecx;
                                				 *((intOrPtr*)(_t130 - 0x10)) = __ecx;
                                				L012F504C(__ebx, __ecx, __edx, __edi, __ecx, _t131);
                                				 *((intOrPtr*)(__ecx)) = 0x13991d4;
                                				 *((intOrPtr*)(__ecx + 0x270)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x274)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x278)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x27c)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x280)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x284)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x288)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x28c)) = 0;
                                				 *(__ecx + 0x290) = 0;
                                				 *((intOrPtr*)(__ecx + 0x294)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x298)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x29c)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2a0)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2a4)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2a8)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2ac)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2b0)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2b4)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2b8)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2bc)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2c0)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2c4)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2c8)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2cc)) = 0;
                                				 *((intOrPtr*)(_t130 - 4)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2d0)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2d4)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2d8)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x2dc)) = 0;
                                				L01281DD3(__ecx + 0x2e0, __edx, _t131);
                                				 *((intOrPtr*)(__ecx + 0x2e0)) = 0x1395eac;
                                				 *((char*)(_t130 - 4)) = 1;
                                				E0133C984(__ebx, __ecx + 0x354, __edx, 0, __ecx, _t131, __fp0);
                                				 *((intOrPtr*)(__ecx + 0x354)) = 0x139902c;
                                				 *((char*)(_t130 - 4)) = 2;
                                				E0133C984(0x139902c, __ecx + 0xaa4, __edx, 0, __ecx, _t131, __fp0);
                                				 *((intOrPtr*)(__ecx + 0xaa4)) = 0x139902c;
                                				 *((char*)(_t130 - 4)) = 3;
                                				E0133C984(0x139902c, __ecx + 0x11f4, _t125, 0, __ecx, _t131, __fp0);
                                				 *((intOrPtr*)(__ecx + 0x11f4)) = 0x139902c;
                                				 *((char*)(_t130 - 4)) = 4;
                                				E0133C984(0x139902c, __ecx + 0x1944, _t125, 0, __ecx, _t131, __fp0);
                                				 *((intOrPtr*)(__ecx + 0x1944)) = 0x139902c;
                                				 *((char*)(_t130 - 4)) = 5;
                                				E0133C984(0x139902c, __ecx + 0x2094, _t125, 0, __ecx, _t131, _t133);
                                				 *((intOrPtr*)(__ecx + 0x2094)) = 0x139902c;
                                				E0128C674(__ecx + 0x27e8, 0xa);
                                				 *(__ecx + 0xa0) =  *(__ecx + 0xa0) | 0xffffffff;
                                				 *((intOrPtr*)(__ecx + 0x9c)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x204)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x208)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x20c)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x210)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x218)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x21c)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x214)) = 0;
                                				SetRectEmpty(__ecx + 0x290);
                                				SetRectEmpty(_t129 + 0x2a0);
                                				 *((intOrPtr*)(_t129 + 0x258)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x264)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x25c)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x260)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x268)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x254)) = 0;
                                				SetRectEmpty(_t129 + 0x270);
                                				 *((intOrPtr*)(_t129 + 0x224)) = 1;
                                				 *((intOrPtr*)(_t129 + 0x100)) = 1;
                                				 *((intOrPtr*)(_t129 + 0x228)) = 1;
                                				 *((intOrPtr*)(_t129 + 0xfc)) = 1;
                                				 *((intOrPtr*)(_t129 + 0x234)) = 1;
                                				 *((intOrPtr*)(_t129 + 0x220)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x22c)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x230)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x238)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x23c)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x244)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x240)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x248)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x26c)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x27e4)) = 0;
                                				SetRectEmpty(_t129 + 0x2b0);
                                				SetRectEmpty(_t129 + 0x2c0);
                                				SetRectEmpty(_t129 + 0x2d0);
                                				 *((intOrPtr*)(_t129 + 0x250)) = 0;
                                				 *((intOrPtr*)(_t129 + 0x24c)) = 0;
                                				return L013696D9(_t129);
                                			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012D2FAF
                                  • Part of subcall function 012F504C: __EH_prolog3.LIBCMT ref: 012F5053
                                  • Part of subcall function 0133C984: __EH_prolog3.LIBCMT ref: 0133C98B
                                • SetRectEmpty.USER32 ref: 012D3145
                                • SetRectEmpty.USER32 ref: 012D314E
                                • SetRectEmpty.USER32 ref: 012D317B
                                • SetRectEmpty.USER32 ref: 012D31E1
                                • SetRectEmpty.USER32 ref: 012D31EA
                                • SetRectEmpty.USER32 ref: 012D31F3
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: EmptyRect$H_prolog3
                                • String ID:
                                • API String ID: 3752103406-0
                                • Opcode ID: 4ec00f93cedfd9d024d9f0d1171c5c7cb1465b4d47535114ca4d109075f9dce6
                                • Instruction ID: 9b02c130ed84a266d680031916881f028163b0f927564c620c9e28d3ea9493ce
                                • Opcode Fuzzy Hash: 4ec00f93cedfd9d024d9f0d1171c5c7cb1465b4d47535114ca4d109075f9dce6
                                • Instruction Fuzzy Hash: 2E6155B0806B458FD761EF7A85887DAFBE8BFA4304F104A1F80AE83260DBB42145CF15
                                Uniqueness

                                Uniqueness Score: 1.97%

                                C-Code - Quality: 72%
                                			E012EA275(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t58;
                                				signed int _t59;
                                				signed int _t61;
                                				signed int _t62;
                                				signed int _t63;
                                				signed int _t66;
                                				void* _t72;
                                				intOrPtr* _t76;
                                				void* _t91;
                                				intOrPtr _t96;
                                				signed int _t97;
                                				void* _t99;
                                
                                				_t91 = __edx;
                                				_push(0x24);
                                				L0136966A(0x1383759, __ebx, __edi, __esi);
                                				_t96 =  *((intOrPtr*)(_t99 + 0xc));
                                				_t93 =  *(_t99 + 0x14);
                                				 *(_t99 - 0x28) =  *(_t99 + 0x18);
                                				_t76 = __ecx;
                                				 *((intOrPtr*)(_t99 - 0x30)) =  *((intOrPtr*)(_t99 + 0x24));
                                				E01272410(_t99 - 0x24, E0127859A());
                                				 *(_t99 - 4) =  *(_t99 - 4) & 0x00000000;
                                				_t101 = _t96;
                                				if(_t96 != 0) {
                                					E01272AA0(_t93, _t96);
                                				} else {
                                					_push(L"Afx:ControlBar");
                                					_push(_t99 - 0x2c);
                                					_t72 = E0127EA42(__ecx, 0x13d63e8, _t93, _t96, _t101);
                                					 *(_t99 - 4) = 1;
                                					E01272A30(_t99 - 0x24, _t72);
                                					 *(_t99 - 4) = 0;
                                					L01271470( *((intOrPtr*)(_t99 - 0x2c)) + 0xfffffff0, _t91);
                                				}
                                				 *((intOrPtr*)(_t76 + 0x170)) =  *((intOrPtr*)(_t99 + 0x1c));
                                				_t97 = 0;
                                				if(L012CB2EF(_t76, _t91,  *((intOrPtr*)(_t99 + 8)),  *((intOrPtr*)(_t99 - 0x24)), 0,  *(_t99 + 0x10) | 0x06000000, _t93,  *(_t99 - 0x28),  *((intOrPtr*)(_t99 + 0x1c)),  *((intOrPtr*)(_t99 + 0x20)),  *((intOrPtr*)(_t99 - 0x30))) != 0) {
                                					CopyRect(_t99 - 0x20, _t93);
                                					L01279C17( *(_t99 - 0x28), _t99 - 0x20);
                                					_t58 = IsRectEmpty(_t76 + 0x248);
                                					__eflags = _t58;
                                					if(_t58 != 0) {
                                						_t97 = _t99 - 0x20;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                					}
                                					_t93 = _t76 + 0x208;
                                					_t59 = IsRectEmpty(_t76 + 0x208);
                                					__eflags = _t59;
                                					if(_t59 != 0) {
                                						_t97 = _t99 - 0x20;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                					}
                                					_t61 = IsRectEmpty(_t99 - 0x20);
                                					__eflags = _t61;
                                					if(_t61 == 0) {
                                						_t93 = _t76 + 0x1d8;
                                						_t97 = _t99 - 0x20;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                					}
                                					_t62 =  *(_t99 - 0x28);
                                					__eflags = _t62;
                                					if(_t62 == 0) {
                                						_t63 = 0;
                                						__eflags = 0;
                                					} else {
                                						_t63 =  *((intOrPtr*)(_t62 + 0x20));
                                					}
                                					 *((intOrPtr*)(_t76 + 0x54)) = _t63;
                                					E012E8F7E(_t76, _t91);
                                					_t66 =  *((intOrPtr*)( *_t76 + 0x1c8))();
                                					__eflags =  *(_t76 + 0x94) & _t66;
                                					if(( *(_t76 + 0x94) & _t66) != 0) {
                                						L013218EC(_t76, _t76 + 0x17c, _t91, _t93, _t97, _t76);
                                					}
                                					_t97 = 1;
                                					goto L4;
                                				} else {
                                					L4:
                                					L01271470( *((intOrPtr*)(_t99 - 0x24)) + 0xfffffff0, _t91);
                                					return L013696ED(_t76, _t93, _t97);
                                				}
                                			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012EA27C
                                  • Part of subcall function 012CB2EF: _memset.LIBCMT ref: 012CB3B5
                                  • Part of subcall function 012CB2EF: GetSysColorBrush.USER32(0000000F), ref: 012CB41E
                                  • Part of subcall function 012CB2EF: SetClassLongW.USER32(?,000000F6,00000000), ref: 012CB42A
                                  • Part of subcall function 012CB2EF: GetWindowRect.USER32 ref: 012CB44D
                                • CopyRect.USER32(?,?), ref: 012EA330
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                • IsRectEmpty.USER32 ref: 012EA349
                                • IsRectEmpty.USER32 ref: 012EA361
                                • IsRectEmpty.USER32 ref: 012EA376
                                  • Part of subcall function 012E8F7E: GetWindowRect.USER32 ref: 012E8F94
                                  • Part of subcall function 012E8F7E: GetParent.USER32(?), ref: 012E8FD6
                                  • Part of subcall function 012E8F7E: GetParent.USER32(?), ref: 012E8FE6
                                  • Part of subcall function 0127EA42: __EH_prolog3.LIBCMT ref: 0127EA49
                                  • Part of subcall function 0127EA42: LoadCursorW.USER32 ref: 0127EA75
                                  • Part of subcall function 0127EA42: GetClassInfoW.USER32 ref: 0127EAB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Empty$ClassClientParentScreenWindow$BrushColorCopyCursorH_prolog3H_prolog3_InfoLoadLong_memset
                                • String ID: Afx:ControlBar
                                • API String ID: 3459329576-4244778371
                                • Opcode ID: 4769575b14d85aef88e4166325eea671b5348c241b6302c9ec28af155f59bf7f
                                • Instruction ID: 68c68b0a8ab8f6e983348042b6e1a0255f07932818a8bbfc70f8eae3b7664f00
                                • Opcode Fuzzy Hash: 4769575b14d85aef88e4166325eea671b5348c241b6302c9ec28af155f59bf7f
                                • Instruction Fuzzy Hash: 2841387191021A9BDF11EFA8C888AEE7BB9FF19314F440168FE05BB255DB71A905CB60
                                Uniqueness

                                Uniqueness Score: 1.91%

                                C-Code - Quality: 92%
                                			E012827C5(intOrPtr* __ecx, void* __edx, signed int _a4) {
                                				int _v8;
                                				int _v12;
                                				int _v16;
                                				struct tagMSG* _v20;
                                				struct HWND__* _v24;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				struct HWND__* _t48;
                                				struct tagMSG* _t49;
                                				signed int _t51;
                                				void* _t54;
                                				void* _t56;
                                				int _t59;
                                				long _t62;
                                				signed int _t66;
                                				void* _t69;
                                				intOrPtr* _t71;
                                				void* _t73;
                                				intOrPtr* _t75;
                                
                                				_t73 = __edx;
                                				_t70 = __ecx;
                                				_t75 = __ecx;
                                				_v16 = 1;
                                				_v12 = 0;
                                				if((_a4 & 0x00000004) == 0) {
                                					L2:
                                					_v8 = 0;
                                					L3:
                                					_t48 = GetParent( *(_t75 + 0x20));
                                					 *(_t75 + 0x58) =  *(_t75 + 0x58) | 0x00000018;
                                					_v24 = _t48;
                                					_t49 = E01276068(_t77);
                                					_t69 = UpdateWindow;
                                					_v20 = _t49;
                                					while(1) {
                                						_t78 = _v16;
                                						if(_v16 == 0) {
                                							goto L15;
                                						}
                                						while(1) {
                                							L15:
                                							_t51 = E012764C3(_t70, _t73, 0, _t75, _t78);
                                							if(_t51 == 0) {
                                								break;
                                							}
                                							if(_v8 != 0) {
                                								_t59 = _v20->message;
                                								if(_t59 == 0x118 || _t59 == 0x104) {
                                									E0128699F(_t75, 1);
                                									UpdateWindow( *(_t75 + 0x20));
                                									_v8 = 0;
                                								}
                                							}
                                							_t71 = _t75;
                                							_t54 =  *((intOrPtr*)( *_t75 + 0x88))();
                                							_t83 = _t54;
                                							if(_t54 == 0) {
                                								_t45 = _t75 + 0x58;
                                								 *_t45 =  *(_t75 + 0x58) & 0xffffffe7;
                                								__eflags =  *_t45;
                                								return  *((intOrPtr*)(_t75 + 0x60));
                                							} else {
                                								_push(_v20);
                                								_t56 = E012763C6(_t69, _t71, 0, _t75, _t83);
                                								_pop(_t70);
                                								if(_t56 != 0) {
                                									_v16 = 1;
                                									_v12 = 0;
                                								}
                                								if(PeekMessageW(_v20, 0, 0, 0, 0) == 0) {
                                									while(1) {
                                										_t78 = _v16;
                                										if(_v16 == 0) {
                                											goto L15;
                                										}
                                										goto L4;
                                									}
                                								}
                                								continue;
                                							}
                                						}
                                						_push(0);
                                						E01274969();
                                						return _t51 | 0xffffffff;
                                						L4:
                                						__eflags = PeekMessageW(_v20, 0, 0, 0, 0);
                                						if(__eflags != 0) {
                                							goto L15;
                                						} else {
                                							__eflags = _v8;
                                							if(_v8 != 0) {
                                								_t70 = _t75;
                                								E0128699F(_t75, 1);
                                								UpdateWindow( *(_t75 + 0x20));
                                								_v8 = 0;
                                							}
                                							__eflags = _a4 & 0x00000001;
                                							if((_a4 & 0x00000001) == 0) {
                                								__eflags = _v24;
                                								if(_v24 != 0) {
                                									__eflags = _v12;
                                									if(_v12 == 0) {
                                										SendMessageW(_v24, 0x121, 0,  *(_t75 + 0x20));
                                									}
                                								}
                                							}
                                							__eflags = _a4 & 0x00000002;
                                							if(__eflags != 0) {
                                								L13:
                                								_v16 = 0;
                                								continue;
                                							} else {
                                								_t62 = SendMessageW( *(_t75 + 0x20), 0x36a, 0, _v12);
                                								_v12 = _v12 + 1;
                                								__eflags = _t62;
                                								if(__eflags != 0) {
                                									continue;
                                								}
                                								goto L13;
                                							}
                                						}
                                					}
                                				}
                                				_t66 = E01286848(__ecx);
                                				_v8 = 1;
                                				_t77 = _t66 & 0x10000000;
                                				if((_t66 & 0x10000000) == 0) {
                                					goto L3;
                                				}
                                				goto L2;
                                			}

                                APIs
                                • GetParent.USER32(?), ref: 012827F8
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0128281C
                                • UpdateWindow.USER32 ref: 01282837
                                • SendMessageW.USER32(?,00000121,00000000,?), ref: 01282858
                                • SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 01282870
                                  • Part of subcall function 0128699F: ShowWindow.USER32(00000000,?), ref: 012869B0
                                • UpdateWindow.USER32 ref: 012828B3
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 012828E4
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MessageWindow$PeekSendUpdate$LongParentShow
                                • String ID:
                                • API String ID: 225491234-0
                                • Opcode ID: c37d0c8cddb9a13d37f90cb66123a2ead92c501cf2cf58a15341a7692314939b
                                • Instruction ID: 7aa6eb86ce59f6a674a26c5ec9019af12d3527939b14c92201e76817b8fdd157
                                • Opcode Fuzzy Hash: c37d0c8cddb9a13d37f90cb66123a2ead92c501cf2cf58a15341a7692314939b
                                • Instruction Fuzzy Hash: 87416B7092174AEBDF22AF6AC848EAEBFB9FF85700F10412DF641A21D1D7719540DB20
                                Uniqueness

                                Uniqueness Score: 0.24%

                                C-Code - Quality: 89%
                                			E0128E025(void* __ebx, void* __edx, void* __eflags, long _a4, signed int _a8, long _a12, long _a16, intOrPtr _a20, signed int _a24) {
                                				signed int _v8;
                                				void* __ecx;
                                				void* __ebp;
                                				long _t32;
                                				signed int _t34;
                                				void* _t41;
                                				struct tagBITMAPINFOHEADER _t50;
                                				signed int _t51;
                                				void* _t53;
                                				long _t55;
                                				void* _t61;
                                				void* _t63;
                                				BITMAPINFO* _t66;
                                				signed int _t67;
                                				signed int _t69;
                                				signed int _t70;
                                
                                				_t61 = __edx;
                                				_push(_t53);
                                				_v8 = _v8 & 0x00000000;
                                				_t63 = _t53;
                                				_t66 = L0128DF92(__ebx,  &_v8, __eflags, 0x428);
                                				if(_t66 != 0) {
                                					_push(__ebx);
                                					_t50 = 0x28;
                                					L01367D50(_t66, 0, _t50);
                                					_t55 = _a16;
                                					_t66->bmiHeader.biWidth = _a4;
                                					_t66->bmiHeader.biPlanes = 1;
                                					_t32 = _a12;
                                					_t66->bmiHeader = _t50;
                                					_t51 = _a8;
                                					_t66->bmiHeader.biHeight = _t51;
                                					_t66->bmiHeader.biBitCount = _t32;
                                					_t66->bmiHeader.biCompression = _t55;
                                					__eflags = _t32 - 8;
                                					if(_t32 > 8) {
                                						__eflags = _t55 - 3;
                                						if(_t55 == 3) {
                                							_t16 =  &(_t66->bmiColors); // 0x28
                                							_push(E01368305(_t16, 0xc, _a20, 0xc));
                                							L01271310();
                                						}
                                					} else {
                                						_t14 =  &(_t66->bmiColors); // 0x28
                                						L01367D50(_t14, 0, 0x400);
                                					}
                                					_t34 = CreateDIBSection(0, _t66, 0, _t63 + 8, 0, 0);
                                					__eflags = _t34;
                                					if(_t34 != 0) {
                                						 *(_t63 + 4) = _t34;
                                						__eflags = _t51;
                                						E0128C1DD(_t63, _t61, (0 | _t51 > 0x00000000) + 1);
                                						__eflags = _a24 & 0x00000001;
                                						if((_a24 & 0x00000001) != 0) {
                                							 *((char*)(_t63 + 0x1d)) = 1;
                                						}
                                						_t67 = _v8;
                                						while(1) {
                                							__eflags = _t67;
                                							if(_t67 == 0) {
                                								break;
                                							}
                                							_t67 =  *_t67;
                                							L01367A0B(_t67);
                                						}
                                						_t41 = 1;
                                						__eflags = 1;
                                						goto L20;
                                					} else {
                                						_t69 = _v8;
                                						while(1) {
                                							__eflags = _t69;
                                							if(_t69 == 0) {
                                								break;
                                							}
                                							_t69 =  *_t69;
                                							L01367A0B(_t69);
                                						}
                                						_t41 = 0;
                                						L20:
                                						L21:
                                						return _t41;
                                					}
                                				}
                                				_t70 = _v8;
                                				while(_t70 != 0) {
                                					_t70 =  *_t70;
                                					L01367A0B(_t70);
                                				}
                                				_t41 = 0;
                                				goto L21;
                                			}

                                APIs
                                  • Part of subcall function 0128DF92: _malloc.LIBCMT ref: 0128DFA5
                                • _free.LIBCMT ref: 0128E04E
                                • _memset.LIBCMT ref: 0128E067
                                • _memset.LIBCMT ref: 0128E0A1
                                • _memcpy_s.LIBCMT ref: 0128E0BB
                                  • Part of subcall function 01368305: _memmove.LIBCMT ref: 01368341
                                  • Part of subcall function 01368305: _memset.LIBCMT ref: 01368353
                                • CreateDIBSection.GDI32(00000000,00000000,00000000,?,00000000,00000000), ref: 0128E0D4
                                • _free.LIBCMT ref: 0128E0E6
                                  • Part of subcall function 0128C1DD: GetObjectW.GDI32(?,00000054,?), ref: 0128C1FC
                                • _free.LIBCMT ref: 0128E119
                                  • Part of subcall function 01367A0B: HeapFree.KERNEL32(00000000,00000000), ref: 01367A21
                                  • Part of subcall function 01367A0B: GetLastError.KERNEL32(00000000,?,0136E429,00000000,?,01369B20,013695F6,?,?,01274776,?,?,?,01277D41,0000000C,00000004), ref: 01367A33
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: _free_memset$CreateErrorFreeHeapLastObjectSection_malloc_memcpy_s_memmove
                                • String ID:
                                • API String ID: 4074344355-0
                                • Opcode ID: e67fb8eec11fbbd7691ae4ade886eddfaad43f301e934e7e08f99f7cafaa580a
                                • Instruction ID: aef32c3401e272b91ea17564e6a388cf20879f128107b4d2239765f88028f413
                                • Opcode Fuzzy Hash: e67fb8eec11fbbd7691ae4ade886eddfaad43f301e934e7e08f99f7cafaa580a
                                • Instruction Fuzzy Hash: 8131D872921616EBE721FF68CC41AAB77ACEF15358F128919E945F72C0D770ED018BA0
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 88%
                                			E012C0E30(void* __ecx, intOrPtr __edx, void* __edi, intOrPtr _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct HRGN__* _v28;
                                				intOrPtr _v32;
                                				void* __ebx;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t36;
                                				void* _t38;
                                				int _t41;
                                				intOrPtr* _t42;
                                				intOrPtr _t43;
                                				intOrPtr _t44;
                                				void* _t45;
                                				intOrPtr _t51;
                                				intOrPtr _t53;
                                				intOrPtr _t57;
                                				int _t58;
                                				void* _t71;
                                				void* _t73;
                                				signed int _t74;
                                
                                				_t71 = __edi;
                                				_t70 = __edx;
                                				_t36 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t36 ^ _t74;
                                				_t73 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x2c)) != 0) {
                                					L20:
                                					_t38 = 0;
                                					__eflags = 0;
                                					L21:
                                					return L01367D3E(_t38, 0, _v8 ^ _t74, _t70, _t71, _t73);
                                				}
                                				if(_a4 == 0) {
                                					_t57 =  *((intOrPtr*)(__ecx + 0xfc));
                                					if(_t57 != 0) {
                                						_t58 = IsWindowVisible( *(_t57 + 0x20));
                                						_t78 = _t58;
                                						if(_t58 != 0) {
                                							L012CD8C6(0,  *((intOrPtr*)(_t73 + 0xfc)), _t70);
                                							L012CDF06( *((intOrPtr*)(_t73 + 0xfc)), _t70, _t78, 0);
                                						}
                                					}
                                				}
                                				_t41 = IsWindowVisible( *( *((intOrPtr*)(_t73 + 0xb0)) + 0x20));
                                				_t79 = _t41;
                                				if(_t41 == 0) {
                                					goto L20;
                                				}
                                				_t42 = E0128C2A4(0, _t71, _t73, _t79);
                                				_t70 =  *_t42;
                                				_t43 =  *((intOrPtr*)( *_t42 + 0x200))( *((intOrPtr*)(_t73 + 0xb0)), _a4, _t71);
                                				_v32 = _t43;
                                				_v28 = 0;
                                				if(_t43 != 0) {
                                					_t51 =  *((intOrPtr*)(_t73 + 0xfc));
                                					if(_t51 != 0 && IsWindowVisible( *(_t51 + 0x20)) != 0) {
                                						_t53 =  *((intOrPtr*)(_t73 + 0xfc));
                                						if( *((intOrPtr*)(_t53 + 0x314)) != 0) {
                                							RedrawWindow( *(_t53 + 0x20), 0, 0, 0x585);
                                							RedrawWindow( *( *((intOrPtr*)(_t73 + 0xb0)) + 0x20), 0, 0, 0x501);
                                							_v28 = 1;
                                						}
                                					}
                                				}
                                				_t44 =  *((intOrPtr*)(_t73 + 0x100));
                                				if(_t44 != 0 &&  *(_t44 + 0x20) != 0) {
                                					RedrawWindow( *(_t44 + 0x20), 0, 0, 0x105);
                                				}
                                				_t86 = _v28;
                                				if(_v28 == 0 && E0128C316(_t73, _t86) != 0) {
                                					_v24.left = 0;
                                					_v24.top = 0;
                                					_v24.right = 0;
                                					_v24.bottom = 0;
                                					RedrawWindow( *( *((intOrPtr*)(_t73 + 0xb0)) + 0x20),  &_v24, 0, 0x541);
                                				}
                                				_pop(_t71);
                                				if(_v32 == 0) {
                                					goto L20;
                                				} else {
                                					_t45 = E0127E1CC(0x13d63e8);
                                					if(_t45 != 0) {
                                						goto L20;
                                					}
                                					_t38 = _t45 + 1;
                                					goto L21;
                                				}
                                			}

                                APIs
                                • IsWindowVisible.USER32(?), ref: 012C0E63
                                  • Part of subcall function 012CDF06: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012CDF7D
                                • IsWindowVisible.USER32(?), ref: 012C0E8D
                                  • Part of subcall function 0128C2A4: __EH_prolog3.LIBCMT ref: 0128C2AB
                                • IsWindowVisible.USER32(?), ref: 012C0ED1
                                • RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 012C0EF3
                                • RedrawWindow.USER32(?,00000000,00000000,00000501), ref: 012C0F05
                                • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012C0F27
                                • RedrawWindow.USER32(?,?,00000000,00000541), ref: 012C0F58
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Redraw$Visible$ExceptionFilterProcessUnhandled$CurrentDebuggerH_prolog3PresentTerminate
                                • String ID:
                                • API String ID: 1946771730-0
                                • Opcode ID: 462a2cadcb5659d6c26d9a950f695162ee1bd0d25babb8649d707d0fcedcd9ee
                                • Instruction ID: ba338cb62dc36678ea36feb93a03fcc44338f07232ed0912761402c4a08584f6
                                • Opcode Fuzzy Hash: 462a2cadcb5659d6c26d9a950f695162ee1bd0d25babb8649d707d0fcedcd9ee
                                • Instruction Fuzzy Hash: AA411B7561020BDFEB209F68C980AAABBB9BF48744F10467DF34597161DB70A9808BA5
                                Uniqueness

                                Uniqueness Score: 2.84%

                                C-Code - Quality: 96%
                                			E01282E59(intOrPtr* __ecx, void* __edx) {
                                				signed int _v8;
                                				struct HWND__* _v44;
                                				struct HWND__* _v48;
                                				intOrPtr _v52;
                                				void* _v56;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t34;
                                				long _t48;
                                				struct HWND__* _t53;
                                				long _t66;
                                				intOrPtr* _t68;
                                				signed int _t69;
                                				void* _t76;
                                				void* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t80;
                                				signed int _t81;
                                
                                				_t76 = __edx;
                                				_t34 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t34 ^ _t81;
                                				_t80 = __ecx;
                                				_t77 = E0127605F();
                                				if(_t77 != 0) {
                                					if( *((intOrPtr*)(_t77 + 0x20)) == __ecx) {
                                						 *((intOrPtr*)(_t77 + 0x20)) = 0;
                                					}
                                					if( *((intOrPtr*)(_t77 + 0x24)) == _t80) {
                                						 *((intOrPtr*)(_t77 + 0x24)) = 0;
                                					}
                                				}
                                				_t68 =  *((intOrPtr*)(_t80 + 0x64));
                                				if(_t68 != 0) {
                                					 *((intOrPtr*)( *_t68 + 0x50))();
                                					 *((intOrPtr*)(_t80 + 0x64)) = 0;
                                				}
                                				_t69 =  *(_t80 + 0x68);
                                				if(_t69 != 0) {
                                					 *((intOrPtr*)( *_t69 + 4))(1);
                                				}
                                				 *(_t80 + 0x68) =  *(_t80 + 0x68) & 0x00000000;
                                				_t92 =  *(_t80 + 0x58) & 1;
                                				if(( *(_t80 + 0x58) & 1) != 0) {
                                					_t79 =  *((intOrPtr*)(L01279322(1, _t69, _t77, _t80, _t92) + 0x3c));
                                					if(_t79 != 0) {
                                						_t94 =  *(_t79 + 0x20);
                                						if( *(_t79 + 0x20) != 0) {
                                							L01367D50( &_v56, 0, 0x30);
                                							_t53 =  *(_t80 + 0x20);
                                							_v48 = _t53;
                                							_v44 = _t53;
                                							_v56 = 0x2c;
                                							_v52 = 1;
                                							SendMessageW( *(_t79 + 0x20), 0x433, 0,  &_v56);
                                						}
                                					}
                                				}
                                				_t78 = GetWindowLongW;
                                				_t66 = GetWindowLongW( *(_t80 + 0x20), 0xfffffffc);
                                				E01282C5F(_t66, _t80, GetWindowLongW, _t94);
                                				if(GetWindowLongW( *(_t80 + 0x20), 0xfffffffc) == _t66) {
                                					_t48 =  *( *((intOrPtr*)( *_t80 + 0xfc))());
                                					if(_t48 != 0) {
                                						SetWindowLongW( *(_t80 + 0x20), 0xfffffffc, _t48);
                                					}
                                				}
                                				E01282D90(_t66, _t80, _t76);
                                				return L01367D3E( *((intOrPtr*)( *_t80 + 0x120))(), _t66, _v8 ^ _t81, _t76, _t78, _t80);
                                			}

                                APIs
                                • _memset.LIBCMT ref: 01282EF2
                                • SendMessageW.USER32(00000000,00000433,00000000,?), ref: 01282F1B
                                • GetWindowLongW.USER32(?,000000FC), ref: 01282F2D
                                • GetWindowLongW.USER32(?,000000FC), ref: 01282F3E
                                • SetWindowLongW.USER32 ref: 01282F5A
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: LongWindow$ExceptionFilterProcessUnhandled$CurrentDebuggerMessagePresentSendTerminate_memset
                                • String ID: ,
                                • API String ID: 2933273524-3772416878
                                • Opcode ID: 25e51441a00e1d349992ac548b9d50df23451462d72fc6c0b2d40fee51042577
                                • Instruction ID: 2449328173b3c7c09510d4fc192997de9698f8cebcfa87de491e239b62e4f44d
                                • Opcode Fuzzy Hash: 25e51441a00e1d349992ac548b9d50df23451462d72fc6c0b2d40fee51042577
                                • Instruction Fuzzy Hash: 68415E71611306EFDB25BF78D884A6EBBE9BF58314F14052DE646976D2DB30E800CB94
                                Uniqueness

                                Uniqueness Score: 2.71%

                                C-Code - Quality: 97%
                                			E012B2473(void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t37;
                                				intOrPtr _t39;
                                				int _t42;
                                				intOrPtr _t49;
                                				signed int _t69;
                                				signed int _t70;
                                				struct HWND__* _t72;
                                				signed int _t75;
                                				void* _t76;
                                
                                				_t69 = __edx;
                                				_t61 = __ecx;
                                				_push(0x1c);
                                				_t37 = L01369601(0x13818ec, __ebx, __edi, __esi);
                                				 *((intOrPtr*)(_t76 - 0x14)) = __ecx;
                                				 *((intOrPtr*)(__ecx + 0xd8)) =  *((intOrPtr*)(__ecx + 0xd8)) + 1;
                                				if( *((intOrPtr*)(__ecx + 0xd8)) <= 1) {
                                					_t39 = E012848D5(__ecx, __edi);
                                					 *((intOrPtr*)(_t76 - 0x10)) = _t39;
                                					if(_t39 == 0) {
                                						L2:
                                						L01277AC9(_t61);
                                					}
                                					_t75 = 0;
                                					 *(_t76 - 0x28) = 0x1393eb4;
                                					 *((intOrPtr*)(_t76 - 0x24)) = 0;
                                					 *((intOrPtr*)(_t76 - 0x18)) = 0;
                                					 *((intOrPtr*)(_t76 - 0x1c)) = 0;
                                					 *(_t76 - 0x20) = 0;
                                					 *(_t76 - 4) = 0;
                                					_t72 = GetWindow(GetDesktopWindow(), 5);
                                					if(_t72 != 0) {
                                						do {
                                							_t42 = IsWindowEnabled(_t72);
                                							_t83 = _t42;
                                							if(_t42 != 0 && E01282D31(0, _t61, _t69, _t72, _t75, _t83, _t72) != 0 && E012B074C( *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)) + 0x20)), _t72) != 0 && SendMessageW(_t72, 0x36c, 0, 0) == 0) {
                                								EnableWindow(_t72, 0);
                                								_t61 = _t76 - 0x28;
                                								E012CCBFC(_t76 - 0x28, _t75, _t72);
                                								_t75 =  *(_t76 - 0x20);
                                							}
                                							_t72 = GetWindow(_t72, 2);
                                						} while (_t72 != 0);
                                						if(_t75 != 0) {
                                							_t90 = _t75 > 0;
                                							if(_t75 > 0) {
                                								goto L2;
                                							} else {
                                								_t70 = 4;
                                								_t18 = _t75 + 1; // 0x1
                                								_t69 = _t18 * _t70 >> 0x20;
                                								_t49 = E01274753(_t90,  ~(0 | _t90 > 0x00000000) | _t18 * _t70);
                                								_t73 =  *((intOrPtr*)(_t76 - 0x14));
                                								_t61 = _t75 << 2;
                                								 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x14)) + 0xdc)) = _t49;
                                								 *((intOrPtr*)((_t75 << 2) + _t49)) = 0;
                                								if((0 |  *((intOrPtr*)(_t76 - 0x24)) != 0x00000000) == 0) {
                                									goto L2;
                                								} else {
                                									L01277D0D( *((intOrPtr*)(_t73 + 0xdc)), _t61,  *((intOrPtr*)(_t76 - 0x24)), _t61);
                                								}
                                							}
                                						}
                                					}
                                					 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
                                					_t37 = E012B2360(_t76 - 0x28);
                                				}
                                				return L013696D9(_t37);
                                			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012B247A
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetDesktopWindow.USER32 ref: 012B24C2
                                • GetWindow.USER32(00000000), ref: 012B24C9
                                • IsWindowEnabled.USER32 ref: 012B24DA
                                • SendMessageW.USER32(00000000,0000036C,00000000,00000000), ref: 012B2506
                                • EnableWindow.USER32 ref: 012B2512
                                • GetWindow.USER32(00000000,00000002), ref: 012B2528
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                  • Part of subcall function 01277D0D: _memcpy_s.LIBCMT ref: 01277D1E
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$DesktopEnableEnabledException@8H_prolog3MessageSendThrow_malloc_memcpy_s
                                • String ID:
                                • API String ID: 1243293460-0
                                • Opcode ID: c41d5ab7f98756b1b453e540a2d854fd9b3cba56ce00da5b37d7648ccf9118b3
                                • Instruction ID: 9f532791e261547108df39cf114a050fae8f7bde82b53a12914ae178299233be
                                • Opcode Fuzzy Hash: c41d5ab7f98756b1b453e540a2d854fd9b3cba56ce00da5b37d7648ccf9118b3
                                • Instruction Fuzzy Hash: 5D31A472920306DFDB25AFA49CC99FEBAB8FF48354F14452DE216B6180DB35A901CB61
                                Uniqueness

                                Uniqueness Score: 1.37%

                                C-Code - Quality: 82%
                                			E0128E840(intOrPtr __ecx, long __edx, void* __fp0) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				long _v28;
                                				long _v32;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t27;
                                				void* _t31;
                                				struct HINSTANCE__* _t33;
                                				_Unknown_base(*)()* _t35;
                                				void* _t38;
                                				void* _t47;
                                				void* _t49;
                                				intOrPtr _t68;
                                				signed int _t69;
                                
                                				_t66 = __edx;
                                				_t27 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t27 ^ _t69;
                                				_t68 = __ecx;
                                				_t70 =  *((intOrPtr*)(__ecx + 0x74));
                                				if( *((intOrPtr*)(__ecx + 0x74)) != 0) {
                                					_t31 = L0128DEBA(_t47, __ecx, __edx, _t70);
                                					_v32 = 0;
                                					_v28 = 0;
                                					_t66 =  *( *(_t68 + 0x74));
                                					_t49 =  *((intOrPtr*)( *( *(_t68 + 0x74)) + 0x1f0))(_t31,  &_v32, _t47);
                                					if(_t49 == 0) {
                                						_t38 = E012789CC(0x1391888, L01283CE7( *(_t68 + 0x74)));
                                						_v24.left = 0;
                                						_v24.top = 0;
                                						_v24.right = 0;
                                						_v24.bottom = 0;
                                						GetWindowRect( *( *((intOrPtr*)( *( *(_t68 + 0x74)) + 0x1f8))() + 0x20),  &_v24);
                                						L01279BD6(_t38,  &_v24);
                                						_t66 = _v24.left;
                                						_v28 = _v24.top;
                                						_v32 = _v24.left;
                                						_t49 = E0128E4B0(_t38, _t68, _t66, 0, _t68, _v24.right - _t66, __fp0, _v24.right - _t66, _v24.bottom - _v24.top, 0);
                                					}
                                					_t33 = GetModuleHandleW(L"DWMAPI");
                                					if(_t33 != 0) {
                                						_t35 = GetProcAddress(_t33, "DwmSetIconicLivePreviewBitmap");
                                						if(_t35 != 0) {
                                							_t68 =  *((intOrPtr*)(_t68 + 0x20));
                                							 *_t35(_t68, _t49,  &_v32, 0);
                                						}
                                					}
                                					DeleteObject(_t49);
                                					_pop(_t47);
                                				}
                                				return L01367D3E(0, _t47, _v8 ^ _t69, _t66, 0, _t68);
                                			}

                                APIs
                                • GetWindowRect.USER32 ref: 0128E8B8
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                  • Part of subcall function 0128E4B0: __EH_prolog3_GS.LIBCMT ref: 0128E4BA
                                  • Part of subcall function 0128E4B0: GetWindowRect.USER32 ref: 0128E509
                                  • Part of subcall function 0128E4B0: OffsetRect.USER32 ref: 0128E51F
                                  • Part of subcall function 0128E4B0: CreateCompatibleDC.GDI32(?), ref: 0128E590
                                  • Part of subcall function 0128E4B0: SelectObject.GDI32(?,?), ref: 0128E5B0
                                  • Part of subcall function 0128E4B0: SelectObject.GDI32(?,?), ref: 0128E5F2
                                  • Part of subcall function 0128E4B0: CreateCompatibleDC.GDI32(?), ref: 0128E70B
                                  • Part of subcall function 0128E4B0: SelectObject.GDI32(?,?), ref: 0128E72B
                                  • Part of subcall function 0128E4B0: SelectObject.GDI32(?,00000000), ref: 0128E75B
                                • GetModuleHandleW.KERNEL32(DWMAPI), ref: 0128E8F0
                                • GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 0128E900
                                • DeleteObject.GDI32(00000000), ref: 0128E917
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 0128DEBA: IsIconic.USER32(?), ref: 0128DEDA
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Object$Select$Rect$ClientCompatibleCreateExceptionFilterProcessScreenUnhandledWindow$AddressCurrentDebuggerDeleteH_prolog3_HandleIconicModuleOffsetPresentProcTerminate
                                • String ID: DWMAPI$DwmSetIconicLivePreviewBitmap
                                • API String ID: 2283195527-239049650
                                • Opcode ID: 35992f4a1ba896267c71707f85303156f65dfa03816603caf71f7ce79c4f1de5
                                • Instruction ID: f953921562c5fcb0862183117b6ffc3d6c79d3bc254acded6299dbccdd7229f1
                                • Opcode Fuzzy Hash: 35992f4a1ba896267c71707f85303156f65dfa03816603caf71f7ce79c4f1de5
                                • Instruction Fuzzy Hash: 52317C71A0020AEFCB14EFA9D8848BEFBF9FF98304B10052DE112E3251DA746901CB60
                                Uniqueness

                                Uniqueness Score: 4.31%

                                C-Code - Quality: 95%
                                			E012B25A5(intOrPtr* __ecx, void* __edx, long _a4) {
                                				void* __ebx;
                                				void* _t26;
                                				signed int _t27;
                                				long _t40;
                                				signed int _t43;
                                				void* _t52;
                                				intOrPtr* _t55;
                                
                                				_t52 = __edx;
                                				_t47 = __ecx;
                                				_t43 = _a4;
                                				_t55 = __ecx;
                                				if(_t43 != 0 && ( *(__ecx + 0x58) & 0x00000004) != 0) {
                                					E012869E1(__ecx, 0);
                                					return SetFocus(0);
                                				}
                                				_t26 = E01282D05(_t43, _t47, _t52, GetParent( *(_t55 + 0x20)));
                                				if(_t26 == 0) {
                                					L5:
                                					if(_t43 != 0) {
                                						_t27 =  *(_t55 + 0x58);
                                						if(_t27 < 0) {
                                							 *(_t55 + 0x58) = _t27 & 0xffffff7f;
                                							 *((intOrPtr*)( *_t55 + 0x108))();
                                							_a4 =  *(_t55 + 0x20);
                                							if(GetActiveWindow() == _a4) {
                                								SendMessageW(_a4, 6, 1, 0);
                                							}
                                						}
                                						if(( *(_t55 + 0x58) & 0x00000020) != 0) {
                                							SendMessageW( *(_t55 + 0x20), 0x86, 1, 0);
                                						}
                                					} else {
                                						if( *((intOrPtr*)(_t55 + 0xd8)) == 0) {
                                							 *(_t55 + 0x58) =  *(_t55 + 0x58) | 0x00000080;
                                							 *((intOrPtr*)( *_t55 + 0x104))();
                                						}
                                					}
                                					asm("sbb ebx, ebx");
                                					return E012B0EB2(_t55, ( ~_t43 & 0xfffffff0) + 0x20);
                                				} else {
                                					_a4 = 0;
                                					GetWindowThreadProcessId( *(_t26 + 0x20),  &_a4);
                                					_t40 = GetCurrentProcessId();
                                					if(_t40 == _a4) {
                                						return _t40;
                                					}
                                					goto L5;
                                				}
                                			}











                                APIs
                                • SetFocus.USER32 ref: 012B25C5
                                • GetParent.USER32(?), ref: 012B25D3
                                • GetWindowThreadProcessId.USER32(?,?), ref: 012B25EE
                                • GetCurrentProcessId.KERNEL32 ref: 012B25F4
                                • GetActiveWindow.USER32 ref: 012B2647
                                • SendMessageW.USER32(?,00000006,00000001,00000000), ref: 012B265B
                                • SendMessageW.USER32(?,00000086,00000001,00000000), ref: 012B266F
                                  • Part of subcall function 012B0EB2: SendMessageW.USER32(?,00000086,00000001,00000000), ref: 012B0F19
                                  • Part of subcall function 012B0EB2: SendMessageW.USER32(?,00000086,00000000,00000000), ref: 012B0F30
                                  • Part of subcall function 012B0EB2: GetDesktopWindow.USER32 ref: 012B0F34
                                  • Part of subcall function 012B0EB2: SendMessageW.USER32(00000000,0000036D,0000000C,00000000), ref: 012B0F55
                                  • Part of subcall function 012B0EB2: GetWindow.USER32(00000000), ref: 012B0F5A
                                  • Part of subcall function 012869E1: EnableWindow.USER32 ref: 012869F2
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MessageSendWindow$Process$ActiveCurrentDesktopEnableFocusParentThread
                                • String ID:
                                • API String ID: 1471893699-0
                                • Opcode ID: b633e3bcbeb1e8c6016183844df1f25ed6740b6efec3a0da6cb2fe5d9334cdec
                                • Instruction ID: c73a7f405fda375b27c8e1d0e4ec68fbec8f4f1d5f7852662a3f8b3d2986689f
                                • Opcode Fuzzy Hash: b633e3bcbeb1e8c6016183844df1f25ed6740b6efec3a0da6cb2fe5d9334cdec
                                • Instruction Fuzzy Hash: F4219131120704EFDB32AF29D8C8FEA7BE5FF44790F140119FA86961A0D7B1B4818B60
                                Uniqueness

                                Uniqueness Score: 0.89%

                                C-Code - Quality: 100%
                                			E012C087D(void* __ecx, int _a4, long _a8) {
                                				intOrPtr _t18;
                                				intOrPtr _t19;
                                				intOrPtr _t30;
                                				struct HWND__* _t32;
                                				intOrPtr _t33;
                                				void* _t36;
                                				intOrPtr* _t38;
                                				struct HWND__* _t39;
                                				void* _t40;
                                				void* _t44;
                                				void* _t46;
                                				struct HWND__* _t47;
                                
                                				_t18 =  *0x13d97c0; // 0x0
                                				_t44 = __ecx;
                                				if(_t18 == 0 || IsWindow( *(_t18 + 0x20)) == 0) {
                                					_t19 =  *((intOrPtr*)(_t44 + 0xfc));
                                					if(_t19 == 0 || IsWindowVisible( *(_t19 + 0x20)) == 0) {
                                						return 0;
                                					} else {
                                						return SendMessageW( *( *((intOrPtr*)(_t44 + 0xfc)) + 0x20), 0x20a, _a4, _a8);
                                					}
                                				} else {
                                					_t38 =  *0x13d97c0; // 0x0
                                					if( *((intOrPtr*)(_t38 + 0xef0)) != 0) {
                                						SendMessageW( *(_t38 + 0x20), 0x20a, _a4, _a8);
                                						_t38 =  *0x13d97c0; // 0x0
                                					}
                                					if( *((intOrPtr*)( *_t38 + 0x200))() == 0) {
                                						L15:
                                						return 1;
                                					} else {
                                						_t46 = E01282D05(_t36, _t38, _t40, GetFocus());
                                						if(_t46 == 0) {
                                							L13:
                                							_t30 =  *0x13d97c0; // 0x0
                                							L14:
                                							SendMessageW( *(_t30 + 0x20), 0x10, 0, 0);
                                							goto L15;
                                						}
                                						_t32 =  *(_t46 + 0x20);
                                						if(_t32 == 0) {
                                							goto L13;
                                						}
                                						_t33 =  *0x13d97c0; // 0x0
                                						if(IsChild( *(_t33 + 0x20), _t32) != 0) {
                                							goto L15;
                                						}
                                						_t30 =  *0x13d97c0; // 0x0
                                						_t47 =  *(_t46 + 0x20);
                                						if(_t30 != 0) {
                                							_t39 =  *(_t30 + 0x20);
                                						} else {
                                							_t39 = 0;
                                						}
                                						if(_t47 == _t39) {
                                							goto L15;
                                						} else {
                                							goto L14;
                                						}
                                					}
                                				}
                                			}
















                                APIs
                                • IsWindow.USER32(?), ref: 012C0895
                                • SendMessageW.USER32(?,0000020A,?,?), ref: 012C08C7
                                • GetFocus.USER32 ref: 012C08DB
                                • IsChild.USER32 ref: 012C08FD
                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012C092E
                                • IsWindowVisible.USER32(?), ref: 012C0943
                                • SendMessageW.USER32(?,0000020A,?,?), ref: 012C0961
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MessageSend$Window$ChildFocusVisible
                                • String ID:
                                • API String ID: 1252167185-0
                                • Opcode ID: fa5633d4e60f738a5dafbdc52abd171875c62949d810d1a8cb7eb7de42e6a8f3
                                • Instruction ID: 7c212f232b9ff55367cf97598fa86f761937fdc5d9035bc3749d645c892be15e
                                • Opcode Fuzzy Hash: fa5633d4e60f738a5dafbdc52abd171875c62949d810d1a8cb7eb7de42e6a8f3
                                • Instruction Fuzzy Hash: 83212D3A221602DFEB219F69D844FA67BB9FB48F10F054268F745DB165D761E800CB94
                                Uniqueness

                                Uniqueness Score: 2.59%

                                C-Code - Quality: 85%
                                			E012F8597(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                				int _t36;
                                				intOrPtr _t39;
                                				void* _t40;
                                				int _t44;
                                				RECT* _t48;
                                				struct tagRECT* _t58;
                                				intOrPtr* _t61;
                                				signed int _t62;
                                				void* _t63;
                                				void* _t64;
                                
                                				_t64 = __eflags;
                                				_push(0x54);
                                				L0136966A(0x138427a, __ebx, __edi, __esi);
                                				_t48 =  *(_t63 + 0xc);
                                				_t61 =  *((intOrPtr*)(_t63 + 0x10));
                                				 *((intOrPtr*)(_t63 - 0x60)) = __ecx;
                                				E012F84E5(_t48, _t63 - 0x50, __edi, _t61, _t64);
                                				 *(_t63 - 4) = 0;
                                				if(_t61 == 0) {
                                					_t61 = _t63 - 0x50;
                                				}
                                				 *((intOrPtr*)(_t61 + 0x34)) = 0;
                                				if(_t48 == 0) {
                                					 *(_t63 - 0x58) = 0;
                                					 *(_t63 - 0x54) = 0;
                                					GetCursorPos(_t63 - 0x58);
                                					_t58 = _t61 + 0x24;
                                					SetRect(_t58,  *(_t63 - 0x58),  *(_t63 - 0x54),  *(_t63 - 0x58),  *(_t63 - 0x54));
                                				} else {
                                					_t58 = _t61 + 0x24;
                                					CopyRect(_t58, _t48);
                                				}
                                				if(L0128BFE8(_t58) == 0) {
                                					_t36 = IsRectEmpty(_t58);
                                					__eflags = _t36;
                                					if(_t36 != 0) {
                                						_t44 =  *0x13d9f28; // 0x2
                                						InflateRect(_t58, _t44, _t44);
                                					}
                                				} else {
                                					 *((intOrPtr*)(_t61 + 0x34)) = 1;
                                				}
                                				_t59 =  *_t61;
                                				_push(E01274D2D());
                                				if( *((intOrPtr*)( *_t61 + 0x58))() != 0) {
                                					_t39 = L01287C1B( *((intOrPtr*)(_t63 - 0x60)), 0x13b6a14);
                                					_t59 = _t39;
                                					_t40 = L01287C1B(_t61, 0x13b6ad4);
                                					 *(_t63 - 0x5c) =  *(_t63 - 0x5c) & 0x00000000;
                                					__imp__DoDragDrop(_t39, _t40,  *((intOrPtr*)(_t63 + 8)), _t63 - 0x5c);
                                					_t62 =  *(_t63 - 0x5c);
                                				} else {
                                					_t62 = 0;
                                				}
                                				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
                                				L01275D18(_t63 - 0x50);
                                				return L013696ED(_t48, _t59, _t62);
                                			}














                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012F859E
                                  • Part of subcall function 012F84E5: __EH_prolog3.LIBCMT ref: 012F84EC
                                  • Part of subcall function 012F84E5: GetProfileIntW.KERNEL32 ref: 012F8544
                                  • Part of subcall function 012F84E5: GetProfileIntW.KERNEL32 ref: 012F8556
                                • CopyRect.USER32(?,?), ref: 012F85CC
                                • GetCursorPos.USER32(?), ref: 012F85DE
                                • SetRect.USER32(?,?,?,?,?), ref: 012F85F4
                                • IsRectEmpty.USER32 ref: 012F860F
                                • InflateRect.USER32(?,00000002,00000002), ref: 012F8621
                                • DoDragDrop.OLE32(00000000,00000000,?,00000000), ref: 012F8678
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
                                • String ID:
                                • API String ID: 1837043813-0
                                • Opcode ID: 2e762cda8fbbdc63328d2416b67fa9913e30f7c506afae744cc37cbfb0b022c2
                                • Instruction ID: 8d66eb866c2ea34e5062bb828ea735835eb9f960f125e90a2777058a1d6ab9e4
                                • Opcode Fuzzy Hash: 2e762cda8fbbdc63328d2416b67fa9913e30f7c506afae744cc37cbfb0b022c2
                                • Instruction Fuzzy Hash: 8B213972920215DFDF11AFE4C9489FEFBB8FF58715F004429E602AB648DB70A905CB61
                                Uniqueness

                                Uniqueness Score: 1.09%

                                APIs
                                • RegOpenKeyExW.ADVAPI32 ref: 012768CD
                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 012768F8
                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 01276923
                                  • Part of subcall function 01276810: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 01276822
                                  • Part of subcall function 01276810: GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 01276832
                                • RegCloseKey.ADVAPI32(?), ref: 01276937
                                • RegCloseKey.ADVAPI32(?), ref: 01276941
                                  • Part of subcall function 012767B7: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 012767C9
                                  • Part of subcall function 012767B7: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 012767D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AddressCloseCreateHandleModuleProc$Open
                                • String ID: software
                                • API String ID: 345982066-2010147023
                                • Opcode ID: 9501b135f2d43e381c4cdd32af6800a30cda24d82207d0a920983a625c79da1c
                                • Instruction ID: c914c2014540674e5b837eb0beba8c3c1a81b733c7a44d64e9a95a057919f7e5
                                • Opcode Fuzzy Hash: 9501b135f2d43e381c4cdd32af6800a30cda24d82207d0a920983a625c79da1c
                                • Instruction Fuzzy Hash: 502158B1910919FFAB219B8ADC88CEFBF7EEFC6740B24005AF605A2100D7308A44DB71
                                Uniqueness

                                Uniqueness Score: 0.25%

                                APIs
                                • GetParent.USER32(?), ref: 01280D42
                                • GetWindowRect.USER32 ref: 01280D66
                                • ScreenToClient.USER32(?,?), ref: 01280D79
                                • ScreenToClient.USER32(?,?), ref: 01280D82
                                • EqualRect.USER32 ref: 01280D89
                                • DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 01280DB3
                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 01280DBD
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$ClientExceptionFilterProcessRectScreenUnhandled$CurrentDebuggerDeferEqualParentPresentTerminate
                                • String ID:
                                • API String ID: 1880694591-0
                                • Opcode ID: 6cf32041b307ec9e3f43d323ee72bc2450bc041a94109cb6f6fc451832bb8312
                                • Instruction ID: e1ae5ae9be181ea70baa572080528e9f760545f5731bc56081b3a5b18c4d897c
                                • Opcode Fuzzy Hash: 6cf32041b307ec9e3f43d323ee72bc2450bc041a94109cb6f6fc451832bb8312
                                • Instruction Fuzzy Hash: C621EE7691120AAFDB10DFA8D845DEEBBBDFF48314F105429E915E3254EB30A9048B60
                                Uniqueness

                                Uniqueness Score: 0.51%

                                C-Code - Quality: 80%
                                			E012BCDE4(void* __ecx, long _a4) {
                                				struct tagPOINT _v12;
                                				void* __ebx;
                                				void* _t26;
                                				void* _t28;
                                				RECT* _t45;
                                				void* _t54;
                                
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t54 = __ecx;
                                				_t26 = __ecx + 0xff0;
                                				if(_t26 != 0 &&  *((intOrPtr*)(_t26 + 0x20)) != 0) {
                                					SendMessageW( *(__ecx + 0x1010), 0x407, 0, _a4);
                                				}
                                				if( *((intOrPtr*)(_a4 + 4)) != 0x200) {
                                					L9:
                                					_t28 = E012B059C(_t54, _a4);
                                				} else {
                                					_t45 = _t54 + 0xef8;
                                					if(IsRectEmpty(_t45) == 0 || IsRectEmpty(_t54 + 0xf08) == 0) {
                                						_v12.x = _v12.x & 0x00000000;
                                						_v12.y = _v12.y & 0x00000000;
                                						GetCursorPos( &_v12);
                                						ScreenToClient( *(_t54 + 0x20),  &_v12);
                                						_push(_v12.y);
                                						if(PtInRect(_t45, _v12.x) != 0) {
                                							L8:
                                							L012BBDE1(_t45, _t54,  *((intOrPtr*)(_a4 + 8)), _v12.x, _v12.y);
                                							_t28 = 1;
                                						} else {
                                							_push(_v12.y);
                                							if(PtInRect(_t54 + 0xf08, _v12) == 0) {
                                								goto L9;
                                							} else {
                                								goto L8;
                                							}
                                						}
                                					} else {
                                						goto L9;
                                					}
                                				}
                                				return _t28;
                                			}










                                APIs
                                • SendMessageW.USER32(00000000,00000407,00000000,?), ref: 012BCE10
                                • IsRectEmpty.USER32 ref: 012BCE2F
                                • IsRectEmpty.USER32 ref: 012BCE3C
                                • GetCursorPos.USER32(00000000), ref: 012BCE4E
                                • ScreenToClient.USER32(?,00000000), ref: 012BCE5B
                                • PtInRect.USER32(?,00000000,00000000), ref: 012BCE6E
                                • PtInRect.USER32(?,00000000,00000000), ref: 012BCE81
                                  • Part of subcall function 012BBDE1: PtInRect.USER32(?,?,?), ref: 012BBE01
                                  • Part of subcall function 012BBDE1: ReleaseCapture.USER32 ref: 012BBE0F
                                  • Part of subcall function 012BBDE1: PtInRect.USER32(?,?,?), ref: 012BBE61
                                  • Part of subcall function 012BBDE1: PtInRect.USER32(?,?,?), ref: 012BBE8D
                                  • Part of subcall function 012BBDE1: InvalidateRect.USER32(?,?,00000001), ref: 012BBEAF
                                  • Part of subcall function 012BBDE1: SetTimer.USER32 ref: 012BBED1
                                  • Part of subcall function 012B059C: TranslateAcceleratorW.USER32(?,00000000,?), ref: 012B0718
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Empty$AcceleratorCaptureClientCursorInvalidateMessageReleaseScreenSendTimerTranslate
                                • String ID:
                                • API String ID: 2155878526-0
                                • Opcode ID: 8a1ef7fc6d995093bff26dad19f1159c2a9e123b92836e2b349eb648f043c347
                                • Instruction ID: 37fd666dcf180832a110bfd9c61698048a118273332e705f3a5a1e4844956f63
                                • Opcode Fuzzy Hash: 8a1ef7fc6d995093bff26dad19f1159c2a9e123b92836e2b349eb648f043c347
                                • Instruction Fuzzy Hash: 7021687692020AFFDF219BA4CC84EEE7BBDEB48395F000464F645A6050D771EAA1DB60
                                Uniqueness

                                Uniqueness Score: 4.65%

                                C-Code - Quality: 63%
                                			E0127ACAC(void* __edi, struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				signed int _v28;
                                				struct tagPOINT _v36;
                                				void* __esi;
                                				signed int _t26;
                                				struct tagPOINT _t28;
                                				signed int _t29;
                                				signed int _t39;
                                				void* _t43;
                                				intOrPtr _t44;
                                				signed int _t45;
                                				void* _t48;
                                				struct HWND__* _t51;
                                				signed int _t52;
                                
                                				_t49 = __edi;
                                				_t26 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t26 ^ _t52;
                                				_t44 = _a12;
                                				_t28 = _a8;
                                				_t51 = _a4;
                                				_push(_t44);
                                				_v36.x = _t28;
                                				_v36.y = _t44;
                                				_t29 = RealChildWindowFromPoint(_t51, _t28);
                                				_t45 = _t29;
                                				_v28 = _t45;
                                				if(_t45 == 0) {
                                					_push(__edi);
                                					ClientToScreen(_t51,  &_v36);
                                					_push(5);
                                					while(1) {
                                						_t51 = GetWindow(_t51, ??);
                                						if(_t51 == 0) {
                                							break;
                                						}
                                						if(GetDlgCtrlID(_t51) != 0xffff && (GetWindowLongW(_t51, 0xfffffff0) & 0x10000000) != 0) {
                                							_v24.left = _v24.left & 0x00000000;
                                							_v24.top = _v24.top & 0x00000000;
                                							_v24.right = _v24.right & 0x00000000;
                                							_v24.bottom = _v24.bottom & 0x00000000;
                                							GetWindowRect(_t51,  &_v24);
                                							_push(_v36.y);
                                							if(PtInRect( &_v24, _v36) != 0) {
                                								_v28 = _t51;
                                							}
                                						}
                                						_push(2);
                                					}
                                					_t39 = _v28;
                                					_pop(_t49);
                                					L10:
                                					return L01367D3E(_t39, _t43, _v8 ^ _t52, _t48, _t49, _t51);
                                				}
                                				asm("sbb eax, eax");
                                				_t39 =  ~(_t29 - _t51) & _t45;
                                				goto L10;
                                			}



















                                APIs
                                • RealChildWindowFromPoint.USER32 ref: 0127ACD1
                                • ClientToScreen.USER32(?,?), ref: 0127ACF0
                                • GetDlgCtrlID.USER32 ref: 0127AD01
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0127AD11
                                • GetWindowRect.USER32 ref: 0127AD33
                                • PtInRect.USER32(00000000,?,?), ref: 0127AD43
                                • GetWindow.USER32(?,00000005), ref: 0127AD53
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$ExceptionFilterProcessRectUnhandled$ChildClientCtrlCurrentDebuggerFromLongPointPresentRealScreenTerminate
                                • String ID:
                                • API String ID: 416514603-0
                                • Opcode ID: 9c50fef6e468915bca13d4b91e85c012ace28364fdb796bf26b43a252567c886
                                • Instruction ID: 783bf252a7e8d982f515254aab1c69bfe4d1e765031f0c829394f672b987172d
                                • Opcode Fuzzy Hash: 9c50fef6e468915bca13d4b91e85c012ace28364fdb796bf26b43a252567c886
                                • Instruction Fuzzy Hash: 4121317192121AAFDB109FA8D805BFFBBBCFF18322F144119E601E3144D7789A058BA0
                                Uniqueness

                                Uniqueness Score: 1.69%

                                C-Code - Quality: 84%
                                			E012E0426(void* __ecx, void* __edx, intOrPtr _a4) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				intOrPtr _v16;
                                				intOrPtr _v20;
                                				void* __ebx;
                                				void* __ebp;
                                				int _t28;
                                				void* _t38;
                                				void* _t44;
                                				intOrPtr _t59;
                                
                                				_t44 = __edx;
                                				_t38 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x3c)) != 0) {
                                					SelectObject( *0x13d9cac,  *(_a4 + 4));
                                					E0127AA90(_a4);
                                				}
                                				SelectObject( *0x13d9ca8,  *(_a4 + 8));
                                				_v20 = 0;
                                				_v16 = 0;
                                				_v12 = 0;
                                				_v8 = 0;
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				 *((intOrPtr*)(_t38 + 0x60)) = 0;
                                				 *((intOrPtr*)(_t38 + 0x64)) = 0;
                                				asm("movsd");
                                				if( *((intOrPtr*)(_t38 + 8)) != 0x20) {
                                					_t28 =  *(_t38 + 0xa4);
                                				} else {
                                					_t28 = 0xffffffff;
                                				}
                                				if( *((intOrPtr*)(_t38 + 0x1c)) != 0 || _t28 != 0xffffffff) {
                                					_t29 =  *((intOrPtr*)(_t38 + 0xa0));
                                					if( *((intOrPtr*)(_t38 + 0xa0)) == 0) {
                                						_t29 = L01277AC9(0);
                                					}
                                					E0127A14E( *((intOrPtr*)(_t38 + 0x44)),  *((intOrPtr*)(_t29 + 4)));
                                					 *((intOrPtr*)(_t38 + 0xa0)) = 0;
                                					DeleteObject(E0127A0C5(_t38, _t38 + 0x98, _t44));
                                					_t28 = DeleteDC(L01279DFB(_t38, _t38 + 0x40, _t44));
                                				}
                                				 *((intOrPtr*)(_t38 + 0x28)) = 0;
                                				_t59 =  *0x13d9c9c; // 0x0
                                				if(_t59 != 0) {
                                					LeaveCriticalSection(0x13d9cb8);
                                					return _t28;
                                				}
                                				return _t28;
                                			}














                                APIs
                                • SelectObject.GDI32(?,00000000), ref: 012E044C
                                  • Part of subcall function 0127AA90: DeleteObject.GDI32 ref: 0127AAA9
                                • SelectObject.GDI32(?,00000000), ref: 012E0462
                                • LeaveCriticalSection.KERNEL32(013D9CB8), ref: 012E04F5
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 0127A14E: SelectObject.GDI32(?,?), ref: 0127A159
                                • DeleteObject.GDI32(00000000), ref: 012E04CD
                                • DeleteDC.GDI32(00000000), ref: 012E04DC
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Object$DeleteSelect$CriticalException@8LeaveSectionThrow
                                • String ID:
                                • API String ID: 1265440004-3916222277
                                • Opcode ID: 4b594d0f257936c667f99e9f617a790a2058a314715c392e8da12fea376c93d7
                                • Instruction ID: 04ae4600b59fdc3e5adc5f5dfe690f169ef51f6917f781d7425c709b7005594c
                                • Opcode Fuzzy Hash: 4b594d0f257936c667f99e9f617a790a2058a314715c392e8da12fea376c93d7
                                • Instruction Fuzzy Hash: 4821C171910206EFCF11EF69D9889AA7BF9FF44310B148166EA049F16ACBB18442CF50
                                Uniqueness

                                Uniqueness Score: 4.31%

                                C-Code - Quality: 55%
                                			E0127C63E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				struct HINSTANCE__* _t32;
                                				_Unknown_base(*)()* _t33;
                                				void* _t50;
                                				intOrPtr* _t53;
                                				void* _t54;
                                
                                				_t50 = __edx;
                                				_push(0xc);
                                				L01369601(0x1386cb9, __ebx, __edi, __esi);
                                				_t53 = __ecx;
                                				_t56 =  *(__ecx + 0xb4) & 0x0000000c;
                                				 *((intOrPtr*)(_t54 - 0x18)) = 1;
                                				if(( *(__ecx + 0xb4) & 0x0000000c) == 0) {
                                					L6:
                                					if(( *(_t53 + 0xb4) & 0x00000008) != 0) {
                                						 *(_t53 + 0xc8) = SetTimer(0,  *(_t53 + 0xc8),  *((intOrPtr*)( *_t53 + 0x10))(), 0x127b802);
                                					}
                                					L8:
                                					return L013696D9( *((intOrPtr*)(_t54 - 0x18)));
                                				}
                                				_push(L"SHELL32.DLL");
                                				 *((intOrPtr*)(_t54 - 0x10)) = 0;
                                				_t32 = E01274CA7(__ecx, __ecx, _t56);
                                				if(_t32 == 0) {
                                					L9:
                                					 *((intOrPtr*)(_t54 - 0x18)) = 0;
                                					goto L8;
                                				}
                                				_t33 = GetProcAddress(_t32, "SHGetKnownFolderPath");
                                				if(_t33 == 0) {
                                					goto L9;
                                				}
                                				_push(_t54 - 0x10);
                                				_push(0);
                                				_push(0);
                                				_push(0x13b69e4);
                                				if( *_t33() != 0 ||  *((intOrPtr*)(_t54 - 0x10)) == 0) {
                                					goto L9;
                                				} else {
                                					E01273740(0,  *((intOrPtr*)(_t54 - 0x10)));
                                					 *(_t54 - 4) = 0;
                                					 *((intOrPtr*)( *_t53 + 0x1c))(_t54 - 0x14);
                                					 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
                                					L01271470( *((intOrPtr*)(_t54 - 0x14)) + 0xfffffff0, _t50);
                                					__imp__CoTaskMemFree( *((intOrPtr*)(_t54 - 0x10)));
                                					goto L6;
                                				}
                                			}









                                APIs
                                • __EH_prolog3.LIBCMT ref: 0127C645
                                • SetTimer.USER32 ref: 0127C6E8
                                  • Part of subcall function 01274CA7: ActivateActCtx.KERNEL32(?,?), ref: 01274CC7
                                  • Part of subcall function 01274CA7: LoadLibraryW.KERNEL32(?), ref: 01274CDE
                                • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0127C67A
                                • CoTaskMemFree.OLE32(?), ref: 0127C6C5
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ActivateAddressFreeH_prolog3LibraryLoadProcTaskTimer
                                • String ID: SHELL32.DLL$SHGetKnownFolderPath
                                • API String ID: 1217607756-4069204515
                                • Opcode ID: 4c81b4a182f4aa5697488eea8e98702d61c6c85a1dfaf897244bf03a93f69b33
                                • Instruction ID: 2b9f1a58d9ed160726a7b36b7ce5b6e885d7e2f55f1f07113c4af32e3a5982b7
                                • Opcode Fuzzy Hash: 4c81b4a182f4aa5697488eea8e98702d61c6c85a1dfaf897244bf03a93f69b33
                                • Instruction Fuzzy Hash: F3115EB191030B9FDB14EFB8CC95ABFBBB4BF40218F14191DE252A2290CB706954CB50
                                Uniqueness

                                Uniqueness Score: 6.84%

                                C-Code - Quality: 82%
                                			E0137E640(intOrPtr _a4) {
                                				long _v0;
                                				long _v4;
                                				void* _t7;
                                				struct _SECURITY_ATTRIBUTES* _t9;
                                				void* _t11;
                                				void* _t22;
                                				intOrPtr _t23;
                                
                                				_t23 = _a4;
                                				if(_t23 != 0) {
                                					if(E0137E2A0() != 0) {
                                						_t9 =  *0x13dc630; // 0x0
                                						if(_t9 == 0) {
                                							 *0x13dc634 = _t23;
                                							_v4 = 1;
                                							_t11 = CreateThread(0, 0, 0x137e2b0, 0, 0,  &_v4);
                                							 *0x13dc630 = _t11;
                                							WaitForSingleObject(_t11, 0xffffffff);
                                							_t22 =  *0x13dc630; // 0x0
                                							_v0 = 0;
                                							GetExitCodeThread(_t22,  &_v0);
                                							 *0x13dc630 = 0;
                                							return _v0;
                                						} else {
                                							_push(L"<LogonStart> DisableLogonStartup - The module is busy in handling other request");
                                							return E0137E290(_t9) | 0xffffffff;
                                						}
                                					} else {
                                						_push(L"<LogonStart> DisableLogonStartup - The function is unsupported for this OS");
                                						return E0137E290(_t8) | 0xffffffff;
                                					}
                                				} else {
                                					_push(L"<LogonStart> DisableLogonStartup - Parameter is invalided");
                                					return E0137E290(_t7) | 0xffffffff;
                                				}
                                			}











                                APIs
                                  • Part of subcall function 0137E2A0: GetVersion.KERNEL32(0137E662,00000010,?,01272D68,ASUS Live Updata), ref: 0137E2A0
                                • CreateThread.KERNEL32(00000000,00000000,0137E2B0), ref: 0137E6B5
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0137E6C3
                                • GetExitCodeThread.KERNEL32(00000000,?), ref: 0137E6DD
                                Strings
                                • <LogonStart> DisableLogonStartup - The module is busy in handling other request, xrefs: 0137E682
                                • <LogonStart> DisableLogonStartup - The function is unsupported for this OS, xrefs: 0137E666
                                • <LogonStart> DisableLogonStartup - Parameter is invalided, xrefs: 0137E64A
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Thread$CodeCreateExitObjectSingleVersionWait
                                • String ID: <LogonStart> DisableLogonStartup - Parameter is invalided$<LogonStart> DisableLogonStartup - The function is unsupported for this OS$<LogonStart> DisableLogonStartup - The module is busy in handling other request
                                • API String ID: 2356732465-1166478413
                                • Opcode ID: 531d781eb615a5b29dd97a38878dfdd3f86d4195f9491394c52004841f8eddf0
                                • Instruction ID: 48773495e2c5ed4a78b1f58506e94da0f4bceb2ac7a238d1b879f6721269f95f
                                • Opcode Fuzzy Hash: 531d781eb615a5b29dd97a38878dfdd3f86d4195f9491394c52004841f8eddf0
                                • Instruction Fuzzy Hash: FB11A5B2A153016ED620AF6DBC09F467BA8AB40739F142B6DF925D62C4E7B4A404C792
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 96%
                                			E012EA943(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr* _t29;
                                				intOrPtr _t66;
                                				void* _t67;
                                
                                				_t64 = __edi;
                                				_t63 = __edx;
                                				_t44 = __ebx;
                                				_push(4);
                                				L01369601(0x138389b, __ebx, __edi, __esi);
                                				_t66 = __ecx;
                                				 *((intOrPtr*)(_t67 - 0x10)) = __ecx;
                                				 *((intOrPtr*)(__ecx)) = 0x139b354;
                                				 *(_t67 - 4) = 0xb;
                                				while(1) {
                                					_t69 =  *((intOrPtr*)(_t66 + 0x4a8));
                                					if( *((intOrPtr*)(_t66 + 0x4a8)) == 0) {
                                						break;
                                					}
                                					_t29 = L01289E4C(_t66 + 0x49c);
                                					__eflags = _t29;
                                					if(_t29 != 0) {
                                						_t63 =  *_t29;
                                						 *((intOrPtr*)( *_t29 + 4))(1);
                                					}
                                				}
                                				L01271470( *((intOrPtr*)(_t66 + 0x4c8)) - 0x10, _t63);
                                				 *(_t67 - 4) = 9;
                                				L012E77EE(_t66 + 0x49c);
                                				L01271470( *((intOrPtr*)(_t66 + 0x478)) - 0x10, _t63);
                                				L01271470( *((intOrPtr*)(_t66 + 0x474)) - 0x10, _t63);
                                				 *(_t67 - 4) = 6;
                                				E012DC77B(_t66 + 0x400, _t63, _t64, _t66, _t69);
                                				 *(_t67 - 4) = 5;
                                				E0134E6FC(_t44, _t66 + 0x2d8, _t63, _t64, _t66, _t69);
                                				 *(_t67 - 4) = 4;
                                				E012DC77B(_t66 + 0x264, _t63, _t64, _t66, _t69);
                                				 *(_t67 - 4) = 3;
                                				E012DC961(_t66 + 0x1f0, _t63, _t64, _t66, _t69);
                                				 *(_t67 - 4) = 2;
                                				E012DC703(_t66 + 0x17c, _t63, _t64, _t66, _t69);
                                				 *(_t67 - 4) = 1;
                                				E012DC77B(_t66 + 0x108, _t63, _t64, _t66, _t69);
                                				 *(_t67 - 4) = 0;
                                				E012DC77B(_t66 + 0x94, _t63, _t64, _t66, _t69);
                                				_t25 = _t67 - 4;
                                				 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
                                				return L013696D9(E012B4222(_t66, _t63, _t64, _t66,  *_t25));
                                			}







                                APIs
                                • __EH_prolog3.LIBCMT ref: 012EA94A
                                • ~_Task_impl.LIBCPMT ref: 012EA9C7
                                  • Part of subcall function 012DC77B: __EH_prolog3.LIBCMT ref: 012DC782
                                  • Part of subcall function 0134E6FC: __EH_prolog3.LIBCMT ref: 0134E703
                                  • Part of subcall function 0134E6FC: ~_Task_impl.LIBCPMT ref: 0134E720
                                  • Part of subcall function 0134E6FC: ~_Task_impl.LIBCPMT ref: 0134E737
                                • ~_Task_impl.LIBCPMT ref: 012EA9E5
                                • ~_Task_impl.LIBCPMT ref: 012EA9F4
                                  • Part of subcall function 012DC961: __EH_prolog3.LIBCMT ref: 012DC968
                                • ~_Task_impl.LIBCPMT ref: 012EAA03
                                  • Part of subcall function 012DC703: __EH_prolog3.LIBCMT ref: 012DC70A
                                • ~_Task_impl.LIBCPMT ref: 012EAA12
                                • ~_Task_impl.LIBCPMT ref: 012EAA21
                                  • Part of subcall function 012B4222: __EH_prolog3.LIBCMT ref: 012B4229
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Task_impl$H_prolog3
                                • String ID:
                                • API String ID: 1204490572-0
                                • Opcode ID: 17c8ae668684d18abf048e142aa73b1acba88db8d5979c23e93c292f289da1b3
                                • Instruction ID: 92d4d2eceec7b1953d2d9c7d2bdf96061b0d129d8170e8b43897e05c5661fc45
                                • Opcode Fuzzy Hash: 17c8ae668684d18abf048e142aa73b1acba88db8d5979c23e93c292f289da1b3
                                • Instruction Fuzzy Hash: E3214F74415746CEEB18FBB8C1587EEBBA4AF25318F91455CC59A132C1CFB42A08C762
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 58%
                                			E012820B5(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                				struct HINSTANCE__* _t20;
                                				intOrPtr* _t23;
                                				struct HINSTANCE__* _t27;
                                				intOrPtr* _t30;
                                				void* _t32;
                                				void* _t35;
                                
                                				_t29 = __ecx;
                                				_push(0);
                                				L01369601(0x137f9ca, __ebx, __edi, __esi);
                                				_t32 = __ecx;
                                				 *(__ecx + 0x38) =  *(__ecx + 0x38) & 0x00000000;
                                				_t37 =  *0x13d8010 & 0x00000001;
                                				if(( *0x13d8010 & 0x00000001) == 0) {
                                					 *0x13d8010 =  *0x13d8010 | 0x00000001;
                                					 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
                                					_push(L"user32.dll");
                                					_t27 = E01274CA7(__ecx, __esi, _t37);
                                					 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
                                					_pop(_t29);
                                					 *0x13d800c = _t27;
                                				}
                                				_t20 =  *0x13d800c; // 0x0
                                				if(_t20 == 0) {
                                					_t20 = L01277AC9(_t29);
                                				}
                                				if(( *0x13d8010 & 0x00000002) == 0) {
                                					 *0x13d8010 =  *0x13d8010 | 0x00000002;
                                					 *0x13d8008 = GetProcAddress(_t20, "RegisterTouchWindow");
                                				}
                                				if(( *0x13d8010 & 0x00000004) == 0) {
                                					 *0x13d8010 =  *0x13d8010 | 0x00000004;
                                					 *0x13d8004 = GetProcAddress( *0x13d800c, "UnregisterTouchWindow");
                                				}
                                				_t30 =  *0x13d8008; // 0x0
                                				if(_t30 == 0) {
                                					L13:
                                					_t21 = 0;
                                					__eflags = 0;
                                					goto L14;
                                				} else {
                                					_t23 =  *0x13d8004; // 0x0
                                					if(_t23 == 0) {
                                						goto L13;
                                					}
                                					if( *((intOrPtr*)(_t35 + 8)) != 0) {
                                						 *((intOrPtr*)(_t32 + 0x38)) =  *_t30( *((intOrPtr*)(_t32 + 0x20)),  *((intOrPtr*)(_t35 + 0xc)));
                                					} else {
                                						_t21 =  *_t23( *((intOrPtr*)(_t32 + 0x20)));
                                					}
                                					L14:
                                					return L013696D9(_t21);
                                				}
                                			}










                                APIs
                                • __EH_prolog3.LIBCMT ref: 012820BC
                                • GetProcAddress.KERNEL32(UnregisterTouchWindow,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0128213B
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 01274CA7: ActivateActCtx.KERNEL32(?,?), ref: 01274CC7
                                  • Part of subcall function 01274CA7: LoadLibraryW.KERNEL32(?), ref: 01274CDE
                                • GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 01282119
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AddressProc$ActivateException@8H_prolog3LibraryLoadThrow
                                • String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
                                • API String ID: 3891936220-2470269259
                                • Opcode ID: 7744d03e7bb5d1463c4572db3aec3c2183c3a79d2097f71bfe2576257564b845
                                • Instruction ID: 95aae751d3751aca212f5d206d1fee8ece394e8a3ef41777e083849409314787
                                • Opcode Fuzzy Hash: 7744d03e7bb5d1463c4572db3aec3c2183c3a79d2097f71bfe2576257564b845
                                • Instruction Fuzzy Hash: 67119030622302FFD735EB28F805B253BE8BB10728F108599D655D25DAC7B4A558CB50
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 55%
                                			E012749F7(intOrPtr* __ecx) {
                                				signed int _v8;
                                				intOrPtr* _v12;
                                				void* __ebp;
                                				intOrPtr* _t16;
                                				intOrPtr* _t21;
                                				struct HINSTANCE__* _t28;
                                				intOrPtr* _t29;
                                				void* _t35;
                                
                                				_t23 = __ecx;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_v12 = __ecx;
                                				_t28 = GetModuleHandleW(L"KERNEL32.DLL");
                                				if(_t28 == 0) {
                                					L01277AC9(_t23);
                                				}
                                				_t21 = GetProcAddress(_t28, "ApplicationRecoveryInProgress");
                                				_t29 = GetProcAddress(_t28, "ApplicationRecoveryFinished");
                                				if(_t21 != 0 && _t29 != 0) {
                                					_v8 = _v8 & 0x00000000;
                                					 *_t21( &_v8);
                                					if(_v8 == 0) {
                                						_t35 = 1;
                                						_t16 =  *((intOrPtr*)( *_v12 + 0xfc))();
                                						if(_t16 != 0) {
                                							_t35 =  *((intOrPtr*)( *_t16 + 0x38))();
                                						}
                                						 *_t29(_t35);
                                					}
                                				}
                                				return 0;
                                			}












                                APIs
                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 01274A09
                                • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 01274A26
                                • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 01274A30
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AddressProc$Exception@8HandleModuleThrow
                                • String ID: ApplicationRecoveryFinished$ApplicationRecoveryInProgress$KERNEL32.DLL
                                • API String ID: 2144170044-4287352451
                                • Opcode ID: c6ebb2c1bd15749706e2017c7978c0aaec946371f0ebc3b32ea2100555964d77
                                • Instruction ID: 1a6f601cc1fea52e96e5f77f33f21a6ed2fe6f252ad5b71d252ba7062f1beae6
                                • Opcode Fuzzy Hash: c6ebb2c1bd15749706e2017c7978c0aaec946371f0ebc3b32ea2100555964d77
                                • Instruction Fuzzy Hash: 54018836A20316AFD711BBB9C858E6F7AACDFC5664F150079E60193300EA74DE01C7A5
                                Uniqueness

                                Uniqueness Score: 4.31%

                                C-Code - Quality: 58%
                                			E0127498B(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                				void* __ebp;
                                				void* _t12;
                                				intOrPtr* _t14;
                                				void* _t15;
                                				struct HINSTANCE__* _t16;
                                				intOrPtr* _t18;
                                
                                				_t16 = GetModuleHandleW(L"KERNEL32.DLL");
                                				if(_t16 == 0) {
                                					L01277AC9(_t15);
                                				}
                                				_t14 = GetProcAddress(_t16, "RegisterApplicationRestart");
                                				_t18 = GetProcAddress(_t16, "RegisterApplicationRecoveryCallback");
                                				if(_t14 == 0 || _t18 == 0) {
                                					L7:
                                					return 0;
                                				}
                                				_t12 =  *_t14(_a4, _a8);
                                				if(_t12 == 0) {
                                					if(_a12 == _t12) {
                                						goto L7;
                                					}
                                					_t12 =  *_t18(_a12, _a16, _a20, _a24);
                                					if(_t12 == 0) {
                                						goto L7;
                                					}
                                				}
                                				return _t12;
                                			}










                                APIs
                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 01274998
                                • GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 012749B5
                                • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 012749BF
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Strings
                                • RegisterApplicationRecoveryCallback, xrefs: 012749B7
                                • KERNEL32.DLL, xrefs: 01274993
                                • RegisterApplicationRestart, xrefs: 012749AF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AddressProc$Exception@8HandleModuleThrow
                                • String ID: KERNEL32.DLL$RegisterApplicationRecoveryCallback$RegisterApplicationRestart
                                • API String ID: 2144170044-723216104
                                • Opcode ID: 95f5b09f1a8b49861ec75e4dc22a8a876b8807884ae2b1e9e164c6b0bf595ebe
                                • Instruction ID: 86be69027fc6c70a357333d8a21bcfc660badfa0c452cda2134d67f6f91f74ba
                                • Opcode Fuzzy Hash: 95f5b09f1a8b49861ec75e4dc22a8a876b8807884ae2b1e9e164c6b0bf595ebe
                                • Instruction Fuzzy Hash: 2EF0443352036BF79F223FAA9D05DAF3E6DEF85A907040536FA0492111DA71C81197A0
                                Uniqueness

                                Uniqueness Score: 3.53%

                                C-Code - Quality: 100%
                                			E01286B9D(void* __ecx) {
                                				struct HBRUSH__* _t14;
                                				void* _t18;
                                
                                				_t18 = __ecx;
                                				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
                                				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
                                				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
                                				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
                                				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
                                				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
                                				_t14 = GetSysColorBrush(6);
                                				 *(_t18 + 0x20) = _t14;
                                				return _t14;
                                			}






                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Color$Brush
                                • String ID:
                                • API String ID: 2798902688-0
                                • Opcode ID: aaded3904de4f3ea4f23cd2fc51a2a9167bf25a8368214945645229f21d1834e
                                • Instruction ID: 76bebd5718a3880a994bccf38d9a2f493020d54a5c8d35c67d3e614cdaaa7d25
                                • Opcode Fuzzy Hash: aaded3904de4f3ea4f23cd2fc51a2a9167bf25a8368214945645229f21d1834e
                                • Instruction Fuzzy Hash: 1EF05E719407445BD730BB725909B47BAD5FFC0710F02192EE2418B980D6B6E040CF00
                                Uniqueness

                                Uniqueness Score: 0.17%

                                C-Code - Quality: 92%
                                			E012AC2D4(void* __ecx, intOrPtr* _a4, intOrPtr _a8) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				char _v56;
                                				int _v60;
                                				int _v64;
                                				signed int _v68;
                                				signed int _v72;
                                				intOrPtr* _v76;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t119;
                                				intOrPtr _t129;
                                				intOrPtr _t139;
                                				intOrPtr _t140;
                                				signed int _t141;
                                				void* _t151;
                                				long _t153;
                                				char _t154;
                                				void* _t167;
                                				intOrPtr _t168;
                                				int _t169;
                                				long _t170;
                                				intOrPtr _t171;
                                				int _t172;
                                				intOrPtr _t173;
                                				char* _t206;
                                				intOrPtr* _t207;
                                				intOrPtr* _t208;
                                				signed int _t209;
                                
                                				_t119 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t119 ^ _t209;
                                				_t207 = _a4;
                                				_t206 = 0;
                                				_t167 = __ecx;
                                				_v76 = _t207;
                                				_v24.left = 0;
                                				_v24.top = 0;
                                				_v24.right = 0;
                                				_v24.bottom = 0;
                                				GetWindowRect( *(_t207 + 0x20),  &_v24);
                                				_v60 =  *((intOrPtr*)( *_t207 + 0x160))();
                                				_v72 =  *((intOrPtr*)( *_t207 + 0x190))();
                                				_v68 = E01286862( *((intOrPtr*)(_t167 + 0xe4))) & 0x00400000;
                                				if(_a8 == 0) {
                                					_t129 = L012D113D(_t207);
                                					_v40.left = 0;
                                					_v40.top = 0;
                                					_v40.right = 0;
                                					_v40.bottom = 0;
                                					_v76 = _t129;
                                					GetWindowRect( *(_t129 + 0x20),  &_v40);
                                					L01279BD6(E01282D05(_t167,  &_v40, _t204, GetParent( *(_t207 + 0x20))),  &_v24);
                                					L01279BD6(E01282D05(_t167, _t133, _t204, GetParent( *(_t207 + 0x20))),  &_v40);
                                					if(_v60 == 0) {
                                						_t139 =  *((intOrPtr*)(_t167 + 0x10c));
                                						_v40.top = _t139;
                                						_v24.top = _t139;
                                						_t140 =  *((intOrPtr*)(_t167 + 0x114));
                                						_v40.bottom = _t140;
                                						_v24.bottom = _t140;
                                					} else {
                                						_t153 =  *(_t167 + 0x108);
                                						_v40.left = _t153;
                                						_v24.left = _t153;
                                						_t154 =  *((intOrPtr*)(_t167 + 0x110));
                                						_v40.right = _t154;
                                						_v24.right = _t154;
                                					}
                                					_t141 = _v72;
                                					_v64 = _t206;
                                					_v60 = _t206;
                                					if(_t141 == 0x1000) {
                                						if(_v68 != _t206) {
                                							goto L19;
                                						}
                                						goto L25;
                                					} else {
                                						if(_t141 == 0x2000) {
                                							_t171 =  *((intOrPtr*)(_t167 + 0x10c));
                                							if(_v24.top == _t171) {
                                								L28:
                                								_t167 = OffsetRect;
                                								OffsetRect( &_v24, _v64, _v60);
                                								OffsetRect( &_v40, _v64, _v60);
                                								 *((intOrPtr*)( *_t207 + 0x234))(_t206, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x14, _t206);
                                								_t208 = _v76;
                                								 *((intOrPtr*)( *_t208 + 0x234))(_t206, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0x14, _t206);
                                								_t151 =  *((intOrPtr*)( *_t208 + 0x20c))();
                                								L29:
                                								return L01367D3E(_t151, _t167, _v8 ^ _t209, _t204, _t206, _t208);
                                							}
                                							_t172 = _t171 - _v24.top;
                                							L23:
                                							_v60 = _t172;
                                							goto L28;
                                						}
                                						if(_t141 == 0x4000) {
                                							if(_v68 != _t206) {
                                								L25:
                                								_t170 =  *(_t167 + 0x108);
                                								if(_v24.left == _t170) {
                                									goto L28;
                                								}
                                								_t169 = _t170 - _v24.left;
                                								L27:
                                								_v64 = _t169;
                                								goto L28;
                                							}
                                							L19:
                                							_t168 =  *((intOrPtr*)(_t167 + 0x110));
                                							if(_v24.right == _t168) {
                                								goto L28;
                                							}
                                							_t169 = _t168 - _v24.right;
                                							goto L27;
                                						}
                                						if(_t141 != 0x8000) {
                                							goto L28;
                                						}
                                						_t173 =  *((intOrPtr*)(_t167 + 0x114));
                                						if(_v24.bottom == _t173) {
                                							goto L28;
                                						}
                                						_t172 = _t173 - _v24.bottom;
                                						goto L23;
                                					}
                                				}
                                				 *((intOrPtr*)( *_t207 + 0x25c))( &(_v40.right), 0, _v60);
                                				if(_v60 == 0) {
                                					if((_v72 & 0x00001000) == 0) {
                                						_v24.left = _v24.right - _v40.right;
                                					} else {
                                						_v24.right = _v40.right + _v24.left;
                                					}
                                				} else {
                                					if((_v72 & 0x00002000) == 0) {
                                						_v24.top = _v24.bottom - _v40.bottom;
                                					} else {
                                						_v24.bottom = _v40.bottom + _v24.top;
                                					}
                                				}
                                				_t208 = _t167 + 0x108;
                                				_t206 =  &_v56;
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				L01279C17( *((intOrPtr*)(_t167 + 0xe4)),  &_v56);
                                				L012AB938( &_v56,  &_v24, _v72, _v60, 1);
                                				_v68 = _v68 & 0x00000000;
                                				_t204 =  &_v24;
                                				_t151 =  *((intOrPtr*)( *_v76 + 0x280))( &_v24,  &_v68);
                                				goto L29;
                                			}



































                                APIs
                                • GetWindowRect.USER32 ref: 012AC306
                                  • Part of subcall function 01286862: GetWindowLongW.USER32(?,000000EC), ref: 0128686D
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                • GetWindowRect.USER32 ref: 012AC401
                                • GetParent.USER32(?), ref: 012AC40E
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                • GetParent.USER32(?), ref: 012AC428
                                • OffsetRect.USER32 ref: 012AC4F5
                                • OffsetRect.USER32 ref: 012AC501
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ClientRectScreen$Window$ExceptionFilterOffsetParentProcessUnhandled$CurrentDebuggerLongPresentTerminate
                                • String ID:
                                • API String ID: 3917652626-0
                                • Opcode ID: 10acb2ff5fe51d0bc52e7a0689b5293365e7ca6ba6981962cdd4d5d7621d3f70
                                • Instruction ID: fe29c021c3b818fb771d2d732a8ab44b3e0b067a60c5f467b3fac3acfa90c3aa
                                • Opcode Fuzzy Hash: 10acb2ff5fe51d0bc52e7a0689b5293365e7ca6ba6981962cdd4d5d7621d3f70
                                • Instruction Fuzzy Hash: A391D3B5D1020AEFCF15DFA8D9889EEBBB5FF48300F50456AEA05A7250DB746A50CF60
                                Uniqueness

                                Uniqueness Score: 2.98%

                                C-Code - Quality: 78%
                                			E012D0061(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                				int _t80;
                                				intOrPtr _t81;
                                				intOrPtr* _t89;
                                				int _t99;
                                				intOrPtr _t108;
                                				int _t112;
                                				int _t115;
                                				int _t118;
                                				int _t126;
                                				void* _t127;
                                				intOrPtr* _t162;
                                				void* _t163;
                                				intOrPtr _t167;
                                
                                				_t158 = __edx;
                                				_t129 = __ecx;
                                				_t125 = __ebx;
                                				_push(0x14);
                                				L01369601(0x13864c1, __ebx, __edi, __esi);
                                				_t162 = __ecx;
                                				_t167 =  *((intOrPtr*)(__ecx + 0xcd8));
                                				_t168 = _t167 == 0;
                                				if(_t167 == 0) {
                                					L01277AC9(__ecx);
                                				}
                                				_push( *((intOrPtr*)(_t163 + 8)));
                                				_push( *0x13d9a98);
                                				_push(_t163 + 8);
                                				L012FB33A(_t125, _t129, _t158, 0, _t162, _t168);
                                				 *((intOrPtr*)(_t163 - 4)) = 0;
                                				 *((intOrPtr*)(_t163 - 0x20)) =  *((intOrPtr*)(_t162 + 0xcf8));
                                				E012CEB44(_t125, _t162, _t158, 0, _t162, _t168, 0, 0, 0);
                                				_t126 =  *( *((intOrPtr*)(E012792EF(_t125, 0, _t162, _t168) + 4)) + 0x5c);
                                				 *(_t163 - 0x18) = _t126;
                                				if( *((intOrPtr*)(_t162 + 0xcc8)) == 0 || _t126 == 0) {
                                					L16:
                                					 *((intOrPtr*)( *_t162 + 0x434))( *(_t162 + 0xce4));
                                					_push(0);
                                					_push( *(_t163 + 0xc));
                                					_push( *((intOrPtr*)(_t163 + 8)));
                                					if(L0129B760(_t126, _t162, _t158, 0, _t162, _t176) == 0) {
                                						L19:
                                						_t80 = E012845DB(_t162);
                                						__eflags = _t80;
                                						if(__eflags != 0) {
                                							__eflags =  *(_t80 + 0x20);
                                							if(__eflags != 0) {
                                								 *((intOrPtr*)(_t162 + 0xcd4)) = 0;
                                								 *((intOrPtr*)( *_t162 + 0x430))( *((intOrPtr*)(_t162 + 0xcd8)), 1, 0);
                                								_t99 =  *(_t162 + 0xce4);
                                								 *(_t163 + 0xc) = _t99;
                                								__eflags = _t99;
                                								if(_t99 == 0) {
                                									 *(_t163 + 0xc) = SendMessageW( *(E012845DB(_t162) + 0x20), 0x366, 0, 0);
                                								}
                                								_t126 =  *0x13d8428; // 0xc120
                                								SendMessageW( *(E012845DB(_t162) + 0x20), _t126,  *(_t163 + 0xc), 0);
                                								_push(_t162);
                                								_push( *((intOrPtr*)(_t162 + 0xcd8)));
                                								L012A5B3E(_t126, 0x13d95c8, _t158, 0, _t162, __eflags);
                                								 *((intOrPtr*)(_t162 + 0xcd4)) =  *((intOrPtr*)(_t162 + 0xcd8));
                                							}
                                						}
                                						L24:
                                						_t81 =  *((intOrPtr*)(_t162 + 0xcd4));
                                						_t179 = _t81;
                                						if(_t81 == 0) {
                                							L27:
                                							_t127 = 0;
                                							__eflags = 0;
                                							L28:
                                							if( *((intOrPtr*)(_t163 - 0x20)) != 0) {
                                								E012CEE4A(_t127, _t162, _t158, 0, _t162, _t127 == 0, 0 | _t127 == 0x00000000);
                                							}
                                							if(_t127 != 0) {
                                								_t89 = L01283CA8(_t162);
                                								_t158 =  *_t89;
                                								 *((intOrPtr*)( *_t89 + 0x174))(1);
                                								InvalidateRect( *(_t162 + 0x20), 0, 1);
                                								UpdateWindow( *(_t162 + 0x20));
                                							}
                                							 *((intOrPtr*)( *_t162 + 0x208))();
                                							L0129BA1B(_t127, _t162, _t158, 0, _t162);
                                							L01271470( *((intOrPtr*)(_t163 + 8)) + 0xfffffff0, _t158);
                                							return L013696D9(1);
                                						}
                                						_push(_t162);
                                						_push(_t81);
                                						if(L012A5A10(_t126, 0x13d95c8, _t158, 0, _t162, _t179) == 0) {
                                							goto L27;
                                						}
                                						_t127 = 1;
                                						goto L28;
                                					}
                                					_t178 =  *((intOrPtr*)(_t162 + 0xb1c));
                                					if( *((intOrPtr*)(_t162 + 0xb1c)) != 0) {
                                						goto L19;
                                					}
                                					_push(_t162);
                                					_push( *((intOrPtr*)(_t162 + 0xcd8)));
                                					L012A5B3E(_t126, 0x13d95c8, _t158, 0, _t162, _t178);
                                					goto L24;
                                				} else {
                                					_t108 =  *((intOrPtr*)( *_t126 + 0x10))();
                                					 *((intOrPtr*)(_t163 - 0x14)) = _t108;
                                					if(_t108 != 0) {
                                						goto L7;
                                						L8:
                                						_t173 =  *((intOrPtr*)(_t126 + 0x88));
                                						if( *((intOrPtr*)(_t126 + 0x88)) == 0) {
                                							goto L15;
                                						}
                                						_t112 =  *(_t126 + 0x54);
                                						_t158 =  *_t162;
                                						 *(_t163 - 0x10) = _t112;
                                						 *((intOrPtr*)( *_t162 + 0x434))(_t112);
                                						_push( *(_t163 - 0x10));
                                						_push( *(_t163 + 0xc));
                                						_push( *((intOrPtr*)(_t163 + 8)));
                                						if(L0129B760(_t126, _t162,  *_t162, 0, _t162, _t173) == 0) {
                                							L12:
                                							_t115 = E012845DB(_t162);
                                							__eflags = _t115;
                                							if(__eflags != 0) {
                                								__eflags =  *(_t115 + 0x20);
                                								if(__eflags != 0) {
                                									 *((intOrPtr*)(_t162 + 0xcd4)) = 0;
                                									 *((intOrPtr*)( *_t162 + 0x430))( *((intOrPtr*)(_t126 + 0x88)), 0, 0);
                                									_t118 =  *0x13d8428; // 0xc120
                                									 *(_t163 - 0x1c) = _t118;
                                									SendMessageW( *(E012845DB(_t162) + 0x20),  *(_t163 - 0x1c),  *(_t163 - 0x10), 0);
                                									_push(_t162);
                                									_push( *((intOrPtr*)(_t126 + 0x88)));
                                									L012A5B3E(_t126, 0x13d95c8, _t158, 0, _t162, __eflags);
                                									 *((intOrPtr*)(_t162 + 0xcd4)) =  *((intOrPtr*)(_t126 + 0x88));
                                								}
                                							}
                                							goto L15;
                                						}
                                						_t175 =  *((intOrPtr*)(_t162 + 0xb1c));
                                						if( *((intOrPtr*)(_t162 + 0xb1c)) != 0) {
                                							goto L12;
                                						}
                                						_push(_t162);
                                						_push( *((intOrPtr*)(_t126 + 0x88)));
                                						L012A5B3E(_t126, 0x13d95c8, _t158, 0, _t162, _t175);
                                						L15:
                                						_t176 =  *((intOrPtr*)(_t163 - 0x14));
                                						if( *((intOrPtr*)(_t163 - 0x14)) != 0) {
                                							_t126 =  *(_t163 - 0x18);
                                							L7:
                                							_t126 =  *((intOrPtr*)( *_t126 + 0x14))(_t163 - 0x14);
                                							if(E012789AE(_t126, 0x13a2e8c) == 0) {
                                								goto L15;
                                							}
                                							goto L8;
                                						}
                                					}
                                					goto L16;
                                				}
                                			}

















                                APIs
                                • __EH_prolog3.LIBCMT ref: 012D0068
                                  • Part of subcall function 012FB33A: __EH_prolog3.LIBCMT ref: 012FB341
                                  • Part of subcall function 012CEB44: __EH_prolog3_GS.LIBCMT ref: 012CEB4E
                                  • Part of subcall function 012CEB44: GetSystemMenu.USER32 ref: 012CEBB0
                                  • Part of subcall function 012CEB44: IsMenu.USER32(?), ref: 012CEBC9
                                  • Part of subcall function 012CEB44: IsMenu.USER32(?), ref: 012CEBE3
                                  • Part of subcall function 012CEB44: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 012CEC18
                                  • Part of subcall function 012CEB44: GetClassLongW.USER32 ref: 012CEC2E
                                  • Part of subcall function 012CEB44: GetWindowLongW.USER32(?,000000F0), ref: 012CEC79
                                  • Part of subcall function 012CEB44: _memset.LIBCMT ref: 012CED3F
                                  • Part of subcall function 012CEB44: GetMenuItemInfoW.USER32 ref: 012CED6A
                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 012D0197
                                  • Part of subcall function 0129B760: __EH_prolog3_catch.LIBCMT ref: 0129B76A
                                  • Part of subcall function 012845DB: GetParent.USER32(?), ref: 012845E5
                                • SendMessageW.USER32(?,00000366,00000000,00000000), ref: 012D024A
                                • SendMessageW.USER32(?,0000C120,?,00000000), ref: 012D0268
                                  • Part of subcall function 012A5B3E: __EH_prolog3_catch.LIBCMT ref: 012A5B48
                                  • Part of subcall function 012A5B3E: CloseHandle.KERNEL32(?), ref: 012A5B81
                                  • Part of subcall function 012A5B3E: GetTempPathW.KERNEL32(00000104,00000000), ref: 012A5BA8
                                  • Part of subcall function 012A5B3E: GetTempFileNameW.KERNEL32(?,AFX,00000000,00000000,00000000), ref: 012A5BDF
                                  • Part of subcall function 012A5B3E: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000), ref: 012A5C01
                                • InvalidateRect.USER32(?,00000000,00000001), ref: 012D02DD
                                • UpdateWindow.USER32 ref: 012D02E6
                                  • Part of subcall function 0129BA1B: CharUpperW.USER32 ref: 0129BA93
                                  • Part of subcall function 01283CA8: GetParent.USER32(?), ref: 01283CD2
                                  • Part of subcall function 012CEE4A: __EH_prolog3_GS.LIBCMT ref: 012CEE54
                                  • Part of subcall function 012CEE4A: GetWindowLongW.USER32(?,000000F0), ref: 012CEEB7
                                  • Part of subcall function 012CEE4A: _memset.LIBCMT ref: 012CEF78
                                  • Part of subcall function 012CEE4A: GetMenuItemInfoW.USER32 ref: 012CEFA3
                                  • Part of subcall function 012CEE4A: InvalidateRect.USER32(?,00000000,00000001), ref: 012CF01E
                                  • Part of subcall function 012CEE4A: UpdateWindow.USER32 ref: 012CF027
                                  • Part of subcall function 012A5A10: __EH_prolog3_catch.LIBCMT ref: 012A5A17
                                  • Part of subcall function 012A5A10: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,00000074), ref: 012A5A4E
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Menu$MessageSendWindow$FileH_prolog3_catchLong$H_prolog3H_prolog3_InfoInvalidateItemParentRectTempUpdate_memset$CharClassCloseCreateException@8HandleNamePathPointerSystemThrowUpper
                                • String ID:
                                • API String ID: 2467279752-0
                                • Opcode ID: 58034e607146adbe8f9ab32e4b0900652eb3b07a1947de00b1212edac7b3ce55
                                • Instruction ID: bf0d9626b691cdcaedb429ae743e2cc88aa7dfe1a2b90ef725a7016e335548ea
                                • Opcode Fuzzy Hash: 58034e607146adbe8f9ab32e4b0900652eb3b07a1947de00b1212edac7b3ce55
                                • Instruction Fuzzy Hash: F771AF306207029FDF25AF78C898EAE7BB6FF88710F044569FA4A97264DF319940CB54
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 92%
                                			E012960E4(intOrPtr* __ecx, void* __edx, signed int _a4, intOrPtr _a8, char _a12, intOrPtr _a16) {
                                				signed int _v8;
                                				void* __ebx;
                                				signed int _t45;
                                				signed int _t46;
                                				signed int _t53;
                                				void* _t55;
                                				signed int _t60;
                                				signed int _t64;
                                				signed int _t73;
                                				signed int _t83;
                                				void* _t86;
                                				void* _t87;
                                				signed int _t88;
                                				void* _t91;
                                				signed int _t108;
                                				signed int _t113;
                                				intOrPtr* _t117;
                                				signed int _t119;
                                
                                				_t111 = __edx;
                                				_push(__ecx);
                                				_t117 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0xb44)) == 0) {
                                					_t45 =  *(__ecx + 0xb8c);
                                					_v8 = _t45;
                                					__eflags = _t45;
                                					if(_t45 < 0) {
                                						goto L1;
                                					}
                                					_t113 =  *(__ecx + 0xc98);
                                					 *(__ecx + 0xc98) =  *(__ecx + 0xc98) & 0x00000000;
                                					 *((intOrPtr*)( *__ecx + 0x3d0))();
                                					_push(_a16);
                                					_push(_a12);
                                					__eflags =  *((intOrPtr*)( *__ecx + 0x390))();
                                					if(__eflags < 0) {
                                						L6:
                                						_t46 =  *((intOrPtr*)( *_t117 + 0x3f8))(_a4, _t87);
                                						_t88 = _t46;
                                						_a4 = _t88;
                                						__eflags = _t88;
                                						if(_t88 == 0) {
                                							L30:
                                							L31:
                                							L32:
                                							return _t46;
                                						}
                                						_t53 =  *((intOrPtr*)( *_t88 + 0x78))(_t117);
                                						__eflags = _t53;
                                						if(_t53 != 0) {
                                							 *(_t88 + 0x1c) =  *(_t88 + 0x1c) & 0x00000000;
                                							__eflags = _t113;
                                							if(_t113 == 0) {
                                								L18:
                                								_t55 =  *((intOrPtr*)( *_t117 + 0x340))(_t88, _v8);
                                								__eflags = _t55 - 0xffffffff;
                                								if(_t55 != 0xffffffff) {
                                									 *((intOrPtr*)( *_t117 + 0x208))();
                                									_t98 = E01282D05(_t88, _t117, _t111, GetParent( *(_t117 + 0x20)));
                                									_t60 = E012789AE(_t59, 0x139900c);
                                									__eflags = _t60;
                                									if(_t60 != 0) {
                                										_t73 = E012789CC(0x13d0280, E01282D05(_t88, _t98, _t111, GetParent( *(E01282D05(_t88, _t98, _t111, GetParent( *(_t117 + 0x20))) + 0x20))));
                                										_pop(_t98);
                                										__eflags = _t73;
                                										if(_t73 != 0) {
                                											_t111 =  *_t73;
                                											_t98 = _t73;
                                											 *((intOrPtr*)( *_t73 + 0x20c))();
                                										}
                                									}
                                									__eflags =  *0x13d83d8;
                                									if( *0x13d83d8 != 0) {
                                										_t98 = _t88;
                                										 *((intOrPtr*)( *_t88 + 0x80))();
                                									}
                                									 *(_t117 + 0xb80) =  *(_t117 + 0xb80) | 0xffffffff;
                                									RedrawWindow( *(_t117 + 0x20), 0, 0, 0x505);
                                									_t64 = E012789CC(0x13d0898, E01282D05(RedrawWindow, _t98, _t111, GetParent( *(_t117 + 0x20))));
                                									__eflags = _t64;
                                									if(_t64 != 0) {
                                										RedrawWindow( *(_t64 + 0x20), 0, 0, 0x505);
                                									}
                                									L29:
                                									_t46 = 1;
                                									__eflags = 1;
                                									goto L30;
                                								}
                                								_t119 = 0;
                                								L21:
                                								 *((intOrPtr*)( *_t88 + 4))(1);
                                								_t46 = _t119;
                                								goto L30;
                                							}
                                							__eflags = _a8 - 1;
                                							if(_a8 == 1) {
                                								goto L18;
                                							}
                                							_t91 = L01293C10(_t117, _t113);
                                							__eflags = _v8 - _t91;
                                							if(_v8 == _t91) {
                                								L20:
                                								 *((intOrPtr*)( *_t117 + 0x410))(_t113, _t117 + 0xc80,  &_a12);
                                								_t88 = _a4;
                                								_t119 = 1;
                                								__eflags = 1;
                                								goto L21;
                                							}
                                							_t20 = _t91 + 1; // 0x1
                                							__eflags = _v8 - _t20;
                                							if(_v8 == _t20) {
                                								goto L20;
                                							}
                                							 *((intOrPtr*)( *_t117 + 0x34c))(_t91);
                                							_t108 = _v8;
                                							__eflags = _t108 - _t91;
                                							if(_t108 > _t91) {
                                								_t108 = _t108 - 1;
                                								__eflags = _t108;
                                							}
                                							_t83 =  *(_t117 + 0xbd4);
                                							__eflags = _t108 - _t83;
                                							if(_t108 < _t83) {
                                								_t83 = _t108;
                                							}
                                							_t88 = _a4;
                                							_v8 = _t83;
                                							goto L18;
                                						}
                                						 *((intOrPtr*)( *_t88 + 4))(1);
                                						goto L29;
                                					}
                                					_t86 = L01293D66(__ecx, __eflags, _t50);
                                					__eflags = _t113 - _t86;
                                					if(_t113 != _t86) {
                                						goto L6;
                                					} else {
                                						_t46 = 0;
                                						goto L31;
                                					}
                                				}
                                				L1:
                                				_t46 = 0;
                                				goto L32;
                                			}






















                                APIs
                                • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 012962BB
                                  • Part of subcall function 01293D66: PtInRect.USER32(?,?,?), ref: 01293DB9
                                • GetParent.USER32(?), ref: 0129621C
                                • GetParent.USER32(?), ref: 01296237
                                • GetParent.USER32(?), ref: 01296242
                                • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 01296291
                                • GetParent.USER32(?), ref: 01296296
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Parent$RedrawWindow$Rect
                                • String ID:
                                • API String ID: 4100640234-0
                                • Opcode ID: e7d6b8ec35c9a27c0dcc1c5d288e18df6139e3fb3e7c33614bd927acb1375a4f
                                • Instruction ID: 36e35d4eafdcf9859575cef3471b6392ef345b40b6076c761823e700ba65a875
                                • Opcode Fuzzy Hash: e7d6b8ec35c9a27c0dcc1c5d288e18df6139e3fb3e7c33614bd927acb1375a4f
                                • Instruction Fuzzy Hash: AC517F717207029FDF259F6CCC88B6E7BE9BF48714F114569EA469B2A1EB70E900CB50
                                Uniqueness

                                Uniqueness Score: 2.98%

                                C-Code - Quality: 91%
                                			E012B480C(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t62;
                                				signed int _t68;
                                				signed int _t70;
                                				struct HWND__* _t71;
                                				signed int _t74;
                                				signed int _t104;
                                				void* _t115;
                                				signed int _t118;
                                				DLGTEMPLATE* _t119;
                                				struct HWND__* _t120;
                                				intOrPtr* _t122;
                                				void* _t123;
                                
                                				_t117 = __edi;
                                				_t115 = __edx;
                                				_t98 = __ecx;
                                				_push(0x3c);
                                				L01369634(0x1381c04, __ebx, __edi, __esi);
                                				_t122 = __ecx;
                                				 *((intOrPtr*)(_t123 - 0x20)) = __ecx;
                                				_t127 =  *(_t123 + 0x10);
                                				if( *(_t123 + 0x10) == 0) {
                                					 *(_t123 + 0x10) =  *(E012792EF(0, __edi, __ecx, _t127) + 0xc);
                                				}
                                				_t118 =  *(E012792EF(0, _t117, _t122, _t127) + 0x3c);
                                				 *(_t123 - 0x28) = _t118;
                                				 *(_t123 - 0x14) = 0;
                                				 *(_t123 - 4) = 0;
                                				E012862B1(0, _t98, _t118, _t122, _t127, 0x10);
                                				E012862B1(0, _t98, _t118, _t122, _t127, 0xfc000);
                                				L0128387E(0, _t98, _t115, _t118, _t127);
                                				L012B3A8A();
                                				if(_t118 == 0) {
                                					_t119 =  *(_t123 + 8);
                                					L7:
                                					__eflags = _t119;
                                					if(_t119 == 0) {
                                						L4:
                                						_t62 = 0;
                                						L26:
                                						return L013696D9(_t62);
                                					}
                                					E01272410(_t123 - 0x1c, E0127859A());
                                					 *(_t123 - 4) = 1;
                                					 *((intOrPtr*)(_t123 - 0x18)) = 0;
                                					_t68 = E0133EAD7(_t119, __eflags, _t119, _t123 - 0x1c, _t123 - 0x18);
                                					__eflags = _t68;
                                					__eflags = 0 | _t68 == 0x00000000;
                                					if(__eflags != 0) {
                                						_push(_t119);
                                						E0133EA9B(_t123 - 0x38, _t119);
                                						 *(_t123 - 4) = 2;
                                						E0133E9F7(_t123 - 0x38,  *((intOrPtr*)(_t123 - 0x18)));
                                						 *(_t123 - 0x14) = E0133E74A(_t123 - 0x38);
                                						 *(_t123 - 4) = 1;
                                						E0133E73C(_t123 - 0x38);
                                						__eflags =  *(_t123 - 0x14);
                                						if(__eflags != 0) {
                                							_t119 = GlobalLock( *(_t123 - 0x14));
                                						}
                                					}
                                					 *(_t122 + 0x60) =  *(_t122 + 0x60) | 0xffffffff;
                                					 *(_t122 + 0x58) =  *(_t122 + 0x58) | 0x00000010;
                                					L0128512A(0, __eflags, _t122);
                                					_t70 =  *(_t123 + 0xc);
                                					__eflags = _t70;
                                					if(_t70 != 0) {
                                						_t71 =  *(_t70 + 0x20);
                                					} else {
                                						_t71 = 0;
                                					}
                                					_t120 = CreateDialogIndirectParamW( *(_t123 + 0x10), _t119, _t71, E012B41E4, 0);
                                					L01271470( *((intOrPtr*)(_t123 - 0x1c)) + 0xfffffff0, _t115);
                                					 *(_t123 - 4) =  *(_t123 - 4) | 0xffffffff;
                                					_t104 =  *(_t123 - 0x28);
                                					__eflags = _t104;
                                					if(__eflags != 0) {
                                						__eflags = _t120;
                                						if(__eflags != 0) {
                                							 *((intOrPtr*)( *_t104 + 0x18))(_t123 - 0x48);
                                							 *((intOrPtr*)( *_t122 + 0x158))(0);
                                						}
                                					}
                                					_t74 = E01282DC0(0, _t120, __eflags);
                                					__eflags = _t74;
                                					if(_t74 == 0) {
                                						 *((intOrPtr*)( *_t122 + 0x120))();
                                					}
                                					__eflags = _t120;
                                					if(_t120 != 0) {
                                						__eflags =  *(_t122 + 0x58) & 0x00000010;
                                						if(( *(_t122 + 0x58) & 0x00000010) == 0) {
                                							DestroyWindow(_t120);
                                							_t120 = 0;
                                							__eflags = 0;
                                						}
                                					}
                                					__eflags =  *(_t123 - 0x14);
                                					if( *(_t123 - 0x14) != 0) {
                                						GlobalUnlock( *(_t123 - 0x14));
                                						GlobalFree( *(_t123 - 0x14));
                                					}
                                					__eflags = _t120;
                                					_t54 = _t120 != 0;
                                					__eflags = _t54;
                                					_t62 = 0 | _t54;
                                					goto L26;
                                				}
                                				_push(_t123 - 0x48);
                                				if( *((intOrPtr*)( *_t122 + 0x158))() != 0) {
                                					_t119 =  *((intOrPtr*)( *_t118 + 0x14))(_t123 - 0x48,  *(_t123 + 8));
                                					goto L7;
                                				}
                                				goto L4;
                                			}
















                                APIs
                                • __EH_prolog3_catch.LIBCMT ref: 012B4813
                                  • Part of subcall function 012862B1: _memset.LIBCMT ref: 012862E1
                                  • Part of subcall function 0128387E: _memset.LIBCMT ref: 012838BB
                                  • Part of subcall function 0128387E: GetVersionExW.KERNEL32(?), ref: 012838D4
                                • GlobalFree.KERNEL32(?), ref: 012B49BB
                                  • Part of subcall function 0133E9F7: GetStockObject.GDI32(00000011), ref: 0133EA1F
                                  • Part of subcall function 0133E9F7: GetStockObject.GDI32(0000000D), ref: 0133EA27
                                  • Part of subcall function 0133E9F7: GetObjectW.GDI32(00000000,0000005C,?), ref: 0133EA34
                                  • Part of subcall function 0133E9F7: GetDC.USER32(00000000), ref: 0133EA43
                                  • Part of subcall function 0133E9F7: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0133EA57
                                  • Part of subcall function 0133E9F7: MulDiv.KERNEL32 ref: 0133EA63
                                  • Part of subcall function 0133E9F7: ReleaseDC.USER32(00000000,00000000), ref: 0133EA6F
                                  • Part of subcall function 0133E73C: GlobalFree.KERNEL32(00000000), ref: 0133E743
                                • GlobalLock.KERNEL32 ref: 012B48F9
                                  • Part of subcall function 0128512A: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,Function_00006293), ref: 01285159
                                  • Part of subcall function 0128512A: SetWindowsHookExW.USER32(00000005,Function_00014F19,00000000,00000000), ref: 01285169
                                • CreateDialogIndirectParamW.USER32(?,?,?,012B41E4,00000000), ref: 012B4928
                                  • Part of subcall function 01282DC0: UnhookWindowsHookEx.USER32(?), ref: 01282DF0
                                • DestroyWindow.USER32(00000000), ref: 012B49A2
                                • GlobalUnlock.KERNEL32(?), ref: 012B49B2
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Global$Object$FreeHookStockWindows_memset$CapsCreateCurrentDestroyDeviceDialogH_prolog3_catchIndirectLockParamReleaseThreadUnhookUnlockVersionWindow
                                • String ID:
                                • API String ID: 519092138-0
                                • Opcode ID: afab07b0033f0c2d3d46728d8b4dfeb921592d21e3df59826beabbd2ca1fb921
                                • Instruction ID: b1183fdf19d3133ce20fa33901a10010a5428cc5b3060cb3c17962d3f7e4b3a4
                                • Opcode Fuzzy Hash: afab07b0033f0c2d3d46728d8b4dfeb921592d21e3df59826beabbd2ca1fb921
                                • Instruction Fuzzy Hash: 4B518B3192028BDFCF14FFA8C8C49FEBBB5AF54354F140529E642A7292DB709A41CB61
                                Uniqueness

                                Uniqueness Score: 0.80%

                                C-Code - Quality: 81%
                                			E012DA981(intOrPtr* __ecx, void* __edx, void* __eflags, struct tagPOINT _a4, intOrPtr _a8, signed int _a12) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				signed int _v60;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t57;
                                				void* _t60;
                                				void* _t63;
                                				void* _t65;
                                				signed int _t82;
                                				int _t87;
                                				void* _t90;
                                				intOrPtr* _t107;
                                				signed int _t108;
                                
                                				_t105 = __edx;
                                				_t57 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t57 ^ _t108;
                                				_t107 = __ecx;
                                				_t60 =  *((intOrPtr*)( *__ecx + 0x1b4))();
                                				_t92 = _t60;
                                				_t63 = L012C74B8(0x13d0a78, __edx,  *((intOrPtr*)( *__ecx + 0x198))());
                                				_v60 = _v60 | 0xffffffff;
                                				if(_t60 < 0) {
                                					_t111 = _t63;
                                					if(_t63 != 0) {
                                						_t90 = L012A5D28(_t92, _t63, 0, _t107, _t111);
                                						if(_t90 != 0 &&  *((intOrPtr*)(_t90 + 8)) != 0 &&  *((intOrPtr*)(_t90 + 4)) != 0) {
                                							_v60 =  *((intOrPtr*)(_t90 + 0x100));
                                						}
                                					}
                                				}
                                				_t65 =  *((intOrPtr*)( *_t107 + 0x334))(_a4.x, _a8, 1);
                                				_t93 = _t65;
                                				_v40.left = 0;
                                				_v40.top = 0;
                                				_v40.right = 0;
                                				_v40.bottom = 0;
                                				_v56.left = 0;
                                				_v56.top = 0;
                                				_v56.right = 0;
                                				_v56.bottom = 0;
                                				 *((intOrPtr*)( *_t107 + 0x32c))( &_v40,  &_v56);
                                				if(_t65 == 2) {
                                					L15:
                                					_push(3);
                                					L16:
                                					_pop(0);
                                					L17:
                                					return L01367D3E(0, _t93, _v8 ^ _t108, _t105, 0, _t107);
                                				}
                                				_push(_a8);
                                				_t93 = PtInRect;
                                				if(PtInRect( &_v40, _a4.x) != 0) {
                                					goto L15;
                                				}
                                				_push(_a8);
                                				if(PtInRect( &_v56, _a4.x) != 0 || _v60 == 8) {
                                					goto L15;
                                				} else {
                                					_v24.left = 0;
                                					_v24.top = 0;
                                					_v24.right = 0;
                                					_v24.bottom = 0;
                                					GetWindowRect( *(_t107 + 0x20),  &_v24);
                                					_v24.top = _v24.top +  *((intOrPtr*)( *_t107 + 0x1a0))();
                                					_v24.top = _v24.top + _v40.bottom - _v40.top;
                                					_v24.bottom = _v24.bottom + _v56.top - _v56.bottom;
                                					_t82 = _a12;
                                					if(_t82 != 0xffffffff) {
                                						InflateRect( &_v24,  ~_t82,  ~_t82);
                                						_push(_a8);
                                						_t87 = PtInRect( &_v24, _a4.x);
                                						__eflags = _t87;
                                						if(_t87 == 0) {
                                							L12:
                                							_push(2);
                                							goto L16;
                                						}
                                						L14:
                                						goto L17;
                                					}
                                					_push(_a8);
                                					if(PtInRect( &_v24, _a4) == 0) {
                                						goto L14;
                                					}
                                					goto L12;
                                				}
                                			}






















                                APIs
                                  • Part of subcall function 012C74B8: GetParent.USER32(?), ref: 012C75B6
                                • PtInRect.USER32(?,?,?), ref: 012DAA3A
                                • PtInRect.USER32(?,?,?), ref: 012DAA4E
                                • GetWindowRect.USER32 ref: 012DAA6D
                                • PtInRect.USER32(?,?,?), ref: 012DAAA4
                                • InflateRect.USER32(?,?,?), ref: 012DAAB6
                                • PtInRect.USER32(?,?,?), ref: 012DAAC6
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 012A5D28: __EH_prolog3.LIBCMT ref: 012A5D2F
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$ExceptionFilterProcessUnhandled$CurrentDebuggerH_prolog3InflateParentPresentTerminateWindow
                                • String ID:
                                • API String ID: 3973106645-0
                                • Opcode ID: ab63c620d551ad504c99323c79c1423a983d72b7b6d5e3d055aff35a5c9f6339
                                • Instruction ID: e15efdb9c6511658b07280c67ecaa8d77fa0f4aff9952d3a9b3405ee72909eaf
                                • Opcode Fuzzy Hash: ab63c620d551ad504c99323c79c1423a983d72b7b6d5e3d055aff35a5c9f6339
                                • Instruction Fuzzy Hash: D4511771A1020AAFCF11DFA8C984DEEBBF9FF48314F10451AE645E7251D7759A40CB61
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 45%
                                			E0127E6F4(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t48;
                                				intOrPtr _t50;
                                				intOrPtr _t53;
                                				intOrPtr _t55;
                                				void* _t56;
                                				intOrPtr _t59;
                                				intOrPtr _t65;
                                				intOrPtr _t66;
                                				intOrPtr _t67;
                                				intOrPtr _t74;
                                				signed int _t89;
                                				signed int _t91;
                                				intOrPtr _t93;
                                				intOrPtr* _t95;
                                				intOrPtr* _t96;
                                				intOrPtr _t97;
                                				void* _t98;
                                
                                				_push(0x50);
                                				L01369601(0x137f584, __ebx, __edi, __esi);
                                				_t48 =  *((intOrPtr*)(_t98 + 8));
                                				_t95 =  *((intOrPtr*)(_t98 + 0xc));
                                				 *((intOrPtr*)(_t98 - 0x18)) = __ecx;
                                				 *((intOrPtr*)(_t98 - 0x10)) = _t48;
                                				 *((intOrPtr*)(_t98 - 0x1c)) = _t95;
                                				_t74 = 0;
                                				 *((intOrPtr*)(_t98 - 4)) = 0;
                                				if(_t48 == 0 ||  *((intOrPtr*)(__ecx + 0x1f8)) == 0) {
                                					L15:
                                					_t50 =  *((intOrPtr*)(_t98 + 0x18));
                                					 *((intOrPtr*)( *_t95 + 0x68))(_t50,  *((intOrPtr*)(_t50 - 0xc)), _t98 + 0x1c,  *((intOrPtr*)(_t98 + 0x2c)));
                                					L01271470( *((intOrPtr*)(_t98 + 0x18)) + 0xfffffff0,  *_t95);
                                					_t53 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t55 = E0127E1CC(__ecx);
                                					if(_t55 == 0) {
                                						goto L15;
                                					} else {
                                						if( *((intOrPtr*)(_t98 + 0x18)) != 0) {
                                							__imp__#2( *((intOrPtr*)(_t98 + 0x18)));
                                							_t93 = _t55;
                                							 *((intOrPtr*)(_t98 - 0x14)) = _t93;
                                							__eflags = _t93;
                                							if(__eflags != 0) {
                                								goto L5;
                                							} else {
                                								_push(0x8007000e);
                                								_t67 = L012713A0(0, __ecx, _t93, _t95);
                                								goto L13;
                                							}
                                						} else {
                                							_t93 = 0;
                                							 *((intOrPtr*)(_t98 - 0x14)) = 0;
                                							L5:
                                							_t96 = __imp__#7;
                                							 *((char*)(_t98 - 4)) = 1;
                                							_t56 =  *_t96(_t93);
                                							_t91 = 2;
                                							_t89 = (_t56 + 1) * _t91 >> 0x20;
                                							_t59 = E01274753(0,  ~0x00BADBAD | (_t56 + 0x00000001) * _t91);
                                							_t74 = _t59;
                                							L013699F6(_t74,  *_t96(_t93) + 1, _t93);
                                							_t97 = 0x40;
                                							L01367D50(_t98 - 0x5c, 0, _t97);
                                							_t65 =  *((intOrPtr*)(_t98 + 0x30));
                                							 *((intOrPtr*)(_t98 - 0x5c)) = _t97;
                                							 *(_t98 - 0x58) = 0x2000;
                                							if(_t65 > 0) {
                                								 *(_t98 - 0x58) = 0x2800;
                                								 *((intOrPtr*)(_t98 - 0x28)) = _t65;
                                							}
                                							_t66 =  *((intOrPtr*)(_t98 + 0x34));
                                							if(_t66 != 0xffffffff) {
                                								 *(_t98 - 0x58) =  *(_t98 - 0x58) | 0x00000001;
                                								 *((intOrPtr*)(_t98 - 0x54)) = _t66;
                                							}
                                							_t67 =  *((intOrPtr*)(_t98 - 0x1c));
                                							if(_t67 != 0) {
                                								L13:
                                								_t67 =  *((intOrPtr*)(_t67 + 4));
                                							} else {
                                							}
                                						}
                                						 *((intOrPtr*)( *((intOrPtr*)(_t98 - 0x18)) + 0x1f8))( *((intOrPtr*)(_t98 - 0x10)), _t67,  *((intOrPtr*)(_t98 + 0x10)),  *((intOrPtr*)(_t98 + 0x14)), _t74, 0xffffffff,  *((intOrPtr*)(_t98 + 0x2c)), _t98 + 0x1c, _t98 - 0x5c);
                                						E01274782();
                                						__imp__#6(_t93, _t74);
                                						L01271470( *((intOrPtr*)(_t98 + 0x18)) + 0xfffffff0, _t89);
                                						_t53 = 1;
                                					}
                                				}
                                				return L013696D9(_t53);
                                			}





















                                APIs
                                • __EH_prolog3.LIBCMT ref: 0127E6FB
                                • SysStringLen.OLEAUT32(00000000), ref: 0127E74A
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                • SysStringLen.OLEAUT32(00000000), ref: 0127E766
                                • _memset.LIBCMT ref: 0127E77A
                                • SysAllocString.OLEAUT32(?), ref: 0127E7B8
                                • SysFreeString.OLEAUT32(00000000), ref: 0127E801
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: String$AllocFreeH_prolog3_malloc_memset
                                • String ID:
                                • API String ID: 1388600264-0
                                • Opcode ID: 22c84f4f724bb1c55cf430166d7170611a9d80328e0853caf05c7e0051e9b9a6
                                • Instruction ID: b6dacfc22e542d2314f21cfba9ca8c4a3ea56664e53b5cf35046d78104553065
                                • Opcode Fuzzy Hash: 22c84f4f724bb1c55cf430166d7170611a9d80328e0853caf05c7e0051e9b9a6
                                • Instruction Fuzzy Hash: 6E41827191020B9FDF14DFA8CC85ABFBBB8EF14358F114169FA25E7294D6309851CBA0
                                Uniqueness

                                Uniqueness Score: 16.53%

                                C-Code - Quality: 97%
                                			E012CA719(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr* _t39;
                                				struct HWND__* _t42;
                                				signed int _t44;
                                				intOrPtr* _t45;
                                				void* _t47;
                                				signed int _t56;
                                				signed int _t59;
                                				intOrPtr _t68;
                                				struct HWND__* _t69;
                                				intOrPtr* _t71;
                                				intOrPtr* _t73;
                                				void* _t74;
                                
                                				_t66 = __edx;
                                				_t60 = __ecx;
                                				_push(0x28);
                                				L01369601(0x13827a7, __ebx, __edi, __esi);
                                				_t59 = __ecx;
                                				 *((intOrPtr*)(_t74 - 0x18)) = __ecx;
                                				 *__ecx = 0x1397b14;
                                				_t71 =  *((intOrPtr*)(__ecx + 0x1e0));
                                				 *(_t74 - 4) = 1;
                                				_t68 = 0;
                                				while(_t71 != _t68) {
                                					_t39 = _t71;
                                					__eflags = _t71 - _t68;
                                					if(__eflags == 0) {
                                						L6:
                                						L01277AC9(_t60);
                                						L7:
                                						_t60 = _t74 - 0x34;
                                						L013316F2(_t74 - 0x34, __eflags,  *(_t71 + 0x20));
                                						_t42 = GetWindow( *(_t71 + 0x20), 2);
                                						L8:
                                						_t71 = E01282D05(_t59, _t60, _t66, _t42);
                                						if(_t71 != _t68) {
                                							goto L7;
                                						}
                                						_t73 =  *((intOrPtr*)(_t74 - 0x30));
                                						if(_t73 == _t68) {
                                							L15:
                                							_t44 = E01294A70();
                                							_t71 =  *((intOrPtr*)(_t44 + 4));
                                							 *(_t74 - 0x14) = _t44;
                                							while(1) {
                                								_t83 = _t71 - _t68;
                                								if(_t71 == _t68) {
                                									break;
                                								}
                                								 *((intOrPtr*)(_t74 - 0x10)) = _t71;
                                								_t45 = _t71;
                                								__eflags = _t71 - _t68;
                                								if(__eflags == 0) {
                                									goto L6;
                                								}
                                								_t46 =  *((intOrPtr*)(_t45 + 8));
                                								_t71 =  *_t71;
                                								__eflags =  *((intOrPtr*)(_t45 + 8)) - _t68;
                                								_t60 = 0 | __eflags != 0x00000000;
                                								__eflags = (__eflags != 0) - _t68;
                                								if(__eflags == 0) {
                                									goto L6;
                                								}
                                								_t47 = E01282D31(_t59, _t60, _t66, _t68, _t71, __eflags,  *((intOrPtr*)(_t46 + 0x20)));
                                								__eflags = _t47;
                                								if(_t47 == 0) {
                                									_t60 =  *(_t74 - 0x14);
                                									L012E7758( *(_t74 - 0x14),  *((intOrPtr*)(_t74 - 0x10)));
                                								}
                                							}
                                							 *(_t74 - 4) = 1;
                                							 *(_t74 - 0x34) = 0x1390b30;
                                							E0133286E(_t74 - 0x34);
                                							 *(_t74 - 4) = 0;
                                							E012AEDA4(_t59, _t59 + 0x114, _t66, _t68, _t71, _t83);
                                							_t35 = _t74 - 4;
                                							 *(_t74 - 4) =  *(_t74 - 4) | 0xffffffff;
                                							return L013696D9(E012CA049(_t59, _t66, _t68, _t71,  *_t35));
                                						} else {
                                							goto L10;
                                						}
                                						do {
                                							L10:
                                							_t69 =  *(_t73 + 8);
                                							_t73 =  *_t73;
                                							if(IsWindow(_t69) != 0 && GetParent(_t69) ==  *(_t59 + 0x20)) {
                                								DestroyWindow(_t69);
                                							}
                                						} while (_t73 != 0);
                                						_t68 = 0;
                                						goto L15;
                                					} else {
                                						_t71 =  *_t71;
                                						_t56 = E012789CC(0x13d04b0,  *((intOrPtr*)(_t39 + 8)));
                                						_pop(_t60);
                                						__eflags = _t56 - _t68;
                                						if(__eflags != 0) {
                                							_t66 =  *_t56;
                                							_t60 = _t56;
                                							 *((intOrPtr*)( *_t56 + 0x60))();
                                						}
                                						continue;
                                					}
                                				}
                                				 *(_t74 - 0x34) = 0x1390b30;
                                				 *((intOrPtr*)(_t74 - 0x28)) = _t68;
                                				 *((intOrPtr*)(_t74 - 0x24)) = _t68;
                                				 *((intOrPtr*)(_t74 - 0x2c)) = _t68;
                                				 *((intOrPtr*)(_t74 - 0x30)) = _t68;
                                				 *((intOrPtr*)(_t74 - 0x20)) = _t68;
                                				 *((intOrPtr*)(_t74 - 0x1c)) = 0xa;
                                				 *(_t74 - 4) = 2;
                                				_t42 = GetTopWindow( *(_t59 + 0x20));
                                				goto L8;
                                			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012CA720
                                • GetTopWindow.USER32 ref: 012CA78B
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetWindow.USER32(?,00000002), ref: 012CA7A9
                                • IsWindow.USER32(?), ref: 012CA7C8
                                • GetParent.USER32(?), ref: 012CA7D3
                                • DestroyWindow.USER32(?), ref: 012CA7DF
                                  • Part of subcall function 012AEDA4: __EH_prolog3.LIBCMT ref: 012AEDAB
                                  • Part of subcall function 012CA049: __EH_prolog3_catch_GS.LIBCMT ref: 012CA053
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$H_prolog3$DestroyException@8H_prolog3_catch_ParentThrow
                                • String ID:
                                • API String ID: 1668363998-0
                                • Opcode ID: 7bc3641939f60718e0f2ff5bf499e6f45211de55a96a90dcbc4132fb16f05b2b
                                • Instruction ID: bba7e030a295e9acfb1d6ec5a69f705b23c96aba261133975edacba2fe6c2232
                                • Opcode Fuzzy Hash: 7bc3641939f60718e0f2ff5bf499e6f45211de55a96a90dcbc4132fb16f05b2b
                                • Instruction Fuzzy Hash: 3541E53092021ADFCF16EF68C4886ADFBB4BF58B14F29065CEA567B251E7705D04CB90
                                Uniqueness

                                Uniqueness Score: 5.06%

                                C-Code - Quality: 97%
                                			E012BAAFE(void* __ecx, void* __edx, void* __edi) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				void* __ebx;
                                				void* __esi;
                                				signed int _t30;
                                				int _t35;
                                				int _t39;
                                				int _t58;
                                				void* _t59;
                                				void* _t64;
                                				void* _t65;
                                				void* _t67;
                                				signed int _t68;
                                
                                				_t65 = __edi;
                                				_t64 = __edx;
                                				_t30 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t30 ^ _t68;
                                				_t67 = __ecx;
                                				_v24.left = 0;
                                				_v24.top = 0;
                                				_v24.right = 0;
                                				_v24.bottom = 0;
                                				GetWindowRect( *( *((intOrPtr*)(__ecx + 0x120)) + 0x20),  &_v24);
                                				_t35 =  *(_t67 + 0x124);
                                				_t58 = _t35;
                                				if( *((intOrPtr*)(_t67 + 0x290)) != 0) {
                                					_t58 =  ~_t58;
                                				}
                                				OffsetRect( &_v24, _t58, _t35);
                                				SendMessageW( *(_t67 + 0x20), 0xb, 0, 0);
                                				_t39 = IsWindowVisible( *(_t67 + 0x20));
                                				_t59 = _t67;
                                				if(_t39 != 0) {
                                					E01286A31(_t59, 0, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x14);
                                				} else {
                                					E0128699F(_t59, 4);
                                					E01286A31( *((intOrPtr*)(_t67 + 0x120)), 0x13d7e28, E01286A31(_t67, 0x13d7e28, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x10) | 0xffffffff, E01286A31(_t67, 0x13d7e28, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x10) | 0xffffffff, E01286A31(_t67, 0x13d7e28, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x10) | 0xffffffff, _t54, 0x53);
                                					_t65 = _t65;
                                				}
                                				SendMessageW( *(_t67 + 0x20), 0xb, 1, 0);
                                				return L01367D3E(RedrawWindow( *(_t67 + 0x20), 0, 0, 0x105), 0, _v8 ^ _t68, _t64, _t65, _t67);
                                			}

                                APIs
                                • GetWindowRect.USER32 ref: 012BAB2F
                                • OffsetRect.USER32 ref: 012BAB4D
                                • SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 012BAB5A
                                • IsWindowVisible.USER32(?), ref: 012BAB63
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                • SendMessageW.USER32(00000014,0000000B,00000001,00000000), ref: 012BABD6
                                • RedrawWindow.USER32(00000105,00000000,00000000,00000105), ref: 012BABE6
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 0128699F: ShowWindow.USER32(00000000,?), ref: 012869B0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$ExceptionFilterMessageProcessRectSendUnhandled$CurrentDebuggerOffsetPresentRedrawShowTerminateVisible
                                • String ID:
                                • API String ID: 830698359-0
                                • Opcode ID: f01c7e4b8e75d4d601921d7a9fbbda8a30aa575e7687740a0be040dde9d40f29
                                • Instruction ID: 029ab356bc32e2d20505e3f82118f287b714388888faf09cd2be825b2bac9a73
                                • Opcode Fuzzy Hash: f01c7e4b8e75d4d601921d7a9fbbda8a30aa575e7687740a0be040dde9d40f29
                                • Instruction Fuzzy Hash: 4131F1B291020ABFDB21DFA8CD85EFFBBBDFB48744F140518B555A6194DB70AD009B20
                                Uniqueness

                                Uniqueness Score: 2.38%

                                C-Code - Quality: 93%
                                			E012D074C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t56;
                                				intOrPtr _t57;
                                				void* _t77;
                                				int _t80;
                                				void* _t81;
                                				void* _t82;
                                
                                				_t82 = __eflags;
                                				_t75 = __edx;
                                				_push(0x48);
                                				L0136966A(0x13829f9, __ebx, __edi, __esi);
                                				_t77 = __ecx;
                                				_push(0);
                                				L01279EEC(0, _t81 - 0x54, __edx, __ecx, __esi, _t82);
                                				 *(_t81 - 4) = 0;
                                				L0127976C(_t81 - 0x40);
                                				 *(_t81 - 4) = 1;
                                				L01279DC3(0, _t81 - 0x40, __edx, _t77, CreateCompatibleDC(0));
                                				 *(_t81 - 0x2c) = GetSystemMetrics(0x36);
                                				_t80 = GetSystemMetrics(0x36);
                                				 *((intOrPtr*)(_t81 - 0x24)) = 0;
                                				 *((intOrPtr*)(_t81 - 0x28)) = 0x138f588;
                                				 *(_t81 - 4) = 2;
                                				E0127A097(0, _t81 - 0x28, _t75, _t77, CreateCompatibleBitmap( *(_t81 - 0x50),  *(_t81 - 0x2c), _t80));
                                				 *((intOrPtr*)(_t81 - 0x30)) = E0127A14E( *(_t81 - 0x3c),  *((intOrPtr*)(_t81 - 0x24)));
                                				 *(_t81 - 0x18) =  *(_t81 - 0x2c);
                                				 *(_t81 - 0x20) = 0;
                                				 *((intOrPtr*)(_t81 - 0x1c)) = 0;
                                				 *(_t81 - 0x14) = _t80;
                                				DrawFrameControl( *(_t81 - 0x3c), _t81 - 0x20, 1, 0x2000);
                                				 *((intOrPtr*)(_t77 + 0xd08)) =  *(_t81 - 0x14) -  *((intOrPtr*)(_t81 - 0x1c));
                                				_t56 =  *((intOrPtr*)(_t81 - 0x30));
                                				 *((intOrPtr*)(_t77 + 0xd04)) =  *(_t81 - 0x18) -  *(_t81 - 0x20);
                                				_t83 = _t56;
                                				if(_t56 != 0) {
                                					_t57 =  *((intOrPtr*)(_t56 + 4));
                                				} else {
                                					_t57 = 0;
                                				}
                                				E0127A14E( *(_t81 - 0x3c), _t57);
                                				 *(_t81 - 4) = 1;
                                				 *((intOrPtr*)(_t81 - 0x28)) = 0x138f588;
                                				E0127A27E(0, _t81 - 0x28, _t77, _t80, _t83);
                                				 *(_t81 - 4) = 0;
                                				L01279E44(_t81 - 0x40);
                                				 *(_t81 - 4) =  *(_t81 - 4) | 0xffffffff;
                                				L01279F40(0, _t81 - 0x54, _t75, _t77, _t80,  *(_t81 - 4));
                                				return L013696ED(0, _t77, _t80);
                                			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012D0753
                                  • Part of subcall function 01279EEC: __EH_prolog3.LIBCMT ref: 01279EF3
                                  • Part of subcall function 01279EEC: GetWindowDC.USER32(00000000), ref: 01279F1F
                                • CreateCompatibleDC.GDI32(00000000), ref: 012D0775
                                • GetSystemMetrics.USER32 ref: 012D078C
                                • GetSystemMetrics.USER32 ref: 012D0793
                                • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 012D07AC
                                  • Part of subcall function 0127A14E: SelectObject.GDI32(?,?), ref: 0127A159
                                • DrawFrameControl.USER32(?,?,00000001,00002000), ref: 012D07E6
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                  • Part of subcall function 01279F40: __EH_prolog3.LIBCMT ref: 01279F47
                                  • Part of subcall function 01279F40: ReleaseDC.USER32(?,00000000), ref: 01279F64
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CompatibleCreateH_prolog3MetricsSystem$BitmapControlDeleteDrawFrameH_prolog3_H_prolog3_catch_ObjectReleaseSelectWindow
                                • String ID:
                                • API String ID: 3855098414-0
                                • Opcode ID: f842480870f7110624717baa221f8a0c975d197a0b71199fbf6bbc7b73aa1133
                                • Instruction ID: 25c5837f26b5f299d9e96a17a4028f07a115b9b3b005944a9e39b724f0e6f752
                                • Opcode Fuzzy Hash: f842480870f7110624717baa221f8a0c975d197a0b71199fbf6bbc7b73aa1133
                                • Instruction Fuzzy Hash: 91310271C10219EFDF05EFE8C984AEEBBB8BF18324F14811AE505B7290DB755A44CB60
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 100%
                                			E012E0F27(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                				void* _t62;
                                				void* _t65;
                                				void* _t66;
                                
                                				_t66 = __esi;
                                				_t65 = __edi;
                                				_t62 = __ebx;
                                			}







                                APIs
                                • SelectObject.GDI32(?,?), ref: 012E0F31
                                • SelectObject.GDI32(?,?), ref: 012E1028
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                • GetPixel.GDI32(?,?,00000000), ref: 012E0FBE
                                • GetPixel.GDI32(?,?,00000000), ref: 012E0FD0
                                • SetPixel.GDI32(?,?,00000000,00000000), ref: 012E0FDF
                                • SetPixel.GDI32(?,?,00000000,?), ref: 012E0FF1
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Pixel$ObjectSelect$Delete
                                • String ID:
                                • API String ID: 1397414195-0
                                • Opcode ID: d4c355cd783eaddd6169454986c267e03462cd7486dc33e6a19a62eeb16b4981
                                • Instruction ID: 4e2c417b5e64a5b0b1506fe7133b74b81bbc94b728fdd70ad8b3457ada9e9b4b
                                • Opcode Fuzzy Hash: d4c355cd783eaddd6169454986c267e03462cd7486dc33e6a19a62eeb16b4981
                                • Instruction Fuzzy Hash: 5231D270E10229DFDF219FA5CD89A9CBBB6FF08310F5041A9EA08A7222DB715991DF50
                                Uniqueness

                                Uniqueness Score: 23.02%

                                C-Code - Quality: 67%
                                			E012B2F39(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t33;
                                				long _t37;
                                				void* _t40;
                                				void* _t55;
                                				intOrPtr _t64;
                                				void* _t65;
                                
                                				_t58 = __edx;
                                				_t48 = __ebx;
                                				_push(0x18);
                                				L01369634(0x1381a5a, __ebx, __edi, __esi);
                                				 *((intOrPtr*)(_t65 - 0x1c)) = __ecx;
                                				_push(_t65 - 0x18);
                                				_push(_t65 - 0x20);
                                				_push( *((intOrPtr*)(_t65 + 0xc)));
                                				_push(0x3e8);
                                				L0137E13A();
                                				_t33 = GlobalLock( *(_t65 - 0x18));
                                				E01272410(_t65 - 0x14, E0127859A());
                                				 *(_t65 - 4) =  *(_t65 - 4) & 0x00000000;
                                				 *(_t65 - 4) = 1;
                                				E01272AA0(__edi, _t33);
                                				_t37 = GlobalUnlock( *(_t65 - 0x18));
                                				 *(_t65 - 4) =  *(_t65 - 4) & 0x00000000;
                                				_push( *(_t65 - 0x18));
                                				_push(0x8000);
                                				_push(0x3e4);
                                				_push(0x3e8);
                                				_push( *((intOrPtr*)(_t65 + 0xc)));
                                				L0137E134();
                                				_t60 =  *((intOrPtr*)(_t65 - 0x1c));
                                				PostMessageW( *(_t65 + 8), 0x3e4,  *( *((intOrPtr*)(_t65 - 0x1c)) + 0x20), _t37);
                                				if(E012869C6( *((intOrPtr*)(_t65 - 0x1c))) != 0) {
                                					_t64 =  *((intOrPtr*)(_t65 - 0x14));
                                					__eflags =  *((intOrPtr*)(_t64 - 4)) - 1;
                                					if(__eflags > 0) {
                                						L012715B0(_t65 - 0x14,  *((intOrPtr*)(_t64 - 0xc)));
                                						_t64 =  *((intOrPtr*)(_t65 - 0x14));
                                					}
                                					_t40 = E012792EF(_t48, _t60, _t64, __eflags);
                                					_t58 =  *((intOrPtr*)( *((intOrPtr*)(_t40 + 4))));
                                					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t40 + 4)))) + 0xbc))(_t64);
                                					E012723C0(_t48, _t65 - 0x14, _t60, 0xffffffff);
                                					_t55 = _t64 - 0x10;
                                				} else {
                                					_t55 =  *((intOrPtr*)(_t65 - 0x14)) + 0xfffffff0;
                                				}
                                				L01271470(_t55, _t58);
                                				return L013696D9(0);
                                			}










                                APIs
                                • __EH_prolog3_catch.LIBCMT ref: 012B2F40
                                • UnpackDDElParam.USER32 ref: 012B2F58
                                • GlobalLock.KERNEL32 ref: 012B2F60
                                • GlobalUnlock.KERNEL32(?,00000000), ref: 012B2F8A
                                • ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 012B2FAA
                                • PostMessageW.USER32 ref: 012B2FBA
                                  • Part of subcall function 012869C6: IsWindowEnabled.USER32 ref: 012869CF
                                  • Part of subcall function 012723C0: _wcsnlen.LIBCMT ref: 012723D9
                                  • Part of subcall function 012715A0: _memcpy_s.LIBCMT ref: 012715FE
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: GlobalParam$EnabledH_prolog3_catchLockMessagePostReuseUnlockUnpackWindow_memcpy_s_wcsnlen
                                • String ID:
                                • API String ID: 4140245776-0
                                • Opcode ID: e7cb31398dfdfa79debef14f9779677be99ffac32554976651b1b7de8fcedb5a
                                • Instruction ID: 54f8c5a62895e39bde1a72c4ecd2b23b74b7dda2b66ff114e0e3857b55b9163d
                                • Opcode Fuzzy Hash: e7cb31398dfdfa79debef14f9779677be99ffac32554976651b1b7de8fcedb5a
                                • Instruction Fuzzy Hash: D021483191020AEBDF11EBA4CD45AFEBB79BF24329F104124E501B72D0DB346E05CBA1
                                Uniqueness

                                Uniqueness Score: 1.47%

                                C-Code - Quality: 92%
                                			E012B07E7(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                				intOrPtr _v8;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				struct HWND__* _t17;
                                				signed int _t22;
                                				void* _t28;
                                				void* _t31;
                                				struct HWND__* _t33;
                                				void* _t35;
                                
                                				_t31 = __edx;
                                				_t30 = __ecx;
                                				_push(__ecx);
                                				_v8 = __ecx;
                                				_t17 = GetWindow(GetDesktopWindow(), 5);
                                				_t33 = _t17;
                                				_t37 = _t33;
                                				if(_t33 == 0) {
                                					L14:
                                					return _t17;
                                				} else {
                                					_t28 = ShowWindow;
                                					_push(_t35);
                                					do {
                                						_t35 = E01282D31(_t28, _t30, _t31, _t33, _t35, _t37, _t33);
                                						if(_t35 != 0) {
                                							_t20 =  *((intOrPtr*)(_v8 + 0x20));
                                							if( *((intOrPtr*)(_v8 + 0x20)) != _t33 && E012B074C(_t20, _t33) != 0) {
                                								_t22 = GetWindowLongW(_t33, 0xfffffff0);
                                								if(_a4 != 0) {
                                									__eflags = _t22 & 0x18000000;
                                									if(__eflags == 0) {
                                										__eflags =  *(_t35 + 0x58) & 0x00000002;
                                										if(__eflags != 0) {
                                											__eflags =  *(_v8 + 0xd4);
                                											if(__eflags == 0) {
                                												ShowWindow(_t33, 4);
                                												_t14 = _t35 + 0x58;
                                												 *_t14 =  *(_t35 + 0x58) & 0xfffffffd;
                                												__eflags =  *_t14;
                                											}
                                										}
                                									}
                                								} else {
                                									if((_t22 & 0x18000000) == 0x10000000) {
                                										ShowWindow(_t33, 0);
                                										 *(_t35 + 0x58) =  *(_t35 + 0x58) | 0x00000002;
                                									}
                                								}
                                							}
                                						}
                                						_t17 = GetWindow(_t33, 2);
                                						_t33 = _t17;
                                					} while (_t33 != 0);
                                					goto L14;
                                				}
                                			}














                                APIs
                                • GetDesktopWindow.USER32 ref: 012B07F3
                                • GetWindow.USER32(00000000), ref: 012B07FA
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 012B0836
                                • ShowWindow.USER32(00000000,00000000), ref: 012B0851
                                • ShowWindow.USER32(00000000,00000004), ref: 012B0875
                                • GetWindow.USER32(00000000,00000002), ref: 012B087E
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Show$DesktopLong
                                • String ID:
                                • API String ID: 3178490500-0
                                • Opcode ID: da391b9b7f47fd688b110c076e8fad3df8836c11aaa429a3aa2c1e6445d8d617
                                • Instruction ID: 5af1106fffd886c4a9eb9d4983c10820f627f3001b49a2918dd134ecd956129b
                                • Opcode Fuzzy Hash: da391b9b7f47fd688b110c076e8fad3df8836c11aaa429a3aa2c1e6445d8d617
                                • Instruction Fuzzy Hash: 4311C831510746ABD733972C88C9FAF7ABA9B817A4F240114F611A71A9CB78E54086A4
                                Uniqueness

                                Uniqueness Score: 0.59%

                                C-Code - Quality: 71%
                                			E01276A9F(void* __ecx, WCHAR* _a4, short* _a8, char* _a12) {
                                				long _t23;
                                				void* _t31;
                                
                                				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                					return WritePrivateProfileStringW(_a4, _a8, _a12,  *(__ecx + 0x6c));
                                				}
                                				_push(0);
                                				if(_a8 != 0) {
                                					_push(_a4);
                                					_t31 = E0127694D(__ecx);
                                					if(_a12 != 0) {
                                						if(_t31 == 0) {
                                							L3:
                                							return 0;
                                						}
                                						_t23 = RegSetValueExW(_t31, _a8, 0, 1, _a12, lstrlenW(_a12) + _t21 + 2);
                                						L10:
                                						RegCloseKey(_t31);
                                						return 0 | _t23 == 0x00000000;
                                					}
                                					if(_t31 == 0) {
                                						goto L3;
                                					}
                                					_t23 = RegDeleteValueW(_t31, _a8);
                                					goto L10;
                                				}
                                				_t31 = E01276892(__ecx);
                                				if(_t31 != 0) {
                                					_t23 = RegDeleteKeyW(_t31, _a4);
                                					goto L10;
                                				}
                                				goto L3;
                                			}






                                APIs
                                • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 01276AC7
                                  • Part of subcall function 0127694D: RegCreateKeyExW.ADVAPI32(00000000,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 01276991
                                  • Part of subcall function 0127694D: RegCloseKey.ADVAPI32(00000000), ref: 01276998
                                • RegDeleteValueW.ADVAPI32 ref: 01276AE6
                                • lstrlenW.KERNEL32(?), ref: 01276AF5
                                • RegSetValueExW.ADVAPI32 ref: 01276B0A
                                • RegCloseKey.ADVAPI32(00000000), ref: 01276B13
                                  • Part of subcall function 01276892: RegOpenKeyExW.ADVAPI32 ref: 012768CD
                                  • Part of subcall function 01276892: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 012768F8
                                  • Part of subcall function 01276892: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 01276923
                                  • Part of subcall function 01276892: RegCloseKey.ADVAPI32(?), ref: 01276937
                                  • Part of subcall function 01276892: RegCloseKey.ADVAPI32(?), ref: 01276941
                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 01276B2E
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Close$Create$DeleteValue$OpenPrivateProfileStringWritelstrlen
                                • String ID:
                                • API String ID: 457592527-0
                                • Opcode ID: 2667e01c957b116830b63c3664563bfd6f6a9f05545fbec2342a187e730330b5
                                • Instruction ID: 8c84bb94f998487797784aff36a2f485121acc30a32d7f5149a0e28a7c0772f2
                                • Opcode Fuzzy Hash: 2667e01c957b116830b63c3664563bfd6f6a9f05545fbec2342a187e730330b5
                                • Instruction Fuzzy Hash: B7118F72421616FFEF222FA5CC88CEF3B69FB09355B098425FA1595010D7328951DB60
                                Uniqueness

                                Uniqueness Score: 1.23%

                                C-Code - Quality: 71%
                                			E0127AC14(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t19;
                                				void* _t31;
                                				void* _t34;
                                				void* _t35;
                                				struct HWND__* _t36;
                                				signed int _t37;
                                
                                				_t19 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t19 ^ _t37;
                                				_t36 = _a4;
                                				ClientToScreen(_t36,  &_a8);
                                				_t35 = GetWindow;
                                				_push(5);
                                				while(1) {
                                					_t36 = GetWindow(_t36, ??);
                                					if(_t36 == 0) {
                                						break;
                                					}
                                					if(GetDlgCtrlID(_t36) == 0xffff || (GetWindowLongW(_t36, 0xfffffff0) & 0x10000000) == 0) {
                                						L4:
                                						_push(2);
                                						continue;
                                					} else {
                                						_v24.left = _v24.left & 0x00000000;
                                						_v24.top = _v24.top & 0x00000000;
                                						_v24.right = _v24.right & 0x00000000;
                                						_v24.bottom = _v24.bottom & 0x00000000;
                                						GetWindowRect(_t36,  &_v24);
                                						_push(_a12);
                                						if(PtInRect( &_v24, _a8) != 0) {
                                							_t23 = _t36;
                                						} else {
                                							goto L4;
                                						}
                                					}
                                					break;
                                				}
                                				return L01367D3E(_t23, _t31, _v8 ^ _t37, _t34, _t35, _t36);
                                			}














                                APIs
                                • ClientToScreen.USER32(?,?), ref: 0127AC30
                                • GetDlgCtrlID.USER32 ref: 0127AC41
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0127AC51
                                • GetWindowRect.USER32 ref: 0127AC73
                                • PtInRect.USER32(00000000,00000000,00000000), ref: 0127AC83
                                • GetWindow.USER32(?,00000005), ref: 0127AC90
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$ExceptionFilterProcessRectUnhandled$ClientCtrlCurrentDebuggerLongPresentScreenTerminate
                                • String ID:
                                • API String ID: 3898718898-0
                                • Opcode ID: b3354e16b48a25d6308c2620d01b73ee3365206c0b046e3de6238f1d876f77b8
                                • Instruction ID: 2abe1a66650489da4d194b15b01becdc257e3f0a57a8217a3a41a204c5e98cc1
                                • Opcode Fuzzy Hash: b3354e16b48a25d6308c2620d01b73ee3365206c0b046e3de6238f1d876f77b8
                                • Instruction Fuzzy Hash: 06119E72921219BFDB119F58D808BEFB7BCFF14326F154119F901A3084D7789A058BA1
                                Uniqueness

                                Uniqueness Score: 0.20%

                                C-Code - Quality: 100%
                                			E0127AD6E(struct HWND__* _a4) {
                                				struct HWND__* _t3;
                                				struct HWND__* _t6;
                                				struct HWND__* _t8;
                                				struct HWND__* _t10;
                                
                                				_t3 = GetFocus();
                                				_t10 = _t3;
                                				if(_t10 != 0) {
                                					_t8 = _a4;
                                					if(_t10 == _t8) {
                                						L10:
                                						return _t3;
                                					}
                                					if(E0127AB61(_t10, 3) != 0) {
                                						L5:
                                						if(_t8 == 0 || (GetWindowLongW(_t8, 0xfffffff0) & 0x40000000) == 0) {
                                							L8:
                                							_t3 = SendMessageW(_t10, 0x14f, 0, 0);
                                							goto L9;
                                						} else {
                                							_t6 = GetParent(_t8);
                                							_t3 = GetDesktopWindow();
                                							if(_t6 == _t3) {
                                								L9:
                                								goto L10;
                                							}
                                							goto L8;
                                						}
                                					}
                                					_t3 = GetParent(_t10);
                                					_t10 = _t3;
                                					if(_t10 == _t8) {
                                						goto L9;
                                					}
                                					_t3 = E0127AB61(_t10, 2);
                                					if(_t3 == 0) {
                                						goto L9;
                                					}
                                					goto L5;
                                				}
                                				return _t3;
                                			}








                                APIs
                                • GetFocus.USER32 ref: 0127AD74
                                  • Part of subcall function 0127AB61: GetWindowLongW.USER32(?,000000F0), ref: 0127AB82
                                  • Part of subcall function 0127AB61: GetClassNameW.USER32(?,?,0000000A), ref: 0127AB97
                                  • Part of subcall function 0127AB61: CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 0127ABB1
                                • GetParent.USER32(00000000), ref: 0127AD9C
                                • GetWindowLongW.USER32(?,000000F0), ref: 0127ADB7
                                • GetParent.USER32(?), ref: 0127ADC5
                                • GetDesktopWindow.USER32 ref: 0127ADC9
                                • SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 0127ADDD
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
                                • String ID:
                                • API String ID: 1233893325-0
                                • Opcode ID: 93613e78723b0052f31102e4e28d0a0e0ed271ec3c080b724cd2bac206db059d
                                • Instruction ID: 4d8ed041581587fd2496307493585160f0297f1f89dd2288bb3d8756398bc40d
                                • Opcode Fuzzy Hash: 93613e78723b0052f31102e4e28d0a0e0ed271ec3c080b724cd2bac206db059d
                                • Instruction Fuzzy Hash: A8018C3226431327E7312B3EAC89FBF2E9D9B81B72F1D1125FB01A3184DBB498018264
                                Uniqueness

                                Uniqueness Score: 0.49%

                                C-Code - Quality: 92%
                                			E012BE36D(intOrPtr* __ecx, signed int __edx, signed short _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				signed int _v28;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t93;
                                				signed int _t96;
                                				signed int _t111;
                                				signed int _t113;
                                				void* _t116;
                                				signed int _t117;
                                				signed int _t122;
                                				void* _t125;
                                				signed int _t126;
                                				signed int _t129;
                                				signed int _t131;
                                				signed int _t134;
                                				signed int _t136;
                                				void* _t137;
                                				signed int _t140;
                                				signed int _t148;
                                				signed short _t151;
                                				signed int _t157;
                                				signed int _t160;
                                				void* _t164;
                                				signed int _t166;
                                				signed int _t186;
                                				intOrPtr* _t193;
                                				signed int _t194;
                                				signed int _t195;
                                
                                				_t190 = __edx;
                                				_t93 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t93 ^ _t195;
                                				_t193 = __ecx;
                                				_t96 =  *((intOrPtr*)( *__ecx + 0x1c0))();
                                				_v28 = _v28 & 0x00000000;
                                				_t194 = _t96;
                                				_t148 = E01286862(__ecx) & 0x00400000;
                                				_t98 = 0x25;
                                				if(_t148 == 0) {
                                					L10:
                                					_t151 = _a4;
                                					__eflags = _t151 - _t98;
                                					if(__eflags > 0) {
                                						L3:
                                						_t151 = _a4;
                                						_t98 = _t151 - 0x26;
                                						if(_t98 == 0) {
                                							L17:
                                							_t151 = _a4;
                                							_v28 = 1;
                                							L18:
                                							__eflags =  *0x13d83d4;
                                							if( *0x13d83d4 == 0) {
                                								_t98 =  *((intOrPtr*)( *_t194 + 0x3fc))(_t151);
                                							}
                                							__eflags = _v28;
                                							if(_v28 == 0) {
                                								L71:
                                								return L01367D3E(_t98, _t148, _v8 ^ _t195, _t190, _t193, _t194);
                                							}
                                							L21:
                                							__eflags =  *(_t193 + 0xef0);
                                							if( *(_t193 + 0xef0) == 0) {
                                								L69:
                                								__eflags =  *(_t194 + 0xd08);
                                								if( *(_t194 + 0xd08) != 0) {
                                									_t98 =  *((intOrPtr*)( *_t193 + 0x1fc))( *(_t194 + 0xb7c));
                                								}
                                								goto L71;
                                							}
                                							_t98 =  *(_t194 + 0xb7c);
                                							__eflags =  *(_t194 + 0xb7c);
                                							if(__eflags < 0) {
                                								goto L69;
                                							}
                                							_t148 = L01293D66(_t194, __eflags, _t98);
                                							__eflags = _t148;
                                							if(_t148 != 0) {
                                								L25:
                                								_v24.left = 0;
                                								_v24.top = 0;
                                								_v24.right = 0;
                                								_v24.bottom = 0;
                                								GetClientRect( *(_t194 + 0x20),  &_v24);
                                								_v28 =  *((intOrPtr*)(_t194 + 0xcd4));
                                								__eflags =  *((intOrPtr*)(_t148 + 0x58)) - _v24.top;
                                								if( *((intOrPtr*)(_t148 + 0x58)) >= _v24.top) {
                                									_t98 =  *(_t148 + 0x60);
                                									__eflags =  *(_t148 + 0x60) - _v24.bottom;
                                									if( *(_t148 + 0x60) <= _v24.bottom) {
                                										goto L69;
                                									}
                                									_t157 =  *((intOrPtr*)( *_t194 + 0x354))();
                                									_t111 =  *(_t148 + 0x60) - _v24.bottom;
                                									asm("cdq");
                                									_t65 = _t111 % _t157;
                                									__eflags = _t65;
                                									_t98 = _t111 / _t157;
                                									_t190 = _t65;
                                									_t148 = _t111 / _t157 + 1;
                                									L55:
                                									__eflags = _t148;
                                									if(_t148 == 0) {
                                										goto L69;
                                									}
                                									_t113 =  *((intOrPtr*)( *_t194 + 0x354))();
                                									asm("cdq");
                                									_t116 =  *(_t193 + 0x13c) / _t113 - 2;
                                									_t75 =  &_v28;
                                									 *_t75 = _v28 + _t148;
                                									__eflags =  *_t75;
                                									if( *_t75 >= 0) {
                                										_t160 = _v28;
                                										_t148 = 0;
                                										__eflags = 0;
                                									} else {
                                										_t148 = 0;
                                										_t160 = 0;
                                									}
                                									_t190 =  *((intOrPtr*)(_t194 + 0xbd4)) - _t116;
                                									_t117 =  *((intOrPtr*)(_t194 + 0xbd4)) - _t116 - 1;
                                									__eflags = _t160 - _t117;
                                									if(_t160 >= _t117) {
                                										_v28 = _t117;
                                									} else {
                                										__eflags = _v28 - _t148;
                                										if(_v28 < _t148) {
                                											_v28 = _t148;
                                										}
                                									}
                                									E012BA2F0(_t194, _v28);
                                									_t98 = E012BC93E(_t193, _t190, _t148);
                                									__eflags =  *(_t193 + 0xef4) - _t148;
                                									if( *(_t193 + 0xef4) == _t148) {
                                										L67:
                                										__eflags = _t98 - _t148;
                                										if(_t98 != _t148) {
                                											_t98 = E012BC93E(_t193, _t190, 0);
                                										}
                                									} else {
                                										_t164 = _t193 + 0xf28;
                                										__eflags = _t164 - _t148;
                                										if(_t164 == _t148) {
                                											goto L67;
                                										}
                                										__eflags =  *((intOrPtr*)(_t164 + 0x20)) - _t148;
                                										if( *((intOrPtr*)(_t164 + 0x20)) == _t148) {
                                											goto L67;
                                										}
                                										_t98 = SetScrollPos( *(_t193 + 0xf48), 2, _v28, 1);
                                									}
                                									goto L69;
                                								}
                                								_t166 =  *((intOrPtr*)( *_t194 + 0x354))();
                                								_t122 =  *((intOrPtr*)(_t148 + 0x58)) - _v24.top;
                                								asm("cdq");
                                								_t98 = _t122 / _t166;
                                								_t190 = _t122 % _t166;
                                								_t148 = _t122 / _t166 - 1;
                                								goto L55;
                                							}
                                							_t98 =  *((intOrPtr*)( *_t194 + 0x354))();
                                							__eflags = _t98;
                                							if(_t98 == 0) {
                                								goto L69;
                                							}
                                							goto L25;
                                						}
                                						_t125 = _t98 - 1;
                                						if(_t125 == 0) {
                                							_t126 = L01293699(0);
                                							 *0x13d97bc =  *0x13d97bc & 0x00000000;
                                							_v28 = _t126;
                                							_t194 = E012BA6CD(_t193);
                                							__eflags = _t194;
                                							if(_t194 == 0) {
                                								L47:
                                								_t194 = E012BA6B2(_t193);
                                								__eflags = _t194;
                                								if(_t194 == 0) {
                                									L50:
                                									_t129 = E012BA661(_t148, _t193, _t190);
                                									__eflags = _t129;
                                									if(_t129 != 0) {
                                										__eflags = _t148;
                                										_t54 = _t148 == 0;
                                										__eflags = _t54;
                                										SendMessageW( *(_t129 + 0x20), 0x100, (0 | _t54) + (0 | _t54) + 0x25, 0);
                                									}
                                									L52:
                                									_t98 = _v28;
                                									 *0x13d97bc = _v28;
                                									goto L71;
                                								}
                                								_t131 = E012789AE(_t194, 0x13d1738);
                                								__eflags = _t131;
                                								if(_t131 != 0) {
                                									goto L50;
                                								}
                                								 *((intOrPtr*)( *_t194 + 0x39c))();
                                								goto L52;
                                							}
                                							_t134 =  *(_t194 + 0x20);
                                							__eflags = _t134 - 0xffffffff;
                                							if(_t134 == 0xffffffff) {
                                								L43:
                                								_t136 =  *((intOrPtr*)( *_t194 + 0xc8))(0);
                                								__eflags = _t136;
                                								if(_t136 == 0) {
                                									goto L47;
                                								}
                                								__eflags =  *(_t194 + 0x8c);
                                								if( *(_t194 + 0x8c) != 0) {
                                									_t137 = E012BA6CD(_t193);
                                									__eflags = _t137 - _t194;
                                									if(_t137 == _t194) {
                                										E012BE36D( *(_t194 + 0x8c), _t190, 0x24, 0, 0);
                                									}
                                								}
                                								goto L52;
                                							}
                                							__eflags = _t134;
                                							if(_t134 == 0) {
                                								goto L43;
                                							}
                                							_t140 =  *((intOrPtr*)( *_t194 + 0xdc))();
                                							__eflags = _t140;
                                							if(_t140 == 0) {
                                								goto L47;
                                							}
                                							goto L43;
                                						}
                                						if(_t125 == 1) {
                                							_t98 = GetAsyncKeyState(0x11);
                                							__eflags = 0x00008000 & _t98;
                                							if((0x00008000 & _t98) == 0) {
                                								goto L17;
                                							}
                                							__eflags =  *(_t194 + 0xcf0);
                                							if(__eflags != 0) {
                                								goto L17;
                                							}
                                							_t98 = E012BE22F(_t193, _t190, __eflags);
                                							goto L71;
                                						}
                                						L6:
                                						_t98 =  *((intOrPtr*)( *_t194 + 0x3fc))(_t151);
                                						_t201 = _t98;
                                						if(_t98 == 0) {
                                							_t98 = E01282C5F(_t148, _t193, _t193, _t201);
                                						}
                                						goto L71;
                                					}
                                					if(__eflags == 0) {
                                						_t98 = E012BA6B2(_t193);
                                						__eflags = _t98;
                                						if(_t98 == 0) {
                                							_t186 =  *(_t193 + 0x148);
                                							__eflags = _t186;
                                							if(_t186 == 0) {
                                								goto L71;
                                							}
                                							_t98 =  *((intOrPtr*)( *_t186 + 0x70))();
                                							__eflags = _t98;
                                							if(_t98 == 0) {
                                								goto L71;
                                							}
                                							_push(0);
                                							L35:
                                							_t98 = L012BBBA8(_t193, _t190);
                                							goto L71;
                                						}
                                						_t190 =  *_t98;
                                						_t98 =  *((intOrPtr*)( *_t98 + 0x398))();
                                						goto L71;
                                					}
                                					__eflags = _t151 - 0xd;
                                					if(_t151 == 0xd) {
                                						goto L18;
                                					}
                                					__eflags = _t151 - 0x1b;
                                					if(_t151 == 0x1b) {
                                						 *((intOrPtr*)(_t193 + 0x10b4)) = 1;
                                						_push(1);
                                						goto L35;
                                					}
                                					__eflags = _t151 - 0x20;
                                					if(__eflags <= 0) {
                                						goto L6;
                                					}
                                					__eflags = _t151 - 0x22;
                                					if(_t151 <= 0x22) {
                                						__eflags =  *(_t193 + 0xef4);
                                						if(__eflags == 0) {
                                							goto L6;
                                						}
                                						_t98 =  *((intOrPtr*)( *_t194 + 0x3fc))(_t151);
                                						goto L21;
                                					}
                                					__eflags = _t151 - 0x24;
                                					if(__eflags > 0) {
                                						goto L6;
                                					}
                                					goto L17;
                                				}
                                				if(_a4 != _t98) {
                                					__eflags = _a4 - 0x27;
                                					if(_a4 == 0x27) {
                                						_a4 = _t98;
                                					}
                                					goto L10;
                                				} else {
                                					_a4 = 0x27;
                                					goto L3;
                                				}
                                			}



































                                0x012be62a
                                0x012be62d
                                0x00000000
                                0x012be62d
                                0x012be5ee
                                0x012be5f3
                                0x012be5f5
                                0x00000000
                                0x00000000
                                0x012be5fb
                                0x00000000
                                0x012be5fb
                                0x012be589
                                0x012be58c
                                0x012be58f
                                0x012be5a3
                                0x012be5a9
                                0x012be5af
                                0x012be5b1
                                0x00000000
                                0x00000000
                                0x012be5b3
                                0x012be5ba
                                0x012be5be
                                0x012be5c3
                                0x012be5c5
                                0x012be5d3
                                0x012be5d3
                                0x012be5c5
                                0x00000000
                                0x012be5ba
                                0x012be591
                                0x012be593
                                0x00000000
                                0x00000000
                                0x012be599
                                0x012be59f
                                0x012be5a1
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012be5a1
                                0x012be3c4
                                0x012be53e
                                0x012be549
                                0x012be54c
                                0x00000000
                                0x00000000
                                0x012be552
                                0x012be559
                                0x00000000
                                0x00000000
                                0x012be561
                                0x00000000
                                0x012be561
                                0x012be3ca
                                0x012be3cf
                                0x012be3d5
                                0x012be3d7
                                0x012be3df
                                0x012be3df
                                0x00000000
                                0x012be3d7
                                0x012be3f9
                                0x012be4fb
                                0x012be500
                                0x012be502
                                0x012be513
                                0x012be519
                                0x012be51b
                                0x00000000
                                0x00000000
                                0x012be523
                                0x012be526
                                0x012be528
                                0x00000000
                                0x00000000
                                0x012be52e
                                0x012be530
                                0x012be532
                                0x00000000
                                0x012be532
                                0x012be504
                                0x012be508
                                0x00000000
                                0x012be508
                                0x012be3ff
                                0x012be402
                                0x00000000
                                0x00000000
                                0x012be404
                                0x012be407
                                0x012be4f0
                                0x012be4f6
                                0x00000000
                                0x012be4f6
                                0x012be40d
                                0x012be410
                                0x00000000
                                0x00000000
                                0x012be412
                                0x012be415
                                0x012be4d0
                                0x012be4d7
                                0x00000000
                                0x00000000
                                0x012be4e2
                                0x00000000
                                0x012be4e2
                                0x012be41b
                                0x012be41e
                                0x00000000
                                0x00000000
                                0x00000000
                                0x012be41e
                                0x012be3a9
                                0x012be3e9
                                0x012be3ed
                                0x012be3ef
                                0x012be3ef
                                0x00000000
                                0x012be3ab
                                0x012be3ab
                                0x00000000
                                0x012be3ab

                                APIs
                                  • Part of subcall function 01286862: GetWindowLongW.USER32(?,000000EC), ref: 0128686D
                                • GetClientRect.USER32 ref: 012BE498
                                • SetScrollPos.USER32(?,00000002,00000000,00000001), ref: 012BE6DD
                                  • Part of subcall function 012BBBA8: SendMessageW.USER32(?,00000010,00000000,00000000), ref: 012BBC2E
                                • GetAsyncKeyState.USER32 ref: 012BE53E
                                  • Part of subcall function 012BE22F: IsWindow.USER32(?), ref: 012BE2FF
                                  • Part of subcall function 012BE22F: InvalidateRect.USER32(?,00000054,00000001), ref: 012BE315
                                  • Part of subcall function 012BE22F: UpdateWindow.USER32 ref: 012BE321
                                • SendMessageW.USER32(?,00000100,?,00000000), ref: 012BE624
                                  • Part of subcall function 012BC93E: GetClientRect.USER32 ref: 012BC974
                                  • Part of subcall function 012BC93E: InflateRect.USER32(?,00000000,00000000), ref: 012BC9A3
                                  • Part of subcall function 012BC93E: SetRectEmpty.USER32 ref: 012BCA41
                                  • Part of subcall function 012BC93E: SetRectEmpty.USER32 ref: 012BCA4A
                                  • Part of subcall function 012BC93E: GetSystemMetrics.USER32 ref: 012BCA6B
                                  • Part of subcall function 012BC93E: KillTimer.USER32 ref: 012BCB05
                                  • Part of subcall function 012BC93E: EqualRect.USER32 ref: 012BCB27
                                  • Part of subcall function 012BC93E: EqualRect.USER32 ref: 012BCB38
                                  • Part of subcall function 012BC93E: EqualRect.USER32 ref: 012BCB89
                                  • Part of subcall function 012BC93E: InvalidateRect.USER32(?,?,00000001), ref: 012BCBA2
                                  • Part of subcall function 012BC93E: InvalidateRect.USER32(?,?,00000001), ref: 012BCBAA
                                  • Part of subcall function 012BC93E: EqualRect.USER32 ref: 012BCBBE
                                  • Part of subcall function 012BC93E: InvalidateRect.USER32(?,?,00000001), ref: 012BCBD1
                                  • Part of subcall function 012BC93E: InvalidateRect.USER32(?,?,00000001), ref: 012BCBD9
                                  • Part of subcall function 012BC93E: UpdateWindow.USER32 ref: 012BCBEC
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01293D66: PtInRect.USER32(?,?,?), ref: 01293DB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Invalidate$EqualWindow$ClientEmptyExceptionFilterMessageProcessSendUnhandledUpdate$AsyncCurrentDebuggerInflateKillLongMetricsPresentScrollStateSystemTerminateTimer
                                • String ID: '
                                • API String ID: 1023739657-1997036262
                                • Opcode ID: a2da5ae7f348ee984f2ce21f8752db5f783dcbc55c8ef9b06c05a11d20fde110
                                • Instruction ID: 9d5cf5467d3be3fb23b973d27b60326b678db512dd8055483218dc743911ce15
                                • Opcode Fuzzy Hash: a2da5ae7f348ee984f2ce21f8752db5f783dcbc55c8ef9b06c05a11d20fde110
                                • Instruction Fuzzy Hash: 52B16E30720607CFDB299F68C4E8BFD7BE2AF44385F154129E646DB291EB749941CB81
                                Uniqueness

                                Uniqueness Score: 1.97%

                                C-Code - Quality: 94%
                                			E012862B1(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
                                				intOrPtr _v8;
                                				signed int _v12;
                                				signed int _v16;
                                				char* _v20;
                                				signed int _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v40;
                                				intOrPtr _v52;
                                				signed int _v56;
                                				void* __ebp;
                                				intOrPtr _t127;
                                				void* _t133;
                                				intOrPtr _t135;
                                				signed int _t145;
                                				signed int _t146;
                                				signed int _t178;
                                				signed int _t180;
                                				signed int _t182;
                                				signed int _t184;
                                				signed int _t186;
                                				signed int _t190;
                                				void* _t193;
                                				intOrPtr _t194;
                                				signed int _t204;
                                
                                				_t193 = __ecx;
                                				_t127 = E012792EF(__ebx, __edi, __esi, __eflags);
                                				_v8 = _t127;
                                				_t3 =  &_a4;
                                				 *_t3 = _a4 &  !( *(_t127 + 0x18));
                                				if( *_t3 == 0) {
                                					return 1;
                                				}
                                				_push(__ebx);
                                				_push(__esi);
                                				_push(__edi);
                                				_t204 = 0;
                                				L01367D50( &_v56, 0, 0x28);
                                				_v52 = DefWindowProcW;
                                				_t133 = E012792EF(__ebx, 0, 0, __eflags);
                                				__eflags = _a4 & 0x00000001;
                                				_v40 =  *((intOrPtr*)(_t133 + 8));
                                				_t135 =  *0x13d8278; // 0x10003
                                				_t190 = 8;
                                				_v32 = _t135;
                                				_v16 = _t190;
                                				if(__eflags != 0) {
                                					_push( &_v56);
                                					_v56 = 0xb;
                                					_v20 = L"AfxWnd100su";
                                					_t186 = L01285F4B(_t190, _t193, 0, 0, __eflags);
                                					__eflags = _t186;
                                					if(_t186 != 0) {
                                						_t204 = 1;
                                						__eflags = 1;
                                					}
                                				}
                                				__eflags = _a4 & 0x00000020;
                                				if(__eflags != 0) {
                                					_v56 = _v56 | 0x0000008b;
                                					_push( &_v56);
                                					_v20 = L"AfxOleControl100su";
                                					_t184 = L01285F4B(_t190, _t193, 0, _t204, __eflags);
                                					__eflags = _t184;
                                					if(_t184 != 0) {
                                						_t204 = _t204 | 0x00000020;
                                						__eflags = _t204;
                                					}
                                				}
                                				__eflags = _a4 & 0x00000002;
                                				if(__eflags != 0) {
                                					_push( &_v56);
                                					_v56 = 0;
                                					_v20 = L"AfxControlBar100su";
                                					_v28 = 0x10;
                                					_t182 = L01285F4B(_t190, _t193, 0, _t204, __eflags);
                                					__eflags = _t182;
                                					if(_t182 != 0) {
                                						_t204 = _t204 | 0x00000002;
                                						__eflags = _t204;
                                					}
                                				}
                                				__eflags = _a4 & 0x00000004;
                                				if(__eflags != 0) {
                                					_v56 = _t190;
                                					_v28 = 0;
                                					_t180 = E0128626D(_t193, __eflags,  &_v56, L"AfxMDIFrame100su", 0x7a01);
                                					__eflags = _t180;
                                					if(_t180 != 0) {
                                						_t204 = _t204 | 0x00000004;
                                						__eflags = _t204;
                                					}
                                				}
                                				__eflags = _a4 & _t190;
                                				if(__eflags != 0) {
                                					_v56 = 0xb;
                                					_v28 = 6;
                                					_t178 = E0128626D(_t193, __eflags,  &_v56, L"AfxFrameOrView100su", 0x7a02);
                                					__eflags = _t178;
                                					if(_t178 != 0) {
                                						_t204 = _t204 | _t190;
                                						__eflags = _t204;
                                					}
                                				}
                                				__eflags = _a4 & 0x00000010;
                                				if(__eflags != 0) {
                                					_v12 = 0xff;
                                					_t204 = _t204 | L0128381B(_t190, _t193, _t204, __eflags,  &_v16, 0x3fc0);
                                					_t48 =  &_a4;
                                					 *_t48 = _a4 & 0xffffc03f;
                                					__eflags =  *_t48;
                                				}
                                				__eflags = _a4 & 0x00000040;
                                				if(__eflags != 0) {
                                					_v12 = 0x10;
                                					_t204 = _t204 | L0128381B(_t190, _t193, _t204, __eflags,  &_v16, 0x40);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00000080;
                                				if(__eflags != 0) {
                                					_v12 = 2;
                                					_t204 = _t204 | L0128381B(_t190, _t193, _t204, __eflags,  &_v16, 0x80);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00000100;
                                				if(__eflags != 0) {
                                					_v12 = _t190;
                                					_t204 = _t204 | L0128381B(_t190, _t193, _t204, __eflags,  &_v16, 0x100);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00000200;
                                				if(__eflags != 0) {
                                					_v12 = 0x20;
                                					_t204 = _t204 | L0128381B(_t190, _t193, _t204, __eflags,  &_v16, 0x200);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00000400;
                                				if(__eflags != 0) {
                                					_v12 = 1;
                                					_t204 = _t204 | L0128381B(0x400, _t193, _t204, __eflags,  &_v16, 0x400);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00000800;
                                				if(__eflags != 0) {
                                					_v12 = 0x40;
                                					_t204 = _t204 | L0128381B(0x400, _t193, _t204, __eflags,  &_v16, 0x800);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00001000;
                                				if(__eflags != 0) {
                                					_v12 = 4;
                                					_t204 = _t204 | L0128381B(0x400, _t193, _t204, __eflags,  &_v16, 0x1000);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00002000;
                                				if(__eflags != 0) {
                                					_v12 = 0x80;
                                					_t204 = _t204 | L0128381B(0x400, _t193, _t204, __eflags,  &_v16, 0x2000);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00004000;
                                				if(__eflags != 0) {
                                					_v12 = 0x800;
                                					_t204 = _t204 | L0128381B(0x400, _t193, _t204, __eflags,  &_v16, 0x4000);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00008000;
                                				if(__eflags != 0) {
                                					_v12 = 0x400;
                                					_t204 = _t204 | L0128381B(0x400, _t193, _t204, __eflags,  &_v16, 0x8000);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00010000;
                                				if(__eflags != 0) {
                                					_v12 = 0x200;
                                					_t204 = _t204 | L0128381B(0x400, _t193, _t204, __eflags,  &_v16, 0x10000);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00020000;
                                				if(__eflags != 0) {
                                					_v12 = 0x100;
                                					_t204 = _t204 | L0128381B(0x400, _t193, _t204, __eflags,  &_v16, 0x20000);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00040000;
                                				if(__eflags != 0) {
                                					_v12 = 0x8000;
                                					_t204 = _t204 | L0128381B(0x400, _t193, _t204, __eflags,  &_v16, 0x40000);
                                					__eflags = _t204;
                                				}
                                				__eflags = _a4 & 0x00080000;
                                				if(__eflags != 0) {
                                					_v12 = 0x1000;
                                					_t204 = _t204 | L0128381B(0x400, _t193, _t204, __eflags,  &_v16, 0x80000);
                                					__eflags = _t204;
                                				}
                                				_t194 = _v8;
                                				 *(_t194 + 0x18) =  *(_t194 + 0x18) | _t204;
                                				_t145 =  *(_t194 + 0x18);
                                				__eflags = (_t145 & 0x00003fc0) - 0x3fc0;
                                				if((_t145 & 0x00003fc0) == 0x3fc0) {
                                					_t145 = _t145 | 0x00000010;
                                					 *(_t194 + 0x18) = _t145;
                                					__eflags = _t204;
                                				}
                                				asm("sbb eax, eax");
                                				_t146 = _t145 + 1;
                                				__eflags = _t146;
                                				return _t146;
                                			}




























                                APIs
                                • _memset.LIBCMT ref: 012862E1
                                  • Part of subcall function 0128626D: LoadIconW.USER32 ref: 01286291
                                  • Part of subcall function 0128626D: LoadIconW.USER32 ref: 012862A0
                                  • Part of subcall function 01285F4B: __EH_prolog3_catch.LIBCMT ref: 01285F52
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: IconLoad$H_prolog3_catch_memset
                                • String ID: @$@$AfxFrameOrView100su$AfxMDIFrame100su
                                • API String ID: 1127005088-2639805938
                                • Opcode ID: 012acfd537e3fee8bd08362edda7928bfdd0d27c47f10c15472e726e89c99f21
                                • Instruction ID: 4051a9460a82f15545e45f8dd57ba78c3038abcf2bbce7eddd68a729fda3acb8
                                • Opcode Fuzzy Hash: 012acfd537e3fee8bd08362edda7928bfdd0d27c47f10c15472e726e89c99f21
                                • Instruction Fuzzy Hash: 5E913271C1221AAEEB51EFA8C484BDEBFFCAF14744F158165EA08F61C1E7748644CBA0
                                Uniqueness

                                Uniqueness Score: 16.53%

                                C-Code - Quality: 100%
                                			E0133E8D3(void** __ecx, WCHAR* _a4, short _a8) {
                                				signed int _v8;
                                				signed int* _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				intOrPtr _v24;
                                				signed int _t56;
                                				void* _t57;
                                				intOrPtr _t58;
                                				short* _t59;
                                				signed int _t61;
                                				signed int* _t73;
                                				short* _t75;
                                				void* _t82;
                                				signed int* _t89;
                                				signed int _t90;
                                				void* _t91;
                                				void** _t92;
                                				intOrPtr _t94;
                                				signed int _t97;
                                				void* _t99;
                                
                                				_t92 = __ecx;
                                				if(__ecx[1] != 0) {
                                					_t73 = GlobalLock( *__ecx);
                                					_v12 = _t73;
                                					_v8 = 0 | _t73[0] == 0x0000ffff;
                                					_v20 = E0133E71D(_t73);
                                					_t94 = (0 | _v8 != 0x00000000) + (0 | _v8 != 0x00000000) + 1 + (0 | _v8 != 0x00000000) + (0 | _v8 != 0x00000000) + 1;
                                					_v24 = _t94;
                                					if(_v8 == 0) {
                                						 *_t73 =  *_t73 | 0x00000040;
                                					} else {
                                						_t73[3] = _t73[3] | 0x00000040;
                                					}
                                					_t56 = lstrlenW(_a4);
                                					if(_t56 >= 0x20) {
                                						L15:
                                						_t57 = 0;
                                						goto L18;
                                					} else {
                                						_t20 = _t56 * 2; // 0x754d4eba
                                						_t58 = _t94 + _t20 + 2;
                                						_v16 = _t58;
                                						if(_t58 < _t94) {
                                							goto L15;
                                						}
                                						_t59 = E0133E750(_t73);
                                						_t82 = 0;
                                						_t75 = _t59;
                                						if(_v20 != 0) {
                                							_t26 = L01369A59(_t75 + _t94) * 2; // 0x754d4eba
                                							_t82 = _t94 + _t26 + 2;
                                						}
                                						_t30 = _v16 + 3; // 0x3
                                						_t89 = _v12;
                                						_t33 = _t75 + 3; // 0x754d4ebd
                                						_t61 = _t82 + _t33 & 0xfffffffc;
                                						_t97 = _t75 + _t30 & 0xfffffffc;
                                						_v20 = _t61;
                                						if(_v8 == 0) {
                                							_t90 =  *(_t89 + 8) & 0x0000ffff;
                                						} else {
                                							_t90 =  *(_t89 + 0x10) & 0x0000ffff;
                                						}
                                						if(_v16 == _t82 || _t90 == 0) {
                                							L17:
                                							 *_t75 = _a8;
                                							L0127DE03(_t75 + _v24, _v16 - _v24, _a4, _v16 - _v24);
                                							_t92[1] = _t92[1] + _t97 - _v20;
                                							GlobalUnlock( *_t92);
                                							_t92[2] = _t92[2] & 0x00000000;
                                							_t57 = 1;
                                							L18:
                                							return _t57;
                                						} else {
                                							_t91 = _t92[1];
                                							_t86 = _t91 - _t61 + _v12;
                                							if(_t91 - _t61 + _v12 <= _t91) {
                                								L0127DE03(_t97, _t86, _t61, _t86);
                                								_t99 = _t99 + 0x10;
                                								goto L17;
                                							}
                                							goto L15;
                                						}
                                					}
                                				}
                                				return 0;
                                			}

                                APIs
                                • GlobalLock.KERNEL32 ref: 0133E8EF
                                • lstrlenW.KERNEL32(?), ref: 0133E939
                                • _wcslen.LIBCMT ref: 0133E963
                                  • Part of subcall function 0127DE03: _memmove_s.LIBCMT ref: 0127DE14
                                • GlobalUnlock.KERNEL32(?), ref: 0133E9E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Global$LockUnlock_memmove_s_wcslenlstrlen
                                • String ID: System
                                • API String ID: 1539522659-3470857405
                                • Opcode ID: 4ae936936f3ad110907b9e13fac63e60f9e41d21a2daf9d884767b7bb210f404
                                • Instruction ID: a90d9fc11479ae4dfbb1857f591e5214951b59af8569efe71f3abd68da58f188
                                • Opcode Fuzzy Hash: 4ae936936f3ad110907b9e13fac63e60f9e41d21a2daf9d884767b7bb210f404
                                • Instruction Fuzzy Hash: 0641E87190021AEFDF14DF68C8446BEBBB9FF44318F14867AD812E7285D7349A41CB94
                                Uniqueness

                                Uniqueness Score: 7.75%

                                C-Code - Quality: 92%
                                			E012A424A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				struct tagRECT _t41;
                                				intOrPtr _t45;
                                				intOrPtr _t57;
                                				void* _t59;
                                				int _t63;
                                				intOrPtr _t72;
                                				intOrPtr* _t79;
                                				void* _t80;
                                				void* _t83;
                                				void* _t84;
                                
                                				_t75 = __edx;
                                				_t61 = __ebx;
                                				_push(0x24);
                                				L0136966A(0x13811ee, __ebx, __edi, __esi);
                                				_t79 =  *((intOrPtr*)(_t80 + 8));
                                				asm("cdq");
                                				_t63 =  *((intOrPtr*)(_t80 + 0x10)) +  *((intOrPtr*)(_t80 + 0x18)) - __edx >> 1;
                                				asm("cdq");
                                				_t41 =  *((intOrPtr*)(_t80 + 0x14)) +  *((intOrPtr*)(_t80 + 0xc)) - __edx >> 1;
                                				 *(_t80 - 0x20) = _t41;
                                				 *(_t80 - 0x18) = _t41 + 1;
                                				 *(_t80 - 0x1c) = _t63;
                                				 *(_t80 - 0x14) = _t63 + 1;
                                				InflateRect(_t80 - 0x20, 5, 5);
                                				_t77 = 0;
                                				if( *0x13d6594 <= 8) {
                                					L7:
                                					_t45 =  *0x13d6418; // 0x6d6d6d
                                					__eflags =  *((intOrPtr*)(_t80 + 0x1c)) - _t77;
                                					if(__eflags == 0) {
                                						_t45 = 0x7f00;
                                					}
                                					E0127A3A8(_t61, _t80 - 0x28, _t75, _t77, _t79, __eflags);
                                					 *(_t80 - 4) = _t77;
                                					_t77 = E0127A1AA(_t79, _t80 - 0x28);
                                					_t61 =  *((intOrPtr*)( *_t79 + 0x24))(8, _t45);
                                					Ellipse( *(_t79 + 4),  *(_t80 - 0x20),  *(_t80 - 0x1c),  *(_t80 - 0x18),  *(_t80 - 0x14));
                                					E0127A1AA(_t79, _t48);
                                					E0127A1AA(_t79, _t50);
                                					_t29 = _t80 - 4;
                                					 *_t29 =  *(_t80 - 4) | 0xffffffff;
                                					__eflags =  *_t29;
                                					 *((intOrPtr*)(_t80 - 0x28)) = 0x138f578;
                                					E0127A27E(_t50, _t80 - 0x28, _t48, _t79,  *_t29);
                                				} else {
                                					_t83 =  *0x13d6570 - _t77; // 0x0
                                					if(_t83 != 0) {
                                						goto L7;
                                					} else {
                                						_t84 =  *0x13d656c - _t77; // 0x0
                                						if(_t84 != 0) {
                                							goto L7;
                                						} else {
                                							E012FC185(_t80 - 0x30, _t79);
                                							_t72 =  *0x13d6400; // 0xa0a0a0
                                							 *(_t80 - 4) = 1;
                                							_t85 =  *((intOrPtr*)(_t80 + 0x1c));
                                							if( *((intOrPtr*)(_t80 + 0x1c)) != 0) {
                                								_t57 =  *0x13d6418; // 0x6d6d6d
                                							} else {
                                								_t72 = 0x2c7547;
                                								_t57 = 0x80d0a0;
                                							}
                                							_t59 = E012FE7BD(_t61, _t80 - 0x30, _t75, _t77, _t79, _t85, _t80 - 0x20, _t57, _t72);
                                							 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
                                							L012FC19C(_t59, _t80 - 0x30);
                                						}
                                					}
                                				}
                                				return L013696ED(_t61, _t77, _t79);
                                			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012A4251
                                • InflateRect.USER32(?,00000005,00000005), ref: 012A4287
                                  • Part of subcall function 012FE7BD: __EH_prolog3.LIBCMT ref: 012FE7C7
                                  • Part of subcall function 012FE7BD: CreateCompatibleDC.GDI32(?), ref: 012FE842
                                  • Part of subcall function 012FE7BD: CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 012FE879
                                  • Part of subcall function 012FE7BD: SelectObject.GDI32(?,00000000), ref: 012FE8E3
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FE9F6
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEA0B
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEA6B
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEA80
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEB2F
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEB44
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEBA0
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FECE1
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEE31
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEE46
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEEAE
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEFE9
                                  • Part of subcall function 012FE7BD: DeleteObject.GDI32(?), ref: 012FF176
                                  • Part of subcall function 0127A3A8: __EH_prolog3.LIBCMT ref: 0127A3AF
                                  • Part of subcall function 0127A3A8: CreateSolidBrush.GDI32(?), ref: 0127A3CA
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,00000000), ref: 0127A1D0
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,?), ref: 0127A1E6
                                • Ellipse.GDI32(?,?,?,?,?), ref: 012A4332
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: __floor_pentium4$Object$CreateSelect$CompatibleH_prolog3$BitmapBrushDeleteEllipseH_prolog3_H_prolog3_catch_InflateRectSolid
                                • String ID: Gu,$mmm
                                • API String ID: 2979496167-3474039531
                                • Opcode ID: 8cce44b10056006bd3b2bf6101ab98388cf6d4c0f88eccb410724d05cfb78d81
                                • Instruction ID: 530ceeebcce60dac18b8d0f749a23c985a1bd0f7ab796c0d77de4ba7876fe0d2
                                • Opcode Fuzzy Hash: 8cce44b10056006bd3b2bf6101ab98388cf6d4c0f88eccb410724d05cfb78d81
                                • Instruction Fuzzy Hash: E531807091020ADFDF15EFA8DC41AEE77B9FF58320F44412AE512A7284DB70AA15CF64
                                Uniqueness

                                Uniqueness Score: 7.75%

                                C-Code - Quality: 95%
                                			E012C011F(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                                				signed int _v8;
                                				int _v20;
                                				void _v24;
                                				struct tagRECT _v40;
                                				intOrPtr _v60;
                                				intOrPtr _v64;
                                				char _v68;
                                				struct tagRECT _v84;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t21;
                                				struct HWND__* _t26;
                                				void* _t45;
                                				void* _t46;
                                				intOrPtr* _t47;
                                				void* _t48;
                                				signed int _t49;
                                
                                				_t45 = __edx;
                                				_t36 = __ebx;
                                				_t21 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t21 ^ _t49;
                                				_t48 = __ecx;
                                				_t47 = E012789CC(0x139d2fc,  *((intOrPtr*)(E012792EF(__ebx, _t46, __ecx, __eflags) + 4)));
                                				if(_t47 == 0) {
                                					L8:
                                					return L01367D3E(_t24, _t36, _v8 ^ _t49, _t45, _t47, _t48);
                                				}
                                				_t26 =  *(_t48 + 0xb0);
                                				if(_t26 != 0) {
                                					_t26 =  *(_t26 + 0x20);
                                				}
                                				if(IsWindow(_t26) != 0) {
                                					_v68 = 0x2c;
                                					if(E01280BBB( *(_t48 + 0xb0),  &_v68) != 0) {
                                						if(_v60 != 3) {
                                							_v60 = 1;
                                						}
                                						SystemParametersInfoW(0x30, 0,  &_v24, 0);
                                						OffsetRect( &_v40, _v24, _v20);
                                						CopyRect( &_v84,  &_v40);
                                						_t24 =  *((intOrPtr*)( *_t47 + 0x144))( &_v84, _v64, _v60);
                                					}
                                				}
                                				goto L8;
                                			}

                                APIs
                                • IsWindow.USER32(?), ref: 012C0161
                                  • Part of subcall function 01280BBB: GetWindowPlacement.USER32(?,?), ref: 01280BCD
                                • SystemParametersInfoW.USER32 ref: 012C019C
                                • OffsetRect.USER32 ref: 012C01AC
                                • CopyRect.USER32(?,?), ref: 012C01BA
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterProcessRectUnhandledWindow$CopyCurrentDebuggerInfoOffsetParametersPlacementPresentSystemTerminate
                                • String ID: ,
                                • API String ID: 683549430-3772416878
                                • Opcode ID: ea0d477d59ebb2420fb844c418723f786774a8e0f5cd3c59c3e6ef94d7cd8e3d
                                • Instruction ID: b2a9fe7d0c7177c3724bb1a5f51cf29edcd3ba28b34b3cedbef11ebde503669b
                                • Opcode Fuzzy Hash: ea0d477d59ebb2420fb844c418723f786774a8e0f5cd3c59c3e6ef94d7cd8e3d
                                • Instruction Fuzzy Hash: B921297191020AEBDF15DBE9D848AEEBBB9FB48714F140559F601A7180DB70A900CB65
                                Uniqueness

                                Uniqueness Score: 2.71%

                                C-Code - Quality: 100%
                                			E012B43B4(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
                                				void* __edi;
                                				struct HWND__* _t10;
                                				struct HWND__* _t12;
                                				struct HWND__* _t14;
                                				struct HWND__* _t15;
                                				int _t19;
                                				void* _t21;
                                				void* _t25;
                                				struct HWND__** _t26;
                                				void* _t27;
                                
                                				_t25 = __edx;
                                				_t21 = __ebx;
                                				_t26 = _a4;
                                				_t27 = __ecx;
                                				if(E01280B27(__ecx, __eflags, _t26) == 0) {
                                					_t10 = L01283CE7(__ecx);
                                					__eflags = _t10;
                                					if(_t10 == 0) {
                                						L5:
                                						__eflags = _t26[1] - 0x100;
                                						if(_t26[1] != 0x100) {
                                							L13:
                                							return L01281A9E(_t26);
                                						}
                                						_t12 = _t26[2];
                                						__eflags = _t12 - 0x1b;
                                						if(_t12 == 0x1b) {
                                							L8:
                                							__eflags = GetWindowLongW( *_t26, 0xfffffff0) & 0x00000004;
                                							if(__eflags == 0) {
                                								goto L13;
                                							}
                                							_t14 = E0127ABCE(_t21, _t25, _t26, __eflags,  *_t26, L"Edit");
                                							__eflags = _t14;
                                							if(_t14 == 0) {
                                								goto L13;
                                							}
                                							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
                                							__eflags = _t15;
                                							if(_t15 == 0) {
                                								L12:
                                								SendMessageW( *(_t27 + 0x20), 0x111, 2, 0);
                                								goto L1;
                                							}
                                							_t19 = IsWindowEnabled(_t15);
                                							__eflags = _t19;
                                							if(_t19 == 0) {
                                								goto L13;
                                							}
                                							goto L12;
                                						}
                                						__eflags = _t12 - 3;
                                						if(_t12 != 3) {
                                							goto L13;
                                						}
                                						goto L8;
                                					}
                                					__eflags =  *(_t10 + 0x88);
                                					if( *(_t10 + 0x88) == 0) {
                                						goto L5;
                                					}
                                					return 0;
                                				}
                                				L1:
                                				return 1;
                                			}

                                APIs
                                • GetWindowLongW.USER32(?,000000F0), ref: 012B4404
                                  • Part of subcall function 0127ABCE: GetClassNameW.USER32(?,?,00000020), ref: 0127ABEE
                                • GetDlgItem.USER32(?,00000002), ref: 012B4423
                                • IsWindowEnabled.USER32 ref: 012B442E
                                • SendMessageW.USER32(?,00000111,00000002,00000000), ref: 012B4444
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$ClassEnabledItemLongMessageNameSend
                                • String ID: Edit
                                • API String ID: 4123737207-554135844
                                • Opcode ID: b65a2e9fbf2e7afdc1da73889ad97fd2c75188b0fbf3665b498d7d1a5137ba60
                                • Instruction ID: 88a516becba8c95493a7096ede7b296caf64efb6d0a18451af15a701c906e3ab
                                • Opcode Fuzzy Hash: b65a2e9fbf2e7afdc1da73889ad97fd2c75188b0fbf3665b498d7d1a5137ba60
                                • Instruction Fuzzy Hash: BD11C630371243A7EA303B298CC8BEABAA9EF51B95F184524F317D2092DF64D420C660
                                Uniqueness

                                Uniqueness Score: 0.24%

                                C-Code - Quality: 73%
                                			E0128E7B8(void* __ebx, void* __ecx, void* __fp0, unsigned int _a8) {
                                				void* _v8;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				struct HINSTANCE__* _t11;
                                				void* _t12;
                                				void* _t13;
                                				void* _t21;
                                				void* _t27;
                                				unsigned int _t33;
                                
                                				_push(__ecx);
                                				_t29 = __ecx;
                                				_t35 =  *((intOrPtr*)(__ecx + 0x74));
                                				if( *((intOrPtr*)(__ecx + 0x74)) != 0) {
                                					_push(__ebx);
                                					_t21 = _a8 & 0x0000ffff;
                                					_t33 = _a8 >> 0x10;
                                					_a8 = _t21;
                                					_t11 = GetModuleHandleW(L"DWMAPI");
                                					__eflags = _t11;
                                					if(__eflags != 0) {
                                						_t13 = GetProcAddress(_t11, "DwmSetIconicThumbnail");
                                						_v8 = _t13;
                                						__eflags = _t13;
                                						if(__eflags != 0) {
                                							_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t29 + 0x74)))) + 0x1ec))(_t33, _t21);
                                							__eflags = _t21;
                                							if(__eflags == 0) {
                                								_t21 = E0128E4B0(_t21, _t29, _t27, _t29, _t33, __eflags, __fp0, _t33, _a8, 1);
                                							}
                                							_v8( *((intOrPtr*)(_t29 + 0x20)), _t21, 0);
                                							DeleteObject(_t21);
                                						}
                                					}
                                					_t12 = E01282C5F(_t21, _t29, _t29, __eflags);
                                				} else {
                                					_t12 = E01282C5F(__ebx, __ecx, __ecx, _t35);
                                				}
                                				return _t12;
                                			}

                                APIs
                                • GetModuleHandleW.KERNEL32(DWMAPI), ref: 0128E7E2
                                • GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 0128E7F2
                                • DeleteObject.GDI32(00000000), ref: 0128E82C
                                  • Part of subcall function 0128E4B0: __EH_prolog3_GS.LIBCMT ref: 0128E4BA
                                  • Part of subcall function 0128E4B0: GetWindowRect.USER32 ref: 0128E509
                                  • Part of subcall function 0128E4B0: OffsetRect.USER32 ref: 0128E51F
                                  • Part of subcall function 0128E4B0: CreateCompatibleDC.GDI32(?), ref: 0128E590
                                  • Part of subcall function 0128E4B0: SelectObject.GDI32(?,?), ref: 0128E5B0
                                  • Part of subcall function 0128E4B0: SelectObject.GDI32(?,?), ref: 0128E5F2
                                  • Part of subcall function 0128E4B0: CreateCompatibleDC.GDI32(?), ref: 0128E70B
                                  • Part of subcall function 0128E4B0: SelectObject.GDI32(?,?), ref: 0128E72B
                                  • Part of subcall function 0128E4B0: SelectObject.GDI32(?,00000000), ref: 0128E75B
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Object$Select$CompatibleCreateRect$AddressDeleteH_prolog3_HandleModuleOffsetProcWindow
                                • String ID: DWMAPI$DwmSetIconicThumbnail
                                • API String ID: 3997049295-3761315311
                                • Opcode ID: 027e1284a487999621049973eacb323eb763984d1bbf70d324091faf15d09b61
                                • Instruction ID: 6f2cbfb43e00838f5feec83501f60ca7094f05debd28ad360cae3fc466759ff0
                                • Opcode Fuzzy Hash: 027e1284a487999621049973eacb323eb763984d1bbf70d324091faf15d09b61
                                • Instruction Fuzzy Hash: 9801D271321306BFEB107BA98888EAE77ACFF48310F054129FA0197291DBB4D901C7A0
                                Uniqueness

                                Uniqueness Score: 3.53%

                                C-Code - Quality: 74%
                                			E012EE409(signed int __ecx, intOrPtr _a4) {
                                				intOrPtr _v0;
                                				intOrPtr _v4;
                                				signed int _v8;
                                				signed int _v12;
                                				signed int _v16;
                                				struct tagRECT _v32;
                                				intOrPtr _v40;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				signed int _v49;
                                				signed int _v52;
                                				long _v56;
                                				long _v60;
                                				signed int _v64;
                                				signed int _v68;
                                				intOrPtr _v72;
                                				char _v80;
                                				signed int _v92;
                                				intOrPtr _v96;
                                				intOrPtr _v100;
                                				intOrPtr _v104;
                                				intOrPtr _v108;
                                				intOrPtr _v112;
                                				intOrPtr _v116;
                                				intOrPtr _v120;
                                				char _v124;
                                				char _v125;
                                				intOrPtr _v132;
                                				intOrPtr _v136;
                                				intOrPtr _v144;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t171;
                                				long _t173;
                                				signed int _t177;
                                				int _t180;
                                				signed int _t182;
                                				signed int _t184;
                                				signed int _t188;
                                				signed int _t193;
                                				signed int _t195;
                                				signed int _t197;
                                				intOrPtr _t202;
                                				signed int _t207;
                                				intOrPtr _t217;
                                				void* _t218;
                                				signed int _t230;
                                				signed int _t238;
                                				signed int _t246;
                                				signed int _t252;
                                				signed int _t254;
                                				signed int _t255;
                                				signed int _t260;
                                				signed int _t264;
                                				long _t266;
                                				signed int _t267;
                                				long _t276;
                                				long _t279;
                                				void* _t280;
                                				signed int _t282;
                                				void* _t283;
                                				signed int _t284;
                                				void* _t285;
                                				signed int _t287;
                                				signed int _t288;
                                				void* _t289;
                                				signed int _t290;
                                				signed int _t293;
                                				signed int _t294;
                                				signed int _t295;
                                				signed int _t297;
                                				signed int _t298;
                                
                                				_t255 = __ecx;
                                				_t171 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t171 ^ _t293;
                                				_t282 = __ecx;
                                				_t173 =  *(__ecx + 0x28);
                                				_v32.top.left = 0;
                                				if(_t173 == 0) {
                                					L19:
                                					_pop(_t283);
                                					return L01367D3E(_v32.top.left, 0, _v8 ^ _t293, _t279, _t283, _t287);
                                				} else {
                                					_push(_t287);
                                					while(_t173 != 0) {
                                						_t287 =  *(_t173 + 8);
                                						_v32.left =  *_t173;
                                						_t255 = _t287;
                                						if( *((intOrPtr*)( *_t287 + 0x178))() != 0 || _a4 == 0 ||  *((intOrPtr*)(_t282 + 4)) != 0) {
                                							_v32.right.left = 0;
                                							_v32.bottom = 0;
                                							_v16 = 0;
                                							_v12 = 0;
                                							GetWindowRect( *(_t287 + 0x20),  &(_v32.right));
                                							_t255 =  *(_t282 + 0x40);
                                							_t279 = _v16;
                                							_t287 = _t255 & 0x00002000;
                                							if(_t287 != 0 || (_t255 & 0x00008000) != 0) {
                                								_t246 = _v12 - _v32.bottom;
                                							} else {
                                								_t246 = _t279 - _v32.right.left;
                                								__eflags = _t246;
                                							}
                                							if(_v32.top.left <= _t246) {
                                								if(_t287 != 0 || (_t255 & 0x00008000) != 0) {
                                									_v32.top.left = _v12 - _v32.bottom;
                                								} else {
                                									_t279 = _t279 - _v32.right.left;
                                									__eflags = _t279;
                                									_v32.top.left = _t279;
                                								}
                                							}
                                						}
                                						if(_v32.left != 0) {
                                							_t173 = _v32.left;
                                							continue;
                                						} else {
                                							_pop(_t287);
                                							if(_v32.top.left != 0) {
                                								_v32.top.left = _v32.top.left +  *((intOrPtr*)(_t282 + 0x1c));
                                							}
                                							goto L19;
                                						}
                                					}
                                					L01277AC9(_t255);
                                					asm("int3");
                                					_push(_t293);
                                					_t294 = _t297;
                                					_t298 = _t297 - 0x18;
                                					_t177 =  *0x13d3570; // 0x99b5b578
                                					_v52 = _t177 ^ _t294;
                                					_push(0);
                                					_push(_t282);
                                					_t252 = _t255;
                                					_v72 = _v40;
                                					_t180 = L012ED959(_t255, _v40);
                                					_t284 =  *(_t252 + 0x28);
                                					__eflags = _t284;
                                					if(_t284 == 0) {
                                						L31:
                                						_pop(_t285);
                                						__eflags = _v12 ^ _t294;
                                						return L01367D3E(_t180, _t252, _v12 ^ _t294, _t279, _t285, _t287);
                                					} else {
                                						_push(_t287);
                                						while(1) {
                                							_t182 = _t284;
                                							__eflags = _t284;
                                							if(_t284 == 0) {
                                								break;
                                							}
                                							_t287 =  *(_t182 + 8);
                                							_t284 =  *_t284;
                                							_t255 = _t287;
                                							_t180 =  *((intOrPtr*)( *_t287 + 0x178))();
                                							__eflags = _t180;
                                							if(_t180 != 0) {
                                								L25:
                                								_v32.top.left = 0;
                                								_v32.right.left = 0;
                                								_v32.bottom = 0;
                                								_v16 = 0;
                                								GetWindowRect( *(_t287 + 0x20),  &(_v32.top));
                                								__eflags =  *(_t252 + 0x40) & 0x0000a000;
                                								if(( *(_t252 + 0x40) & 0x0000a000) == 0) {
                                									_t238 = _v32.right.left - _v16;
                                									__eflags = _t238;
                                									_push(_t238);
                                									_push(0);
                                								} else {
                                									_push(0);
                                									_push(_v32.top.left - _v32.bottom);
                                								}
                                								_t180 = InflateRect(_v32.left, ??, ??);
                                							} else {
                                								__eflags =  *((intOrPtr*)(_t252 + 4)) - _t180;
                                								if( *((intOrPtr*)(_t252 + 4)) != _t180) {
                                									goto L25;
                                								}
                                							}
                                							__eflags = _t284;
                                							if(_t284 != 0) {
                                								continue;
                                							} else {
                                								_pop(_t287);
                                								goto L31;
                                							}
                                							goto L82;
                                						}
                                						L01277AC9(_t255);
                                						asm("int3");
                                						_t295 = _t298;
                                						_t184 =  *0x13d3570; // 0x99b5b578
                                						_v92 = _t184 ^ _t295;
                                						_t288 = _t255;
                                						_v124 = 0;
                                						_v120 = 0;
                                						_v116 = 0;
                                						_v112 = 0;
                                						_v108 = 0;
                                						_v104 = 0;
                                						_v100 = 0;
                                						_v96 = 0;
                                						_v136 = 0;
                                						_v132 = 0;
                                						L012ED959(_t255,  &_v124);
                                						_v125 = 1;
                                						_t188 = E0128C2A4(0, _t284, _t288, __eflags);
                                						_t280 =  *_t188;
                                						_t260 = _t188;
                                						_v144 =  *((intOrPtr*)(_t280 + 0x1a8))(_t287, _t252, _t294);
                                						_t190 =  *(_t288 + 0x28);
                                						__eflags = _t190;
                                						if(_t190 != 0) {
                                							_push(_t284);
                                							while(1) {
                                								__eflags = _t190;
                                								if(_t190 == 0) {
                                									break;
                                								}
                                								_t284 =  *(_t190 + 8);
                                								_v64 =  *_t190;
                                								_t260 = _t284;
                                								_t190 =  *((intOrPtr*)( *_t284 + 0x178))();
                                								__eflags = _t190;
                                								if(_t190 != 0) {
                                									L38:
                                									GetWindowRect( *(_t284 + 0x20),  &_v32);
                                									__eflags = _v49;
                                									if(_v49 != 0) {
                                										__eflags =  *(_t288 + 0x40) & 0x0000a000;
                                										if(( *(_t288 + 0x40) & 0x0000a000) == 0) {
                                											_t230 = _v44 + _v4;
                                											__eflags = _t230;
                                											_v56 = _t230;
                                										} else {
                                											_v60 = _v48 + _v4;
                                										}
                                									}
                                									_t264 = _v32.bottom;
                                									__eflags =  *(_t284 + 0x104);
                                									if( *(_t284 + 0x104) != 0) {
                                										L49:
                                										__eflags = _v49;
                                										if(_v49 != 0) {
                                											goto L50;
                                										}
                                									} else {
                                										__eflags = _v49;
                                										if(_v49 != 0) {
                                											L50:
                                											_v49 = 0;
                                										} else {
                                											_t217 =  *0x13d1f0c; // 0x1
                                											_t218 = _t217 + _v0;
                                											__eflags =  *(_t288 + 0x40) & 0x0000a000;
                                											if(( *(_t288 + 0x40) & 0x0000a000) == 0) {
                                												_v56 = _v56 - _t218;
                                												__eflags = _v68;
                                												if(_v68 != 0) {
                                													asm("cdq");
                                													_t111 =  &_v56;
                                													 *_t111 = _v56 +  ~(_v32.right.left - _v32.left - _t280 >> 1);
                                													__eflags =  *_t111;
                                													goto L49;
                                												}
                                											} else {
                                												_v60 = _v60 - _t218;
                                												__eflags = _v68;
                                												if(_v68 != 0) {
                                													asm("cdq");
                                													_v60 = _v60 +  ~(_t264 - _v32.top.left - _t280 >> 1);
                                												}
                                											}
                                										}
                                									}
                                									__eflags =  *(_t288 + 0x40) & 0x0000a000;
                                									if(( *(_t288 + 0x40) & 0x0000a000) == 0) {
                                										_t202 = _t264 - _v32.top.left;
                                										_t266 = _v56;
                                										_v32.top.left = _t266;
                                										_t267 = _t266 + _t202;
                                										__eflags = _t267;
                                										_v32.bottom = _t267;
                                									} else {
                                										_t202 = _v32.right.left - _v32.left;
                                										_t276 = _v60;
                                										_v32.left = _t276;
                                										_v32.right.left = _t276 + _t202;
                                									}
                                									_v72 = _t202;
                                									L01279BD6( *((intOrPtr*)(_t288 + 0x44)),  &_v32);
                                									 *((intOrPtr*)( *_t284 + 0x234))(0, _v32.left, _v32.top.left, _v32.right.left - _v32.left, _v32.bottom - _v32.top.left, 0x14, 0);
                                									_t207 = 0;
                                									__eflags =  *(_t288 + 0x40) & 0x0000a000;
                                									if(( *(_t288 + 0x40) & 0x0000a000) != 0) {
                                										_t207 = 1;
                                										__eflags = 1;
                                									}
                                									_t280 =  *_t284;
                                									__eflags = _t207;
                                									_t260 = _t284;
                                									 *((intOrPtr*)(_t280 + 0x204))( &_v80, _v72, 0 | _t207 == 0x00000000);
                                									GetWindowRect( *(_t284 + 0x20),  &_v32);
                                									__eflags =  *(_t288 + 0x40) & 0x0000a000;
                                									if(( *(_t288 + 0x40) & 0x0000a000) == 0) {
                                										_t190 = _v32.bottom - _v32.top.left + _v0;
                                										_t158 =  &_v56;
                                										 *_t158 = _v56 + _v32.bottom - _v32.top.left + _v0;
                                										__eflags =  *_t158;
                                									} else {
                                										_t190 = _v32.right.left - _v32.left + _v0;
                                										_v60 = _v60 + _v32.right.left - _v32.left + _v0;
                                									}
                                								} else {
                                									__eflags =  *(_t288 + 4);
                                									if( *(_t288 + 4) != 0) {
                                										goto L38;
                                									}
                                								}
                                								__eflags = _v64;
                                								if(_v64 != 0) {
                                									_t190 = _v64;
                                									continue;
                                								}
                                								_pop(_t284);
                                								goto L61;
                                							}
                                							L01277AC9(_t260);
                                							asm("int3");
                                							_push(_t295);
                                							_push(0);
                                							_t254 = _t260;
                                							__eflags =  *(_t254 + 0x30);
                                							if( *(_t254 + 0x30) != 0) {
                                								__eflags = _v8;
                                								_push(_t288);
                                								if(_v8 == 0) {
                                									_t290 =  *(_t254 + 0x2c);
                                								} else {
                                									_t290 =  *(_t254 + 0x28);
                                								}
                                								_push(_t284);
                                								while(1) {
                                									__eflags = _t290;
                                									if(_t290 == 0) {
                                										break;
                                									}
                                									__eflags = _v8;
                                									_t193 = _t290;
                                									if(_v8 == 0) {
                                										__eflags = _t290;
                                										if(_t290 == 0) {
                                											L80:
                                											L01277AC9(_t260);
                                											L81:
                                											_t195 = _t284;
                                											L78:
                                											return _t195;
                                										}
                                										_t290 =  *(_t290 + 4);
                                										L74:
                                										__eflags =  *(_t254 + 4);
                                										_t284 =  *(_t193 + 8);
                                										if( *(_t254 + 4) != 0) {
                                											goto L81;
                                										}
                                										_t260 = _t284;
                                										_t197 =  *((intOrPtr*)( *_t284 + 0x178))();
                                										__eflags = _t197;
                                										if(_t197 != 0) {
                                											goto L81;
                                										}
                                										continue;
                                									}
                                									__eflags = _t290;
                                									if(_t290 == 0) {
                                										goto L80;
                                									}
                                									_t290 =  *_t290;
                                									goto L74;
                                								}
                                								_t195 = 0;
                                								__eflags = 0;
                                								goto L78;
                                							} else {
                                								return 0;
                                							}
                                						}
                                						L61:
                                						_pop(_t289);
                                						__eflags = _v16 ^ _t295;
                                						return L01367D3E(_t190, 0, _v16 ^ _t295, _t280, _t284, _t289);
                                					}
                                				}
                                				goto L82;
                                 			}

                                APIs
                                • GetWindowRect.USER32 ref: 012EE470
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 012ED959: SetRectEmpty.USER32 ref: 012ED966
                                  • Part of subcall function 012ED959: GetWindowRect.USER32 ref: 012ED977
                                • GetWindowRect.USER32 ref: 012EE548
                                • InflateRect.USER32(?,00000000,?), ref: 012EE56E
                                  • Part of subcall function 0128C2A4: __EH_prolog3.LIBCMT ref: 0128C2AB
                                • GetWindowRect.USER32 ref: 012EE623
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                • GetWindowRect.USER32 ref: 012EE72E
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Window$ClientExceptionFilterProcessScreenUnhandled$CurrentDebuggerEmptyException@8H_prolog3InflatePresentTerminateThrow
                                • String ID:
                                • API String ID: 607440246-0
                                • Opcode ID: 01596cef4afdb80dbcd9d4883c21c9ae7d9c4cba45f43892ef9b783092dc29ff
                                • Instruction ID: 08275e19d77672dd9b416c1ae9d135eddc8b1b71a52642741ac2947a300d7d63
                                • Opcode Fuzzy Hash: 01596cef4afdb80dbcd9d4883c21c9ae7d9c4cba45f43892ef9b783092dc29ff
                                • Instruction Fuzzy Hash: 7FE12871E1020AEFDB14DFACD988AAEBBF5FF48314F954569E605A7240E770A940CF50
                                Uniqueness

                                Uniqueness Score: 1.07%

                                C-Code - Quality: 93%
                                			E012C6AD2(void* __ebx, int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                				int _t148;
                                				int _t172;
                                				int _t194;
                                				int _t195;
                                				long _t204;
                                				int _t206;
                                				int _t208;
                                				signed int _t233;
                                				signed int _t234;
                                				int _t243;
                                				int _t244;
                                				int _t258;
                                				int _t277;
                                				int _t297;
                                				int _t302;
                                				int _t305;
                                				int _t307;
                                				signed int _t308;
                                				int _t309;
                                				void* _t310;
                                
                                				_t303 = __edx;
                                				_t245 = __ecx;
                                				_push(0x7c);
                                				L0136966A(0x138257f, __ebx, __edi, __esi);
                                				_t305 =  *(_t310 + 8);
                                				_t242 = __ecx;
                                				 *(_t310 - 0x54) = __ecx;
                                				if(( !( *(_t305 + 0x18)) & 0x00000001) == 0) {
                                					L22:
                                					 *((intOrPtr*)(_t310 - 0x5c)) = E012789CC(0x1391888, E01282D05(_t242, _t245, _t303, GetParent( *(_t242 + 0x20))));
                                					_t307 = 0;
                                					 *(_t310 - 0x40) = 0;
                                					E012888E2(_t242, _t305, _t305, _t310 - 0x40);
                                					_t148 =  *(_t310 - 0x40);
                                					 *(_t310 - 0x44) = 0;
                                					 *(_t310 - 0x60) = 0;
                                					__eflags = _t148;
                                					if(_t148 <= 0) {
                                						goto L48;
                                					}
                                					 *(_t310 - 0x4c) = _t148;
                                					do {
                                						E01272410(_t310 - 0x40, E0127859A());
                                						_t308 = 3;
                                						_push(_t310 - 0x40);
                                						 *(_t310 - 4) = _t308;
                                						E01278786(_t242, _t305, _t303, _t305, _t308, __eflags);
                                						 *(_t310 - 0x50) =  *(_t310 - 0x50) & 0x00000000;
                                						 *(_t310 - 0x58) =  *(_t310 - 0x58) & 0x00000000;
                                						E012888E2(_t242, _t305, _t305, _t310 - 0x50);
                                						__eflags =  *(_t310 - 0x50);
                                						if(__eflags != 0) {
                                							_push(0);
                                							 *(_t310 - 0x58) = L012B73EB(_t242, _t305, _t303, _t305, _t308, __eflags);
                                						}
                                						E012888E2(_t242, _t305, _t305, _t310 - 0x38);
                                						E012888E2(_t242, _t305, _t305, _t310 - 0x3c);
                                						E012C2F3D(_t242, _t308, __eflags, _t305, _t310 - 0x28);
                                						E012C2F3D(_t242, _t308, __eflags, _t305, _t310 - 0x30);
                                						E012A66F3(_t242, _t308, __eflags, _t305, _t310 - 0x20);
                                						E012888E2(_t242, _t305, _t305, _t310 - 0x34);
                                						 *(_t310 - 0x68) =  *(_t310 - 0x68) & 0x00000000;
                                						E012888E2(_t242, _t305, _t305, _t310 - 0x68);
                                						 *(_t310 - 0x48) =  *(_t310 - 0x48) | 0xffffffff;
                                						E012888E2(_t242, _t305, _t305, _t310 - 0x48);
                                						__eflags =  *(_t310 - 0x60);
                                						if( *(_t310 - 0x60) != 0) {
                                							 *(_t310 - 0x34) = _t308;
                                						}
                                						_t172 =  *(_t310 - 0x40);
                                						 *(_t310 - 0x50) = 0;
                                						__eflags =  *(_t172 - 0xc);
                                						if( *(_t172 - 0xc) == 0) {
                                							__eflags =  *(_t310 - 0x48) - 0xffffffff;
                                							if( *(_t310 - 0x48) == 0xffffffff) {
                                								goto L38;
                                							}
                                							goto L32;
                                						} else {
                                							__eflags =  *(_t310 - 0x48) - 0xffffffff;
                                							if( *(_t310 - 0x48) != 0xffffffff) {
                                								L32:
                                								_t309 = E012789CC(0x13d0f0c, E01290575( *((intOrPtr*)(_t310 - 0x5c)),  *(_t310 - 0x48)));
                                								__eflags = _t309;
                                								if(_t309 != 0) {
                                									_t243 = L012CB8B6(_t242, _t309, _t303);
                                									__eflags = _t243;
                                									if(_t243 != 0) {
                                										 *((intOrPtr*)( *_t309 + 0x37c))();
                                									}
                                									 *(_t310 - 0x50) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t310 - 0x5c)))) + 0x1cc))(_t309);
                                									__eflags = _t243;
                                									if(_t243 != 0) {
                                										 *((intOrPtr*)( *_t243 + 0x3c4))(_t309);
                                									}
                                									_t242 =  *(_t310 - 0x54);
                                								}
                                								goto L38;
                                							}
                                							_t303 =  *((intOrPtr*)( *((intOrPtr*)(_t310 - 0x5c))));
                                							 *(_t310 - 0x50) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t310 - 0x5c)))) + 0x220))(_t172,  *(_t310 - 0x58));
                                						}
                                						L38:
                                						_t258 =  *(_t310 - 0x58);
                                						__eflags = _t258;
                                						if(_t258 != 0) {
                                							 *((intOrPtr*)( *_t258 + 4))(1);
                                						}
                                						_t307 =  *(_t310 - 0x50);
                                						__eflags = _t307;
                                						if(_t307 != 0) {
                                							E01280BD7(_t307, _t310 - 0x3c);
                                							__eflags =  *(_t310 - 0x34) - 3;
                                							if( *(_t310 - 0x34) == 3) {
                                								E0128699F(_t242, 3);
                                								 *(_t310 - 0x60) = 1;
                                							}
                                							__eflags =  *(_t310 - 0x68);
                                							if( *(_t310 - 0x68) != 0) {
                                								 *(_t310 - 0x44) =  *(_t307 + 0x20);
                                							}
                                						}
                                						 *(_t310 - 4) =  *(_t310 - 4) | 0xffffffff;
                                						L01271470( *(_t310 - 0x40) + 0xfffffff0, _t303);
                                						_t134 = _t310 - 0x4c;
                                						 *_t134 =  *(_t310 - 0x4c) - 1;
                                						__eflags =  *_t134;
                                					} while ( *_t134 != 0);
                                					__eflags =  *(_t310 - 0x44);
                                					if( *(_t310 - 0x44) != 0) {
                                						SendMessageW( *(_t242 + 0x20), 0x222,  *(_t310 - 0x44), 0);
                                					}
                                					goto L48;
                                				} else {
                                					_t272 = _t310 - 0x88;
                                					L012E77C6(_t310 - 0x88, 0xa);
                                					 *(_t310 - 4) =  *(_t310 - 4) & 0x00000000;
                                					_t307 = GetWindow;
                                					_push(5);
                                					_push( *((intOrPtr*)(__ecx + 0x20)));
                                					while(1) {
                                						_t194 = E01282D05(_t242, _t272, _t303, GetWindow());
                                						_t244 = _t194;
                                						if(_t244 == 0) {
                                							break;
                                						}
                                						_t195 = E012789CC(0x139096c, _t244);
                                						_pop(_t272);
                                						 *(_t310 - 0x4c) = _t195;
                                						__eflags = _t195;
                                						if(_t195 == 0) {
                                							L8:
                                							_t242 =  *(_t244 + 0x20);
                                							_push(2);
                                							_push( *(_t244 + 0x20));
                                							continue;
                                						} else {
                                							_t303 =  *_t195;
                                							 *(_t310 - 0x44) =  *(_t310 - 0x44) & 0x00000000;
                                							E01273740(_t244,  *((intOrPtr*)( *_t195 + 0x20c))(_t310 - 0x44));
                                							_t277 =  *(_t310 - 0x44);
                                							 *(_t310 - 4) = 1;
                                							__eflags = _t277;
                                							if(_t277 != 0) {
                                								 *((intOrPtr*)( *_t277 + 4))(1);
                                							}
                                							__eflags =  *( *(_t310 - 0x40) - 0xc);
                                							if(__eflags != 0) {
                                								L012E77F9(_t310 - 0x88, __eflags,  *(_t310 - 0x4c));
                                							}
                                							_t272 =  *(_t310 - 0x40) + 0xfffffff0;
                                							__eflags =  *(_t310 - 0x40) + 0xfffffff0;
                                							 *(_t310 - 4) = 0;
                                							L01271470( *(_t310 - 0x40) + 0xfffffff0, _t303);
                                							goto L8;
                                						}
                                					}
                                					_t204 = SendMessageW( *( *(_t310 - 0x54) + 0x20), 0x229, _t194, _t194);
                                					_t245 = _t305;
                                					 *(_t310 - 0x4c) = _t204;
                                					E01288211(_t244, _t305, _t305,  *((intOrPtr*)(_t310 - 0x7c)));
                                					_t242 =  *(_t310 - 0x84);
                                					while(_t242 != 0) {
                                						_t206 = _t242;
                                						__eflags = _t242;
                                						if(_t242 == 0) {
                                							L01277AC9(_t245);
                                							goto L22;
                                						}
                                						_t242 =  *_t242;
                                						_t208 = E012789CC(0x139096c,  *((intOrPtr*)(_t206 + 8)));
                                						 *(_t310 - 0x48) =  *(_t310 - 0x48) & 0x00000000;
                                						_t307 = _t208;
                                						E01273740(_t242,  *((intOrPtr*)( *_t307 + 0x20c))(_t310 - 0x48));
                                						 *(_t310 - 4) = 2;
                                						E01278675(_t305, _t310 - 0x40);
                                						__eflags =  *(_t310 - 0x48);
                                						 *(_t310 - 0x44) = 0 |  *(_t310 - 0x48) != 0x00000000;
                                						E01288211(_t242, _t305, _t305,  *(_t310 - 0x48) != 0);
                                						__eflags =  *(_t310 - 0x44);
                                						if( *(_t310 - 0x44) != 0) {
                                							L012B734F(_t242, _t305, _t303,  *(_t310 - 0x48));
                                							_t302 =  *(_t310 - 0x48);
                                							__eflags = _t302;
                                							if(_t302 != 0) {
                                								 *((intOrPtr*)( *_t302 + 4))(1);
                                							}
                                						}
                                						E01280BBB(_t307, _t310 - 0x3c);
                                						E01288211(_t242, _t305, _t305,  *((intOrPtr*)(_t310 - 0x38)));
                                						E01288211(_t242, _t305, _t305,  *((intOrPtr*)(_t310 - 0x3c)));
                                						 *((intOrPtr*)(_t310 - 0x6c)) =  *((intOrPtr*)(_t310 - 0x28));
                                						 *(_t310 - 0x68) =  *(_t310 - 0x24);
                                						E01288537(_t305, _t305, _t310 - 0x6c, 8);
                                						 *((intOrPtr*)(_t310 - 0x64)) =  *((intOrPtr*)(_t310 - 0x30));
                                						 *(_t310 - 0x60) =  *(_t310 - 0x2c);
                                						E01288537(_t305, _t305, _t310 - 0x64, 8);
                                						E01288537(_t305, _t305, _t310 - 0x20, 0x10);
                                						E01288211(_t242, _t305, _t305,  *(_t310 - 0x34));
                                						__eflags =  *(_t307 + 0x20) -  *(_t310 - 0x4c);
                                						_t233 = E01288211(_t242, _t305, _t305, 0 |  *(_t307 + 0x20) ==  *(_t310 - 0x4c));
                                						_t297 =  *(_t307 + 0x434);
                                						_t234 = _t233 | 0xffffffff;
                                						__eflags = _t297;
                                						if(_t297 != 0) {
                                							__eflags =  *(_t297 + 0x20);
                                							if( *(_t297 + 0x20) != 0) {
                                								_t234 = E0128691B(_t297, _t303);
                                							}
                                						}
                                						E01288211(_t242, _t305, _t305, _t234);
                                						_t245 =  *(_t310 - 0x40) + 0xfffffff0;
                                						__eflags =  *(_t310 - 0x40) + 0xfffffff0;
                                						 *(_t310 - 4) = 0;
                                						L01271470( *(_t310 - 0x40) + 0xfffffff0, _t303);
                                					}
                                					 *(_t310 - 4) =  *(_t310 - 4) | 0xffffffff;
                                					L012E77EE(_t310 - 0x88);
                                					L48:
                                					return L013696ED(_t242, _t305, _t307);
                                				}
                                			}
























                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012C6AD9
                                • GetWindow.USER32(?,00000005), ref: 012C6B7E
                                • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 012C6B99
                                  • Part of subcall function 01280BBB: GetWindowPlacement.USER32(?,?), ref: 01280BCD
                                  • Part of subcall function 0128691B: GetDlgCtrlID.USER32 ref: 01286924
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetParent.USER32(?), ref: 012C6CFD
                                  • Part of subcall function 01278786: __EH_prolog3_GS.LIBCMT ref: 01278790
                                  • Part of subcall function 012B73EB: __EH_prolog3_catch.LIBCMT ref: 012B73F2
                                  • Part of subcall function 01280BD7: SetWindowPlacement.USER32 ref: 01280BE9
                                • SendMessageW.USER32(?,00000222,00000000,00000000), ref: 012C6ED6
                                  • Part of subcall function 0128699F: ShowWindow.USER32(00000000,?), ref: 012869B0
                                  • Part of subcall function 012CB8B6: GetParent.USER32(?), ref: 012CB8E7
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$H_prolog3_MessageParentPlacementSend$CtrlException@8H_prolog3_catchShowThrow
                                • String ID:
                                • API String ID: 2116876482-0
                                • Opcode ID: 75715834df89dab366d452ee74734855ba41671c34203317b22c486af44574e6
                                • Instruction ID: 28f7c631bddcdb5be659319b9fbff4e73516b183e2040085a672dbf87d07883b
                                • Opcode Fuzzy Hash: 75715834df89dab366d452ee74734855ba41671c34203317b22c486af44574e6
                                • Instruction Fuzzy Hash: EFD17B71A2120ADFDF15EBE8C898BBDBBB9BF58710F14022DE615AB2D0DB705901CB51
                                Uniqueness

                                Uniqueness Score: 23.02%

                                C-Code - Quality: 71%
                                			E01296406(signed int __ecx, intOrPtr _a4, signed int _a8, struct tagRECT* _a12) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				signed int _v28;
                                				signed int _v32;
                                				signed int _v36;
                                				signed int _v40;
                                				intOrPtr _v44;
                                				long _v48;
                                				long _v52;
                                				char _v56;
                                				signed int _v60;
                                				intOrPtr _v64;
                                				signed int _v68;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t152;
                                				signed int _t160;
                                				intOrPtr _t161;
                                				long _t170;
                                				long _t171;
                                				long _t173;
                                				long _t174;
                                				intOrPtr _t175;
                                				signed int _t176;
                                				long _t177;
                                				signed int _t181;
                                				long _t183;
                                				signed int _t188;
                                				long _t197;
                                				struct tagRECT* _t198;
                                				signed int _t201;
                                				long _t204;
                                				long _t205;
                                				long _t206;
                                				long _t208;
                                				long _t209;
                                				signed int _t212;
                                				intOrPtr _t222;
                                				long _t226;
                                				struct tagRECT* _t228;
                                				signed int _t233;
                                				intOrPtr _t238;
                                				signed int _t246;
                                
                                				_t152 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t152 ^ _t246;
                                				_v28 = _v28 | 0xffffffff;
                                				_t198 = _a12;
                                				_t228 = SetRectEmpty;
                                				_t233 = __ecx;
                                				_v36 = __ecx;
                                				SetRectEmpty(_t198);
                                				 *((intOrPtr*)( *_t233 + 0x190))();
                                				asm("sbb ecx, ecx");
                                				_v64 = _a4;
                                				_t160 = _a8;
                                				_t201 =  ~_t233;
                                				_t225 = 0;
                                				_v68 = _t201;
                                				_v60 = _t160;
                                				if(_t160 < 0) {
                                					_v60 = 0;
                                				}
                                				_t161 =  *((intOrPtr*)(_t233 + 0xbd4));
                                				if(_t161 == _t225 || _t161 == 1 &&  *((intOrPtr*)(_t233 + 0xca0)) != _t225) {
                                					GetClientRect( *(_t233 + 0x20), _t198);
                                					_t117 =  &_v28;
                                					 *_t117 = _v28 & 0x00000000;
                                					__eflags =  *_t117;
                                					goto L56;
                                				} else {
                                					if(_t201 == _t225) {
                                						_t177 =  *(_t233 + 0xbcc);
                                						_v32 = _t225;
                                						__eflags = _t177 - _t225;
                                						if(_t177 == _t225) {
                                							goto L70;
                                						} else {
                                							goto L44;
                                						}
                                						while(1) {
                                							L44:
                                							_t208 = _t177;
                                							__eflags = _t177;
                                							if(_t177 == 0) {
                                								goto L17;
                                							}
                                							_t208 =  *(_t208 + 8);
                                							_t177 =  *_t177;
                                							__eflags = _t208;
                                							if(_t208 == 0) {
                                								goto L17;
                                							}
                                							_t225 = _v60;
                                							_t228 =  &_v56;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							__eflags = _t225 - _v52;
                                							if(_t225 < _v52) {
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								_v28 = _v32;
                                								_t198->bottom = _t198->top;
                                								goto L51;
                                							}
                                							_t222 = _v44;
                                							__eflags = _t225 - _t222;
                                							if(_t225 <= _t222) {
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								_t233 = _v36;
                                								__eflags = _t225 - _v52 - _t222 - _t225;
                                								_t188 = _v32;
                                								if(_t225 - _v52 <= _t222 - _t225) {
                                									_v28 = _t188;
                                									_t198->bottom = _t198->top;
                                								} else {
                                									_v28 = _t188 + 1;
                                									_t198->top = _t198->bottom;
                                								}
                                								goto L56;
                                							}
                                							_v32 = _v32 + 1;
                                							__eflags = _t177;
                                							if(_t177 != 0) {
                                								continue;
                                							}
                                							_t233 = _v36;
                                							goto L70;
                                						}
                                						goto L17;
                                					} else {
                                						_v40 =  *((intOrPtr*)( *_t233 + 0x354))();
                                						_v32 = 0;
                                						_v24.left = 0;
                                						_v24.top = 0;
                                						_v24.right = 0;
                                						_v24.bottom = 0;
                                						SetRectEmpty( &_v24);
                                						_t197 =  *(_t233 + 0xbcc);
                                						while(_t197 != 0) {
                                							_t208 = _t197;
                                							__eflags = _t197;
                                							if(_t197 == 0) {
                                								L17:
                                								L01277AC9(_t208);
                                								L18:
                                								_t209 = _t208 - _v24.bottom;
                                								__eflags = _t209;
                                								_t233 = _v36;
                                								_v40 = _t209;
                                								break;
                                							}
                                							_t208 =  *(_t208 + 8);
                                							_t197 =  *_t197;
                                							__eflags = _t208;
                                							if(_t208 == 0) {
                                								goto L17;
                                							}
                                							__eflags =  *(_t208 + 0x40);
                                							if( *(_t208 + 0x40) != 0) {
                                								L14:
                                								_t35 =  &_v32;
                                								 *_t35 = _v32 + 1;
                                								__eflags =  *_t35;
                                								continue;
                                							}
                                							__eflags =  *(_t208 + 0x50);
                                							if( *(_t208 + 0x50) == 0) {
                                								goto L14;
                                							}
                                							__eflags = _v32;
                                							_t228 =  &_v56;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							if(_v32 <= 0) {
                                								L13:
                                								_t228 =  &_v24;
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								_t233 = _v36;
                                								goto L14;
                                							}
                                							_t208 = _v52;
                                							__eflags = _t208 - _v24.bottom;
                                							if(_t208 > _v24.bottom) {
                                								goto L18;
                                							}
                                							goto L13;
                                						}
                                						_t212 =  *((intOrPtr*)( *_t233 + 0x354))() + _v40;
                                						_t181 = _v60;
                                						asm("cdq");
                                						_t225 = _t181 % _t212;
                                						_v32 = _v32 & 0x00000000;
                                						_t208 =  *(_t233 + 0xbcc);
                                						_v40 = _t181 / _t212;
                                						_t183 = 0;
                                						while(_t208 != 0) {
                                							_t226 = _t208;
                                							__eflags = _t208;
                                							if(_t208 == 0) {
                                								goto L17;
                                							}
                                							_t225 =  *(_t226 + 8);
                                							_t208 =  *_t208;
                                							__eflags = _t225;
                                							if(_t225 == 0) {
                                								goto L17;
                                							}
                                							__eflags =  *(_t225 + 0x40);
                                							if( *(_t225 + 0x40) != 0) {
                                								L32:
                                								_t183 = _t183 + 1;
                                								__eflags = _t183;
                                								continue;
                                							}
                                							__eflags =  *(_t225 + 0x50);
                                							if( *(_t225 + 0x50) == 0) {
                                								goto L32;
                                							} else {
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								__eflags = _t183;
                                								if(_t183 > 0) {
                                									__eflags = _v52 - _v24.bottom;
                                									if(_v52 >= _v24.bottom) {
                                										_t58 =  &_v32;
                                										 *_t58 = _v32 + 1;
                                										__eflags =  *_t58;
                                									}
                                								}
                                								_t225 = _v40;
                                								__eflags = _v32 - _v40;
                                								if(__eflags > 0) {
                                									_t228 = _t198;
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									_t198->left = _t198->right;
                                									_t70 = _t183 - 1; // -1
                                									_v28 = _t70;
                                									L38:
                                									__eflags = _v28 - 0xffffffff;
                                									_t233 = _v36;
                                									if(_v28 != 0xffffffff) {
                                										L56:
                                										_t228 = 0;
                                										if(_v28 >= 0) {
                                											_v24.left = 0;
                                											_v24.top = 0;
                                											_v24.right = 0;
                                											_v24.bottom = 0;
                                											GetClientRect( *(_t233 + 0x20),  &_v24);
                                											if( *((intOrPtr*)(_t233 + 0xca0)) != 0) {
                                												_t175 =  *((intOrPtr*)(_t233 + 0xbd4));
                                												if(_v28 == _t175) {
                                													_t176 = _t175 - 1;
                                													_v28 = 0;
                                													if(_t176 >= 0) {
                                														_v28 = _t176;
                                													}
                                												}
                                											}
                                											if(_v68 == _t228) {
                                												_t170 = _t198->top + 0xfffffffd;
                                												__eflags = _v24.top - _t170;
                                												if(_v24.top > _t170) {
                                													_t170 = _v24.top;
                                												}
                                												_t204 = _v24.bottom;
                                												_t198->top = _t170;
                                												_t171 = _t170 + 6;
                                												_t198->bottom = _t171;
                                												__eflags = _t171 - _t204;
                                												if(_t171 > _t204) {
                                													_t198->bottom = _t204;
                                													_t205 = _t204 + 0xfffffffa;
                                													__eflags = _t205;
                                													_t198->top = _t205;
                                												}
                                											} else {
                                												_t173 = _t198->left + 0xfffffffd;
                                												if(_v24.left > _t173) {
                                													_t173 = _v24.left;
                                												}
                                												_t206 = _v24.right;
                                												_t198->left = _t173;
                                												_t174 = _t173 + 6;
                                												_t198->right = _t174;
                                												if(_t174 > _t206) {
                                													_t198->right = _t206;
                                													_t198->left = _t206 + 0xfffffffa;
                                												}
                                											}
                                										}
                                										L70:
                                										if( *((intOrPtr*)(_t233 + 0xca0)) != 0 && _v28 ==  *((intOrPtr*)(_t233 + 0xbd4))) {
                                											_v28 = _v28 | 0xffffffff;
                                											SetRectEmpty(_t198);
                                										}
                                										return L01367D3E(_v28, _t198, _v8 ^ _t246, _t225, _t228, _t233);
                                									}
                                									L39:
                                									if(_v32 != _v40) {
                                										goto L70;
                                									}
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									_t198->left = _t198->right;
                                									_v28 = _t183;
                                									L51:
                                									_t233 = _v36;
                                									goto L56;
                                								}
                                								if(__eflags != 0) {
                                									L31:
                                									_t228 =  &_v24;
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									_t233 = _v36;
                                									goto L32;
                                								}
                                								_t238 = _v64;
                                								__eflags = _t238 - _v56;
                                								if(_t238 < _v56) {
                                									_t228 = _t198;
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									L37:
                                									_t198->right = _t198->left;
                                									_v28 = _t183;
                                									goto L38;
                                								}
                                								_t225 = _v48;
                                								__eflags = _t238 - _t225;
                                								if(_t238 <= _t225) {
                                									_t225 = _t225 - _v64;
                                									_t228 = _t198;
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									asm("movsd");
                                									__eflags = _v64 - _v56 - _t225;
                                									if(_v64 - _v56 <= _t225) {
                                										goto L37;
                                									}
                                									_t86 = _t183 + 1; // 0x1
                                									_v28 = _t86;
                                									_t198->left = _t198->right;
                                									goto L38;
                                								}
                                								goto L31;
                                							}
                                						}
                                						goto L39;
                                					}
                                				}
                                			}

                                APIs
                                • SetRectEmpty.USER32 ref: 0129642E
                                • SetRectEmpty.USER32 ref: 012964A6
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetClientRect.USER32 ref: 012966A6
                                • GetClientRect.USER32 ref: 012966CE
                                • SetRectEmpty.USER32 ref: 0129675D
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Empty$ClientExceptionFilterProcessUnhandled$CurrentDebuggerException@8PresentTerminateThrow
                                • String ID:
                                • API String ID: 2821521454-0
                                • Opcode ID: 714614a989ece17a1c13b8538241a7ef6ea571116243bcda33cd4877923c32af
                                • Instruction ID: 3abfc28492f06c5bbc9f1b0d5b6867f804b4cb0e2d854b4b8c6925806dbff14e
                                • Opcode Fuzzy Hash: 714614a989ece17a1c13b8538241a7ef6ea571116243bcda33cd4877923c32af
                                • Instruction Fuzzy Hash: 8AD1E471E1061ACFCF19CFACD5806AEBBF2FF49310F248169EA15AB244D775A941CB90
                                Uniqueness

                                Uniqueness Score: 2.20%

                                C-Code - Quality: 89%
                                			E012D0AEB(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t102;
                                				signed int _t105;
                                				signed int _t107;
                                				int _t111;
                                				signed int _t112;
                                				signed int _t118;
                                				signed int _t136;
                                				signed int _t139;
                                				intOrPtr _t140;
                                				signed int _t169;
                                				signed int _t174;
                                				signed int _t194;
                                				void* _t212;
                                				signed int _t214;
                                				intOrPtr* _t215;
                                				intOrPtr* _t217;
                                				void* _t218;
                                				intOrPtr _t224;
                                
                                				_t212 = __edx;
                                				_t168 = __ecx;
                                				_push(0x188);
                                				L0136966A(0x1382a6d, __ebx, __edi, __esi);
                                				_t214 =  *(_t218 + 8);
                                				_t217 = __ecx;
                                				if((0 |  *((intOrPtr*)(__ecx + 0xd14)) != 0x00000000) != 0) {
                                					L2:
                                					if(E01282D05(0, _t168, _t212, GetFocus()) == _t217) {
                                						E01286A6F(0, L01283CA8(_t217), _t212);
                                					}
                                					_t102 =  *(_t217 + 0xcd4);
                                					if(_t102 != _t214) {
                                						L12:
                                						_t169 =  *0x13dac98; // 0x0
                                						__eflags = _t169;
                                						if(__eflags != 0) {
                                							__eflags = _t102;
                                							if(__eflags != 0) {
                                								_push(_t102);
                                								L01341D7E(0, _t169, _t214, _t217, __eflags);
                                							}
                                						}
                                						_push(_t217);
                                						_push( *(_t217 + 0xcd4));
                                						L012A5B3E(0, 0x13d95c8, _t212, _t214, _t217, __eflags);
                                						 *(_t218 - 0x194) =  *(_t217 + 0xcf8);
                                						 *(_t217 + 0xcf8) = 0;
                                						 *(_t217 + 0xcd4) = _t214;
                                						__eflags =  *(_t218 + 0xc);
                                						if(__eflags != 0) {
                                							 *(_t217 + 0xcd8) = _t214;
                                						}
                                						_t105 =  *((intOrPtr*)( *_t217 + 0x190))();
                                						_push(_t217);
                                						_push(_t214);
                                						 *(_t218 - 0x188) = _t105;
                                						__eflags = L012A5A10(0, 0x13d95c8, _t212, _t214, _t217, __eflags);
                                						if(__eflags == 0) {
                                							L20:
                                							_t107 = L01289341(0, 0x13d95c8, _t212, _t214, _t217, __eflags, _t214);
                                							 *(_t218 - 0x188) = _t107;
                                							__eflags = _t107;
                                							if(_t107 == 0) {
                                								goto L47;
                                							}
                                							_t174 =  *0x13dac98; // 0x0
                                							__eflags = _t174;
                                							if(__eflags != 0) {
                                								_push(_t214);
                                								L01341E92(0, _t174, _t212, _t214, _t217, __eflags);
                                							}
                                							 *((intOrPtr*)( *_t217 + 0x350))();
                                							_t214 =  *(_t218 - 0x188);
                                							_t111 = GetMenuItemCount( *(_t214 + 4));
                                							 *(_t218 - 0x190) = _t111;
                                							 *(_t218 - 0x184) = 0;
                                							__eflags = _t111;
                                							if(_t111 <= 0) {
                                								L36:
                                								_t112 =  *(_t217 + 0xce8);
                                								__eflags = _t112;
                                								if(_t112 != 0) {
                                									_push(0);
                                									_push(_t112);
                                									__eflags = L01293BD3(_t217);
                                									if(__eflags < 0) {
                                										E012D0880(0, _t218 - 0x178, _t212, _t214, _t217, __eflags);
                                										 *(_t218 - 4) = 2;
                                										 *((intOrPtr*)( *_t217 + 0x344))(_t218 - 0x178, 0xffffffff,  *(_t217 + 0xce8),  *((intOrPtr*)(_t217 + 0xcf4)),  *((intOrPtr*)(_t217 + 0xd0c)));
                                										_t87 = _t218 - 4;
                                										 *_t87 =  *(_t218 - 4) | 0xffffffff;
                                										__eflags =  *_t87;
                                										L012CFE49(0, _t218 - 0x178, _t212, _t214, _t217,  *_t87);
                                									}
                                								}
                                								goto L39;
                                							} else {
                                								do {
                                									 *(_t218 - 0x180) = GetMenuItemID( *(_t214 + 4),  *(_t218 - 0x184));
                                									E01272410(_t218 - 0x17c, E0127859A());
                                									_t189 = _t214;
                                									 *(_t218 - 4) = 0;
                                									L01289447(0, _t214,  *(_t218 - 0x184), _t218 - 0x17c, 0x400);
                                									__eflags =  *(_t218 - 0x180);
                                									if( *(_t218 - 0x180) == 0) {
                                										 *((intOrPtr*)( *_t217 + 0x348))(0xffffffff);
                                										goto L35;
                                									}
                                									__eflags =  *(_t218 - 0x180) - 0xffffffff;
                                									if(__eflags == 0) {
                                										_t136 = L01289341(0, _t189, _t212, _t214, _t217, __eflags, GetSubMenu( *(_t214 + 4),  *(_t218 - 0x184)));
                                										__eflags = _t136;
                                										_t168 = 0 | __eflags != 0x00000000;
                                										 *(_t218 - 0x18c) = _t136;
                                										__eflags = __eflags != 0;
                                										if(__eflags == 0) {
                                											goto L1;
                                										}
                                										_t194 =  *0x13dac98; // 0x0
                                										 *(_t218 - 0x180) = 0;
                                										__eflags = _t194;
                                										if(__eflags != 0) {
                                											_push(_t218 - 0x17c);
                                											 *(_t218 - 0x180) = L01341C99(0, _t212, _t214, _t217, __eflags);
                                										}
                                										_t215 = E01278939(0,  *((intOrPtr*)(_t217 + 0xd14)), _t214, _t217, __eflags);
                                										_t139 =  *(_t218 - 0x18c);
                                										__eflags = _t139;
                                										if(__eflags != 0) {
                                											_t140 =  *((intOrPtr*)(_t139 + 4));
                                										} else {
                                											_t140 = 0;
                                										}
                                										L012DDC12(_t215, _t215, __eflags, 0, _t140, 0xffffffff,  *(_t218 - 0x17c), 0);
                                										 *((intOrPtr*)(_t215 + 8)) = 1;
                                										 *((intOrPtr*)(_t215 + 0xc)) = 0;
                                										 *((intOrPtr*)( *_t215 + 0xf4))( *(_t218 - 0x180));
                                										 *((intOrPtr*)( *_t217 + 0x344))(_t215, 0xffffffff);
                                										 *((intOrPtr*)( *_t215 + 4))(1);
                                										_t214 =  *(_t218 - 0x188);
                                										goto L35;
                                									}
                                									L012E7314(0, _t218 - 0x80, _t212, _t214, _t217, __eflags);
                                									 *(_t218 - 4) = 1;
                                									 *((intOrPtr*)(_t218 - 0x78)) = 1;
                                									 *((intOrPtr*)(_t218 - 0x74)) = 0;
                                									 *((intOrPtr*)( *_t217 + 0x344))(_t218 - 0x80, 0xffffffff,  *(_t218 - 0x180), 0xffffffff,  *(_t218 - 0x17c), 0, 0);
                                									 *(_t218 - 4) = 0;
                                									L012E5DDF(_t218 - 0x80, _t212);
                                									L35:
                                									 *(_t218 - 4) =  *(_t218 - 4) | 0xffffffff;
                                									L01271470( *(_t218 - 0x17c) + 0xfffffff0, _t212);
                                									 *(_t218 - 0x184) =  *(_t218 - 0x184) + 1;
                                									__eflags =  *(_t218 - 0x184) -  *(_t218 - 0x190);
                                								} while ( *(_t218 - 0x184) <  *(_t218 - 0x190));
                                								goto L36;
                                							}
                                						} else {
                                							__eflags =  *(_t218 + 0x10);
                                							if(__eflags != 0) {
                                								goto L20;
                                							}
                                							 *((intOrPtr*)( *_t217 + 0x1dc))( *(_t218 - 0x188));
                                							L39:
                                							__eflags =  *(_t218 - 0x194);
                                							if( *(_t218 - 0x194) != 0) {
                                								_t118 = E012789CC(0x1395654,  *((intOrPtr*)(_t217 + 0xcd0)));
                                								__eflags = _t118;
                                								if(_t118 != 0) {
                                									E012CEB44(0, _t217, _t212, _t214, _t217, __eflags, 1, L012B8EF9(0, _t118, _t212, 0), 1);
                                								}
                                							}
                                							__eflags =  *(_t217 + 0x20);
                                							if( *(_t217 + 0x20) != 0) {
                                								 *((intOrPtr*)( *_t217 + 0x208))();
                                							}
                                							L0129BA1B(0, _t217, _t212, _t214, _t217);
                                							L45:
                                							if( *((intOrPtr*)(_t217 + 0x168)) == 0) {
                                								 *((intOrPtr*)( *_t217 + 0x2d4))(1);
                                							}
                                							L47:
                                							return L013696ED(0, _t214, _t217);
                                						}
                                					}
                                					_t224 =  *0x13d83d4; // 0x0
                                					if(_t224 != 0 ||  *(_t218 + 0x10) != 0) {
                                						goto L12;
                                					} else {
                                						_t226 =  *(_t217 + 0xcf8);
                                						if( *(_t217 + 0xcf8) == 0) {
                                							goto L45;
                                						}
                                						E012CEB44(0, _t217, _t212, _t214, _t217, _t226, 0, 0, 0);
                                						E012CEB44(0, _t217, _t212, _t214, _t217, _t226, 1, 0, 0);
                                						L01295B3C(_t217, _t212, 0);
                                						_t214 = 0;
                                						if( *((intOrPtr*)(_t217 + 0xcec)) > 0) {
                                							 *(_t218 - 0x17c) =  *(_t218 - 0x17c) | 0xffffffff;
                                							do {
                                								L01295B3C(_t217, _t212, E01294430(_t217) +  *(_t218 - 0x17c));
                                								_t214 = _t214 + 1;
                                								 *(_t218 - 0x17c) =  *(_t218 - 0x17c) - 1;
                                							} while (_t214 <  *((intOrPtr*)(_t217 + 0xcec)));
                                						}
                                						goto L45;
                                					}
                                				}
                                				L1:
                                				L01277AC9(_t168);
                                				goto L2;
                                			}






















                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012D0AF5
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 01283CA8: GetParent.USER32(?), ref: 01283CD2
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A84
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A93
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286AA9
                                  • Part of subcall function 01286A6F: SetFocus.USER32 ref: 01286ABF
                                • GetFocus.USER32 ref: 012D0B15
                                  • Part of subcall function 012A5B3E: __EH_prolog3_catch.LIBCMT ref: 012A5B48
                                  • Part of subcall function 012A5B3E: CloseHandle.KERNEL32(?), ref: 012A5B81
                                  • Part of subcall function 012A5B3E: GetTempPathW.KERNEL32(00000104,00000000), ref: 012A5BA8
                                  • Part of subcall function 012A5B3E: GetTempFileNameW.KERNEL32(?,AFX,00000000,00000000,00000000), ref: 012A5BDF
                                  • Part of subcall function 012A5B3E: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000), ref: 012A5C01
                                  • Part of subcall function 012A5A10: __EH_prolog3_catch.LIBCMT ref: 012A5A17
                                  • Part of subcall function 012A5A10: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,00000074), ref: 012A5A4E
                                  • Part of subcall function 01341E92: __EH_prolog3.LIBCMT ref: 01341E99
                                  • Part of subcall function 01341E92: GetMenuItemCount.USER32(?), ref: 01341EC9
                                  • Part of subcall function 01341E92: GetMenuItemID.USER32(?,00000000), ref: 01341EE3
                                  • Part of subcall function 01341E92: GetMenuState.USER32(?,00000000,00000400), ref: 01341EF7
                                  • Part of subcall function 01341E92: ModifyMenuW.USER32(?,00000000,00000400,00000000,?), ref: 01341F51
                                  • Part of subcall function 01341E92: GetSubMenu.USER32 ref: 01341F6A
                                  • Part of subcall function 012E7314: __EH_prolog3.LIBCMT ref: 012E731B
                                  • Part of subcall function 01341D7E: __EH_prolog3.LIBCMT ref: 01341D85
                                  • Part of subcall function 01341D7E: GetMenuItemCount.USER32(?), ref: 01341DD7
                                  • Part of subcall function 01341D7E: GetMenuItemID.USER32(?,00000000), ref: 01341E38
                                  • Part of subcall function 01341D7E: GetSubMenu.USER32 ref: 01341E47
                                • GetMenuItemCount.USER32(?), ref: 012D0C6A
                                • GetMenuItemID.USER32(?,?), ref: 012D0C8D
                                  • Part of subcall function 01289447: GetMenuStringW.USER32(?,?,00000000,00000000,?), ref: 01289464
                                  • Part of subcall function 01289447: GetMenuStringW.USER32(?,?,00000000,00000001,?), ref: 01289485
                                • GetSubMenu.USER32 ref: 012D0D2A
                                  • Part of subcall function 01278939: __EH_prolog3_catch.LIBCMT ref: 01278940
                                  • Part of subcall function 01341C99: __EH_prolog3.LIBCMT ref: 01341CA0
                                  • Part of subcall function 01295B3C: InvalidateRect.USER32(?,?,00000001), ref: 01295BB1
                                  • Part of subcall function 01295B3C: InflateRect.USER32(?,?,?), ref: 01295BF7
                                  • Part of subcall function 01295B3C: RedrawWindow.USER32(?,?,00000000,00000401), ref: 01295C0A
                                  • Part of subcall function 0129BA1B: CharUpperW.USER32 ref: 0129BA93
                                  • Part of subcall function 012B8EF9: SendMessageW.USER32(?,00000229,00000000,?), ref: 012B8F24
                                  • Part of subcall function 012CEB44: __EH_prolog3_GS.LIBCMT ref: 012CEB4E
                                  • Part of subcall function 012CEB44: GetSystemMenu.USER32 ref: 012CEBB0
                                  • Part of subcall function 012CEB44: IsMenu.USER32(?), ref: 012CEBC9
                                  • Part of subcall function 012CEB44: IsMenu.USER32(?), ref: 012CEBE3
                                  • Part of subcall function 012CEB44: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 012CEC18
                                  • Part of subcall function 012CEB44: GetClassLongW.USER32 ref: 012CEC2E
                                  • Part of subcall function 012CEB44: GetWindowLongW.USER32(?,000000F0), ref: 012CEC79
                                  • Part of subcall function 012CEB44: _memset.LIBCMT ref: 012CED3F
                                  • Part of subcall function 012CEB44: GetMenuItemInfoW.USER32 ref: 012CED6A
                                  • Part of subcall function 012D0880: __EH_prolog3.LIBCMT ref: 012D0887
                                  • Part of subcall function 012CFE49: __EH_prolog3.LIBCMT ref: 01349C29
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Menu$Item$H_prolog3$Parent$CountFileH_prolog3_catch$FocusH_prolog3_LongMessageRectSendStringTempWindow$CharClassCloseCreateException@8HandleInflateInfoInvalidateModifyNamePathPointerRedrawStateSystemThrowUpper_memset
                                • String ID:
                                • API String ID: 2487280993-0
                                • Opcode ID: 4431fc1c9b9a204ae80640fae36495f061f35fda7c3457ca16d8b1214847b35e
                                • Instruction ID: acb7522de3f6da1a64a3787d1fb1dd98f8da01603e95e0cefa949e4204a4ed59
                                • Opcode Fuzzy Hash: 4431fc1c9b9a204ae80640fae36495f061f35fda7c3457ca16d8b1214847b35e
                                • Instruction Fuzzy Hash: 96B1A170610616AFDF25AF68CC94AFDBBB5BF54314F1046ADE25A932A0DF306A80CF54
                                Uniqueness

                                Uniqueness Score: 10.55%

                                C-Code - Quality: 87%
                                			E012A4522(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t126;
                                				intOrPtr _t129;
                                				intOrPtr _t130;
                                				intOrPtr _t132;
                                				intOrPtr _t145;
                                				intOrPtr _t149;
                                				void* _t150;
                                				void* _t160;
                                				void* _t161;
                                				intOrPtr* _t178;
                                				intOrPtr _t183;
                                				intOrPtr _t193;
                                				intOrPtr _t194;
                                				void* _t214;
                                				struct tagPOINT _t215;
                                				intOrPtr _t222;
                                				intOrPtr _t223;
                                				intOrPtr _t224;
                                				signed int _t226;
                                				intOrPtr _t227;
                                				intOrPtr _t229;
                                				intOrPtr _t230;
                                				void* _t232;
                                				intOrPtr _t242;
                                
                                				_t214 = __edx;
                                				_push(0x88);
                                				L0136966A(0x138127c, __ebx, __edi, __esi);
                                				_t178 =  *((intOrPtr*)(_t232 + 0xc));
                                				 *((intOrPtr*)(_t232 - 0x64)) =  *((intOrPtr*)(_t232 + 8));
                                				_t226 =  *( *((intOrPtr*)(_t178 + 0x2c)) + 0x3c0);
                                				 *((intOrPtr*)(_t232 - 0x8c)) = __ecx;
                                				 *((intOrPtr*)(_t232 - 0x88)) = _t178;
                                				if( *((intOrPtr*)(_t232 + 0x10)) == 0 || ( *(_t226 + 0x31c) & 0x00000001) != 0 &&  *((intOrPtr*)( *_t178 + 0x124))() == 0) {
                                					 *((intOrPtr*)(_t232 + 0x10)) = 0;
                                				} else {
                                					 *((intOrPtr*)(_t232 + 0x10)) = 1;
                                				}
                                				if( *((intOrPtr*)( *_t178 + 0x30))() == 0 || ( *(_t226 + 0x31c) & 0x00000001) == 0) {
                                					_t227 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t227 = 1;
                                				}
                                				if( *((intOrPtr*)( *_t178 + 0x2c))() != 0 || _t227 != 0) {
                                					_t126 =  *((intOrPtr*)( *_t178 + 0x40))();
                                					 *((intOrPtr*)(_t232 - 0x70)) = 1;
                                					_t241 = _t126;
                                					if(_t126 != 0) {
                                						goto L12;
                                					}
                                				} else {
                                					L12:
                                					 *((intOrPtr*)(_t232 - 0x70)) = 0;
                                				}
                                				_push( *0x13d6438);
                                				_push(1);
                                				_push(0);
                                				E0127A354(_t178, _t232 - 0x84, _t214, 0, _t227, _t241);
                                				 *(_t232 - 4) = 0;
                                				_t129 = E0127A1AA( *((intOrPtr*)(_t232 - 0x64)), _t232 - 0x84);
                                				_t242 = _t129;
                                				_t191 = 0 | _t242 == 0x00000000;
                                				 *((intOrPtr*)(_t232 - 0x7c)) = _t129;
                                				if(_t242 == 0) {
                                					L01277AC9(_t191);
                                				}
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				_t193 =  *((intOrPtr*)(_t232 - 0x5c)) + 3;
                                				 *((intOrPtr*)(_t232 - 0x5c)) = _t193;
                                				_t180 =  *( *((intOrPtr*)(_t178 + 0x2c)) + 0x3c0);
                                				_t130 =  *((intOrPtr*)( *( *((intOrPtr*)(_t178 + 0x2c)) + 0x3c0) + 0x2b8));
                                				_t229 = 0x138f598;
                                				if(_t130 > 0) {
                                					asm("cdq");
                                					_t207 = _t130 - _t214 >> 1;
                                					_t160 = 0x64;
                                					_t161 = _t160 - (_t130 - _t214 >> 1);
                                					_t245 = _t161 - 0xa;
                                					if(_t161 < 0xa) {
                                						_t161 = 0xa;
                                					}
                                					_push(E012FC1A3(_t207,  *0x13d6434, _t161));
                                					_push(1);
                                					_push(0);
                                					E0127A354(_t180, _t232 - 0x6c, _t214, 0, _t229, _t245);
                                					 *(_t232 - 4) = 1;
                                					E0127A1AA( *((intOrPtr*)(_t232 - 0x64)), _t232 - 0x6c);
                                					L01279B90( *((intOrPtr*)(_t232 - 0x64)), _t232 - 0x94,  *((intOrPtr*)(_t232 - 0x58)) - 1,  *((intOrPtr*)(_t232 - 0x5c)));
                                					L012795E0( *((intOrPtr*)(_t232 - 0x64)),  *((intOrPtr*)(_t232 - 0x58)) - 1,  *((intOrPtr*)(_t232 - 0x54)));
                                					 *(_t232 - 4) = 0;
                                					 *((intOrPtr*)(_t232 - 0x6c)) = _t229;
                                					E0127A27E(_t180, _t232 - 0x6c, 0, _t229,  *((intOrPtr*)(_t232 - 0x58)) - 1);
                                					_t193 =  *((intOrPtr*)(_t232 - 0x5c));
                                				}
                                				if( *((intOrPtr*)(_t232 + 0x10)) != 0 ||  *((intOrPtr*)(_t232 - 0x70)) != 0) {
                                					_t215 =  *(_t232 - 0x60);
                                					_t230 =  *((intOrPtr*)(_t232 - 0x54));
                                					 *((intOrPtr*)(_t232 - 0x48)) = _t215 + 1;
                                					_t132 =  *((intOrPtr*)(_t232 - 0x58)) - 2;
                                					 *(_t232 - 0x50) = _t215;
                                					 *((intOrPtr*)(_t232 - 0x40)) = _t215 + 1;
                                					_t183 = _t193 + 2;
                                					_t222 = _t230 - 1;
                                					 *((intOrPtr*)(_t232 - 0x4c)) = _t230;
                                					 *((intOrPtr*)(_t232 - 0x3c)) = _t183;
                                					 *((intOrPtr*)(_t232 - 0x38)) = _t215 + 3;
                                					 *((intOrPtr*)(_t232 - 0x34)) = _t193;
                                					 *((intOrPtr*)(_t232 - 0x2c)) = _t193;
                                					_t194 = _t132 - 1;
                                					 *((intOrPtr*)(_t232 - 0x24)) = _t183;
                                					 *((intOrPtr*)(_t232 - 0x14)) = _t230;
                                					_t217 = _t132 - 3;
                                					_t180 = 0;
                                					_t229 = 0x138f894;
                                					 *((intOrPtr*)(_t232 - 0x58)) = _t132;
                                					 *((intOrPtr*)(_t232 - 0x44)) = _t222;
                                					 *((intOrPtr*)(_t232 - 0x30)) = _t132 - 3;
                                					 *((intOrPtr*)(_t232 - 0x28)) = _t194;
                                					 *((intOrPtr*)(_t232 - 0x20)) = _t194;
                                					 *((intOrPtr*)(_t232 - 0x1c)) = _t222;
                                					 *((intOrPtr*)(_t232 - 0x18)) = _t132;
                                					 *((intOrPtr*)(_t232 - 0x74)) = 0;
                                					 *((intOrPtr*)(_t232 - 0x78)) = 0x138f894;
                                					 *(_t232 - 4) = 2;
                                					E0127A097(0, _t232 - 0x78, _t132 - 3, _t222, CreatePolygonRgn(_t232 - 0x50, 8, 2));
                                					_t223 =  *((intOrPtr*)(_t232 - 0x64));
                                					__eflags =  *((intOrPtr*)(_t232 + 0x10));
                                					if( *((intOrPtr*)(_t232 + 0x10)) != 0) {
                                						L01279B4B(_t223, _t232 - 0x78);
                                						_t145 = E0130ADAF( *((intOrPtr*)(_t232 - 0x88)));
                                						__eflags = _t145;
                                						if(_t145 == 0) {
                                							_t217 =  *((intOrPtr*)( *((intOrPtr*)(_t232 - 0x8c))));
                                							_t149 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t232 - 0x8c)))) + 0x27c))( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t232 - 0x88)) + 0x2c)) + 0xe0)));
                                						} else {
                                							_t149 =  *0x13d643c; // 0xffffff
                                						}
                                						__eflags = _t149 - 0xffffffff;
                                						if(__eflags == 0) {
                                							_t150 = 0x13d64a8;
                                							__eflags =  *((intOrPtr*)(_t232 - 0x70)) - _t180;
                                							if( *((intOrPtr*)(_t232 - 0x70)) == _t180) {
                                								_t150 = 0x13d64b0;
                                							}
                                							_t104 = _t150 + 4; // 0x0
                                							FillRect( *(_t223 + 4), _t232 - 0x60,  *_t104);
                                						} else {
                                							_push(_t149);
                                							E0127A3A8(_t180, _t232 - 0x6c, _t217, _t223, _t229, __eflags);
                                							FillRect( *(_t223 + 4), _t232 - 0x60,  *(_t232 - 0x68));
                                							 *((intOrPtr*)(_t232 - 0x6c)) = 0x138f578;
                                							E0127A27E(_t180, _t232 - 0x6c, _t223, _t229, __eflags);
                                						}
                                						L01279B4B(_t223, _t180);
                                					}
                                					Polyline( *(_t223 + 4), _t232 - 0x50, 8);
                                					E0127A1AA(_t223,  *((intOrPtr*)(_t232 - 0x7c)));
                                					_t224 =  *0x13d6448; // 0x0
                                					 *(_t232 - 4) = _t180;
                                					 *((intOrPtr*)(_t232 - 0x78)) = _t229;
                                					E0127A27E(_t180, _t232 - 0x78, _t224, _t229, __eflags);
                                					 *((intOrPtr*)(_t232 - 0x84)) = 0x138f598;
                                				} else {
                                					E0127A1AA( *((intOrPtr*)(_t232 - 0x64)),  *((intOrPtr*)(_t232 - 0x7c)));
                                					_t224 =  *0x13d6448; // 0x0
                                					 *((intOrPtr*)(_t232 - 0x84)) = _t229;
                                				}
                                				 *(_t232 - 4) =  *(_t232 - 4) | 0xffffffff;
                                				E0127A27E(_t180, _t232 - 0x84, _t224, _t229,  *(_t232 - 4));
                                				return L013696ED(_t180, _t224, _t229);
                                			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012A452C
                                  • Part of subcall function 0127A354: __EH_prolog3.LIBCMT ref: 0127A35B
                                  • Part of subcall function 0127A354: CreatePen.GDI32(?,?,?), ref: 0127A37C
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,00000000), ref: 0127A1D0
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,?), ref: 0127A1E6
                                  • Part of subcall function 01279B90: MoveToEx.GDI32(?,?,?,?), ref: 01279BBA
                                  • Part of subcall function 01279B90: MoveToEx.GDI32(?,?,?,?), ref: 01279BCB
                                  • Part of subcall function 012795E0: MoveToEx.GDI32(?,?,?,00000000), ref: 012795FD
                                  • Part of subcall function 012795E0: LineTo.GDI32(?,?,?), ref: 0127960C
                                • CreatePolygonRgn.GDI32(?,00000008,00000002), ref: 012A4726
                                • FillRect.USER32(00000002,?,00000000), ref: 012A47C8
                                  • Part of subcall function 0127A3A8: __EH_prolog3.LIBCMT ref: 0127A3AF
                                  • Part of subcall function 0127A3A8: CreateSolidBrush.GDI32(?), ref: 0127A3CA
                                • FillRect.USER32(00000002,?,?), ref: 012A4798
                                • Polyline.GDI32(00000002,?,00000008), ref: 012A47DF
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 01279B4B: SelectClipRgn.GDI32(?,00000000), ref: 01279B71
                                  • Part of subcall function 01279B4B: SelectClipRgn.GDI32(?,?), ref: 01279B87
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Select$CreateMove$ClipFillH_prolog3ObjectRect$BrushException@8H_prolog3_H_prolog3_catch_LinePolygonPolylineSolidThrow
                                • String ID:
                                • API String ID: 3326447015-0
                                • Opcode ID: f655d712bd9a54d59903d0e9c3a2dabbd0974cf600a52ff6848dce1f4ea92043
                                • Instruction ID: b7fd422a1253e08dca08b648c4a82d9d7d892ca781c107d31e86983b28153e7d
                                • Opcode Fuzzy Hash: f655d712bd9a54d59903d0e9c3a2dabbd0974cf600a52ff6848dce1f4ea92043
                                • Instruction Fuzzy Hash: 64A1A870D1035ACFDF14DFA8C880AEDBBB9BF58300F588169EA09AB255DB709A45CF50
                                Uniqueness

                                Uniqueness Score: 5.54%

                                C-Code - Quality: 98%
                                			E012FE50B(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				int _t139;
                                				intOrPtr _t148;
                                				struct HDC__* _t151;
                                				intOrPtr _t159;
                                				void* _t163;
                                				int _t165;
                                				signed int _t171;
                                				intOrPtr _t176;
                                				intOrPtr _t177;
                                				signed int _t182;
                                				int _t183;
                                				intOrPtr _t191;
                                				int _t200;
                                				int _t204;
                                				signed int _t208;
                                				signed int _t211;
                                				int _t223;
                                				signed int _t230;
                                				void* _t232;
                                				signed int _t235;
                                				int _t237;
                                				void* _t238;
                                				void* _t242;
                                				intOrPtr _t254;
                                
                                				_push(0x58);
                                				_t139 = L01369601(0x1384870, __ebx, __edi, __esi);
                                				 *((intOrPtr*)(_t242 - 0x24)) = __ecx;
                                				if( *(_t242 + 0x18) != 0xffffffff) {
                                					_t230 =  *(_t242 + 8);
                                					_t182 =  *(_t242 + 0xc);
                                					_t235 =  *((intOrPtr*)(_t242 + 0x10)) - _t230;
                                					 *(_t242 - 0x10) = _t230;
                                					 *(_t242 + 0xc) = _t182;
                                					 *(_t242 + 8) = L0136B5DE(__edx, _t235);
                                					 *(_t242 - 0x20) =  *((intOrPtr*)(_t242 + 0x14)) - _t182;
                                					_t139 = L0136B5DE(__edx,  *((intOrPtr*)(_t242 + 0x14)) - _t182);
                                					 *(_t242 - 0x14) = _t139;
                                					if(_t235 != 0) {
                                						__eflags = _t235;
                                						_t14 = _t235 > 0;
                                						__eflags = _t14;
                                						_t208 = 0 | _t14;
                                						_t209 = _t208 + _t208 - 1;
                                						 *((intOrPtr*)(_t242 - 0x1c)) = _t208 + _t208 - 1;
                                					} else {
                                						 *((intOrPtr*)(_t242 - 0x1c)) = 0;
                                					}
                                					if( *(_t242 - 0x20) != 0) {
                                						__eflags =  *(_t242 - 0x20);
                                						_t22 =  *(_t242 - 0x20) > 0;
                                						__eflags = _t22;
                                						_t211 = 0 | _t22;
                                						_t209 = _t211 + _t211 - 1;
                                						 *((intOrPtr*)(_t242 - 0x18)) = _t211 + _t211 - 1;
                                					} else {
                                						 *((intOrPtr*)(_t242 - 0x18)) = 0;
                                					}
                                					if( *(_t242 + 8) != 0 || _t139 != 0) {
                                						 *((intOrPtr*)(_t242 - 0x4c)) =  *((intOrPtr*)(_t242 + 0x10));
                                						 *(_t242 - 0x54) = _t230;
                                						 *(_t242 - 0x50) = _t182;
                                						 *((intOrPtr*)(_t242 - 0x48)) =  *((intOrPtr*)(_t242 + 0x14));
                                						E012FC0BD(_t242 - 0x54);
                                						_t231 =  *(_t242 - 0x50);
                                						_t148 =  *((intOrPtr*)(_t242 - 0x4c)) + 1;
                                						_t191 =  *((intOrPtr*)(_t242 - 0x48)) + 1;
                                						 *((intOrPtr*)(_t242 - 0x48)) = _t191;
                                						 *((intOrPtr*)(_t242 - 0x4c)) = _t148;
                                						_t139 = _t148 -  *(_t242 - 0x54);
                                						_t183 = _t191 - _t231;
                                						 *(_t242 - 0x3c) = _t139;
                                						 *(_t242 - 0x38) = _t183;
                                						if(_t139 != 0 && _t183 != 0) {
                                							L0127976C(_t242 - 0x64);
                                							_t151 =  *( *((intOrPtr*)(_t242 - 0x24)) + 4);
                                							 *(_t242 - 4) =  *(_t242 - 4) & 0x00000000;
                                							if(_t151 != 0) {
                                								_t151 =  *(_t151 + 4);
                                							}
                                							if(L01279DC3(_t183, _t242 - 0x64, _t209, _t231, CreateCompatibleDC(_t151)) != 0) {
                                								 *(_t242 - 0x30) =  *(_t242 - 0x30) & 0x00000000;
                                								_t236 = 0x138f588;
                                								 *(_t242 - 0x34) = 0x138f588;
                                								 *(_t242 - 4) = 1;
                                								if(E0127A097(_t183, _t242 - 0x34, _t209, _t231, CreateCompatibleBitmap( *( *( *((intOrPtr*)(_t242 - 0x24)) + 4) + 4),  *(_t242 - 0x3c), _t183)) == 0) {
                                									L35:
                                									 *(_t242 - 4) = 0;
                                									 *(_t242 - 0x34) = _t236;
                                								} else {
                                									_t159 = E0127A14E( *(_t242 - 0x60),  *(_t242 - 0x30));
                                									_t254 = _t159;
                                									_t199 = 0 | _t254 == 0x00000000;
                                									 *((intOrPtr*)(_t242 - 0x28)) = _t159;
                                									if(_t254 == 0) {
                                										L01277AC9(_t199);
                                									}
                                									_t163 = E012FC0DC(_t242 - 0x3c, _t242 - 0x20);
                                									 *(_t242 - 0x2c) = _t163;
                                									if(_t163 == 0 ||  *(_t242 - 0x20) == 0) {
                                										goto L35;
                                									} else {
                                										SelectObject( *(_t242 - 0x60), _t163);
                                										_t165 =  *(_t242 - 0x14);
                                										_t200 =  *(_t242 + 8);
                                										 *((char*)(_t242 + 0x13)) = 0;
                                										if(_t165 > _t200) {
                                											 *(_t242 + 8) = _t165;
                                											 *((char*)(_t242 + 0x13)) = 1;
                                											_t165 = _t200;
                                										}
                                										_t237 = _t165 + _t165;
                                										 *(_t242 - 0x14) = _t237;
                                										_t238 = _t237 -  *(_t242 + 8);
                                										_t171 = (( *(_t242 + 0x18) & 0x000000ff | 0xffffff00) << 0x00000008 |  *(_t242 + 0x18) >> 0x00000008 & 0x000000ff) << 0x00000008 |  *(_t242 + 0x18) >> 0x00000010 & 0x000000ff;
                                										_t204 =  *(_t242 - 0x38);
                                										 *((intOrPtr*)(_t242 + 0x14)) = 1;
                                										do {
                                											 *( *(_t242 - 0x20) + ((_t231 -  *(_t242 + 0xc) + _t204 - 1) *  *(_t242 - 0x3c) -  *(_t242 - 0x54) +  *(_t242 - 0x10)) * 4) = _t171;
                                											if(_t238 >= 0) {
                                												do {
                                													if( *((char*)(_t242 + 0x13)) == 0) {
                                														_t93 = _t242 + 0xc;
                                														 *_t93 =  *(_t242 + 0xc) +  *((intOrPtr*)(_t242 - 0x18));
                                														__eflags =  *_t93;
                                													} else {
                                														 *(_t242 - 0x10) =  *(_t242 - 0x10) +  *((intOrPtr*)(_t242 - 0x1c));
                                													}
                                													_t238 = _t238 -  *(_t242 + 8) +  *(_t242 + 8);
                                												} while (_t238 >= 0);
                                											}
                                											if( *((char*)(_t242 + 0x13)) == 0) {
                                												_t101 = _t242 - 0x10;
                                												 *_t101 =  *(_t242 - 0x10) +  *((intOrPtr*)(_t242 - 0x1c));
                                												__eflags =  *_t101;
                                											} else {
                                												 *(_t242 + 0xc) =  *(_t242 + 0xc) +  *((intOrPtr*)(_t242 - 0x18));
                                											}
                                											_t238 = _t238 +  *(_t242 - 0x14);
                                											 *((intOrPtr*)(_t242 + 0x14)) =  *((intOrPtr*)(_t242 + 0x14)) + 1;
                                										} while ( *((intOrPtr*)(_t242 + 0x14)) <=  *(_t242 + 8));
                                										_t232 = _t231 -  *(_t242 + 0xc);
                                										_t223 =  *(_t242 - 0x3c);
                                										_t231 =  *(_t242 - 0x20);
                                										 *(_t242 - 0x38) = _t204;
                                										_t236 = (_t232 + _t204 - 1) * _t223 -  *(_t242 - 0x54) +  *(_t242 - 0x10);
                                										 *( *(_t242 - 0x20) + ((_t232 + _t204 - 1) * _t223 -  *(_t242 - 0x54) +  *(_t242 - 0x10)) * 4) = _t171;
                                										_t183 = 0;
                                										 *((intOrPtr*)(_t242 - 0x44)) = 0;
                                										 *(_t242 - 0x3c) = _t223;
                                										 *((intOrPtr*)(_t242 - 0x40)) = 0;
                                										E012FCE61( *((intOrPtr*)(_t242 - 0x24)),  *( *((intOrPtr*)(_t242 - 0x24)) + 4), _t242 - 0x54, _t242 - 0x64, _t242 - 0x44);
                                										_t176 =  *((intOrPtr*)(_t242 - 0x28));
                                										_t265 = _t176;
                                										if(_t176 != 0) {
                                											_t177 =  *((intOrPtr*)(_t176 + 4));
                                										} else {
                                											_t177 = 0;
                                										}
                                										E0127A14E( *(_t242 - 0x60), _t177);
                                										DeleteObject( *(_t242 - 0x2c));
                                										 *(_t242 - 4) = _t183;
                                										 *(_t242 - 0x34) = 0x138f588;
                                									}
                                								}
                                								E0127A27E(_t183, _t242 - 0x34, _t231, _t236, _t265);
                                							}
                                							 *(_t242 - 4) =  *(_t242 - 4) | 0xffffffff;
                                							_t139 = L01279E44(_t242 - 0x64);
                                						}
                                					}
                                				}
                                				return L013696D9(_t139);
                                			}
                                0x012fe775
                                0x012fe775
                                0x012fe780
                                0x012fe788
                                0x012fe78e
                                0x012fe791
                                0x012fe791
                                0x012fe66d
                                0x012fe7a4
                                0x012fe7a4
                                0x012fe7a9
                                0x012fe7b0
                                0x012fe7b0
                                0x012fe5c8
                                0x012fe586
                                0x012fe7ba

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012FE512
                                • CreateCompatibleDC.GDI32(?), ref: 012FE5F0
                                • CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 012FE624
                                • DeleteObject.GDI32(?), ref: 012FE788
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 012FC0DC: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 012FC156
                                • SelectObject.GDI32(?,00000000), ref: 012FE681
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 0127A14E: SelectObject.GDI32(?,?), ref: 0127A159
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CreateObject$CompatibleDeleteSelect$BitmapException@8H_prolog3H_prolog3_catch_SectionThrow
                                • String ID:
                                • API String ID: 3204590787-0
                                • Opcode ID: b1714838fa77e25eeefcbdbf6eb1561c985ec8a692ea34b8f439486db6c9b34f
                                • Instruction ID: 89e915e906ee7ec1dd7e4498f133e0b7a4922adfb6f80b3cec3944dcc7af5dd4
                                • Opcode Fuzzy Hash: b1714838fa77e25eeefcbdbf6eb1561c985ec8a692ea34b8f439486db6c9b34f
                                • Instruction Fuzzy Hash: FFA17A71D1021ADFCF19CFA8C9849EEFBB5BF48304F168129EA05A7264D734AA05CF90
                                Uniqueness

                                Uniqueness Score: 1.97%

                                C-Code - Quality: 97%
                                			E012C4E4B(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                				int _v8;
                                				struct HWND__* _v12;
                                				intOrPtr* _v16;
                                				intOrPtr _v20;
                                				intOrPtr _v24;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				intOrPtr* _t63;
                                				struct HWND__* _t66;
                                				intOrPtr _t67;
                                				intOrPtr _t78;
                                				void* _t82;
                                				void* _t85;
                                				intOrPtr _t89;
                                				intOrPtr _t91;
                                				intOrPtr* _t94;
                                				signed int _t96;
                                				void* _t101;
                                				intOrPtr* _t102;
                                				void* _t107;
                                				void* _t108;
                                				void* _t112;
                                				void* _t113;
                                				RECT* _t114;
                                				void* _t115;
                                				intOrPtr* _t116;
                                				void* _t119;
                                				intOrPtr* _t150;
                                				intOrPtr* _t151;
                                				intOrPtr* _t152;
                                				intOrPtr* _t153;
                                				signed int _t154;
                                				void* _t157;
                                				void* _t184;
                                
                                				_t147 = __edx;
                                				_t150 = __ecx;
                                				_t63 = E012789CC(0x1391888, L01283CA8(__ecx));
                                				_pop(_t119);
                                				_t151 = _t63;
                                				_v16 = _t151;
                                				_t113 = E012789CC(0x139096c, E01282D05(_t112, _t119, __edx, _a4));
                                				_t66 = 0;
                                				_v8 = 0;
                                				if( *((intOrPtr*)(_t151 + 0x140)) == 0) {
                                					_t157 =  *0x13d0188 - _t66; // 0x1
                                					if(_t157 == 0) {
                                						SendMessageW( *(_t150 + 0x20), 0xb, 0, 0);
                                						_t66 = 0;
                                					}
                                				}
                                				_v12 = _t66;
                                				if(_t113 == _t66) {
                                					L24:
                                					_t152 = _t150 + 0x74;
                                					_t114 = 0;
                                					if(_t152 != 0 &&  *((intOrPtr*)(_t152 + 0x20)) != 0) {
                                						_t78 =  *((intOrPtr*)( *_t152 + 0x178))();
                                						_v24 = _t78;
                                						_t115 =  *((intOrPtr*)( *_t152 + 0x218))(_a4);
                                						if(_t115 >= 0) {
                                							_t85 = E012789CC(0x139096c,  *((intOrPtr*)( *_t152 + 0x1ac))(_t115));
                                							if(_t85 != 0) {
                                								 *(_t85 + 0x11c) = 1;
                                							}
                                							 *((intOrPtr*)( *_t152 + 0x194))(_t115, 1);
                                						}
                                						_t82 =  *((intOrPtr*)( *_t152 + 0x178))();
                                						_t114 = 0;
                                						_v8 = 0 | _v24 != _t82;
                                					}
                                					_t122 = _t150;
                                					_t67 = E01282C5F(_t114, _t150, _t150, 0);
                                					_t153 = _v16;
                                					_a4 = _t67;
                                					if(_v8 != _t114) {
                                						_t122 = _t153;
                                						 *((intOrPtr*)( *_t153 + 0x174))(1);
                                					}
                                					if( *((intOrPtr*)(_t153 + 0x140)) == _t114) {
                                						if(IsWindow(_v12) != 0) {
                                							_t122 = _t150;
                                							L012C37FC(_t150, _t147, _v12);
                                						}
                                						if( *((intOrPtr*)(_t153 + 0x140)) == _t114) {
                                							_t184 =  *0x13d0188 - _t114; // 0x1
                                							if(_t184 == 0) {
                                								SendMessageW( *(_t150 + 0x20), 0xb, 1, _t114);
                                								RedrawWindow( *(E01282D05(_t114, _t122, _t147, GetParent( *(_t150 + 0x20))) + 0x20), _t114, _t114, 0x185);
                                							}
                                						}
                                					}
                                					return _a4;
                                				}
                                				_t154 =  *(_t113 + 0x118);
                                				 *(_t113 + 0x118) =  *(_t113 + 0x118) & 0x00000000;
                                				if(_t154 == 0) {
                                					goto L24;
                                				}
                                				_t89 =  *((intOrPtr*)( *_t154 + 0x178))();
                                				_v24 = _t89;
                                				_t91 =  *((intOrPtr*)( *_t154 + 0x218))(_a4);
                                				_v20 = _t91;
                                				_t161 = _t91;
                                				if(_t91 >= 0) {
                                					 *(_t113 + 0x11c) = 1;
                                				}
                                				_t94 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(E012792EF(_t113, _t150, _t154, _t161) + 4)))) + 0xfc))();
                                				if(_t94 == 0 ||  *((intOrPtr*)( *_t94 + 0x30))() == 0) {
                                					_t96 = 1;
                                					__eflags = 1;
                                				} else {
                                					_t96 = 0;
                                				}
                                				_t147 =  *_t154;
                                				 *((intOrPtr*)( *_t154 + 0x194))(_v20, _t96);
                                				if( *((intOrPtr*)( *_t154 + 0x1a8))() != 0) {
                                					_t101 =  *((intOrPtr*)( *_t154 + 0x178))();
                                					__eflags = _v24 - _t101;
                                					_t34 = _v24 != _t101;
                                					__eflags = _t34;
                                					_v8 = 0 | _t34;
                                					goto L24;
                                				} else {
                                					_t102 = L012E779D(_t150 + 0x28d0, _t154, _t99);
                                					if(_t102 == 0) {
                                						goto L24;
                                					}
                                					if( *((intOrPtr*)(_t150 + 0x28dc)) <= 1 ||  *((intOrPtr*)(_t154 + 0x24c)) == 0) {
                                						L22:
                                						_push(1);
                                						E012C4CCD(_t150, _t147, _t154);
                                						goto L24;
                                					} else {
                                						_t104 =  *_t102;
                                						if( *_t102 != 0) {
                                							L17:
                                							_t116 = E012789CC(0x139900c,  *((intOrPtr*)(_t104 + 8)));
                                							if(_t116 != 0) {
                                								_t107 =  *((intOrPtr*)( *_t116 + 0x208))();
                                								if(_t107 == 0xffffffff) {
                                									_t107 = 0;
                                								}
                                								_t147 =  *_t116;
                                								_t108 =  *((intOrPtr*)( *_t116 + 0x1ac))(_t107);
                                								if(_t108 != 0) {
                                									_v12 =  *(_t108 + 0x20);
                                								}
                                							}
                                							goto L22;
                                						}
                                						_t104 =  *((intOrPtr*)(_t150 + 0x28d4));
                                						if( *((intOrPtr*)(_t150 + 0x28d4)) == 0) {
                                							goto L22;
                                						}
                                						goto L17;
                                					}
                                				}
                                			}








































                                APIs
                                  • Part of subcall function 01283CA8: GetParent.USER32(?), ref: 01283CD2
                                • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 012C4EA2
                                  • Part of subcall function 012C4CCD: GetWindowRect.USER32 ref: 012C4D95
                                  • Part of subcall function 012C4CCD: GetWindowRect.USER32 ref: 012C4DAD
                                  • Part of subcall function 012C4CCD: UnionRect.USER32(?,?,?), ref: 012C4DB8
                                • IsWindow.USER32(?), ref: 012C5069
                                • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 012C50B4
                                  • Part of subcall function 012C37FC: GetClientRect.USER32 ref: 012C388A
                                  • Part of subcall function 012C37FC: IsRectEmpty.USER32 ref: 012C3894
                                • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 012C5095
                                • GetParent.USER32(?), ref: 012C509E
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Window$MessageParentSend$ClientEmptyRedrawUnion
                                • String ID:
                                • API String ID: 3813728443-0
                                • Opcode ID: da307d3fad058b788d992b6fc0da10a2bbc7c0d26bf46e069216b4364d2022a6
                                • Instruction ID: 7280ad560952f5a9aa1e79fbc8f9f13cc77bad61a8b8f94a013b31fffb335c1f
                                • Opcode Fuzzy Hash: da307d3fad058b788d992b6fc0da10a2bbc7c0d26bf46e069216b4364d2022a6
                                • Instruction Fuzzy Hash: E3717C30710602AFEB25AF78C898AAE7BE5FF08705F04427DEB45DB291DB319940CB91
                                Uniqueness

                                Uniqueness Score: 4.31%

                                C-Code - Quality: 56%
                                			E012EE23B(intOrPtr* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, char _a4, intOrPtr _a8) {
                                				signed int _v0;
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				int _v44;
                                				char _v48;
                                				struct HDWP__* _v52;
                                				signed int _v72;
                                				intOrPtr _v92;
                                				intOrPtr _v96;
                                				intOrPtr _v100;
                                				char _v104;
                                				intOrPtr _v108;
                                				void* __ebp;
                                				signed int _t69;
                                				int _t71;
                                				signed int _t73;
                                				signed int _t77;
                                				signed int _t84;
                                				signed int _t89;
                                				struct HDWP__* _t101;
                                				intOrPtr* _t104;
                                				void* _t105;
                                				intOrPtr* _t106;
                                				void* _t107;
                                				void* _t114;
                                				long _t116;
                                				signed int _t117;
                                				void* _t118;
                                				void* _t121;
                                				intOrPtr* _t122;
                                				void* _t123;
                                				signed int _t125;
                                				signed int _t126;
                                				signed int _t127;
                                
                                				_t114 = __edx;
                                				_t108 = __ecx;
                                				_t104 = __ebx;
                                				_t69 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t69 ^ _t125;
                                				_push(__ebx);
                                				_push(__esi);
                                				_t121 = __ecx;
                                				_t71 =  *(__ecx + 0x28);
                                				_push(__edi);
                                				_t116 = 0;
                                				_v48 = __ecx;
                                				if(_t71 != 0) {
                                					while(1) {
                                						__eflags = _t71 - _t116;
                                						if(__eflags == 0) {
                                							break;
                                						}
                                						_t104 =  *((intOrPtr*)(_t71 + 8));
                                						_v44 =  *_t71;
                                						_t108 = _t104;
                                						_t71 =  *((intOrPtr*)( *_t104 + 0x178))();
                                						__eflags = _t71;
                                						if(_t71 != 0) {
                                							L6:
                                							__eflags = _t104 - _a8;
                                							if(_t104 != _a8) {
                                								_v40.left = _t116;
                                								_v40.top = _t116;
                                								_v40.right = _t116;
                                								_v40.bottom = _t116;
                                								GetWindowRect( *(_t104 + 0x20),  &_v40);
                                								__eflags = _a4;
                                								_t108 = _t104;
                                								if(_a4 == 0) {
                                									_t71 = E012E8F7E(_t108, _t114);
                                								} else {
                                									_v24.left = _t116;
                                									_v24.top = _t116;
                                									_v24.right = _t116;
                                									_v24.bottom = _t116;
                                									L012E90AB(_t104, _t108, _t114,  &_v24);
                                									_t71 = EqualRect( &_v24,  &_v40);
                                									__eflags = _t71;
                                									if(_t71 == 0) {
                                										_t101 = BeginDeferWindowPos( *(_t121 + 0x30));
                                										_t108 = _v48;
                                										_v52 = _t101;
                                										_push( &_v52);
                                										_t127 = _t127 - 0x10;
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										_push(_t104);
                                										asm("movsd");
                                										L012EDCBB(_t108, _t114);
                                										_t71 = EndDeferWindowPos(_v52);
                                										_t121 = _v48;
                                										_t116 = 0;
                                									}
                                								}
                                							}
                                						} else {
                                							__eflags =  *((intOrPtr*)(_t121 + 4)) - _t116;
                                							if( *((intOrPtr*)(_t121 + 4)) != _t116) {
                                								goto L6;
                                							}
                                						}
                                						__eflags = _v44 - _t116;
                                						if(_v44 != _t116) {
                                							_t71 = _v44;
                                							continue;
                                						} else {
                                							goto L1;
                                						}
                                						goto L32;
                                					}
                                					L01277AC9(_t108);
                                					asm("int3");
                                					_push(_t125);
                                					_t126 = _t127;
                                					_t73 =  *0x13d3570; // 0x99b5b578
                                					_v72 = _t73 ^ _t126;
                                					_push(_t104);
                                					_push(_t121);
                                					_t105 = 0;
                                					_push(_t116);
                                					_t122 = _t108;
                                					_v104 = 0;
                                					_v100 = 0;
                                					_v96 = 0;
                                					_v92 = 0;
                                					L012ED9A7(_t108, __eflags,  &_v104);
                                					_t117 =  *(_t122 + 0x28);
                                					_v108 = 0;
                                					__eflags = _t117;
                                					if(_t117 != 0) {
                                						while(1) {
                                							_t77 = _t117;
                                							__eflags = _t117 - _t105;
                                							if(_t117 == _t105) {
                                								break;
                                							}
                                							_t106 =  *((intOrPtr*)(_t77 + 8));
                                							_t117 =  *_t117;
                                							_t108 = _t106;
                                							_t84 =  *((intOrPtr*)( *_t106 + 0x178))();
                                							__eflags = _t84;
                                							if(_t84 != 0) {
                                								L20:
                                								__eflags = _v0;
                                								_v40.bottom = 0;
                                								_v24.left = 0;
                                								_v24.top = 0;
                                								_v24.right = 0;
                                								_push( &(_v40.bottom));
                                								if(_v0 == 0) {
                                									GetWindowRect( *(_t106 + 0x20), ??);
                                								} else {
                                									_t108 = _t106;
                                									L012E90AB(_t106, _t106, _t114);
                                								}
                                								__eflags =  *(_t122 + 0x40) & 0x0000a000;
                                								if(( *(_t122 + 0x40) & 0x0000a000) == 0) {
                                									_t89 = _v24.right - _v24.left;
                                									__eflags = _t89;
                                								} else {
                                									_t89 = _v24.top - _v40.bottom;
                                								}
                                								_t63 =  &_v48;
                                								 *_t63 = _v48 + _t89;
                                								__eflags =  *_t63;
                                							} else {
                                								__eflags =  *((intOrPtr*)(_t122 + 4)) - _t84;
                                								if( *((intOrPtr*)(_t122 + 4)) != _t84) {
                                									goto L20;
                                								}
                                							}
                                							__eflags = _t117;
                                							if(_t117 != 0) {
                                								_t105 = 0;
                                								__eflags = 0;
                                								continue;
                                							} else {
                                								goto L14;
                                							}
                                							goto L31;
                                						}
                                						L01277AC9(_t108);
                                						goto L30;
                                					} else {
                                						L14:
                                						__eflags =  *(_t122 + 0x40) & 0x0000a000;
                                						_pop(_t117);
                                						_pop(_t122);
                                						_pop(_t105);
                                						if(( *(_t122 + 0x40) & 0x0000a000) == 0) {
                                							L30:
                                							_t80 = _v40.right - _v40.left;
                                							__eflags = _v40.right - _v40.left;
                                						} else {
                                							_t80 = _v40.top - _v44;
                                						}
                                					}
                                					L31:
                                					__eflags = _v24.bottom ^ _t126;
                                					return L01367D3E(_t80 - _v48, _t105, _v24.bottom ^ _t126, _t114, _t117, _t122);
                                				} else {
                                					L1:
                                					_pop(_t118);
                                					_pop(_t123);
                                					_pop(_t107);
                                					return L01367D3E(_t71, _t107, _v8 ^ _t125, _t114, _t118, _t123);
                                				}
                                				L32:
                                			}


                                APIs
                                • GetWindowRect.USER32 ref: 012EE2B5
                                • EqualRect.USER32 ref: 012EE2E0
                                • BeginDeferWindowPos.USER32 ref: 012EE2ED
                                  • Part of subcall function 012EDCBB: GetWindowRect.USER32 ref: 012EDCEA
                                • EndDeferWindowPos.USER32(?), ref: 012EE312
                                  • Part of subcall function 012E8F7E: GetWindowRect.USER32 ref: 012E8F94
                                  • Part of subcall function 012E8F7E: GetParent.USER32(?), ref: 012E8FD6
                                  • Part of subcall function 012E8F7E: GetParent.USER32(?), ref: 012E8FE6
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 012E90AB: GetParent.USER32(?), ref: 012E90C5
                                • GetWindowRect.USER32 ref: 012EE3C7
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Rect$Parent$DeferExceptionFilterProcessUnhandled$BeginCurrentDebuggerEqualException@8PresentTerminateThrow
                                • String ID:
                                • API String ID: 2449331517-0
                                • Opcode ID: 1be8ec330359258c2d7a2addc02a315c75f544b3beb293cada2dc3be15290007
                                • Instruction ID: 3d831d941ba1ae26ccdaa6f62907fe2592f8557b2e7a27c42fc07e1c22b98321
                                • Opcode Fuzzy Hash: 1be8ec330359258c2d7a2addc02a315c75f544b3beb293cada2dc3be15290007
                                • Instruction Fuzzy Hash: 4C512971D1020ADFDF10DFA9C9889EEBBF9FF48310B95456AE605E7214DB70AA40CB61
                                Uniqueness

                                Uniqueness Score: 1.40%

                                C-Code - Quality: 91%
                                			E012D04B7(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                				signed int _t57;
                                				void* _t59;
                                				void* _t60;
                                				signed int _t63;
                                				void* _t67;
                                				signed int _t69;
                                				signed int _t70;
                                				signed int _t75;
                                				signed int _t87;
                                				signed int _t102;
                                				intOrPtr _t117;
                                				void* _t118;
                                				signed int _t121;
                                				intOrPtr _t122;
                                				void* _t123;
                                				void* _t131;
                                
                                				_t131 = __fp0;
                                				_t119 = __esi;
                                				_t115 = __edx;
                                				_push(0x18);
                                				L01369601(0x13829c6, __ebx, __edi, __esi);
                                				_t117 = __ecx;
                                				 *((intOrPtr*)(_t123 - 0x14)) = __ecx;
                                				L3:
                                				_t125 =  *((intOrPtr*)(_t117 + 0xbf0));
                                				if( *((intOrPtr*)(_t117 + 0xbf0)) != 0) {
                                					_t57 = L01289E4C(_t117 + 0xbe4);
                                					__eflags = _t57;
                                					if(__eflags != 0) {
                                						_t115 =  *_t57;
                                						 *((intOrPtr*)( *_t57 + 4))(1);
                                					}
                                					goto L3;
                                				}
                                				_t59 = E012789CC(0x139d2fc,  *((intOrPtr*)(E012792EF(0, _t117, _t119, _t125) + 4)));
                                				if(_t59 == 0 ||  *((intOrPtr*)(_t59 + 0xf0)) == 0) {
                                					L8:
                                					_t60 = 0;
                                					goto L9;
                                				} else {
                                					_t120 = 0x1390764;
                                					 *((intOrPtr*)(_t123 - 0x24)) = 0x1390764;
                                					 *(_t123 - 0x20) = 0;
                                					 *(_t123 - 4) = 0;
                                					if(L0129521C(_t123 - 0x24, _t115,  *(_t123 + 8)) != 0) {
                                						_t63 = GetMenuItemCount( *(_t123 - 0x20));
                                						 *(_t123 - 0x18) = _t63;
                                						 *(_t123 + 8) = 0;
                                						__eflags = _t63;
                                						if(_t63 <= 0) {
                                							L30:
                                							 *(_t123 - 4) =  *(_t123 - 4) | 0xffffffff;
                                							 *((intOrPtr*)(_t123 - 0x24)) = _t120;
                                							L012893D0(_t123 - 0x24);
                                							_t60 = 1;
                                							L9:
                                							return L013696D9(_t60);
                                						} else {
                                							do {
                                								_t121 = GetMenuItemID( *(_t123 - 0x20),  *(_t123 + 8));
                                								_t67 = E0127859A();
                                								_t98 = _t123 - 0x10;
                                								E01272410(_t123 - 0x10, _t67);
                                								 *(_t123 - 4) = 1;
                                								__eflags = _t121;
                                								if(__eflags == 0) {
                                									_t69 = E01274753(__eflags, 0x70);
                                									 *(_t123 - 0x1c) = _t69;
                                									 *(_t123 - 4) = 2;
                                									__eflags = _t69;
                                									if(__eflags == 0) {
                                										_t70 = 0;
                                										__eflags = 0;
                                									} else {
                                										_t70 = L012E5D99(_t69, __eflags);
                                									}
                                									__eflags = _t70;
                                									_t98 = 0 | __eflags != 0x00000000;
                                									 *(_t123 - 4) = 1;
                                									__eflags = __eflags != 0;
                                									if(__eflags == 0) {
                                										goto L31;
                                									} else {
                                										 *((intOrPtr*)(_t70 + 0x24)) = 1;
                                										goto L27;
                                									}
                                								} else {
                                									__eflags = _t121 - 0xffffffff;
                                									if(__eflags == 0) {
                                										_t121 = L01289341(0, _t98, _t115, _t117, _t121, __eflags, GetSubMenu( *(_t123 - 0x20),  *(_t123 + 8)));
                                										__eflags = _t121;
                                										__eflags = 0 | _t121 != 0x00000000;
                                										if(__eflags == 0) {
                                											L31:
                                											L01277AC9(_t98);
                                											asm("int3");
                                											_push(4);
                                											L01369601(0x1388f3a, 0, _t117, _t121);
                                											_t102 = E01274753(__eflags, 0xd18);
                                											 *(_t123 - 0x10) = _t102;
                                											_t75 = 0;
                                											 *(_t123 - 4) = 0;
                                											__eflags = _t102;
                                											if(__eflags != 0) {
                                												_t75 = L012CFE64(0, _t102, __eflags, _t131);
                                											}
                                											return L013696D9(_t75);
                                										} else {
                                											_t118 = E01278939(0,  *((intOrPtr*)(_t117 + 0xd14)), _t117, _t121, __eflags);
                                											__eflags = _t121;
                                											if(__eflags != 0) {
                                												_t122 =  *((intOrPtr*)(_t121 + 4));
                                											} else {
                                												_t122 = 0;
                                											}
                                											L012DDC12(_t118, _t118, __eflags, 0, _t122, 0xffffffff,  *(_t123 - 0x10), 0);
                                											L01289F0E( *((intOrPtr*)(_t123 - 0x14)) + 0xbe4, __eflags, _t118);
                                											_t117 =  *((intOrPtr*)(_t123 - 0x14));
                                											goto L28;
                                										}
                                									} else {
                                										_t87 = E01274753(__eflags, 0x70);
                                										 *(_t123 - 0x1c) = _t87;
                                										 *(_t123 - 4) = 3;
                                										__eflags = _t87;
                                										if(__eflags == 0) {
                                											_t70 = 0;
                                											__eflags = 0;
                                										} else {
                                											_push(0);
                                											_push(0);
                                											_push( *(_t123 - 0x10));
                                											_push(0xffffffff);
                                											_push(_t121);
                                											_t70 = L012E7314(0, _t87, _t115, _t117, _t121, __eflags);
                                										}
                                										 *(_t123 - 4) = 1;
                                										L27:
                                										L01289F0E(_t117 + 0xbe4, __eflags, _t70);
                                										goto L28;
                                									}
                                								}
                                								goto L34;
                                								L28:
                                								 *(_t123 - 4) = 0;
                                								L01271470( *(_t123 - 0x10) + 0xfffffff0, _t115);
                                								 *(_t123 + 8) =  *(_t123 + 8) + 1;
                                								__eflags =  *(_t123 + 8) -  *(_t123 - 0x18);
                                							} while ( *(_t123 + 8) <  *(_t123 - 0x18));
                                							_t120 = 0x1390764;
                                							goto L30;
                                						}
                                					} else {
                                						 *(_t123 - 4) =  *(_t123 - 4) | 0xffffffff;
                                						 *((intOrPtr*)(_t123 - 0x24)) = 0x1390764;
                                						L012893D0(_t123 - 0x24);
                                						goto L8;
                                					}
                                				}
                                				L34:
                                			}


                                APIs
                                • __EH_prolog3.LIBCMT ref: 012D04BE
                                • __EH_prolog3.LIBCMT ref: 012D0699
                                  • Part of subcall function 0129521C: LoadMenuW.USER32(?,?), ref: 01295232
                                • GetMenuItemCount.USER32(?), ref: 012D0545
                                • GetMenuItemID.USER32(?,?), ref: 012D055F
                                • GetSubMenu.USER32 ref: 012D05BB
                                  • Part of subcall function 01278939: __EH_prolog3_catch.LIBCMT ref: 01278940
                                  • Part of subcall function 012E7314: __EH_prolog3.LIBCMT ref: 012E731B
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Menu$H_prolog3$Item$CountException@8H_prolog3_catchLoadThrow_malloc
                                • String ID:
                                • API String ID: 2647612901-0
                                • Opcode ID: 76f6565cf389ca6b447861650b263cccb1544b2f89c2455bc3a35f6ff412dd9a
                                • Instruction ID: 563ef7b9d2859076f5c284764833117985892427623f522a3019823a705107f6
                                • Opcode Fuzzy Hash: 76f6565cf389ca6b447861650b263cccb1544b2f89c2455bc3a35f6ff412dd9a
                                • Instruction Fuzzy Hash: 9051C371924217DFCF14FFB4C9846FDBAB0AF54328F204169E616A72E0DB704A44CBA5
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 62%
                                			E012DA779(intOrPtr* __ecx, void* __edx, long _a4) {
                                				void* __ebx;
                                				intOrPtr _t29;
                                				void* _t35;
                                				intOrPtr _t36;
                                				void* _t51;
                                				intOrPtr _t52;
                                				long _t55;
                                				intOrPtr* _t59;
                                				void* _t62;
                                				void* _t68;
                                				intOrPtr* _t69;
                                				intOrPtr* _t72;
                                				void* _t73;
                                
                                				_t68 = __edx;
                                				_t55 = _a4;
                                				_t29 =  *((intOrPtr*)(_t55 + 4));
                                				_t69 = __ecx;
                                				_t73 = _t29 - 0x104;
                                				if(_t73 > 0) {
                                					if(_t29 < 0x200 || _t29 > 0x202 && (_t29 <= 0x203 || _t29 > 0x205 && _t29 + 0xfffffdf9 > 1)) {
                                						L18:
                                						if( *((intOrPtr*)(_t55 + 4)) != 0x100) {
                                							L32:
                                							if( *((intOrPtr*)(_t55 + 4)) != 0x100 ||  *((intOrPtr*)(_t55 + 8)) != 0x1b) {
                                								L43:
                                								return L012CBF9C(_t69, _t55);
                                							} else {
                                								_t59 = _t69;
                                								if( *((intOrPtr*)( *_t69 + 0x1b4))() >= 0) {
                                									goto L43;
                                								}
                                								_t35 = L012C74B8(0x13d0a78, _t68, E01282D05(_t55, _t59, _t68, GetParent( *(_t69 + 0x20))));
                                								if(_t35 == 0) {
                                									goto L43;
                                								}
                                								_t36 =  *((intOrPtr*)(_t35 + 0x1b8));
                                								if(_t36 == 0 ||  *((intOrPtr*)(_t36 + 8)) == 0 ||  *((intOrPtr*)(_t36 + 4)) == 0) {
                                									goto L43;
                                								} else {
                                									_t72 = E012789CC(0x13d04b0, E01282D05(_t55, 0x13d0a78, _t68, GetParent( *(_t69 + 0x20))));
                                									_pop(_t62);
                                									if(_t72 == 0 || E01282D05(_t55, _t62, _t68, GetCapture()) != _t72) {
                                										goto L43;
                                									} else {
                                										_push(0);
                                										_push(0);
                                										_push(0x1f);
                                										L42:
                                										_push( *((intOrPtr*)(_t72 + 0x20)));
                                										L23:
                                										PostMessageW();
                                										return 1;
                                									}
                                								}
                                							}
                                						}
                                						if(( *((intOrPtr*)( *_t69 + 0x1b4))() & 0x00000002) == 0 ||  *((char*)(_t69 + 0x2b4)) == 0 ||  *((intOrPtr*)(_t55 + 8)) != 0x1b) {
                                							if( *((intOrPtr*)(_t55 + 4)) != 0x100 ||  *((intOrPtr*)( *_t69 + 0x168))() == 0 ||  *((intOrPtr*)(_t55 + 8)) != 0x1b) {
                                								goto L32;
                                							} else {
                                								_t72 = L012CB8B6(_t55, _t69, _t68);
                                								_t51 =  *((intOrPtr*)( *_t72 + 0x224))(0);
                                								if( *((char*)(_t72 + 0x2b4)) != 0 || _t51 != 0 &&  *((char*)(_t51 + 0x99)) != 0) {
                                									_push(0);
                                									_push(0);
                                									_push(0x1f);
                                									if(_t51 == 0) {
                                										goto L42;
                                									}
                                									_push( *((intOrPtr*)(_t51 + 0x20)));
                                									goto L23;
                                								} else {
                                									goto L32;
                                								}
                                							}
                                						} else {
                                							_push(0);
                                							_push(0);
                                							_push(0x1f);
                                							_push( *(_t69 + 0x20));
                                							goto L23;
                                						}
                                					} else {
                                						L15:
                                						_t52 =  *((intOrPtr*)(_t69 + 0x338));
                                						if(_t52 != 0 &&  *(_t52 + 0x20) != 0) {
                                							SendMessageW( *(_t52 + 0x20), 0x407, 0, _t55);
                                						}
                                						goto L18;
                                					}
                                				}
                                				if(_t73 == 0) {
                                					goto L15;
                                				}
                                				if(_t29 < 0xa1) {
                                					goto L18;
                                				}
                                				if(_t29 <= 0xa2) {
                                					goto L15;
                                				}
                                				if(_t29 <= 0xa3) {
                                					goto L18;
                                				}
                                				if(_t29 <= 0xa5) {
                                					goto L15;
                                				}
                                				if(_t29 <= 0xa6) {
                                					goto L18;
                                				}
                                				if(_t29 <= 0xa8 || _t29 == 0x100) {
                                					goto L15;
                                				} else {
                                					goto L18;
                                				}
                                			}


                                APIs
                                • SendMessageW.USER32(00000000,00000407,00000000,?), ref: 012DA808
                                • PostMessageW.USER32 ref: 012DA842
                                  • Part of subcall function 012CB8B6: GetParent.USER32(?), ref: 012CB8E7
                                • GetParent.USER32(?), ref: 012DA8D5
                                  • Part of subcall function 012C74B8: GetParent.USER32(?), ref: 012C75B6
                                • GetParent.USER32(?), ref: 012DA905
                                • GetCapture.USER32 ref: 012DA920
                                  • Part of subcall function 012CBF9C: IsWindow.USER32(?), ref: 012CBFF6
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Parent$Message$CapturePostSendWindow
                                • String ID:
                                • API String ID: 2288035734-0
                                • Opcode ID: 10aa466d2eb6db86bdbefa05bc2cf5b85d1460a2e6d8b07f88980d1cbca9e3c7
                                • Instruction ID: df0a5a46e4c9a3626886b90d76bd4b94171b2c6690b7cca0e9d2cdfdbc2ed575
                                • Opcode Fuzzy Hash: 10aa466d2eb6db86bdbefa05bc2cf5b85d1460a2e6d8b07f88980d1cbca9e3c7
                                • Instruction Fuzzy Hash: 3151E530A603039BFF355B28C88AFBD7BA5AB04754F194176EB86DB1E2C774C881C652
                                Uniqueness

                                Uniqueness Score: 16.53%

                                C-Code - Quality: 59%
                                			E0134CE3D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                				struct HDC__* _t72;
                                				signed int _t74;
                                				void* _t81;
                                				void* _t104;
                                				void* _t106;
                                				intOrPtr* _t107;
                                				void* _t121;
                                				intOrPtr _t123;
                                				int _t127;
                                				void* _t130;
                                				void* _t135;
                                				void* _t147;
                                
                                				_t147 = __fp0;
                                				_t121 = __edx;
                                				_push(0x3c);
                                				L0136966A(0x13881ba, __ebx, __edi, __esi);
                                				_t123 =  *((intOrPtr*)(_t130 + 8));
                                				 *((intOrPtr*)(_t130 - 0x38)) =  *((intOrPtr*)(_t130 + 0xc));
                                				_t127 = 0;
                                				_t106 = __ecx;
                                				 *((intOrPtr*)(_t130 - 0x34)) = _t123;
                                				 *((intOrPtr*)(_t130 - 0x24)) =  *((intOrPtr*)(_t130 + 0x10));
                                				_t135 =  *0x13d96e4 - _t127; // 0x0
                                				if(_t135 != 0) {
                                					L2:
                                					 *((intOrPtr*)(_t130 - 0x28)) = 1;
                                				} else {
                                					_t104 = E0134C0A8();
                                					 *((intOrPtr*)(_t130 - 0x28)) = 0;
                                					if(_t104 == 2) {
                                						goto L2;
                                					}
                                				}
                                				L0127976C(_t130 - 0x48);
                                				 *(_t130 - 4) = _t127;
                                				if(_t123 != _t127) {
                                					_t72 =  *(_t123 + 4);
                                				} else {
                                					_t72 = 0;
                                				}
                                				_t74 = L01279DC3(_t106, _t130 - 0x48, _t121, _t123, CreateCompatibleDC(_t72));
                                				_t138 =  *((intOrPtr*)(_t130 - 0x28)) - _t127;
                                				if( *((intOrPtr*)(_t130 - 0x28)) == _t127) {
                                					 *(_t130 - 0x20) = _t127;
                                					 *(_t130 - 0x1c) = _t127;
                                					 *(_t130 - 0x18) = _t127;
                                					 *(_t130 - 0x14) = _t127;
                                					GetBoundsRect( *(_t123 + 8), _t130 - 0x20, _t127);
                                					 *(_t130 - 0x2c) = _t127;
                                					 *((intOrPtr*)(_t130 - 0x30)) = 0x138f578;
                                					 *(_t130 - 4) = 1;
                                					E0127A097(_t106, _t130 - 0x30, _t121, _t123, CreateSolidBrush( *0x13d96a0));
                                					FillRect( *(_t123 + 4), _t130 - 0x20,  *(_t130 - 0x2c));
                                					 *(_t130 - 4) = 0;
                                					 *((intOrPtr*)(_t130 - 0x30)) = 0x138f578;
                                					_t74 = E0127A27E(_t106, _t130 - 0x30, _t123, _t127, _t138);
                                				}
                                				if( *((intOrPtr*)(_t106 + 0xf9c)) == _t127) {
                                					E0134C1CB(_t123, _t106 + 0x1020,  *((intOrPtr*)(_t130 - 0x38)));
                                					__eflags =  *((intOrPtr*)(_t106 + 0x102c)) - _t127;
                                					if( *((intOrPtr*)(_t106 + 0x102c)) == _t127) {
                                						L15:
                                						E0134C1F7(_t123, _t106 + 0x1020,  *((intOrPtr*)(_t130 - 0x24)), 1, 1);
                                					} else {
                                						__eflags =  *0x13d96b4 - _t127; // 0x0
                                						if(__eflags != 0) {
                                							goto L15;
                                						} else {
                                							__eflags =  *((intOrPtr*)(_t106 + 0xf10)) - _t127;
                                							if( *((intOrPtr*)(_t106 + 0xf10)) == _t127) {
                                								goto L15;
                                							} else {
                                								__eflags =  *((intOrPtr*)(_t106 + 0xee4)) - _t127;
                                								if(__eflags == 0) {
                                									goto L15;
                                								} else {
                                									_push(0xca7041);
                                									E0127A3A8(_t106, _t130 - 0x30, _t121, _t123, _t127, __eflags);
                                									E0134C1F7(_t123, _t106 + 0x1020, _t130 - 0x30, 1, 1);
                                									 *((intOrPtr*)(_t130 - 0x30)) = 0x138f578;
                                									E0127A27E(_t106, _t130 - 0x30, _t123, _t127, __eflags);
                                								}
                                							}
                                						}
                                					}
                                				} else {
                                					 *(_t130 - 0x20) = _t127;
                                					 *(_t130 - 0x1c) = _t127;
                                					 *(_t130 - 0x18) = _t127;
                                					 *(_t130 - 0x14) = _t127;
                                					_push(((_t74 & 0xffffff00 |  *((intOrPtr*)(_t130 - 0x28)) == _t127) - 0x00000001 & 0x000000c1) - 0x00000001 & 0x000000ff);
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					_push(1);
                                					_push(1);
                                					asm("movsd");
                                					_push(0);
                                					_push( *((intOrPtr*)(_t130 - 0x34)));
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					L012E3D0B(_t106 + 0xf14, _t147);
                                					_t123 =  *((intOrPtr*)(_t130 - 0x34));
                                					_t127 = 0;
                                				}
                                				_t81 = (0 |  *((intOrPtr*)(_t106 + 0x102c)) != _t127) + 7;
                                				if(_t81 >= 4) {
                                					_t107 = _t106 + 0x8c;
                                					 *((intOrPtr*)(_t130 - 0x24)) = _t81 + 0xfffffffd;
                                					do {
                                						if( *((intOrPtr*)(_t107 + 0x2e4)) != _t127) {
                                							 *((intOrPtr*)( *_t107 + 0x30))(_t123,  *((intOrPtr*)(_t130 - 0x28)));
                                						}
                                						_t107 = _t107 + 0x2e8;
                                						_t62 = _t130 - 0x24;
                                						 *_t62 =  *((intOrPtr*)(_t130 - 0x24)) - 1;
                                					} while ( *_t62 != 0);
                                				}
                                				 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
                                				L01279E44(_t130 - 0x48);
                                				return L013696ED(_t106, _t123, _t127);
                                			}


                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0134CE44
                                • CreateCompatibleDC.GDI32(00000000), ref: 0134CE92
                                • GetBoundsRect.GDI32(?,0134D3BB,00000000), ref: 0134CEBA
                                • CreateSolidBrush.GDI32 ref: 0134CED4
                                • FillRect.USER32(00000000,0134D3BB,?), ref: 0134CEED
                                  • Part of subcall function 0134C1CB: FillRgn.GDI32(00000000,?,00000000), ref: 0134C1ED
                                  • Part of subcall function 0134C1F7: FrameRgn.GDI32(00000000,?,00000000,0134D3BB,0000003C), ref: 0134C21F
                                  • Part of subcall function 01279E44: DeleteDC.GDI32(00000000), ref: 01279E56
                                  • Part of subcall function 0127A3A8: __EH_prolog3.LIBCMT ref: 0127A3AF
                                  • Part of subcall function 0127A3A8: CreateSolidBrush.GDI32(?), ref: 0127A3CA
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Create$BrushFillRectSolid$BoundsCompatibleDeleteFrameH_prolog3H_prolog3_H_prolog3_catch_
                                • String ID:
                                • API String ID: 275149273-0
                                • Opcode ID: 7a7eaddfe8d04799c87cbbd90bf5c8a7075f1f31b5317718d864f5e1b3255069
                                • Instruction ID: ed6f5207ac0d75ba8dbd03eeb34e05f3c4b8530f13bc915c73117d290585ac85
                                • Opcode Fuzzy Hash: 7a7eaddfe8d04799c87cbbd90bf5c8a7075f1f31b5317718d864f5e1b3255069
                                • Instruction Fuzzy Hash: D8515C71D11219EFCF11DFA8D884AEDBBB9FF18718F18012AF901AA185C7715A45CBA1
                                Uniqueness

                                Uniqueness Score: 2.04%

                                C-Code - Quality: 87%
                                			E012AAFB9(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t55;
                                				intOrPtr _t62;
                                				void* _t78;
                                				intOrPtr _t79;
                                				signed int _t82;
                                				intOrPtr _t106;
                                				void* _t107;
                                				intOrPtr _t109;
                                				intOrPtr* _t111;
                                				void* _t112;
                                
                                				_t107 = __edx;
                                				_push(0x2c);
                                				L0136966A(0x1381566, __ebx, __edi, __esi);
                                				_t109 =  *((intOrPtr*)(_t112 + 8));
                                				_t114 =  *(_t109 + 0x18) & 0x00000001;
                                				_t111 = __ecx;
                                				if(( *(_t109 + 0x18) & 0x00000001) == 0) {
                                					 *(_t112 - 0x20) = 0;
                                					 *((intOrPtr*)(_t112 - 0x1c)) = 0;
                                					 *((intOrPtr*)(_t112 - 0x18)) = 0;
                                					 *((intOrPtr*)(_t112 - 0x14)) = 0;
                                					GetWindowRect( *(__ecx + 0x20), _t112 - 0x20);
                                					__eflags =  *((intOrPtr*)(_t111 + 0x84));
                                					if( *((intOrPtr*)(_t111 + 0x84)) != 0) {
                                						_t62 =  *((intOrPtr*)(_t111 + 0x9c)) +  *((intOrPtr*)(_t112 - 0x1c));
                                						__eflags = _t62;
                                						 *((intOrPtr*)(_t112 - 0x14)) = _t62;
                                					}
                                					 *(_t112 - 0x34) = IsWindowVisible( *(_t111 + 0x20));
                                					E01288211(0, _t109, _t109, E01286848(_t111));
                                					E01288537(_t109, _t109, _t112 - 0x20, 0x10);
                                					E01288211(0, _t109, _t109,  *(_t112 - 0x34));
                                					_t55 = E01282D31(0, _t109, _t107, _t109, _t111, __eflags,  *((intOrPtr*)(_t111 + 0xc8)));
                                					__eflags = _t55;
                                					if(_t55 == 0) {
                                						_push(0);
                                					} else {
                                						_push(E0128691B(_t55, _t107));
                                					}
                                					E01288211(0, _t109, _t109);
                                					E01288211(0, _t109, _t109,  *((intOrPtr*)(_t111 + 0xb8)));
                                					E01288211(0, _t109, _t109,  *((intOrPtr*)(_t111 + 0x88)));
                                				} else {
                                					 *(_t112 - 0x34) = 0;
                                					 *(_t112 - 0x30) = 0;
                                					 *((intOrPtr*)(_t112 - 0x2c)) = 0;
                                					 *((intOrPtr*)(_t112 - 0x28)) = 0;
                                					 *((intOrPtr*)(_t112 - 0x24)) = 0;
                                					SetRectEmpty(_t112 - 0x30);
                                					E012888E2(0, _t109, _t109, _t112 - 0x34);
                                					E012A66F3(0, _t111, _t114, _t109, _t112 - 0x30);
                                					E012888E2(0, _t109, _t109, _t112 - 0x38);
                                					E012888E2(0, _t109, _t109, _t111 + 0xb4);
                                					E012888E2(0, _t109, _t109, _t111 + 0xb8);
                                					E012888E2(0, _t109, _t109, _t111 + 0x88);
                                					_t78 =  *((intOrPtr*)( *_t111 + 0x200))(0x138e210,  *(_t112 - 0x34) & 0xefffffff, _t112 - 0x30,  *0x13d9624, 0);
                                					_t115 = _t78;
                                					if(_t78 == 0) {
                                						_t106 = E01274753(_t115, 0x10);
                                						 *((intOrPtr*)(_t112 - 0x38)) = _t106;
                                						 *(_t112 - 4) = 0;
                                						_t116 = _t106;
                                						if(_t106 == 0) {
                                							_t82 = 0;
                                							__eflags = 0;
                                						} else {
                                							_push(0);
                                							_push(0);
                                							_t82 = E01288B7D(0, _t106, _t109, _t111, _t116);
                                						}
                                						 *(_t112 - 4) =  *(_t112 - 4) | 0xffffffff;
                                						 *(_t112 - 0x34) = _t82;
                                						L0136B20F(_t112 - 0x34, 0x13c007c);
                                					}
                                					_t79 =  *0x13d9624; // 0x0
                                					 *((intOrPtr*)(_t111 + 0xbc)) =  *((intOrPtr*)(_t79 + 0x20));
                                				}
                                				return L013696ED(0, _t109, _t111);
                                			}














                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012AAFC0
                                • SetRectEmpty.USER32 ref: 012AAFE9
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                • __CxxThrowException@8.LIBCMT ref: 012AB090
                                  • Part of subcall function 0136B20F: RaiseException.KERNEL32(?,?,?,?), ref: 0136B251
                                  • Part of subcall function 01288B7D: __EH_prolog3.LIBCMT ref: 01288B84
                                • GetWindowRect.USER32 ref: 012AB0BB
                                • IsWindowVisible.USER32(?), ref: 012AB0D8
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                  • Part of subcall function 0128691B: GetDlgCtrlID.USER32 ref: 01286924
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Rect$CtrlEmptyExceptionException@8H_prolog3H_prolog3_LongRaiseThrowVisible_malloc
                                • String ID:
                                • API String ID: 1759769945-0
                                • Opcode ID: 6e9160b1c98ca84b890618b78d346b7871c543b4857505fdd8c93431bc91c133
                                • Instruction ID: 57b60fd421103506900d76cf3cb7550594bcba40c3eb4bf165d2dcd065839b8b
                                • Opcode Fuzzy Hash: 6e9160b1c98ca84b890618b78d346b7871c543b4857505fdd8c93431bc91c133
                                • Instruction Fuzzy Hash: DE411F71A2130AAFDF15FFA4D890ABEB7FABF58310F54442DE15AE2280DB345905DB21
                                Uniqueness

                                Uniqueness Score: 23.02%

                                C-Code - Quality: 60%
                                			E012BCC05(RECT* __ecx, void* __edx, void* __edi, struct tagPOINT* _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				RECT* _v60;
                                				void* __ebx;
                                				void* __esi;
                                				signed int _t41;
                                				intOrPtr _t51;
                                				intOrPtr _t56;
                                				void* _t58;
                                				void* _t65;
                                				void* _t68;
                                				struct tagPOINT* _t74;
                                				void* _t84;
                                				RECT* _t88;
                                				RECT* _t90;
                                				signed int _t91;
                                
                                				_t85 = __edi;
                                				_t84 = __edx;
                                				_t41 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t41 ^ _t91;
                                				_t74 = _a4;
                                				_v24.left = 0;
                                				_v24.top = 0;
                                				_v24.right = 0;
                                				_v24.bottom = 0;
                                				_t88 = __ecx;
                                				_v60 = __ecx;
                                				GetClientRect( *(__ecx + 0x20),  &_v24);
                                				L01279C17(_t88,  &_v24);
                                				_push(_t74->y);
                                				if(PtInRect( &_v24, _t74->x) != 0) {
                                					_push(__edi);
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					_t90 = _v60;
                                					_t51 =  *((intOrPtr*)(_t90 + 0xed4));
                                					if(_t51 == 0) {
                                						_v40.right =  *((intOrPtr*)(_t90 + 0xecc)) + _v24.left;
                                					} else {
                                						_t65 = _t51 - 1;
                                						if(_t65 == 0) {
                                							_v40.left = _v24.right -  *((intOrPtr*)(_t90 + 0xecc));
                                						} else {
                                							_t68 = _t65 - 1;
                                							if(_t68 == 0) {
                                								_v40.bottom =  *((intOrPtr*)(_t90 + 0xecc)) + _v24.top;
                                							} else {
                                								if(_t68 == 1) {
                                									_v40.top = _v24.bottom -  *((intOrPtr*)(_t90 + 0xecc));
                                								}
                                							}
                                						}
                                					}
                                					_push(_t74->y);
                                					if(PtInRect( &_v40, _t74->x) == 0) {
                                						_t56 =  *((intOrPtr*)(_t90 + 0xfc0));
                                						if(_t74->x <= _v24.right - _t56) {
                                							if(_t74->y <= _v24.bottom - _t56) {
                                								if(IsRectEmpty(_t90) != 0) {
                                									L20:
                                									_t58 = 0;
                                									goto L21;
                                								}
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								L01279C17(_v60,  &_v56);
                                								_push(_t74->y);
                                								if(PtInRect( &_v56,  *_t74) == 0) {
                                									goto L20;
                                								}
                                								_push(5);
                                								goto L19;
                                							}
                                							_push(2);
                                							goto L19;
                                						}
                                						_t58 = 1;
                                						goto L21;
                                					} else {
                                						_push(3);
                                						L19:
                                						_pop(_t58);
                                						L21:
                                						_pop(_t85);
                                						goto L22;
                                					}
                                				} else {
                                					_t58 = 4;
                                					L22:
                                					return L01367D3E(_t58, _t74, _v8 ^ _t91, _t84, _t85, _t90);
                                				}
                                			}






















                                APIs
                                • GetClientRect.USER32 ref: 012BCC36
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                • PtInRect.USER32(?,?,?), ref: 012BCC50
                                • PtInRect.USER32(?,?,?), ref: 012BCCC3
                                • IsRectEmpty.USER32 ref: 012BCCFA
                                • PtInRect.USER32(?,?,?), ref: 012BCD20
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Client$ExceptionFilterProcessScreenUnhandled$CurrentDebuggerEmptyPresentTerminate
                                • String ID:
                                • API String ID: 3186546793-0
                                • Opcode ID: 4d44c238f3f3f82371bae5957b90bbced160f56df33e59d2f3ada529045ffa2a
                                • Instruction ID: 31444cad5d53c812b3161d44dcbaa746991590c337ddc86560b37ac603de08d3
                                • Opcode Fuzzy Hash: 4d44c238f3f3f82371bae5957b90bbced160f56df33e59d2f3ada529045ffa2a
                                • Instruction Fuzzy Hash: 2A412B71A1060BEFDF11DFA8D985AEEBBB5FB18340F104829E506EB244D771AA11CB60
                                Uniqueness

                                Uniqueness Score: 1.28%

                                C-Code - Quality: 89%
                                			E012AE90B(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, struct HWND__* _a4) {
                                				signed int _v0;
                                				int _v8;
                                				intOrPtr _v12;
                                				signed int _v20;
                                				void* __ebp;
                                				int _t26;
                                				signed int _t27;
                                				int _t29;
                                				signed int _t31;
                                				int _t40;
                                				int _t42;
                                				int _t43;
                                				intOrPtr _t46;
                                				struct HWND__* _t48;
                                				int _t50;
                                				int _t61;
                                				struct HWND__* _t63;
                                				int _t65;
                                				intOrPtr _t67;
                                				intOrPtr* _t68;
                                
                                				_t58 = __edx;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_push(__ebx);
                                				_t46 = __ecx;
                                				_t50 =  *(__ecx + 0xe4);
                                				_v12 = __ecx;
                                				if(_t50 == 0) {
                                					L10:
                                					return _t26;
                                				} else {
                                					_t27 = E012789AE(_t50, 0x139096c);
                                					asm("sbb eax, eax");
                                					_t26 =  ~_t27 + 1;
                                					_v8 = _t26;
                                					if(_a4 == 0) {
                                						_t61 =  *(__ecx + 0xcc);
                                						while(1) {
                                							__eflags = _t61;
                                							if(_t61 == 0) {
                                								break;
                                							}
                                							_t29 = _t61;
                                							__eflags = _t61;
                                							if(_t61 == 0) {
                                								L01277AC9(_t50);
                                								asm("int3");
                                								_t31 = _v20;
                                								__eflags = _t31;
                                								if(_t31 != 0) {
                                									_v0 =  *((intOrPtr*)(_t31 + 0x20));
                                								} else {
                                									_v0 = _v0 & _t31;
                                								}
                                								__eflags = _t50 + 0x19c;
                                								return L012ADDD2(_t50 + 0x19c, _t50 + 0x19c,  &_v0);
                                							} else {
                                								_t65 =  *(_t29 + 8);
                                								_t61 =  *_t61;
                                								__eflags = _t65;
                                								if(_t65 != 0) {
                                									_t48 =  *(_t65 + 0x20);
                                								} else {
                                									_t48 = 0;
                                								}
                                								_a4 = _t48;
                                								_t26 = IsWindow(_t48);
                                								__eflags = _t26;
                                								if(_t26 != 0) {
                                									_t26 = IsWindowVisible(_t48);
                                									__eflags = _t26;
                                									if(_t26 != 0) {
                                										__eflags = _v8;
                                										if(_v8 == 0) {
                                											L20:
                                											ShowWindow(_t48, 0);
                                											_t67 = _v12;
                                											_t17 = _t67 + 0x164; // 0x164
                                											_t50 = _t17;
                                											_t26 = L012ADE02(_t50,  &_a4, 0);
                                											__eflags = _t26;
                                											if(__eflags == 0) {
                                												_t19 = _t67 + 0x164; // 0x164
                                												_t50 = _t19;
                                												_t26 = L012ADDD2(_t50, __eflags,  &_a4);
                                											}
                                										} else {
                                											_t26 = E012789CC(0x139a818,  *((intOrPtr*)( *((intOrPtr*)(E012789CC(0x13d04b0, _t65))) + 0x1a4))());
                                											_pop(_t50);
                                											__eflags = _t26;
                                											if(_t26 != 0) {
                                												goto L20;
                                											}
                                										}
                                									}
                                								}
                                								continue;
                                							}
                                							goto L29;
                                						}
                                						goto L9;
                                					} else {
                                						_t68 =  *((intOrPtr*)(__ecx + 0x168));
                                						while(_t68 != 0) {
                                							_t63 =  *(_t68 + 8);
                                							_t68 =  *_t68;
                                							_t40 = IsWindow(_t63);
                                							__eflags = _t40;
                                							if(_t40 != 0) {
                                								_t42 = E012789CC(0x13d04b0, E01282D05(_t46, _t50, _t58, _t63));
                                								_pop(_t50);
                                								__eflags = _t42;
                                								if(_t42 != 0) {
                                									_t58 =  *_t42;
                                									_t50 = _t42;
                                									_t43 =  *((intOrPtr*)( *_t42 + 0x19c))();
                                									__eflags = _t43;
                                									if(_t43 > 0) {
                                										ShowWindow(_t63, 4);
                                									}
                                								}
                                							}
                                						}
                                						_t26 = E0133286E(_t46 + 0x164);
                                						L9:
                                						goto L10;
                                					}
                                				}
                                				L29:
                                			}























                                0x012ae977
                                0x012ae969
                                0x012ae952
                                0x012ae98c
                                0x012ae991
                                0x00000000
                                0x012ae992
                                0x012ae93a
                                0x00000000

                                APIs
                                • IsWindow.USER32(00000000), ref: 012AE94A
                                • ShowWindow.USER32(00000000,00000004), ref: 012AE97C
                                • IsWindow.USER32(?), ref: 012AE9C1
                                • IsWindowVisible.USER32(?), ref: 012AE9CC
                                • ShowWindow.USER32(?,00000000), ref: 012AEA07
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Show$Exception@8ThrowVisible
                                • String ID:
                                • API String ID: 579020799-0
                                • Opcode ID: b27a73c22c8ddf68ba36b68ec112ba3f1e796a25528877818db52f31abc7c088
                                • Instruction ID: e55cb8c881867a2e4395512cd77924b75bea3f473b9e5d07f2c6a15839b61fc3
                                • Opcode Fuzzy Hash: b27a73c22c8ddf68ba36b68ec112ba3f1e796a25528877818db52f31abc7c088
                                • Instruction Fuzzy Hash: 1E31C931221303ABDB249F79C855FBF7BA8BF54724F554168EB469B241DB30E801C7A1
                                Uniqueness

                                Uniqueness Score: 1.55%

                                C-Code - Quality: 94%
                                			E012EA64D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t39;
                                				intOrPtr _t45;
                                				WCHAR* _t48;
                                				long _t59;
                                				void* _t80;
                                				void* _t83;
                                				signed int _t85;
                                				intOrPtr* _t86;
                                				WCHAR* _t89;
                                				void* _t90;
                                				intOrPtr* _t91;
                                
                                				_t83 = __edx;
                                				_push(4);
                                				L01369601(0x13837de, __ebx, __edi, __esi);
                                				 *((intOrPtr*)(_t90 - 4)) = 0;
                                				if( *((intOrPtr*)(_t90 + 0xc)) == 0 ||  *((intOrPtr*)(_t90 + 8)) == 0) {
                                					L18:
                                					return L013696D9(L01271470( *(_t90 + 0x14) + 0xfffffff0, _t83));
                                				} else {
                                					_t39 = 1;
                                					_t85 = 0;
                                					while(_t39 !=  *(_t90 + 0x10)) {
                                						_t39 = _t39 + _t39;
                                						_t85 = _t85 + 1;
                                						if(_t85 < 0xb) {
                                							continue;
                                						} else {
                                							goto L18;
                                						}
                                					}
                                					if(_t85 != 0xffffffff) {
                                						_t6 = E01272530( *(_t90 + 0x14) + 0xfffffff0) + 0x10; // 0x10
                                						_t89 = _t6;
                                						 *(_t90 - 0x10) = _t89;
                                						_t43 =  *((intOrPtr*)(_t90 + 0x18));
                                						 *((char*)(_t90 - 4)) = 1;
                                						if( *((intOrPtr*)(_t90 + 0x18)) == 0) {
                                							_t43 = 0x138e210;
                                						}
                                						_t72 = _t90 + 0x10;
                                						E01273740(0, _t43);
                                						_t45 =  *0x13d9d6c; // 0x0
                                						 *((char*)(_t90 - 4)) = 2;
                                						if(_t45 != 0 &&  *((intOrPtr*)(_t85 * 0x34 + _t45 + 4)) != 0) {
                                							_t59 =  *(_t90 + 0x10);
                                							if( *((intOrPtr*)(_t59 - 0xc)) != 0) {
                                								SendMessageW( *( *((intOrPtr*)(_t90 + 0xc)) + 0x20), 0x421, 1,  *(_t90 + 0x14));
                                								_t72 = _t90 - 0x10;
                                								E01272A30(_t90 - 0x10, _t90 + 0x10);
                                								_t89 =  *(_t90 - 0x10);
                                							} else {
                                								SendMessageW( *( *((intOrPtr*)(_t90 + 0xc)) + 0x20), 0x421, 1, _t59);
                                							}
                                						}
                                						_t48 = E0136C922(_t72,  *((intOrPtr*)(_t89 - 0xc)) + 1, 2);
                                						 *( *((intOrPtr*)(_t90 + 8)) + 0x24) = _t48;
                                						if(_t48 != 0) {
                                							lstrcpyW(_t48, _t89);
                                							_t86 = E012789CC(0x13ab3d4,  *((intOrPtr*)(_t90 + 0xc)));
                                							_pop(_t80);
                                							if(_t86 != 0) {
                                								 *((intOrPtr*)(_t90 + 0xc)) = _t91;
                                								 *_t91 = E01272530( *(_t90 + 0x10) + 0xfffffff0) + 0x10;
                                								 *((intOrPtr*)( *_t86 + 0x16c))(_t80);
                                							}
                                						}
                                						L01271470( *(_t90 + 0x10) + 0xfffffff0, _t83);
                                						_t32 = _t89 - 0x10; // 0x0
                                						L01271470(_t32, _t83);
                                					}
                                					goto L18;
                                				}
                                			}















                                APIs
                                • __EH_prolog3.LIBCMT ref: 012EA654
                                  • Part of subcall function 01272530: _memcpy_s.LIBCMT ref: 0127258F
                                • SendMessageW.USER32(?,00000421,00000001,?), ref: 012EA6E8
                                • SendMessageW.USER32(?,00000421,00000001,?), ref: 012EA700
                                • _calloc.LIBCMT ref: 012EA71C
                                • lstrcpyW.KERNEL32(00000000,00000010), ref: 012EA72F
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MessageSend$H_prolog3_calloc_memcpy_slstrcpy
                                • String ID:
                                • API String ID: 4289958352-0
                                • Opcode ID: 9f5afd3f55af746a157b9cdacacf4fb9bb5e15633ad5db3f0b829532aac1f982
                                • Instruction ID: c91b314862ba1ad45417be0eb047e6a1ab922d7468a1575e1395739dfdd443cf
                                • Opcode Fuzzy Hash: 9f5afd3f55af746a157b9cdacacf4fb9bb5e15633ad5db3f0b829532aac1f982
                                • Instruction Fuzzy Hash: AA4171726202069FDF14EF68CC89AAE7BF4FF15328F444519F626972D1DB709850CB50
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 98%
                                			E012AEBC8(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                				struct tagRECT* _t88;
                                				intOrPtr _t106;
                                				void* _t107;
                                
                                				_push(4);
                                				L01369601(0x1381675, __ebx, __edi, __esi);
                                				_t106 = __ecx;
                                				 *((intOrPtr*)(_t107 - 0x10)) = __ecx;
                                				 *((intOrPtr*)(__ecx)) = 0x1393d4c;
                                				_t88 = __ecx + 0x10;
                                				_t88->left = 0;
                                				_t88->top = 0;
                                				_t88->right = 0;
                                				_t88->bottom = 0;
                                				L012E77C6(__ecx + 0x20, 0xa);
                                				 *((intOrPtr*)(_t107 - 4)) = 0;
                                				L012E77C6(__ecx + 0x3c, 0xa);
                                				 *((char*)(_t107 - 4)) = 1;
                                				L012E77C6(__ecx + 0x58, 0xa);
                                				 *((char*)(_t107 - 4)) = 2;
                                				L012E77C6(__ecx + 0x74, 0xa);
                                				 *((char*)(_t107 - 4)) = 3;
                                				L012E77C6(__ecx + 0x90, 0xa);
                                				L012ABD00(__ecx + 0xac, 0xa);
                                				 *((char*)(_t107 - 4)) = 5;
                                				L012E77C6(__ecx + 0xc8, 0xa);
                                				 *((intOrPtr*)(__ecx + 0xe4)) = 0;
                                				 *(__ecx + 0xe8) = 0;
                                				 *((intOrPtr*)(__ecx + 0xec)) = 0;
                                				 *((intOrPtr*)(__ecx + 0xf0)) = 0;
                                				 *((intOrPtr*)(__ecx + 0xf4)) = 0;
                                				 *((intOrPtr*)(__ecx + 0xf8)) = 0;
                                				 *((intOrPtr*)(__ecx + 0xfc)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x100)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x104)) = 0;
                                				 *((char*)(_t107 - 4)) = 6;
                                				 *((intOrPtr*)(__ecx + 0x108)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x10c)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x110)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x114)) = 0;
                                				L012E77C6(__ecx + 0x134, 0xa);
                                				L012ABD28(__ecx + 0x164, 0xa);
                                				L012ABD28(__ecx + 0x180, 0xa);
                                				L012ABD28(__ecx + 0x19c, 0xa);
                                				 *((intOrPtr*)(__ecx + 0x1b8)) = 0;
                                				L012ABD5B(__ecx + 0x1bc, 0xa);
                                				E01272410(__ecx + 0x1ec, E0127859A());
                                				 *((intOrPtr*)(__ecx + 0x118)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x11c)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x150)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x120)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x124)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x128)) = 0;
                                				 *((intOrPtr*)(__ecx + 0x12c)) = 0;
                                				SetRectEmpty(__ecx + 0xe8);
                                				SetRectEmpty(_t106 + 0xf8);
                                				SetRectEmpty(_t106 + 0x108);
                                				SetRectEmpty(_t88);
                                				 *((intOrPtr*)(_t106 + 0x130)) = 0;
                                				 *((intOrPtr*)(_t106 + 4)) = 1;
                                				 *((intOrPtr*)(_t106 + 8)) = 0;
                                				 *((intOrPtr*)(_t106 + 0x154)) = 0;
                                				 *((intOrPtr*)(_t106 + 0x158)) = 0;
                                				 *((intOrPtr*)(_t106 + 0xc)) = 0;
                                				 *((intOrPtr*)(_t106 + 0x15c)) = 0;
                                				 *((intOrPtr*)(_t106 + 0x160)) = 0;
                                				 *((intOrPtr*)(_t106 + 0x1d8)) = 0;
                                				 *((intOrPtr*)(_t106 + 0x1dc)) = 0;
                                				 *((intOrPtr*)(_t106 + 0x1e0)) = 0;
                                				 *((intOrPtr*)(_t106 + 0x1e8)) = 0;
                                				 *((intOrPtr*)(_t106 + 0x1e4)) = 0;
                                				return L013696D9(_t106);
                                			}







                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: EmptyRect$H_prolog3
                                • String ID:
                                • API String ID: 3752103406-0
                                • Opcode ID: 0d9b6b4a1f62d6396be55dd5bb9c70044748985109699df715ab077b62825a56
                                • Instruction ID: e7d35dfa8d57773f60223aa9786580f43228cccab4190ce7cb22791c3207a81a
                                • Opcode Fuzzy Hash: 0d9b6b4a1f62d6396be55dd5bb9c70044748985109699df715ab077b62825a56
                                • Instruction Fuzzy Hash: 9151C6B0940B45DBD324DF36C484BDAFBE8AFA9704F40890FD5AA97290DBB02144CF92
                                Uniqueness

                                Uniqueness Score: 1.97%

                                C-Code - Quality: 80%
                                			E012DA24F(intOrPtr* __ecx, intOrPtr _a4) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagRECT _v56;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t42;
                                				void* _t70;
                                				void* _t72;
                                				void* _t87;
                                				long _t89;
                                				void* _t90;
                                				intOrPtr* _t92;
                                				signed int _t93;
                                
                                				_t42 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t42 ^ _t93;
                                				_t92 = __ecx;
                                				L012D1489(_a4,  &_v40);
                                				if(IsRectEmpty( &_v40) == 0) {
                                					_push(_t72);
                                					_push(_t90);
                                					_t47 = L01283CA8(_t92);
                                					_t73 = _t47;
                                					if(_t47 != 0) {
                                						L01279BD6(_t73,  &_v40);
                                						_v24.left = 0;
                                						_v24.top = 0;
                                						_v24.right = 0;
                                						_v24.bottom = 0;
                                						GetWindowRect( *(_t92 + 0x20),  &_v24);
                                						L01279BD6(_t73,  &_v24);
                                						_v56.left = 0;
                                						_v56.top = 0;
                                						_v56.right = 0;
                                						_v56.bottom = 0;
                                						UnionRect( &_v56,  &_v24,  &_v40);
                                						if(EqualRect( &_v56,  &_v40) == 0) {
                                							OffsetRect( &_v24, _v40.left - _v24.left, _v40.top - _v24.top);
                                							_t89 = _v24.left;
                                							_t87 = _v40.right - _v40.left;
                                							if(_v24.right - _t89 > _t87) {
                                								_v24.right = _t87 + _t89;
                                							}
                                							_t70 = _v40.bottom - _v40.top;
                                							if(_v24.bottom - _v24.top > _t70) {
                                								_v24.bottom = _v24.top + _t70;
                                							}
                                							_t47 =  *((intOrPtr*)( *_t92 + 0x234))(0, _t89, _v24.top, _t87, _t70, 0x14, 0);
                                						}
                                					}
                                					_pop(_t90);
                                					_pop(_t72);
                                				}
                                				return L01367D3E(_t47, _t72, _v8 ^ _t93, _t89, _t90, _t92);
                                			}



















                                APIs
                                  • Part of subcall function 012D1489: SetRectEmpty.USER32 ref: 012D14A4
                                • IsRectEmpty.USER32 ref: 012DA274
                                • GetWindowRect.USER32 ref: 012DA2B5
                                • UnionRect.USER32(?,?,?), ref: 012DA2DE
                                • EqualRect.USER32 ref: 012DA2EC
                                • OffsetRect.USER32 ref: 012DA308
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01283CA8: GetParent.USER32(?), ref: 01283CD2
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$ClientEmptyExceptionFilterProcessScreenUnhandled$CurrentDebuggerEqualOffsetParentPresentTerminateUnionWindow
                                • String ID:
                                • API String ID: 686094730-0
                                • Opcode ID: 217524daf24dc3c3e9d5c40c3643008ae378403e68870297c58d0bc7f893aa1b
                                • Instruction ID: da86eccffb12e8f05e70205db785290084a94e96e089f836076ff7b2cdc727cf
                                • Opcode Fuzzy Hash: 217524daf24dc3c3e9d5c40c3643008ae378403e68870297c58d0bc7f893aa1b
                                • Instruction Fuzzy Hash: 364199B1A0020AAFCB10DFE9D9848EEBBFDFF58304B50456AE505F3204DB75AA058B61
                                Uniqueness

                                Uniqueness Score: 6.84%

                                C-Code - Quality: 87%
                                			E012D498B(intOrPtr* __ecx, signed int _a4, signed int _a8, int _a12) {
                                				void* __ebx;
                                				void* __ebp;
                                				int _t31;
                                				intOrPtr _t32;
                                				int _t35;
                                				signed int _t36;
                                				intOrPtr _t38;
                                				void* _t51;
                                				intOrPtr _t53;
                                				int _t59;
                                				int _t60;
                                				int _t65;
                                				intOrPtr* _t66;
                                
                                				_t52 = __ecx;
                                				_t66 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x204)) == 0) {
                                					_push(_a12);
                                					L20:
                                					_push(_a8);
                                					_push(_a4);
                                					return L01283741(_t52);
                                				}
                                				_t60 = _a12;
                                				__eflags = _t60;
                                				if(_t60 != 0) {
                                					_t53 =  *((intOrPtr*)(_t60 + 0x20));
                                				} else {
                                					_t53 = 0;
                                				}
                                				_t31 = _t66 + 0x2e0;
                                				__eflags = _t31;
                                				if(_t31 != 0) {
                                					_t32 =  *((intOrPtr*)(_t31 + 0x20));
                                				} else {
                                					_t32 = 0;
                                				}
                                				__eflags = _t53 - _t32;
                                				if(_t53 != _t32) {
                                					L19:
                                					_push(_t60);
                                					_t52 = _t66;
                                					goto L20;
                                				}
                                				__eflags =  *(_t66 + 0xa0) - 0xffffffff;
                                				if( *(_t66 + 0xa0) != 0xffffffff) {
                                					__eflags =  *0x13d9b50; // 0x0
                                					if(__eflags == 0) {
                                						_t35 =  *((intOrPtr*)( *_t66 + 0x20c))();
                                						_t55 = _t35;
                                						_t36 =  *(_t66 + 0xa0);
                                						_a12 = _t35;
                                						__eflags = _t36;
                                						if(_t36 < 0) {
                                							L18:
                                							L01277AC9(_t55);
                                							goto L19;
                                						}
                                						__eflags = _t36 -  *((intOrPtr*)(_t66 + 0x90));
                                						if(_t36 >=  *((intOrPtr*)(_t66 + 0x90))) {
                                							goto L18;
                                						}
                                						_t65 = (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff;
                                						_t62 =  *((intOrPtr*)(_t66 + 0x8c));
                                						_t38 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x8c)) + _t36 * 4));
                                						__eflags =  *(_t38 + 0x38);
                                						_t51 = SendMessageW;
                                						 *0x13d9b50 = 1;
                                						if( *(_t38 + 0x38) == 0) {
                                							L17:
                                							SendMessageW( *(_a12 + 0x20), 0x114, _t65, 0);
                                							 *0x13d9b50 =  *0x13d9b50 & 0x00000000;
                                							SetScrollPos( *(_t66 + 0x300), 2, E01282311(_a12, 0), 1);
                                							L012D3DED(_t66);
                                							return SendMessageW( *(E01282D05(_t51, _t66, _t62, GetParent( *(_t66 + 0x20))) + 0x20),  *0x13d9b38, _t65, 0);
                                						}
                                						__eflags = _a4 - 4;
                                						if(_a4 == 4) {
                                							L16:
                                							_t59 = _a8 - E01282311(_t55, 0);
                                							__eflags = _t59;
                                							SendMessageW( *(_a12 + 0x20), 0x1014, _t59, 0);
                                							goto L17;
                                						}
                                						__eflags = _a4 - 5;
                                						if(_a4 != 5) {
                                							goto L17;
                                						}
                                						goto L16;
                                					}
                                				}
                                				return _t32;
                                			}

















                                APIs
                                • SendMessageW.USER32(?,00001014,?,00000000), ref: 012D4A61
                                • SendMessageW.USER32(?,00000114,?,00000000), ref: 012D4A71
                                  • Part of subcall function 01282311: GetScrollPos.USER32(?,?), ref: 01282332
                                • SetScrollPos.USER32(?,00000002,00000000,00000001), ref: 012D4A8F
                                  • Part of subcall function 012D3DED: ShowScrollBar.USER32 ref: 012D3E11
                                • GetParent.USER32(?), ref: 012D4A9F
                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 012D4AB7
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MessageScrollSend$Exception@8ParentShowThrow
                                • String ID:
                                • API String ID: 207188772-0
                                • Opcode ID: 5fc0c26be9d1b9aa995d5225d5c02d1be859c90f0c54ce744d761dc10ad16828
                                • Instruction ID: a16871bcec573b3eb46740e81282e2895a6726456195aab7240cfcd4462b4689
                                • Opcode Fuzzy Hash: 5fc0c26be9d1b9aa995d5225d5c02d1be859c90f0c54ce744d761dc10ad16828
                                • Instruction Fuzzy Hash: 6F310271220382EFDB21FF28CC94FBA7BA5FB44300F004529F69A876A1D7709980CB55
                                Uniqueness

                                Uniqueness Score: 10.55%

                                C-Code - Quality: 95%
                                			E0129CB7A(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __eflags) {
                                				void* __esi;
                                				void* _t11;
                                				signed int _t12;
                                				intOrPtr* _t17;
                                				signed int _t18;
                                				void* _t23;
                                				void* _t25;
                                				signed int _t26;
                                				signed int _t54;
                                				void* _t59;
                                
                                				_t54 = __edx;
                                				_t59 = __ecx;
                                				_t11 = E01282C5F(__ebx, __ecx, __edi, __eflags);
                                				if(_t11 == 0xffffffff) {
                                					return _t11;
                                				}
                                				_push(__ebx);
                                				_push(__edi);
                                				_t57 = LoadCursorW;
                                				__eflags =  *0x13d64d0; // 0x0
                                				if(__eflags == 0) {
                                					E012792EF(0, LoadCursorW, _t59, __eflags);
                                					 *0x13d64d0 = LoadCursorW( *(E012792EF(0, LoadCursorW, _t59, __eflags) + 0xc), 0x7904);
                                				}
                                				__eflags =  *0x13d64d4; // 0x0
                                				if(__eflags == 0) {
                                					E012792EF(0, _t57, _t59, __eflags);
                                					 *0x13d64d4 = LoadCursorW( *(E012792EF(0, _t57, _t59, __eflags) + 0xc), 0x7905);
                                				}
                                				__eflags =  *0x13d64dc; // 0x0
                                				if(__eflags == 0) {
                                					E012792EF(0, _t57, _t59, __eflags);
                                					 *0x13d64dc = LoadCursorW(0, 0x7f86);
                                				}
                                				_t12 = E0127E493(0, _t54, _t59);
                                				__eflags = _t12;
                                				if(_t12 != 0) {
                                					_t25 = E0127E493(0, _t54, _t59);
                                					_t54 =  *0x13d98fc; // 0x0
                                					__eflags = _t54;
                                					if(_t54 != 0) {
                                						_t26 = _t54;
                                					} else {
                                						_t26 = L01283CE7(_t25);
                                					}
                                					__eflags = _t26;
                                					if(_t26 != 0) {
                                						__eflags = E01286862(_t26) & 0x00400000;
                                						L012DFF98(E01286862(_t26) & 0x00400000);
                                					}
                                				}
                                				__eflags =  *(_t59 + 0xb28);
                                				if(__eflags == 0) {
                                					_t23 = E01278D20(0, _t57, _t59, __eflags);
                                					__eflags =  *(_t23 + 0x160);
                                					if( *(_t23 + 0x160) != 0) {
                                						L012FB459(_t59 + 0xc1c, _t59);
                                					}
                                				}
                                				E0127A097(0, _t59 + 0xc78, _t54, _t57, CreatePen(0, 1,  *0x13d6408));
                                				E012EA539(0, _t54, _t57, _t59, __eflags);
                                				_t17 = E0128C2A4(0, _t57, _t59, __eflags);
                                				_t55 =  *_t17;
                                				_t18 =  *((intOrPtr*)( *_t17 + 0xbc))(_t59, _t59 + 0xc94, _t59, 2);
                                				 *(_t59 + 0xb64) = _t18;
                                				__eflags = _t18;
                                				if(__eflags == 0) {
                                					SetWindowRgn( *(_t59 + 0x20), 0, 0);
                                				} else {
                                					E0129CA6C(0, _t59, _t55, _t57, _t59, __eflags);
                                				}
                                				L01289F0E(0x13d843c, __eflags, _t59);
                                				__eflags = 0;
                                				return 0;
                                			}














                                APIs
                                • LoadCursorW.USER32 ref: 0129CBB5
                                • LoadCursorW.USER32 ref: 0129CBD7
                                • LoadCursorW.USER32 ref: 0129CBF1
                                  • Part of subcall function 0127E493: GetParent.USER32(00000000), ref: 0127E4D5
                                  • Part of subcall function 01286862: GetWindowLongW.USER32(?,000000EC), ref: 0128686D
                                • CreatePen.GDI32(00000000,00000001), ref: 0129CC5F
                                  • Part of subcall function 012EA539: __EH_prolog3.LIBCMT ref: 012EA540
                                  • Part of subcall function 012EA539: SendMessageW.USER32(?,00000401,00000001,00000000), ref: 012EA5ED
                                  • Part of subcall function 012EA539: SendMessageW.USER32(?,00000418,00000000,FFFFFFFF), ref: 012EA606
                                  • Part of subcall function 0128C2A4: __EH_prolog3.LIBCMT ref: 0128C2AB
                                • SetWindowRgn.USER32(?,00000000,00000000), ref: 0129CCA8
                                  • Part of subcall function 0129CA6C: __EH_prolog3_GS.LIBCMT ref: 0129CA73
                                  • Part of subcall function 0129CA6C: GetWindowRect.USER32 ref: 0129CAB4
                                  • Part of subcall function 0129CA6C: CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 0129CADE
                                  • Part of subcall function 0129CA6C: SetWindowRgn.USER32(?,?,00000000), ref: 0129CAF4
                                  • Part of subcall function 0129CA6C: SetWindowRgn.USER32(?,00000000,00000000), ref: 0129CB10
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$CursorLoad$CreateH_prolog3MessageRectSend$H_prolog3_LongParentRound
                                • String ID:
                                • API String ID: 3391722688-0
                                • Opcode ID: 39ba074c83072c9516acf69095fbab8565ee35a74d1994086dbc915fe6c10c4e
                                • Instruction ID: 611896d4f9c78166c16b3ada9ee20634a71c932bb8a89a46cfa939f5bd0e6198
                                • Opcode Fuzzy Hash: 39ba074c83072c9516acf69095fbab8565ee35a74d1994086dbc915fe6c10c4e
                                • Instruction Fuzzy Hash: 8331F3B19313539FDF207BB8ED899BA76AEAF60314F01043AE212A7181DB3494508B60
                                Uniqueness

                                Uniqueness Score: 3.15%

                                C-Code - Quality: 84%
                                			E01296A53(intOrPtr* __ecx, void* __edx) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagPOINT _v32;
                                				struct tagPOINT _v40;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t33;
                                				void* _t39;
                                				void* _t52;
                                				long _t53;
                                				intOrPtr _t60;
                                				void* _t70;
                                				intOrPtr _t71;
                                				intOrPtr* _t72;
                                				signed int _t73;
                                				void* _t75;
                                
                                				_t70 = __edx;
                                				_t33 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t33 ^ _t73;
                                				_t72 = __ecx;
                                				_t71 =  *((intOrPtr*)(__ecx + 0xb30));
                                				_t59 = 0;
                                				_v32.x = 0;
                                				_v32.y = 0;
                                				GetCursorPos( &_v32);
                                				if(_t71 != 0) {
                                					L7:
                                					_push( *0x13d64d0);
                                					goto L8;
                                				} else {
                                					_t71 = ScreenToClient;
                                					_t75 =  *0x13d83d4 - _t59; // 0x0
                                					if(_t75 == 0) {
                                						L10:
                                						_v40.x = _v32.x;
                                						_v40.y = _v32.y;
                                						ScreenToClient( *(_t72 + 0x20),  &_v40);
                                						_v24.left = _t59;
                                						_v24.top = _t59;
                                						_v24.right = _t59;
                                						_v24.bottom = _t59;
                                						L012C9346(_t72 + 0xb6c, _t70, _t72,  &_v24, 1);
                                						_push(_v40.y);
                                						__eflags = PtInRect( &_v24, _v40);
                                						if(__eflags == 0) {
                                							L13:
                                							_t39 = E01282C5F(_t59, _t72, _t71, __eflags);
                                						} else {
                                							__eflags =  *0x13d97c0 - _t59; // 0x0
                                							if(__eflags != 0) {
                                								goto L13;
                                							} else {
                                								_push( *0x13d64dc);
                                								L8:
                                								SetCursor();
                                								_t39 = 1;
                                							}
                                						}
                                					} else {
                                						if( *((intOrPtr*)(_t72 + 0xb80)) == 0xffffffff ||  *((intOrPtr*)(_t72 + 0xb04)) != 0) {
                                							L9:
                                							_t59 = 0;
                                							__eflags = 0;
                                							goto L10;
                                						} else {
                                							ScreenToClient( *(_t72 + 0x20),  &_v32);
                                							_t60 =  *((intOrPtr*)(_t72 + 0xb80));
                                							_t52 =  *((intOrPtr*)( *_t72 + 0x390))(_v32.x, _v32.y);
                                							_t78 = _t52 - _t60;
                                							if(_t52 != _t60) {
                                								goto L9;
                                							} else {
                                								_t53 = L01293D66(_t72, _t78, _t60);
                                								_t59 = _t53;
                                								if( *((intOrPtr*)( *_t53 + 0x3c))() == 0 || L0136B5DE(_t70, _v32.x -  *((intOrPtr*)(_t59 + 0x5c))) > 6) {
                                									goto L9;
                                								} else {
                                									goto L7;
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return L01367D3E(_t39, _t59, _v8 ^ _t73, _t70, _t71, _t72);
                                			}





















                                APIs
                                • GetCursorPos.USER32(?), ref: 01296A7C
                                • ScreenToClient.USER32(?,?), ref: 01296AAC
                                  • Part of subcall function 01293D66: PtInRect.USER32(?,?,?), ref: 01293DB9
                                • ScreenToClient.USER32(?,?), ref: 01296B15
                                  • Part of subcall function 012C9346: SetRectEmpty.USER32 ref: 012C936F
                                  • Part of subcall function 012C9346: GetWindowRect.USER32 ref: 012C93A6
                                  • Part of subcall function 012C9346: GetClientRect.USER32 ref: 012C93C4
                                  • Part of subcall function 012C9346: OffsetRect.USER32 ref: 012C9428
                                • PtInRect.USER32(?,?,?), ref: 01296B3E
                                • SetCursor.USER32 ref: 01296AF5
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Client$CursorExceptionFilterProcessScreenUnhandled$CurrentDebuggerEmptyOffsetPresentTerminateWindow
                                • String ID:
                                • API String ID: 130217932-0
                                • Opcode ID: b2426a49a199b45ff0d276142f3139cd5231fd2563108e02a45a2e12854394ee
                                • Instruction ID: d46eaf7fd668b07b6b69f0584b396d4509c92db1b592b8daf3bcae37d1090979
                                • Opcode Fuzzy Hash: b2426a49a199b45ff0d276142f3139cd5231fd2563108e02a45a2e12854394ee
                                • Instruction Fuzzy Hash: 2231327191020ADFCF21DFA9D8949EEBBF9FB48314F50452DD616E3154EB349905CB60
                                Uniqueness

                                Uniqueness Score: 1.97%

                                C-Code - Quality: 62%
                                			E0129E1BF(void* __ebx, void* _a4, intOrPtr _a8, struct tagRECT _a12, intOrPtr _a32, intOrPtr _a36) {
                                				intOrPtr _t18;
                                				void* _t25;
                                				void* _t27;
                                				intOrPtr _t31;
                                				intOrPtr _t36;
                                
                                				_t18 =  *((intOrPtr*)(_a8 + 0x17c));
                                				if(_t18 != 1) {
                                					if(_t18 != 2) {
                                						E0128A265( &_a12,  *0x13d6434,  *0x13d6440);
                                						InflateRect( &_a12, 0xffffffff, 0xffffffff);
                                						_push( *0x13d6438);
                                						goto L5;
                                					} else {
                                						E0128A265( &_a12, 0x7f0000,  *0x13d6440);
                                						InflateRect( &_a12, 0xffffffff, 0xffffffff);
                                						E0128A265( &_a12,  *0x13d643c, 0x7f0000);
                                					}
                                				} else {
                                					E0128A265( &_a12, 0x7f,  *0x13d6440);
                                					InflateRect( &_a12, 0xffffffff, 0xffffffff);
                                					_push(0x7f);
                                					L5:
                                					_push( *0x13d643c);
                                					_push( &_a12);
                                					E0128A265();
                                				}
                                				_t25 = 2;
                                				_push(_t25 - _a32);
                                				_t27 = 2;
                                				InflateRect( &_a12, _t27 - _a36, ??);
                                				_t31 =  *0x13d6434; // 0xf0f0f0
                                				E0128A265( &_a12, _t31, _t31);
                                				InflateRect( &_a12, 1, 1);
                                				_t36 =  *0x13d6434; // 0xf0f0f0
                                				return E0128A265( &_a12, _t36, _t36);
                                 			}

                                APIs
                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0129E1F8
                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0129E227
                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0129E25E
                                • InflateRect.USER32(?,?,?), ref: 0129E289
                                • InflateRect.USER32(?,00000001,00000001), ref: 0129E2A5
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: InflateRect
                                • String ID:
                                • API String ID: 2073123975-0
                                • Opcode ID: eeb89089f06c83d666189ff1839ae8b2c3d987ddc4b79de07bb69062acfc20a0
                                • Instruction ID: 8f84464dc2dc4eaf270d690d9512e957681549abf5f32f73d9446e2d3379409a
                                • Opcode Fuzzy Hash: eeb89089f06c83d666189ff1839ae8b2c3d987ddc4b79de07bb69062acfc20a0
                                • Instruction Fuzzy Hash: F8313EB251621AAFCF21EFA8DC45EBA376EAB48720F540616F624D31C5CA31A8108B60
                                Uniqueness

                                Uniqueness Score: 1.20%

                                C-Code - Quality: 88%
                                			E012AA53B(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr* _t49;
                                				struct HWND__* _t52;
                                				struct HWND__* _t53;
                                				void* _t64;
                                				intOrPtr* _t66;
                                				void* _t70;
                                
                                				_t64 = __edx;
                                				_push(0);
                                				L01369601(0x13851e7, __ebx, __edi, __esi);
                                				_t49 = __ecx;
                                				_t66 =  *((intOrPtr*)(_t70 + 8));
                                				 *((intOrPtr*)(__ecx + 0x90)) = E012789AE(_t66, 0x13d0280);
                                				if(_t66 != 0) {
                                					_t52 =  *(_t66 + 0x20);
                                				} else {
                                					_t52 = 0;
                                				}
                                				if( *(_t49 + 0xc8) != _t52) {
                                					_t74 = _t66;
                                					if(_t66 != 0) {
                                						_t53 =  *(_t66 + 0x20);
                                					} else {
                                						_t53 = 0;
                                					}
                                					 *(_t49 + 0xc8) = _t53;
                                					E01272410(_t70 + 8, E0127859A());
                                					 *((intOrPtr*)(_t70 - 4)) = 0;
                                					E01284613(_t49, _t66, _t66, _t70 + 8);
                                					E012868D4(_t49,  *((intOrPtr*)(_t70 + 8)));
                                					SendMessageW( *(_t49 + 0x20), 0x80, 0, SendMessageW( *(_t66 + 0x20), 0x7f, 0, 0));
                                					SendMessageW( *(_t49 + 0x20), 0x80, 1, SendMessageW( *(_t66 + 0x20), 0x7f, 1, 0));
                                					E012AA31E(_t49, _t49, _t64, _t74, _t66, 1);
                                					if( *((intOrPtr*)( *_t66 + 0x1c4))() != 0) {
                                						if( *((intOrPtr*)(_t49 + 0x90)) == 0 ||  *((intOrPtr*)(_t66 + 0xca0)) == 0 ||  *((intOrPtr*)(_t66 + 0xb54)) == 0) {
                                							_push(2);
                                						} else {
                                							_push(0x12);
                                						}
                                						 *((intOrPtr*)( *_t49 + 0x188))();
                                					}
                                					if(E012789AE(_t66, 0x13d0d1c) != 0 &&  *((intOrPtr*)(_t66 + 0xca0)) != 0) {
                                						 *((intOrPtr*)( *_t49 + 0x188))(0x10);
                                					}
                                					 *((intOrPtr*)( *_t49 + 0x1f0))();
                                					_t26 = L01271470( *((intOrPtr*)(_t70 + 8)) + 0xfffffff0, _t64);
                                				}
                                				return L013696D9(_t26);
                                 			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012AA542
                                  • Part of subcall function 01284613: GetWindowTextLengthW.USER32 ref: 01284624
                                  • Part of subcall function 01284613: GetWindowTextW.USER32 ref: 0128463B
                                  • Part of subcall function 012868D4: IsWindow.USER32(?), ref: 012868E8
                                  • Part of subcall function 012868D4: SetWindowTextW.USER32 ref: 01286910
                                • SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 012AA5BB
                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 012AA5C8
                                • SendMessageW.USER32(?,0000007F,00000001,00000000), ref: 012AA5D3
                                • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 012AA5E0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MessageSendWindow$Text$H_prolog3Length
                                • String ID:
                                • API String ID: 3455290349-0
                                • Opcode ID: c889679dfb7b11bc276f991120e61c11395117202e3c7de18d86ed0597b01ed4
                                • Instruction ID: 2c34f7f5440e16c3944c7da6b2cc3f37bdb98a3a6cff9bf6a2dfcc5b1b4cb1e8
                                • Opcode Fuzzy Hash: c889679dfb7b11bc276f991120e61c11395117202e3c7de18d86ed0597b01ed4
                                • Instruction Fuzzy Hash: 0231AC30760212AFEF28AB24CC95BBE3A65BF44B44F040179FA4A9B2D1CF709844CB95
                                Uniqueness

                                Uniqueness Score: 0.98%

                                C-Code - Quality: 89%
                                			E012C0787(void* __ecx, void* __edx, long _a4, long _a8) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT _v40;
                                				struct tagPOINT _v48;
                                				intOrPtr _v52;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t31;
                                				void* _t35;
                                				intOrPtr _t37;
                                				intOrPtr _t39;
                                				int _t42;
                                				struct tagPOINT* _t43;
                                				void* _t54;
                                				void* _t55;
                                				intOrPtr* _t59;
                                				void* _t61;
                                				struct tagPOINT _t62;
                                				signed int _t64;
                                				struct tagPOINT* _t65;
                                				intOrPtr _t66;
                                				intOrPtr _t67;
                                
                                				_t61 = __edx;
                                				_t55 = __ecx;
                                				_t31 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t31 ^ _t64;
                                				_v48.x = _a4;
                                				_v48.y = _a8;
                                				_t66 =  *0x13d83d4; // 0x0
                                				if(_t66 != 0) {
                                					L8:
                                					_t35 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t67 =  *0x13d97c0; // 0x0
                                					if(_t67 == 0) {
                                						goto L8;
                                					} else {
                                						_t37 = L012BDADD(__ecx, _t62);
                                						_t62 = GetWindowRect;
                                						_t54 = PtInRect;
                                						_v52 = _t37;
                                						if(_t37 == 0 || IsWindow( *(_t37 + 0x10c0)) == 0) {
                                							L5:
                                							_t39 =  *0x13d97c0; // 0x0
                                							_v24.left = 0;
                                							_v24.top = 0;
                                							_v24.right = 0;
                                							_v24.bottom = 0;
                                							GetWindowRect( *(_t39 + 0x20),  &_v24);
                                							_push(_v48.y);
                                							_t62 = _v48.x;
                                							_t42 = PtInRect( &_v24, _t62);
                                							_t71 = _t42;
                                							if(_t42 != 0) {
                                								goto L8;
                                							} else {
                                								_t43 = _t65;
                                								 *_t43 = _t62;
                                								_t43->y = _v48.y;
                                								_t59 =  *0x13d97c0; // 0x0
                                								if(E01300232(_t54,  *((intOrPtr*)( *_t59 + 0x1c0))(), _t61, _t71, _t55, _t55) != 0) {
                                									goto L8;
                                								} else {
                                									_t35 = 1;
                                								}
                                							}
                                						} else {
                                							_v40.left = 0;
                                							_v40.top = 0;
                                							_v40.right = 0;
                                							_v40.bottom = 0;
                                							GetWindowRect( *(_v52 + 0x10c0),  &_v40);
                                							_push(_v48.y);
                                							if(PtInRect( &_v40, _v48) != 0) {
                                								goto L8;
                                							} else {
                                								goto L5;
                                							}
                                						}
                                					}
                                				}
                                				return L01367D3E(_t35, _t54, _v8 ^ _t64, _t61, _t62, 0);
                                 			}

                                APIs
                                • IsWindow.USER32(?), ref: 012C07E0
                                • GetWindowRect.USER32 ref: 012C0803
                                • PtInRect.USER32(?,?,?), ref: 012C080F
                                • GetWindowRect.USER32 ref: 012C082D
                                • PtInRect.USER32(?,?,?), ref: 012C083A
                                  • Part of subcall function 01300232: ScreenToClient.USER32(?,?), ref: 0130024F
                                  • Part of subcall function 01300232: GetParent.USER32(?), ref: 01300266
                                  • Part of subcall function 01300232: GetClientRect.USER32 ref: 013002A4
                                  • Part of subcall function 01300232: MapWindowPoints.USER32 ref: 013002B7
                                  • Part of subcall function 01300232: PtInRect.USER32(?,?,?), ref: 013002C7
                                  • Part of subcall function 01300232: GetClientRect.USER32 ref: 013002F4
                                  • Part of subcall function 01300232: MapWindowPoints.USER32 ref: 01300307
                                  • Part of subcall function 01300232: PtInRect.USER32(?,?,?), ref: 01300317
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Window$Client$ExceptionFilterPointsProcessUnhandled$CurrentDebuggerParentPresentScreenTerminate
                                • String ID:
                                • API String ID: 3938917775-0
                                • Opcode ID: c5fe30387e3c0c99cd53557848070fab4622bc1e8148e8b1e1e17f057e2ac955
                                • Instruction ID: 66614742af50f7cce81ce1e1734da2326c981d77c97309222f1ef4267848591f
                                • Opcode Fuzzy Hash: c5fe30387e3c0c99cd53557848070fab4622bc1e8148e8b1e1e17f057e2ac955
                                • Instruction Fuzzy Hash: C731F275A20219EFCB11DFA9D8448EEBBF8FB48B54B11826AF605E3210D7709900CFA4
                                Uniqueness

                                Uniqueness Score: 2.28%

                                C-Code - Quality: 67%
                                			E01282447(intOrPtr* __ecx, void* __edx, int _a4, int _a8, RECT* _a12, struct HWND__* _a16) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				RECT* _v28;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t29;
                                				struct HWND__* _t45;
                                				void* _t51;
                                				intOrPtr* _t53;
                                				signed int _t54;
                                
                                				_t51 = __edx;
                                				_t29 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t29 ^ _t54;
                                				_t45 = _a16;
                                				_t53 = __ecx;
                                				_v28 = _a12;
                                				if(IsWindowVisible( *(__ecx + 0x20)) != 0 || _v28 != 0 || _t45 != 0) {
                                					_t33 = ScrollWindow( *(_t53 + 0x20), _a4, _a8, _v28, _t45);
                                				} else {
                                					_push(5);
                                					_push( *(_t53 + 0x20));
                                					while(1) {
                                						_t45 = GetWindow();
                                						if(_t45 == 0) {
                                							break;
                                						}
                                						_v24.left = 0;
                                						_v24.top = 0;
                                						_v24.right = 0;
                                						_v24.bottom = 0;
                                						GetWindowRect(_t45,  &_v24);
                                						L01279BD6(_t53,  &_v24);
                                						SetWindowPos(_t45, 0, _v24.left + _a4, _v24.top + _a8, 0, 0, 0x15);
                                						_push(2);
                                						_push(_t45);
                                					}
                                				}
                                				if( *((intOrPtr*)(_t53 + 0x68)) != 0 && _v28 == 0) {
                                					_t53 =  *((intOrPtr*)(_t53 + 0x68));
                                					_t33 =  *((intOrPtr*)( *_t53 + 0x5c))(_a4, _a8);
                                				}
                                				return L01367D3E(_t33, _t45, _v8 ^ _t54, _t51, 0, _t53);
                                 			}

                                APIs
                                • IsWindowVisible.USER32(?), ref: 0128246A
                                • GetWindowRect.USER32 ref: 01282497
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 012824BC
                                • GetWindow.USER32(?,00000005), ref: 012824C5
                                • ScrollWindow.USER32(?,?,?,?,?), ref: 012824E0
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$ClientExceptionFilterProcessScreenUnhandled$CurrentDebuggerPresentRectScrollTerminateVisible
                                • String ID:
                                • API String ID: 54850722-0
                                • Opcode ID: 82ad40e4f197aaa1c87c42294615547fb8694b60c8b3f63267bf6c05739aa90f
                                • Instruction ID: d99d4f706bb5431a8a1fb599cd2f36f9fa5578cae34c8e3a9f57d36470d69a7b
                                • Opcode Fuzzy Hash: 82ad40e4f197aaa1c87c42294615547fb8694b60c8b3f63267bf6c05739aa90f
                                • Instruction Fuzzy Hash: A5212A71910609EBDF21DFA9DC89DAFBBB9FF88314F104419F645A2251E774A940CB60
                                Uniqueness

                                Uniqueness Score: 0.71%

                                C-Code - Quality: 68%
                                			E012B0EB2(void* __ecx, unsigned int _a4) {
                                				void* __ebp;
                                				struct HWND__* _t20;
                                				void* _t23;
                                				void* _t27;
                                				void* _t34;
                                				struct HWND__* _t35;
                                
                                				_t28 = __ecx;
                                				_t34 = __ecx;
                                				if((E01286848(__ecx) & 0x40000000) == 0) {
                                					_t28 = __ecx;
                                					_t27 = L01283CE7(__ecx);
                                				} else {
                                					_t27 = __ecx;
                                				}
                                				if(_t27 == 0) {
                                					L01277AC9(_t28);
                                				}
                                				if((_a4 & 0x0000000c) != 0) {
                                					_t23 = E012869C6(_t27);
                                					if(( !(_a4 >> 3) & 0x00000001) == 0 || _t23 == 0 || _t27 == _t34) {
                                						SendMessageW( *(_t27 + 0x20), 0x86, 0, 0);
                                					} else {
                                						 *(_t34 + 0x58) =  *(_t34 + 0x58) | 0x00000200;
                                						SendMessageW( *(_t27 + 0x20), 0x86, 1, 0);
                                						 *(_t34 + 0x58) =  *(_t34 + 0x58) & 0xfffffdff;
                                					}
                                				}
                                				_push(5);
                                				_push(GetDesktopWindow());
                                				while(1) {
                                					_t20 = GetWindow();
                                					_t35 = _t20;
                                					if(_t35 == 0) {
                                						break;
                                					}
                                					if(E012B074C( *(_t27 + 0x20), _t35) != 0) {
                                						SendMessageW(_t35, 0x36d, _a4, 0);
                                					}
                                					_push(2);
                                					_push(_t35);
                                				}
                                				return _t20;
                                			}










                                APIs
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                • GetWindow.USER32(00000000), ref: 012B0F5A
                                  • Part of subcall function 012869C6: IsWindowEnabled.USER32 ref: 012869CF
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • SendMessageW.USER32(?,00000086,00000001,00000000), ref: 012B0F19
                                • SendMessageW.USER32(?,00000086,00000000,00000000), ref: 012B0F30
                                • GetDesktopWindow.USER32 ref: 012B0F34
                                • SendMessageW.USER32(00000000,0000036D,0000000C,00000000), ref: 012B0F55
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$MessageSend$DesktopEnabledException@8LongThrow
                                • String ID:
                                • API String ID: 447541037-0
                                • Opcode ID: d45d9e7bd2989208c704f6c06d5264fef1f7b3f1065f29652e240255a4139882
                                • Instruction ID: 5548c4b7d444171f35d8050cb81a8dba2200dd7aac7ea1b833a34de045acbe10
                                • Opcode Fuzzy Hash: d45d9e7bd2989208c704f6c06d5264fef1f7b3f1065f29652e240255a4139882
                                • Instruction Fuzzy Hash: BE11BF3137170777FB332A298CC5FEF3A68AF447A0F114114FB45691D2CEA5D84086A8
                                Uniqueness

                                Uniqueness Score: 0.69%

                                C-Code - Quality: 66%
                                			E012A06FE(intOrPtr* __ecx, intOrPtr _a4, struct tagRECT _a8, struct tagPOINT* _a24) {
                                				signed int _v8;
                                				long _v12;
                                				long _v16;
                                				struct tagPOINT _v24;
                                				intOrPtr _v28;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t23;
                                				int _t33;
                                				intOrPtr* _t36;
                                				intOrPtr _t38;
                                				void* _t44;
                                				void* _t48;
                                				struct tagPOINT* _t49;
                                				signed int _t51;
                                
                                				_t23 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t23 ^ _t51;
                                				_t49 = _a24;
                                				_t36 = __ecx;
                                				_t38 = _a4;
                                				_v28 = _t38;
                                				if( *((intOrPtr*)(_t49 + 0x750)) == 0) {
                                					_v24.x = 0;
                                					_v24.y = 0;
                                					_v16 = 0;
                                					_v12 = 0;
                                					GetClientRect( *(E01282D05(_t36, _t38, _t44, GetParent( *(_t49 + 0x20))) + 0x20),  &_v24);
                                					MapWindowPoints( *(E01282D05(_t36,  &_v24, _t44, GetParent( *(_t49 + 0x20))) + 0x20),  *(_t49 + 0x20),  &_v24, 2);
                                					_t49 =  &_v24;
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					_t33 =  *((intOrPtr*)( *_t36 + 0x1d8))(_v28);
                                				} else {
                                					_t33 = FillRect( *(_t38 + 4),  &_a8,  *0x13d647c);
                                				}
                                				_pop(_t48);
                                				return L01367D3E(_t33, _t36, _v8 ^ _t51, _t44, _t48, _t49);
                                			}




















                                APIs
                                • FillRect.USER32(?,?), ref: 012A0735
                                • GetParent.USER32(?), ref: 012A0752
                                • GetClientRect.USER32 ref: 012A0761
                                • GetParent.USER32(?), ref: 012A076A
                                • MapWindowPoints.USER32 ref: 012A077F
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterParentProcessRectUnhandled$ClientCurrentDebuggerFillPointsPresentTerminateWindow
                                • String ID:
                                • API String ID: 764668513-0
                                • Opcode ID: 98967b67850b79dc9a66c5a57f0493b89103ffdd3f394b4e7236ee98e3277443
                                • Instruction ID: 7de15178cb326fca97ba5f34efc3e3fd5d634ed235eaa2d342a76df149755bbe
                                • Opcode Fuzzy Hash: 98967b67850b79dc9a66c5a57f0493b89103ffdd3f394b4e7236ee98e3277443
                                • Instruction Fuzzy Hash: C2214A71910209EFCB10EFA4D9498AEBFB9FF49310F514569E905A7250EB71AA01CFA0
                                Uniqueness

                                Uniqueness Score: 2.59%

                                C-Code - Quality: 95%
                                			E0129CA6C(intOrPtr __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t30;
                                				void* _t47;
                                				intOrPtr* _t51;
                                				void* _t52;
                                
                                				_t47 = __edx;
                                				_t40 = __ebx;
                                				_push(0x1c);
                                				L0136966A(0x1380c14, __ebx, __edi, __esi);
                                				_t51 = __ecx;
                                				if(__ecx != 0 &&  *(__ecx + 0x20) != 0) {
                                					if( *((intOrPtr*)(__ecx + 0xb64)) == 0) {
                                						L5:
                                						SetWindowRgn( *(_t51 + 0x20), 0, 0);
                                					} else {
                                						_t30 =  *((intOrPtr*)( *__ecx + 0x19c))();
                                						_t57 = _t30;
                                						if(_t30 == 0) {
                                							goto L5;
                                						} else {
                                							 *(_t52 - 0x20) = 0;
                                							 *((intOrPtr*)(_t52 - 0x1c)) = 0;
                                							 *((intOrPtr*)(_t52 - 0x18)) = 0;
                                							 *((intOrPtr*)(_t52 - 0x14)) = 0;
                                							GetWindowRect( *(__ecx + 0x20), _t52 - 0x20);
                                							_t40 = 0x138f894;
                                							 *(_t52 - 0x24) = 0;
                                							 *((intOrPtr*)(_t52 - 0x28)) = 0x138f894;
                                							 *(_t52 - 4) = 0;
                                							E0127A097(0x138f894, _t52 - 0x28, _t47, 0, CreateRoundRectRgn(0, 0,  *((intOrPtr*)(_t52 - 0x18)) -  *(_t52 - 0x20) + 1,  *((intOrPtr*)(_t52 - 0x14)) -  *((intOrPtr*)(_t52 - 0x1c)) + 1, 4, 4));
                                							SetWindowRgn( *(_t51 + 0x20),  *(_t52 - 0x24), 0);
                                							 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
                                							 *((intOrPtr*)(_t52 - 0x28)) = 0x138f894;
                                							E0127A27E(0x138f894, _t52 - 0x28, 0, _t51, _t57);
                                						}
                                					}
                                				}
                                				return L013696ED(_t40, 0, _t51);
                                			}








                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0129CA73
                                • GetWindowRect.USER32 ref: 0129CAB4
                                • CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 0129CADE
                                • SetWindowRgn.USER32(?,?,00000000), ref: 0129CAF4
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                • SetWindowRgn.USER32(?,00000000,00000000), ref: 0129CB10
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Rect$CreateH_prolog3_H_prolog3_catch_Round
                                • String ID:
                                • API String ID: 4273792742-0
                                • Opcode ID: 0806353681c1357e35b76fc3e962051c96f05fc54a5b89a6d5b1ff6aade68c38
                                • Instruction ID: 377e45a50c39982c94c63ceaaadb638ea5de4f52eebb22111ef6c1a05b5c19df
                                • Opcode Fuzzy Hash: 0806353681c1357e35b76fc3e962051c96f05fc54a5b89a6d5b1ff6aade68c38
                                • Instruction Fuzzy Hash: 1E11177191030ADFDF25DFA9C8989EEFBB8FF98720F14021AE242B2254D7315901DB24
                                Uniqueness

                                Uniqueness Score: 1.55%

                                C-Code - Quality: 95%
                                			E012A6A84(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, intOrPtr _a4) {
                                				void* __esi;
                                				void* __ebp;
                                				void* _t15;
                                				void* _t29;
                                				void* _t41;
                                				void* _t42;
                                				void* _t44;
                                				intOrPtr* _t45;
                                
                                				_t42 = __edi;
                                				_t41 = __edx;
                                				_t34 = __ecx;
                                				_t33 = __ebx;
                                				_t45 = __ecx;
                                				if( *((char*)(__ecx + 0x99)) != 0) {
                                					return _t15;
                                				}
                                				E01282D05(__ebx, _t34, _t41, SetCapture( *(__ecx + 0x20)));
                                				if( *((intOrPtr*)(_t45 + 0xc0)) == 0) {
                                					 *((intOrPtr*)(_t45 + 0xc0)) = _a4;
                                				}
                                				 *((char*)(_t45 + 0x99)) = 1;
                                				 *((intOrPtr*)( *_t45 + 0x208))(1, _t42);
                                				GetCursorPos(_t45 + 0x124);
                                				if(( *((intOrPtr*)( *_t45 + 0x1ac))() & 0x00000001) != 0) {
                                					_t29 =  *((intOrPtr*)( *_t45 + 0x1ac))();
                                					_t49 = _t29;
                                					if(_t29 >= 0) {
                                						E012792EF(_t33, GetCursorPos, _t45, _t49);
                                						SetCursor(LoadCursorW(0, 0x7f86));
                                					}
                                				}
                                				GetCursorPos(_t45 + 0xf4);
                                				_t37 =  *((intOrPtr*)(_t45 + 0x178));
                                				_pop(_t44);
                                				_t50 =  *((intOrPtr*)(_t45 + 0x178));
                                				if( *((intOrPtr*)(_t45 + 0x178)) == 0) {
                                					_t37 = L012C74B8(0x13d0a78, _t41, _t45);
                                				}
                                				return L012ADC82(_t33, _t37, _t41, _t44, _t45, _t50);
                                			}












                                APIs
                                • SetCapture.USER32(?), ref: 012A6A9C
                                • GetCursorPos.USER32(?), ref: 012A6ADB
                                • LoadCursorW.USER32 ref: 012A6B05
                                • SetCursor.USER32(00000000), ref: 012A6B0C
                                • GetCursorPos.USER32(?), ref: 012A6B19
                                  • Part of subcall function 012ADC82: __EH_prolog3.LIBCMT ref: 012ADC89
                                  • Part of subcall function 012ADC82: GetParent.USER32(?), ref: 012ADCBA
                                  • Part of subcall function 012ADC82: GetWindow.USER32(?,00000000), ref: 012ADD02
                                  • Part of subcall function 012C74B8: GetParent.USER32(?), ref: 012C75B6
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Cursor$Parent$CaptureH_prolog3LoadWindow
                                • String ID:
                                • API String ID: 4133483553-0
                                • Opcode ID: a35797af7507da9e9106ab6016b1f789527b31b5e2729a59bcbb184e9e8864a4
                                • Instruction ID: 918650b7e3386ce37cddbbf8081de51f35090fdc2501303803e5dbacffac4281
                                • Opcode Fuzzy Hash: a35797af7507da9e9106ab6016b1f789527b31b5e2729a59bcbb184e9e8864a4
                                • Instruction Fuzzy Hash: 34119E317503059FDB24AB78C40CFEABBE9EF99715F04082DE28A97241DB70A440CBA1
                                Uniqueness

                                Uniqueness Score: 2.84%

                                C-Code - Quality: 75%
                                			E0127A9F7(void* __ecx, void* __edx, struct HWND__* _a4, WCHAR* _a8) {
                                				signed int _v8;
                                				char _v518;
                                				short _v520;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t9;
                                				struct HWND__* _t23;
                                				void* _t24;
                                				void* _t25;
                                				void* _t28;
                                				int _t30;
                                				void* _t31;
                                				WCHAR* _t33;
                                				void* _t34;
                                				signed int _t38;
                                
                                				_t28 = __edx;
                                				_t25 = __ecx;
                                				_t36 = _t38;
                                				_t9 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t9 ^ _t38;
                                				_t23 = _a4;
                                				_t33 = _a8;
                                				if(_t23 == 0) {
                                					L2:
                                					L01277AC9(_t25);
                                				}
                                				if(_t33 == 0) {
                                					goto L2;
                                				}
                                				_t30 = lstrlenW(_t33);
                                				_v520 = 0;
                                				L01367D50( &_v518, 0, 0x1fe);
                                				if(_t30 > 0x100 || GetWindowTextW(_t23,  &_v520, 0x100) != _t30 || lstrcmpW( &_v520, _t33) != 0) {
                                					_t17 = SetWindowTextW(_t23, _t33);
                                				}
                                				_pop(_t31);
                                				_pop(_t34);
                                				_pop(_t24);
                                				return L01367D3E(_t17, _t24, _v8 ^ _t36, _t28, _t31, _t34);
                                			}





















                                APIs
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • lstrlenW.KERNEL32(?,?,?), ref: 0127AA23
                                • _memset.LIBCMT ref: 0127AA41
                                • GetWindowTextW.USER32 ref: 0127AA5B
                                • lstrcmpW.KERNEL32(?,?,?,?), ref: 0127AA6D
                                • SetWindowTextW.USER32 ref: 0127AA79
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterProcessTextUnhandledWindow$CurrentDebuggerException@8PresentTerminateThrow_memsetlstrcmplstrlen
                                • String ID:
                                • API String ID: 1082789804-0
                                • Opcode ID: 909f5e6ee2a1e6a341ae2292c5ff3d3fec372601111c8143aead75c29448dfcc
                                • Instruction ID: f7e77ce4e2c436585952195233f5bc2f7aeea7a94bff0e8195d9ce690a6179d5
                                • Opcode Fuzzy Hash: 909f5e6ee2a1e6a341ae2292c5ff3d3fec372601111c8143aead75c29448dfcc
                                • Instruction Fuzzy Hash: 32016DB661121AABDB21FBB89D48DFF77BCEF54354F444461EA05E3106EA309A448BA0
                                Uniqueness

                                Uniqueness Score: 3.15%

                                C-Code - Quality: 92%
                                			E012F88B5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t18;
                                				void* _t23;
                                				intOrPtr _t27;
                                				void* _t32;
                                
                                				_push(0);
                                				_t10 = L01369601(0x13842ad, __ebx, __edi, __esi);
                                				_t27 =  *0x13d0894; // 0x1
                                				if(_t27 != 0) {
                                					if( *0x13d15f0 != 0xfffffffe) {
                                						_t10 =  *(_t23 + 8);
                                						 *0x13d15f0 = _t10;
                                						__eflags = _t10 - 0xffffffff;
                                						if(_t10 == 0xffffffff) {
                                							 *0x13d9f68 = 0;
                                						}
                                					} else {
                                						if( *(_t23 + 8) != 0xffffffff) {
                                							_t30 =  *0x13d9f8c & 0x00000001;
                                							if(( *0x13d9f8c & 0x00000001) == 0) {
                                								 *0x13d9f8c =  *0x13d9f8c | 0x00000001;
                                								 *(_t23 - 4) = 0;
                                								L012CB279(__ebx, 0x13d9f6c, __edi, 0, _t30);
                                								E013689DE(_t30, 0x138b490);
                                								 *(_t23 - 4) =  *(_t23 - 4) | 0xffffffff;
                                								_pop(_t18);
                                							}
                                							EnterCriticalSection(0x13d9f74);
                                							_t32 =  *0x13d9f68; // 0x0
                                							if(_t32 != 0) {
                                								L01277AC9(_t18);
                                							}
                                							_t10 = E0136CF98(0x12f885d, 0, 0);
                                							 *0x13d9f68 = _t10;
                                							if(_t10 <= 0 || _t10 == 0xffffffff) {
                                								 *0x13d9f68 = 0;
                                							} else {
                                								SetThreadPriority(_t10, 0xffffffff);
                                								_t10 =  *(_t23 + 8);
                                								 *0x13d15f0 =  *(_t23 + 8);
                                							}
                                							LeaveCriticalSection(0x13d9f74);
                                						}
                                					}
                                				}
                                				return L013696D9(_t10);
                                			}








                                APIs
                                • __EH_prolog3.LIBCMT ref: 012F88BC
                                • EnterCriticalSection.KERNEL32(013D9F74,00000000,0129993F,00000001), ref: 012F8918
                                • LeaveCriticalSection.KERNEL32(013D9F74), ref: 012F8962
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 012CB279: __EH_prolog3.LIBCMT ref: 012CB280
                                • __beginthread.LIBCMT ref: 012F8932
                                  • Part of subcall function 0136CF98: ___set_flsgetvalue.LIBCMT ref: 0136CFBE
                                  • Part of subcall function 0136CF98: __calloc_crt.LIBCMT ref: 0136CFCA
                                  • Part of subcall function 0136CF98: __getptd.LIBCMT ref: 0136CFD7
                                  • Part of subcall function 0136CF98: __initptd.LIBCMT ref: 0136CFE0
                                  • Part of subcall function 0136CF98: CreateThread.KERNEL32(00000000,?,0136CF3F,00000000,00000004,00000000), ref: 0136CFFE
                                  • Part of subcall function 0136CF98: ResumeThread.KERNEL32(00000000,?,013D9F74,?,012F8937,012F885D,00000000,00000000), ref: 0136D00E
                                  • Part of subcall function 0136CF98: GetLastError.KERNEL32(?,013D9F74,?,012F8937,012F885D,00000000,00000000), ref: 0136D019
                                  • Part of subcall function 0136CF98: _free.LIBCMT ref: 0136D022
                                  • Part of subcall function 0136CF98: __dosmaperr.LIBCMT ref: 0136D02D
                                • SetThreadPriority.KERNEL32(00000000,000000FF), ref: 012F894B
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Thread$CriticalH_prolog3Section$CreateEnterErrorException@8LastLeavePriorityResumeThrow___set_flsgetvalue__beginthread__calloc_crt__dosmaperr__getptd__initptd_free
                                • String ID:
                                • API String ID: 4182316935-0
                                • Opcode ID: 95e2f2ce0ac54b9e6fbc24f387a1c7bab7378900d18a77afb7e0fd5b62ecd94c
                                • Instruction ID: 1c08083310c9b293e07f2fd97f58c854ae9b6ca3611cf5373875256230b12b94
                                • Opcode Fuzzy Hash: 95e2f2ce0ac54b9e6fbc24f387a1c7bab7378900d18a77afb7e0fd5b62ecd94c
                                • Instruction Fuzzy Hash: EA11BF70412312DBDB30AB68B84965CFAADA70077DF240B6DE776963D8C3304649CB92
                                Uniqueness

                                Uniqueness Score: 5.54%

                                C-Code - Quality: 100%
                                			E012B0D18(void* __ecx) {
                                				struct tagMSG _v32;
                                				void* __ebp;
                                				void* _t9;
                                				void* _t13;
                                				void* _t26;
                                
                                				_t26 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x88)) != 0) {
                                					if(PeekMessageW( &_v32,  *(__ecx + 0x20), 0x367, 0x367, 3) == 0) {
                                						PostMessageW( *(_t26 + 0x20), 0x367, 0, 0);
                                					}
                                					if(GetCapture() ==  *(_t26 + 0x20)) {
                                						ReleaseCapture();
                                					}
                                					_t13 = L01283CE7(_t26);
                                					if(_t13 == 0) {
                                						_t13 = L01277AC9(0);
                                					}
                                					 *((intOrPtr*)(_t26 + 0x88)) = 0;
                                					 *((intOrPtr*)(_t13 + 0x88)) = 0;
                                					return PostMessageW( *(_t26 + 0x20), 0x36a, 0, 0);
                                				}
                                				return _t9;
                                			}









                                APIs
                                • PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 012B0D3E
                                • PostMessageW.USER32 ref: 012B0D56
                                • GetCapture.USER32 ref: 012B0D58
                                • ReleaseCapture.USER32 ref: 012B0D63
                                • PostMessageW.USER32 ref: 012B0D91
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Message$CapturePost$Exception@8PeekReleaseThrow
                                • String ID:
                                • API String ID: 3917137991-0
                                • Opcode ID: bc4cc64a5ee43b860ab97fe4d1809dd0925c84618cd8d574f79f8bf7031f9aa0
                                • Instruction ID: 5073f2b447c581b194ebc9f7f64dc4fdbc24bc2f9d512ac13e9eed919ba1fb0f
                                • Opcode Fuzzy Hash: bc4cc64a5ee43b860ab97fe4d1809dd0925c84618cd8d574f79f8bf7031f9aa0
                                • Instruction Fuzzy Hash: AD018F71610702BFE7366B25DC8DFAF7ABCFB84B14F14452DF28692195EA60F8008764
                                Uniqueness

                                Uniqueness Score: 0.63%

                                C-Code - Quality: 94%
                                			E012A4CCF(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, int _a4) {
                                				signed int _v8;
                                				char _v264;
                                				short _v268;
                                				void* __ebp;
                                				signed int _t12;
                                				struct HKL__* _t19;
                                				void* _t27;
                                				void* _t28;
                                				void* _t33;
                                				void* _t34;
                                				void* _t35;
                                				signed int _t39;
                                
                                				_t35 = __esi;
                                				_t34 = __edi;
                                				_t33 = __edx;
                                				_t28 = __ecx;
                                				_t27 = __ebx;
                                				_t37 = _t39;
                                				_t12 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t12 ^ _t39;
                                				if(GetKeyboardState( &_v264) == 0) {
                                					L01277AC9(_t28);
                                				}
                                				L01367D50( &_v268, 0, 4);
                                				_t19 = GetKeyboardLayout( *(E0127605F() + 0x30));
                                				return L01367D3E(0 | ToUnicodeEx(_a4, MapVirtualKeyW(_a4, 0),  &_v264,  &_v268, 2, 0, _t19) > 0x00000000, _t27, _v8 ^ _t37, _t33, _t34, _t35);
                                			}
















                                APIs
                                • GetKeyboardState.USER32(?), ref: 012A4CEB
                                • _memset.LIBCMT ref: 012A4D05
                                • GetKeyboardLayout.USER32 ref: 012A4D15
                                • MapVirtualKeyW.USER32(?,00000000), ref: 012A4D33
                                • ToUnicodeEx.USER32 ref: 012A4D3D
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterKeyboardProcessUnhandled$CurrentDebuggerException@8LayoutPresentStateTerminateThrowUnicodeVirtual_memset
                                • String ID:
                                • API String ID: 3059514492-0
                                • Opcode ID: 08302f5a78ff51e61db64d218fb5a8ad216086aa3a51106c4bce79411ec44503
                                • Instruction ID: 3fab531383cf45452e25c0880fbd22bd718499f144e1dfa81edf5780f097d8e2
                                • Opcode Fuzzy Hash: 08302f5a78ff51e61db64d218fb5a8ad216086aa3a51106c4bce79411ec44503
                                • Instruction Fuzzy Hash: E70162B2600209BFDF20AFA5DC49FEE77BCAF14704F504065B646E6095EBB09A848B60
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 86%
                                			E0131C2CB(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t191;
                                				signed int _t200;
                                				signed char _t203;
                                				signed int _t207;
                                				signed int _t210;
                                				signed int _t211;
                                				signed int _t225;
                                				intOrPtr* _t230;
                                				signed int _t238;
                                				struct tagRECT** _t239;
                                				signed char _t247;
                                				signed int _t257;
                                				intOrPtr _t258;
                                				signed int _t261;
                                				intOrPtr* _t268;
                                				signed int _t273;
                                				signed int _t275;
                                				signed int _t281;
                                				signed int _t289;
                                				signed int _t294;
                                				signed int _t299;
                                				signed int _t314;
                                				signed int _t316;
                                				struct tagRECT _t336;
                                				signed int _t354;
                                				intOrPtr _t363;
                                				void* _t365;
                                				intOrPtr _t367;
                                				signed int _t369;
                                				struct tagRECT _t371;
                                				signed int _t372;
                                				struct tagRECT* _t376;
                                				intOrPtr* _t378;
                                				signed int _t389;
                                				void* _t390;
                                				long long _t393;
                                
                                				_t365 = __edx;
                                				_push(0x74);
                                				L0136966A(0x1385acd, __ebx, __edi, __esi);
                                				_t376 =  *(_t390 + 8);
                                				_t316 = __ecx;
                                				_t318 =  *((intOrPtr*)(__ecx + 0x2c));
                                				_t371 = 0;
                                				 *(_t390 - 0x70) = _t376;
                                				 *((intOrPtr*)(_t390 - 0x4c)) =  *((intOrPtr*)(_t390 + 0xc));
                                				if( *((intOrPtr*)(__ecx + 0x2c)) != 0) {
                                					_t191 =  *((intOrPtr*)(__ecx + 4));
                                					__eflags =  *(_t191 - 0xc);
                                					if( *(_t191 - 0xc) == 0) {
                                						goto L1;
                                					}
                                					E0130AF41(_t318, _t390 - 0x80, 1);
                                					__eflags =  *(_t390 - 0x80);
                                					if( *(_t390 - 0x80) != 0) {
                                						L6:
                                						L012893E6( *((intOrPtr*)(_t390 - 0x4c)), _t390 - 0x6c, _t316 + 4);
                                						_t200 =  *((intOrPtr*)( *_t316 + 0x98))();
                                						__eflags = _t200;
                                						if(_t200 != 0) {
                                							L9:
                                							_t203 =  *(L012A5655(_t390 - 0x64, _t316, _t390 - 0x64));
                                							 *(_t390 - 0x50) = _t203;
                                							__eflags = _t203 - _t371;
                                							if(_t203 != _t371) {
                                								_t363 =  *0x13d65cc; // 0x1
                                								_t393 =  *0x13d65c4;
                                								__eflags = _t363 - _t371;
                                								if(_t363 == _t371) {
                                									asm("fld1");
                                								} else {
                                									_t393 = st0;
                                								}
                                								asm("fld1");
                                								asm("fcom st0, st1");
                                								asm("fnstsw ax");
                                								st1 = _t393;
                                								__eflags = _t203 & 0x00000005;
                                								if((_t203 & 0x00000005) != 0) {
                                									st1 = _t393;
                                									st0 = _t393;
                                								} else {
                                									__eflags = _t363 - _t371;
                                									if(_t363 == _t371) {
                                										st1 = _t393;
                                									} else {
                                										st0 = _t393;
                                									}
                                									asm("fimul dword [ebp-0x50]");
                                									 *(_t390 - 0x50) = L0136BAB0(_t203, _t393);
                                								}
                                							}
                                							L19:
                                							__eflags =  *((intOrPtr*)(_t390 + 0x10)) - _t371;
                                							if( *((intOrPtr*)(_t390 + 0x10)) == _t371) {
                                								L43:
                                								 *(_t390 - 0x44) =  *((intOrPtr*)(_t316 + 0x1c)) +  *(_t390 - 0x7c) + 6;
                                								 *(_t390 - 0x20) = _t371;
                                								 *(_t390 - 0x1c) = _t371;
                                								 *(_t390 - 0x18) = _t371;
                                								 *(_t390 - 0x14) = _t371;
                                								_t207 =  *((intOrPtr*)( *_t316 + 0x1a8))();
                                								__eflags = _t207;
                                								if(_t207 != 0) {
                                									_t88 = _t390 - 0x44;
                                									 *_t88 =  *(_t390 - 0x44) + 2;
                                									__eflags =  *_t88;
                                								}
                                								_t371 = _t390 - 0x30;
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								 *(_t390 - 0x2c) =  *(_t390 - 0x44);
                                								 *(_t390 - 0x60) = 0x21;
                                								_t210 =  *((intOrPtr*)( *_t316 + 0x1a8))();
                                								__eflags = _t210;
                                								if(_t210 != 0) {
                                									 *(_t390 - 0x60) = 0x821;
                                								}
                                								_t211 =  *(_t316 + 0xf4);
                                								__eflags = _t211 - 0xffffffff;
                                								if(_t211 != 0xffffffff) {
                                									E01272940(_t316 + 4, _t390 - 0x48, _t211);
                                									_t378 =  *((intOrPtr*)(_t390 - 0x4c));
                                									 *(_t390 - 4) = 3;
                                									 *((intOrPtr*)( *_t378 + 0x68))( *((intOrPtr*)(_t390 - 0x48)),  *((intOrPtr*)( *((intOrPtr*)(_t390 - 0x48)) - 0xc)), _t390 - 0x30,  *(_t390 - 0x60));
                                									 *((intOrPtr*)(_t390 - 0x28)) =  *((intOrPtr*)(_t390 - 0x28)) -  *(_t390 - 0x50);
                                									 *(_t390 - 0x2c) =  *(_t390 - 0x68) +  *(_t390 - 0x44);
                                									E0127EA1D(_t316 + 4, _t390 - 0x58,  *(_t316 + 0xf4) + 1);
                                									_t372 =  *(_t390 - 0x58);
                                									_t367 =  *_t378;
                                									 *(_t390 - 4) = 4;
                                									 *((intOrPtr*)(_t367 + 0x68))(_t372,  *((intOrPtr*)(_t372 - 0xc)), _t390 - 0x30,  *(_t390 - 0x60));
                                									_t225 =  *((intOrPtr*)( *_t316 + 0x98))();
                                									__eflags = _t225;
                                									if(_t225 != 0) {
                                										L53:
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										 *(_t390 - 0x1c) =  *(_t390 - 0x2c) + 2;
                                										_t230 = L012893E6( *((intOrPtr*)(_t390 - 0x4c)), _t390 - 0x78, _t390 - 0x58);
                                										_t371 =  *(_t390 - 0x58);
                                										asm("cdq");
                                										_t336 =  *((intOrPtr*)(_t390 - 0x28)) - ( *((intOrPtr*)(_t390 - 0x28)) -  *(_t390 - 0x30) -  *_t230 - _t367 >> 1);
                                										__eflags = _t336;
                                										 *(_t390 - 0x20) = _t336;
                                										L54:
                                										L01271470(_t371 - 0x10, _t367);
                                										 *(_t390 - 4) =  *(_t390 - 4) | 0xffffffff;
                                										_t339 =  *((intOrPtr*)(_t390 - 0x48)) + 0xfffffff0;
                                										__eflags =  *((intOrPtr*)(_t390 - 0x48)) + 0xfffffff0;
                                										L01271470( *((intOrPtr*)(_t390 - 0x48)) + 0xfffffff0, _t367);
                                										goto L55;
                                									}
                                									_t257 =  *((intOrPtr*)( *_t316 + 0x1a8))();
                                									__eflags = _t257;
                                									if(_t257 == 0) {
                                										goto L54;
                                									}
                                									goto L53;
                                								} else {
                                									_t258 =  *((intOrPtr*)(_t316 + 4));
                                									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t390 - 0x4c)))) + 0x68))(_t258,  *((intOrPtr*)(_t258 - 0xc)), _t390 - 0x30,  *(_t390 - 0x60));
                                									_t339 = _t316;
                                									_t261 =  *((intOrPtr*)( *_t316 + 0x98))();
                                									__eflags = _t261;
                                									if(_t261 != 0) {
                                										L50:
                                										_t369 =  *(_t390 - 0x44);
                                										_t371 = _t390 - 0x20;
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										 *(_t390 - 0x1c) =  &( *(_t390 - 0x68)->left) + _t369;
                                										asm("cdq");
                                										_t268 = L012A5655(_t390 - 0x78, _t316, _t390 - 0x78);
                                										asm("cdq");
                                										 *(_t390 - 0x20) = ( *((intOrPtr*)(_t316 + 0x20)) +  *((intOrPtr*)(_t316 + 0x18)) - _t369 >> 1) - ( *_t268 - _t369 >> 1) - 1;
                                										L55:
                                										_t238 = IsRectEmpty(_t390 - 0x20);
                                										__eflags = _t238;
                                										if(_t238 != 0) {
                                											_t376 = 0;
                                											__eflags = 0;
                                										} else {
                                											 *(_t390 - 0x14) =  *((intOrPtr*)(L012A5655(_t390 - 0x78, _t316, _t390 - 0x78) + 4)) +  *(_t390 - 0x1c);
                                											 *(_t390 - 0x18) =  *(_t390 - 0x20) +  *(_t390 - 0x50);
                                											asm("movsd");
                                											asm("movsd");
                                											asm("movsd");
                                											asm("movsd");
                                											_t376 = 0;
                                											_t247 = OffsetRect(_t390 - 0x40, 0, 1);
                                											__eflags =  *0x13d65cc - _t376; // 0x1
                                											if(__eflags == 0) {
                                												asm("fld1");
                                											} else {
                                												_t393 =  *0x13d65c4;
                                											}
                                											asm("fld1");
                                											asm("fcompp");
                                											asm("fnstsw ax");
                                											__eflags = _t247 & 0x00000005;
                                											if(__eflags != 0) {
                                												_t371 = 0;
                                												__eflags = 0;
                                											} else {
                                												_t371 = 0xd;
                                											}
                                											 *(_t390 - 0x6c) = _t376;
                                											 *(_t390 - 0x68) = _t376;
                                											L012A5768(_t316, _t339, __eflags, _t393,  *((intOrPtr*)(_t390 - 0x4c)), _t371, _t390 - 0x40, 3, _t390 - 0x6c);
                                											__eflags =  *((intOrPtr*)(_t316 + 0x78)) - _t376;
                                											 *(_t390 - 0x5c) = _t376;
                                											 *(_t390 - 0x58) = _t376;
                                											L012A5768(_t316, _t339,  *((intOrPtr*)(_t316 + 0x78)) - _t376, _t393,  *((intOrPtr*)(_t390 - 0x4c)), _t371, _t390 - 0x20, 0 |  *((intOrPtr*)(_t316 + 0x78)) != _t376, _t390 - 0x5c);
                                										}
                                										_t239 =  *(_t390 - 0x70);
                                										 *_t239 = _t376;
                                										_t239[1] = _t376;
                                										L65:
                                										return L013696ED(_t316, _t371, _t376);
                                									}
                                									_t339 = _t316;
                                									_t273 =  *((intOrPtr*)( *_t316 + 0x1a8))();
                                									__eflags = _t273;
                                									if(_t273 == 0) {
                                										goto L55;
                                									}
                                									goto L50;
                                								}
                                							}
                                							E01273740(_t316, 0x13996b0);
                                							_t343 =  *((intOrPtr*)(_t316 + 0x144));
                                							 *(_t316 + 0xf4) =  *(_t316 + 0xf4) | 0xffffffff;
                                							 *(_t390 - 4) = _t371;
                                							__eflags = _t343 - _t371;
                                							if(_t343 != _t371) {
                                								_t275 = 0;
                                								 *(_t390 - 0x60) = 0x7fff;
                                								 *(_t390 - 0x58) = 0;
                                								__eflags = _t343 - _t371;
                                								if(_t343 > _t371) {
                                									while(1) {
                                										__eflags = _t275 - _t371;
                                										if(_t275 < _t371) {
                                											break;
                                										}
                                										__eflags = _t275 -  *((intOrPtr*)(_t316 + 0x144));
                                										if(_t275 >=  *((intOrPtr*)(_t316 + 0x144))) {
                                											break;
                                										}
                                										_t389 =  *( *((intOrPtr*)(_t316 + 0x140)) + _t275 * 4);
                                										E01272940(_t316 + 4, _t390 - 0x48, _t389);
                                										 *(_t390 - 4) = 1;
                                										_t281 =  *((intOrPtr*)( *_t316 + 0x1a8))();
                                										__eflags = _t281;
                                										if(_t281 == 0) {
                                											E0127E841(_t390 - 0x48, 0x13996b8,  *(_t390 - 0x44));
                                											E0129AE20(_t316, _t390 - 0x48, 0x26);
                                											E0127E841(_t390 - 0x48,  *(_t390 - 0x44), 0x138f8d0);
                                										}
                                										_t371 =  *(L012893E6( *((intOrPtr*)(_t390 - 0x4c)), _t390 - 0x38, _t390 - 0x48));
                                										E0127EA1D(_t316 + 4, _t390 - 0x54, _t389 + 1);
                                										 *(_t390 - 4) = 2;
                                										_t289 =  *((intOrPtr*)( *_t316 + 0x1a8))();
                                										__eflags = _t289;
                                										if(_t289 == 0) {
                                											E0127E841(_t390 - 0x54, 0x13996b8,  *(_t390 - 0x44));
                                											E0129AE20(_t316, _t390 - 0x54, 0x26);
                                											E0127E841(_t390 - 0x54,  *(_t390 - 0x44), 0x138f8d0);
                                										}
                                										_t294 =  *((intOrPtr*)(L012893E6( *((intOrPtr*)(_t390 - 0x4c)), _t390 - 0x78, _t390 - 0x54))) +  *(_t390 - 0x50);
                                										__eflags = _t371 - _t294;
                                										if(_t371 > _t294) {
                                											_t294 = _t371;
                                										}
                                										__eflags = _t294 -  *(_t390 - 0x60);
                                										if(_t294 <  *(_t390 - 0x60)) {
                                											 *(_t390 - 0x60) = _t294;
                                											 *(_t316 + 0xf4) = _t389;
                                										}
                                										L01271470( *((intOrPtr*)(_t390 - 0x54)) + 0xfffffff0, _t365);
                                										_t343 =  *((intOrPtr*)(_t390 - 0x48)) + 0xfffffff0;
                                										 *(_t390 - 4) = 0;
                                										L01271470( *((intOrPtr*)(_t390 - 0x48)) + 0xfffffff0, _t365);
                                										 *(_t390 - 0x58) =  *(_t390 - 0x58) + 1;
                                										__eflags =  *(_t390 - 0x58) -  *((intOrPtr*)(_t316 + 0x144));
                                										if( *(_t390 - 0x58) <  *((intOrPtr*)(_t316 + 0x144))) {
                                											_t275 =  *(_t390 - 0x58);
                                											_t371 = 0;
                                											__eflags = 0;
                                											continue;
                                										} else {
                                											_t376 =  *(_t390 - 0x70);
                                											goto L23;
                                										}
                                									}
                                									L01277AC9(_t343);
                                									goto L43;
                                								}
                                								L23:
                                								_t354 =  *(_t390 - 0x60);
                                								L24:
                                								_t299 = _t354 & 0x80000001;
                                								__eflags = _t299;
                                								if(__eflags < 0) {
                                									__eflags = (_t299 - 0x00000001 | 0xfffffffe) + 1;
                                								}
                                								if(__eflags != 0) {
                                									_t354 = _t354 - 1;
                                									__eflags = _t354;
                                								}
                                								_t376->left = _t354;
                                								_t376->top =  *(_t390 - 0x68) +  *(_t390 - 0x68);
                                								L01271470( *(_t390 - 0x44) + 0xfffffff0, _t365);
                                								L2:
                                								goto L65;
                                							}
                                							_t354 =  *(_t390 - 0x6c);
                                							goto L24;
                                						}
                                						_t314 =  *((intOrPtr*)( *_t316 + 0x1a8))();
                                						__eflags = _t314;
                                						if(_t314 != 0) {
                                							goto L9;
                                						} else {
                                							 *(_t390 - 0x50) = _t371;
                                							goto L19;
                                						}
                                					}
                                					__eflags =  *(_t390 - 0x7c);
                                					if( *(_t390 - 0x7c) == 0) {
                                						goto L1;
                                					}
                                					goto L6;
                                				}
                                				L1:
                                				 *_t376 = _t371;
                                				_t376->top = _t371;
                                				goto L2;
                                			}








































                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0131C2D2
                                  • Part of subcall function 012893E6: GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 012893FD
                                  • Part of subcall function 0127E841: _wcslen.LIBCMT ref: 0127E85A
                                  • Part of subcall function 0127E841: _wcslen.LIBCMT ref: 0127E87C
                                  • Part of subcall function 0127E841: _wcslen.LIBCMT ref: 0127E8BD
                                  • Part of subcall function 0127E841: _wcslen.LIBCMT ref: 0127E992
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • IsRectEmpty.USER32 ref: 0131C6F1
                                • OffsetRect.USER32 ref: 0131C72D
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: _wcslen$Rect$EmptyException@8ExtentH_prolog3_OffsetPoint32TextThrow
                                • String ID: !
                                • API String ID: 1576304605-2657877971
                                • Opcode ID: 1ec8bc51834f9d29fcb41820d32362af09f56c6da4f4bfdc5a633c9e31c387d6
                                • Instruction ID: 6ec947290a90bf804df1767401743957a7a09bf91dfc61155d9b567d90791801
                                • Opcode Fuzzy Hash: 1ec8bc51834f9d29fcb41820d32362af09f56c6da4f4bfdc5a633c9e31c387d6
                                • Instruction Fuzzy Hash: B7028D71A0021ADFCF15DFA8C884AEEBBB9FF45314F144169E906EB299DB30A945CF50
                                Uniqueness

                                Uniqueness Score: 3.53%

                                C-Code - Quality: 73%
                                			E012CC4BD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t36;
                                				intOrPtr* _t39;
                                				signed int _t56;
                                				intOrPtr* _t63;
                                				intOrPtr* _t68;
                                				void* _t72;
                                				intOrPtr _t74;
                                				intOrPtr* _t75;
                                				void* _t76;
                                				void* _t81;
                                
                                				_t81 = __eflags;
                                				_t70 = __edx;
                                				_push(0xc);
                                				L01369601(0x138096a, __ebx, __edi, __esi);
                                				_t72 = __ecx;
                                				_push( *((intOrPtr*)(_t76 + 8)));
                                				_push( *0x13d99ac);
                                				_push(_t76 - 0x10);
                                				L012FB33A(__ebx, __ecx, __edx, __ecx, __esi, _t81);
                                				_t74 =  *((intOrPtr*)(_t76 + 0xc));
                                				 *(_t76 - 4) =  *(_t76 - 4) & 0x00000000;
                                				if(_t74 == 0xffffffff) {
                                					_t74 = E0128691B(__ecx, __edx);
                                				}
                                				E01272410(_t76 + 8, E0127859A());
                                				_t56 = 1;
                                				_t83 =  *((intOrPtr*)(_t76 + 0x10)) - 0xffffffff;
                                				 *(_t76 - 4) = 1;
                                				_t36 = _t76 + 8;
                                				if( *((intOrPtr*)(_t76 + 0x10)) != 0xffffffff) {
                                					_push( *((intOrPtr*)(_t76 + 0x10)));
                                					_push(_t74);
                                					E01272AE0(_t36, L"%sBasePane-%d%x",  *((intOrPtr*)(_t76 - 0x10)));
                                				} else {
                                					_push(_t74);
                                					E01272AE0(_t36, L"%sBasePane-%d",  *((intOrPtr*)(_t76 - 0x10)));
                                				}
                                				 *((intOrPtr*)(_t76 - 0x18)) = 0;
                                				 *((intOrPtr*)(_t76 - 0x14)) = 0;
                                				_push(_t56);
                                				_push(0);
                                				 *(_t76 - 4) = 2;
                                				_t39 = L012FB05D(_t56, _t76 - 0x18, _t72, _t74, _t83);
                                				_push( *((intOrPtr*)(_t76 + 8)));
                                				_t75 = _t39;
                                				if( *((intOrPtr*)( *_t75 + 0x10))() != 0) {
                                					 *((intOrPtr*)( *_t75 + 0x54))(L"IsVisible", _t72 + 0x78);
                                					_t63 =  *((intOrPtr*)(_t76 - 0x18));
                                					 *(_t72 + 0x7c) = _t56;
                                					 *(_t76 - 4) = _t56;
                                					__eflags = _t63;
                                					if(_t63 != 0) {
                                						 *((intOrPtr*)( *_t63 + 4))(_t56);
                                					}
                                				} else {
                                					_t68 =  *((intOrPtr*)(_t76 - 0x18));
                                					 *(_t76 - 4) = _t56;
                                					if(_t68 != 0) {
                                						 *((intOrPtr*)( *_t68 + 4))(_t56);
                                					}
                                					_t56 = 0;
                                				}
                                				L01271470( *((intOrPtr*)(_t76 + 8)) + 0xfffffff0, _t70);
                                				L01271470( *((intOrPtr*)(_t76 - 0x10)) + 0xfffffff0, _t70);
                                				return L013696D9(_t56);
                                 			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012CC4C4
                                  • Part of subcall function 012FB33A: __EH_prolog3.LIBCMT ref: 012FB341
                                  • Part of subcall function 012FB05D: __EH_prolog3.LIBCMT ref: 012FB064
                                  • Part of subcall function 0128691B: GetDlgCtrlID.USER32 ref: 01286924
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: H_prolog3$Ctrl
                                • String ID: %sBasePane-%d$%sBasePane-%d%x$IsVisible
                                • API String ID: 3879667756-4027084908
                                • Opcode ID: b5b177cfa8dc1e0812074e6e8718dc730bf5141a980742ec26675ca00dc372e5
                                • Instruction ID: eb107a86e52865fb642b2e67b79d94f181a9b6015befb55fb554259f53b2ea73
                                • Opcode Fuzzy Hash: b5b177cfa8dc1e0812074e6e8718dc730bf5141a980742ec26675ca00dc372e5
                                • Instruction Fuzzy Hash: E731A170911206EFCF15EFB8CC549BF7B64FF25268F04466CE626AB291DB309A14CB90
                                Uniqueness

                                Uniqueness Score: 2.38%

                                C-Code - Quality: 70%
                                			E012CC5B8(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t31;
                                				intOrPtr* _t33;
                                				void* _t44;
                                				intOrPtr* _t54;
                                				intOrPtr* _t64;
                                				intOrPtr _t66;
                                				intOrPtr* _t67;
                                				void* _t68;
                                				void* _t73;
                                
                                				_t73 = __eflags;
                                				_t62 = __edx;
                                				_push(0xc);
                                				L01369601(0x138096a, __ebx, __edi, __esi);
                                				_t64 = __ecx;
                                				_push( *((intOrPtr*)(_t68 + 8)));
                                				_push( *0x13d99ac);
                                				_push(_t68 - 0x10);
                                				L012FB33A(__ebx, __ecx, __edx, __ecx, __esi, _t73);
                                				_t66 =  *((intOrPtr*)(_t68 + 0xc));
                                				 *((intOrPtr*)(_t68 - 4)) = 0;
                                				if(_t66 == 0xffffffff) {
                                					_t66 = E0128691B(__ecx, __edx);
                                				}
                                				E01272410(_t68 + 8, E0127859A());
                                				_t75 =  *((intOrPtr*)(_t68 + 0x10)) - 0xffffffff;
                                				 *((char*)(_t68 - 4)) = 1;
                                				_t31 = _t68 + 8;
                                				if( *((intOrPtr*)(_t68 + 0x10)) != 0xffffffff) {
                                					_push( *((intOrPtr*)(_t68 + 0x10)));
                                					_push(_t66);
                                					E01272AE0(_t31, L"%sBasePane-%d%x",  *((intOrPtr*)(_t68 - 0x10)));
                                				} else {
                                					_push(_t66);
                                					E01272AE0(_t31, L"%sBasePane-%d",  *((intOrPtr*)(_t68 - 0x10)));
                                				}
                                				 *((intOrPtr*)(_t68 - 0x18)) = 0;
                                				 *((intOrPtr*)(_t68 - 0x14)) = 0;
                                				_push(0);
                                				_push(0);
                                				 *((char*)(_t68 - 4)) = 2;
                                				_t33 = L012FB05D(0, _t68 - 0x18, _t64, _t66, _t75);
                                				_push( *((intOrPtr*)(_t68 + 8)));
                                				_t67 = _t33;
                                				if( *((intOrPtr*)( *_t67 + 0xc))() != 0) {
                                					_t44 =  *((intOrPtr*)( *_t64 + 0x178))();
                                					_t62 =  *_t67;
                                					 *((intOrPtr*)( *_t67 + 0x38))(L"IsVisible", _t44);
                                				}
                                				_t54 =  *((intOrPtr*)(_t68 - 0x18));
                                				 *((char*)(_t68 - 4)) = 1;
                                				if(_t54 != 0) {
                                					 *((intOrPtr*)( *_t54 + 4))(1);
                                				}
                                				L01271470( *((intOrPtr*)(_t68 + 8)) + 0xfffffff0, _t62);
                                				L01271470( *((intOrPtr*)(_t68 - 0x10)) + 0xfffffff0, _t62);
                                				return L013696D9(1);
                                 			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012CC5BF
                                  • Part of subcall function 012FB33A: __EH_prolog3.LIBCMT ref: 012FB341
                                  • Part of subcall function 012FB05D: __EH_prolog3.LIBCMT ref: 012FB064
                                  • Part of subcall function 0128691B: GetDlgCtrlID.USER32 ref: 01286924
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: H_prolog3$Ctrl
                                • String ID: %sBasePane-%d$%sBasePane-%d%x$IsVisible
                                • API String ID: 3879667756-4027084908
                                • Opcode ID: 2e4f922279b335a9254af334ced663cdec9e96bbd9404a7b26729f10ba692c7e
                                • Instruction ID: 9a58136652c94ce9f1863c329ecdf4b07e61125790e13037653b886c9bb07be1
                                • Opcode Fuzzy Hash: 2e4f922279b335a9254af334ced663cdec9e96bbd9404a7b26729f10ba692c7e
                                • Instruction Fuzzy Hash: B321C371900206AFDF10EFA4CC589BE7B65FF55368F14466CFA6967390CB309A50CBA1
                                Uniqueness

                                Uniqueness Score: 2.38%

                                C-Code - Quality: 46%
                                			E0128CC49(intOrPtr* __ecx, void* __edx, void* __eflags) {
                                				signed int _v8;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t14;
                                				char _t17;
                                				struct HINSTANCE__* _t23;
                                				_Unknown_base(*)()* _t25;
                                				intOrPtr* _t29;
                                				void* _t37;
                                				void* _t38;
                                				char* _t40;
                                				signed int _t42;
                                				void* _t43;
                                
                                				_t37 = __edx;
                                				_t14 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t14 ^ _t42;
                                				_t29 = __ecx;
                                				if(E0128CBE6(__ecx, __ecx, _t38, __eflags) == 0 || E0128CBCF(_t29) == 0) {
                                					_t17 = 0;
                                					__eflags = 0;
                                				} else {
                                					_v40 = 0;
                                					_v36 = 0;
                                					_v32 = 0;
                                					_v28 = 0;
                                					if( *((intOrPtr*)(_t29 + 0x4b8)) != 0) {
                                						 *((intOrPtr*)( *_t29 + 0x208))( &_v24);
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                					}
                                					_t38 = _t43 - 0x10;
                                					_t40 =  &_v40;
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					 *((intOrPtr*)( *_t29 + 0x210))();
                                					_t23 = GetModuleHandleW(L"DWMAPI");
                                					if(_t23 != 0) {
                                						_t25 = GetProcAddress(_t23, "DwmInvalidateIconicBitmaps");
                                						if(_t25 != 0) {
                                							_t29 = _t29 + 0x43c;
                                							if(_t29 != 0) {
                                								_t29 =  *((intOrPtr*)(_t29 + 0x20));
                                							}
                                							 *_t25(_t29);
                                						}
                                					}
                                					_t17 = 1;
                                				}
                                				return L01367D3E(_t17, _t29, _v8 ^ _t42, _t37, _t38, _t40);
                                 			}

                                APIs
                                • GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,012C36B1), ref: 0128CCC0
                                • GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps,?,?,00000000,?,?,?,?,?,?,?,?,012C36B1), ref: 0128CCD0
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterProcessUnhandled$AddressCurrentDebuggerHandleModulePresentProcTerminate
                                • String ID: DWMAPI$DwmInvalidateIconicBitmaps
                                • API String ID: 2926921055-1098356003
                                • Opcode ID: 5bba25f74d843b2c249763c080e5d8f0a82a4e57a02b5cca48c82dc0b4e81353
                                • Instruction ID: 22d4362426fb09250a781f84d468e72ec5a6178d93b150a749bdd7727cc7ad01
                                • Opcode Fuzzy Hash: 5bba25f74d843b2c249763c080e5d8f0a82a4e57a02b5cca48c82dc0b4e81353
                                • Instruction Fuzzy Hash: 2B1151B1A116069BDB10FF79D8845EF7BE9AF49200B140479AA06EB185EB71D910CB74
                                Uniqueness

                                Uniqueness Score: 4.31%

                                C-Code - Quality: 83%
                                			E0129EB4C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t34;
                                				void* _t36;
                                				signed int _t40;
                                				signed int _t42;
                                				intOrPtr _t44;
                                				intOrPtr _t48;
                                				void* _t53;
                                				void* _t57;
                                				intOrPtr* _t59;
                                				void* _t60;
                                				void* _t61;
                                
                                				_t53 = __edx;
                                				_push(0x24);
                                				L0136966A(0x1380d38, __ebx, __edi, __esi);
                                				_t59 =  *((intOrPtr*)(_t61 + 0xc));
                                				_t44 =  *((intOrPtr*)(_t61 + 8));
                                				if( *((intOrPtr*)( *_t59 + 0x2c))() != 0) {
                                					L3:
                                					 *(_t61 - 0x28) = 1;
                                				} else {
                                					_t42 =  *((intOrPtr*)( *_t59 + 0x30))();
                                					if(_t42 != 0) {
                                						goto L3;
                                					} else {
                                						 *(_t61 - 0x28) =  *(_t61 - 0x28) & _t42;
                                					}
                                				}
                                				if( *((intOrPtr*)( *_t59 + 0x34))() != 0) {
                                					L7:
                                					 *(_t61 - 0x24) = 1;
                                				} else {
                                					_t40 =  *((intOrPtr*)( *_t59 + 0x40))();
                                					if(_t40 != 0) {
                                						goto L7;
                                					} else {
                                						 *(_t61 - 0x24) =  *(_t61 - 0x24) & _t40;
                                					}
                                				}
                                				_t60 = _t59 + 0x18;
                                				_t57 = _t61 - 0x20;
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				InflateRect(_t61 - 0x20, 0xfffffffe, 0xfffffffe);
                                				E012FC185(_t61 - 0x30, _t44);
                                				_t48 =  *0x13d6440; // 0x696969
                                				 *(_t61 - 4) = 0;
                                				if( *(_t61 - 0x28) == 0) {
                                					_t48 =  *0x13d6438; // 0xa0a0a0
                                				}
                                				_t68 =  *(_t61 - 0x24);
                                				_t34 =  *0x13d6444; // 0xe3e3e3
                                				if( *(_t61 - 0x24) == 0) {
                                					_t34 =  *0x13d6434; // 0xf0f0f0
                                				}
                                				_t36 = E012FE7BD(_t44, _t61 - 0x30, _t53, _t57, _t60, _t68, _t61 - 0x20, _t34, _t48);
                                				 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
                                				L012FC19C(_t36, _t61 - 0x30);
                                				return L013696ED(_t44, _t57, _t60);
                                 			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0129EB53
                                • InflateRect.USER32(?,000000FE,000000FE), ref: 0129EBAF
                                  • Part of subcall function 012FE7BD: __EH_prolog3.LIBCMT ref: 012FE7C7
                                  • Part of subcall function 012FE7BD: CreateCompatibleDC.GDI32(?), ref: 012FE842
                                  • Part of subcall function 012FE7BD: CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 012FE879
                                  • Part of subcall function 012FE7BD: SelectObject.GDI32(?,00000000), ref: 012FE8E3
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FE9F6
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEA0B
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEA6B
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEA80
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEB2F
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEB44
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEBA0
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FECE1
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEE31
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEE46
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEEAE
                                  • Part of subcall function 012FE7BD: __floor_pentium4.LIBCMT ref: 012FEFE9
                                  • Part of subcall function 012FE7BD: DeleteObject.GDI32(?), ref: 012FF176
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                 • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                 • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                 • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                 • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                 • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                 • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: __floor_pentium4$CompatibleCreateObject$BitmapDeleteH_prolog3H_prolog3_InflateRectSelect
                                • String ID: iii$
                                • API String ID: 1491969260-462628325
                                • Opcode ID: d80122ed26d64d040b51701d6b2aeed4f2cc4785a463827d05e3d377069a99e4
                                • Instruction ID: 1439c62b37acf345ee63450cee60df1e36c7c0b361cfadb35ab45bcbabee8359
                                • Opcode Fuzzy Hash: d80122ed26d64d040b51701d6b2aeed4f2cc4785a463827d05e3d377069a99e4
                                • Instruction Fuzzy Hash: 69219F70A20219DFCF15DF6CC865DEDB7B9FF5C325B110519E252AB291EB31A900CB64
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 81%
                                			E0127EA42(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t32;
                                				int _t36;
                                				struct HINSTANCE__* _t52;
                                				WCHAR** _t54;
                                				void* _t55;
                                				intOrPtr _t59;
                                
                                				_t53 = __esi;
                                				_t51 = __edi;
                                				_push(0x30);
                                				L01369601(0x137f5b8, __ebx, __edi, __esi);
                                				_t59 =  *((intOrPtr*)(_t55 + 0xc));
                                				 *((intOrPtr*)(_t55 - 4)) = 0;
                                				 *((intOrPtr*)(_t55 - 0x14)) = 0;
                                				_t60 = _t59 == 0;
                                				if(_t59 == 0) {
                                					L01277AC9(__ecx);
                                				}
                                				_t52 =  *(E012792EF(0, _t51, _t53, _t60) + 8);
                                				 *((intOrPtr*)(_t55 - 0x10)) = LoadCursorW(0, 0x7f00);
                                				_t32 = E0127859A();
                                				_t54 =  *(_t55 + 8);
                                				E01272410(_t54, _t32);
                                				_push(0x10);
                                				_push( *((intOrPtr*)(_t55 - 0x10)));
                                				 *((intOrPtr*)(_t55 - 4)) = 0;
                                				_push(8);
                                				_push(_t52);
                                				 *((intOrPtr*)(_t55 - 0x14)) = 1;
                                				E01272AE0(_t54, L"%s:%x:%x:%x:%x",  *((intOrPtr*)(_t55 + 0xc)));
                                				_t50 = _t55 - 0x3c;
                                				_t36 = GetClassInfoW(_t52,  *_t54, _t55 - 0x3c);
                                				_t61 = _t36;
                                				if(_t36 == 0) {
                                					 *((intOrPtr*)(_t55 - 0x38)) = DefWindowProcW;
                                					 *((intOrPtr*)(_t55 - 0x24)) =  *((intOrPtr*)(_t55 - 0x10));
                                					 *(_t55 - 0x18) =  *_t54;
                                					_push(_t55 - 0x3c);
                                					 *(_t55 - 0x3c) = 8;
                                					 *((intOrPtr*)(_t55 - 0x30)) = 0;
                                					 *((intOrPtr*)(_t55 - 0x34)) = 0;
                                					 *(_t55 - 0x2c) = _t52;
                                					 *((intOrPtr*)(_t55 - 0x28)) = 0;
                                					 *((intOrPtr*)(_t55 - 0x20)) = 0x10;
                                					 *((intOrPtr*)(_t55 - 0x1c)) = 0;
                                					if(L01285F4B(0, _t50, _t52, _t54, _t61) == 0) {
                                						L012796BD(_t50);
                                					}
                                				}
                                				return L013696D9(_t54);
                                			}










                                APIs
                                • __EH_prolog3.LIBCMT ref: 0127EA49
                                • LoadCursorW.USER32 ref: 0127EA75
                                • GetClassInfoW.USER32 ref: 0127EAB9
                                  • Part of subcall function 01285F4B: __EH_prolog3_catch.LIBCMT ref: 01285F52
                                  • Part of subcall function 012796BD: __CxxThrowException@8.LIBCMT ref: 012796D3
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Exception@8Throw$ClassCursorH_prolog3H_prolog3_catchInfoLoad
                                • String ID: %s:%x:%x:%x:%x
                                • API String ID: 2691246852-1000192757
                                • Opcode ID: 0f96cd788edf03b86c04c6989186d7f136bfe9fc272842070b58d1f85622df89
                                • Instruction ID: ef934d638495aa19e1e1b1c3501650621a4076feaff262708fc523d03c533478
                                • Opcode Fuzzy Hash: 0f96cd788edf03b86c04c6989186d7f136bfe9fc272842070b58d1f85622df89
                                • Instruction Fuzzy Hash: 152129B0D1121AAFDB10EFA9C884AEEBBB8FF18314F118429E515B7240D7745A44CB64
                                Uniqueness

                                Uniqueness Score: 2.71%

                                C-Code - Quality: 95%
                                			E012A496E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t31;
                                				intOrPtr _t35;
                                				intOrPtr _t40;
                                				void* _t48;
                                				intOrPtr _t61;
                                				intOrPtr* _t64;
                                				void* _t65;
                                
                                				_push(0xc);
                                				L01369601(0x13812b4, __ebx, __edi, __esi);
                                				_t61 =  *((intOrPtr*)(_t65 + 0xc));
                                				_t64 =  *((intOrPtr*)(_t65 + 8));
                                				_t31 =  *0x13d6454; // 0x0
                                				if( *((intOrPtr*)(_t61 + 0xc)) == 0) {
                                					_t31 =  *0x13d6464; // 0x544e43
                                				}
                                				_t58 =  *_t64;
                                				_t48 =  *((intOrPtr*)( *_t64 + 0x30))(_t31);
                                				InflateRect(_t65 + 0x10, 0xffffffff, 0xffffffff);
                                				 *((intOrPtr*)(_t65 + 0x18)) =  *((intOrPtr*)(_t65 + 0x18)) - 2;
                                				_t68 =  *((intOrPtr*)(_t61 + 0xc));
                                				_t35 =  *0x13d645c; // 0xd1b499
                                				if( *((intOrPtr*)(_t61 + 0xc)) == 0) {
                                					_t35 =  *0x13d6460; // 0xdbcdbf
                                				}
                                				E0127A3A8(_t48, _t65 - 0x18, _t58, _t61, _t64, _t68);
                                				 *(_t65 - 4) =  *(_t65 - 4) & 0x00000000;
                                				FillRect( *(_t64 + 4), _t65 + 0x10,  *(_t65 - 0x14));
                                				E01273740(_t48,  *((intOrPtr*)(_t61 + 0x9c)));
                                				_t40 =  *((intOrPtr*)(_t65 - 0x10));
                                				 *(_t65 - 4) = 1;
                                				 *((intOrPtr*)( *_t64 + 0x68))(_t40,  *((intOrPtr*)(_t40 - 0xc)), _t65 + 0x10, 0x8825, _t35);
                                				 *((intOrPtr*)( *_t64 + 0x30))(_t48);
                                				L01271470( *((intOrPtr*)(_t65 - 0x10)) + 0xfffffff0,  *_t64);
                                				 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
                                				 *((intOrPtr*)(_t65 - 0x18)) = 0x138f578;
                                				return L013696D9(E0127A27E(_t48, _t65 - 0x18, _t65 + 0x10, _t64,  *(_t65 - 4)));
                                			}











                                APIs
                                • __EH_prolog3.LIBCMT ref: 012A4975
                                • InflateRect.USER32(?,000000FF,000000FF), ref: 012A49A3
                                  • Part of subcall function 0127A3A8: __EH_prolog3.LIBCMT ref: 0127A3AF
                                  • Part of subcall function 0127A3A8: CreateSolidBrush.GDI32(?), ref: 0127A3CA
                                • FillRect.USER32(00000000,?,?), ref: 012A49D4
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: H_prolog3Rect$BrushCreateFillH_prolog3_catch_InflateSolid
                                • String ID: CNT
                                • API String ID: 3289394523-2405506541
                                • Opcode ID: d84b0f55e2a119047528d28a2faad07d0f67412fe095119d0549bf690d8ffe5c
                                • Instruction ID: c096383fa0a189e6e52ce55476dcee8ab7e9a5b168eb68c50d90ae948e26f67f
                                • Opcode Fuzzy Hash: d84b0f55e2a119047528d28a2faad07d0f67412fe095119d0549bf690d8ffe5c
                                • Instruction Fuzzy Hash: 0821627061020ADFCB14EFA8C849EAEB7B9FF44324F144208F961972C0CB30A954CFA0
                                Uniqueness

                                Uniqueness Score: 8.94%

                                C-Code - Quality: 62%
                                			E012A0649(void* __eflags, intOrPtr _a4, struct tagRECT _a8, intOrPtr _a12, intOrPtr _a28) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t23;
                                				intOrPtr _t29;
                                				intOrPtr _t42;
                                				void* _t46;
                                				signed int _t49;
                                
                                				_t23 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t23 ^ _t49;
                                				_t42 = _a4;
                                				FillRect( *(_t42 + 4),  &_a8,  *0x13d647c);
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				_v24.right = _v24.right + 1;
                                				_v24.bottom = _v24.bottom + 1;
                                				_v24.top = _a12 - 1;
                                				_t29 =  *0x13d6410; // 0x696969
                                				E0128A265( &_v24, _t29, _t29);
                                				InflateRect( &_v24, 0xffffffff, 0xffffffff);
                                				DrawEdge( *(_t42 + 4),  &_v24, 4 + (0 | _a28 == 0x00000001) * 4, 0xf);
                                				return L01367D3E(1, _t42, _v8 ^ _t49, _t46,  &_v24,  &_a8);
                                			}














                                APIs
                                • FillRect.USER32(?,?), ref: 012A066E
                                • InflateRect.USER32(?,000000FF,000000FF), ref: 012A06A5
                                • DrawEdge.USER32(?,?,00000000,0000000F), ref: 012A06C5
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterProcessRectUnhandled$CurrentDebuggerDrawEdgeFillInflatePresentTerminate
                                • String ID: iii
                                • API String ID: 3180629759-940974255
                                • Opcode ID: fc25a96f0a933a5aa57a9ff9663ead2688494467c1d658ba74fbe5ba280fdd49
                                • Instruction ID: e7174671fcf15a31c6e8c8a5df4e4c9cf427da8ba3d66440c6f93fb481557b49
                                • Opcode Fuzzy Hash: fc25a96f0a933a5aa57a9ff9663ead2688494467c1d658ba74fbe5ba280fdd49
                                • Instruction Fuzzy Hash: 23110AB2500209EFCF10DFA8DD849EF7BBDFB49324F104626A925E7195EB319A05CB60
                                Uniqueness

                                Uniqueness Score: 1.47%

                                C-Code - Quality: 89%
                                			E012846F0(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                				void* __esi;
                                				void* __ebp;
                                				struct HINSTANCE__* _t16;
                                				_Unknown_base(*)()* _t17;
                                				void* _t25;
                                				void* _t26;
                                				void* _t27;
                                
                                				_t27 = __eflags;
                                				E012866AF(0xc);
                                				_push(0x1283959);
                                				_t26 = E0127AE89(__ebx, 0x13d8038, __edi, _t25, _t27);
                                				if(_t26 == 0) {
                                					L01277AC9(0x13d8038);
                                				}
                                				_t29 =  *(_t26 + 8);
                                				if( *(_t26 + 8) != 0) {
                                					L7:
                                					E01286721(0xc);
                                					return  *(_t26 + 8)(_a4, _a8, _a12, _a16);
                                				} else {
                                					_push(L"hhctrl.ocx");
                                					_t16 = E01274CA7(0x13d8038, _t26, _t29);
                                					 *(_t26 + 4) = _t16;
                                					if(_t16 != 0) {
                                						_t17 = GetProcAddress(_t16, "HtmlHelpW");
                                						 *(_t26 + 8) = _t17;
                                						__eflags = _t17;
                                						if(_t17 != 0) {
                                							goto L7;
                                						}
                                						FreeLibrary( *(_t26 + 4));
                                						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
                                					}
                                					return 0;
                                				}
                                			}











                                APIs
                                  • Part of subcall function 012866AF: EnterCriticalSection.KERNEL32(013D81D8,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 012866E9
                                  • Part of subcall function 012866AF: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 012866FB
                                  • Part of subcall function 012866AF: LeaveCriticalSection.KERNEL32(013D81D8,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 01286708
                                  • Part of subcall function 012866AF: EnterCriticalSection.KERNEL32(?,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 01286718
                                  • Part of subcall function 0127AE89: __EH_prolog3_catch.LIBCMT ref: 0127AE90
                                • GetProcAddress.KERNEL32(00000000,HtmlHelpW,Function_00013959,0000000C), ref: 01284739
                                • FreeLibrary.KERNEL32(?), ref: 01284749
                                  • Part of subcall function 01286721: LeaveCriticalSection.KERNEL32(?,?,0127AEBE,00000010,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291,00000004,0127126A), ref: 0128673C
                                  • Part of subcall function 01274CA7: ActivateActCtx.KERNEL32(?,?), ref: 01274CC7
                                  • Part of subcall function 01274CA7: LoadLibraryW.KERNEL32(?), ref: 01274CDE
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeaveLibrary$ActivateAddressException@8FreeH_prolog3_catchInitializeLoadProcThrow
                                • String ID: HtmlHelpW$hhctrl.ocx
                                • API String ID: 760637261-3773518134
                                • Opcode ID: 8ff63fb228ae0894db71a981416fd52223da7b1505f599c0eaff5f1b4dd613c4
                                • Instruction ID: 31852014505aba1ff6663f579b032a2a515f75b01d4fc248ca6e9bd42ec8c3b5
                                • Opcode Fuzzy Hash: 8ff63fb228ae0894db71a981416fd52223da7b1505f599c0eaff5f1b4dd613c4
                                • Instruction Fuzzy Hash: 9C01F431122B43EBDB223FA6DC09B6B7B99FF01791F008819F65A951D4EBB0D4508791
                                Uniqueness

                                Uniqueness Score: 0.57%

                                C-Code - Quality: 83%
                                			E0127AB61(struct HWND__* _a4, intOrPtr _a8) {
                                				signed int _v8;
                                				short _v28;
                                				void* __esi;
                                				signed int _t7;
                                				int _t16;
                                				void* _t19;
                                				void* _t22;
                                				void* _t23;
                                				struct HWND__* _t24;
                                				signed int _t25;
                                
                                				_t7 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t7 ^ _t25;
                                				_t24 = _a4;
                                				if(_t24 != 0) {
                                					if((GetWindowLongW(_t24, 0xfffffff0) & 0x0000000f) != _a8) {
                                						goto L1;
                                					} else {
                                						GetClassNameW(_t24,  &_v28, 0xa);
                                						_t16 = CompareStringW(0x409, 1,  &_v28, 0xffffffff, L"combobox", 0xffffffff);
                                						asm("sbb eax, eax");
                                						_t11 =  ~(_t16 - 2) + 1;
                                					}
                                				} else {
                                					L1:
                                					_t11 = 0;
                                				}
                                				return L01367D3E(_t11, _t19, _v8 ^ _t25, _t22, _t23, _t24);
                                			}














                                APIs
                                • GetWindowLongW.USER32(?,000000F0), ref: 0127AB82
                                • GetClassNameW.USER32(?,?,0000000A), ref: 0127AB97
                                • CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 0127ABB1
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ExceptionFilterProcessUnhandled$ClassCompareCurrentDebuggerLongNamePresentStringTerminateWindow
                                • String ID: combobox
                                • API String ID: 369270905-2240613097
                                • Opcode ID: 5ce3c446df30a4b1febfc0fcad6bb8b6692099ad004098ac4e32906b96d288d2
                                • Instruction ID: 5ecffe4b9c0da6cb8ac1a089b2f240bbd43cc6ebde6f236e69c751a8e6728345
                                • Opcode Fuzzy Hash: 5ce3c446df30a4b1febfc0fcad6bb8b6692099ad004098ac4e32906b96d288d2
                                • Instruction Fuzzy Hash: 49F0D132660219ABCB11EF788C46EFE77ACAB15334F540705F922E70C4EA70AA0187A5
                                Uniqueness

                                Uniqueness Score: 2.71%

                                C-Code - Quality: 100%
                                			E012CCF65(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8) {
                                				void* _t16;
                                				intOrPtr _t18;
                                				void* _t19;
                                				intOrPtr _t20;
                                
                                				_t17 = __ecx;
                                				_t20 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x304)) != 0) {
                                					KillTimer( *(__ecx + 0x20), 2);
                                					if(_a8 != 0x12) {
                                						L11:
                                						return 0;
                                					}
                                					if(E01282D05(_t16, _t17, _t19, GetFocus()) == _t20) {
                                						if( *0x13d97c0 != 0) {
                                							L10:
                                							RedrawWindow( *(_t20 + 0x20), 0, 0, 0x105);
                                							L3:
                                							return 1;
                                						}
                                						_t18 = _a4;
                                						L9:
                                						E01286A6F(_t16, _t18, _t19);
                                						goto L10;
                                					}
                                					_t18 = _t20;
                                					goto L9;
                                				}
                                				if(_a8 == 0x79 || _a8 == 0x12) {
                                					goto L3;
                                				} else {
                                					goto L11;
                                				}
                                			}








                                APIs
                                • KillTimer.USER32 ref: 012CCF8C
                                • GetFocus.USER32 ref: 012CCF98
                                • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012CCFC9
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A84
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A93
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286AA9
                                  • Part of subcall function 01286A6F: SetFocus.USER32 ref: 01286ABF
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Parent$Focus$KillRedrawTimerWindow
                                • String ID: y
                                • API String ID: 674144280-4225443349
                                • Opcode ID: 1022396f9519e73f24bce5a969cd545821c8b16c68574fa01c8f32abc4f5f88f
                                • Instruction ID: 7139a713602c544198796b0ff384f1fc879960efa58afec69c343fbdc66f6d06
                                • Opcode Fuzzy Hash: 1022396f9519e73f24bce5a969cd545821c8b16c68574fa01c8f32abc4f5f88f
                                • Instruction Fuzzy Hash: 54F0A4311B4307EBDB315F65D805B697B69FB45F21F10822FF31A95095D7B09550CB50
                                Uniqueness

                                Uniqueness Score: 2.12%

                                APIs
                                • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 01276822
                                • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 01276832
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                • API String ID: 1646373207-2994018265
                                • Opcode ID: e1aab5b5cc9dbe4910e9a1bfea9ad58d2fceec79896aeb70cc663a18687d7a0a
                                • Instruction ID: b68e8fb26533759130cfc570d715ad118286044c98018b403b200011c75e1c4c
                                • Opcode Fuzzy Hash: e1aab5b5cc9dbe4910e9a1bfea9ad58d2fceec79896aeb70cc663a18687d7a0a
                                • Instruction Fuzzy Hash: 97F03C7212020ABFEF221F99DC04FDA3FA9EB08755F044429FB5491061C672C475DB90
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 18%
                                			E01276F23(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                				struct HINSTANCE__* _t7;
                                				_Unknown_base(*)()* _t8;
                                				intOrPtr* _t12;
                                
                                				_t12 = __ecx;
                                				if( *__ecx == 0) {
                                					if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                						L6:
                                						return 1;
                                					}
                                					return RegDeleteKeyW();
                                				}
                                				_t7 = GetModuleHandleW(L"Advapi32.dll");
                                				if(_t7 == 0) {
                                					goto L6;
                                				}
                                				_t8 = GetProcAddress(_t7, "RegDeleteKeyTransactedW");
                                				if(_t8 == 0) {
                                					goto L6;
                                				}
                                				return  *_t8(_a4, _a8, 0, 0,  *_t12, 0);
                                			}







                                APIs
                                • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 01276F37
                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 01276F47
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: Advapi32.dll$RegDeleteKeyTransactedW
                                • API String ID: 1646373207-2168864297
                                • Opcode ID: d1f27174e8b6375fae50d49be972acff7432a9bed98c4c067c7cb16983ee893d
                                • Instruction ID: 32471d7b0df8823048d99998d227da249e7acd55310ae3c6a668c7858ed917c5
                                • Opcode Fuzzy Hash: d1f27174e8b6375fae50d49be972acff7432a9bed98c4c067c7cb16983ee893d
                                • Instruction Fuzzy Hash: 05F08233218A05BBE6322F9EAD08D6FBFAFEBC1B61754483AF246D1004C6724456C761
                                Uniqueness

                                Uniqueness Score: 100.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 012767C9
                                • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 012767D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                • API String ID: 1646373207-3913318428
                                • Opcode ID: 32bc86e5d6ec9f89cc24cd51bea0b836a882544dcad3f2b1cdf17444d226b8c3
                                • Instruction ID: 542b00dc50f2c21c5d4cf28117e86f6f2ffe7c18071f6cdac3e56c9851a7f1eb
                                • Opcode Fuzzy Hash: 32bc86e5d6ec9f89cc24cd51bea0b836a882544dcad3f2b1cdf17444d226b8c3
                                • Instruction Fuzzy Hash: 8CF03A722A061AEBEF211FA9AC04BAA7BADEB04752F144839FA0191050D671D4A5DBA0
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 60%
                                			E0127E603(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                				struct HINSTANCE__* _t13;
                                				_Unknown_base(*)()* _t14;
                                				void* _t15;
                                				struct HINSTANCE__* _t17;
                                				void* _t22;
                                
                                				_t19 = __ecx;
                                				_push(0);
                                				L01369601(0x137f559, __ebx, __edi, __esi);
                                				_t24 =  *0x13d6614 & 0x00000001;
                                				if(( *0x13d6614 & 0x00000001) == 0) {
                                					 *0x13d6614 =  *0x13d6614 | 0x00000001;
                                					 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
                                					_push(L"Shell32.dll");
                                					_t17 = E01274CA7(__ecx, __esi, _t24);
                                					 *(_t22 - 4) =  *(_t22 - 4) | 0xffffffff;
                                					_pop(_t19);
                                					 *0x13d6610 = _t17;
                                				}
                                				_t13 =  *0x13d6610; // 0x0
                                				if(_t13 == 0) {
                                					_t13 = L01277AC9(_t19);
                                				}
                                				_t14 = GetProcAddress(_t13, "SHCreateItemFromParsingName");
                                				if(_t14 != 0) {
                                					_t15 =  *_t14( *((intOrPtr*)(_t22 + 8)),  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)),  *((intOrPtr*)(_t22 + 0x14)));
                                				} else {
                                					_t15 = 0x80004005;
                                				}
                                				return L013696D9(_t15);
                                			}









                                APIs
                                • __EH_prolog3.LIBCMT ref: 0127E60A
                                • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName,00000000), ref: 0127E64B
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 01274CA7: ActivateActCtx.KERNEL32(?,?), ref: 01274CC7
                                  • Part of subcall function 01274CA7: LoadLibraryW.KERNEL32(?), ref: 01274CDE
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ActivateAddressException@8H_prolog3LibraryLoadProcThrow
                                • String ID: SHCreateItemFromParsingName$Shell32.dll
                                • API String ID: 3117607892-214508289
                                • Opcode ID: 44db1f291a7ec125239c51eab86eb4b4e1c2dd328727e27b76f18e1f7679c89a
                                • Instruction ID: 1c99c0aee69044c55b621662084179bd9ac77c3968f0c2ffe8b4dea28cc30b33
                                • Opcode Fuzzy Hash: 44db1f291a7ec125239c51eab86eb4b4e1c2dd328727e27b76f18e1f7679c89a
                                • Instruction Fuzzy Hash: ECF0B470221306AFCF21AFB8ED06B6A3AACBB1033CF014448F531D2198C779C7149B64
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 71%
                                			E0128A99E(void* __ecx) {
                                				char _v8;
                                				struct HINSTANCE__* _t4;
                                				signed int _t5;
                                				void* _t10;
                                				void* _t11;
                                
                                				_t11 = __ecx;
                                				_t4 = GetModuleHandleW(L"COMCTL32.DLL");
                                				if(_t4 != 0) {
                                					_t5 = GetProcAddress(_t4, "TaskDialogIndirect");
                                					asm("sbb eax, eax");
                                					return  ~( ~_t5);
                                				} else {
                                					_push(_t11);
                                					_v8 = 0x13cf4e8;
                                					L0136B20F( &_v8, 0x13beb24);
                                					asm("int3");
                                					_t10 = _t11;
                                					 *((intOrPtr*)(_t10 + 4)) = 1;
                                					return _t10;
                                				}
                                			}









                                APIs
                                • GetModuleHandleW.KERNEL32(COMCTL32.DLL,0127D366,0000001C), ref: 0128A9A3
                                • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 0128A9B8
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: COMCTL32.DLL$TaskDialogIndirect
                                • API String ID: 1646373207-244319309
                                • Opcode ID: 7e033f18b1bdc87cc543fd530e9c58e349581c2e5e283de5b85e8b83e86c4376
                                • Instruction ID: aea7e566c18f78ca1de56f99d01adbe2452c16035be446cd14400443712bad83
                                • Opcode Fuzzy Hash: 7e033f18b1bdc87cc543fd530e9c58e349581c2e5e283de5b85e8b83e86c4376
                                • Instruction Fuzzy Hash: 2BC08C303FA303AACF202BB9980E83A381CD600B067002518F002E6089EAA0800206A0
                                Uniqueness

                                Uniqueness Score: 6.84%

                                C-Code - Quality: 96%
                                			E012C64DE(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t235;
                                				signed int _t251;
                                				signed int _t269;
                                				signed int _t274;
                                				intOrPtr _t299;
                                				signed int _t307;
                                				signed int _t309;
                                				signed int _t319;
                                				intOrPtr _t320;
                                				signed int _t322;
                                				signed int _t326;
                                				void* _t327;
                                				intOrPtr _t338;
                                				intOrPtr* _t354;
                                				signed int _t372;
                                				signed int _t373;
                                				signed int _t382;
                                				intOrPtr* _t384;
                                				signed int _t419;
                                				signed int _t427;
                                				signed int _t429;
                                				signed int _t472;
                                				signed int _t476;
                                				intOrPtr* _t478;
                                				void* _t479;
                                
                                				_t473 = __edx;
                                				_push(0x68);
                                				L0136966A(0x1382537, __ebx, __edi, __esi);
                                				_t476 =  *(_t479 + 8);
                                				_t478 =  *((intOrPtr*)(_t479 + 0xc));
                                				_t382 = __ecx;
                                				if(( !( *(_t476 + 0x18)) & 0x00000001) == 0) {
                                					L15:
                                					 *(_t479 - 0x3c) =  *(_t479 - 0x3c) & 0x00000000;
                                					E012888E2(_t382, _t476, _t476, _t479 - 0x3c);
                                					 *(_t479 - 0x58) =  *(_t479 - 0x58) | 0xffffffff;
                                					E012888E2(_t382, _t476, _t476, _t479 - 0x58);
                                					 *(_t479 - 0x40) =  *(_t479 - 0x40) & 0x00000000;
                                					_t388 = _t476;
                                					E012888E2(_t382, _t476, _t476, _t479 - 0x40);
                                					__eflags =  *(_t479 - 0x40);
                                					if( *(_t479 - 0x40) != 0) {
                                						_t388 = _t382;
                                						_t326 = E012C2D8B(_t382, _t478);
                                						 *(_t479 - 0x4c) = _t326;
                                						__eflags = _t326;
                                						if(_t326 != 0) {
                                							_t473 =  *_t326;
                                							_t78 = _t326 + 0x24c;
                                							 *_t78 =  *(_t326 + 0x24c) & 0x00000000;
                                							__eflags =  *_t78;
                                							_t327 =  *((intOrPtr*)( *_t326 + 0x208))();
                                							_t388 =  *(_t479 - 0x4c);
                                							L012F3749( *(_t479 - 0x4c), _t327);
                                						}
                                					}
                                					 *(_t478 + 0x24c) =  *(_t479 - 0x40);
                                					_t235 = E012789CC(0x1391888, E01282D05(_t382, _t388, _t473, GetParent( *(_t382 + 0x20))));
                                					 *(_t479 - 0x38) =  *(_t479 - 0x38) & 0x00000000;
                                					__eflags =  *(_t479 - 0x3c);
                                					 *((intOrPtr*)(_t479 - 0x48)) = _t235;
                                					if( *(_t479 - 0x3c) <= 0) {
                                						L38:
                                						 *(_t479 - 0x44) =  *(_t479 - 0x44) & 0x00000000;
                                						E012888E2(_t382, _t476, _t476, _t479 - 0x44);
                                						 *(_t479 - 0x3c) =  *(_t479 - 0x3c) & 0x00000000;
                                						E012888E2(_t382, _t476, _t476, _t479 - 0x3c);
                                						 *((intOrPtr*)(_t479 - 0x74)) = 0x139654c;
                                						 *((intOrPtr*)(_t479 - 0x70)) = 0;
                                						 *((intOrPtr*)(_t479 - 0x64)) = 0;
                                						 *((intOrPtr*)(_t479 - 0x68)) = 0;
                                						 *((intOrPtr*)(_t479 - 0x6c)) = 0;
                                						 *(_t479 - 4) = 4;
                                						 *(_t479 - 0x38) = 0;
                                						__eflags =  *(_t479 - 0x3c);
                                						if( *(_t479 - 0x3c) <= 0) {
                                							L40:
                                							L012F3CAD(_t382, _t478,  *(_t479 - 0x44));
                                							E012F4B19(_t478, _t479 - 0x74);
                                							 *(_t479 - 0x34) =  *(_t479 - 0x34) & 0x00000000;
                                							 *(_t382 + 0x28b8) =  *(_t479 - 0x44);
                                							E012888E2(_t382, _t476, _t476, _t479 - 0x34);
                                							E012D6BB9(_t382, _t478, _t473, _t476, _t478, __eflags);
                                							 *(_t382 + 0x28bc) =  *(_t479 - 0x34);
                                							E012888E2(_t382, _t476, _t476, _t479 - 0x34);
                                							_t251 =  *(_t479 - 0x34);
                                							 *(_t478 + 0x108) = _t251;
                                							 *(_t382 + 0x28c0) = _t251;
                                							 *(_t479 - 0x3c) = 1;
                                							E012888E2(_t382, _t476, _t476, _t479 - 0x3c);
                                							 *((intOrPtr*)( *_t478 + 0x240))( *(_t479 - 0x3c), 1,  *(_t479 - 0x34));
                                							 *(_t382 + 0x28cc) =  *(_t479 - 0x3c);
                                							_t383 = 0;
                                							 *((intOrPtr*)(_t479 - 0x20)) = 0;
                                							 *((intOrPtr*)(_t479 - 0x1c)) = 0;
                                							 *((intOrPtr*)(_t479 - 0x18)) = 0;
                                							 *((intOrPtr*)(_t479 - 0x14)) = 0;
                                							E012A66F3(0, _t478, __eflags, _t476, _t479 - 0x20);
                                							L01279BD6(E01282D05(0, _t478, _t473, GetParent( *(_t478 + 0x20))), _t479 - 0x20);
                                							E01286A31(_t478, 0,  *((intOrPtr*)(_t479 - 0x20)),  *((intOrPtr*)(_t479 - 0x18)),  *((intOrPtr*)(_t479 - 0x18)) -  *((intOrPtr*)(_t479 - 0x20)),  *((intOrPtr*)(_t479 - 0x14)) -  *((intOrPtr*)(_t479 - 0x1c)), 0x14);
                                							_t269 =  *((intOrPtr*)( *_t478 + 0x1a8))();
                                							__eflags = _t269;
                                							if(_t269 > 0) {
                                								_t215 =  *((intOrPtr*)( *_t478 + 0x1a8))() - 1; // -1
                                								_t274 =  *(_t479 - 0x58);
                                								__eflags = _t274 - _t215;
                                								if(_t274 > _t215) {
                                									_t274 =  *((intOrPtr*)( *_t478 + 0x1a8))() - 1;
                                									__eflags = _t274;
                                								}
                                								 *((intOrPtr*)( *_t478 + 0x210))(_t274);
                                							}
                                							_t219 = _t479 - 4;
                                							 *_t219 =  *(_t479 - 4) | 0xffffffff;
                                							__eflags =  *_t219;
                                							E012C2E5D(_t479 - 0x74);
                                							L45:
                                							return L013696ED(_t383, _t476, _t478);
                                						} else {
                                							goto L39;
                                						}
                                						do {
                                							L39:
                                							 *(_t479 - 0x4c) =  *(_t479 - 0x4c) | 0xffffffff;
                                							E012888E2(_t382, _t476, _t476, _t479 - 0x4c);
                                							E012CCBFC(_t479 - 0x74,  *(_t479 - 0x38),  *(_t479 - 0x4c));
                                							 *(_t479 - 0x38) =  *(_t479 - 0x38) + 1;
                                							__eflags =  *(_t479 - 0x38) -  *(_t479 - 0x3c);
                                						} while ( *(_t479 - 0x38) <  *(_t479 - 0x3c));
                                						goto L40;
                                					} else {
                                						do {
                                							E01272410(_t479 - 0x50, E0127859A());
                                							_push(_t479 - 0x50);
                                							 *(_t479 - 4) = 2;
                                							E01278786(_t382, _t476, _t473, _t476, _t478, __eflags);
                                							 *(_t479 - 0x54) =  *(_t479 - 0x54) & 0x00000000;
                                							 *(_t479 - 0x40) =  *(_t479 - 0x40) & 0x00000000;
                                							E012888E2(_t382, _t476, _t476, _t479 - 0x54);
                                							__eflags =  *(_t479 - 0x54);
                                							if(__eflags != 0) {
                                								_push(0);
                                								 *(_t479 - 0x40) = L012B73EB(_t382, _t476, _t473, _t476, _t478, __eflags);
                                							}
                                							E01272410(_t479 - 0x44, E0127859A());
                                							_push(_t479 - 0x44);
                                							 *(_t479 - 4) = 3;
                                							E01278786(_t382, _t476, _t473, _t476, _t478, __eflags);
                                							E012888E2(_t382, _t476, _t476, _t479 - 0x60);
                                							E012D2F10(_t478,  *((intOrPtr*)(_t479 - 0x60)));
                                							 *(_t479 - 0x4c) =  *(_t479 - 0x4c) | 0xffffffff;
                                							E012888E2(_t382, _t476, _t476, _t479 - 0x4c);
                                							 *(_t479 - 0x34) =  *(_t479 - 0x34) | 0xffffffff;
                                							E012888E2(_t382, _t476, _t476, _t479 - 0x34);
                                							_t299 =  *((intOrPtr*)(_t479 - 0x50));
                                							__eflags =  *(_t299 - 0xc);
                                							if( *(_t299 - 0xc) == 0) {
                                								__eflags =  *(_t479 - 0x34) - 0xffffffff;
                                								if( *(_t479 - 0x34) == 0xffffffff) {
                                									goto L35;
                                								}
                                								_t427 = E012789CC(0x13d0f0c, E01290575( *((intOrPtr*)(_t479 - 0x48)),  *(_t479 - 0x34)));
                                								 *(_t479 - 0x54) = _t427;
                                								__eflags = _t427;
                                								if(_t427 == 0) {
                                									goto L35;
                                								}
                                								_t307 = L012CB8B6(_t382, _t427, _t473);
                                								 *(_t479 - 0x5c) = _t307;
                                								__eflags = _t307;
                                								if(_t307 != 0) {
                                									 *((intOrPtr*)( *( *(_t479 - 0x54)) + 0x37c))();
                                								}
                                								_t309 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t479 - 0x48)))) + 0x1cc))( *(_t479 - 0x54));
                                								_t429 =  *(_t479 - 0x5c);
                                								 *(_t479 - 0x34) = _t309;
                                								__eflags = _t429;
                                								if(_t429 != 0) {
                                									 *((intOrPtr*)( *_t429 + 0x3c4))( *(_t479 - 0x54));
                                								}
                                							} else {
                                								_t319 = E0128A5C1(_t382 + 0x294c, _t299, 0);
                                								_push( *(_t479 - 0x40));
                                								_push( *((intOrPtr*)(_t479 - 0x50)));
                                								__eflags = _t319;
                                								_t320 =  *((intOrPtr*)( *((intOrPtr*)(_t479 - 0x48))));
                                								if(_t319 != 0) {
                                									 *(_t479 - 0x34) =  *((intOrPtr*)(_t320 + 0x220))();
                                									L32:
                                									__eflags =  *(_t479 - 0x34);
                                									if( *(_t479 - 0x34) != 0) {
                                										 *((intOrPtr*)( *_t478 + 0x188))( *(_t479 - 0x34),  *(_t479 - 0x44), 0xffffffff, 1);
                                										 *((intOrPtr*)( *_t478 + 0x1dc))( *(_t479 - 0x38),  *(_t479 - 0x4c));
                                										__eflags =  *(_t479 + 0x10);
                                										if( *(_t479 + 0x10) != 0) {
                                											 *((intOrPtr*)( *(_t479 - 0x34) + 0x118)) = _t478;
                                										}
                                									}
                                									goto L35;
                                								}
                                								_t322 =  *((intOrPtr*)(_t320 + 0x21c))();
                                								 *(_t479 - 0x34) = _t322;
                                								__eflags = _t322;
                                								if(_t322 == 0) {
                                									goto L35;
                                								}
                                								E0128A7CB(_t382 + 0x294c, _t479 - 0x50);
                                							}
                                							goto L32;
                                							L35:
                                							_t419 =  *(_t479 - 0x40);
                                							__eflags = _t419;
                                							if(_t419 != 0) {
                                								 *((intOrPtr*)( *_t419 + 4))(1);
                                							}
                                							L01271470( *(_t479 - 0x44) + 0xfffffff0, _t473);
                                							 *(_t479 - 4) =  *(_t479 - 4) | 0xffffffff;
                                							L01271470( *((intOrPtr*)(_t479 - 0x50)) + 0xfffffff0, _t473);
                                							 *(_t479 - 0x38) =  *(_t479 - 0x38) + 1;
                                							__eflags =  *(_t479 - 0x38) -  *(_t479 - 0x3c);
                                						} while ( *(_t479 - 0x38) <  *(_t479 - 0x3c));
                                						goto L38;
                                					}
                                				}
                                				 *((intOrPtr*)(_t479 - 0x48)) =  *((intOrPtr*)( *_t478 + 0x1a8))();
                                				E01288211(__ecx, _t476, _t476, _t330);
                                				E01288211(__ecx, _t476, _t476,  *((intOrPtr*)( *_t478 + 0x208))());
                                				E01288211(__ecx, _t476, _t476,  *(_t478 + 0x24c));
                                				 *(_t479 - 0x38) =  *(_t479 - 0x38) & 0x00000000;
                                				if( *((intOrPtr*)(_t479 - 0x48)) <= 0) {
                                					L9:
                                					E01288211(_t382, _t476, _t476,  *((intOrPtr*)(_t478 + 0x1cc)));
                                					_t444 = _t476;
                                					E01288211(_t382, _t476, _t476,  *((intOrPtr*)(_t478 + 0x1c0)));
                                					_t338 =  *((intOrPtr*)(_t478 + 0x1c0));
                                					_t383 = 0;
                                					if(_t338 <= 0) {
                                						L13:
                                						E01288211(_t383, _t476, _t476,  *((intOrPtr*)(_t478 + 0x244)));
                                						E01288211(_t383, _t476, _t476,  *(_t478 + 0x108));
                                						E01288211(_t383, _t476, _t476,  *((intOrPtr*)( *_t478 + 0x244))());
                                						 *(_t479 - 0x30) = 0;
                                						 *((intOrPtr*)(_t479 - 0x2c)) = 0;
                                						 *((intOrPtr*)(_t479 - 0x28)) = 0;
                                						 *((intOrPtr*)(_t479 - 0x24)) = 0;
                                						GetWindowRect( *(_t478 + 0x20), _t479 - 0x30);
                                						E01288537(_t476, _t476, _t479 - 0x30, 0x10);
                                						goto L45;
                                					}
                                					while(_t383 >= 0 && _t383 < _t338) {
                                						_t444 = _t476;
                                						E01288211(_t383, _t476, _t476,  *((intOrPtr*)( *((intOrPtr*)(_t478 + 0x1bc)) + _t383 * 4)));
                                						_t338 =  *((intOrPtr*)(_t478 + 0x1c0));
                                						_t383 = _t383 + 1;
                                						if(_t383 < _t338) {
                                							continue;
                                						}
                                						goto L13;
                                					}
                                					L01277AC9(_t444);
                                					goto L15;
                                				} else {
                                					goto L2;
                                				}
                                				do {
                                					L2:
                                					_t354 = E012789CC(0x139096c,  *((intOrPtr*)( *_t478 + 0x1ac))( *(_t479 - 0x38)));
                                					 *(_t479 - 0x34) =  *(_t479 - 0x34) & 0x00000000;
                                					_t384 = _t354;
                                					E01273740(_t384,  *((intOrPtr*)( *_t384 + 0x20c))(_t479 - 0x34));
                                					 *(_t479 - 4) =  *(_t479 - 4) & 0x00000000;
                                					E01278675(_t476, _t479 - 0x44);
                                					 *(_t479 - 0x3c) = 0 |  *(_t479 - 0x34) != 0x00000000;
                                					E01288211(_t384, _t476, _t476,  *(_t479 - 0x34) != 0);
                                					if( *(_t479 - 0x3c) != 0) {
                                						L012B734F(_t384, _t476, _t473,  *(_t479 - 0x34));
                                						_t472 =  *(_t479 - 0x34);
                                						if(_t472 != 0) {
                                							 *((intOrPtr*)( *_t472 + 4))(1);
                                						}
                                					}
                                					E01272410(_t479 - 0x40, E0127859A());
                                					 *(_t479 - 4) = 1;
                                					 *((intOrPtr*)( *_t478 + 0x1b8))( *(_t479 - 0x38), _t479 - 0x40);
                                					E01278675(_t476, _t479 - 0x40);
                                					E01288211(_t384, _t476, _t476,  *((intOrPtr*)(_t478 + 0x27e4)));
                                					_t372 = E01288211(_t384, _t476, _t476,  *((intOrPtr*)( *_t478 + 0x1d8))( *(_t479 - 0x38)));
                                					_t382 =  *(_t384 + 0x434);
                                					_t373 = _t372 | 0xffffffff;
                                					if(_t382 != 0 &&  *(_t382 + 0x20) != 0) {
                                						_t373 = E0128691B(_t382, _t473);
                                					}
                                					E01288211(_t382, _t476, _t476, _t373);
                                					L01271470( *(_t479 - 0x40) + 0xfffffff0, _t473);
                                					 *(_t479 - 4) =  *(_t479 - 4) | 0xffffffff;
                                					L01271470( *(_t479 - 0x44) + 0xfffffff0, _t473);
                                					 *(_t479 - 0x38) =  *(_t479 - 0x38) + 1;
                                				} while ( *(_t479 - 0x38) <  *((intOrPtr*)(_t479 - 0x48)));
                                				goto L9;
                                			}

                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012C64E5
                                  • Part of subcall function 0128691B: GetDlgCtrlID.USER32 ref: 01286924
                                • GetWindowRect.USER32 ref: 012C66DD
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetParent.USER32(?), ref: 012C6761
                                  • Part of subcall function 012B73EB: __EH_prolog3_catch.LIBCMT ref: 012B73F2
                                  • Part of subcall function 012CB8B6: GetParent.USER32(?), ref: 012CB8E7
                                  • Part of subcall function 012F3CAD: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012F3D12
                                  • Part of subcall function 012F3CAD: GetParent.USER32(?), ref: 012F3D44
                                  • Part of subcall function 012F3CAD: RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 012F3D5C
                                  • Part of subcall function 012F4B19: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012F4BC4
                                  • Part of subcall function 012D6BB9: __EH_prolog3.LIBCMT ref: 012D6BC0
                                • GetParent.USER32(?), ref: 012C6A55
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BE7
                                  • Part of subcall function 01279BD6: ScreenToClient.USER32(?,?), ref: 01279BF4
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                  • Part of subcall function 01278786: __EH_prolog3_GS.LIBCMT ref: 01278790
                                  • Part of subcall function 012F3749: InvalidateRect.USER32(?,?,00000001), ref: 012F378F
                                  • Part of subcall function 012F3749: UpdateWindow.USER32 ref: 012F3798
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Parent$Redraw$ClientH_prolog3_RectScreen$CtrlException@8H_prolog3H_prolog3_catchInvalidateThrowUpdate
                                • String ID:
                                • API String ID: 925417098-0
                                • Opcode ID: 0b501b006010786554b87bd9b571155ddb1b0856d48618964e426a3a2c468182
                                • Instruction ID: 1ac201e7964c7b262176976fad53e825d2be17a4e2b09b010abcd9d86c1b9925
                                • Opcode Fuzzy Hash: 0b501b006010786554b87bd9b571155ddb1b0856d48618964e426a3a2c468182
                                • Instruction Fuzzy Hash: 97123A71A1120AEFDF15EFA8D898AFDBBB6BF58310F24012DE616E7290DB345905CB11
                                Uniqueness

                                Uniqueness Score: 4.65%

                                C-Code - Quality: 91%
                                			E012AC565(signed int* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, struct tagRECT* _a16, intOrPtr _a20, signed int _a24) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				RECT* _v28;
                                				signed int _v32;
                                				signed int _v36;
                                				signed int _v40;
                                				intOrPtr _v44;
                                				signed int _v48;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t91;
                                				struct tagRECT* _t93;
                                				signed int* _t100;
                                				signed int _t101;
                                				long _t102;
                                				signed int _t107;
                                				signed int _t108;
                                				signed int _t109;
                                				signed int _t112;
                                				signed int _t113;
                                				signed int* _t114;
                                				RECT* _t117;
                                				RECT* _t118;
                                				signed int* _t119;
                                				signed int* _t120;
                                				signed int _t122;
                                				signed int* _t125;
                                				void* _t126;
                                				signed int* _t130;
                                				signed int _t142;
                                				signed int _t147;
                                				intOrPtr _t182;
                                				void* _t183;
                                				void* _t185;
                                				long _t188;
                                				signed int _t191;
                                
                                				_t91 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t91 ^ _t191;
                                				_t93 = _a16;
                                				_t130 = __ecx;
                                				_t182 = _a4;
                                				_v44 = _a20;
                                				_v28 = _t93;
                                				_v36 = _a24;
                                				SetRectEmpty(_t93);
                                				if(GetKeyState(0x11) < 0) {
                                					L36:
                                					_pop(_t183);
                                					return L01367D3E(_t95, _t130, _v8 ^ _t191, _t171, _t183, _t185);
                                				}
                                				_v48 = _v48 & 0x00000000;
                                				_v40 = _v40 & 0x00000000;
                                				_v32 =  *_t130;
                                				_t100 =  *((intOrPtr*)(_v32 + 0x14))(_a8, _a12, E012789CC(0x13d04b0, _t182), 1, _t185);
                                				if(_t100 == 0) {
                                					L3:
                                					_t101 = _t130[0x6e];
                                					if(_t101 == 0 ||  *((intOrPtr*)(_t101 + 8)) == 0 ||  *((intOrPtr*)(_t101 + 4)) == 0) {
                                						_t102 = 0;
                                						__eflags = 0;
                                					} else {
                                						_t102 = E012789CC(0x1397d4c,  *((intOrPtr*)( *((intOrPtr*)(E012789CC(0x13d04b0, _t182))) + 0x1a4))());
                                					}
                                					_t171 =  *_t130;
                                					_t142 = E012789CC(0x13d0f0c,  *((intOrPtr*)( *_t130 + 0x10))(_a8, _a12,  *0x13d0520, 1, 0, 1, _t102));
                                					_v32 = _t142;
                                					if(_t142 == 0 || E012D83B6(_t130, _t142, _t171, _t182, 0x13d04b0) == 0) {
                                						_t107 = L012AB66D(_t130, _t171, __eflags, _a8, _a12,  &_v40,  &_v48);
                                						__eflags = _t107;
                                						_t95 = _v36;
                                						if(_t107 == 0) {
                                							 *_t95 =  *_t95 & 0x00000000;
                                							__eflags =  *_t95;
                                							goto L35;
                                						}
                                						 *_t95 =  *_t95 & 0x00000000;
                                						_t108 = E012789AE(_t182, 0x13d04b0);
                                						__eflags = _t108;
                                						if(_t108 == 0) {
                                							_t109 = E012789AE(_t182, 0x13d0f0c);
                                							__eflags = _t109;
                                							if(_t109 == 0) {
                                								L20:
                                								_t188 = 0;
                                								__eflags = 0;
                                								L21:
                                								_v24.left = _t188;
                                								_v24.top = _t188;
                                								_v24.right = _t188;
                                								_v24.bottom = _t188;
                                								GetWindowRect( *(_t182 + 0x20),  &_v24);
                                								__eflags = _v48 - _t188;
                                								if(_v48 == _t188) {
                                								}
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								_t112 = E01286862(_t130[0x39]);
                                								_t147 = _v40;
                                								_t113 = _t112 & 0x00400000;
                                								__eflags = _t147 - 0x1000;
                                								if(_t147 == 0x1000) {
                                									__eflags = _t113;
                                									_t114 = _v28;
                                									if(_t113 == 0) {
                                										goto L29;
                                									}
                                									goto L33;
                                								} else {
                                									__eflags = _t147 - 0x2000;
                                									if(_t147 == 0x2000) {
                                										_t117 = _v28;
                                										_t171 = _t117->top - _v24.top + _v24.bottom;
                                										 *(_t117 + 0xc) = _t117->top - _v24.top + _v24.bottom;
                                										L30:
                                										 *((intOrPtr*)( *_t130 + 0x5c))(_v28, _t147);
                                										_t95 = L01279C17(_t130[0x39], _v28);
                                										goto L35;
                                									}
                                									__eflags = _t147 - 0x4000;
                                									if(_t147 == 0x4000) {
                                										__eflags = _t113;
                                										_t114 = _v28;
                                										if(_t113 == 0) {
                                											L33:
                                											_t171 = _t114[2] - _v24.right + _v24.left;
                                											 *_t114 = _t114[2] - _v24.right + _v24.left;
                                											goto L30;
                                										}
                                										L29:
                                										_t171 =  *_t114 - _v24.left + _v24.right;
                                										__eflags = _t171;
                                										_t114[2] = _t171;
                                										goto L30;
                                									}
                                									__eflags = _t147 - 0x8000;
                                									if(_t147 == 0x8000) {
                                										_t118 = _v28;
                                										_t171 = _t118->bottom - _v24.bottom + _v24.top;
                                										 *(_t118 + 4) = _t118->bottom - _v24.bottom + _v24.top;
                                									}
                                									goto L30;
                                								}
                                							}
                                							_t119 = E012789CC(0x13d0f0c, _t182);
                                							_t171 =  *_t119;
                                							_t95 =  *((intOrPtr*)( *_t119 + 0x194))();
                                							__eflags = _v40 & _t95;
                                							if((_v40 & _t95) == 0) {
                                								goto L35;
                                							}
                                							goto L20;
                                						}
                                						_t120 = E012789CC(0x13d04b0, _t182);
                                						_t171 =  *_t120;
                                						_t122 = E012789CC(0x139ada0,  *((intOrPtr*)( *_t120 + 0x1a4))());
                                						_t188 = 0;
                                						__eflags = _t122;
                                						if(_t122 == 0) {
                                							goto L21;
                                						}
                                						_t171 =  *_t122;
                                						_t95 =  *((intOrPtr*)( *_t122 + 0x194))();
                                						__eflags = _v40 & _t95;
                                						if((_v40 & _t95) == 0) {
                                							goto L35;
                                						}
                                						goto L21;
                                					} else {
                                						if(E012789AE(_t182, 0x13d04b0) == 0) {
                                							L12:
                                							_t125 = E012D83B6(_t130, _v32, _t171, _t182, 0x13d04b0);
                                							_t171 =  *_t125;
                                							_t95 =  *((intOrPtr*)( *_t125 + 0x298))(_t182, _a8, _a12, _v28, _v44, _v36);
                                							L35:
                                							_pop(_t185);
                                							goto L36;
                                						}
                                						_t126 = E012789CC(0x13d04b0, _t182);
                                						_t171 =  *_v32;
                                						_push(_t126);
                                						if( *((intOrPtr*)( *_v32 + 0x338))() == 0) {
                                							goto L35;
                                						}
                                						goto L12;
                                					}
                                				}
                                				_t171 =  *_t100;
                                				 *((intOrPtr*)( *_t100 + 0x1bc))(_t182, _a8, _a12, _v28, _v44, _v36);
                                				if(IsRectEmpty(_v28) == 0) {
                                					goto L35;
                                				}
                                				goto L3;
                                			}

                                APIs
                                • SetRectEmpty.USER32 ref: 012AC591
                                • GetKeyState.USER32 ref: 012AC599
                                • IsRectEmpty.USER32 ref: 012AC5F6
                                • GetWindowRect.USER32 ref: 012AC773
                                  • Part of subcall function 01286862: GetWindowLongW.USER32(?,000000EC), ref: 0128686D
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C28
                                  • Part of subcall function 01279C17: ClientToScreen.USER32(?,?), ref: 01279C35
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$ClientEmptyExceptionFilterProcessScreenUnhandledWindow$CurrentDebuggerLongPresentStateTerminate
                                • String ID:
                                • API String ID: 2395382703-0
                                • Opcode ID: 9c9f23d06fe747a6efb9cfb796a5e0bc45cbaf502b59faee9d42de88b7336f26
                                • Instruction ID: d1373ed1ac9b79643f8339216f8f70a2d4c33f72857658ed73a56d1035a04f97
                                • Opcode Fuzzy Hash: 9c9f23d06fe747a6efb9cfb796a5e0bc45cbaf502b59faee9d42de88b7336f26
                                • Instruction Fuzzy Hash: DE917171A10206DFDF19DFA4C848AFEBBB9FF48710F148169EA05AB254DB319850CFA4
                                Uniqueness

                                Uniqueness Score: 2.12%

                                C-Code - Quality: 92%
                                			E0128ABAF(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t125;
                                				signed int _t126;
                                				signed int _t161;
                                				signed int _t172;
                                				void* _t173;
                                				signed int _t198;
                                				signed int _t200;
                                				signed int _t205;
                                				void* _t206;
                                				signed int _t212;
                                				signed int _t214;
                                				signed int _t221;
                                				signed int _t223;
                                				void* _t224;
                                
                                				_t174 = __ecx;
                                				_push(0x14);
                                				L01369601(0x138008c, __ebx, __edi, __esi);
                                				_t223 = __ecx;
                                				 *((intOrPtr*)(_t224 - 0x1c)) = __ecx;
                                				_t198 = 0;
                                				 *(_t224 - 0x10) = 0;
                                				_t172 =  *(_t224 + 8);
                                				if(_t172 >= 0) {
                                					L2:
                                					_t124 =  *(_t224 + 0xc);
                                					if(_t124 >= _t198) {
                                						 *(_t223 + 0x10) = _t124;
                                					}
                                					if(_t172 != _t198) {
                                						_t174 =  *(_t223 + 4);
                                						__eflags = _t174 - _t198;
                                						if(_t174 != _t198) {
                                							_t200 =  *(_t223 + 0xc);
                                							__eflags = _t172 - _t200;
                                							if(_t172 > _t200) {
                                								_t125 =  *(_t223 + 0x10);
                                								__eflags = _t125 - _t198;
                                								if(_t125 == _t198) {
                                									asm("cdq");
                                									_t198 = _t198 & 0x00000007;
                                									_t125 =  *(_t223 + 8) + _t198 >> 3;
                                									__eflags = _t125 - 4;
                                									if(_t125 >= 4) {
                                										_t174 = 0x400;
                                										__eflags = _t125 - 0x400;
                                										if(_t125 > 0x400) {
                                											_t125 = 0x400;
                                										}
                                									} else {
                                										_t125 = 4;
                                									}
                                								}
                                								_t126 = _t125 + _t200;
                                								 *(_t224 + 0xc) = _t126;
                                								__eflags = _t172 - _t126;
                                								if(_t172 >= _t126) {
                                									 *(_t224 + 0xc) = _t172;
                                								}
                                								__eflags =  *(_t224 + 0xc) - _t200;
                                								if(__eflags < 0) {
                                									goto L1;
                                								} else {
                                									 *(_t224 - 0x14) = E01274753(__eflags,  *(_t224 + 0xc) * 0xc);
                                									L01277D0D(_t128,  *(_t224 + 0xc) * 0xc,  *(_t223 + 4),  *(_t223 + 8) * 0xc);
                                									L01367D50( *(_t223 + 8) * 0xc +  *(_t224 - 0x14), 0, (_t172 -  *(_t223 + 8)) * 0xc);
                                									 *(_t224 + 8) =  *(_t224 + 8) & 0x00000000;
                                									__eflags = _t172 -  *(_t223 + 8);
                                									if(_t172 -  *(_t223 + 8) <= 0) {
                                										L49:
                                										_push( *(_t223 + 4));
                                										E01274782();
                                										 *(_t223 + 4) =  *(_t224 - 0x14);
                                										L50:
                                										_t124 =  *(_t224 + 0xc);
                                										 *(_t223 + 0xc) =  *(_t224 + 0xc);
                                										L51:
                                										 *(_t223 + 8) = _t172;
                                										L52:
                                										return L013696D9(_t124);
                                									} else {
                                										goto L44;
                                									}
                                									do {
                                										L44:
                                										_t212 = ( *(_t223 + 8) +  *(_t224 + 8)) * 0xc +  *(_t224 - 0x14);
                                										__eflags = _t212;
                                										 *(_t224 - 0x20) = _t212;
                                										 *(_t224 - 4) = 6;
                                										if(_t212 != 0) {
                                											E01272410(_t224 - 0x18, E0127859A());
                                											_t100 = _t224 - 0x10;
                                											 *_t100 =  *(_t224 - 0x10) | 0x00000004;
                                											__eflags =  *_t100;
                                											 *(_t224 - 4) = 7;
                                											E0128AB80(_t212,  *_t100, 0, _t224 - 0x18, 0);
                                										}
                                										 *(_t224 - 4) =  *(_t224 - 4) | 0xffffffff;
                                										__eflags =  *(_t224 - 0x10) & 0x00000004;
                                										if(( *(_t224 - 0x10) & 0x00000004) != 0) {
                                											 *(_t224 - 0x10) =  *(_t224 - 0x10) & 0xfffffffb;
                                											__eflags =  *(_t224 - 0x18) + 0xfffffff0;
                                											L01271470( *(_t224 - 0x18) + 0xfffffff0, _t198);
                                										}
                                										 *(_t224 + 8) =  *(_t224 + 8) + 1;
                                										__eflags =  *(_t224 + 8) - _t172 -  *(_t223 + 8);
                                									} while ( *(_t224 + 8) < _t172 -  *(_t223 + 8));
                                									goto L49;
                                								}
                                							}
                                							_t124 =  *(_t223 + 8);
                                							__eflags = _t124 - _t172;
                                							if(__eflags >= 0) {
                                								if(__eflags <= 0) {
                                									goto L51;
                                								}
                                								_t124 = _t124 - _t172;
                                								 *(_t224 + 8) = _t198;
                                								__eflags = _t124;
                                								if(_t124 <= 0) {
                                									goto L51;
                                								}
                                								_t214 = _t172 * 0xc;
                                								__eflags = _t214;
                                								do {
                                									L01271470( *((intOrPtr*)( *(_t223 + 4) + _t214 + 4)) - 0x10, _t198);
                                									 *(_t224 + 8) =  *(_t224 + 8) + 1;
                                									_t124 =  *(_t223 + 8) - _t172;
                                									_t214 = _t214 + 0xc;
                                									__eflags =  *(_t224 + 8) -  *(_t223 + 8) - _t172;
                                								} while ( *(_t224 + 8) <  *(_t223 + 8) - _t172);
                                								goto L51;
                                							}
                                							L01367D50(_t124 * 0xc + _t174, _t198, (_t172 - _t124) * 0xc);
                                							 *(_t224 + 8) =  *(_t224 + 8) & 0x00000000;
                                							_t124 = _t172 -  *(_t223 + 8);
                                							__eflags = _t172 -  *(_t223 + 8);
                                							if(_t172 -  *(_t223 + 8) <= 0) {
                                								goto L51;
                                							} else {
                                								goto L24;
                                							}
                                							do {
                                								L24:
                                								_t221 = ( *(_t223 + 8) +  *(_t224 + 8)) * 0xc +  *(_t223 + 4);
                                								__eflags = _t221;
                                								 *(_t224 - 0x18) = _t221;
                                								 *(_t224 - 4) = 3;
                                								if(_t221 != 0) {
                                									E01272410(_t224 + 0xc, E0127859A());
                                									_t56 = _t224 - 0x10;
                                									 *_t56 =  *(_t224 - 0x10) | 0x00000002;
                                									__eflags =  *_t56;
                                									 *(_t224 - 4) = 4;
                                									E0128AB80(_t221,  *_t56, 0, _t224 + 0xc, 0);
                                								}
                                								 *(_t224 - 4) =  *(_t224 - 4) | 0xffffffff;
                                								__eflags =  *(_t224 - 0x10) & 0x00000002;
                                								if(( *(_t224 - 0x10) & 0x00000002) != 0) {
                                									 *(_t224 - 0x10) =  *(_t224 - 0x10) & 0xfffffffd;
                                									__eflags =  *(_t224 + 0xc) + 0xfffffff0;
                                									L01271470( *(_t224 + 0xc) + 0xfffffff0, _t198);
                                								}
                                								 *(_t224 + 8) =  *(_t224 + 8) + 1;
                                								_t124 = _t172 -  *(_t223 + 8);
                                								__eflags =  *(_t224 + 8) - _t172 -  *(_t223 + 8);
                                							} while ( *(_t224 + 8) < _t172 -  *(_t223 + 8));
                                							goto L51;
                                						}
                                						_t161 =  *(_t223 + 0x10);
                                						 *(_t224 + 0xc) = _t172;
                                						__eflags = _t172 - _t161;
                                						if(__eflags <= 0) {
                                							 *(_t224 + 0xc) = _t161;
                                						}
                                						 *(_t223 + 4) = E01274753(__eflags,  *(_t224 + 0xc) * 0xc);
                                						L01367D50(_t162, 0,  *(_t224 + 0xc) * 0xc);
                                						 *(_t224 + 8) =  *(_t224 + 8) & 0x00000000;
                                						__eflags = _t172;
                                						if(_t172 > 0) {
                                							do {
                                								_t205 =  *(_t224 + 8) * 0xc +  *(_t223 + 4);
                                								__eflags = _t205;
                                								 *(_t224 - 0x18) = _t205;
                                								 *(_t224 - 4) = 0;
                                								if(_t205 != 0) {
                                									E01272410(_t224 - 0x14, E0127859A());
                                									_t30 = _t224 - 0x10;
                                									 *_t30 =  *(_t224 - 0x10) | 0x00000001;
                                									__eflags =  *_t30;
                                									 *(_t224 - 4) = 1;
                                									E0128AB80(_t205,  *_t30, 0, _t224 - 0x14, 0);
                                								}
                                								 *(_t224 - 4) =  *(_t224 - 4) | 0xffffffff;
                                								__eflags =  *(_t224 - 0x10) & 0x00000001;
                                								if(( *(_t224 - 0x10) & 0x00000001) != 0) {
                                									 *(_t224 - 0x10) =  *(_t224 - 0x10) & 0xfffffffe;
                                									__eflags =  *(_t224 - 0x14) + 0xfffffff0;
                                									L01271470( *(_t224 - 0x14) + 0xfffffff0, _t198);
                                								}
                                								 *(_t224 + 8) =  *(_t224 + 8) + 1;
                                								__eflags =  *(_t224 + 8) - _t172;
                                							} while ( *(_t224 + 8) < _t172);
                                						}
                                						goto L50;
                                					}
                                					if( *(_t223 + 4) == _t198) {
                                						L10:
                                						 *(_t223 + 0xc) = _t198;
                                						 *(_t223 + 8) = _t198;
                                						goto L52;
                                					}
                                					_t173 = 0;
                                					if( *(_t223 + 8) <= _t198) {
                                						L9:
                                						_push( *(_t223 + 4));
                                						_t124 = E01274782();
                                						 *(_t223 + 4) =  *(_t223 + 4) & 0x00000000;
                                						_t198 = 0;
                                						goto L10;
                                					}
                                					_t206 = 0;
                                					do {
                                						L01271470( *((intOrPtr*)( *(_t223 + 4) + _t206 + 4)) - 0x10, _t198);
                                						_t173 = _t173 + 1;
                                						_t206 = _t206 + 0xc;
                                					} while (_t173 <  *(_t223 + 8));
                                					goto L9;
                                				}
                                				L1:
                                				L01277AC9(_t174);
                                				goto L2;
                                			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 0128ABB6
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • _memset.LIBCMT ref: 0128AC4A
                                • _memset.LIBCMT ref: 0128ACE3
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                  • Part of subcall function 01277D0D: _memcpy_s.LIBCMT ref: 01277D1E
                                • _memset.LIBCMT ref: 0128AE11
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: _memset$Exception@8H_prolog3Throw_malloc_memcpy_s
                                • String ID:
                                • API String ID: 1779389629-0
                                • Opcode ID: 8dfad20486147f5bd7490b4a10d522a360521f990a6e9fe23e6827717ecf9846
                                • Instruction ID: 843b650285e79318bd1480577b19292a703e6ec1e17810a1269a21bab4b8a84e
                                • Opcode Fuzzy Hash: 8dfad20486147f5bd7490b4a10d522a360521f990a6e9fe23e6827717ecf9846
                                • Instruction Fuzzy Hash: 18A1E1729117079FCB14EF68C98466EBBB5FFA0314F25C92AD56A9B2D0DB30E640CB50
                                Uniqueness

                                Uniqueness Score: 4.01%

                                C-Code - Quality: 92%
                                			E012A81B6(int __ecx, int __edx, void* __eflags, intOrPtr _a4, RECT* _a8) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				struct tagRECT* _v28;
                                				struct tagRECT* _v32;
                                				struct tagRECT* _v36;
                                				void* _v40;
                                				struct tagRECT _v56;
                                				struct tagRECT _v72;
                                				int _v76;
                                				void _v80;
                                				int _v84;
                                				int _v88;
                                				intOrPtr _v92;
                                				char _v96;
                                				intOrPtr _v100;
                                				char _v104;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t96;
                                				void* _t117;
                                				long _t118;
                                				long _t123;
                                				int _t133;
                                				void* _t137;
                                				void* _t142;
                                				RECT* _t170;
                                				struct tagRECT* _t171;
                                				void* _t176;
                                				int _t178;
                                				signed int _t179;
                                
                                				_t166 = __edx;
                                				_t96 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t96 ^ _t179;
                                				_t133 = __ecx;
                                				_t170 = _a8;
                                				_v88 = __ecx;
                                				_t98 = E01282C5F(__ecx, __ecx, _t170, __eflags);
                                				_t171 = 0;
                                				if( *((intOrPtr*)(_t133 + 0x84)) != 0) {
                                					L33:
                                					return L01367D3E(_t98, _t133, _v8 ^ _t179, _t166, _t170, _t171);
                                				}
                                				_v24.left = 0;
                                				_v24.top = 0;
                                				_v24.right = 0;
                                				_v24.bottom = 0;
                                				GetWindowRect( *(_t133 + 0x20),  &_v24);
                                				CopyRect( &_v56, _t170);
                                				_v72.left = 0;
                                				_v72.top = 0;
                                				_v72.right = 0;
                                				_v72.bottom = 0;
                                				GetClientRect( *(_t133 + 0x20),  &_v72);
                                				if(_a4 == 1 || _a4 == 2) {
                                					_v76 = 1;
                                					_t98 = _v56.right - _v56.left;
                                					_t142 = _v24.right - _v24.left;
                                				} else {
                                					_t98 = _v56.bottom - _v56.top;
                                					_t142 = _v24.bottom - _v24.top;
                                					_v76 = 0;
                                				}
                                				_t185 = _t98 - _t142;
                                				if(_t98 == _t142) {
                                					goto L33;
                                				} else {
                                					_t98 = E012789CC(0x13d0280, E01282D31(_t133, _t142, _t166, _t170, _t171, _t185,  *((intOrPtr*)(_t133 + 0xc8))));
                                					_v84 = _t98;
                                					if(_t98 == _t171) {
                                						goto L33;
                                					} else {
                                						_v40 = _t171;
                                						_v36 = _t171;
                                						_v32 = _t171;
                                						_v28 = _t171;
                                						 *((intOrPtr*)( *_t133 + 0x1b8))( &_v40);
                                						_t176 = _v56.bottom -  *((intOrPtr*)(_t133 + 0xa0)) - _v56.top - _v28 - _v36;
                                						_t137 = _v56.right - _v56.left - _v32 - _v40;
                                						_t166 =  &_v104;
                                						 *((intOrPtr*)( *_v84 + 0x2a4))( &_v104, 0);
                                						if(_v76 != 0) {
                                							_t176 = _t137;
                                						}
                                						_t133 = _v84;
                                						 *((intOrPtr*)( *_t133 + 0x204))( &_v96, _t176, 0 | _v76 == 0x00000000);
                                						_t178 = _v92 - _v100;
                                						_t117 = _v96 - _v104;
                                						if(_t117 != 0) {
                                							__eflags = _a4 - 2;
                                							if(_a4 != 2) {
                                								_t170->left = _t170->right - _v24.right - _t117 + _v24.left;
                                							} else {
                                								_t170->right = _t170->left - _v24.left + _v24.right + _t117;
                                							}
                                							L19:
                                							__eflags = _t178;
                                							if(_t178 == 0) {
                                								__eflags = _a4 - 6;
                                								if(_a4 != 6) {
                                									_t118 = _v24.top;
                                									L29:
                                									_t170->top = _t118;
                                									L30:
                                									 *((intOrPtr*)( *_t133 + 0x20c))();
                                									_t171 = 0;
                                									_v80 = 0;
                                									_t98 = SystemParametersInfoW(0x26, 0,  &_v80, 0);
                                									__eflags = _v80;
                                									if(_v80 == 0) {
                                										_t98 = E012789AE(_t133, 0x139a818);
                                										__eflags = _t98;
                                										if(_t98 != 0) {
                                											_t166 = _t170->right - _t170->left;
                                											__eflags = _t170->right - _t170->left;
                                											_t98 = E01286A31(_v88, 0, _t170->left, _t170->top, _t170->right - _t170->left, _t170->bottom - _t170->top, 0x14);
                                										}
                                									}
                                									goto L33;
                                								}
                                								_t123 = _v24.bottom;
                                								L27:
                                								_t170->bottom = _t123;
                                								goto L30;
                                							}
                                							__eflags = _a4 - 6;
                                							if(_a4 == 6) {
                                								L24:
                                								_t123 = _t170->top - _v24.top + _v24.bottom + _t178;
                                								goto L27;
                                							}
                                							__eflags = _a4 - 2;
                                							if(_a4 == 2) {
                                								goto L24;
                                							}
                                							__eflags = _a4 - 1;
                                							if(_a4 == 1) {
                                								goto L24;
                                							}
                                							_t118 = _t170->bottom - _v24.bottom - _t178 + _v24.top;
                                							goto L29;
                                						}
                                						if(_t178 != 0 || E012789AE(_t133, 0x139a818) == 0) {
                                							__eflags = _a4 - 2;
                                							if(_a4 != 2) {
                                								_t170->left = _v24.left;
                                							} else {
                                								_t170->right = _v24.right;
                                							}
                                							goto L19;
                                						} else {
                                							_t171 =  &_v24;
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							asm("movsd");
                                							goto L33;
                                						}
                                					}
                                				}
                                			}

                                APIs
                                • GetWindowRect.USER32 ref: 012A81F9
                                • CopyRect.USER32(?,?), ref: 012A8204
                                • GetClientRect.USER32 ref: 012A821D
                                • SystemParametersInfoW.USER32 ref: 012A83B3
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$ExceptionFilterProcessUnhandledWindow$ClientCopyCurrentDebuggerInfoParametersPresentSystemTerminate
                                • String ID:
                                • API String ID: 112544114-0
                                • Opcode ID: bb03007223a808c85db91b430cd5981b36d323dd94d13dfe2e046dba899187cc
                                • Instruction ID: 25e4f3eebe6b798fa1369a9fc57c8fd513bac1534abb7aea9192084323c24e90
                                • Opcode Fuzzy Hash: bb03007223a808c85db91b430cd5981b36d323dd94d13dfe2e046dba899187cc
                                • Instruction Fuzzy Hash: CF811971D1021AEFCF14DFE8C9889AEBBB4FF08701F548169E915AB214DB70A945CF91
                                Uniqueness

                                Uniqueness Score: 1.69%

                                C-Code - Quality: 95%
                                			E012BA068(void* __ebx, void* __ecx, int _a4) {
                                				int _v8;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				int _t48;
                                				intOrPtr* _t51;
                                				intOrPtr* _t60;
                                				intOrPtr* _t65;
                                				intOrPtr* _t68;
                                				void* _t77;
                                				int _t78;
                                				intOrPtr* _t80;
                                				intOrPtr* _t86;
                                				intOrPtr* _t93;
                                				int _t99;
                                				void* _t103;
                                				void* _t107;
                                
                                				_t77 = __ebx;
                                				_push(__ecx);
                                				_t107 = __ecx;
                                				_t109 =  *((intOrPtr*)(__ecx + 0x34)) - 0xffffffff;
                                				if( *((intOrPtr*)(__ecx + 0x34)) == 0xffffffff) {
                                					L30:
                                					return _t48;
                                				}
                                				_push(_t103);
                                				_t48 = E012789CC(0x139d2fc,  *((intOrPtr*)(E012792EF(__ebx, _t103, __ecx, _t109) + 4)));
                                				_v8 = _t48;
                                				if(_t48 == 0) {
                                					L29:
                                					goto L30;
                                				} else {
                                					_t51 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t107 + 0x14)))) + 0x224))(0);
                                					if(_t51 == 0) {
                                						_t51 =  *((intOrPtr*)(_t107 + 0x14));
                                					}
                                					_t102 =  *_t51;
                                					 *((intOrPtr*)( *_t51 + 0x60))();
                                					_t86 =  *((intOrPtr*)(_t107 + 0x14));
                                					if(_t86 != 0) {
                                						 *((intOrPtr*)( *_t86 + 4))(1);
                                					}
                                					_push(_t77);
                                					_t78 = _a4;
                                					 *((intOrPtr*)(_t107 + 0x14)) = 0;
                                					 *((intOrPtr*)(_t107 + 0x18)) = 0;
                                					_a4 = E012789CC(0x1391888, _t78);
                                					E01286A31(_t78, 0,  *((intOrPtr*)(_t107 + 0x20)),  *((intOrPtr*)(_t107 + 0x24)),  *((intOrPtr*)(_t107 + 0x28)) -  *((intOrPtr*)(_t107 + 0x20)),  *((intOrPtr*)(_t107 + 0x2c)) -  *((intOrPtr*)(_t107 + 0x24)), 4);
                                					SendMessageW( *(_t78 + 0x20), 0xb, 0, 0);
                                					_t90 = _v8;
                                					 *((intOrPtr*)(_v8 + 0xb8)) = 0;
                                					if(_a4 == 0) {
                                						_t60 = E012789CC(0x1391eac, _t78);
                                						__eflags = _t60;
                                						if(_t60 != 0) {
                                							E012FA956(_v8, _t60,  *((intOrPtr*)(_t107 + 0x3c)));
                                						}
                                					} else {
                                						E012FA938(_t90, _a4,  *((intOrPtr*)(_t107 + 0x3c)));
                                					}
                                					SendMessageW( *(_t78 + 0x20), 0xb, 1, 0);
                                					RedrawWindow( *(_t78 + 0x20), 0, 0, 0x185);
                                					if( *((intOrPtr*)(_t107 + 0x1c)) != 0) {
                                						L20:
                                						_t93 = _a4;
                                						goto L21;
                                					} else {
                                						_t93 = _a4;
                                						if(_t93 == 0) {
                                							_t65 = E012789CC(0x1391eac, _t78);
                                							_v8 = _t65;
                                							__eflags = _t65;
                                							if(_t65 == 0) {
                                								L24:
                                								_t48 =  *(_t107 + 0x30);
                                								if(_t48 != 0) {
                                									_t48 =  *(_t48 + 0xfc);
                                									if(_t48 != 0) {
                                										_t48 = IsWindowVisible( *(_t48 + 0x20));
                                										if(_t48 != 0) {
                                											_t94 =  *(_t107 + 0x30);
                                											_t48 =  *( *(_t107 + 0x30) + 0xfc);
                                											if( *((intOrPtr*)(_t48 + 0x314)) != 0) {
                                												_t48 = L012C1498(_t94);
                                											}
                                										}
                                									}
                                								}
                                								goto L29;
                                							}
                                							_t80 =  *((intOrPtr*)(_t65 + 0x1d0));
                                							__eflags = _t80;
                                							if(_t80 == 0) {
                                								goto L24;
                                							}
                                							E012924FF(_t80, 1, 0, 0);
                                							_t68 =  *((intOrPtr*)( *_t80 + 0x16c))();
                                							__eflags = _t68;
                                							if(_t68 == 0) {
                                								goto L24;
                                							}
                                							_t99 = _v8;
                                							L19:
                                							E01286A6F(_t80, _t99, _t102);
                                							goto L20;
                                						}
                                						_t80 =  *((intOrPtr*)(_t93 + 0x3e8));
                                						if(_t80 == 0) {
                                							L21:
                                							if(_t93 != 0 &&  *((intOrPtr*)(_t93 + 0x2d48)) != 0) {
                                								 *((intOrPtr*)( *_t93 + 0x208))();
                                							}
                                							goto L24;
                                						}
                                						E012924FF(_t80, 1, 0, 0);
                                						if( *((intOrPtr*)( *_t80 + 0x16c))() == 0) {
                                							goto L20;
                                						}
                                						_t99 = _a4;
                                						goto L19;
                                					}
                                				}
                                			}





















                                APIs
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 012BA104
                                • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 012BA14A
                                • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 012BA15A
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A84
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286A93
                                  • Part of subcall function 01286A6F: GetParent.USER32(?), ref: 01286AA9
                                  • Part of subcall function 01286A6F: SetFocus.USER32 ref: 01286ABF
                                • IsWindowVisible.USER32(?), ref: 012BA1FF
                                  • Part of subcall function 012C1498: IsWindowVisible.USER32(?), ref: 012C14C7
                                  • Part of subcall function 012C1498: IsWindowVisible.USER32(?), ref: 012C14D6
                                  • Part of subcall function 012C1498: GetWindowRect.USER32 ref: 012C1528
                                  • Part of subcall function 012C1498: IsZoomed.USER32(?), ref: 012C1537
                                  • Part of subcall function 012C1498: SetWindowRgn.USER32(?,00000000,00000001), ref: 012C15A4
                                  • Part of subcall function 012C1498: _memset.LIBCMT ref: 012C15C4
                                  • Part of subcall function 012C1498: GetSystemMetrics.USER32 ref: 012C160E
                                  • Part of subcall function 012C1498: _memset.LIBCMT ref: 012C16DF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$ParentVisible$MessageSend_memset$FocusMetricsRectRedrawSystemZoomed
                                • String ID:
                                • API String ID: 1567790911-0
                                • Opcode ID: 4faec40e185c454ebeecc0667441d0b769deed748630659e0ae6bd29c61f1c66
                                • Instruction ID: 811ca4c6c386ef96036145b9c49fefe3a89a11c73a1ba22a98b5f83bc8679d89
                                • Opcode Fuzzy Hash: 4faec40e185c454ebeecc0667441d0b769deed748630659e0ae6bd29c61f1c66
                                • Instruction Fuzzy Hash: 7B519630220702EFDB259F29C8C8DAA7BB6FF84790B24456DF7469B651DB72E840CB10
                                Uniqueness

                                Uniqueness Score: 2.04%

                                C-Code - Quality: 95%
                                			E0127E841(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                				signed int _v8;
                                				signed int _v12;
                                				signed int _v16;
                                				intOrPtr _v20;
                                				signed int _v24;
                                				intOrPtr _v28;
                                				signed int _v32;
                                				intOrPtr _v36;
                                				intOrPtr* _v40;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* _t67;
                                				signed int _t68;
                                				signed int _t70;
                                				intOrPtr _t71;
                                				signed int _t74;
                                				intOrPtr _t75;
                                				intOrPtr _t83;
                                				intOrPtr* _t89;
                                				intOrPtr _t90;
                                				void* _t92;
                                				void* _t110;
                                				signed int _t112;
                                				intOrPtr _t113;
                                				intOrPtr _t115;
                                				signed int _t119;
                                				void* _t122;
                                				void* _t124;
                                
                                				_t89 = __ecx;
                                				_v40 = __ecx;
                                				if(_a4 == 0) {
                                					_v8 = 0;
                                				} else {
                                					_v8 = L01369A59(_a4);
                                				}
                                				if(_v8 != 0) {
                                					if(_a8 == 0) {
                                						_v16 = 0;
                                					} else {
                                						_v16 = L01369A59(_a8);
                                					}
                                					_v12 = 0;
                                					_t115 =  *_t89;
                                					_t110 = _t115 +  *(_t115 - 0xc) * 2;
                                					if(_t115 >= _t110) {
                                						L31:
                                						return _v12;
                                					} else {
                                						while(1) {
                                							L11:
                                							_t67 = L013692EB(_t115, _a4);
                                							if(_t67 == 0) {
                                								break;
                                							}
                                							_v12 = _v12 + 1;
                                							_t115 = _t67 + _v8 * 2;
                                						}
                                						if(_t115 == 0) {
                                							_t68 = 0;
                                						} else {
                                							_t68 = L01369A59(_t115);
                                						}
                                						_t115 = _t115 + 2 + _t68 * 2;
                                						if(_t115 < _t110) {
                                							goto L11;
                                						} else {
                                							if(_v12 <= 0) {
                                								goto L31;
                                							}
                                							_t112 =  *( *_t89 - 0xc);
                                							_t119 = (_v16 - _v8) * _v12 + _t112;
                                							_v24 = _t112;
                                							_v32 = _t119;
                                							_t70 = _t119;
                                							if(_t119 <= _t112) {
                                								_t70 = _t112;
                                							}
                                							_t71 = E01272610(_t89, _t89, _t112, _t70);
                                							_t113 = _t71 + _t112 * 2;
                                							_v28 = _t71;
                                							_t90 = _t71;
                                							_v36 = _t113;
                                							if(_t71 >= _t113) {
                                								L30:
                                								L01271540(_t90, _v40, _t113, _t119, _t119);
                                								goto L31;
                                							} else {
                                								while(1) {
                                									_t113 = L013692EB(_t90, _a4);
                                									if(_t113 == 0) {
                                										goto L26;
                                									}
                                									_t92 = _v16 + _v16;
                                									do {
                                										_t122 = _v24 - (_t113 - _v28 >> 1) - _v8;
                                										L0127DE03(_t92 + _t113, _t122 + _t122, _t113 + _v8 * 2, _t122 + _t122);
                                										L01277D0D(_t113, _t92, _a8, _t92);
                                										_v20 = _t92 + _t113;
                                										_t83 = _v16;
                                										_v24 = _v24 + _t83 - _v8;
                                										 *((short*)(_t113 + (_t122 + _t83) * 2)) = 0;
                                										_t113 = L013692EB(_v20, _a4);
                                										_t124 = _t124 + 0x28;
                                									} while (_t113 != 0);
                                									_t119 = _v32;
                                									_t90 = _v20;
                                									L26:
                                									if(_t90 == 0) {
                                										_t74 = 0;
                                									} else {
                                										_t74 = L01369A59(_t90);
                                									}
                                									_t59 = _t74 * 2; // 0x2
                                									_t75 = _t90 + _t59 + 2;
                                									_v20 = _t75;
                                									if(_t75 < _v36) {
                                										_t90 = _v20;
                                										continue;
                                									} else {
                                										goto L30;
                                									}
                                								}
                                							}
                                						}
                                					}
                                				} else {
                                					return 0;
                                				}
                                			}

































                                APIs
                                • _wcslen.LIBCMT ref: 0127E85A
                                • _wcslen.LIBCMT ref: 0127E87C
                                • _wcslen.LIBCMT ref: 0127E8BD
                                  • Part of subcall function 0127DE03: _memmove_s.LIBCMT ref: 0127DE14
                                  • Part of subcall function 01277D0D: _memcpy_s.LIBCMT ref: 01277D1E
                                • _wcslen.LIBCMT ref: 0127E992
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: _wcslen$_memcpy_s_memmove_s
                                • String ID:
                                • API String ID: 993104120-0
                                • Opcode ID: 3f53282a6a35975ddac98f3233a4608f758dcf5ee0b57a4aac990f03210be3b5
                                • Instruction ID: 968a1e7376e080dd0422e4dcab970e72ebd03eb3ea4f6979c9cc66c0fbbaff0d
                                • Opcode Fuzzy Hash: 3f53282a6a35975ddac98f3233a4608f758dcf5ee0b57a4aac990f03210be3b5
                                • Instruction Fuzzy Hash: E7516572D2021AEFCF11DFA8C9809EFB7B9FF58314B16459AD915B7214D730AA41CBA0
                                Uniqueness

                                Uniqueness Score: 0.09%

                                C-Code - Quality: 69%
                                			E012A2547(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t65;
                                				intOrPtr _t104;
                                				void* _t121;
                                				void* _t128;
                                
                                				_t121 = __edx;
                                				_push(0x2c);
                                				L0136966A(0x138100c, __ebx, __edi, __esi);
                                				_t104 =  *((intOrPtr*)(_t128 + 8));
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				_t127 = InflateRect;
                                				 *(_t128 - 0x24) =  *(_t128 + 0x14);
                                				InflateRect(_t128 - 0x20, 0xffffffff, 0);
                                				if( *((intOrPtr*)(_t128 + 0x30)) != 0 ||  *(_t128 + 0x34) != 0) {
                                					E012E04FF(_t104, _t128 + 0x18);
                                					InflateRect(_t128 - 0x20, 0xffffffff, 0xfffffffe);
                                				}
                                				_t132 =  *(_t128 - 0x24) - 0xffffffff;
                                				if( *(_t128 - 0x24) != 0xffffffff) {
                                					_push( *(_t128 - 0x24));
                                					E0127A3A8(_t104, _t128 - 0x28, _t121, 0, _t127, _t132);
                                					FillRect( *(_t104 + 4), _t128 - 0x20,  *(_t128 - 0x24));
                                					 *((intOrPtr*)(_t128 - 0x28)) = 0x138f578;
                                					E0127A27E(_t104, _t128 - 0x28, 0, _t127, _t132);
                                				}
                                				_t65 =  *0x13d6400; // 0xa0a0a0
                                				if( *(_t128 + 0x28) == 0 ||  *(_t128 + 0x2c) == 0) {
                                					_push(_t65);
                                					_push(1);
                                					_push(0);
                                					E0127A354(_t104, _t128 - 0x30, _t121, 0, _t127, __eflags);
                                					_t106 = _t104;
                                					 *(_t128 - 4) = 0;
                                					_t127 = E0127A1AA(_t104, _t128 - 0x30);
                                					__eflags = _t68;
                                					__eflags = _t68 == 0;
                                					if(_t68 == 0) {
                                						L01277AC9(_t106);
                                					}
                                					L01279B90(_t104, _t128 - 0x28,  *((intOrPtr*)(_t128 + 0x18)),  *((intOrPtr*)(_t128 + 0x1c)));
                                					L012795E0(_t104,  *((intOrPtr*)(_t128 + 0x18)),  *((intOrPtr*)(_t128 + 0x24)));
                                					L01279B90(_t104, _t128 - 0x28,  *((intOrPtr*)(_t128 + 0x20)) - 1,  *((intOrPtr*)(_t128 + 0x1c)));
                                					L012795E0(_t104,  *((intOrPtr*)(_t128 + 0x20)) - 1,  *((intOrPtr*)(_t128 + 0x24)));
                                					__eflags =  *(_t128 + 0x28);
                                					if( *(_t128 + 0x28) != 0) {
                                						L01279B90(_t104, _t128 - 0x28,  *((intOrPtr*)(_t128 + 0x18)),  *((intOrPtr*)(_t128 + 0x1c)));
                                						L012795E0(_t104,  *((intOrPtr*)(_t128 + 0x20)),  *((intOrPtr*)(_t128 + 0x1c)));
                                					}
                                					__eflags =  *(_t128 + 0x2c);
                                					if( *(_t128 + 0x2c) != 0) {
                                						L01279B90(_t104, _t128 - 0x38,  *((intOrPtr*)(_t128 + 0x18)),  *((intOrPtr*)(_t128 + 0x24)) - 1);
                                						_t91 =  *((intOrPtr*)(_t128 + 0x24)) - 1;
                                						__eflags =  *((intOrPtr*)(_t128 + 0x24)) - 1;
                                						L012795E0(_t104,  *((intOrPtr*)(_t128 + 0x20)), _t91);
                                					}
                                					E0127A1AA(_t104, _t127);
                                					_t49 = _t128 - 4;
                                					 *_t49 =  *(_t128 - 4) | 0xffffffff;
                                					__eflags =  *_t49;
                                					 *((intOrPtr*)(_t128 - 0x30)) = 0x138f598;
                                					E0127A27E(_t104, _t128 - 0x30, 0, _t127,  *_t49);
                                				} else {
                                					E0128A265(_t128 + 0x18, _t65, _t65);
                                				}
                                				if( *((intOrPtr*)(_t128 + 0x30)) == 0) {
                                					__eflags =  *(_t128 + 0x34);
                                					if( *(_t128 + 0x34) != 0) {
                                						_push( *0x13d643c);
                                						_push( *0x13d6438);
                                						goto L19;
                                					}
                                				} else {
                                					_push( *0x13d6438);
                                					_push( *0x13d643c);
                                					L19:
                                					_push(_t128 + 0x18);
                                					E0128A265();
                                				}
                                				return L013696ED(_t104, 0, _t127);
                                			}








                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012A254E
                                • InflateRect.USER32(?,000000FF,00000000), ref: 012A2575
                                  • Part of subcall function 012E04FF: FillRect.USER32(?,?), ref: 012E0513
                                • InflateRect.USER32(?,000000FF,000000FE), ref: 012A2593
                                • FillRect.USER32(?,?,000000FF), ref: 012A25B0
                                  • Part of subcall function 0127A354: __EH_prolog3.LIBCMT ref: 0127A35B
                                  • Part of subcall function 0127A354: CreatePen.GDI32(?,?,?), ref: 0127A37C
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,00000000), ref: 0127A1D0
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,?), ref: 0127A1E6
                                  • Part of subcall function 01279B90: MoveToEx.GDI32(?,?,?,?), ref: 01279BBA
                                  • Part of subcall function 01279B90: MoveToEx.GDI32(?,?,?,?), ref: 01279BCB
                                  • Part of subcall function 012795E0: MoveToEx.GDI32(?,?,?,00000000), ref: 012795FD
                                  • Part of subcall function 012795E0: LineTo.GDI32(?,?,?), ref: 0127960C
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 0127A3A8: __EH_prolog3.LIBCMT ref: 0127A3AF
                                  • Part of subcall function 0127A3A8: CreateSolidBrush.GDI32(?), ref: 0127A3CA
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Move$CreateFillH_prolog3InflateObjectSelect$BrushException@8H_prolog3_H_prolog3_catch_LineSolidThrow
                                • String ID:
                                • API String ID: 2564685684-0
                                • Opcode ID: a8d7d65e718a53dea4a6ad8a995fa6a9a04657aa2e10b6239cdec768f249a380
                                • Instruction ID: bfb5bc83204a2616a68c447bd5a33e3993a3b0ce8978f56431327ca5f3585a06
                                • Opcode Fuzzy Hash: a8d7d65e718a53dea4a6ad8a995fa6a9a04657aa2e10b6239cdec768f249a380
                                • Instruction Fuzzy Hash: BD516D7092021EEFDF11EFA8DC80CFE7BBAFF58368B441229F915A2154D6319955CB60
                                Uniqueness

                                Uniqueness Score: 3.53%

                                C-Code - Quality: 95%
                                			E012DC55D(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t32;
                                				void* _t34;
                                				void* _t36;
                                				void* _t38;
                                				intOrPtr _t41;
                                				intOrPtr* _t52;
                                				void* _t55;
                                				void* _t62;
                                				void* _t65;
                                				intOrPtr* _t73;
                                				void* _t81;
                                				void* _t97;
                                				intOrPtr* _t100;
                                				intOrPtr* _t102;
                                				void* _t104;
                                				void* _t105;
                                				void* _t106;
                                
                                				_t106 = __eflags;
                                				_t97 = __edx;
                                				_push(8);
                                				L01369601(0x1382ed4, __ebx, __edi, __esi);
                                				_t102 = __ecx;
                                				_t32 = E01282C5F(__ebx, __ecx, __edi, _t106);
                                				 *((intOrPtr*)(_t105 - 0x14)) = _t32;
                                				if(_t32 != 0) {
                                					_t73 = _t102;
                                					_t34 =  *((intOrPtr*)( *_t102 + 0x168))();
                                					__eflags = _t34;
                                					if(_t34 == 0) {
                                						_t36 =  *((intOrPtr*)( *_t102 + 0x224))(0);
                                						__eflags = _t36;
                                						if(_t36 == 0) {
                                							_t38 =  *((intOrPtr*)( *_t102 + 0x1d8))();
                                							__eflags = _t38;
                                							if(_t38 == 0) {
                                								 *((intOrPtr*)( *_t102 + 0x234))(0, 0, 0, 0, 0, 0x37, 0);
                                							} else {
                                								RedrawWindow( *( *((intOrPtr*)(_t102 + 0x31c)) + 0x20), 0, 0, 0x105);
                                								 *((intOrPtr*)( *_t102 + 0x234))(0, 0, 0, 0, 0, 0x37, 0);
                                								 *((intOrPtr*)( *_t102 + 0x264))(0);
                                							}
                                						} else {
                                							E01286A31(_t36, 0, 0, 0, 0, 0, 0x37);
                                						}
                                						L14:
                                						_t41 =  *((intOrPtr*)(_t105 - 0x14));
                                						goto L15;
                                					}
                                					_t71 = GetParent;
                                					_t52 = E012789CC(0x139c3ac, E01282D05(GetParent, _t73, _t97, GetParent( *(_t102 + 0x20))));
                                					_pop(_t81);
                                					_t100 = _t52;
                                					_t55 = E012789CC(0x13a32dc, E01282D05(GetParent, _t81, _t97, GetParent( *(_t100 + 0x20))));
                                					__eflags = _t55;
                                					if(_t55 != 0) {
                                						_t104 =  *((intOrPtr*)( *_t100 + 0x218))( *(_t102 + 0x20));
                                						E01272410(_t105 - 0x10, E0127859A());
                                						 *(_t105 - 4) =  *(_t105 - 4) & 0x00000000;
                                						__eflags = _t104;
                                						if(_t104 >= 0) {
                                							_t62 =  *((intOrPtr*)( *_t100 + 0x1a8))();
                                							__eflags = _t104 - _t62;
                                							if(_t104 < _t62) {
                                								 *((intOrPtr*)( *_t100 + 0x1b8))(_t104, _t105 - 0x10);
                                								_t65 = L0127B7DC(GetParent, _t105 - 0x10, _t100, _t104,  *((intOrPtr*)(_t105 + 0xc)));
                                								__eflags = _t65;
                                								if(_t65 != 0) {
                                									E01273740(_t71,  *((intOrPtr*)(_t105 + 0xc)));
                                									 *(_t105 - 4) = 1;
                                									 *((intOrPtr*)( *_t100 + 0x1bc))(_t104, _t105 + 0xc);
                                									__eflags =  *((intOrPtr*)(_t105 + 0xc)) + 0xfffffff0;
                                									L01271470( *((intOrPtr*)(_t105 + 0xc)) + 0xfffffff0, _t97);
                                								}
                                							}
                                						}
                                						L01271470( *((intOrPtr*)(_t105 - 0x10)) + 0xfffffff0, _t97);
                                					}
                                					goto L14;
                                				} else {
                                					_t41 = 0;
                                					L15:
                                					return L013696D9(_t41);
                                				}
                                			}





















                                APIs
                                • __EH_prolog3.LIBCMT ref: 012DC564
                                • GetParent.USER32(?), ref: 012DC59B
                                • GetParent.USER32(?), ref: 012DC5B5
                                • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 012DC697
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ParentWindow$H_prolog3Redraw
                                • String ID:
                                • API String ID: 3920142697-0
                                • Opcode ID: 836e816c0ccd1fea2f20bd77f48fa5f9651d8c9afd72c4900eac10b68fc6e866
                                • Instruction ID: 1c13f6e292240e2d10c5e2f05fa7dddeb61db480ae69bea93f9a7b250ae6555e
                                • Opcode Fuzzy Hash: 836e816c0ccd1fea2f20bd77f48fa5f9651d8c9afd72c4900eac10b68fc6e866
                                • Instruction Fuzzy Hash: 0B41A131221102EFDB15AB68C858EBEBBF9BFA4714F14055DF546972A0DF70AD10CBA0
                                Uniqueness

                                Uniqueness Score: 16.53%

                                C-Code - Quality: 93%
                                			E012860DC(void* __ebx, signed short __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                				signed short _t46;
                                				signed short _t47;
                                				long _t54;
                                				long _t60;
                                				signed short _t62;
                                				signed short _t63;
                                				signed short _t66;
                                				signed int _t70;
                                				void* _t79;
                                				int _t81;
                                				signed short _t82;
                                				int _t86;
                                				long _t87;
                                				void* _t88;
                                				void* _t89;
                                				void* _t102;
                                
                                				_t102 = __fp0;
                                				_t79 = __edx;
                                				_t67 = __ecx;
                                				_push(0x30);
                                				L01369601(0x137fc48, __ebx, __edi, __esi);
                                				_t66 = __ecx;
                                				_t81 = 0;
                                				_t91 =  *((intOrPtr*)(__ecx + 0x70));
                                				if( *((intOrPtr*)(__ecx + 0x70)) == 0) {
                                					_t62 = E01274753(_t91, 0x38);
                                					 *(_t88 - 0x18) = _t62;
                                					 *(_t88 - 4) = 0;
                                					_t92 = _t62;
                                					if(_t62 == 0) {
                                						_t63 = 0;
                                						__eflags = 0;
                                					} else {
                                						_push(_t66);
                                						_t63 = L012B38A6(_t66, _t62, 0, __esi, _t92);
                                					}
                                					 *(_t88 - 4) =  *(_t88 - 4) | 0xffffffff;
                                					_t67 = _t63;
                                					 *(_t66 + 0x70) = _t63;
                                					E012B408F(_t63, _t79, _t102);
                                				}
                                				_t86 =  *(_t88 + 8);
                                				 *(_t88 - 0x10) = 1;
                                				if(_t86 == _t81) {
                                					L27:
                                					L01283D28(_t66, _t67, _t79,  *(_t66 + 0x20), 0x364, _t81, _t81, _t81, _t81);
                                					L28:
                                					return L013696D9( *(_t88 - 0x10));
                                				} else {
                                					goto L6;
                                				}
                                				while(1) {
                                					L6:
                                					_t46 =  *_t86 & 0x0000ffff;
                                					if(_t46 == _t81) {
                                						break;
                                					}
                                					_t82 = _t46;
                                					_t47 =  *(_t86 + 2) & 0x0000ffff;
                                					 *(_t88 + 8) =  *(_t86 + 4);
                                					_t87 = _t86 + 8;
                                					 *(_t88 - 0x18) = _t82;
                                					if(_t47 == 0x1234) {
                                						L13:
                                						_t70 = 8;
                                						memset(_t88 - 0x38, 0, _t70 << 2);
                                						_t89 = _t89 + 0xc;
                                						 *(_t88 - 0x38) =  *(_t88 - 0x38) | 0xffffffff;
                                						 *(_t88 - 0x3c) = 1;
                                						E01273740(_t66, _t87);
                                						 *((intOrPtr*)(_t88 - 0x34)) =  *((intOrPtr*)(_t88 - 0x14));
                                						_t54 = SendDlgItemMessageW( *(_t66 + 0x20),  *(_t88 - 0x18) & 0x0000ffff, 0x40b, 0, _t88 - 0x3c);
                                						__eflags = _t54 - 0xffffffff;
                                						if(_t54 == 0xffffffff) {
                                							_t24 = _t88 - 0x10;
                                							 *_t24 =  *(_t88 - 0x10) & 0x00000000;
                                							__eflags =  *_t24;
                                						}
                                						_t67 =  *((intOrPtr*)(_t88 - 0x14)) + 0xfffffff0;
                                						L01271470( *((intOrPtr*)(_t88 - 0x14)) + 0xfffffff0, _t79);
                                						L25:
                                						_t86 = _t87 +  *(_t88 + 8);
                                						_t81 = 0;
                                						if( *(_t88 - 0x10) != 0) {
                                							continue;
                                						}
                                						break;
                                					}
                                					_t67 = 0x401;
                                					if(_t47 != 0x401) {
                                						__eflags = _t47 - 0x403;
                                						if(_t47 == 0x403) {
                                							_t47 = 0x143;
                                						}
                                						__eflags = _t47 - 0x40b;
                                						if(_t47 != 0x40b) {
                                							__eflags = _t47 - 0x37c;
                                							if(_t47 != 0x37c) {
                                								_t67 = 0x180;
                                								__eflags = _t47 - 0x180;
                                								if(_t47 == 0x180) {
                                									L23:
                                									if(SendDlgItemMessageA( *(_t66 + 0x20), _t82 & 0x0000ffff, _t47 & 0x0000ffff, 0, _t87) == 0xffffffff) {
                                										 *(_t88 - 0x10) =  *(_t88 - 0x10) & 0x00000000;
                                									}
                                									goto L25;
                                								}
                                								_t67 = 0x143;
                                								__eflags = _t47 - 0x143;
                                								if(_t47 != 0x143) {
                                									goto L25;
                                								}
                                								goto L23;
                                							}
                                							_t60 = SendDlgItemMessageW( *(_t66 + 0x20), _t82 & 0x0000ffff, 0x37c,  *(_t88 + 8), _t87);
                                							__eflags = _t60 - 0xffffffff;
                                							if(_t60 == 0xffffffff) {
                                								_t29 = _t88 - 0x10;
                                								 *_t29 =  *(_t88 - 0x10) & 0x00000000;
                                								__eflags =  *_t29;
                                							}
                                							_t67 =  *(_t66 + 0x70);
                                							__eflags =  *(_t66 + 0x70);
                                							if(__eflags != 0) {
                                								_push(_t87);
                                								_push( *(_t88 + 8));
                                								_push(_t82);
                                								L012B392E(_t66, _t67, _t79, _t82, _t87, __eflags);
                                							}
                                							goto L25;
                                						} else {
                                							goto L13;
                                						}
                                					}
                                					_t47 = 0x180;
                                					goto L23;
                                				}
                                				if( *(_t88 - 0x10) == _t81) {
                                					goto L28;
                                				}
                                				goto L27;
                                			}




















                                APIs
                                • __EH_prolog3.LIBCMT ref: 012860E3
                                  • Part of subcall function 012B408F: GetWindow.USER32(00000000,00000005), ref: 012B40CC
                                  • Part of subcall function 012B408F: GetClassNameW.USER32(?,?,00000400), ref: 012B40EB
                                  • Part of subcall function 012B408F: GetWindow.USER32(?,00000002), ref: 012B4134
                                  • Part of subcall function 012B38A6: __EH_prolog3.LIBCMT ref: 012B38AD
                                • SendDlgItemMessageW.USER32(?,?,0000040B,00000000,?), ref: 012861BB
                                • SendDlgItemMessageW.USER32(?,?,0000037C,?,?), ref: 012861ED
                                  • Part of subcall function 012B392E: __EH_prolog3.LIBCMT ref: 012B3935
                                  • Part of subcall function 012B392E: _memcpy_s.LIBCMT ref: 012B3976
                                • SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 0128622F
                                  • Part of subcall function 01283D28: GetTopWindow.USER32 ref: 01283D38
                                  • Part of subcall function 01283D28: SendMessageW.USER32(00000000,?,?,?), ref: 01283D6A
                                  • Part of subcall function 01283D28: GetTopWindow.USER32 ref: 01283D77
                                  • Part of subcall function 01283D28: GetWindow.USER32(00000000,00000002), ref: 01283D95
                                  • Part of subcall function 01274753: _malloc.LIBCMT ref: 01274771
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$MessageSend$H_prolog3Item$ClassName_malloc_memcpy_s
                                • String ID:
                                • API String ID: 4011848771-0
                                • Opcode ID: f3b1c12eabf7bd3aac4c3bb34861f49d88ca95d94bf6ff0181bc80ac67fc9bf0
                                • Instruction ID: 1303c3566785a460b5fa2c6830117e280de892f8345ec4fc007d5d67bbb00446
                                • Opcode Fuzzy Hash: f3b1c12eabf7bd3aac4c3bb34861f49d88ca95d94bf6ff0181bc80ac67fc9bf0
                                • Instruction Fuzzy Hash: B941D171921116ABDF25EFA8DC40BFE7AB5FF40324F504219FAA1A62DACB704A41C750
                                Uniqueness

                                Uniqueness Score: 1.25%

                                C-Code - Quality: 81%
                                			E012C25C3(intOrPtr* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t50;
                                				intOrPtr _t52;
                                				intOrPtr* _t53;
                                				intOrPtr _t55;
                                				int _t64;
                                				int _t66;
                                				signed int _t68;
                                				intOrPtr* _t96;
                                				intOrPtr _t105;
                                				void* _t111;
                                				struct tagRECT _t113;
                                				intOrPtr _t117;
                                				signed int _t119;
                                				void* _t120;
                                				void* _t121;
                                				intOrPtr _t125;
                                
                                				_t111 = __edx;
                                				_t90 = __ebx;
                                				_push(0x34);
                                				L0136966A(0x13821e1, __ebx, __edi, __esi);
                                				_t50 =  *((intOrPtr*)(_t120 + 8));
                                				_t116 = __ecx;
                                				_t113 = 0;
                                				_t125 = _t50;
                                				_t93 = 0 | _t125 == 0x00000000;
                                				 *((intOrPtr*)(_t120 - 0x28)) = __ecx;
                                				 *((intOrPtr*)(_t120 - 0x2c)) = _t50;
                                				if(_t125 == 0) {
                                					L01277AC9(_t93);
                                				}
                                				 *((intOrPtr*)(_t120 - 0x30)) = _t116 + 0x54;
                                				_t52 = L012BFD80( *((intOrPtr*)(_t116 + 4)),  *((intOrPtr*)(_t116 + 8)), _t116 + 0x54);
                                				 *((intOrPtr*)(_t120 - 0x24)) = _t52;
                                				if(_t52 != _t113) {
                                					_t53 = E01278939(_t90,  *((intOrPtr*)(_t116 + 0xf8)), _t113, _t116, __eflags);
                                					_t90 = _t53;
                                					_t55 =  *((intOrPtr*)( *_t90 + 0x320))( *((intOrPtr*)(_t116 + 0xb0)), 0x50402808,  *((intOrPtr*)(_t120 - 0x24)));
                                					_t96 = _t90;
                                					__eflags = _t55;
                                					if(_t55 != 0) {
                                						E012868D4(_t96,  *((intOrPtr*)(_t120 - 0x2c)));
                                						_t117 =  *_t90;
                                						 *((intOrPtr*)(_t117 + 0x1e0))( *((intOrPtr*)(_t117 + 0x1bc))() | 0x00000034);
                                						 *((intOrPtr*)( *_t90 + 0x1e8))(0xf000);
                                						 *(_t120 - 0x20) = _t113;
                                						 *(_t120 - 0x1c) = _t113;
                                						 *(_t120 - 0x18) = _t113;
                                						 *(_t120 - 0x14) = _t113;
                                						GetWindowRect( *(_t90 + 0x20), _t120 - 0x20);
                                						_t64 = GetSystemMetrics(0x10);
                                						asm("cdq");
                                						_t119 = _t64 - _t111 >> 1;
                                						_t66 = GetSystemMetrics(0x11);
                                						asm("cdq");
                                						 *((intOrPtr*)(_t120 - 0x38)) =  *(_t120 - 0x18) -  *(_t120 - 0x20) + _t119;
                                						_t68 = _t66 - _t111 >> 1;
                                						 *(_t120 - 0x40) = _t119;
                                						 *(_t120 - 0x3c) = _t68;
                                						_t105 =  *(_t120 - 0x14) -  *(_t120 - 0x1c) + _t68;
                                						__eflags = _t105;
                                						 *((intOrPtr*)(_t120 - 0x34)) = _t105;
                                						_t113 = _t121 - 0x10;
                                						_t116 = _t120 - 0x40;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						 *((intOrPtr*)( *_t90 + 0x1f8))(0, 1);
                                						 *((intOrPtr*)(_t90 + 0x12c)) = 0x7fff;
                                						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t120 - 0x28)) + 0xb0)))) + 0x174))(1);
                                						L01289F0E( *((intOrPtr*)(_t120 - 0x30)), _t105, _t90);
                                					} else {
                                						 *((intOrPtr*)( *_t90 + 4))(1);
                                						goto L4;
                                					}
                                				} else {
                                					E01272410(_t120 - 0x24, E0127859A());
                                					 *(_t120 - 4) = _t113;
                                					_push( *((intOrPtr*)( *((intOrPtr*)(_t120 - 0x24)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t120 - 0x24)) + 4)) + 1);
                                					_push(0x3f73);
                                					_push(_t120 - 0x24);
                                					L0129BB91(_t90, _t111, _t113, _t116,  *((intOrPtr*)( *((intOrPtr*)(_t120 - 0x24)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t120 - 0x24)) + 4)) + 1);
                                					_t116 =  *((intOrPtr*)(_t120 - 0x24));
                                					L01277911(_t90, _t113,  *((intOrPtr*)(_t120 - 0x24)),  *((intOrPtr*)( *((intOrPtr*)(_t120 - 0x24)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t120 - 0x24)) + 4)) + 1,  *((intOrPtr*)(_t120 - 0x24)), 0x40, _t113);
                                					L01271470(_t116 - 0x10, _t111);
                                					L4:
                                				}
                                				return L013696ED(_t90, _t113, _t116);
                                			}




















                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012C25CA
                                • GetSystemMetrics.USER32 ref: 012C26D7
                                  • Part of subcall function 0129BB91: __EH_prolog3.LIBCMT ref: 0129BB98
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                  • Part of subcall function 01278939: __EH_prolog3_catch.LIBCMT ref: 01278940
                                  • Part of subcall function 012868D4: IsWindow.USER32(?), ref: 012868E8
                                  • Part of subcall function 012868D4: SetWindowTextW.USER32 ref: 01286910
                                • GetWindowRect.USER32 ref: 012C26BE
                                • GetSystemMetrics.USER32 ref: 012C26CC
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$MetricsSystem$Exception@8H_prolog3H_prolog3_H_prolog3_catchRectTextThrow
                                • String ID:
                                • API String ID: 318980517-0
                                • Opcode ID: 43bda9513da824be79011b9cb6595c07a06907380d3e0b7771b3052b38ddde6c
                                • Instruction ID: 9eba86f0ff973450d4bd20049a37c70a25f3f43a34f57b95cfb2b5a57a7877ac
                                • Opcode Fuzzy Hash: 43bda9513da824be79011b9cb6595c07a06907380d3e0b7771b3052b38ddde6c
                                • Instruction Fuzzy Hash: FF414971A10216DFCF14EFA8CC99AEEBBB5FF58300F144569E906AB295CB70A904CB50
                                Uniqueness

                                Uniqueness Score: 2.48%

                                C-Code - Quality: 49%
                                			E0127CBB6(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				signed int _t55;
                                				intOrPtr* _t109;
                                				void* _t112;
                                				void* _t113;
                                				void* _t114;
                                				void* _t115;
                                
                                				_t115 = __eflags;
                                				_t107 = __edx;
                                				L0136966A(0x137f2cd, __ebx, __edi, __esi);
                                				_t109 = __ecx;
                                				 *((intOrPtr*)(_t112 - 0x43c)) = 0;
                                				 *((intOrPtr*)(_t112 - 0x448)) = E01276892( *((intOrPtr*)(E012792EF(__ebx, __ecx, 0, _t115) + 4)), 0);
                                				 *((intOrPtr*)(_t112 - 0x444)) = 0;
                                				 *((intOrPtr*)(_t112 - 0x440)) = 0;
                                				 *((intOrPtr*)(_t112 - 4)) = 0;
                                				 *(_t112 - 0x438) = 0;
                                				 *((intOrPtr*)(_t112 - 0x434)) = 0;
                                				 *((intOrPtr*)(_t112 - 0x430)) = 0;
                                				 *((char*)(_t112 - 4)) = 1;
                                				_t55 = L0127B6E1(_t112 - 0x438,  *((intOrPtr*)(_t112 - 0x448)),  *((intOrPtr*)( *((intOrPtr*)( *_t109 + 0x20))(_t112 - 0x424, 0x43c))), 0x2001f);
                                				asm("sbb bl, bl");
                                				L01271470( *((intOrPtr*)(_t112 - 0x424)) + 0xfffffff0, __edx);
                                				_t87 =  ~_t55 + 1;
                                				if( ~_t55 + 1 != 0) {
                                					 *((short*)(_t112 - 0x218)) = 0;
                                					 *((intOrPtr*)(_t112 - 0x424)) = 0;
                                					L01367D50(_t112 - 0x216, 0, 0x206);
                                					_t114 = _t113 + 0xc;
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(_t112 - 0x42c);
                                					_t87 = 0x104;
                                					_push(_t112 - 0x218);
                                					 *((intOrPtr*)(_t112 - 0x42c)) = 0x104;
                                					_push(0);
                                					while(RegEnumValueW( *(_t112 - 0x438), ??, ??, ??, ??, ??, ??, ??) == 0) {
                                						 *((intOrPtr*)(_t112 - 0x424)) =  *((intOrPtr*)(_t112 - 0x424)) + 1;
                                						 *((short*)(_t112 - 0x420)) = 0;
                                						 *((intOrPtr*)(_t112 - 0x42c)) = _t87;
                                						L01367D50(_t112 - 0x41e, 0, 0x206);
                                						_t114 = _t114 + 0xc;
                                						 *((intOrPtr*)(_t112 - 0x428)) = _t87;
                                						__eflags = L0127B732(_t112 - 0x438, _t112 - 0x218, _t112 - 0x420, _t112 - 0x428);
                                						if(__eflags == 0) {
                                							E0127CB52(_t87, _t109 + 4, _t109, __eflags, _t112 - 0x218);
                                							E01272AA0(_t109, _t112 - 0x420);
                                							 *((intOrPtr*)(_t112 - 0x43c)) = 1;
                                						}
                                						_push(0);
                                						_push(0);
                                						_push(0);
                                						_push(0);
                                						_push(_t112 - 0x42c);
                                						_push(_t112 - 0x218);
                                						_push( *((intOrPtr*)(_t112 - 0x424)));
                                					}
                                					E01276875(_t112 - 0x438);
                                					L0127B605(_t112 - 0x448,  *((intOrPtr*)( *((intOrPtr*)( *_t109 + 0x20))(_t112 - 0x428))));
                                					L01271470( *((intOrPtr*)(_t112 - 0x428)) + 0xfffffff0, _t107);
                                				}
                                				E01276875(_t112 - 0x438);
                                				E01276875(_t112 - 0x448);
                                				return L013696ED(_t87, _t109, 0);
                                			}










                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0127CBC0
                                  • Part of subcall function 01276892: RegOpenKeyExW.ADVAPI32 ref: 012768CD
                                  • Part of subcall function 01276892: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 012768F8
                                  • Part of subcall function 01276892: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 01276923
                                  • Part of subcall function 01276892: RegCloseKey.ADVAPI32(?), ref: 01276937
                                  • Part of subcall function 01276892: RegCloseKey.ADVAPI32(?), ref: 01276941
                                  • Part of subcall function 0127B6E1: RegOpenKeyExW.ADVAPI32 ref: 0127B70D
                                • _memset.LIBCMT ref: 0127CC67
                                • _memset.LIBCMT ref: 0127CCB4
                                  • Part of subcall function 0127B732: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0127B75A
                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0127CD2B
                                  • Part of subcall function 0127B605: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0127B62E
                                  • Part of subcall function 0127B605: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0127B63E
                                  • Part of subcall function 0127B605: RegDeleteKeyW.ADVAPI32(?,?), ref: 0127B66C
                                  • Part of subcall function 01276875: RegCloseKey.ADVAPI32 ref: 01276883
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Close$CreateOpenValue_memset$AddressDeleteEnumH_prolog3_HandleModuleProcQuery
                                • String ID:
                                • API String ID: 3120914085-0
                                • Opcode ID: f6c73c28b25e37332bca6fdf65b388332ac469763296e402ef2a9fde6dcd50e2
                                • Instruction ID: 5190302d45b10aa70c54302e5fee9eafbdb3bfb19d8f1710e38e2ca8705cfd9d
                                • Opcode Fuzzy Hash: f6c73c28b25e37332bca6fdf65b388332ac469763296e402ef2a9fde6dcd50e2
                                • Instruction Fuzzy Hash: 6241FBF19111299BDB64DB64CC94BEEBBBCEF18214F4001DAF609A3151DB309B94CFA9
                                Uniqueness

                                Uniqueness Score: 10.55%

                                C-Code - Quality: 98%
                                			E012BA3BE(void* __ecx) {
                                				intOrPtr _v8;
                                				char _v16;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t66;
                                				void* _t77;
                                				intOrPtr _t80;
                                				void* _t96;
                                				intOrPtr _t97;
                                				intOrPtr _t98;
                                				intOrPtr _t99;
                                
                                				_t96 = __ecx;
                                				_t97 =  *0x13d6568; // 0x0
                                				if(_t97 != 0) {
                                					 *0x13d97bc = 0;
                                				}
                                				 *((intOrPtr*)(_t96 + 0xea8)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x128)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x12c)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x130)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x134)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x148)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x120)) = 1;
                                				 *((intOrPtr*)(_t96 + 0xeac)) = 1;
                                				 *((intOrPtr*)(_t96 + 0x138)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x13c)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xed8)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xedc)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xec4)) = 0;
                                				_t66 = L01293699(0);
                                				asm("sbb eax, eax");
                                				 *(_t96 + 0xf20) =  *(_t96 + 0xf20) | 0xffffffff;
                                				 *(_t96 + 0xec8) =  *(_t96 + 0xec8) | 0xffffffff;
                                				 *((intOrPtr*)(_t96 + 0xee8)) =  ~_t66 + 1;
                                				 *((intOrPtr*)(_t96 + 0xeec)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xef0)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xef4)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xec0)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xebc)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xecc)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xed4)) = 0;
                                				SetRectEmpty(_t96 + 0xef8);
                                				SetRectEmpty(_t96 + 0xf08);
                                				_v8 =  *((intOrPtr*)( *((intOrPtr*)(E0128C2A4(1, 0, _t96, _t97))) + 0x2e8))() + _t74;
                                				_t77 = L012A5655( &_v16, 1,  &_v16);
                                				 *((intOrPtr*)(_t96 + 0xf18)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xf1c)) =  *((intOrPtr*)(_t77 + 4)) + _v8;
                                				 *((intOrPtr*)(_t96 + 0xee0)) = 1;
                                				 *((intOrPtr*)(_t96 + 0xee4)) = 1;
                                				_t98 =  *0x13d0d40; // 0x1
                                				if(_t98 == 0) {
                                					L6:
                                					_t80 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t99 =  *0x13d83d4; // 0x0
                                					if(_t99 != 0) {
                                						goto L6;
                                					} else {
                                						_t100 =  *0x13d6594 - 8;
                                						if( *0x13d6594 <= 8) {
                                							goto L6;
                                						} else {
                                							_t80 =  *((intOrPtr*)(E0128C2A4(1, 0, _t96, _t100) + 0x98));
                                						}
                                					}
                                				}
                                				 *((intOrPtr*)(_t96 + 0xfc0)) = _t80;
                                				 *((intOrPtr*)(_t96 + 0xf24)) = 0;
                                				if(L01293699(0) == 3 &&  *0x13d6594 <= 8) {
                                					 *0x13d97bc = 0;
                                					 *((intOrPtr*)(_t96 + 0xee8)) = 1;
                                				}
                                				 *((intOrPtr*)(_t96 + 0xfd8)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xfdc)) = 0;
                                				SetRectEmpty(_t96 + 0xfe0);
                                				 *((intOrPtr*)(_t96 + 0x1090)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xea4)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x124)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xeb0)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xeb8)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x10b0)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x10b8)) = 2;
                                				 *((intOrPtr*)(_t96 + 0x10b4)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x10bc)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x10c0)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xed0)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x108c)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x1094)) = 0;
                                				SetRectEmpty(_t96 + 0x10a0);
                                				 *((intOrPtr*)(_t96 + 0x1080)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x1084)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x1088)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x109c)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xeb4)) = 0;
                                				 *((intOrPtr*)(_t96 + 0xfd4)) = 0;
                                				 *((intOrPtr*)(_t96 + 0x1098)) = 0;
                                				return 0;
                                			}


                                APIs
                                • SetRectEmpty.USER32 ref: 012BA47E
                                • SetRectEmpty.USER32 ref: 012BA48B
                                  • Part of subcall function 0128C2A4: __EH_prolog3.LIBCMT ref: 0128C2AB
                                • SetRectEmpty.USER32 ref: 012BA539
                                • SetRectEmpty.USER32 ref: 012BA596
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: EmptyRect$H_prolog3
                                • String ID:
                                • API String ID: 3752103406-0
                                • Opcode ID: 1e94598693e52db69666d0f1d11321882f9b7a9315ff9967cf01ed55300736d7
                                • Instruction ID: a2aa348f35d38f1c6102293a9c1ff4a0e1dc9b848aaa67e42062d66085acbe3b
                                • Opcode Fuzzy Hash: 1e94598693e52db69666d0f1d11321882f9b7a9315ff9967cf01ed55300736d7
                                • Instruction Fuzzy Hash: 51519BB1815B858EC360DF3AD5846E6FAE8FFA4304F144A2FD0AED2265DBB06481CF10
                                Uniqueness

                                Uniqueness Score: 0.80%

                                C-Code - Quality: 87%
                                			E012D4272(void* __ebx, void* __ecx, void* __edi, int _a4, int _a8, int _a12, int _a16, intOrPtr _a20, intOrPtr _a24) {
                                				int _v8;
                                				long _v12;
                                				intOrPtr _v32;
                                				void* __ebp;
                                				int _t81;
                                				long _t82;
                                				signed int _t87;
                                				signed int _t92;
                                				intOrPtr _t94;
                                				void* _t101;
                                				void* _t112;
                                				int _t115;
                                				void* _t119;
                                				intOrPtr _t120;
                                				struct HWND__* _t123;
                                				long _t128;
                                				intOrPtr* _t129;
                                				intOrPtr _t130;
                                				intOrPtr _t134;
                                				intOrPtr* _t144;
                                				struct HWND__* _t145;
                                				void* _t148;
                                				long _t150;
                                				intOrPtr* _t152;
                                				long _t154;
                                				void* _t156;
                                				void* _t160;
                                
                                				_t156 = _t160;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t148 = __ecx;
                                				_t81 =  *(__ecx + 0x27ec);
                                				_v8 = 1;
                                				if(_t81 == 0) {
                                					L29:
                                					return _t81;
                                				} else {
                                					while(1) {
                                						_t123 =  *(_t81 + 8);
                                						_t128 =  *_t81;
                                						_v12 = _t128;
                                						if(_t123 == 0) {
                                							break;
                                						}
                                						if( *((intOrPtr*)(_t148 + 0x21c)) == 0 ||  *((intOrPtr*)(_t148 + 0x240)) != 0) {
                                							_t112 = 0;
                                							__eflags = 0;
                                						} else {
                                							_t112 = 1;
                                						}
                                						if(_a20 != 0) {
                                							L26:
                                							SetWindowPos(_t123, 0, 0, 0, 0, 0, 0x14);
                                						} else {
                                							if(_t112 != 0) {
                                								L14:
                                								if( *((intOrPtr*)(_t148 + 0x244)) == 0 || _v8 == 0) {
                                									_t115 = _a4;
                                									if( *((intOrPtr*)(_t148 + 0x208)) != 0 ||  *((intOrPtr*)(_t148 + 0x20c)) != 0 ||  *((intOrPtr*)(_t148 + 0x210)) != 0) {
                                										if(_v8 != 0) {
                                											_t115 =  *((intOrPtr*)(_t148 + 0x290)) - _a12 - 1;
                                										}
                                									}
                                									SetWindowPos(_t123, 0, _t115, _a8, _a12, _a16, 0x14);
                                									if( *((intOrPtr*)(_t148 + 0x208)) != 0 ||  *((intOrPtr*)(_t148 + 0x20c)) != 0 ||  *((intOrPtr*)(_t148 + 0x210)) != 0) {
                                										if(_v8 == 0) {
                                											goto L25;
                                										}
                                									} else {
                                										L25:
                                										_a4 = _a4 + _a12 + _a24;
                                									}
                                								} else {
                                									goto L26;
                                								}
                                							} else {
                                								_t119 = _t148 + 0x2094;
                                								if(_t119 != 0) {
                                									_t120 =  *((intOrPtr*)(_t119 + 0x20));
                                								} else {
                                									_t120 = 0;
                                								}
                                								if(_t123 == _t120) {
                                									goto L26;
                                								} else {
                                									goto L14;
                                								}
                                							}
                                						}
                                						InvalidateRect(_t123, 0, 1);
                                						_t81 = UpdateWindow(_t123);
                                						_v8 = 0;
                                						if(_v12 != 0) {
                                							_t81 = _v12;
                                							continue;
                                						} else {
                                							goto L29;
                                						}
                                						goto L71;
                                					}
                                					_t82 = L01277AC9(_t128);
                                					asm("int3");
                                					_push(_t123);
                                					_push(_t148);
                                					_t150 = _t128;
                                					__eflags = _t150;
                                					if(_t150 == 0) {
                                						L64:
                                						return _t82;
                                					} else {
                                						__eflags =  *(_t150 + 0x20);
                                						if( *(_t150 + 0x20) == 0) {
                                							goto L64;
                                						} else {
                                							__eflags =  *(_t150 + 0x218);
                                							if( *(_t150 + 0x218) == 0) {
                                								goto L64;
                                							} else {
                                								__eflags =  *(_t150 + 0x204);
                                								if( *(_t150 + 0x204) != 0) {
                                									goto L64;
                                								} else {
                                									_push(0);
                                									__eflags =  *(_t150 + 0x208);
                                									if( *(_t150 + 0x208) != 0) {
                                										L40:
                                										_t129 = _t150 + 0x354;
                                										__eflags =  *(_t150 + 0x90);
                                										if( *(_t150 + 0x90) != 0) {
                                											__eflags =  *(_t150 + 0x264);
                                											E012869E1(_t129, 0 |  *(_t150 + 0x264) > 0x00000000);
                                											_t87 =  *(_t150 + 0x90) - 1;
                                											__eflags = _t87;
                                											if(_t87 < 0) {
                                												goto L65;
                                											} else {
                                												__eflags = _t87 -  *(_t150 + 0x90);
                                												if(_t87 >=  *(_t150 + 0x90)) {
                                													goto L65;
                                												} else {
                                													__eflags =  *(_t150 + 0x244);
                                													if( *(_t150 + 0x244) != 0) {
                                														goto L49;
                                													} else {
                                														_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t150 + 0x8c)) + _t87 * 4));
                                														__eflags =  *((intOrPtr*)(_t134 + 0x18)) -  *((intOrPtr*)(_t150 + 0x298));
                                														if( *((intOrPtr*)(_t134 + 0x18)) <=  *((intOrPtr*)(_t150 + 0x298))) {
                                															goto L48;
                                														} else {
                                															__eflags =  *(_t150 + 0x264) - _t87;
                                															goto L47;
                                														}
                                													}
                                													goto L50;
                                												}
                                											}
                                										} else {
                                											E012869E1(_t129, 0);
                                											_push(0);
                                											goto L51;
                                										}
                                									} else {
                                										__eflags =  *(_t150 + 0x20c);
                                										if( *(_t150 + 0x20c) != 0) {
                                											goto L40;
                                										} else {
                                											__eflags =  *(_t150 + 0x210);
                                											if( *(_t150 + 0x210) != 0) {
                                												goto L40;
                                											} else {
                                												__eflags =  *(_t150 + 0x258);
                                												E012869E1(_t150 + 0x354, 0 |  *(_t150 + 0x258) > 0x00000000);
                                												__eflags =  *(_t150 + 0x244);
                                												if( *(_t150 + 0x244) != 0) {
                                													L49:
                                													_t101 = 1;
                                													__eflags = 1;
                                												} else {
                                													__eflags =  *(_t150 + 0x258) -  *((intOrPtr*)(_t150 + 0x25c));
                                													L47:
                                													if(__eflags < 0) {
                                														goto L49;
                                													} else {
                                														L48:
                                														_t101 = 0;
                                													}
                                												}
                                												L50:
                                												_push(_t101);
                                												L51:
                                												_t144 = _t150 + 0xaa4;
                                												_t129 = _t144;
                                												_t82 = E012869E1(_t129);
                                												__eflags =  *(_t150 + 0x244);
                                												if( *(_t150 + 0x244) != 0) {
                                													__eflags =  *(_t150 + 0x208);
                                													if( *(_t150 + 0x208) != 0) {
                                														L56:
                                														__eflags = 0;
                                													} else {
                                														__eflags =  *(_t150 + 0x20c);
                                														if( *(_t150 + 0x20c) != 0) {
                                															goto L56;
                                														} else {
                                															__eflags =  *(_t150 + 0x210);
                                															if( *(_t150 + 0x210) != 0) {
                                																goto L56;
                                															} else {
                                																_push(4);
                                																_pop(0);
                                															}
                                														}
                                													}
                                													asm("sbb eax, eax");
                                													__eflags = ( ~( *(_t150 + 0x248)) & 0x00000014) + 0xd;
                                													_t129 = _t144;
                                													_t82 = E0133C5EE(_t129, ( ~( *(_t150 + 0x248)) & 0x00000014) + 0xd, 0, 0xd);
                                												}
                                												_t154 =  *(_t150 + 0x27ec);
                                												while(1) {
                                													__eflags = _t154;
                                													if(_t154 == 0) {
                                														break;
                                													}
                                													_t145 =  *(_t154 + 8);
                                													_t150 =  *_t154;
                                													__eflags = _t145;
                                													if(_t145 == 0) {
                                														L65:
                                														L01277AC9(_t129);
                                														asm("int3");
                                														_push(_t156);
                                														_push(_t150);
                                														_t152 = _t129;
                                														_t130 = _v32;
                                														__eflags = _t130 - 1;
                                														 *(_t152 + 0x204) = 0 | _t130 == 0x00000001;
                                														__eflags = _t130 - 4;
                                														_t92 = 0 | _t130 == 0x00000004;
                                														__eflags = _t130 - 5;
                                														 *(_t152 + 0x208) = _t92;
                                														 *(_t152 + 0x7c) = _t92;
                                														 *(_t152 + 0x20c) = 0 | _t130 == 0x00000005;
                                														__eflags = _t130 - 6;
                                														if(_t130 == 6) {
                                															L69:
                                															_t94 = 1;
                                															__eflags = 1;
                                														} else {
                                															__eflags = _t130 - 7;
                                															if(_t130 == 7) {
                                																goto L69;
                                															} else {
                                																_t94 = 0;
                                															}
                                														}
                                														 *((intOrPtr*)(_t152 + 0x210)) = _t94;
                                														E012D2BE2(0, _t152);
                                														 *((intOrPtr*)( *_t152 + 0x174))();
                                														__eflags = 1;
                                														return 1;
                                													} else {
                                														_t82 = IsWindowEnabled(_t145);
                                														__eflags = _t82;
                                														if(_t82 == 0) {
                                															_t82 = SendMessageW(_t145, 0x1f, 0, 0);
                                														}
                                														continue;
                                													}
                                													goto L71;
                                												}
                                												goto L64;
                                											}
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				L71:
                                			}

                                0x012d44b8
                                0x012d44bc
                                0x012d44be
                                0x012d44be
                                0x012d44c3
                                0x012d44ea
                                0x012d44ea
                                0x012d44ec
                                0x00000000
                                0x00000000
                                0x012d44cb
                                0x012d44ce
                                0x012d44d0
                                0x012d44d2
                                0x012d44f2
                                0x012d44f2
                                0x012d44f7
                                0x012d44fa
                                0x012d44ff
                                0x012d4500
                                0x012d4502
                                0x012d4505
                                0x012d450b
                                0x012d4513
                                0x012d4516
                                0x012d451b
                                0x012d4521
                                0x012d4527
                                0x012d452a
                                0x012d4530
                                0x012d4533
                                0x012d453e
                                0x012d4540
                                0x012d4540
                                0x012d4535
                                0x012d4535
                                0x012d4538
                                0x00000000
                                0x012d453a
                                0x012d453a
                                0x012d453a
                                0x012d4538
                                0x012d4543
                                0x012d4549
                                0x012d4552
                                0x012d455a
                                0x012d455d
                                0x012d44d4
                                0x012d44d5
                                0x012d44db
                                0x012d44dd
                                0x012d44e4
                                0x012d44e4
                                0x00000000
                                0x012d44dd
                                0x00000000
                                0x012d44d2
                                0x00000000
                                0x012d44ee
                                0x012d43d6
                                0x012d43ce
                                0x012d43c6
                                0x012d43b9
                                0x012d43ad
                                0x012d43a1
                                0x012d4398
                                0x00000000

                                APIs
                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 012D4328
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000014), ref: 012D435E
                                • InvalidateRect.USER32(?,00000000,00000001), ref: 012D4368
                                • UpdateWindow.USER32 ref: 012D436F
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Exception@8InvalidateRectThrowUpdate
                                • String ID:
                                • API String ID: 3922475170-0
                                • Opcode ID: 14b5346e43129e081307180dd13bba45f2341d126ada430609b0d80de241b3eb
                                • Instruction ID: 9b28ba08bb590d8943ed3f89c959004ae57391a89967463451f57a8ebd73e7da
                                • Opcode Fuzzy Hash: 14b5346e43129e081307180dd13bba45f2341d126ada430609b0d80de241b3eb
                                • Instruction Fuzzy Hash: 3831A630560786EFDF72EF6CC8889EABBF9FB84311F34451AE66A92501D7709580CB50
                                Uniqueness

                                Uniqueness Score: 10.55%

                                C-Code - Quality: 90%
                                			E012B2927(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t30;
                                				struct HWND__* _t33;
                                				char* _t34;
                                				struct HWND__* _t56;
                                				void* _t62;
                                				struct HWND__** _t66;
                                				void* _t67;
                                				struct HWND__** _t71;
                                				intOrPtr _t73;
                                
                                				_t62 = __edx;
                                				_push(0x20c);
                                				L0136966A(0x1381960, __ebx, __edi, __esi);
                                				_t66 =  *(_t67 + 0xc);
                                				_t30 =  *((intOrPtr*)(_t67 + 0x10));
                                				_t71 = _t66;
                                				_t53 = 0 | _t71 == 0x00000000;
                                				 *((intOrPtr*)(_t67 - 0x218)) = _t30;
                                				if(_t71 == 0) {
                                					L1:
                                					_t30 = L01277AC9(_t53);
                                				}
                                				_t73 = _t30;
                                				_t53 = 0 | _t73 != 0x00000000;
                                				if(_t73 != 0) {
                                					goto L1;
                                				}
                                				E01272410(_t67 - 0x214, E0127859A());
                                				_t56 = _t66[2];
                                				_t33 = _t66[1];
                                				 *((intOrPtr*)(_t67 - 4)) = 0;
                                				if(_t56 != 0xfffffdf8 || (_t66[0x19] & 0x00000001) == 0) {
                                					if(_t56 == 0xfffffdee && (_t66[0x2d] & 0x00000001) != 0) {
                                						goto L7;
                                					}
                                				} else {
                                					L7:
                                					_t33 = GetDlgCtrlID(_t33);
                                				}
                                				if(_t33 == 0) {
                                					L12:
                                					_t34 =  &(_t66[4]);
                                					if(_t66[2] != 0xfffffdf8) {
                                						_push(L0136B25B(_t34, 0x50,  *(_t67 - 0x214), 0xffffffff));
                                						L01271310();
                                					} else {
                                						WideCharToMultiByte(3, 0,  *(_t67 - 0x214), 0xffffffff, _t34, 0x50, 0, 0);
                                					}
                                					 *((intOrPtr*)( *((intOrPtr*)(_t67 - 0x218)))) = 0;
                                					SetWindowPos( *_t66, 0, 0, 0, 0, 0, 0x213);
                                					L01271470( &(( *(_t67 - 0x214))[0xfffffffffffffff8]), _t62);
                                				} else {
                                					if(E01278428(0xfffffdf8, _t67 - 0x210, 0, _t66, _t33, _t67 - 0x210, 0x100) != 0) {
                                						E012784C0(0xfffffdf8, 0, _t67 - 0x214, _t67 - 0x210, 1, 0xa);
                                						goto L12;
                                					} else {
                                						L01271470( &(( *(_t67 - 0x214))[0xfffffffffffffff8]), _t62);
                                					}
                                				}
                                				return L013696ED(0xfffffdf8, 0, _t66);
                                			}













                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012B2931
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • GetDlgCtrlID.USER32 ref: 012B299A
                                  • Part of subcall function 012784C0: _wcschr.LIBCMT ref: 012784D8
                                  • Part of subcall function 012784C0: _wcschr.LIBCMT ref: 012784F2
                                  • Part of subcall function 012784C0: lstrlenW.KERNEL32(-00000002), ref: 012784FE
                                • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000050,00000000,00000000,00000000,0000020C), ref: 012B29FB
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 012B2A30
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: _wcschr$ByteCharCtrlException@8H_prolog3_MultiThrowWideWindowlstrlen
                                • String ID:
                                • API String ID: 2200414912-0
                                • Opcode ID: e026390247c430333b007f2ac7a420c220f2678700dfcdca79586d66dbbb6ef7
                                • Instruction ID: 3cbe55ccbd7eee182634056f52a9324fb790381159b62cdbc4f90deb693bf799
                                • Opcode Fuzzy Hash: e026390247c430333b007f2ac7a420c220f2678700dfcdca79586d66dbbb6ef7
                                • Instruction Fuzzy Hash: 29310C305607079BDB31AB68CC9CFFF7768EF60354F14064CE62AA61D4D67069808B21
                                Uniqueness

                                Uniqueness Score: 2.71%

                                C-Code - Quality: 60%
                                			E012D2A7B(intOrPtr* __ecx) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t36;
                                				void* _t40;
                                				long _t47;
                                				intOrPtr* _t51;
                                				intOrPtr _t55;
                                				void* _t60;
                                				void* _t63;
                                				intOrPtr _t65;
                                				struct tagRECT _t68;
                                				signed int _t69;
                                
                                				_t36 =  *0x13d3570; // 0x99b5b578
                                				_t37 = _t36 ^ _t69;
                                				_v8 = _t36 ^ _t69;
                                				_t51 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x214)) != 0) {
                                					_push(_t63);
                                					_push(_t60);
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					asm("movsd");
                                					_t40 =  *((intOrPtr*)( *__ecx + 0x1a0))();
                                					if( *((intOrPtr*)(__ecx + 0x10c)) == 0 || _t40 > 1) {
                                						if( *((intOrPtr*)(_t51 + 0x238)) == 0 || _t40 != 0) {
                                							_t65 =  *((intOrPtr*)(_t51 + 0x268));
                                							if(_t65 < GetSystemMetrics(0x15) + _t41) {
                                								SetRectEmpty( &_v24);
                                								SetRectEmpty(_t51 + 0x270);
                                								goto L9;
                                							} else {
                                								_t55 =  *((intOrPtr*)(_t51 + 0x254));
                                								_v24.top = _v24.top + 1;
                                								_v24.bottom = _v24.bottom - 2;
                                								_t47 = _t55 - _t65;
                                								_v24.right = _t55;
                                								_v24.left = _t47;
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								 *((intOrPtr*)(_t51 + 0x274)) =  *((intOrPtr*)(_t51 + 0x274)) + 1;
                                								_t68 = _t47 - 5;
                                								 *(_t51 + 0x278) = _t47;
                                								 *(_t51 + 0x270) = _t68;
                                								 *(_t51 + 0x298) = _t68;
                                							}
                                						} else {
                                							goto L8;
                                						}
                                					} else {
                                						L8:
                                						_v24.bottom = _v24.bottom - 2;
                                						SetRectEmpty(_t51 + 0x270);
                                						L9:
                                						_t47 = _v24.left;
                                						_t55 = _v24.right;
                                					}
                                					_t58 = _v24.bottom - _v24.top;
                                					_t37 = E01286A31(_t51 + 0x2e0, 0, _t47, _v24.top, _t55 - _t47, _v24.bottom - _v24.top, 0x114);
                                					_pop(_t60);
                                					_pop(_t63);
                                				}
                                				return L01367D3E(_t37, _t51, _v8 ^ _t69, _t58, _t60, _t63);
                                			}



















                                APIs
                                • GetSystemMetrics.USER32 ref: 012D2AD7
                                • SetRectEmpty.USER32 ref: 012D2B2E
                                • SetRectEmpty.USER32 ref: 012D2B46
                                • SetRectEmpty.USER32 ref: 012D2B37
                                  • Part of subcall function 01286A31: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,012827B4), ref: 01286A59
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: EmptyRect$ExceptionFilterProcessUnhandled$CurrentDebuggerMetricsPresentSystemTerminateWindow
                                • String ID:
                                • API String ID: 1048913119-0
                                • Opcode ID: b0d612d75bd9dfd64c670b0a33cac7983b957c780cfd871adee0fb223a7e87b7
                                • Instruction ID: 142c03e105c642a39a621fbcd7dcf65d32ce3171ec9700013f6d95a3f6fc6806
                                • Opcode Fuzzy Hash: b0d612d75bd9dfd64c670b0a33cac7983b957c780cfd871adee0fb223a7e87b7
                                • Instruction Fuzzy Hash: E4310771A1021ADFDF14DFA8C9C86EE77B8FF45304F0841B9AD09AF149D6B06A45CBA1
                                Uniqueness

                                Uniqueness Score: 10.55%

                                C-Code - Quality: 83%
                                			E012A64BF(void* __ebx, intOrPtr __ecx, void* __edx, void* __esi) {
                                				signed int _v8;
                                				struct tagRECT _v24;
                                				int _v28;
                                				struct tagPOINT _v36;
                                				char _v40;
                                				void* __edi;
                                				signed int _t22;
                                				int _t25;
                                				int _t27;
                                				int _t38;
                                				int _t41;
                                				void* _t47;
                                				intOrPtr _t48;
                                				signed int _t51;
                                
                                				_t49 = __esi;
                                				_t47 = __edx;
                                				_t42 = __ecx;
                                				_t40 = __ebx;
                                				_t22 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t22 ^ _t51;
                                				_t48 = __ecx;
                                				if(GetKeyState(0x11) >= 0) {
                                					_t25 =  *(_t48 + 0x178);
                                					_push(__ebx);
                                					_push(__esi);
                                					__eflags = _t25;
                                					if(__eflags == 0) {
                                						_t25 = L012C74B8(0x13d0a78, _t47, E01282D31(__ebx, _t42, _t47, _t48, 0, __eflags,  *((intOrPtr*)(_t48 + 0xbc))));
                                					}
                                					_t41 = _t25;
                                					__eflags = _t41;
                                					if(_t41 == 0) {
                                						L8:
                                						_t27 = 1;
                                						__eflags = 1;
                                					} else {
                                						_v36.x = 0;
                                						_v36.y = 0;
                                						GetCursorPos( &_v36);
                                						_v24.left = 0;
                                						_v24.top = 0;
                                						_v24.right = 0;
                                						_v24.bottom = 0;
                                						SetRectEmpty( &_v24);
                                						_v28 = 0;
                                						_v40 = 0;
                                						E012AC565(_t41, _t48, _v36.x, _v36.y,  &_v24,  &_v28,  &_v40);
                                						_t38 = IsRectEmpty( &_v24);
                                						__eflags = _t38;
                                						if(_t38 == 0) {
                                							goto L8;
                                						} else {
                                							__eflags = _v28;
                                							if(_v28 != 0) {
                                								goto L8;
                                							} else {
                                								_t27 = 0;
                                							}
                                						}
                                					}
                                					_pop(_t49);
                                					_pop(_t40);
                                				} else {
                                					_t27 = 0;
                                				}
                                				return L01367D3E(_t27, _t40, _v8 ^ _t51, _t47, _t48, _t49);
                                			}


















                                APIs
                                • GetKeyState.USER32 ref: 012A64D6
                                • GetCursorPos.USER32(?), ref: 012A651C
                                • SetRectEmpty.USER32 ref: 012A6532
                                  • Part of subcall function 012AC565: SetRectEmpty.USER32 ref: 012AC591
                                  • Part of subcall function 012AC565: GetKeyState.USER32 ref: 012AC599
                                  • Part of subcall function 012AC565: IsRectEmpty.USER32 ref: 012AC5F6
                                  • Part of subcall function 012AC565: GetWindowRect.USER32 ref: 012AC773
                                • IsRectEmpty.USER32 ref: 012A655C
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 012C74B8: GetParent.USER32(?), ref: 012C75B6
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$Empty$ExceptionFilterProcessStateUnhandled$CurrentCursorDebuggerParentPresentTerminateWindow
                                • String ID:
                                • API String ID: 655928509-0
                                • Opcode ID: c37f81ee2dd9f3e256d2b52e8a078971151722de1101f1153ab7659998f96f0e
                                • Instruction ID: a4a65d5c9aca4a00c3a504bd7a01e325e6a791dc889fcb06d0b42ea035973947
                                • Opcode Fuzzy Hash: c37f81ee2dd9f3e256d2b52e8a078971151722de1101f1153ab7659998f96f0e
                                • Instruction Fuzzy Hash: 6F21FC71E1021AAFCF21DFE5D8449EFBBBDFB48B44F94452AE541E2104DB749A01CBA1
                                Uniqueness

                                Uniqueness Score: 1.64%

                                C-Code - Quality: 80%
                                			E012A8CA3(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				void* __ebp;
                                				void* _t15;
                                				intOrPtr _t18;
                                				void* _t22;
                                				void* _t30;
                                				void* _t31;
                                				void* _t39;
                                				void* _t40;
                                				intOrPtr _t44;
                                
                                				_t40 = __edi;
                                				_t39 = __edx;
                                				_t30 = __ebx;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t44 = __ecx;
                                				_v12 = __ecx;
                                				_t15 = E01282C5F(__ebx, __ecx, __edi, __eflags);
                                				if(_t15 != 0) {
                                					if((E01286848(_t44) & 0x00000100) != 0) {
                                						_t35 = _t44;
                                						_t18 = E012848D5(_t44, __edi);
                                						_v8 = _t18;
                                						if(_t18 == 0) {
                                							L01277AC9(_t35);
                                						}
                                						_push(_t30);
                                						_push(_t40);
                                						_t31 = E01282D05(_t30, _t35, _t39, GetForegroundWindow());
                                						if(_v8 == _t31 || E01282D05(_t31, _t35, _t39, GetLastActivePopup( *(_v8 + 0x20))) == _t31 && SendMessageW( *(_t31 + 0x20), 0x36d, 0x40, 0) != 0) {
                                							_t22 = 1;
                                							__eflags = 1;
                                						} else {
                                							_t22 = 0;
                                						}
                                						SendMessageW( *(_v12 + 0x20), 0x36d, 4 + (0 | _t22 == 0x00000000) * 4, 0);
                                					}
                                					_t15 = 1;
                                				}
                                				return _t15;
                                			}















                                APIs
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                • GetForegroundWindow.USER32 ref: 012A8CE0
                                • GetLastActivePopup.USER32(?), ref: 012A8D04
                                • SendMessageW.USER32(?,0000036D,00000040,00000000), ref: 012A8D1C
                                • SendMessageW.USER32(?,0000036D,00000000,00000000), ref: 012A8D41
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MessageSendWindow$ActiveException@8ForegroundLastLongPopupThrow
                                • String ID:
                                • API String ID: 1483153143-0
                                • Opcode ID: 8b4c822c4d698543256f8082ba538f9e264aba6e5a2424bce9be76ead6deae54
                                • Instruction ID: 8a1319d8fef27a5bfbf51cb1d75ad26df8d638f6eb635ba059cb06072b8bb931
                                • Opcode Fuzzy Hash: 8b4c822c4d698543256f8082ba538f9e264aba6e5a2424bce9be76ead6deae54
                                • Instruction Fuzzy Hash: 7911C672B31206BBEB15BBB89C44F7E7A6CEB59301F014029A601E7090FA70D900C7A1
                                Uniqueness

                                Uniqueness Score: 1.97%

                                C-Code - Quality: 89%
                                			E0128CF42(intOrPtr __ecx, void* __edx, int _a4) {
                                				intOrPtr _v8;
                                				void* __ebx;
                                				intOrPtr _t18;
                                				int _t19;
                                				struct HWND__* _t20;
                                				void* _t24;
                                				void* _t31;
                                				intOrPtr _t33;
                                				void* _t37;
                                				intOrPtr _t39;
                                
                                				_t31 = __edx;
                                				_t27 = __ecx;
                                				_push(__ecx);
                                				_push(_t24);
                                				_t33 = __ecx;
                                				_v8 = __ecx;
                                				_t37 = E01282D05(_t24, _t27, _t31, GetParent( *(__ecx + 0x20)));
                                				_t39 =  *0x13d0188; // 0x1
                                				if(_t39 != 0 || _t37 == 0) {
                                					L4:
                                					if((E01286848(_t33) & 0x00080000) == 0) {
                                						_a4 = 3;
                                					}
                                					_t18 =  *((intOrPtr*)(_t33 + 0x438));
                                					if(_t18 != 0 &&  *((intOrPtr*)(_t18 + 0x2d48)) != 0) {
                                						_a4 = 1;
                                					}
                                					_t19 = L012B9AF4(_t33, _t31, _a4);
                                				} else {
                                					_t20 =  *(_t37 + 0x20);
                                					if(_t20 == 0) {
                                						goto L4;
                                					} else {
                                						SendMessageW(_t20, 0xb, 0, 0);
                                						L012B9AF4(_v8, _t31, _a4);
                                						SendMessageW( *(_t37 + 0x20), 0xb, 1, 0);
                                						_t19 = RedrawWindow( *(_t37 + 0x20), 0, 0, 0x185);
                                					}
                                				}
                                				return _t19;
                                			}














                                APIs
                                • GetParent.USER32(?), ref: 0128CF53
                                • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0128CF81
                                • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 0128CF96
                                • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 0128CFA2
                                  • Part of subcall function 01286848: GetWindowLongW.USER32(?,000000F0), ref: 01286853
                                  • Part of subcall function 012B9AF4: SendMessageW.USER32(?,00000234,00000000,00000000), ref: 012B9B6F
                                  • Part of subcall function 012B9AF4: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 012B9B96
                                  • Part of subcall function 012B9AF4: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 012B9BB3
                                  • Part of subcall function 012B9AF4: SendMessageW.USER32(?,00000222,?,00000000), ref: 012B9BCA
                                  • Part of subcall function 012B9AF4: SendMessageW.USER32(?,00000222,00000000,?), ref: 012B9BEF
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: MessageSend$Window$LongParentRedraw
                                • String ID:
                                • API String ID: 982432997-0
                                • Opcode ID: 183f6587d996a8fba77c3e98efe0fb1848ccc2526d87b06a2996d496b97467d1
                                • Instruction ID: 71c9488feb7ba3f7203f5d6ce11223de06328ae6c349ef10a5dcbcb46b367dd6
                                • Opcode Fuzzy Hash: 183f6587d996a8fba77c3e98efe0fb1848ccc2526d87b06a2996d496b97467d1
                                • Instruction Fuzzy Hash: 4C1191B2220206BBEF217F54C8C8EBEBAADFB94394F14402AF74596190D7B19C50CB60
                                Uniqueness

                                Uniqueness Score: 3.15%

                                C-Code - Quality: 90%
                                			E012B4723(void* __ecx) {
                                				void* _v8;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				signed int _t24;
                                				void* _t29;
                                				void* _t31;
                                				struct HINSTANCE__* _t33;
                                				signed int _t35;
                                				signed int _t36;
                                				void* _t38;
                                				signed int* _t41;
                                
                                				_push(__ecx);
                                				_push(_t29);
                                				_t38 = __ecx;
                                				_t43 =  *((intOrPtr*)(__ecx + 0x78));
                                				_t41 =  *(__ecx + 0x80);
                                				_v8 =  *((intOrPtr*)(__ecx + 0x7c));
                                				if( *((intOrPtr*)(__ecx + 0x78)) != 0) {
                                					_t33 =  *(E012792EF(_t29, __ecx, _t41, _t43) + 0xc);
                                					_v8 = LoadResource(_t33, FindResourceW(_t33,  *(_t38 + 0x78), 5));
                                				}
                                				if(_v8 != 0) {
                                					_t41 = LockResource(_v8);
                                				}
                                				_t31 = 1;
                                				if(_t41 != 0) {
                                					_t36 =  *_t41;
                                					if(_t41[0] != 0xffff) {
                                						_t24 = _t41[2] & 0x0000ffff;
                                						_t35 = _t41[3] & 0x0000ffff;
                                					} else {
                                						_t36 = _t41[3];
                                						_t24 = _t41[4] & 0x0000ffff;
                                						_t35 = _t41[5] & 0x0000ffff;
                                					}
                                					if((_t36 & 0x00001801) != 0 || _t24 != 0 || _t35 != 0) {
                                						_t31 = 0;
                                					}
                                				}
                                				if( *(_t38 + 0x78) != 0) {
                                					FreeResource(_v8);
                                				}
                                				return _t31;
                                			}

















                                APIs
                                • FindResourceW.KERNEL32(?,00000000,00000005), ref: 012B474E
                                • LoadResource.KERNEL32(?,00000000), ref: 012B4756
                                • LockResource.KERNEL32(00000000), ref: 012B4768
                                • FreeResource.KERNEL32(00000000), ref: 012B47B6
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Resource$FindFreeLoadLock
                                • String ID:
                                • API String ID: 1078018258-0
                                • Opcode ID: 83e39ace14b7ffa897b289123c2780b7e86b08c16d4b8faaf10db78c2d6e5143
                                • Instruction ID: fb862eaa7dffed8a682039c4990a986a0ce126e0491ee3bea07dc42ff813de9f
                                • Opcode Fuzzy Hash: 83e39ace14b7ffa897b289123c2780b7e86b08c16d4b8faaf10db78c2d6e5143
                                • Instruction Fuzzy Hash: AB11E635110751EFE725AFA9C8C8AF6B7B8FF05355F10842AEA6253542E770E980E760
                                Uniqueness

                                Uniqueness Score: 0.09%

                                C-Code - Quality: 78%
                                			E012B6B38(void* __ebx, void* __edx, void* __edi, struct HWND__* _a4, intOrPtr _a8, long* _a12) {
                                				signed int _t19;
                                				long _t22;
                                				int _t24;
                                				WCHAR* _t25;
                                				void* _t29;
                                				intOrPtr* _t31;
                                				void* _t36;
                                				void* _t37;
                                				intOrPtr* _t38;
                                
                                				_t37 = __edi;
                                				_t36 = __edx;
                                				_t29 = __ebx;
                                				_t38 = _a4;
                                				E012867E8( *((intOrPtr*)(_t38 + 4)), _a8,  &_a4);
                                				_t19 = GetWindowLongW(_a4, 0xfffffff0);
                                				_push(_a8);
                                				_t31 = _t38;
                                				if((_t19 & 0x00000003) == 3) {
                                					E012B6781(_t31);
                                				} else {
                                					E012B6781(_t31);
                                					 *((intOrPtr*)(_t38 + 0xc)) = 1;
                                				}
                                				if( *_t38 != 0) {
                                					_t24 = GetWindowTextLengthW(_a4);
                                					if(_t24 <= 0) {
                                						_t25 = E01272610(_t29, _a12, _t37, 0xff);
                                						_push(0x100);
                                					} else {
                                						_t9 = _t24 + 1; // 0x1
                                						_t25 = E0127849B(_a12, _t24);
                                					}
                                					GetWindowTextW(_a4, _t25, ??);
                                					return E012723C0(_t29, _a12, _t37, 0xffffffff);
                                				}
                                				_t39 = _a12;
                                				_t22 = SendMessageW(_a4, 0x14d, 0xffffffff,  *_a12);
                                				if(_t22 == 0xffffffff) {
                                					return E0127A9F7(_t31, _t36, _a4,  *_t39);
                                				}
                                				return _t22;
                                			}













                                APIs
                                  • Part of subcall function 012867E8: GetDlgItem.USER32(?,?), ref: 012867F9
                                • GetWindowLongW.USER32(?,000000F0), ref: 012B6B55
                                • GetWindowTextLengthW.USER32 ref: 012B6B82
                                • GetWindowTextW.USER32 ref: 012B6BB1
                                  • Part of subcall function 012723C0: _wcsnlen.LIBCMT ref: 012723D9
                                • SendMessageW.USER32(?,0000014D,000000FF,?), ref: 012B6BD2
                                  • Part of subcall function 0127A9F7: lstrlenW.KERNEL32(?,?,?), ref: 0127AA23
                                  • Part of subcall function 0127A9F7: _memset.LIBCMT ref: 0127AA41
                                  • Part of subcall function 0127A9F7: GetWindowTextW.USER32 ref: 0127AA5B
                                  • Part of subcall function 0127A9F7: lstrcmpW.KERNEL32(?,?,?,?), ref: 0127AA6D
                                  • Part of subcall function 0127A9F7: SetWindowTextW.USER32 ref: 0127AA79
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Text$ItemLengthLongMessageSend_memset_wcsnlenlstrcmplstrlen
                                • String ID:
                                • API String ID: 3152496235-0
                                • Opcode ID: fdf5e4876eb7ffe0de53735f1a481d218fc0c6e63edb6bad330dc76a5f8eb389
                                • Instruction ID: f41a1dde917d939da35ac3870ca940caa8728dce7318b1c9d6136876f6349b2f
                                • Opcode Fuzzy Hash: fdf5e4876eb7ffe0de53735f1a481d218fc0c6e63edb6bad330dc76a5f8eb389
                                • Instruction Fuzzy Hash: 15115B3212424AEBCF11AF94CC84EFE7B79EF143A0F144619FA756A1E0DB71A990DB50
                                Uniqueness

                                Uniqueness Score: 1.15%

                                C-Code - Quality: 94%
                                			E01276A14(void* __ecx, void* __edx, WCHAR* _a4, short* _a8, char _a12) {
                                				signed int _v8;
                                				short _v40;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t13;
                                				WCHAR* _t21;
                                				short* _t24;
                                				void* _t28;
                                				void* _t30;
                                				signed int _t31;
                                
                                				_t28 = __edx;
                                				_t13 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t13 ^ _t31;
                                				_t24 = _a8;
                                				_t30 = __ecx;
                                				_t29 = _a4;
                                				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                					swprintf( &_v40, 0x10, L"%d", _a12);
                                					_t18 = WritePrivateProfileStringW(_t29, _t24,  &_v40,  *(_t30 + 0x6c));
                                				} else {
                                					_t30 = E0127694D(__ecx, _t29, 0);
                                					if(_t30 != 0) {
                                						_t21 = RegSetValueExW(_t30, _t24, 0, 4,  &_a12, 4);
                                						_t29 = _t21;
                                						RegCloseKey(_t30);
                                						_t18 = 0 | _t21 == 0x00000000;
                                					}
                                				}
                                				return L01367D3E(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
                                			}















                                APIs
                                • RegSetValueExW.ADVAPI32 ref: 01276A51
                                • RegCloseKey.ADVAPI32(00000000), ref: 01276A5A
                                • swprintf.LIBCMT ref: 01276A77
                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 01276A88
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                  • Part of subcall function 0127694D: RegCreateKeyExW.ADVAPI32(00000000,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 01276991
                                  • Part of subcall function 0127694D: RegCloseKey.ADVAPI32(00000000), ref: 01276998
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CloseExceptionFilterProcessUnhandled$CreateCurrentDebuggerPresentPrivateProfileStringTerminateValueWriteswprintf
                                • String ID:
                                • API String ID: 3340587730-0
                                • Opcode ID: 7f129f51867ef87197e7a57a45d5eb6492c8d3f8b233d52f78999daee144bb11
                                • Instruction ID: e275564edc3eb10992af6439bbc4dbe2ef3074c42e64fac2d6330aeb9d503c6a
                                • Opcode Fuzzy Hash: 7f129f51867ef87197e7a57a45d5eb6492c8d3f8b233d52f78999daee144bb11
                                • Instruction Fuzzy Hash: 9801A17261030AFBEB21EF698C45FAF77ACAF59714F104419F601A7180DA74ED1587A0
                                Uniqueness

                                Uniqueness Score: 0.49%

                                C-Code - Quality: 68%
                                			E012C8F41(intOrPtr* __ecx) {
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				struct HMENU__* _t18;
                                				intOrPtr* _t20;
                                				signed int _t22;
                                				signed int _t23;
                                				signed int _t26;
                                				void* _t32;
                                				intOrPtr* _t34;
                                
                                				_t34 = __ecx;
                                				_t26 =  *((intOrPtr*)( *__ecx + 0x1d0))();
                                				_t18 = CreateMenu();
                                				 *(_t34 + 0x138) = _t18;
                                				if(_t18 == 0) {
                                					return _t18;
                                				}
                                				_t32 = _t34 + 0x13c;
                                				L01367D50(_t32, 0, 0x18);
                                				_t20 =  *((intOrPtr*)(_t34 + 0x128));
                                				_push(_t32);
                                				_push( *(_t34 + 0x138));
                                				_push(_t20);
                                				if( *((intOrPtr*)( *_t20 + 0x24))() == 0) {
                                					__eflags = _t26;
                                					if(__eflags != 0) {
                                						_t22 = L01277F15(_t26, _t32, _t34, __eflags);
                                						 *(_t34 + 0x180) = _t22;
                                						__imp__OleCreateMenuDescriptor( *(_t34 + 0x138), _t32,  *(_t34 + 0x138), _t26, _t32, 1, 1);
                                						__eflags = _t22;
                                						_t14 = _t22 != 0;
                                						__eflags = _t14;
                                						 *(_t34 + 0x154) = _t22;
                                						_t23 = 0 | _t14;
                                					} else {
                                						_t23 = 1;
                                					}
                                				} else {
                                					DestroyMenu( *(_t34 + 0x138));
                                					 *(_t34 + 0x138) =  *(_t34 + 0x138) & 0x00000000;
                                					_t23 = 0;
                                				}
                                				return _t23;
                                			}

                                APIs
                                • CreateMenu.USER32 ref: 012C8F51
                                • _memset.LIBCMT ref: 012C8F6D
                                • DestroyMenu.USER32 ref: 012C8F92
                                  • Part of subcall function 01277F15: __EH_prolog3_GS.LIBCMT ref: 01277F1F
                                  • Part of subcall function 01277F15: GetMenuItemCount.USER32(?), ref: 01277F51
                                  • Part of subcall function 01277F15: GetSubMenu.USER32 ref: 01277F95
                                  • Part of subcall function 01277F15: GetMenuState.USER32(?,?,00000400), ref: 01277FAE
                                  • Part of subcall function 01277F15: GetSubMenu.USER32 ref: 0127801D
                                  • Part of subcall function 01277F15: GetMenuStringW.USER32(?,?,?,00000100,00000400), ref: 01278042
                                  • Part of subcall function 01277F15: _wcslen.LIBCMT ref: 01278099
                                  • Part of subcall function 01277F15: AppendMenuW.USER32 ref: 012780C7
                                  • Part of subcall function 01277F15: GetMenuItemCount.USER32(00000000), ref: 01278106
                                  • Part of subcall function 01277F15: GetMenuItemID.USER32(?,?), ref: 0127813F
                                  • Part of subcall function 01277F15: InsertMenuW.USER32(?,?,00000000,00000000), ref: 01278155
                                • OleCreateMenuDescriptor.OLE32(?,?), ref: 012C8FCA
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Menu$Item$CountCreate$AppendDescriptorDestroyH_prolog3_InsertStateString_memset_wcslen
                                • String ID:
                                • API String ID: 583539312-0
                                • Opcode ID: 0b70666f5560c1a8f54687d580832a85f841af5a06661b01500608ac8ba4d09f
                                • Instruction ID: 857a28d227e0df3f2a637ffdf405fdd53bdac45d3a8c7108347d01c14dfaf2f2
                                • Opcode Fuzzy Hash: 0b70666f5560c1a8f54687d580832a85f841af5a06661b01500608ac8ba4d09f
                                • Instruction Fuzzy Hash: 59115B71210702ABE7705B39DC89FE77AE9EF88755F00482DB65AD6150DB71A950CB20
                                Uniqueness

                                Uniqueness Score: 12.89%

                                C-Code - Quality: 100%
                                			E012A62BA(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				int _t17;
                                				struct HWND__* _t18;
                                				void* _t21;
                                				void* _t28;
                                				intOrPtr* _t29;
                                				void* _t30;
                                
                                				_t30 = __ecx;
                                				_t29 = E012789CC(0x139ada0, E01282D31(_t21, __ecx, __edx, _t28, __ecx, __eflags,  *((intOrPtr*)(__ecx + 0xc8))));
                                				if(_t29 != 0) {
                                					 *((intOrPtr*)( *_t29 + 0x30c))(_a4);
                                				}
                                				_t17 = IsWindow( *(_t30 + 0xc0));
                                				if(_t17 != 0 && _a4 == 0) {
                                					_t17 = DestroyWindow( *(_t30 + 0xc0));
                                					 *(_t30 + 0xc0) =  *(_t30 + 0xc0) & 0x00000000;
                                				}
                                				if(_t29 == 0 || _a4 != 0) {
                                					return _t17;
                                				} else {
                                					_t18 =  *(_t29 + 0x174);
                                					if(_t18 !=  *((intOrPtr*)(_t30 + 0x20))) {
                                						_t18 = IsWindow(_t18);
                                						if(_t18 != 0) {
                                							_t18 = DestroyWindow( *(_t29 + 0x174));
                                						}
                                					}
                                					 *(_t29 + 0x174) =  *(_t29 + 0x174) & 0x00000000;
                                					return _t18;
                                				}
                                			}

                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Window$Destroy
                                • String ID:
                                • API String ID: 3707531092-0
                                • Opcode ID: 6fb7b93379d5bda181fb267d0d970a27f74bf71ca4d9fd69c7ee807efc500070
                                • Instruction ID: bd3ef08fcf1b3b18d08b330696b6e59e90748b42dc1bb4fe2e3f7c8aaac3019d
                                • Opcode Fuzzy Hash: 6fb7b93379d5bda181fb267d0d970a27f74bf71ca4d9fd69c7ee807efc500070
                                • Instruction Fuzzy Hash: F301B531111702EFEB215F39DC88BAAFFA9FF40766F589629E61983150DB31A811CB60
                                Uniqueness

                                Uniqueness Score: 1.23%

                                C-Code - Quality: 100%
                                			E012B8FED(void* __ecx, struct HMENU__* _a4) {
                                				int _v8;
                                				struct HMENU__* _v12;
                                				struct HMENU__* _t8;
                                				int _t9;
                                				int _t11;
                                				int _t12;
                                				int _t16;
                                				struct HMENU__* _t19;
                                
                                				if(_a4 != 0) {
                                					_t8 = GetMenuItemCount(_a4);
                                					while(_t8 != 0) {
                                						_t9 = _t8 - 1;
                                						_v12 = _t9;
                                						_t19 = GetSubMenu(_a4, _t9);
                                						if(_t19 == 0) {
                                							L8:
                                							_t8 = _v12;
                                							continue;
                                						}
                                						_t11 = GetMenuItemCount(_t19);
                                						_t16 = 0;
                                						_v8 = _t11;
                                						if(_t11 <= 0) {
                                							goto L8;
                                						} else {
                                							goto L5;
                                						}
                                						while(1) {
                                							L5:
                                							_t12 = GetMenuItemID(_t19, _t16);
                                							if(_t12 >= 0xe130 && _t12 <= 0xe13f) {
                                								break;
                                							}
                                							_t16 = _t16 + 1;
                                							if(_t16 < _v8) {
                                								continue;
                                							}
                                							goto L8;
                                						}
                                						_t8 = _t19;
                                						break;
                                					}
                                					return _t8;
                                				}
                                				return 0;
                                			}

                                APIs
                                • GetMenuItemCount.USER32(00000000), ref: 012B900A
                                • GetSubMenu.USER32 ref: 012B9016
                                • GetMenuItemCount.USER32(00000000), ref: 012B9023
                                • GetMenuItemID.USER32(00000000,00000000), ref: 012B9030
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Menu$Item$Count
                                • String ID:
                                • API String ID: 879546783-0
                                • Opcode ID: b03d02682283c2a775225368cb13961ea2999a2086a6a9ebfca4236d9e92a25b
                                • Instruction ID: cc0a79cc362e6f05d6c33d6deb0ecd78c43fdfb29e5b6d74e65edff90e2b77c4
                                • Opcode Fuzzy Hash: b03d02682283c2a775225368cb13961ea2999a2086a6a9ebfca4236d9e92a25b
                                • Instruction Fuzzy Hash: 5C0162B5530209BBEF214B69D8C49EE7EBDEB857D8F140825E701D2201D6B4D9C09760
                                Uniqueness

                                Uniqueness Score: 1.34%

                                C-Code - Quality: 68%
                                			E012A0D6F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				int _t20;
                                				void* _t22;
                                				int _t28;
                                				void* _t30;
                                				void* _t39;
                                				intOrPtr _t42;
                                				void* _t43;
                                
                                				_t40 = __edi;
                                				_t39 = __edx;
                                				_t33 = __ebx;
                                				_push(8);
                                				L01369601(0x1380ce8, __ebx, __edi, __esi);
                                				_t42 =  *((intOrPtr*)(_t43 + 8));
                                				if( *0x13d9ca0 == 0) {
                                					_t20 = IsRectEmpty(_t43 + 0x20);
                                					__eflags = _t20;
                                					if(_t20 == 0) {
                                						FillRect( *(_t42 + 4), _t43 + 0x20,  *0x13d6484);
                                					}
                                					_t22 = E0128A265(_t43 + 0x10,  *0x13d6438,  *0x13d643c);
                                				} else {
                                					E012FC185(_t43 - 0x14, _t42);
                                					 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
                                					_t28 = IsRectEmpty(_t43 + 0x20);
                                					_t46 = _t28;
                                					if(_t28 == 0) {
                                						_push(0xffffffff);
                                						_push( *0x13d641c);
                                						_push(_t43 + 0x20);
                                						L012FF1AB(__ebx, _t43 - 0x14, _t39, __edi, _t42, _t46);
                                					}
                                					_push( *0x13d6438);
                                					_push(0xffffffff);
                                					_push(_t43 + 0x10);
                                					_t30 = L012FF1AB(_t33, _t43 - 0x14, _t39, _t40, _t42, _t46);
                                					 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
                                					_t22 = L012FC19C(_t30, _t43 - 0x14);
                                				}
                                				return L013696D9(_t22);
                                			}

                                APIs
                                • __EH_prolog3.LIBCMT ref: 012A0D76
                                • IsRectEmpty.USER32 ref: 012A0D98
                                  • Part of subcall function 012FF1AB: __EH_prolog3.LIBCMT ref: 012FF1B2
                                  • Part of subcall function 012FF1AB: CreateCompatibleDC.GDI32(?), ref: 012FF215
                                  • Part of subcall function 012FF1AB: CreateCompatibleBitmap.GDI32(?,?,?), ref: 012FF247
                                  • Part of subcall function 012FF1AB: SelectObject.GDI32(?,00000000), ref: 012FF2A5
                                  • Part of subcall function 012FF1AB: _memmove.LIBCMT ref: 012FF31B
                                  • Part of subcall function 012FF1AB: _memmove.LIBCMT ref: 012FF3BD
                                  • Part of subcall function 012FF1AB: BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 012FF3F2
                                  • Part of subcall function 012FF1AB: DeleteObject.GDI32(?), ref: 012FF438
                                • IsRectEmpty.USER32 ref: 012A0DDC
                                • FillRect.USER32(?,?), ref: 012A0DF3
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Rect$CompatibleCreateEmptyH_prolog3Object_memmove$BitmapDeleteFillSelect
                                • String ID:
                                • API String ID: 2582036219-0
                                • Opcode ID: fa3695bf64ed6b49720bf11a27585cc1e1eec4e79e2fb6a66a4c970ca7bfa85e
                                • Instruction ID: 6a119fe18b6cb546265e04a3ab1b8dea3efe2ead1817239fdc78a00f0780d50b
                                • Opcode Fuzzy Hash: fa3695bf64ed6b49720bf11a27585cc1e1eec4e79e2fb6a66a4c970ca7bfa85e
                                • Instruction Fuzzy Hash: 4C114C7241120AAFCF21EFA4DD05EEE777DFB15329F404229B621B20D4DB35AA18CB60
                                Uniqueness

                                Uniqueness Score: 3.53%

                                C-Code - Quality: 100%
                                			E01286A6F(void* __ebx, void* __ecx, void* __edx) {
                                				void* _t24;
                                				void* _t28;
                                
                                				_t24 = __edx;
                                				_t22 = __ecx;
                                				_t21 = __ebx;
                                				_t28 = __ecx;
                                				if( *((intOrPtr*)(__ecx + 0x6c)) != 0) {
                                					goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x6c)))) + 0xb0)));
                                				}
                                				if(E01282D05(__ebx, _t22, _t24, GetParent( *(__ecx + 0x20))) != 0) {
                                					_t22 = E01282D05(__ebx, _t22, _t24, GetParent( *(_t28 + 0x20)));
                                					if(L01281B2F(_t16) != 0) {
                                						_t22 = E01282D05(__ebx, _t22, _t24, GetParent( *(_t28 + 0x20)));
                                						 *(L01281B2F(_t19) + 0x70) =  *(_t20 + 0x70) & 0x00000000;
                                					}
                                				}
                                				return E01282D05(_t21, _t22, _t24, SetFocus( *(_t28 + 0x20)));
                                			}

                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Parent$Focus
                                • String ID:
                                • API String ID: 384096180-0
                                • Opcode ID: fb8d62c97b5a1659536172224923145f372c80a94284571a972c7cd4c36a439b
                                • Instruction ID: 669c43fbd5126532dc8884517b2c6248799e8a17a7a128f6d36dd1a343d2c10f
                                • Opcode Fuzzy Hash: fb8d62c97b5a1659536172224923145f372c80a94284571a972c7cd4c36a439b
                                • Instruction Fuzzy Hash: 0DF0FF325213069BDB207B75EC08F6B7AAABF98311F060868E985975A4EF35D811CA10
                                Uniqueness

                                Uniqueness Score: 1.23%

                                C-Code - Quality: 73%
                                			E012B4BCF(intOrPtr __ecx, void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				void* _t9;
                                				void* _t14;
                                				void* _t18;
                                				void* _t19;
                                				void* _t20;
                                				void* _t22;
                                				struct HINSTANCE__* _t23;
                                
                                				_t18 = __edx;
                                				_push(__ecx);
                                				_push(_t22);
                                				_push(_t19);
                                				_v8 = __ecx;
                                				_t14 = 0;
                                				_t23 =  *(E012792EF(0, _t19, _t22, __eflags) + 0xc);
                                				_t20 = LoadResource(_t23, FindResourceW(_t23, _a4, 5));
                                				_t27 = _t20;
                                				if(_t20 != 0) {
                                					_t14 = LockResource(_t20);
                                				}
                                				_t9 = E012B480C(_t14, _v8, _t18, _t20, _t23, _t27, _t14, _a8, _t23);
                                				FreeResource(_t20);
                                				return _t9;
                                			}















                                APIs
                                • FindResourceW.KERNEL32(?,?,00000005,00000000,?,?,?,?,012CB418,?,?), ref: 012B4BEB
                                • LoadResource.KERNEL32(?,00000000,?,?,?,?,012CB418,?,?), ref: 012B4BF3
                                • LockResource.KERNEL32(00000000,?,?,?,?,012CB418,?,?), ref: 012B4C00
                                  • Part of subcall function 012B480C: __EH_prolog3_catch.LIBCMT ref: 012B4813
                                  • Part of subcall function 012B480C: GlobalLock.KERNEL32 ref: 012B48F9
                                  • Part of subcall function 012B480C: CreateDialogIndirectParamW.USER32(?,?,?,012B41E4,00000000), ref: 012B4928
                                  • Part of subcall function 012B480C: DestroyWindow.USER32(00000000), ref: 012B49A2
                                  • Part of subcall function 012B480C: GlobalUnlock.KERNEL32(?), ref: 012B49B2
                                  • Part of subcall function 012B480C: GlobalFree.KERNEL32(?), ref: 012B49BB
                                • FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,012CB418,?,?), ref: 012B4C18
                                Similarity
                                • API ID: Resource$Global$FreeLock$CreateDestroyDialogFindH_prolog3_catchIndirectLoadParamUnlockWindow
                                • String ID:
                                • API String ID: 4150614275-0
                                • Opcode ID: e0845039b43aa7a95c4538167db8adeaee1c6b422520886c152ac935d50e19ec
                                • Instruction ID: d7d2664eacd496ac377d923e1f03f663c510caafce8e8f6872542eeecbcabfb3
                                • Opcode Fuzzy Hash: e0845039b43aa7a95c4538167db8adeaee1c6b422520886c152ac935d50e19ec
                                • Instruction Fuzzy Hash: E1F05E36210314BBD7126BE99C8CCEFBBADEF967A1B114025F606A3205EA749941C7B0
                                Uniqueness

                                Uniqueness Score: 0.09%

                                C-Code - Quality: 100%
                                			E012B4B3B(void* __edx) {
                                				intOrPtr _t16;
                                				struct HWND__* _t19;
                                				intOrPtr _t23;
                                				void* _t27;
                                				intOrPtr* _t29;
                                				void* _t30;
                                
                                				_t27 = __edx;
                                				_t29 =  *((intOrPtr*)(_t30 - 0x20));
                                				_t23 =  *((intOrPtr*)(_t30 - 0x24));
                                				if( *((intOrPtr*)(_t30 - 0x28)) != 0) {
                                					E012869E1(_t23, 1);
                                				}
                                				if( *((intOrPtr*)(_t30 - 0x2c)) != 0) {
                                					EnableWindow( *(_t30 - 0x14), 1);
                                				}
                                				if( *(_t30 - 0x14) != 0) {
                                					_t19 = GetActiveWindow();
                                					_t35 = _t19 -  *((intOrPtr*)(_t29 + 0x20));
                                					if(_t19 ==  *((intOrPtr*)(_t29 + 0x20))) {
                                						SetActiveWindow( *(_t30 - 0x14));
                                					}
                                				}
                                				 *((intOrPtr*)( *_t29 + 0x60))();
                                				E012B4557(_t23, _t29, _t27, 0, _t29, _t35);
                                				if( *((intOrPtr*)(_t29 + 0x78)) != 0) {
                                					FreeResource( *(_t30 - 0x18));
                                				}
                                				_t16 =  *((intOrPtr*)(_t29 + 0x60));
                                				return L013696D9(_t16);
                                			}









                                APIs
                                • EnableWindow.USER32 ref: 012B4B5B
                                • GetActiveWindow.USER32 ref: 012B4B66
                                • SetActiveWindow.USER32(?), ref: 012B4B74
                                  • Part of subcall function 012B4557: IsWindow.USER32(?), ref: 012B456E
                                  • Part of subcall function 012B4557: EnableWindow.USER32 ref: 012B4580
                                • FreeResource.KERNEL32(?,?,00000000,00000000,?,?,?,000004DC), ref: 012B4B90
                                  • Part of subcall function 012869E1: EnableWindow.USER32 ref: 012869F2
                                Similarity
                                • API ID: Window$Enable$Active$FreeResource
                                • String ID:
                                • API String ID: 870741292-0
                                • Opcode ID: f5546c75c857f514b919f40499a8d99d642c80e6f5d4d686f82fd63c45266b7f
                                • Instruction ID: 5b7e6ff4ced1ae83bf804ddc5d8565682a3e638f35d14e2320faebf88125d082
                                • Opcode Fuzzy Hash: f5546c75c857f514b919f40499a8d99d642c80e6f5d4d686f82fd63c45266b7f
                                • Instruction Fuzzy Hash: FFF01930D10709CBDF22AF68C8C5AEDBBB1BF48752F140018E34272696DB325980CB61
                                Uniqueness

                                Uniqueness Score: 0.36%

                                C-Code - Quality: 59%
                                			E012A2895(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr* _t48;
                                				intOrPtr _t59;
                                				void* _t68;
                                				intOrPtr* _t78;
                                				intOrPtr _t80;
                                				intOrPtr* _t81;
                                				intOrPtr _t90;
                                				intOrPtr _t91;
                                				intOrPtr _t94;
                                				void* _t96;
                                
                                				_t92 = __edi;
                                				_push(0x18);
                                				L0136966A(0x13820b7, __ebx, __edi, __esi);
                                				_t78 =  *((intOrPtr*)(_t96 + 8));
                                				_t80 =  *((intOrPtr*)(__ecx + 0x1c));
                                				_t94 = 0;
                                				 *((intOrPtr*)(_t96 - 0x24)) = __ecx;
                                				if(_t80 != 0) {
                                					_t48 =  *((intOrPtr*)(__ecx + 0x58));
                                					if(_t48 != 0) {
                                						if(_t78 != 0) {
                                							_t91 =  *((intOrPtr*)(_t78 + 4));
                                						} else {
                                							_t91 = 0;
                                						}
                                						_t92 = _t96 + 0x10;
                                						 *_t48(_t80, _t91, 1, _t94, _t96 + 0x10, _t94);
                                					}
                                					if( *(_t96 + 0x20) != _t94) {
                                						_t92 = _t96 - 0x20;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						InflateRect(_t96 - 0x20, 0xfffffffd, 0xfffffffd);
                                						_t94 = 0;
                                						asm("cdq");
                                						 *((intOrPtr*)(_t96 - 0x18)) = ( *((intOrPtr*)(_t96 - 0x18)) -  *(_t96 - 0x20)) *  *(_t96 + 0x24) /  *(_t96 + 0x20) +  *(_t96 - 0x20);
                                						_t59 =  *((intOrPtr*)(_t96 - 0x24));
                                						_t81 =  *((intOrPtr*)(_t59 + 0x58));
                                						if(_t81 != 0) {
                                							if(_t78 != 0) {
                                								_t90 =  *((intOrPtr*)(_t78 + 4));
                                							} else {
                                								_t90 = 0;
                                							}
                                							_t92 = _t96 - 0x20;
                                							 *_t81( *((intOrPtr*)(_t59 + 0x1c)), _t90, 3, _t94, _t96 - 0x20, _t94);
                                						}
                                						if( *((intOrPtr*)(_t96 + 0x34)) != _t94) {
                                							E01272410(_t96 - 0x24, E0127859A());
                                							asm("cdq");
                                							 *((intOrPtr*)(_t96 - 4)) = _t94;
                                							E01272AE0(_t96 - 0x24, L"%d%%",  *(_t96 + 0x24) * 0x64 /  *(_t96 + 0x20));
                                							_t68 =  *((intOrPtr*)( *_t78 + 0x30))( *0x13d6408);
                                							_t94 =  *((intOrPtr*)(_t96 - 0x24));
                                							_t92 = _t68;
                                							 *((intOrPtr*)( *_t78 + 0x68))(_t94,  *((intOrPtr*)(_t94 - 0xc)), _t96 + 0x10, 0x25);
                                							 *((intOrPtr*)( *_t78 + 0x30))(_t68);
                                							L01271470(_t94 - 0x10,  *(_t96 + 0x24) * 0x64 %  *(_t96 + 0x20));
                                						}
                                					}
                                				}
                                				return L013696ED(_t78, _t92, _t94);
                                			}













                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 012A289C
                                • InflateRect.USER32(?,000000FD,000000FD), ref: 012A28F2
                                Strings
                                Similarity
                                • API ID: H_prolog3_InflateRect
                                • String ID: %d%%
                                • API String ID: 3173815319-1518462796
                                • Opcode ID: 14db95825cb6cac937624931b80a4af0c68d4a86001616575dd5cbe114d484a4
                                • Instruction ID: a1111aa8ae2cd2095a07da75a5476dc305e13357050cfe501367d3cbe4281d10
                                • Opcode Fuzzy Hash: 14db95825cb6cac937624931b80a4af0c68d4a86001616575dd5cbe114d484a4
                                • Instruction Fuzzy Hash: 6F317A7162022ADFCF15DFA8CC84DEEBBB9FF49B10B515559F902AB255C630E900CBA0
                                Uniqueness

                                Uniqueness Score: 6.84%

                                C-Code - Quality: 79%
                                			E0127C702(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                				void* _t65;
                                				void* _t104;
                                				void* _t107;
                                
                                				_t107 = __eflags;
                                				L0136966A(0x137f225, __ebx, __edi, __esi);
                                				_t95 =  *((intOrPtr*)(_t104 + 0xc));
                                				 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                                				 *(_t104 - 0x30) =  *(_t104 - 0x30) & 0x00000000;
                                				_t77 =  *((intOrPtr*)(_t104 + 8));
                                				 *((intOrPtr*)(_t104 - 0x24)) = __ecx;
                                				 *((intOrPtr*)(_t104 - 0x34)) =  *((intOrPtr*)(_t104 + 8));
                                				L01275375(_t95, _t104 - 0x2c,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0xc)))) - 0xc)) - E01272310( *((intOrPtr*)(_t104 + 0xc)), _t107, 0x5c) - 1);
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				 *(_t104 - 4) = 1;
                                				asm("movsd");
                                				__imp__CoCreateGuid(_t104 - 0x20, 0x28);
                                				E01272410(_t104 - 0x28, E0127859A());
                                				 *(_t104 - 4) = 2;
                                				E01272AE0(_t104 - 0x28, L"%08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X",  *((intOrPtr*)(_t104 - 0x20)));
                                				E01272410( *((intOrPtr*)(_t104 + 8)), E0127859A());
                                				_t93 = _t104 - 0x24;
                                				 *(_t104 - 0x30) = 1;
                                				_t65 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t104 - 0x24)))) + 0x18))(_t104 - 0x24,  *(_t104 - 0x1c) & 0x0000ffff,  *(_t104 - 0x1a) & 0x0000ffff,  *(_t104 - 0x18) & 0x000000ff,  *(_t104 - 0x17) & 0x000000ff,  *(_t104 - 0x16) & 0x000000ff,  *(_t104 - 0x15) & 0x000000ff,  *(_t104 - 0x14) & 0x000000ff,  *(_t104 - 0x13) & 0x000000ff,  *(_t104 - 0x12) & 0x000000ff,  *(_t104 - 0x11) & 0x000000ff);
                                				 *(_t104 - 4) = 3;
                                				E01272A30(_t77, _t65);
                                				 *(_t104 - 4) = 2;
                                				L01271470( *((intOrPtr*)(_t104 - 0x24)) + 0xfffffff0, _t104 - 0x24);
                                				L01275637(_t77, "\\");
                                				_t103 =  *((intOrPtr*)(_t104 - 0x28));
                                				L012753C7(_t77,  *((intOrPtr*)(_t104 - 0x28)),  *((intOrPtr*)( *((intOrPtr*)(_t104 - 0x28)) - 0xc)));
                                				L01275637(_t77, 0x138cd30);
                                				_t97 =  *((intOrPtr*)(_t104 - 0x2c));
                                				L012753C7(_t77,  *((intOrPtr*)(_t104 - 0x2c)),  *((intOrPtr*)( *((intOrPtr*)(_t104 - 0x2c)) - 0xc)));
                                				L01271470(_t103 - 0x10, _t104 - 0x24);
                                				L01271470(_t97 - 0x10, _t93);
                                				return L013696ED(_t77, _t97, _t103);
                                			}






                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 0127C709
                                  • Part of subcall function 01272310: _wcsrchr.LIBCMT ref: 0127231D
                                • CoCreateGuid.OLE32(?), ref: 0127C756
                                  • Part of subcall function 01275637: _wcslen.LIBCMT ref: 01275649
                                  • Part of subcall function 012753C7: _wcsnlen.LIBCMT ref: 012753FB
                                Strings
                                • %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 0127C7A2
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp Download File
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp Download File
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp Download File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CreateGuidH_prolog3__wcslen_wcsnlen_wcsrchr
                                • String ID: %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X
                                • API String ID: 1773233415-1017209998
                                • Opcode ID: 26fa650275a4cd6e8c42b9821ce984c14909b143fe01ce60f7d79b0469ebb3b3
                                • Instruction ID: 2b886176a4c76f26cbb3a72ba797a03d74cd169de1051eddb93f94d8c0aa4b73
                                • Opcode Fuzzy Hash: 26fa650275a4cd6e8c42b9821ce984c14909b143fe01ce60f7d79b0469ebb3b3
                                • Instruction Fuzzy Hash: 47318D7291025AAFCB01EFA4CC54AFFFBB9AF59215F044059E951B7291CA789E04CB70
                                Uniqueness

                                Uniqueness Score: 4.31%

                                C-Code - Quality: 65%
                                			E012A412A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				intOrPtr _t40;
                                				intOrPtr _t42;
                                				void* _t46;
                                				intOrPtr _t75;
                                				void* _t86;
                                				void* _t88;
                                				intOrPtr _t90;
                                				void* _t92;
                                
                                				_t89 = __esi;
                                				_t87 = __edi;
                                				_t86 = __edx;
                                				_push(0x18);
                                				L01369601(0x13811c3, __ebx, __edi, __esi);
                                				_t40 =  *0x13d6404; // 0xffffff
                                				_t94 =  *((intOrPtr*)(_t92 + 0x20));
                                				if( *((intOrPtr*)(_t92 + 0x20)) == 0) {
                                					_t40 =  *0x13d643c; // 0xffffff
                                				}
                                				_push(_t40);
                                				_push(1);
                                				_push(0);
                                				E0127A354(0, _t92 - 0x1c, _t86, _t87, _t89, _t94);
                                				_t42 =  *0x13d6410; // 0x696969
                                				 *(_t92 - 4) = 0;
                                				_t95 =  *((intOrPtr*)(_t92 + 0x20));
                                				if( *((intOrPtr*)(_t92 + 0x20)) == 0) {
                                					_t42 =  *0x13d6440; // 0x696969
                                				}
                                				_push(_t42);
                                				_push(1);
                                				_push(0);
                                				E0127A354(0, _t92 - 0x14, _t86, _t87, _t89, _t95);
                                				_t90 =  *((intOrPtr*)(_t92 + 8));
                                				 *(_t92 - 4) = 1;
                                				_t88 = E0127A1AA(_t90, _t92 - 0x1c);
                                				_t46 = _t92 - 0x24;
                                				_t75 = _t90;
                                				_t96 =  *((intOrPtr*)(_t92 + 0x1c));
                                				if( *((intOrPtr*)(_t92 + 0x1c)) != 0) {
                                					L01279B90(_t75, _t46,  *((intOrPtr*)(_t92 + 0xc)),  *((intOrPtr*)(_t92 + 0x18)));
                                					L012795E0(_t90,  *((intOrPtr*)(_t92 + 0x14)),  *((intOrPtr*)(_t92 + 0x18)));
                                					asm("cdq");
                                					_t51 =  *((intOrPtr*)(_t92 + 0x14)) +  *((intOrPtr*)(_t92 + 0xc)) - _t86;
                                					__eflags =  *((intOrPtr*)(_t92 + 0x14)) +  *((intOrPtr*)(_t92 + 0xc)) - _t86;
                                					L012795E0(_t90, _t51 >> 1,  *((intOrPtr*)(_t92 + 0x10)));
                                					E0127A1AA(_t90, _t92 - 0x14);
                                					_push( *((intOrPtr*)(_t92 + 0x18)));
                                					_push( *((intOrPtr*)(_t92 + 0xc)));
                                				} else {
                                					L01279B90(_t75, _t46,  *((intOrPtr*)(_t92 + 0x14)),  *((intOrPtr*)(_t92 + 0x10)));
                                					asm("cdq");
                                					L012795E0(_t90,  *((intOrPtr*)(_t92 + 0x14)) +  *((intOrPtr*)(_t92 + 0xc)) - _t86 >> 1,  *((intOrPtr*)(_t92 + 0x18)));
                                					E0127A1AA(_t90, _t92 - 0x14);
                                					L012795E0(_t90,  *((intOrPtr*)(_t92 + 0xc)),  *((intOrPtr*)(_t92 + 0x10)));
                                					_push( *((intOrPtr*)(_t92 + 0x10)));
                                					_push( *((intOrPtr*)(_t92 + 0x14)));
                                				}
                                				L012795E0(_t90);
                                				E0127A1AA(_t90, _t88);
                                				 *(_t92 - 4) = 0;
                                				 *((intOrPtr*)(_t92 - 0x14)) = 0x138f598;
                                				E0127A27E(0, _t92 - 0x14, _t88, 0x138f598, _t96);
                                				_t34 = _t92 - 4;
                                				 *(_t92 - 4) =  *(_t92 - 4) | 0xffffffff;
                                				 *((intOrPtr*)(_t92 - 0x1c)) = 0x138f598;
                                				return L013696D9(E0127A27E(0, _t92 - 0x1c, _t88, 0x138f598,  *_t34));
                                			}












                                APIs
                                • __EH_prolog3.LIBCMT ref: 012A4131
                                  • Part of subcall function 0127A354: __EH_prolog3.LIBCMT ref: 0127A35B
                                  • Part of subcall function 0127A354: CreatePen.GDI32(?,?,?), ref: 0127A37C
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,00000000), ref: 0127A1D0
                                  • Part of subcall function 0127A1AA: SelectObject.GDI32(?,?), ref: 0127A1E6
                                  • Part of subcall function 01279B90: MoveToEx.GDI32(?,?,?,?), ref: 01279BBA
                                  • Part of subcall function 01279B90: MoveToEx.GDI32(?,?,?,?), ref: 01279BCB
                                  • Part of subcall function 012795E0: MoveToEx.GDI32(?,?,?,00000000), ref: 012795FD
                                  • Part of subcall function 012795E0: LineTo.GDI32(?,?,?), ref: 0127960C
                                  • Part of subcall function 0127A27E: __EH_prolog3_catch_GS.LIBCMT ref: 0127A288
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Move$H_prolog3ObjectSelect$CreateH_prolog3_catch_Line
                                • String ID: iii$iii
                                • API String ID: 2228108477-3499908146
                                • Opcode ID: 46d05a9abda962e0d2d49fa7faf12755103c4cc50c84631f692550b4fb8423b0
                                • Instruction ID: e2e165a068878658eb24d4b329d3b93696da9d791ff784c8aab04b7ab59c1624
                                • Opcode Fuzzy Hash: 46d05a9abda962e0d2d49fa7faf12755103c4cc50c84631f692550b4fb8423b0
                                • Instruction Fuzzy Hash: FF31817161021BEFCF01EFA8D8919EF377AAF28328F044014F911A7290DB319A25CBA1
                                Uniqueness

                                Uniqueness Score: 2.59%

                                C-Code - Quality: 57%
                                			E01274FE8(void* __ebx, void* __ecx) {
                                				signed int _v8;
                                				char _v28;
                                				short _v548;
                                				void* __edi;
                                				void* __esi;
                                				signed int _t9;
                                				long _t12;
                                				short _t13;
                                				void* _t19;
                                				void* _t25;
                                				void* _t26;
                                				void* _t30;
                                				signed int _t35;
                                
                                				_t19 = __ebx;
                                				_t33 = _t35;
                                				_t9 =  *0x13d3570; // 0x99b5b578
                                				_v8 = _t9 ^ _t35;
                                				_t12 = GetModuleFileNameW( *(__ecx + 0x44),  &_v548, 0x104);
                                				if(_t12 == 0) {
                                					L4:
                                					_t13 = 0;
                                					__eflags = 0;
                                				} else {
                                					_t39 = _t12 - 0x104;
                                					if(_t12 == 0x104) {
                                						goto L4;
                                					} else {
                                						 *(PathFindExtensionW( &_v548)) = 0;
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsd");
                                						asm("movsw");
                                						_t13 = E01274E12(0, _t39,  &_v28,  &_v548);
                                						_t26 = _t26;
                                					}
                                				}
                                				_pop(_t30);
                                				return L01367D3E(_t13, _t19, _v8 ^ _t33, _t25, _t26, _t30);
                                			}

















                                APIs
                                • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 01275010
                                • PathFindExtensionW.SHLWAPI(?), ref: 01275026
                                  • Part of subcall function 01274E12: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 01274E57
                                  • Part of subcall function 01274E12: _memset.LIBCMT ref: 01274E83
                                  • Part of subcall function 01274E12: _wcstoul.LIBCMT ref: 01274ECB
                                  • Part of subcall function 01274E12: _wcslen.LIBCMT ref: 01274EEC
                                  • Part of subcall function 01274E12: GetUserDefaultUILanguage.KERNEL32 ref: 01274EFC
                                  • Part of subcall function 01274E12: ConvertDefaultLocale.KERNEL32(?), ref: 01274F23
                                  • Part of subcall function 01274E12: ConvertDefaultLocale.KERNEL32(?), ref: 01274F32
                                  • Part of subcall function 01274E12: GetSystemDefaultUILanguage.KERNEL32 ref: 01274F3B
                                  • Part of subcall function 01274E12: ConvertDefaultLocale.KERNEL32(?), ref: 01274F57
                                  • Part of subcall function 01274E12: ConvertDefaultLocale.KERNEL32(?), ref: 01274F66
                                  • Part of subcall function 01274E12: GetModuleFileNameW.KERNEL32(01270000,?,00000105), ref: 01274F9E
                                  • Part of subcall function 01367D3E: IsDebuggerPresent.KERNEL32 ref: 0136EC6D
                                  • Part of subcall function 01367D3E: SetUnhandledExceptionFilter.KERNEL32 ref: 0136EC82
                                  • Part of subcall function 01367D3E: UnhandledExceptionFilter.KERNEL32 ref: 0136EC8D
                                  • Part of subcall function 01367D3E: GetCurrentProcess.KERNEL32(C0000409), ref: 0136ECA9
                                  • Part of subcall function 01367D3E: TerminateProcess.KERNEL32(00000000), ref: 0136ECB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Default$ConvertLocale$ExceptionFileFilterLanguageModuleNameProcessUnhandled$AddressCurrentDebuggerExtensionFindPathPresentProcSystemTerminateUser_memset_wcslen_wcstoul
                                • String ID: %s%s.dll
                                • API String ID: 3481812526-1649984862
                                • Opcode ID: e8a5d29158702b3033e22cfaec24dc0956f36bc9c29e0005cd3e9638e6fe7e47
                                • Instruction ID: 134a0d77673cdb8525af57db9c33df6696c68ff85c603a79a91072d7cd9289a1
                                • Opcode Fuzzy Hash: e8a5d29158702b3033e22cfaec24dc0956f36bc9c29e0005cd3e9638e6fe7e47
                                • Instruction Fuzzy Hash: 58016272910119ABCB11DF68E885DFFB7EDBF4D314F450469A605E7040EA709A458BA0
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 88%
                                			E012E61E9(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				int _t11;
                                				intOrPtr _t13;
                                				int _t16;
                                				void* _t23;
                                				void* _t25;
                                				WCHAR* _t28;
                                				void* _t29;
                                
                                				_t25 = __edx;
                                				_push(4);
                                				L01369601(0x137ee57, __ebx, __edi, __esi);
                                				if( *0x13d9d1c == 0) {
                                					_t13 =  *0x13d9d24; // 0x13cf688
                                					_t1 = E01272530(_t13 + 0xfffffff0) + 0x10; // 0x10
                                					_t28 = _t1;
                                					_pop(_t23);
                                					 *(_t29 - 0x10) = _t28;
                                					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                                					if( *((intOrPtr*)(_t28 - 0xc)) == 0) {
                                						E01272AE0(_t29 - 0x10, L"ToolbarButton%p", E01274D2D());
                                						_t28 =  *(_t29 - 0x10);
                                					}
                                					_t16 = RegisterWindowMessageW(_t28);
                                					 *0x13d9d1c = _t16;
                                					if(_t16 == 0) {
                                						L01277AC9(_t23);
                                					}
                                					_t8 = _t28 - 0x10; // 0x0
                                					L01271470(_t8, _t25);
                                				}
                                				_t11 =  *0x13d9d1c; // 0x0
                                				return L013696D9(_t11);
                                			}











                                APIs
                                • __EH_prolog3.LIBCMT ref: 012E61F0
                                  • Part of subcall function 01272530: _memcpy_s.LIBCMT ref: 0127258F
                                • RegisterWindowMessageW.USER32(00000010,00000004,012E62A8,00000000,00000000,00000000,00000000,0000005C,01295FA8,?), ref: 012E6239
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: Exception@8H_prolog3MessageRegisterThrowWindow_memcpy_s
                                • String ID: ToolbarButton%p
                                • API String ID: 1043608731-899657487
                                • Opcode ID: 871c392fd2d293f7c550912a915840d30f3b263e4d8ec55ae8c991a58baa401f
                                • Instruction ID: d631b45f5bfe708564566f789850570f5d887b6eeeb62e19a69463f522629ebb
                                • Opcode Fuzzy Hash: 871c392fd2d293f7c550912a915840d30f3b263e4d8ec55ae8c991a58baa401f
                                • Instruction Fuzzy Hash: AAF0C2758212078BCF20FBA8EC18BAE73B8FF1032CF404545E16073285DB345609CB55
                                Uniqueness

                                Uniqueness Score: 5.06%

                                C-Code - Quality: 82%
                                			E0133EFA3(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                				struct HINSTANCE__* _t9;
                                				_Unknown_base(*)()* _t12;
                                				_Unknown_base(*)()* _t19;
                                				void* _t20;
                                
                                				_push(0);
                                				L01369601(0x1387439, __ebx, __edi, __esi);
                                				if(( *0x13dab48 & 0x00000001) == 0) {
                                					 *0x13dab48 =  *0x13dab48 | 0x00000001;
                                					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                                					_push(L"UxTheme.dll");
                                					 *0x13dab44 = E01274CA7(__ecx, __esi,  *(_t20 - 4));
                                				}
                                				_t9 =  *0x13dab44; // 0x0
                                				_t19 =  *(_t20 + 0xc);
                                				if(_t9 != 0) {
                                					_t12 = GetProcAddress(_t9,  *(_t20 + 8));
                                					if(_t12 != 0) {
                                						_t19 = _t12;
                                					}
                                				}
                                				return L013696D9(_t19);
                                			}








                                APIs
                                • __EH_prolog3.LIBCMT ref: 0133EFAA
                                • GetProcAddress.KERNEL32(00000000,?,00000000,0133F06C,OpenThemeData,Function_000586E9,00000000,012B76C6,?,REBAR,01390900), ref: 0133EFE3
                                  • Part of subcall function 01274CA7: ActivateActCtx.KERNEL32(?,?), ref: 01274CC7
                                  • Part of subcall function 01274CA7: LoadLibraryW.KERNEL32(?), ref: 01274CDE
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: ActivateAddressH_prolog3LibraryLoadProc
                                • String ID: UxTheme.dll
                                • API String ID: 1863515369-352951104
                                • Opcode ID: d6e98e715cf722da698a60a8d66f3e444c319ed86d555b37b2ac1d5202e6de8e
                                • Instruction ID: ea5bc3697f001dad7b763cc1c6bd41038cffc3ca6a042cda04e24df3a98c23da
                                • Opcode Fuzzy Hash: d6e98e715cf722da698a60a8d66f3e444c319ed86d555b37b2ac1d5202e6de8e
                                • Instruction Fuzzy Hash: CFE06D316023119BDB20AF7CE6047493ADDAB5036CF154468FC04E7288C7B4DA45C754
                                Uniqueness

                                Uniqueness Score: 100.00%

                                C-Code - Quality: 100%
                                			E012866AF(signed int _a4) {
                                				void* __ebp;
                                				struct _CRITICAL_SECTION* _t4;
                                				void* _t8;
                                				signed int _t9;
                                				intOrPtr* _t12;
                                
                                				_t9 = _a4;
                                				if(_t9 >= 0x11) {
                                					_t4 = L01277AC9(_t8);
                                				}
                                				if( *0x13d803c == 0) {
                                					_t4 = E01286646();
                                				}
                                				_t12 = 0x13d81f0 + _t9 * 4;
                                				if( *_t12 == 0) {
                                					EnterCriticalSection(0x13d81d8);
                                					if( *_t12 == 0) {
                                						_t4 = 0x13d8040 + _t9 * 0x18;
                                						InitializeCriticalSection(_t4);
                                						 *_t12 =  *_t12 + 1;
                                					}
                                					LeaveCriticalSection(0x13d81d8);
                                				}
                                				EnterCriticalSection(0x13d8040 + _t9 * 0x18);
                                				return _t4;
                                			}









                                APIs
                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 01286718
                                  • Part of subcall function 01286646: InitializeCriticalSection.KERNEL32(013D81D8,012866D2,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004), ref: 0128665E
                                  • Part of subcall function 01277AC9: __CxxThrowException@8.LIBCMT ref: 01277ADF
                                • EnterCriticalSection.KERNEL32(013D81D8,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 012866E9
                                • InitializeCriticalSection.KERNEL32(?,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 012866FB
                                • LeaveCriticalSection.KERNEL32(013D81D8,?,?,?,?,0127AEA4,00000010,00000008,0127931D,012792B4,01276293,01275CFA,?,0127641E,00000004,01275291), ref: 01286708
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterInitialize$Exception@8LeaveThrow
                                • String ID:
                                • API String ID: 2785074161-0
                                • Opcode ID: 0921b2973f36d4741caccf4b224bdd9b89b8136aa5d6858d0491acad4decc102
                                • Instruction ID: 98d12225d9d3b6b3b05f31361e4a29d765759e59404cd9e03249c9ecac0c9ccb
                                • Opcode Fuzzy Hash: 0921b2973f36d4741caccf4b224bdd9b89b8136aa5d6858d0491acad4decc102
                                • Instruction Fuzzy Hash: 40F0F673602216AFD7203B6EFC84B59B66EFBE0369F051019E10092181D778E5458BB5
                                Uniqueness

                                Uniqueness Score: 0.25%

                                C-Code - Quality: 100%
                                			E0127AE1D(long* __ecx, signed int _a4) {
                                				void* _t9;
                                				struct _CRITICAL_SECTION* _t12;
                                				signed int _t14;
                                				long* _t16;
                                
                                				_t16 = __ecx;
                                				_t1 =  &(_t16[7]); // 0x1c
                                				_t12 = _t1;
                                				EnterCriticalSection(_t12);
                                				_t14 = _a4;
                                				if(_t14 <= 0 || _t14 >= _t16[3]) {
                                					L5:
                                					LeaveCriticalSection(_t12);
                                					return 0;
                                				} else {
                                					_t9 = TlsGetValue( *_t16);
                                					if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
                                						goto L5;
                                					} else {
                                						LeaveCriticalSection(_t12);
                                						return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
                                					}
                                				}
                                			}








                                APIs
                                • EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,0127B3C9,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004), ref: 0127AE2B
                                • TlsGetValue.KERNEL32 ref: 0127AE3F
                                • LeaveCriticalSection.KERNEL32(0000001C,?,?,?,?,0127B3C9,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004), ref: 0127AE55
                                • LeaveCriticalSection.KERNEL32(0000001C,?,?,?,?,0127B3C9,?,00000004,012792FE,01276293,01275CFA,?,0127641E,00000004,01275291,00000004), ref: 0127AE60
                                Memory Dump Source
                                • Source File: 00000010.00000002.746388412.0000000001271000.00000020.sdmp, Offset: 01270000, based on PE: true
                                • Associated: 00000010.00000002.746374753.0000000001270000.00000002.sdmp
                                • Associated: 00000010.00000002.746578910.000000000138C000.00000002.sdmp
                                • Associated: 00000010.00000002.746752878.00000000013CF000.00000004.sdmp
                                • Associated: 00000010.00000002.746788870.00000000013D6000.00000004.sdmp
                                • Associated: 00000010.00000002.746832288.00000000013DE000.00000002.sdmp
                                • Associated: 00000010.00000002.747668141.0000000001574000.00000002.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1270000_Setup.jbxd
                                Similarity
                                • API ID: CriticalSection$Leave$EnterValue
                                • String ID:
                                • API String ID: 3969253408-0
                                • Opcode ID: fecae84f54d198ab62e155cb995a8132b11a43b0c6083b2371502bcbd23e2f32
                                • Instruction ID: 1d0c869bcfbd3c0babaad663c00e2a5cb4baba7421bb4a808e97ad6a13a728a5
                                • Opcode Fuzzy Hash: fecae84f54d198ab62e155cb995a8132b11a43b0c6083b2371502bcbd23e2f32
                                • Instruction Fuzzy Hash: C5F09A332103149FC7208F1CEC8889F77AEEA9477170A4825E50683106EAB0F9068BA0
                                Uniqueness

                                Uniqueness Score: 0.23%